
I'm Screwed


9 replies to this topic

#1 TheOperator
  • Members
  • 6 posts

Posted 18 September 2008 - 10:44 AM

Ok, so as I mentioned in my introduction topic, I got one nasty bug on my home machine (doing this from work).

My father was over printing some stuff out and checking his email like he does every week, then he opened an attachment from an email that had a trojan. He then said yes to both my firewalls, Eset and Kerio, which downloaded the virus. The virus then set off my Eset/NOD32 virus protection and popped up a fake virus alert saying "Microsoft needs to scan your system for spyware" or something similar. He clicked the fake one, which ran it.

Here's my symptoms. After it hit the fan it threw some HTML shortcuts on his user's desktop named "Error Cleaner", "Privacy Protector" and "Spyware & Malware Protection", which all lead to hxxp: //viruswebprotect--2008.com/shandler....said=0&sg=# (# = 0, 1, or 2). There is also a message "VIRUS ALERT!" next to my system clock when not in safe mode. It is slow to load up in any mode now, about 10 min to get to the Windows login. In any mode on any user except safe mode with the default administrator, the task manager is disabled. Explorer crashes instantly in all modes for all users; from the default admin task manager, I can see "verclsid.exe" runs every time explorer starts, and they both crash after about 10 seconds. I tried to open System Restore from safe mode to see if I could get to the point of at least a remote desktop to clean my machine, but it deleted all my system restores. I do have Registry Mechanic and a few backups on that, but only from over a month ago. I actually ran Registry Mechanic's fix registry option, which doesn't load a backup, and it found and fixed quite a bit, but it didn't help me do anything to clean this. From msconfig I tried to load a few different boot options but got nowhere with that either; even the diagnostic startup failed.

I searched for virus symptoms related to mine and found the closest thing was on this site, and it said it was worm.netsky.t, but that topic did not mention a crashing explorer or the virus alert in my system clock, and the shortcuts they mentioned led to a different URL, the same as mine but without the --2008. When I searched for the "verclsid.exe" that I believe is crashing explorer, it said it was a Windows security update from 2006, but I have never had this problem with it before, and besides SP3, I am up to date with most if not all Windows updates. I tried and failed to access the internet yesterday to get HijackThis, so I probably won't have a log of anything unless you have a secret to reactivating that.

I run XP Home 32-bit with SP2; I have a 3.4mhz processor (single core) and 2 GB of RAM.

Mod Edit: Disabled active link to malware site.

Edited by quietman7, 18 September 2008 - 12:50 PM.
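A small triage helper for the symptom described in the post above: Internet-shortcut (.url) files dropped on the desktop that all point at the rogue domain. This is an added example, not something posted in the thread; it takes the defanged indicator exactly as the moderator left it, refangs it, and flags any shortcut whose host is that domain or a subdomain of it. The sample desktop contents are constructed (the names are from the post; the paths and query strings are placeholders).

```python
"""Flag Internet-shortcut (.url) files that point at a known rogue domain.

Added example for triage, not code from the thread.  Shortcut contents below
are constructed; only the domain and the shortcut names come from the post.
"""
import configparser
from urllib.parse import urlsplit

# Indicator copied as posted (defanged by the moderator as "hxxp: //").
ROGUE_INDICATORS = ["hxxp: //viruswebprotect--2008.com/"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, spaces, [.]) into a parseable URL."""
    text = indicator.replace(" ", "").replace("[.]", ".")
    return text.replace("hxxps://", "https://").replace("hxxp://", "http://")


def indicator_hosts(indicators):
    """Lower-cased host names extracted from a list of (possibly defanged) URLs."""
    return {urlsplit(refang(i)).hostname.lower() for i in indicators}


def shortcut_target(text: str):
    """Return the URL= value of an [InternetShortcut] file, or None if malformed."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def is_rogue(url: str, hosts) -> bool:
    """True when the URL's host is one of the rogue hosts or a subdomain of one."""
    host = urlsplit(url).hostname
    if not host:
        return False
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in hosts)


def triage(shortcuts: dict, indicators=ROGUE_INDICATORS) -> dict:
    """Map shortcut file name -> target URL for every shortcut on a rogue host."""
    hosts = indicator_hosts(indicators)
    return {name: url for name, text in shortcuts.items()
            if (url := shortcut_target(text)) and is_rogue(url, hosts)}


# Constructed sample desktop: three rogue shortcuts, one benign, one garbage file.
SAMPLE_DESKTOP = {
    "Error Cleaner.url": "[InternetShortcut]\nURL=http://viruswebprotect--2008.com/EXAMPLE-PATH?sg=0\n",
    "Privacy Protector.url": "[InternetShortcut]\nURL=http://VirusWebProtect--2008.com/EXAMPLE-PATH?sg=1\n",
    "Spyware & Malware Protection.url": "[InternetShortcut]\nURL=http://www.viruswebprotect--2008.com/EXAMPLE-PATH?sg=2\n",
    "Bleeping Computer.url": "[InternetShortcut]\nURL=http://www.bleepingcomputer.com/\n",
    "notes.url": "not a shortcut at all\n",
}
```

Run `triage(SAMPLE_DESKTOP)` to see the three rogue shortcuts flagged; the benign shortcut and the malformed file are ignored.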



#2 rigel (FD-BC)
  • Members
  • 12,944 posts
  • Location: South Carolina - USA

Posted 18 September 2008 - 12:05 PM

Welcome to BleepingComputer...

Let's start with a MalwareBytes scan:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 TheOperator (Topic Starter)
  • Members
  • 6 posts

Posted 18 September 2008 - 12:28 PM

I tried and failed to access the internet yesterday to get HijackThis, so I probably won't have a log of anything unless you have a secret to reactivating that.

I cannot get access to the internet with everything I have tried thus far, so unless you know of a long way around to get that working, I won't install anything.

Edited by TheOperator, 18 September 2008 - 12:30 PM.


#4 rigel (FD-BC)
  • Members
  • 12,944 posts
  • Location: South Carolina - USA

Posted 18 September 2008 - 12:31 PM

Sorry, I missed that...

Please download MalwareBytes, and its updates, to the computer you are using. Transfer these files to the infected computer via flash drive or burned CD. Then run MalwareBytes per the instructions in the above procedure.


Thanks



#5 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,490 posts
  • Location: Virginia, USA

Posted 18 September 2008 - 12:53 PM

If you cannot transfer to or install on the infected machine, try running the mbam-setup.exe (installation) file directly from the flash drive or CD so it will install on the hard drive.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 TheOperator (Topic Starter)
  • Members
  • 6 posts

Posted 18 September 2008 - 01:46 PM

I was planning on doing that anyway, but I won't be able to till Monday, so this topic will have to sit a while... I guess it's worth it if I don't lose my data.

#7 TheOperator (Topic Starter)
  • Members
  • 6 posts

Posted 22 September 2008 - 10:26 AM

Ok, so I tried over the weekend with a flash drive, but running in safe mode I can't get the services to run for Plug and Play, so that failed. I'll try a CD, but it would probably be best to have the entire program installed on the CD and run it off that to avoid infection. Could someone make an image with whatever tools I'll need?

#8 quietman7 (Bleepin' Janitor)
  • Global Moderator
  • 51,490 posts
  • Location: Virginia, USA

Posted 22 September 2008 - 10:35 AM

I tried over the weekend with a flash drive, but running in safe mode I can't get the services to run for Plug and Play, so that failed

Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a driver which does not work in safe mode. For optimal removal, normal mode is recommended.

#9 TheOperator (Topic Starter)
  • Members
  • 6 posts

Posted 22 September 2008 - 11:11 AM

Well, the only access I have to achieve anything at all is from safe mode, default administrator, task manager, run/browse. I literally can't do anything unless I'm in the admin account in safe mode with a task manager open and browse to what I want to run. So, more effective or not, it doesn't give me a choice.

All I'm really looking for is some basic anti-malware to get my explorer running so that I can get into my locked user and back up my files before I format.

Could one of the mods interested in helping me throw the tools I need on a disc image (.iso would be my choice) so that I could run them right off the CD without depending on an installation, and attach it or send it to me so I could burn it from work?

Edited by TheOperator, 22 September 2008 - 11:41 AM.


#10 DaChew (Visiting Alien)
  • Members
  • 10,317 posts
  • Location: millenium falcon and rockytop

Posted 22 September 2008 - 12:07 PM

http://www.bleepingcomputer.com/forums/ind...st&p=952339

CureIt is a standalone executable you should try.

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

SDFix will start from safe mode but will want to boot to normal mode to finish cleaning.

Several have reported some success with Malwarebytes from safe mode; at this point I can't see how it would hurt.

Edited by DaChew, 22 September 2008 - 12:09 PM.

Chewy

No. Try not. Do... or do not. There is no try.
