Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Really Debilitating Virus/Malware


  • This topic is locked This topic is locked
5 replies to this topic

#1 seanb

seanb

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:16 AM

Posted 16 October 2008 - 09:32 AM

Comp Info: Windows XP, SP2 (or 3, but I dont think so). I'm not posting this from that computer.

So last night i was playing WOW (I deserve a virus for that alone) and my computer froze, completely, no Alt-CTRL-Del, nothing. Although this is pretty damned rare I was tired so i hit the reset button and walked away.

When i woke up this morning i had 24 IE windows open, several error prompts, my Virus detector was going crazy (AVG), ad's everywhere, my background had been changed to a red and white "your windows is not genuine", and WGA tooltip was poping up and down like it was on crack. (My windows is actually genuine)

I Hit the Power button. Since then i have not been back on my computer in regular mode. Everything Detailed here is in Safe Mode, in an administrator account.

In Safe Mode With Networking, the system is a little quieter. The only thing noticably wrong is that the WGA tooltip is still running, and that my computer restarts itself after about 5 minutes, after a window that pop's up saying something about a fault error, and that the computer must shut down in 60, 59, 58.... etc.

I've managed to run hijackthis. I know how to use the program fairly well. I found a number of suspicious entries in both the registry, BHO's, and other areas. i got rid of them and deleted the source files (all in /windows and /windows/system32/)

i cannot install any software or anti-virus-adware-malware programs. When i try the computer says "the admistrator has policies to prevent this action"

When the computer reboots itself, the virus does not seem to re-propogate itself, but the WGA popup and the time limited boot are still in effect. I'm still in safe mode though, so i'm not certain i'm clean. The time limited boot only happens when i'm in the actual ADMINISTRATOR account, and it does not always give me the 60 second warning

What else can i do? Solutions must be short, as i only have about 5 minutes per boot to execute them. I can post a hijackthis log, but i'm not sure where i'm supposed to do this, because you have a separate forum for them.

Thanks.

EDIT: I just found a bunch of links on another accounts desktop, they all link to viruswebprotect---2008.com

EDIT2: More developments. I just noticed that beside my clock is the words "VIRUS ALERT".

Edited by seanb, 16 October 2008 - 10:14 AM.


BC AdBot (Login to Remove)

 


m

#2 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:02:16 AM

Posted 16 October 2008 - 02:09 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#3 seanb

seanb
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:01:16 AM

Posted 17 October 2008 - 08:43 AM

Thanks for the quick copy/paste, but you missed a couple things from my initial post.

i cannot install any software or anti-virus-adware-malware programs. When i try the computer says "the admistrator has policies to prevent this action" (malwarebites is no exception) I'm on the administrator account. The group policy editor is MIA.

Solutions must be short, as i only have about 5 minutes per boot to execute them.

To add to this, the virus seems to be rolling back any changes i make with Hijackthis. I click "fix", then "scan", and nothings changed.

EDIT: I think i've managed to chip away at the virus's effects enough to get it on the run. I had to use a combination of Hijackthis, Combofix, and eventually Malwarebites (once i could install it). I'm back in regular mode, and the things i'm dealing with are different enough that I'm going to open another thread. They're not the virus, just the damage i'm left with.

Edited by seanb, 17 October 2008 - 11:19 AM.


#4 iisjman07

iisjman07

  • Members
  • 94 posts
  • OFFLINE
  •  
  • Local time:01:16 AM

Posted 17 October 2008 - 12:25 PM

Burn this to CD:
http://www.avira.com/en/company_news/rescue_cd_.html
. It's the Avira rescue system. Leave the cd in the drive and reboot the computer. Press the down button to highlight to english and then Space Bar to select.

#5 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:02:16 AM

Posted 17 October 2008 - 01:14 PM

i cannot install any software or anti-virus-adware-malware programs. When i try the computer says "the admistrator has policies to prevent this action"


Since you did not mention Malwarebytes by name, it was worth a try.

I had to use a combination of Hijackthis, Combofix, and eventually Malwarebites


Please note the message text in blue at the top of this forum.

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Since you are satisfied that your computer is now free of malware, I would do one more thing.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Safe surfing

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#6 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:02:16 AM

Posted 17 October 2008 - 01:18 PM

Oops... I see you have a HijackThis log in place that still has an open status.

Please ignore the above information and only follow the instructions of the HJT team member who takes your log. To prevent confusion, this topic is now closed.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users