Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus is attacking!


  • Please log in to reply
6 replies to this topic

#1 dsage

dsage

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 01 November 2008 - 08:27 PM

My friend's computer is infected with virus. She cannot open the web browser (she uses Firefox). Whenever she opens up the Firefox, the window is white, blank, nothing comeing up. Also, the same thing happens when she opens yahoo messenger. She can access the messenger, but whenever she chats with somebody, she cannot see everything that she or her friends type up. However, the MSN works perfectly. She ran the MBAM already (she restarted the computer immediately), but nothing get fixed. Here is the log:

Malwarebytes' Anti-Malware 1.30
Database version: 1354
Windows 5.1.2600 Service Pack 2

11/2/2008 7:50:49 AM
mbam-log-2008-11-02 (07-50-49).txt

Scan type: Quick Scan
Objects scanned: 69882
Time elapsed: 9 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ckvo1.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\amvo0.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kamsoft (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amva (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (%1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ckvo.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\bennya2.MAR2508\Local Settings\Temp\nod4A.tmp (Trojan.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ckvo0.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ckvo1.dll (Trojan.Agent) -> Delete on reboot.
C:\xih9.cmd (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amvo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\amvo0.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\amvo1.dll (Trojan.Agent) -> Quarantined and deleted successfully.

How can she fix her computer?

BC AdBot (Login to Remove)

 


#2 eduardo0

eduardo0

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:26 AM

Posted 02 November 2008 - 01:38 AM

reinstall the firefox and YM :thumbsup:

#3 dsage

dsage
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 02 November 2008 - 06:01 PM

It's not only the Firefox. The Internet Explorer has the same problem.

#4 dsage

dsage
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:01:26 AM

Posted 03 November 2008 - 12:49 PM

anyone?

#5 hellknight

hellknight

  • Members
  • 120 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:26 AM

Posted 03 November 2008 - 01:26 PM

dsage - I'd start off with running MBAM again - if several of the entries re-appear, it's likely the virus was only partially removed, and recovers itself.
Please post the new log here

#6 scff249

scff249

    Indecisive Lurker


  • Members
  • 1,319 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:A galaxy far, far away...
  • Local time:12:26 AM

Posted 03 November 2008 - 01:34 PM

NOTE TO HIGHER UPS: If I'm doing something wrong and I'm not supposed to help or give advice of any sort, then please shoot me

Can you download anything from the internet on that computer?

Just to add a note: Refrain from sticking a usb drive (i.e. portable flash drives) in the infected computer unless instructed to do so from someone higher up. If I'm seeing this one right, it's a worm that can infect other computers via flash drive. If any flash drives were used between any computers and the infected one while it was infected, chances are that those computers are also infected as well as the device used.

....yeah....I'd better leave this to the experts to keep from screwing anything up for anyone.

Edited by scff249, 03 November 2008 - 01:37 PM.

"Ototo'i wa usagi o mita no...Kino wa shika...Kyo wa anata." -Kotomi Ichinose (Clannad) [see below for translation]
"Day before yesterday I saw a rabbit, and yesterday a deer, and today, you." -The Dandelion Girl
"You are not alone, and you are not strange. You are you, and everyone has damage. Be the better person." -Katawa Shoujo


#7 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:26 AM

Posted 03 November 2008 - 03:56 PM

Please update and rerun Malwarebytes following the procedure below.

On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users