Virus that makes other viruses and popups


4 replies to this topic

#1 bleedgreen

Posted 30 December 2008 - 02:47 AM

Hi all,

I have been trying to get rid of this virus for a while.

I even came here and went through a bunch of removal steps and it SEEMED as though it was gone, but it came back after a few days of no bad behavior.

Old removal thread:
Need Help with Spyware/Virus on my PC

So I will attempt to describe the virus behavior as best I can in hopes someone will recognize it and know how to remove this specific virus.

- Firefox pops up new browser windows with random websites
- A Windows Security Alerts icon with a Red X appears in the system tray
- A rundll32.dll is running on startup
- New mysterious/bad dll's are created in system32
- McAfee pops up alerts every now and then and says it found and removed a virus. Sometimes a few alerts appear in a row.
- Sometimes my audio does not work. It sometimes restores on reboot.


A Spybot pop-up appeared when makkmkpk.dll tried to be added. So that was my lead on that as a bad process. I figure this is one of the viruses the root virus has downloaded.

I ran ProcMon on startup and found that there are some processes loaded when the following command is run:

"C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\makkmkpk.dll",b

The processes are:
C:\WINDOWS\system32\ctrzax.dll
C:\WINDOWS\system32\yvbvti.dll


These processes have no company/version/description information and when I go into system32 to try to remove them they are not there (using windows explorer).



- I have since run Brute Force Uninstaller and inserted those paths, and my next ProcMon startup log did not contain any of those files. HOWEVER, the fake Windows Security Alerts persist, so I am sure it is not gone.


Has anyone experienced something like this?


HEEEELLLPPP!!!!


Here are all my standard logs:
DDS.txt

DDS (Version 1.1.0) - NTFSx86
Run by Graeham at 21:46:58.01 on Mon 12/29/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1421 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Process Explorer\procexp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Graeham\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/dell?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Auto EPSON Stylus CX4800 Series on G4D2000] c:\windows\system32\spool\drivers\w32x86\3\e_fatiada.exe /p42 "auto epson stylus cx4800 series on g4d2000" /o17 "\\g4d2000\Printer" /M "Stylus CX4800"
mRun: [Auto EPSON Stylus CX4800 Series on KILLER] c:\windows\system32\spool\drivers\w32x86\3\e_fatiada.exe /p41 "auto epson stylus cx4800 series on killer" /o17 "\\killer\Printer3" /M "Stylus CX4800"
mRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
mRun: [EPSON Stylus CX4800 Series on G4D2000 (from 4-D)] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P48 "EPSON Stylus CX4800 Series on G4D2000 (from 4-D)" /O5 "TS001" /M "Stylus CX4800"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
StartupFolder: c:\docume~1\graeham\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\graeham\startm~1\programs\startup\autoru~1\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\graeham\startm~1\programs\startup\autoru~1\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
StartupFolder: c:\docume~1\graeham\startm~1\programs\startup\autoru~1\openof~2.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: c:\docume~1\graeham\startm~1\programs\startup\autoru~1\sdktra~1.lnk - c:\program files\sun\sdk\jdk\bin\javaw.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnnMecy

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\graeham\applic~1\mozilla\firefox\profiles\hg4v4nr4.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-20 201320]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\mcafee\siteadvisor\McSACore.exe" [2008-12-2 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-20 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\McShield.exe [2007-2-20 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-20 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-20 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-20 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-20 40488]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys []
S1 symuu33;symuu33;c:\windows\system32\drivers\symuu33.sys []
S1 usbccgpp;usbccgpp;c:\windows\system32\drivers\usbccgpp.sys []
S2 0220071229998600mcinstcleanup;McAfee Application Installer Cleanup (0220071229998600);c:\windows\temp\022007~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service []
S3 ApacheHTTPServer;Apache HTTP Server;"c:\program files\apache software foundation\apache2.2\bin\httpd.exe" -k runservice [2006-7-27 20539]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-20 33832]
S3 Tomcat6;Apache Tomcat;"c:\program files\apache software foundation\tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6 [2008-1-28 57344]
S4 AAOH;AAOH;c:\docume~1\admini~1\locals~1\temp\AAOH.exe []
S4 IDTLIY;IDTLIY;c:\docume~1\graeham\locals~1\temp\IDTLIY.exe []
S4 IFCGAIERE;IFCGAIERE;c:\docume~1\graeham\locals~1\temp\IFCGAIERE.exe []

=============== Created Last 30 ================

2008-12-29 12:15 <DIR> --d----- C:\bintheredunthat
2008-12-29 11:09 <DIR> --d----- c:\program files\Enigma Software Group
2008-12-27 13:25 1,306,974 ---sh--- c:\windows\system32\kpkmkkam.ini
2008-12-27 13:22 129,024 a------- c:\windows\system32\ylqjurmf.dll
2008-12-22 18:18 1,661,209 ---sh--- c:\windows\system32\ahitqvma.ini
2008-12-22 18:12 129,024 a------- c:\windows\system32\nkfuclqg.dll
2008-12-16 22:01 1,646,211 ---sh--- c:\windows\system32\jiliacbn.ini
2008-12-16 21:58 129,024 a------- c:\windows\system32\gwvtxpdi.dll
2008-12-16 20:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2008-12-16 20:23 61,224 a------- c:\documents and settings\graeham\GoToAssistDownloadHelper.exe
2008-12-16 20:07 <DIR> --d----- c:\docume~1\graeham\applic~1\McAfee
2008-12-15 21:58 1,646,212 ---sh--- c:\windows\system32\mxqckdea.ini
2008-12-15 21:57 129,024 a------- c:\windows\system32\dgjufyug.dll
2008-12-15 20:54 121 ---sh--- c:\windows\system32\mqtkrioo.ini
2008-12-15 20:54 129,024 a------- c:\windows\system32\imkvtrol.dll
2008-12-14 20:15 129,024 a------- c:\windows\system32\stwnrodo.dll
2008-12-14 20:10 1,647,120 ---sh--- c:\windows\system32\nldygcxk.ini
2008-12-14 20:10 72,704 a------- c:\windows\system32\kxcgydln.dll
2008-12-13 14:32 0 a------- C:\Documents
2008-12-13 14:25 <DIR> --d----- c:\docume~1\graeham\applic~1\Scooter Software
2008-12-13 14:24 <DIR> --d----- c:\program files\Beyond Compare 3
2008-12-13 12:59 129,024 a------- c:\windows\system32\xueddrbt.dll
2008-12-13 12:59 116,736 a------- c:\windows\system32\dbusidhw.dll
2008-12-13 12:58 704,313 a--sh--- c:\windows\system32\yceMnnmp.ini2
2008-12-13 12:58 704,313 a--sh--- c:\windows\system32\yceMnnmp.ini
2008-12-10 23:24 <DIR> --d----- C:\ComboFix
2008-12-09 21:53 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-09 21:53 73,728 a------- c:\windows\system32\javacpl.cpl
2008-12-09 21:50 19 a------- c:\documents and settings\graeham\killbat.bat
2008-12-08 22:32 <DIR> a-dshr-- C:\cmdcons
2008-12-07 19:30 250 a------- c:\windows\gmer.ini
2008-12-06 11:27 <DIR> --d----- c:\program files\Panda Security
2008-12-06 11:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2008-12-03 22:01 <DIR> --d----- C:\backup
2008-12-03 21:44 <DIR> --d----- c:\program files\Trend Micro
2008-12-03 21:25 <DIR> --d----- C:\BFU
2008-12-03 21:01 <DIR> --d----- c:\program files\CleanUp!

==================== Find3M ====================

2008-11-04 07:37 96,384 a------- c:\windows\system32\drivers\sptd2205.sys
2008-11-03 23:55 88,959 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-24 03:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 04:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2008-10-17 02:08 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 05:11 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 05:11 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 09:25 2,892,144 a------- c:\windows\system32\Procmon.exe
2008-10-15 09:25 644,976 a------- c:\windows\system32\autoruns.exe
2008-10-15 09:25 538,480 a------- c:\windows\system32\autorunsc.exe
2008-10-15 08:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 23:06 633,632 -------- c:\windows\system32\dllcache\iexplore.exe
2008-10-14 23:04 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-10-03 02:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-10-03 02:02 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2006-02-11 19:57 3,568 a------- c:\program files\Absynth 1.3 prefs.ini
2006-07-16 08:56 104 ---shr-- c:\windows\system32\0A563CDB5B.sys
2006-08-25 20:26 6,686 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 21:48:06.45 ===============

Edited by bleedgreen, 30 December 2008 - 02:50 AM.
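The DDS log above already carries the indicators a log reviewer would pivot on: an LSA "Authentication Packages" entry beyond the stock msv1_0, S-type services and drivers whose file DDS prints with an empty [] or whose image lives under a temp directory, and a run of 129,024-byte DLLs in system32 each created a few minutes before a hidden+system .ini file. The Python below is an added example, not code from this thread or from the DDS tool: it parses those three line shapes and flags them. The sample is a handful of lines copied from the log above, not a complete DDS log; reading an empty [] as "file not found on disk" is an assumption about DDS output; and the pairing rule (a hidden .ini whose name is the reverse spelling of a name seen elsewhere, as with kpkmkkam.ini and makkmkpk.dll, or yceMnnmp.ini and the pmnnMecy LSA entry) is an observation from this particular log, not a general malware rule.

```python
import re

# Constructed sample: a handful of lines copied from the DDS log posted above
# (the LSA line, some SERVICES / DRIVERS entries, some Created Last 30 entries).
# It is not a complete DDS log; the parser only needs these three line shapes.
SAMPLE_DDS = r"""
LSA: Authentication Packages = msv1_0 c:\windows\system32\pmnnMecy

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-20 201320]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys []
S1 symuu33;symuu33;c:\windows\system32\drivers\symuu33.sys []
S4 AAOH;AAOH;c:\docume~1\admini~1\locals~1\temp\AAOH.exe []
S4 IDTLIY;IDTLIY;c:\docume~1\graeham\locals~1\temp\IDTLIY.exe []

=============== Created Last 30 ================

2008-12-27 13:25 1,306,974 ---sh--- c:\windows\system32\kpkmkkam.ini
2008-12-27 13:22 129,024 a------- c:\windows\system32\ylqjurmf.dll
2008-12-22 18:18 1,661,209 ---sh--- c:\windows\system32\ahitqvma.ini
2008-12-22 18:12 129,024 a------- c:\windows\system32\nkfuclqg.dll
2008-12-13 12:58 704,313 a--sh--- c:\windows\system32\yceMnnmp.ini
2008-12-09 21:53 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-09 21:53 73,728 a------- c:\windows\system32\javacpl.cpl
"""

LSA_RE = re.compile(r"^LSA: Authentication Packages = (?P<pkgs>.+)$")
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<cmd>.+?) \[(?P<stamp>[^\]]*)\]$")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d (?P<size>[\d,]+) (?P<attrs>\S{8}) (?P<path>.+)$")


def _stem(path):
    """Lowercase file name without directory or extension."""
    return path.lower().rsplit("\\", 1)[-1].split(".", 1)[0]


def lsa_extra_packages(log):
    """Entries in LSA Authentication Packages other than msv1_0, the only one
    a stock Windows XP install lists."""
    extra = []
    for line in log.splitlines():
        m = LSA_RE.match(line)
        if m:
            extra += [p for p in m.group("pkgs").split() if p.lower() != "msv1_0"]
    return extra


def suspicious_services(log):
    """Services/drivers whose file DDS did not find (empty [] stamp; an
    assumption about DDS output) or whose image sits under a temp directory."""
    hits = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        reasons = []
        if m.group("stamp") == "":
            reasons.append("file missing")
        if "\\temp\\" in m.group("cmd").lower():
            reasons.append("runs from temp")
        if reasons:
            hits.append((m.group("name"), ", ".join(reasons)))
    return hits


def system32_random_names(log):
    """Newly created system32 files with 8-letter names: hidden+system .ini
    files and plain .dll files, the shape seen in the posted log.  Name shape
    alone also catches legitimate files (deploytk.dll is Java), so this is a
    candidate list, not a verdict."""
    inis, dlls = [], []
    for line in log.splitlines():
        m = CREATED_RE.match(line)
        if not m:
            continue
        path, attrs = m.group("path").lower(), m.group("attrs")
        if "\\system32\\" not in path:
            continue
        stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
        if not re.fullmatch(r"[a-z]{8}", stem):
            continue
        if ext == "ini" and "s" in attrs and "h" in attrs:
            inis.append(stem)
        elif ext == "dll":
            dlls.append(stem)
    return inis, dlls


def reversed_name_pairs(log, known_bad=()):
    """Pair each hidden .ini with a name seen elsewhere that is its reverse
    spelling (kpkmkkam.ini <-> makkmkpk.dll, yceMnnmp.ini <-> pmnnMecy in this
    log).  known_bad lets the caller add names Spybot or ProcMon reported."""
    inis, dlls = system32_random_names(log)
    pool = set(dlls) | {_stem(p) for p in lsa_extra_packages(log)} | {_stem(p) for p in known_bad}
    return sorted((ini, ini[::-1]) for ini in inis if ini[::-1] in pool)


if __name__ == "__main__":
    print("LSA extras:", lsa_extra_packages(SAMPLE_DDS))
    print("services:", suspicious_services(SAMPLE_DDS))
    print("ini/dll pairs:", reversed_name_pairs(SAMPLE_DDS, [r"c:\windows\system32\makkmkpk.dll"]))
```

On the sample, the name-shape check alone lists deploytk.dll (a Java component from the same log) next to the random-looking DLLs, which is why the pairing check and the LSA and service checks are the ones worth acting on; the name list is only a starting point for research.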


#2 bleedgreen

Posted 30 December 2008 - 03:34 PM

Okay, so I attempted to update Windows, which led me to realize that the Windows Security Alert was real. Let me explain.

When the virus was alive and well, generating popups, there was a Windows Security Alert. I clicked on it to see what the problem was and the firewall was turned off. I then clicked and turned it back on and closed the window, but the Alert was still there afterwards, and clicking on the alert again would bring up the same page showing that the firewall was off. Since there were other spoof behaviors going on, I thought that the alert itself was fake.

However, after using BFU on the files mentioned above, I have not had any popups, but I have had the alert. When at the Windows Update website, it said it could not update because some services were off. I went through the step-by-step procedure to turn on the services and turned on the Windows Firewall (removing nearly all firewall exceptions). Windows was then able to update (albeit the only update was for IE which I don't use).

I have since restarted my PC and there are no signs of bad behavior, no Windows Security Alert, no mysterious rundll32.dll's running, no popups.

So after all that, what I am trying to say is:
I think what was happening with the Windows Security Alerts was that there was some viral process that would monitor the firewall and continually turn it off if it got turned on. Therefore, I believe the alerts were NOT fake.



As I mentioned, I have not experienced any bad behavior for a few reboots and a few hours. I left my PC on overnight for a Kaspersky scan (which revealed nothing). So my PC was connected to the internet after a fresh reboot and no process killing for about 10 hours and there have been no pop ups or bad behavior.

I have had this lull in bad behavior before and it all came back, so I am not hanging my hat up yet.

I will report back and explain my cleansing steps in further detail if this has, in fact, done the trick.

Regards,

- Bleed Green

#3 fenzodahl512

Posted 05 January 2009 - 06:22 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.


Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..



#4 bleedgreen

Posted 07 January 2009 - 02:06 AM

Thanks, but I fixed it as I stated earlier.

So the following are the steps I used to get rid of my virus(es). It is copied from an email I wrote for a friend that had similar virus behavior.

- First you need to get your system up-to-date and remove all old security holes.
- this includes removing the old versions and updating to the latest for all your malware protection/scanners and stuff like Java and browsers that can be exploited

- Throughout the removal steps, use ProcessExplorer to monitor the behavior of processes. It can also be used to kill the ones you know are bad if you are not going to scan on the current boot. Killing "may" prevent the virus behavior and "may" prevent new viruses from being added.
- At this point I would start a forum post; sometimes it may take a few hours/days before an expert responds. They will usually have you run some scans and post the logs for your initial post; read the forum rules. I would keep moving forward with the rest of these steps and lean on the experts for help with researching weird processes. Always keep them updated with what you have done though.
- Reboot into Safe Mode and run CleanUp!
- Reboot into Safe Mode and run HijackThis! and research and remove all malicious entries. You might want to consult the forums.
- Reboot into Normal Mode and do NOT do anything except run Kaspersky scan. Research the results, remove what you can/know-is-bad. Consult the forum experts if you have any questions.
- Reboot into Normal Mode and do NOT do anything except run Panda scan. Research the results, remove what you can/know-is-bad. Consult the forum experts if you have any questions.
- Reboot into Normal Mode and do NOT do anything except run RootkitRevealer. Research the results, remove what you can/know-is-bad. Consult the Sysinternals forum experts if you have any questions.

Doing that should greatly reduce the effects of the virus.

Now the way I got rid of the root was the following:
- I copied the path of the file that Spybot caught adding itself to the registry. This is a bad file.
- Load ProcessMonitor and set it to monitor on startup
- Reboot (into normal mode)
- once the pc settles after startup, load ProcessMonitor. It will prompt you to save the startup log, do so. It should also load it into the ProcMon.
- In ProcMon, add a Filter {Path . is . <pathOfBadFile>} for every bad file path you have.
- If events show up after filtering, go to their Properties, and then the Process tab.
- Under Modules, look at each of THEIR properties. The ones with no information (no company and no version, etc.) or any suspicious ones, research. In my experience the ones with no info were the bad ones.
- Copy-paste all the paths of the modules you KNOW are bad into a new text file. One path on each line.
- I then added those paths to the Brute Force Uninstaller input file. Ran BFU. Rebooted.

I think that is what got rid of it. I then turned on The Windows Firewall that it had turned off, updated my Windows, and did the scanning steps again.



I have been clean ever since.

I hope this helps.
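The ProcMon pivot in the steps above (filter on the known-bad path, open the matching process, read off what it loaded) can be run over a CSV export instead of by clicking through each event's Properties. The script below is an added example, not the author's procedure and not a Process Monitor feature: it takes a CSV in the shape of a ProcMon export (the column names and the "Command line:" wording in the Process Start detail are assumptions about the export format), finds the PIDs that started with or loaded the bad DLL, and lists every image those PIDs loaded that is absent from a baseline of Load Image paths captured on a known-clean machine. The baseline diff stands in for the author's "no company/version info" check, which needs the files present on disk; the rows and the baseline are constructed, using the file names from this thread.

```python
import csv
import io
import re

# Constructed sample in the shape of a Process Monitor CSV export.  The column
# names and the "Command line:" wording in the Process Start detail are
# assumptions about the export format; the file names are the ones named in
# this thread, the PIDs and image addresses are made up.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1","explorer.exe","1208","Load Image","C:\WINDOWS\system32\shell32.dll","SUCCESS","Image Base: 0x7c9c0000, Image Size: 0x817000"
"9:01:03.4","rundll32.exe","1840","Process Start","","SUCCESS","Parent PID: 1208, Command line: ""C:\WINDOWS\system32\rundll32.exe"" ""C:\WINDOWS\system32\makkmkpk.dll"",b"
"9:01:03.5","rundll32.exe","1840","Load Image","C:\WINDOWS\system32\rundll32.exe","SUCCESS","Image Base: 0x1000000, Image Size: 0x6000"
"9:01:03.5","rundll32.exe","1840","Load Image","C:\WINDOWS\system32\kernel32.dll","SUCCESS","Image Base: 0x7c800000, Image Size: 0xf6000"
"9:01:03.6","rundll32.exe","1840","Load Image","C:\WINDOWS\system32\makkmkpk.dll","SUCCESS","Image Base: 0x10000000, Image Size: 0x20000"
"9:01:03.7","rundll32.exe","1840","Load Image","C:\WINDOWS\system32\ctrzax.dll","SUCCESS","Image Base: 0x380000, Image Size: 0x1f000"
"9:01:03.7","rundll32.exe","1840","Load Image","C:\WINDOWS\system32\yvbvti.dll","SUCCESS","Image Base: 0x3a0000, Image Size: 0x1f000"
"9:01:04.0","svchost.exe","1096","Load Image","C:\WINDOWS\system32\kernel32.dll","SUCCESS","Image Base: 0x7c800000, Image Size: 0xf6000"
'''

# Constructed baseline: Load Image paths recorded on a known-clean machine.
# In practice this is a second ProcMon export from a clean box, reduced to
# the distinct paths of its Load Image events.
CLEAN_BASELINE = [
    r"C:\WINDOWS\system32\rundll32.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\shell32.dll",
]


def _norm(path):
    """Case-insensitive comparison key; Windows paths are case-insensitive."""
    return path.lower()


def parse_rows(csv_text):
    """Rows of the export as dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(csv_text.strip())))


def tainted_pids(rows, bad_paths):
    """PIDs that loaded a known-bad file or were started with it on the
    command line: the post's {Path is <bad file>} filter, widened so a DLL
    passed to rundll32.exe is caught before its Load Image event."""
    bad = {_norm(p) for p in bad_paths}
    pids = set()
    for r in rows:
        if _norm(r["Path"]) in bad:
            pids.add(r["PID"])
        elif r["Operation"] == "Process Start":
            # Quoted tokens in the command line are paths.
            for quoted in re.findall(r'"([^"]+)"', r["Detail"]):
                if _norm(quoted) in bad:
                    pids.add(r["PID"])
    return pids


def loaded_modules(rows, pids):
    """Every image each tainted PID loaded, in event order."""
    mods = {}
    for r in rows:
        if r["PID"] in pids and r["Operation"] == "Load Image":
            mods.setdefault(r["PID"], []).append(r["Path"])
    return mods


def candidates(csv_text, bad_paths, baseline):
    """Modules loaded by tainted PIDs that never appear in the clean baseline.
    These are the paths to research (and, once confirmed, to remove)."""
    rows = parse_rows(csv_text)
    base = {_norm(p) for p in baseline}
    out = []
    for mods in loaded_modules(rows, tainted_pids(rows, bad_paths)).values():
        for m in mods:
            if _norm(m) not in base and m not in out:
                out.append(m)
    return out


if __name__ == "__main__":
    for path in candidates(SAMPLE_PROCMON_CSV, [r"C:\WINDOWS\system32\makkmkpk.dll"], CLEAN_BASELINE):
        print(path)
```

On the sample this yields makkmkpk.dll itself plus ctrzax.dll and yvbvti.dll, the two modules the first post found by hand. A module that is missing from the baseline is a lead, not proof: the baseline must come from the same Windows version and patch level, or every legitimate update will show up as a candidate.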

#5 fenzodahl512

Posted 07 January 2009 - 03:40 AM

Thanks for notify us.. I will now close this topic.. Should you need to reopen this topic, please pm Moderator/HJT Team with the link of this topic..





