
MS Antispyware 2009 afflicted...



#1 Quasi5

Posted 07 February 2009 - 05:30 AM

I was unfortunate enough to visit an internet site that installed "MS Antispyware 2009" on my computer. I've tried researching and learning what I could from looking through files and reading what I could find on the internet. So far I've reformatted my drive twice with little success. Probably because the drive is dual partitioned and I really don't want to lose what I have on the second partition.

I've run HJT and LSPFix as well as Combofix. I had seen it listed on quite a few of the other sites I had visited before actually visiting this website, so I wasn't aware not to run it without being instructed. Sorry!

I have 2 hard drives, one being partitioned for the O/S (WinXP Pro SP2). I just reformatted for the second time and ran Combofix first and it showed this:

Rootkit;
c:\windows\system32\twext.exe

Also I noticed each time I've rebooted, the hosts file has this added to it:
127.0.0.1 Zief.pl

Considering all of my problems stemmed from a website called ***.something.pl, that kind of makes sense.

Hope you can steer me in the right direction. Thank you!

Edited by Quasi5, 07 February 2009 - 07:14 AM.



#2 boopme


Posted 07 February 2009 - 11:06 PM

Hello, that is an IRC/Bot rootkit called W32/Virut.h: http://vil.nai.com/vil/content/v_143034.htm

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to a known clean computer and change any passwords or security information held on the infected computer. In particular, check whatever relates to online banking financial transactions, shopping, credit cards, or sensitive personal information. It is also wise to contact your financial institutions to apprise them of your situation.

We will do our best to clean the computer of any infections seen on the log. However, because of the nature of this Trojan, I cannot offer a total guarantee that there are no remnants left in the system, or that the computer will be trustworthy.

Many security experts believe that once infected with this type of Trojan, the best course of action is to reformat and reinstall the Operating System. Making this decision is based on what the computer is used for, and what information can be accessed from it.

Knowing the above, let us know if you wish to proceed.


Did you do a low level format prior to reinstall? Are there any Flash, USB, etc. drives being reconnected to the PC that may have had contact and are reinfecting it?

You can try the AVG Virut Remover. Follow the instructions exactly as specified and pay close attention to the instructions including the note on administrator rights. If that does not work, there may be no recovery from this infection. The only thing you can do then is reformat and reinstall Windows.

Virut/Virtob is contracted and spread by visiting remote, crack and keygen sites. Those who attempt to get software for free may end up with a computer system so badly damaged that recovery is not possible and a Repair Install will NOT help! Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over, reformatting the drive and performing a clean install removes everything.

Use the free version of Killdisk.
One of the best sources of Information on reformatting and reinstall is http://www.michaelstevenstech.com/

#3 Quasi5

Quasi5
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:10 AM

Posted 15 February 2009 - 03:46 AM

When I had reformatted the drive the first time, I had only wiped the O/S partition. At first that seemed to work. After reinstalling drivers and minimal software it was reinfected. I had visited a site to watch a GTA 4 gamer video and it asked to install a type of viewer and that's when all of this started happening.

I reformatted, a second time, into 1 partition and reloaded XP a second time. Then I started to install software and drivers from my second separate drive. The only way I knew of to check to see if the system was infected again was to check the hosts file to see if that redirect had been added. Sure enough it had been added... the system was reinfected. That was after scanning with BD2008/2009, ComboFix, Hijackthis, SuperAntiSpyware, Malware, rmvirut...nothing was left to find. Or so I thought. Back to the drawing board.

I've reformatted 3 times so far. I've deleted everything except .avi (lost a ton of items collected over the years....ugh) and some compressed files off the second drive attached to the computer. I had read that the Virut could add itself to every .exe on your computer, so that prompted me to delete everything except non-executables off the second drive. I did a little more reading and ran across a listing for 'drweb' being a really good way to get rid of virut items. After reading some of your forum and seeing it being listed as something that was real (not like MS Antivirus 2009) I ran it....and sure enough it found Win32.Virut.56 was infecting my Linksys G setup.exe and a few other driver files. Arrghhh....

So...now I've done scans on my other computers (no infections) and I'm about to start reinstalling newly downloaded driver files. Fingers crossed.

After all of this I wonder if it's worth buying a hex editor program so I can check for stuff like that? Also makes me wonder how you guys do it, day in and day out....more patience than most I suppose.

Thank you for all of your advice and help. And, especially, for having such a comprehensive webforum for Joe Public to visit and learn from. I'll be in touch if this latest install starts to crumble...lol.

Edited by Quasi5, 15 February 2009 - 03:49 AM.
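The hosts-file check Quasi5 used as a reinfection indicator, written out as a small script. This is an added example, not code from any poster in the thread; the hosts file content is constructed (only the Zief.pl line comes from the thread), and the script reads the real file from whatever path is given on the command line (on Windows XP that is normally C:\Windows\System32\drivers\etc\hosts).

```python
import sys
from pathlib import Path

# Constructed sample of a hosts file after the modification the thread describes
# (a redirect for Zief.pl); the last line is a made-up entry to show a second pattern.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 Zief.pl
0.0.0.0   update.example-av.test   # constructed: would block an AV update server
"""

# Hostnames a clean default Windows hosts file maps to loopback.
EXPECTED = {"localhost"}
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping; comments and blanks are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        ip, *names = line.split()  # one IP, then one or more hostnames per line
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries

def suspicious_entries(text, expected=EXPECTED):
    """Flag every mapping a clean hosts file would not carry, with its kind:
    'sinkhole' (host silenced, e.g. an AV vendor) or 'redirect' (host sent elsewhere)."""
    flagged = []
    for ip, name, line_no in parse_hosts(text):
        if name in expected:
            continue
        kind = "sinkhole" if ip in SINKHOLE_IPS else "redirect"
        flagged.append((line_no, kind, ip, name))
    return flagged

def check_file(path):
    """Read a real hosts file and return its suspicious entries."""
    return suspicious_entries(Path(path).read_text(errors="replace"))

if __name__ == "__main__":
    # With no argument, analyse the constructed sample so the script runs anywhere.
    hits = check_file(sys.argv[1]) if len(sys.argv) > 1 else suspicious_entries(SAMPLE_HOSTS)
    for line_no, kind, ip, name in hits:
        print(f"line {line_no}: {kind:8} {ip} -> {name}")
```

Any hit is only an indicator: a sinkhole entry for a security vendor's update server is the kind of change the thread's malware makes, while a redirect of a bank or shopping hostname to a foreign IP is the more dangerous case and warrants changing passwords from a clean machine, as boopme advises.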


#4 Bfromaz

Bfromaz

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:10 AM

Posted 15 February 2009 - 03:40 PM

Just got rid of this today off a customer's PC. Combination of combofix, NAV, Malwarebytes and manual removal using HJT/process explorer. It did leave me a nice gift on my memory stick lol. Make sure you check any removable writable media.

Bfromaz



