malware/virus that won't die


21 replies to this topic

#1 nikster


Posted 13 February 2009 - 01:38 PM

Hi all,

It seems that my PC got infected with either a virus or malware that is pretty persistent and malicious.

I had a tech look at my PC and he ended up formatting my entire PC and using my OEM discs of Windows XP Pro.
When I received my PC back, I noticed that I was still having problems. True, they were tiny, but I have been on a PC long enough to know that it was not working like a "freshly formatted" PC.

One of the symptoms was I could not access Internet Options in IE. I received the error that it was not available due to restrictions (or something like that).
I could not access Windows Update, and Flash would not work (no sound).

I turned off Windows Restore and ran Malwarebytes, and it got rid of a trojan (or so it says). I ran AVG and everything came up clean, and everything was working as it should.

I turned ON Windows Restore, and all the problems suddenly reappeared! So I had to turn it off again and re-run Malwarebytes and AVG, which came up with the SAME errors again.

Now how do I get rid of this?

I have a suspicion it is somewhere in my _restore folder, since the error only appears when I turn Windows Restore ON.

I am at the end of my rope here, any ideas?
I would love to put System Restore back on and not be running a PC that has a friggin virus somewhere.


MALWARE LOG
Malwarebytes' Anti-Malware 1.33
Database version: 1743
Windows 5.1.2600 Service Pack 3

2/11/2009 2:11:22 PM
mbam-log-2009-02-11 (14-11-22).txt

Scan type: Quick Scan
Objects scanned: 61618
Time elapsed: 6 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bEvtService.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\Mozilla Firefox\setupapi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\setupapi.dll (Trojan.BHO) -> Quarantined and deleted successfully.




Please note: once I turn System Restore ON, all these return.

I have HJT but have not run it yet (never used it before and don't want to screw anything up).

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

#2 Helio


Posted 13 February 2009 - 01:52 PM

Did he do a repair install or a complete reformat? Nothing should have remained if he did the latter. Well, maybe a boot virus, but how likely is that?
Resistance is futile.

#3 nikster


Posted 13 February 2009 - 02:05 PM

Honestly, I do not know. I am just disgusted at the waste of $$.

Anyhow, if there is a virus it should be able to be removed, right? (crossing fingers here)

#4 Helio


Posted 13 February 2009 - 03:39 PM

Do you know how to disable System Restore? You should do that, then run a boot-time virus scan before re-enabling it. I use Avast, but your AV may have that feature also.

#5 boopme


Posted 13 February 2009 - 03:43 PM

Please don't disable System Restore yet. We at BC feel it is better to have an infected restore point than none at all while cleaning. We can fix the points at the end.
Rerun MBAM:

Open MBAM in normal mode and click the Update tab, then select Check for Updates. When done,
click the Scanner tab, select Quick Scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

Then, from your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 method:
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER:
Open it from the desktop icon or the Programs list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete Scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 Helio


Posted 13 February 2009 - 04:17 PM

Niks, I would do what he said :)

My apologies, boop, I didn't realize that disabling System Restore was a bad thing. It's just that it's worked for me in the past when removing a stubborn virus.

I read about it here: http://antivirus.about.com/od/windowsbasic...stemrestore.htm

"To remove the malware, you must first disable System Restore, then scan the system with up-to-date antivirus software - allowing it to clean, delete, or quarantine any viruses found. After the system has been disinfected, you may then re-enable System Restore."

#7 boopme


Posted 13 February 2009 - 04:25 PM

It's OK, Helio. Many sites still advise that. We have found it better, though, to leave it and all that gets placed there throughout the removal process and clean them out last. Mostly based on the premise that if something goes wrong, and it can, we can at least go back to the infected state and start over, but not be forced to reinstall the OS.

#8 nikster


Posted 14 February 2009 - 01:03 AM

OK, here is the MBAM log
with System Restore ON:
Malwarebytes' Anti-Malware 1.34
Database version: 1761
Windows 5.1.2600 Service Pack 3

2/14/2009 1:01:45 AM
mbam-log-2009-02-14 (01-01-45).txt

Scan type: Quick Scan
Objects scanned: 76552
Time elapsed: 1 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 boopme


Posted 14 February 2009 - 09:37 AM

Good, that's clear. Now the SAS log, so we can see if it's all out.

#10 nikster


Posted 14 February 2009 - 10:12 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/14/2009 at 06:38 AM

Application Version : 4.25.1012

Core Rules Database Version : 3758
Trace Rules Database Version: 1721

Scan type : Complete Scan
Total Scan Time : 05:22:22

Memory items scanned : 199
Memory threats detected : 0
Registry items scanned : 6870
Registry threats detected : 9
File items scanned : 162926
File threats detected : 0

Rogue.AntiSpywareExpert
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC\0000#DeviceDesc
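An added check, not part of the thread or of any tool in it: the SAS hits above are `LEGACY_CBEVTSVC` keys under `Enum\Root`, which Windows writes when a service is registered and which stay behind after the service and its binary (`bEvtService.exe`, the MBAM detection in post #1) are deleted. The script below was written for this page; it assumes Windows PowerShell (2.0 or later) started as Administrator, and uses the names from these logs only as the kind of entry it is meant to surface. It lists `LEGACY_*` keys with no matching service (residue) and services whose binary is missing or not validly Authenticode-signed (leads to triage).

```powershell
# Added example for this thread, not code from the original post. Assumes Windows
# PowerShell (2.0 or later) started as Administrator. CBEVTSVC / bEvtService.exe are
# taken from the logs above only as the kind of entry this is meant to surface.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$enumRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'

# Check 1: LEGACY_<name> keys whose service no longer exists. This is what SAS
# flagged above: MBAM removed the service binary, but the PnP enumeration record
# for the service was left behind.
function Get-OrphanedLegacyKey {
    Get-ChildItem $enumRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'LEGACY_*' } |
        ForEach-Object {
            $svc = $_.PSChildName.Substring('LEGACY_'.Length)
            if (-not (Test-Path (Join-Path $servicesKey $svc))) {
                New-Object PSObject -Property @{
                    Finding = 'OrphanedLegacyKey'
                    Service = $svc
                    Key     = $_.Name
                }
            }
        }
}

# Check 2: registered services and drivers whose on-disk binary is missing or does
# not carry a valid Authenticode signature. An unsigned binary with a generic name
# sitting in system32 (bEvtService.exe in this thread) is worth a second look.
function Get-UnsignedServiceBinary {
    Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $imagePath = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath) { return }

        # ImagePath comes in several shapes: "C:\x\y.exe" -args, \??\C:\x\y.sys,
        # \SystemRoot\system32\drivers\z.sys, system32\drivers\z.sys,
        # %SystemRoot%\system32\svchost.exe -k netsvcs. Keep only the binary path.
        $m = [regex]::Match($imagePath, '^"?([^"]+?\.(exe|sys|dll))', 'IgnoreCase')
        if (-not $m.Success) { return }
        $exe = [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value)
        $exe = $exe -replace '^\\\?\?\\', ''
        $exe = $exe -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $env:SystemRoot $exe }

        if (-not (Test-Path $exe)) {
            # Binary already gone (for example MBAM's "Delete on reboot"), service entry remains.
            New-Object PSObject -Property @{ Finding = 'MissingBinary'; Service = $_.PSChildName; Path = $exe }
            return
        }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') {
            New-Object PSObject -Property @{ Finding = "Signature:$($sig.Status)"; Service = $_.PSChildName; Path = $exe }
        }
    }
}

Get-OrphanedLegacyKey    | Format-Table Finding, Service, Key  -AutoSize
Get-UnsignedServiceBinary | Format-Table Finding, Service, Path -AutoSize
```

Two caveats on reading the output. On XP and Windows 7 many Microsoft binaries are catalog-signed rather than embedded-signed, so `Get-AuthenticodeSignature` reports `NotSigned` for them; treat the second list as something to compare against a known-clean machine (or check each file's hash with the vendor), not as a verdict. Orphaned `LEGACY_*` keys are harmless by themselves; their value is that they record that a service with that name was installed at some point, which is how the SAS log above still names the service after its file was gone.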

#11 nikster


Posted 14 February 2009 - 10:18 AM

So far everything seems to be working OK; the only thing that seems out of par is the startup time,
from when I turn the machine on to having Windows started.

But again, all other issues seem to be gone at this time.

#12 boopme


Posted 14 February 2009 - 10:22 AM

OK, that's good. Do this next. Then start a new topic in the XP forum to have someone review your startup list.

Now you should create a new restore point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
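The same two steps as a script, added here for this page and not part of the post above. It is the Vista-and-later equivalent of the Disk Cleanup procedure: on those versions each restore point is backed by a VSS shadow copy, so "delete all but the most recent" means deleting every `Win32_ShadowCopy` instance except the newest one. It assumes Windows PowerShell run as Administrator (`Checkpoint-Computer` and `Get-ComputerRestorePoint` exist in Windows PowerShell only, not in PowerShell 7). On XP, the OS in this thread, System Restore does not use shadow copies, so the Disk Cleanup steps above are the way to do it there.

```powershell
# Added example, not from the post above. Windows Vista or later, Windows PowerShell
# run as Administrator. Creates a fresh restore point, then deletes every older one.

$drive = "$env:SystemDrive\"

# Make sure System Restore is on for the system drive (no-op if it already is).
Enable-ComputerRestore -Drive $drive

# Create the post-cleanup point. Windows 8 and later refuse a second point within
# 24 hours of the previous one unless SystemRestorePointCreationFrequency is lowered.
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS

$newest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
"Keeping restore point {0}: {1}" -f $newest.SequenceNumber, $newest.Description

# Each restore point is a persistent shadow copy. Sort by creation time and delete
# all but the last. InstallDate is a WMI datetime string (yyyyMMddHHmmss...), so
# string order is chronological order.
$shadows = @(Get-WmiObject Win32_ShadowCopy | Sort-Object InstallDate)
if ($shadows.Count -gt 1) {
    $shadows[0..($shadows.Count - 2)] | ForEach-Object {
        "Deleting shadow copy {0} created {1}" -f $_.ID, $_.InstallDate
        $_.Delete()
    }
}

# Verify: exactly one restore point should remain, and it should be the new one.
Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
```

Note that `Win32_ShadowCopy` covers every volume, so this also removes older shadow copies on data drives (the "Previous Versions" history), which is the same thing the Disk Cleanup "all but the most recent restore point" button does. If you only want the system drive, filter on `VolumeName` against the matching `Win32_Volume.DeviceID` before deleting.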

#13 nikster


Posted 14 February 2009 - 09:58 PM

OMG! Awesome! So far my machine is working great!
Thank you so much for all your help!
You are the best!

#14 boopme


Posted 14 February 2009 - 10:13 PM

:thumbsup: Excellent.
You're welcome. Please take a moment to read quietman7's excellent prevention tips in post 17 here:
Tips to protect yourself against malware and reduce the potential for re-infection.

#15 nikster


Posted 18 February 2009 - 12:59 PM

DANG IT! It came back!



