
BAD INFECTION!


3 replies to this topic

#1 Unique666

Unique666

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:30 PM

Posted 07 March 2009 - 12:15 PM

I'm infected with a virus that prevents me from visiting any anti-virus website (web page times out), and I'm also being prevented from installing any type of anti-virus software. I receive a fake error message or the program won't even open at all. Whatever it is, it even works in safe mode since I still get directed to advertisements there.

There are no entries in my hosts file except 127.0.0.1, but my DNS was changed by the virus. I set the DNS back to normal, but I still get redirected and blocked from sites.

Programs I've tried so far:

Super Anti-Spyware - Web page won't load so I copied over the network, I received an error message when trying to install about how "Installing programs was disabled by my administrator". I re-enabled the Windows Installer service and got the software installed. Then, the program kept coming up with an error message on execution (see above link). I finally got it open somehow, but it didn't find any viruses when the scan completed.

Microsoft's removal tool - Web page won't load so I copied over the network. It mysteriously ends about half way through extracting the files.

Malware Bytes - Web page won't load so I copied over the network, installation went fine, but I cannot open the program. When I double click it, it shows an hour glass for a split second, and it never opens.

Hijackthis - Used it but nothing bad showed up.

SmitFraudFix - Used it but didn't fix anything.

Winsock fixer - Used it but didn't fix anything.

Eset Smart Security - I had this installed before I got the virus, and the database was up to date. It missed the virus and let me install it.

I know where I got the virus from if anyone wants to see it.

Edited by Unique666, 07 March 2009 - 12:22 PM.
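The original poster describes the two places an infection like this typically interferes with name resolution: the hosts file and the configured DNS servers. The following script is an added example, not code from the thread or from any tool it mentions. It parses a hosts file and flags entries for security-vendor domains that are sinkholed (pointed at a loopback or unspecified address) or redirected (pointed at some other address), and it compares the resolvers a machine is using against the ones the owner expects. The sample hosts file, the watched domains, and the resolver addresses are all constructed for illustration.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample hosts file; the vendor entries are the kind an
# infection would add to block or redirect updates (203.0.113.0/24 is a
# documentation range, not a real server).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.45    www.malwarebytes.org
203.0.113.45    www.superantispyware.com   # same address for several vendors
0.0.0.0         update.eset.com
"""

# Domains whose presence in a hosts file is itself suspicious.
# Assumption: a real checker would carry a much longer vendor list.
WATCHED_DOMAINS = {
    "malwarebytes.org",
    "superantispyware.com",
    "eset.com",
    "microsoft.com",
}

# Assumption: the resolver(s) the owner originally configured (e.g. the home router).
EXPECTED_DNS = {"192.168.1.1"}

# On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for every mapping in a hosts file.

    Comments (after '#') and blank or malformed lines are skipped; one line
    may map several hostnames to the same address.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; ignore rather than guess
        for host in parts[1:]:
            entries.append((lineno, str(addr), host.lower()))
    return entries


def is_watched(host: str) -> bool:
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_hosts_entries(text: str) -> List[Dict[str, object]]:
    """Flag hosts-file entries that sinkhole or redirect watched domains."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if host == "localhost" and addr.is_loopback:
            continue  # the one entry a clean file normally carries
        if not is_watched(host):
            continue
        sinkholed = addr.is_loopback or addr.is_unspecified
        findings.append({
            "line": lineno,
            "host": host,
            "ip": ip,
            "kind": "sinkholed" if sinkholed else "redirected",
        })
    return findings


def unexpected_resolvers(configured: Iterable[str],
                         expected: Iterable[str] = EXPECTED_DNS) -> List[str]:
    """Return configured DNS servers that are not in the expected set."""
    return sorted(set(configured) - set(expected))


if __name__ == "__main__":
    for f in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
    # Constructed resolver list: the router plus one address the owner never set.
    for dns in unexpected_resolvers(["192.168.1.1", "198.51.100.7"]):
        print(f"unexpected DNS server: {dns}")
```

To run it against a real machine, read WINDOWS_HOSTS_PATH instead of SAMPLE_HOSTS and pass the resolver addresses from the adapter's TCP/IP settings; a clean result from this script does not rule out other redirection (a rootkit filtering traffic, for instance), which is why the thread moves on to GMER.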



#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:30 PM

Posted 07 March 2009 - 04:58 PM

Hello.

Does sound like a very bad infection. I suspect a rootkit is involved here. We also may need you to start another topic in the Malware Removal forum.

Hijackthis - Used it but nothing bad showed up.

How do you know nothing "bad" showed up?

See if you can run any of those tools (MBAM or SAS) in Safe Mode. Also try renaming the actual ".exe" file itself to something else such as "random.exe" and see if it runs.

How to Boot into Safe Mode

I suggest you read over the instructions on how to boot into Safe Mode and then print these instructions out or save them in Notepad because you won't have access to this page while in Safe Mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.
Your computer will proceed to boot into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot like usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.


Additional instructions on booting into Safe Mode can be found here

Let me know how it goes. If it still won't work, let me know. Also try running GMER; it may not work, so you may need to transfer it from another computer.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
    • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
    • Click on the Scan and wait for the scan to finish.
      Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
    • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan.

I know where I got the virus from if anyone wants to see it.

I suggest you DO NOT post it in this topic or any other public topic as if someone accidentally clicks the link they may get infected. You can PM me the link or kill the link if you wish.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 NSF

NSF

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:30 PM

Posted 07 March 2009 - 05:20 PM

I seem to have the same or very similar problem(s). I'm attempting the gmer advice but uncertain if I do that in "safe mode." That's where I'll try it.

I would like to know the link that the problem came from but understand why it shouldn't be posted. Now I'm curious how one can get a PM from this forum. I'm leery about posting my email here.

I'll keep an eye on this thread for a fix and try to apply the same to my system.

NSF

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:30 PM

Posted 07 March 2009 - 05:24 PM

Hello.

@NSF
I suggest you stick to your own topic over here. It is not that I don't want to help you but I just don't want to cause confusion like this. I'll perhaps take a look at your topic later and see.

To PM someone, click their Profile, scroll down to where it says "Send Message". Then you can PM them.

With Regards,
Extremeboy



