virusremover 2009



#1 mikemak

Posted 10 April 2009 - 11:00 PM

Hi, somebody was helping me but I couldn't find the DrWeb scan log to post it. I have scanned with SAS, Malwarebytes, and SAS removes the threat but it comes back on reboot. I found the reg keys for this virus on PC Hell and think I found them in my reg but I don't want to touch them unless positive. A file in IE settings keys named 5.0 post platform, and a folder in EXT WINDOWS called "fake user profile", and I did have a fake ADMIN. folder added to my files that I deleted. My only symptoms have been my laptop will sometimes hang on a black screen during restart or first start up, and I did see the red shield in the bar when in safe mode telling me my Windows security was turned off; it wasn't. In normal mode it's not there. No pop ups or redirects but I know the virus keeps being found and comes back. I did have WeatherBug added somehow also, got rid of all but the "weatherbug gadgets" file hiding somewhere. I see SAS pass over it when it scans. Below are the latest scans from MBAM, SAS; I will post DrWeb if someone can tell me where to find the log. Thank you

http://www.superantispyware.com

Generated 04/10/2009 at 07:52 PM

Application Version : 4.24.1004

Core Rules Database Version : 3838
Trace Rules Database Version: 1794

Scan type : Complete Scan
Total Scan Time : 00:34:07

Memory items scanned : 130
Memory threats detected : 0
Registry items scanned : 5543
Registry threats detected : 0
File items scanned : 39117
File threats detected : 16

Adware.Tracking Cookie
C:\Users\mike\AppData\Roaming\Microsoft\Windows\Cookies\Low\mike@ads.pointroll[1].txt
C:\Users\mike\AppData\Roaming\Microsoft\Windows\Cookies\Low\mike@atdmt[1].txt
C:\Users\mike\AppData\Roaming\Microsoft\Windows\Cookies\Low\mike@doubleclick[2].txt
C:\Users\mike2\AppData\Roaming\Microsoft\Windows\Cookies\Low\mike2@ad.yieldmanager[2].txt
C:\Users\mike2\AppData\Roaming\Microsoft\Windows\Cookies\Low\mike2@advertising[1].txt
C:\Users\mike2\AppData\Roaming\Microsoft\Windows\Cookies\Low\mike2@doubleclick[2].txt
C:\Users\mike2\AppData\Roaming\Microsoft\Windows\Cookies\Low\mike2@mediaplex[1].txt
C:\Users\mike2\AppData\Roaming\Microsoft\Windows\Cookies\Low\mike2@questionmarket[2].txt
C:\Users\mike2\AppData\Roaming\Microsoft\Windows\Cookies\Low\mike2@revsci[2].txt
C:\Users\mike2\AppData\Roaming\Microsoft\Windows\Cookies\Low\mike2@tacoda[2].txt
C:\Users\mike2\AppData\Roaming\Microsoft\Windows\Cookies\Low\mike2@tribalfusion[2].txt
C:\Users\mike2\AppData\Roaming\Microsoft\Windows\Cookies\Low\mike2@xiti[1].txt

Trace.Known Threat Sources
C:\Users\mike2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PZXI1AK2\two[5].htm
C:\Users\mike2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PRPWMOXR\index[4].htm
C:\Users\mike2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BH8R7DV6\index[2].htm
C:\Users\mike2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BH8R7DV6\virusremover2009[1].jpg

Malwarebytes' Anti-Malware 1.36
Database version: 1961
Windows 6.0.6001 Service Pack 1

4/10/2009 8:31:27 PM
mbam-log-2009-04-10 (20-31-27).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 179298
Time elapsed: 32 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#2 boopme

Posted 10 April 2009 - 11:13 PM

Hi, have you looked in DrWeb.csv? Do a search for it. You can copy it to Notepad if needed.

There is not much showing in the logs; what symptoms are you experiencing?

Perhaps part 1 of S!Ri's SmitfraudFix will shed some light.
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Edited by boopme, 10 April 2009 - 11:14 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 mikemak

Posted 11 April 2009 - 08:30 AM

Hi, running SAS again this morning to see if it comes back. Along with the VIRUSREMOVER 2009 showing up in the SAS scan every time I reboot, I get random freezes; everything stops working including USB and keyboard, I get a black screen and I have to hold power to force shutdown. The laptop restarts and seems fine until the next freeze; it was 2-3 times a day, now it seems only on restarts or fresh start up. Also in safe mode during the DrWeb scan I got the fake red shield warning me that my "security center was turned off". That's about it but I know something's not right. During my SAS scan I see folders related to WeatherBug and its files but can't find any more to delete. I didn't install this program. Should this "FAKE USER FOLDER" be in the registry, and all the others that match what this virus uses? I see them; I don't want to make things worse by deleting them. Can I post a shot of them here? Going to look for the DrWeb scan and I will post, but it didn't find anything. Will run the tool above also if it works with Vista. Thanks a lot for your time.
UPDATE.. I found the file, it's long. Do I copy/paste the whole thing here?
UPDATE.. I just ran SAS again and just as I thought it's back again. It found, all in temp internet files/low/content/.IE5....: PRPWMOXR/index[4].htm, BH8R7DV6/index[2].htm, VQL2Z4MW/search[2].htm, PZXI1AK2LG[1].gif, PZXI1AK2/MBAM-VIRUSREMOVER2009[1].jpg, and virusremover2009. When I click your link for SmitfraudFix I get to type 1 search and it says access denied and closes? I am on an admin account.

Edited by mikemak, 11 April 2009 - 09:32 AM.


#4 boopme

Posted 11 April 2009 - 08:20 PM

Do you have any way to remove the hard drive and connect it as a slave drive to another PC and then scan it?

#5 mikemak

Posted 11 April 2009 - 10:20 PM

I have no idea. It's a Compaq C751NR 1.60GHz 2GB RAM Vista. I have a desktop with XP (old Dell 2400) and my daughter's new Acer netbook with XP that I just found the same virus on (virusremover2009). Since the last post I have scanned a few times with SAS and the virus seems to be doing more as time goes on; SAS found 8 files on the last scan, all of the above plus now it added PICTURE (maybe desktop) and video or something. Is it possible at this point to wipe clean and start over? I have no files to worry about because my pics, music, etc. have always been backed up 2-3 times. Will the virus just return? I have the backup on the D drive and I made a full backup when I got the laptop one year ago. The desktop (Dell) doesn't show any signs of being infected yet and none are set to share any files, though I realize they share a network so who knows. I have spent 3 days scanning with the following: Avira, SAS, DrWeb, Windows Defender (real time off), Windows Malware Removal Tool and Malwarebytes. If my only way is to start over anyway, should I create a restore point and try deleting those registry keys that I think belong to this virus? I have read which need to be deleted but the directions are not very clear. Well, any help would be great.

#6 boopme

Posted 11 April 2009 - 10:38 PM

Have you removed all these files at the end of this tutorial from your PC? Also run Flash Disinfector on all PCs and flash drives.
http://www.bleepingcomputer.com/malware-re...irusremover2009

Be sure you back up the registry before editing.


Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


A suggestion has been made that involves modifying the registry. Modifying the registry can be dangerous (and can render your system unbootable), so it's advisable that you make a backup of the registry before proceeding.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Registry Modifications

For more information about modifying the registry, see this Microsoft article: http://support.microsoft.com/default.aspx/kb/256986


Reformatting
Not an unwise decision to make. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to back up any autorun.ini or .exe files because they may be infected. Some types of malware may disguise themselves by adding and hiding their extension after the existing extension of files, so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best procedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.
==============================
2 guidelines/rules when backing up

1) Back up all your important data files: pictures, music, work etc., and save them onto an external hard drive. These files usually include .doc, .txt, .mp3, .jpg etc.
2) Do not back up any executable files or any Windows files. These include .exe, .scr, .com, .pif etc., as they may contain traces of malware. Also, .html or .htm files that are webpages should be avoided.
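One way to apply the two backup rules above as a file filter, written here as an added example (it is not a tool from the thread or from BleepingComputer). It uses the extensions the post lists, treats autorun files as never-copy, and catches the disguise the post warns about, where a data extension is followed by a hidden executable one, flagging anything unlisted for manual review:

```python
from typing import Dict, List, Tuple

# Rule 2 of the post: never copy these, they may carry the infection.
BLOCKED_EXTS = {".exe", ".scr", ".com", ".pif", ".htm", ".html"}
# Rule 1: the document/media types the post lists as the ones to keep.
DATA_EXTS = {".doc", ".txt", ".mp3", ".jpg"}
# Autorun files are called out separately in the post; compared case-insensitively.
BLOCKED_NAMES = {"autorun.inf", "autorun.ini"}


def all_suffixes(name: str) -> List[str]:
    """Every dotted suffix of a file name, lower-cased, with padding spaces removed.

    'photo.jpg   .exe' -> ['.jpg', '.exe'], so an executable extension hidden
    behind spaces or behind a data extension is still seen.
    """
    parts = name.strip().lower().split(".")
    return ["." + p.strip() for p in parts[1:] if p.strip()]


def backup_verdict(name: str) -> Tuple[bool, str]:
    """Decide whether one file is safe to copy to the backup drive under the post's rules."""
    if name.strip().lower() in BLOCKED_NAMES:
        return False, "autorun file"
    suffixes = all_suffixes(name)
    if not suffixes:
        return False, "no extension; review manually"
    last = suffixes[-1]
    if last in BLOCKED_EXTS:
        if len(suffixes) > 1 and suffixes[-2] in DATA_EXTS:
            # The disguise the post warns about: data extension, then an executable one.
            return False, "disguised executable " + "".join(suffixes[-2:])
        return False, "blocked type " + last
    if last in DATA_EXTS:
        return True, "data file"
    return False, "unlisted type " + last + "; review manually"


def plan_backup(names: List[str]) -> Dict[str, List[str]]:
    """Split a listing into files to copy and files to leave behind (with the reason)."""
    plan: Dict[str, List[str]] = {"copy": [], "skip": []}
    for n in names:
        safe, why = backup_verdict(n)
        plan["copy" if safe else "skip"].append(n if safe else f"{n} ({why})")
    return plan


# Constructed sample listing; these names are not taken from the thread's scan logs.
SAMPLE = ["Vacation.JPG", "thesis.doc", "song.mp3", "notes.txt", "photo.jpg.exe",
          "holiday.jpg   .scr", "setup.exe", "index[4].htm", "autorun.inf", "archive.zip"]

if __name__ == "__main__":
    for bucket, files in plan_backup(SAMPLE).items():
        print(bucket + ":", *files, sep="\n  ")
```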

#7 mikemak

Posted 12 April 2009 - 09:00 AM

Hi, I use Vista. Can I still use the programs you listed? I did use the guide in your post but I have tried for 3 days to find any files related to the Virus Remover 2009 but can't find them. The only files I saw were in the reg. keys. Thank you

#8 boopme

Posted 12 April 2009 - 01:28 PM

Hi, Yes they are for XP/Vista. It seems this is a well protected malware. The only options left here are have the HJT team go in there and dig it out or the Full wipe and reinstall.
HJT is about a week in backup.

To run HJT/DDS.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here, HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK.

#9 mikemak

Posted 12 April 2009 - 02:27 PM

I found the keys and will delete them 1 by 1 until they are gone or my laptop no longer works right. If that happens then I will wipe and re-install. I deleted 3 keys this morning and I am going to scan again to see if it had any effect. I don't understand the point of this virus if it's not gonna at least try to sell me something, geez.

#10 mikemak

Posted 12 April 2009 - 06:50 PM

Should I re-install from the laptop (D-drive recovery) or the disk I made when I got the laptop? Couldn't the D drive be infected? Thanks

#11 boopme

Posted 12 April 2009 - 07:28 PM

Hi, since it's a lappy I want to confirm that answer. What make and model is it?