laptop showing signs of being infected by a lot of different viruses


22 replies to this topic

#1 youkojin (Members, 18 posts)
Posted 17 August 2009 - 03:16 AM

Hello! I'm a newb in this forum and this is my first post. This seems to be a safe place to start asking questions. I'm trying to clean a laptop that the owner suspects is infected, and after exploring and using it, the problem seems to be more complicated than I first thought. Hope someone will be able to help me. ^_^

Anyway, here are the symptoms that I have discovered so far:
1. prevents access to some websites including, but not limited to, antivirus websites
2. can't install or update antivirus and malware programs
3. can't run online scans
4. can't run in safe mode
5. can't delete files

As you can see, the first thing I did was try to identify the virus, but it (they?) is preventing me from doing that. Some of the symptoms are associated with known viruses (like Beagle and Virtu) and there are removal tools available already, but these tools were not able to detect anything at all. Please advise me on what to do next. Thanks!



#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,281 posts, Virginia, USA)
Posted 17 August 2009 - 07:31 AM

If you cannot use the Internet or download any required programs to the infected machine, try downloading them from another computer (family member, friend, library, etc) with an Internet connection. Save to a flash (usb, pen, thumb, jump) drive or CD, transfer to the infected machine, then install and run the program(s). If you cannot copy files to your usb drive, make sure it is not "Write Protected".

Please download Malwarebytes Anti-Malware (v1.40) and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- If Malwarebytes Anti-Malware results in any error messages, please refer to Fixes for common problems and Error Codes. Some issues with errors can be related to malware infection but others are not.

-- Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension (see the linked instructions if you do not see file extensions).
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then right-click on the file and rename it to winlogon.exe.
  • If that still did not work, then try renaming and change the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#3 youkojin (Topic Starter)
Posted 17 August 2009 - 08:12 AM

Here's the MBAM log:

Malwarebytes' Anti-Malware 1.39
Database version: 2636
Windows 5.1.2600 Service Pack 2

8/17/2009 9:05:44 PM
mbam-log-2009-08-17 (21-05-44).txt

Scan type: Quick Scan
Objects scanned: 105485
Time elapsed: 7 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

There doesn't seem to be much info there.. :thumbsup:

#4 youkojin (Topic Starter)
Posted 17 August 2009 - 08:54 AM

Here's another log; the MBAM on this laptop needed to be updated.

Malwarebytes' Anti-Malware 1.40
Database version: 2639
Windows 5.1.2600 Service Pack 2

8/17/2009 9:31:49 PM
mbam-log-2009-08-17 (21-31-49).txt

Scan type: Quick Scan
Objects scanned: 105441
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Oliverio G. Laperal\Desktop\noadware.exe (Rogue.Installer) -> Quarantined and deleted successfully.


And another thing, I tried the trial version of Windows Live OneCare. It detects the following:
sality.am
sality.gen
pramro.b

These viruses are in the .exe files, and it says that it 'cleans' them. It's been running for several hours now and it is still detecting infected files.. I suspect that after being cleaned, the file gets infected again, making the process go on forever..

I also tried noadware.exe; it detected the following:
BearShare
Backdoor.Bifroso
Trojan.PWS.Tanspy

However, noadware only detected these things but did not remove them.
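
Added example, not part of the thread: a small Python parser for the MBAM 1.x log format shown in the two posts above. It pulls out the program and database versions, the scan summary counts and each detected item (path or key, detection name, action taken), then runs two checks a helper otherwise does by eye: that the header counts agree with the detail sections, and that every item was actually quarantined rather than left for a "Delete on reboot" pass (which is why the post above insists on rebooting normally). The embedded log is constructed in the same layout as the posted one with the empty detail sections trimmed; the second detection line, its path and its "Trojan.Agent" name are invented for illustration.

```python
import re
import sys
from collections import namedtuple
from dataclasses import dataclass, field

SUMMARY_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
DETAIL_HDR_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
CLEAN_ACTION = "Quarantined and deleted successfully"

# category ("Files Infected", ...), item (path/key/process), MBAM detection name, action taken
Detection = namedtuple("Detection", "category item threat action")


@dataclass
class MbamLog:
    program_version: str = ""
    database_version: str = ""
    os_version: str = ""
    scan_type: str = ""
    objects_scanned: int = 0
    summary: dict = field(default_factory=dict)     # category -> count claimed in the header block
    detections: list = field(default_factory=list)  # Detection tuples from the detail sections


def parse_mbam_log(text: str) -> MbamLog:
    log = MbamLog()
    current = None  # detail section we are inside; None while still in the header block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if current is None and line.startswith("Malwarebytes' Anti-Malware "):
            log.program_version = line.rsplit(" ", 1)[1]
        elif current is None and line.startswith("Database version: "):
            log.database_version = line.split(": ", 1)[1]
        elif current is None and line.startswith("Windows "):
            log.os_version = line
        elif current is None and line.startswith("Scan type: "):
            log.scan_type = line.split(": ", 1)[1]
        elif current is None and line.startswith("Objects scanned: "):
            log.objects_scanned = int(line.split(": ", 1)[1])
        elif (m := SUMMARY_RE.match(line)):
            log.summary[m["cat"]] = int(m["n"])
        elif (m := DETAIL_HDR_RE.match(line)):
            current = m["cat"]
        elif current is not None and (m := ITEM_RE.match(line)):
            log.detections.append(Detection(current, m["item"], m["threat"], m["action"]))
    return log


def consistency_problems(log: MbamLog) -> list:
    """Header counts vs. listed items, and items MBAM did not manage to remove in this run."""
    problems = []
    counted = {}
    for d in log.detections:
        counted[d.category] = counted.get(d.category, 0) + 1
    for cat, n in log.summary.items():
        if counted.get(cat, 0) != n:
            problems.append(f"{cat}: header says {n}, detail section lists {counted.get(cat, 0)}")
    for d in log.detections:
        if not d.action.startswith(CLEAN_ACTION):
            problems.append(f"{d.item}: '{d.action}' (not removed yet; reboot normally and rescan)")
    return problems


# Constructed sample in the posted layout (empty detail sections trimmed); the second
# detection line, its path and the "Trojan.Agent" name are invented for illustration.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2639
Windows 5.1.2600 Service Pack 2

8/17/2009 9:31:49 PM
mbam-log-2009-08-17 (21-31-49).txt

Scan type: Quick Scan
Objects scanned: 105441

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\Desktop\noadware.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sample.exe (Trojan.Agent) -> Delete on reboot.
"""


if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    parsed = parse_mbam_log(text)
    print(f"MBAM {parsed.program_version}, database {parsed.database_version}, {parsed.os_version}")
    for d in parsed.detections:
        print(f"  [{d.category}] {d.threat}: {d.item} -> {d.action}")
    for p in consistency_problems(parsed):
        print("CHECK:", p)
```

Run it with no arguments to parse the embedded sample, or pass the path of a saved mbam-log-*.txt. A log whose header says "Files Infected: 0" across the board, as in the first log above, parses cleanly with no problems reported; that is exactly the "nothing detected despite obvious symptoms" situation the thread is about, and the parser cannot help with it, it only keeps the logs you do get honest.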

#5 quietman7 (Bleepin' Janitor, Global Moderator, 51,281 posts, Virginia, USA)
Posted 17 August 2009 - 08:58 AM

Please download Norman Malware Cleaner and save to your desktop.
alternate download link
  • Be sure to print out the instructions provided on the same page.
  • Restart your computer in "Safe Mode".
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file with the date (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Important: Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. SSDT (System Service Descriptor Table) is a table that stores addresses of functions that are used by Windows. Both legitimate programs and rootkits can hook into and alter this table. You should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

NoAdware is a program that was previously listed as a rogue product on the Rogue/Suspect Anti-Spyware Products List because of concerns with false positives and the use of aggressive, deceptive advertising including exploitation of the name "Ad-Aware". It has since been delisted but in my opinion it is not a very effective program compared to others with a proven track record like those mentioned in BC's Freeware Replacements For Common Commercial Apps or Trustworthy Anti-Spyware Products.

#6 youkojin (Topic Starter)
Posted 17 August 2009 - 12:29 PM

I can't run the laptop in safe mode. Whenever I try, I get the blue screen. :thumbsup:

I also tried running the Norman Malware Cleaner even though not in safe mode, but it also won't work. :flowers:

Edited by youkojin, 17 August 2009 - 12:32 PM.


#7 quietman7 (Bleepin' Janitor, Global Moderator, 51,281 posts, Virginia, USA)
Posted 17 August 2009 - 12:39 PM

Then run the Norman scan in normal mode. Sophos should be run from normal mode as well.

#8 youkojin (Topic Starter)
Posted 18 August 2009 - 10:05 AM

I downloaded Norman on the infected laptop but it won't run even in normal mode. As for the rootkit, I can't even open the Sophos site.

I'm downloading the Norman scanner and the rootkit on another PC now, and I'll see if it will work.

#9 quietman7 (Bleepin' Janitor, Global Moderator, 51,281 posts, Virginia, USA)
Posted 18 August 2009 - 10:13 AM

Ok. That's what I would have recommended next.

#10 youkojin (Topic Starter)
Posted 18 August 2009 - 11:18 AM

I just realized that the desktop where I'm downloading the files now is infected by the classified.exe virus. T_T

Avira was not able to recognize it, and to think that I always update it. This desktop is newly reformatted and this is the first virus infection since. I downloaded and installed MBAM but when I try to run it, it says runtime error 0..

This is becoming hopeless; I just wanna laugh at it.. Now I can't do the Norman and Sophos scans on the laptop since my USB is infected by classified.exe too, and I don't want to infect the laptop more than it already is.. I will have to download both again tomorrow at the office and try running them tomorrow night.

Do you have any suggestions for the desktop?

BTW, thanks for the help so far.

#11 youkojin (Topic Starter)
Posted 19 August 2009 - 12:57 PM

Update!

I downloaded the Norman scanner and Sophos Anti-Rootkit on a virus-free computer and burned them onto a CD. I tried it on the laptop. The Norman scanner still won't work, but I was able to install the anti-rootkit. I started the scan four hours ago and it is still scanning; is that normal? I checked the entries detected, and all of them are removable but clean up not recommended. I can't tell if the scanner is just going round and round with the files, but it has detected A LOT already.

#12 quietman7 (Bleepin' Janitor, Global Moderator, 51,281 posts, Virginia, USA)
Posted 19 August 2009 - 01:01 PM

As I said, not all hidden components detected by ARKs are malicious. It's not unusual to find legitimate files mixed in with the bad. Sophos ARK does not recommend removal of files which the scanner does not recognize. However, that does not mean those files are all good and should be left alone. Further investigation is required after the initial scan to analyze and identify malicious files which were detected so they can be manually removed during a subsequent scan. That's why I need to see the sarscan.log.

It should not take 4 hours though. We may have to try something else if it does not complete.

#13 youkojin (Topic Starter)
Posted 19 August 2009 - 01:07 PM

Do you recommend that I leave it on for the night? It's 2am here where I'm at and I need to go to school tomorrow. Or maybe I can stop the scan and give you the log? Or will it not give me a log if I abort the scan?

#14 youkojin (Topic Starter)
Posted 20 August 2009 - 05:13 AM

I let the scan run through the night and when I checked this morning it still hadn't stopped. I aborted the scan, and the log is super long. There were two programs that it said had encountered errors, jwwbff.exe and another random-letter .exe. What do you suggest that I do next?

#15 quietman7 (Bleepin' Janitor, Global Moderator, 51,281 posts, Virginia, USA)
Posted 20 August 2009 - 07:47 AM

"There were two programs that it said had encountered errors, jwwbff.exe and another random-letter .exe"

Malwarebytes Anti-Malware has a built-in FileAssassin feature for removing stubborn malware or other malicious files that it did not detect.
  • Go to the "More Tools" tab and click on the "Run Tool" button
  • Browse to the location of the files to remove using the drop down box next to "Look in:" at the top.
  • When you find the file, click on it to highlight, then select Open.
  • You will be prompted with a message warning: This file will be permanently deleted. Are you sure you want to continue?. Click Yes.
  • If removal did not require a reboot, you will receive a message indicating the file was deleted successfully.
  • Click Ok and exit MBAM.
  • If prompted to reboot, then do so immediately.
-- If the file returns, then you probably have other malware on your system which is protecting or regenerating it.

Caution: Be careful what you delete. FileAssassin is a powerful program, designed to remove highly persistent files. Using it incorrectly could lead to serious problems with your operating system.


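
Added example, not from the thread: the note above that a deleted file which returns means other malware is protecting or regenerating it, and youkojin's earlier observation that OneCare kept re-detecting Sality in .exe files, both come down to the same question: which executables changed, appeared, or came back between two points in time? This Python script hashes every executable under a directory, saves the snapshot as JSON, and diffs snapshots so a file infector's modifications (a changed hash on a file you did not touch) and a regenerated dropper (removed by the cleaner, present again later) show up by name. The demo() scenario, its file names and byte contents are constructed; no real detection names are implied. Two caveats a practitioner should keep in mind: a kernel-mode rootkit that hides files from the Windows file APIs hides them from this script too, so take the snapshots with the drive attached to a known-clean machine rather than from inside the infected Windows install; and a changed hash only says "look here", it cannot distinguish an infection from a legitimate update.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions a file infector such as Sality targets; .dll included because loaded code matters too.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".dll"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map each executable under root (path relative to root, POSIX-style) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def diff_snapshots(before: dict, after: dict) -> dict:
    """Executables that appeared, disappeared, or changed content between two snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def regenerated_files(baseline: dict, after_clean: dict, later: dict) -> list:
    """Files a cleaner removed (in baseline, absent after cleaning) that are present again later."""
    return sorted(k for k in baseline if k not in after_clean and k in later)


def save_snapshot(snap: dict, path) -> None:
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_snapshot(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: one clean program, one dropper, a cleaner run, then reinfection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        good = root / "app" / "good.exe"
        dropper = root / "dropper.exe"
        good.write_bytes(b"MZ" + b"\x00" * 64)          # stand-in for a legitimate program
        dropper.write_bytes(b"MZ" + b"BAD" * 8)         # stand-in for a malicious executable
        (root / "readme.txt").write_bytes(b"ignored")   # non-executable, never hashed
        baseline = snapshot(root)

        dropper.unlink()                                 # the cleaner deletes the dropper
        after_clean = snapshot(root)

        good.write_bytes(good.read_bytes() + b"\x90" * 16)  # infector appends code to good.exe
        dropper.write_bytes(b"MZ" + b"BAD" * 8)             # and the dropper comes back
        later = snapshot(root)

        return {
            "clean_diff": diff_snapshots(baseline, after_clean),
            "later_diff": diff_snapshots(after_clean, later),
            "regenerated": regenerated_files(baseline, after_clean, later),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In use you would call snapshot() on the mounted drive before the cleaner runs, save_snapshot() the result, run the cleaner, snapshot again, and then leave the machine alone for a while before a third snapshot; anything in "modified" that you did not update yourself, and anything in regenerated_files(), is what to hand to the helper or submit for analysis.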



