I think I have a virus

I think I have gotten a virus. It is called Total Security 2009. I have saved Malwarebytes Anti-malware to my desktop, but when I try to open it to run it, Total Security tells me it is infected. I cant open my Task Manager, My add/remove program, defragment, nothing but my internet will open. When my internet is open it pops up every few minutes to tell me that I am infected. I cant even open my AVG 8.5 to run it. So everthing I have heard of to try I cant do because I can topen anything. If I try downloading and running it wont even do that. PLEASE someone HELP me.

You have a nasty infection. Let's try a quick scan

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed.: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This my take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

I have it downloaded to my desktop but it wont let me open it. I t tells me the file is infected and wont open. I cant find options under my settings. But however I cant open anything in my settings either. It tells me everything is infected and I cant open it. Please Help!!!!!!!!!!!!!!!

Let's try this instead...

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rookit User Manual and Release Notes.

• Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
• Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
• A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
• Make sure the following are checked:
  • Running processes
  • Windows Registry
  • Local Hard Drives
• Click Start scan.
• Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
• When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
• Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
  • Files tagged as Removable: No are not marked for removal and cannot be removed.
  • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
  • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
• Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
• A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
• After reboot, a dialog box displays the files you selected for removal and the action taken.
• Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
• When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
• This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.

• Disconnect from the Internet or physically unplug you Internet cable connection.
• Clean out your temporary files.
• Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
• Temporarily disable your anti-virus and real-time anti-spyware protection.
• After starting the scan, do not use the computer until the scan has completed.
• When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

I did as you instructed and when I open it says run I click run and It will pop up really fast to accept then it closes and a pop up comes up that reads Application cannot be executed. The file sar_15_sfx.exe is infected. This happens with all downloads. I cant even open my AVG 8.5. Everything on my computer besides the internet will not run or open. I cant even get to my add/remove program or anything in my control panel. I cant even open my task mananger it tells me that it is infected. I now have malwarebytes, rootrepeal, and this sar downloaded on my desktop and I cant open any of them. Any more suggestions or is it hopeless.

We need to move you to the HJT forum...

We need to create an OTL Report

• Please download OTL from one of the following mirrors:
  • This is THE Mirror
• Save it to your desktop.
• Double click on the icon on your desktop.
• Click the "Scan All Users" checkbox.
• Push the button.
• Two reports will open, copy and paste them in a reply here:
  • OTListIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

Post your OTL log to the HJT forum and a Team member will be along to help you as soon as possible.

If you need any help with the guide, please let me know.

I once again tried to do as you instructed. And once agin it tells me it cant open file that it is infected, it will pop up real fast and then go away. then a pop up to say that it cant open file that it is infected. I dont know what else to try.

Try this:
Go to the Total Security 2009 directory (C:\Program Files\TSC)
Note down the random lettered or numbered exe file.
Click Start and click Run or Press the Windows Key + R
Copy and paste the following code into the box and press enter.

taskkill /f /im tsc.exe

After that Click Start and click Run or Press the Windows Key + R again.
Copy and paste the following code into the box and press enter. (Change 'replaceme.exe' into the file you noted down before)

taskkill /f /im replaceme.exe

Follow rigel's instructions for Sophos Anti-Rootkit followed by the OTL Report.

Edited by master131, 29 August 2009 - 12:57 AM.

Once again I have tried what you have told me I cant find the file TSC in my C drive program files. I tried to click and paste the code in the run box, but when I hit enter it tells me that Application cannot be excuted the file is infected. As I said before I cant open anything on my desktop except for the internet. I think it is hopeless. If you can please HELP!!!!!!!!!!!

Please follow my instructions as listed above. You have one of the newest forms of malware on your computer. This isn't something that will be easily killed. Some even reformat and reload.

Please reference this thread for further information

Follow these instructions to scan your computer with BitDefender Online Scanner: HERE

Note: Instead of attatching the log post it. If your Java is outdated, there is no point of download/uninstalling it because Total Security 2009 will block it. If Bitdefender Online Scanner can't remove it, create a new topic on the HJT Forum as suggested on this thread.

Edited by master131, 29 August 2009 - 06:36 PM.

I did what you told me with the Bitdefender Online Scanner and here are the results from that scan. Im not sure what I need to do next. This scan still didnt remove the virus. Please Help. BitDefender Online Scanner



Scan report generated at: Sun, Aug 30, 2009 - 13:18:18





Scan path: C:\;D:\;E:\;







Statistics

Time
00:54:17

Files
259363

Folders
6444

Boot Sectors
0

Archives
2454

Packed Files
36414




Results

Identified Viruses
7

Infected Files
10

Suspect Files
0

Warnings
0

Disinfected
2

Deleted Files
7




Engines Info

Virus Definitions
3919087

Engine build
AVCORE v2.1 Windows/i386 11.0.0.26 (Jul 24 2009)

Scan plugins
17

Archive plugins
45

Unpack plugins
7

E-mail plugins
6

System plugins
4




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Documents and Settings\Administrator\My Documents\bubbys music\blackice ac dc MTV.mp3
Infected with: Trojan.Wimad.Gen.1

C:\Documents and Settings\Administrator\My Documents\bubbys music\blackice ac dc MTV.mp3
Disinfected

C:\Documents and Settings\Administrator\My Documents\bubbys music\lil wayne - let the beat build - Tha Carter III.mp3
Infected with: Trojan.Wimad.Gen.1

C:\Documents and Settings\Administrator\My Documents\bubbys music\lil wayne - let the beat build - Tha Carter III.mp3
Disinfected

C:\Documents and Settings\Administrator\My Documents\bubbys music\Lil Wayne - Tha Carter III - 01 - 3 Peat.mp3
Infected with: Trojan.Downloader.WMA.Wimad.S

C:\Documents and Settings\Administrator\My Documents\bubbys music\Lil Wayne - Tha Carter III - 01 - 3 Peat.mp3
Deleted

C:\Program Files\IEAntiVirus\uninst.exe
Detected with: Application.Generic.15232

C:\Program Files\IEAntiVirus\uninst.exe
Disinfection failed

C:\Program Files\IEAntiVirus\uninst.exe
Deleted

C:\System Volume Information\_restore{B2FE21D0-A693-4A7E-95A7-41F3AE80BF2F}\RP922\A0353721.exe
Detected with: Application.Generic.15232

C:\System Volume Information\_restore{B2FE21D0-A693-4A7E-95A7-41F3AE80BF2F}\RP922\A0353721.exe
Disinfection failed

C:\System Volume Information\_restore{B2FE21D0-A693-4A7E-95A7-41F3AE80BF2F}\RP922\A0353721.exe
Deleted

C:\WINDOWS\freddy59.exe
Infected with: Dropped:Win32.Worm.Koobface.AGK

C:\WINDOWS\freddy59.exe
Disinfection failed

C:\WINDOWS\freddy59.exe
Deleted

C:\WINDOWS\ld12.exe
Infected with: Dropped:Win32.Worm.Koobface.AGL

C:\WINDOWS\ld12.exe
Disinfection failed

C:\WINDOWS\ld12.exe
Deleted

C:\WINDOWS\mstre21.exe
Infected with: Dropped:Win32.Worm.Koobface.AGK

C:\WINDOWS\mstre21.exe
Disinfection failed

C:\WINDOWS\mstre21.exe
Deleted

C:\WINDOWS\pp11.exe
Infected with: Dropped:Win32.Worm.Koobface.AGJ

C:\WINDOWS\pp11.exe
Disinfection failed

C:\WINDOWS\pp11.exe
Deleted

C:\WINDOWS\system32\lsp.dll
Infected with: Trojan.Redirect.E

C:\WINDOWS\system32\lsp.dll
Delete failed

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/253975/i-have-tried-it-all/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom