
Nasty Personal Virus


22 replies to this topic

#1 DougHesketh

Posted 30 August 2009 - 08:27 AM

Hi Guys,

My Daughter's PC is infected, probably with "Personal Antivirus".

I have been through my list of things to do when all goes bad, but I am stopped at the first hurdle. For some unknown reason I am not able to get into the BIOS. I was going to boot from a CD, but that's the first issue.

Kaspersky was installed on the machine, but it's not there anymore, daughter has no knowledge of it, but I had password protected it so it shouldn't have been able to be uninstalled!! (Her login is not restricted though).

Even if I get to the "There was a problem during last startup" the keyboard will not work to allow me to arrow up or down. It just stops the countdown and I am then unable to do anything other than reboot.

Once into Windows I have tried accessing my CD and also my USB flash drive (which should run as a CD autoplay - LaunchU3.exe), but nothing runs. I tried to drop to a command prompt and run it that way, but was stopped again.

Where should I turn now? I am currently trying to boot the computer up and gain access to the internet to see if I can get MBAM, but it is very hard work getting into Windows without it locking up, and then it's off to the reboot button once more.

Help Please.

Regards
Doug

Update: 31/08/2009

The computer is running XP. I eventually got into Safe Mode using msconfig. I installed Avira and it went through and found quite a few things. LimeWire is probably to blame. The PC now boots up with much more predictability, but I know it's not clean yet. It is still redirecting IE7 to banofindsite.com (I think that is what it was). I managed to install Kaspersky again by copying the files to the desktop. I am still unable to execute anything from CD or memory stick. (Could be local settings?)

I gave up last night trying to update to the latest Kaspersky definitions as the PC just sat on 34% for ages. I have also tried to install and run MBAM, but that doesn't want to play ball either. It says it finishes installing but won't run.

Thanks in Advance

Edited by DougHesketh, 31 August 2009 - 06:18 AM.



#2 DougHesketh


Posted 19 September 2009 - 03:36 PM


Please could someone give some advice.

Not being able to run MBAM is a real pain as that will really help, but nothing!! Big fat nothing!!

I am really pulling my hair out. One response would be great just to get me on the road to recovery, please.

#3 Computer Pro


Posted 19 September 2009 - 06:42 PM

Hello and welcome to Bleeping Computer. I am sorry that your topic had gone unnoticed.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then select the immediate notification bubble and press Submit.



Let's try to get Malwarebytes to run, using Fatdcuk's fix:

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Quick Scan

At the end of the scan click Remove Selected and then reboot.


Post the scan log. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

#4 DougHesketh


Posted 20 September 2009 - 05:59 AM

It has taken me a couple of days to get the computer to the login screen, as I can only get it to run in Safe Mode by using msconfig. Should I try to get MBAM working in Safe Mode? So far I have been unable to successfully install MBAM. I followed another post and renamed it to zztoy.exe and it helped, but it never "Finished". The computer froze and I had to power off. Do you think that it is a symptom of the virus that I am unable to use the keyboard during boot up?

Thanks

#5 DougHesketh


Posted 20 September 2009 - 06:14 AM

WOW, MBAM is actually running after renaming it! I'll put the log onto a reply when it's done.

Cheers

#7 DougHesketh


Posted 20 September 2009 - 07:16 AM

OK, renamed MBAM to Winlogon and it started to run. It stopped (Locked up) in windows so I rebooted to safe mode and ran it there. It completed successfully.

Log:

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3 (Safe Mode)

20/09/2009 13:16:07
mbam-log-2009-09-20 (13-16-07).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 194346
Time elapsed: 31 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 7
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACxdfmevtvwd.dll (Rogue.Agent) -> Delete on reboot.
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalav (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Bex\Application Data\FunWebProducts (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bex\Application Data\FunWebProducts\Data (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bex\Application Data\FunWebProducts\Data\Bex (Adware.MyWay) -> Quarantined and deleted successfully.
C:\Program Files\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\UACxdfmevtvwd.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.
C:\WINDOWS\system32\msxmlm.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Uninstall\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalAV\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Bex\Desktop\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Thanks so far.

#8 DougHesketh


Posted 20 September 2009 - 10:09 AM

Reran MBAM with the latest update. Log below:

Malwarebytes' Anti-Malware 1.41
Database version: 2830
Windows 5.1.2600 Service Pack 3 (Safe Mode)

20/09/2009 16:04:18
mbam-log-2009-09-20 (16-04-18).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 199338
Time elapsed: 47 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\UACwatiuoqpao.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACxdfmevtvwd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACssiouihdnt.sys (Trojan.TDSS.T) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACa47e.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACa6a7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACae71.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACghqvysogcm.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACmwiikusrkw.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

Thanks again.
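
The two MBAM logs above (posts #7 and #8) follow a fixed text layout, and two things in them matter more than the raw counts. First, the items MBAM could only mark "Delete on reboot": the module was still loaded when the scan ran, so those paths need re-checking after the restart rather than being taken as gone. Second, the randomly named UAC*.dll/.sys/.dat files, the HKLM\SOFTWARE\UAC key and the Services\UACd.sys entry, which is the naming pattern of the TDSS/TDL2 rootkit family that MBAM itself labels Rootkit.TDSS in the second log; the same family hides its files, which is consistent with the module reported under the \\?\globalroot\ path rather than a normal drive letter. Below is an added Python example, not code from the thread or from Malwarebytes, that parses this log format and pulls those lists out. The sample log is a constructed excerpt of the lines posted above, and the UAC naming rule is a heuristic supplied here, not something MBAM reports.

```python
"""Parse a Malwarebytes' Anti-Malware 1.4x text log and list what needs follow-up.
Added example; SAMPLE_LOG is a constructed excerpt of the logs posted in the thread."""
import re
from dataclasses import dataclass

SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3 (Safe Mode)

20/09/2009 13:16:07
mbam-log-2009-09-20 (13-16-07).txt

Scan type: Full Scan (C:\\|D:\\|)
Objects scanned: 194346
Memory Modules Infected: 2
Registry Keys Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\\\?\\globalroot\\systemroot\\system32\\UACxdfmevtvwd.dll (Rogue.Agent) -> Delete on reboot.
C:\\Program Files\\Internet Explorer\\msimg32.dll (Adware.MyWebSearch) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\drivers\\UACssiouihdnt.sys (Trojan.TDSS.T) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\\Program Files\\PersonalAV\\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
"""


@dataclass
class Finding:
    section: str    # e.g. "Files Infected"
    item: str       # path or registry key as MBAM printed it
    detection: str  # MBAM's detection name, e.g. "Rootkit.TDSS"
    action: str     # "Quarantined and deleted successfully" or "Delete on reboot"


# "<item> (<detection>) -> <action>." ; the greedy item lets paths contain spaces.
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<n>\d+)$")
TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")

# Heuristic added here (not an MBAM output): TDSS/TDL2 used random UAC*.dll/.sys/.dat
# file names, an HKLM\SOFTWARE\UAC key and a UACd.sys service.
TDSS_RE = re.compile(
    r"(\\UAC[a-z0-9]+\.(dll|sys|dat|tmp)$|\\SOFTWARE\\UAC$|\\Services\\UACd\.sys$)", re.I)


def parse_mbam_log(text):
    """Return (header dict, summary counts dict, list of Finding)."""
    header, counts, findings = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            header["version"] = line.split()[-1]
        elif line.startswith("Windows "):
            header["os"] = line
        elif TIMESTAMP_RE.match(line):
            header["timestamp"] = line
        elif line.startswith("mbam-log-"):
            header["logfile"] = line
        elif COUNT_RE.match(line):
            m = COUNT_RE.match(line)
            counts[m["name"]] = int(m["n"])
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line)["name"]
        elif section is None and ":" in line:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
        elif line == "(No malicious items detected)":
            continue
        else:
            m = ENTRY_RE.match(line)
            if m and section:
                findings.append(Finding(section, m["item"], m["detection"], m["action"]))
    return header, counts, findings


def pending_reboot(findings):
    """Items MBAM could not remove while they were loaded: verify them after the reboot."""
    return [f.item for f in findings if f.action.lower().startswith("delete on reboot")]


def rootkit_indicators(findings):
    """Findings whose name or detection label points at the TDSS rootkit family."""
    return [f.item for f in findings
            if TDSS_RE.search(f.item) or "TDSS" in f.detection
            or f.detection.startswith("Rootkit.")]


def hidden_path_modules(findings):
    """Modules reported via \\\\?\\globalroot\\...: loaded from a path the normal
    file-system view did not show, a sign the rootkit was still active in memory."""
    return [f.item for f in findings if f.item.lower().startswith(r"\\?\globalroot")]


if __name__ == "__main__":
    header, counts, findings = parse_mbam_log(SAMPLE_LOG)
    print(f"MBAM {header['version']}, database {header['Database version']}: "
          f"{len(findings)} findings")
    for item in pending_reboot(findings):
        print("re-check after reboot:", item)
    for item in rootkit_indicators(findings):
        print("TDSS indicator:", item)
```

Run against the first log in this thread, the rootkit indicators and the "Delete on reboot" items are the same three or four paths, which is the practical reading of post #7: the scan removed the rogue, but the rootkit underneath it was still live, and a second pass after the reboot (post #8) was needed.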

#9 Skydie


Posted 20 September 2009 - 10:11 AM

Can you access task manager in normal mode?

#10 Computer Pro


Posted 20 September 2009 - 11:08 AM

DougHesketh,

Please rerun a Quick Scan with Malwarebytes and post back the log.

#11 DougHesketh


Posted 20 September 2009 - 12:34 PM

After the last MBAM I rebooted into normal mode.

Kaspersky then had a full scan and it went through without locking up.

Full Scan: completed 20/09/2009 17:25:01 (events: 35, objects: 223953, time: 00:51:13)
20/09/2009 16:33:48 Task started
20/09/2009 16:35:21 Detected: http://www.viruslist.com/en/advisories/36627 c:\program files\quicktime\quicktimeplayer.exe
20/09/2009 16:42:01 Detected: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Application Data\close base\live bone math.exe
20/09/2009 16:42:29 Untreated: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Application Data\close base\live bone math.exe Postponed
20/09/2009 16:42:29 Detected: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Application Data\close base\live bone math.exe
20/09/2009 16:42:29 Detected: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Application Data\close base\live bone math.exe
20/09/2009 16:43:33 Detected: Trojan-Downloader.Java.OpenConnection.at c:\Documents and Settings\Bex\Application Data\Sun\Java\Deployment\cache\6.0\37\27ab4de5-2589e650/vlocal.class
20/09/2009 16:43:33 Untreated: Trojan-Downloader.Java.OpenConnection.at c:\Documents and Settings\Bex\Application Data\Sun\Java\Deployment\cache\6.0\37\27ab4de5-2589e650/vlocal.class Postponed
20/09/2009 16:48:00 Detected: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Local Settings\Temp\sta1FC.exe
20/09/2009 16:48:03 Detected: Trojan.Win32.Patched.hq c:\Documents and Settings\Bex\Local Settings\Temp\UACd79.tmp
20/09/2009 16:48:18 Untreated: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Local Settings\Temp\sta1FC.exe Postponed
20/09/2009 16:48:19 Detected: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Local Settings\Temp\sta1FC.exe
20/09/2009 16:48:22 Detected: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Local Settings\Temp\sta1FC.exe
20/09/2009 16:48:22 Untreated: Trojan.Win32.Patched.hq c:\Documents and Settings\Bex\Local Settings\Temp\UACd79.tmp Postponed
20/09/2009 16:58:52 Detected: http://www.viruslist.com/en/advisories/26027 c:\program files\Common Files\AOL\Flasha.ocx
20/09/2009 16:58:52 Detected: http://www.viruslist.com/en/advisories/35948 c:\program files\Common Files\Adobe AIR\Versions\1.0\Resources\NPSWF32.dll
20/09/2009 16:58:54 Detected: http://www.viruslist.com/en/advisories/35948 c:\program files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll
20/09/2009 17:05:19 Detected: http://www.viruslist.com/en/advisories/20845 c:\program files\InterActual\InterActual Player\bin\pcfpatch
20/09/2009 17:22:15 Detected: http://www.viruslist.com/en/advisories/34451 c:\WINDOWS\system32\java.exe
20/09/2009 17:22:58 Detected: http://www.viruslist.com/en/advisories/36049 c:\WINDOWS\system32\Adobe\Director\np32dsw.dll
20/09/2009 17:22:58 Detected: http://www.viruslist.com/en/advisories/36049 c:\WINDOWS\system32\Adobe\Shockwave 11\Plugin.dll
20/09/2009 17:22:59 Detected: http://www.viruslist.com/en/advisories/36049 c:\WINDOWS\system32\Adobe\Shockwave 11\SwInit.exe
20/09/2009 17:23:46 Detected: http://www.viruslist.com/en/advisories/32270 c:\WINDOWS\system32\Macromed\Flash\SWFlash.ocx
20/09/2009 17:23:53 Detected: http://www.viruslist.com/en/advisories/35948 c:\WINDOWS\system32\Macromed\Flash\Flash10b.ocx
20/09/2009 17:24:57 Detected: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Application Data\close base\live bone math.exe
20/09/2009 17:25:01 Detected: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Application Data\close base\live bone math.exe
20/09/2009 17:25:01 Detected: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Application Data\close base\live bone math.exe
20/09/2009 17:25:01 Detected: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Local Settings\Temp\sta1FC.exe
20/09/2009 17:25:01 Detected: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Local Settings\Temp\sta1FC.exe
20/09/2009 17:25:01 Detected: HEUR:Trojan.Win32.Generic c:\Documents and Settings\Bex\Local Settings\Temp\sta1FC.exe
20/09/2009 17:25:01 Detected: Trojan.Win32.Patched.hq c:\Documents and Settings\Bex\Local Settings\Temp\UACd79.tmp
20/09/2009 17:25:01 Deleted: Trojan.Win32.Patched.hq c:\Documents and Settings\Bex\Local Settings\Temp\UACd79.tmp
20/09/2009 17:25:01 Detected: Trojan-Downloader.Java.OpenConnection.at c:\Documents and Settings\Bex\Application Data\Sun\Java\Deployment\cache\6.0\37\27ab4de5-2589e650/vlocal.class
20/09/2009 17:25:01 Deleted: Trojan-Downloader.Java.OpenConnection.at c:\Documents and Settings\Bex\Application Data\Sun\Java\Deployment\cache\6.0\37\27ab4de5-2589e650/vlocal.class
20/09/2009 17:25:01 Task completed

There is something still going on I would guess.

I then went back into normal mode to visit the Bleeping site and then it locked up, so I'm back to safe mode again.

MBAM in quick scan produced no threats, but I'm not sure I'm out of the woods yet:

Malwarebytes' Anti-Malware 1.41
Database version: 2830
Windows 5.1.2600 Service Pack 3 (Safe Mode)

20/09/2009 18:32:08
mbam-log-2009-09-20 (18-32-08).txt

Scan type: Quick Scan
Objects scanned: 102890
Time elapsed: 4 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Regards
Doug
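
Kaspersky's report above mixes two kinds of line. Entries whose "name" is a viruslist.com advisory URL are the vulnerability scanner flagging out-of-date software (QuickTime, Flash, Java, Shockwave, Adobe AIR, the AOL Flash control) rather than malware, though that is exactly the software a browser exploit goes through; one of them, java.exe, sits in the same report as a Trojan-Downloader class found in the Java deployment cache, which holds content the browser's Java plugin fetched from a web page. The malware lines come as Detected, then "Untreated ... Postponed", and only sometimes a final Deleted, which is Computer Pro's point below: for some objects the report never reaches Deleted. This added Python example, not the thread's own code nor Kaspersky's, reconciles a constructed excerpt of that report into the software flagged as vulnerable and the objects left untreated. The advisory URL prefix and the Java-cache path rule are assumptions written into the code.

```python
"""Reconcile a Kaspersky scan report (the line format posted in the thread) into
software flagged as out of date and malware objects left untreated.
Added example; SAMPLE_REPORT is a constructed excerpt of the report posted above."""
import re

SAMPLE_REPORT = """\
20/09/2009 16:33:48 Task started
20/09/2009 16:35:21 Detected: http://www.viruslist.com/en/advisories/36627 c:\\program files\\quicktime\\quicktimeplayer.exe
20/09/2009 16:42:01 Detected: HEUR:Trojan.Win32.Generic c:\\Documents and Settings\\Bex\\Application Data\\close base\\live bone math.exe
20/09/2009 16:42:29 Untreated: HEUR:Trojan.Win32.Generic c:\\Documents and Settings\\Bex\\Application Data\\close base\\live bone math.exe Postponed
20/09/2009 16:43:33 Detected: Trojan-Downloader.Java.OpenConnection.at c:\\Documents and Settings\\Bex\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\37\\27ab4de5-2589e650/vlocal.class
20/09/2009 16:43:33 Untreated: Trojan-Downloader.Java.OpenConnection.at c:\\Documents and Settings\\Bex\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\37\\27ab4de5-2589e650/vlocal.class Postponed
20/09/2009 16:48:03 Detected: Trojan.Win32.Patched.hq c:\\Documents and Settings\\Bex\\Local Settings\\Temp\\UACd79.tmp
20/09/2009 17:22:15 Detected: http://www.viruslist.com/en/advisories/34451 c:\\WINDOWS\\system32\\java.exe
20/09/2009 17:23:53 Detected: http://www.viruslist.com/en/advisories/35948 c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx
20/09/2009 17:25:01 Deleted: Trojan.Win32.Patched.hq c:\\Documents and Settings\\Bex\\Local Settings\\Temp\\UACd79.tmp
20/09/2009 17:25:01 Deleted: Trojan-Downloader.Java.OpenConnection.at c:\\Documents and Settings\\Bex\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\37\\27ab4de5-2589e650/vlocal.class
20/09/2009 17:25:01 Task completed
"""

# "<date> <time> <Event>: <name> <path> [Postponed]" ; the name never contains
# spaces, the path may, so the lazy path plus optional trailing "Postponed" splits them.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>Detected|Untreated|Deleted): (?P<name>\S+) (?P<path>.+?)"
    r"(?: (?P<status>Postponed))?$")

# Assumption: Kaspersky reports vulnerability-scanner hits with the advisory URL
# in place of a malware name (as in the report above).
ADVISORY_PREFIX = "http://www.viruslist.com/en/advisories/"
# Assumption: anything the Java plugin pulled from a web page lands under this path.
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def parse_report(text):
    """Return the Detected/Untreated/Deleted events as dicts, in report order."""
    return [m.groupdict() for m in
            (EVENT_RE.match(line.strip()) for line in text.splitlines()) if m]


def reconcile(events):
    """Return (vulnerable, state).
    vulnerable: {path: advisory id} for out-of-date software components.
    state: {path: (detection name, 'deleted' | 'untreated')}, last word wins,
    except that a Deleted event is final for that path."""
    vulnerable, state = {}, {}
    for e in events:
        if e["name"].startswith(ADVISORY_PREFIX):
            vulnerable[e["path"]] = e["name"][len(ADVISORY_PREFIX):]
            continue
        previous = state.get(e["path"], (None, "untreated"))[1]
        status = "deleted" if e["event"] == "Deleted" else previous
        state[e["path"]] = (e["name"], status)
    return vulnerable, state


def still_untreated(state):
    """Malware objects the scan detected but never deleted."""
    return sorted(path for path, (_, status) in state.items() if status == "untreated")


def browser_delivered(state):
    """Detections inside the Java deployment cache: the delivery side of a
    web-based infection rather than the payload that runs at boot."""
    return [path for path in state if JAVA_CACHE_MARKER in path.lower()]


if __name__ == "__main__":
    vulnerable, state = reconcile(parse_report(SAMPLE_REPORT))
    for path, advisory in vulnerable.items():
        print(f"out of date (advisory {advisory}): {path}")
    for path in still_untreated(state):
        print("still untreated:", state[path][0], path)
    for path in browser_delivered(state):
        print("fetched by the browser's Java plugin:", path)
```

On the full report in post #11 this leaves "live bone math.exe" and "sta1FC.exe" as untreated, which is what the reply below asks to be fixed, and lists nine out-of-date components that should be updated or removed once the machine is clean, since a re-infection through the same plugins is otherwise likely.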

#12 Computer Pro


Posted 20 September 2009 - 03:28 PM

I noticed that you did not have Kaspersky delete some files. Make sure you have it delete all of the items that it finds.

#13 garmanma


Posted 20 September 2009 - 09:42 PM

DougHesketh

FYI



Keep in mind that using MSConfig to access (force) safe mode when there is malware on your system could have disastrous results and render your computer unbootable. Some types of malware can delete or alter the safeboot key in the registry resulting in the inability to reboot fully into safe mode or back to normal mode. The Safeboot option modifies the Boot.ini file and you may be locked in a continuous reboot loop afterwards where you cannot get back to MSConfig and undo your selection. The same thing can occur with BootSafe as you may not be able to get back to Normal mode and undo your selection. See "Booting into Safe Mode safely".
Mark
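
Mark's warning above concerns the BOOT.INI tab in MSConfig on Windows XP: ticking /SAFEBOOT appends a /safeboot:minimal (or /safeboot:network) switch to the operating-system entry in boot.ini, so every boot is forced into safe mode regardless of what is chosen at F8. If malware has removed the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot keys that safe mode depends on, the forced boot cannot complete, and MSConfig, which is what would undo the switch, is never reached. Recovery then means editing boot.ini from outside the installed Windows, for example from the XP Recovery Console. The added Python example below, which is not code from the thread, shows the switch in a constructed boot.ini, reports which entries are forced into safe mode, and strips the switch while leaving the other boot options alone.

```python
"""Detect and remove the /safeboot switch MSConfig writes into a Windows XP boot.ini.
Added example; SAMPLE_BOOT_INI is constructed to look as MSConfig leaves the file."""
import re

SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /safeboot:minimal
"""

# An [operating systems] entry: ARC path, quoted title, then optional switches.
OS_ENTRY_RE = re.compile(r'^(?P<arc>[^=]+)="(?P<title>[^"]*)"(?P<switches>.*)$')
# /safeboot on its own or with a mode (:minimal, :network, :minimal(alternateshell)).
SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::\S+)?", re.IGNORECASE)


def parse_os_entries(text):
    """Return [(arc_path, title, [switches])] from the [operating systems] section."""
    entries, in_os = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "[operating systems]":
            in_os = True
            continue
        if line.startswith("["):
            in_os = False
            continue
        m = OS_ENTRY_RE.match(line) if in_os else None
        if m:
            entries.append((m["arc"], m["title"], m["switches"].split()))
    return entries


def forced_safe_mode(text):
    """Entries that will boot into safe mode whatever the user picks at F8,
    with the offending switch(es) for each."""
    result = []
    for arc, _, switches in parse_os_entries(text):
        hits = [s for s in switches if s.lower().startswith("/safeboot")]
        if hits:
            result.append((arc, hits))
    return result


def remove_safeboot(text):
    """boot.ini with every /safeboot[:mode] switch stripped from OS entries;
    timeout, default and all other switches are left exactly as they were."""
    out = []
    for line in text.splitlines():
        if OS_ENTRY_RE.match(line.strip()):
            line = SAFEBOOT_RE.sub("", line)
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for arc, hits in forced_safe_mode(SAMPLE_BOOT_INI):
        print(f"{arc} is forced into safe mode by {' '.join(hits)}")
    print("--- cleaned boot.ini ---")
    print(remove_safeboot(SAMPLE_BOOT_INI), end="")
```

The cleaned file is what you would write back from the Recovery Console or another boot medium; the point of keeping /noexecute and /fastdetect untouched is that a hand edit under pressure tends to drop them too.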

#14 DougHesketh


Posted 21 September 2009 - 02:14 AM

I thought that Kaspersky took the relevant action after a reboot, I've never had to force it into carrying out quarantine and delete.

My computer will NOT boot into safe mode using the F8 key. If I do (very rarely) get the boot up menu, the arrow keys do not work and I am unable to select anything. There have been times that I thought I had entered the continuous reboot loop, but luckily not yet.

With MBAM now reporting the computer has no malicious items left and it still locking up in normal mode, is there another tool that I need to run to ascertain the problem?

Thank you so much for all of your help to date. I am at least able to boot up the computer.

Cheers

Edited by DougHesketh, 21 September 2009 - 03:57 AM.


#15 DougHesketh


Posted 21 September 2009 - 10:31 AM

Will Autoruns be as useful in safe mode?

I'm still getting slowness and an egg timer in normal mode, which eventually seems to then do nothing, e.g. no Windows button working, no three-finger salute, etc. The only option is to force the machine off.



