
A bundle of "joy"


  • This topic is locked
23 replies to this topic

#1 VDOgamez

VDOgamez

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 01 September 2009 - 04:41 PM

I recently got infected with some kind of virus that passed under my scanners. It redirected me on google links and such. I think it may have allowed in more viruses, because before I knew it, I had a few fake virus scanners including Windows Antivirus Pro. I thought I got rid of them, but I must not have, because now I can't run any kind of scans. Oddly enough, just about everything else works fine on my computer. Since then, I've looked around for solutions and have yet to find something that will scan properly.

Any help would be much appreciated.

(I may not be able to respond until tomorrow afternoon)

Edited by VDOgamez, 01 September 2009 - 05:16 PM.


#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:58 PM

Posted 03 September 2009 - 07:09 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 VDOgamez

VDOgamez
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 03 September 2009 - 07:17 PM

Malwarebytes tries to scan, but closes immediately after four seconds of preparing to scan. I now no longer have permission to access it, too. Almost the exact same thing has happened with every scanner I have attempted to run.

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:58 PM

Posted 03 September 2009 - 07:19 PM

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#5 VDOgamez

VDOgamez
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 03 September 2009 - 08:58 PM

Tricky virus... It killed that program too.

#6 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:58 PM

Posted 03 September 2009 - 10:11 PM

Try doing just the Drivers scan.

#7 VDOgamez

VDOgamez
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 04 September 2009 - 05:05 PM

Wow, it actually scanned something!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/04 17:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: avimb0lw.SYS
Image Path: C:\WINDOWS\System32\Drivers\avimb0lw.SYS
Address: 0xB91CC000 Size: 229376 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6D65000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE6E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP1086
Image Path: \Driver\PCI_PNP1086
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB548D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spzw.sys
Image Path: spzw.sys
Address: 0xBA6A6000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBABD0000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xBAA28000 Size: 61440 File Visible: No Signed: -
Status: -

==EOF==
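As an added triage helper that is not part of this thread or of RootRepeal: a small Python script that parses the driver entries in the log above and flags the ones a responder would check first. The heuristics (bare filename, alternate data stream, loaded but not visible on disk, with dump_* and rootrepeal.sys assumed to be expected exceptions) are my own assumptions, and a flag means look closer, not a verdict.

```python
import re
# Constructed excerpt, copied from the RootRepeal "Drivers" section posted above.
SAMPLE_LOG = r"""Name: avimb0lw.SYS
Image Path: C:\WINDOWS\System32\Drivers\avimb0lw.SYS
Address: 0xB91CC000 Size: 229376 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6D65000 Size: 98304 File Visible: No Signed: -
Status: -

Name: spzw.sys
Image Path: spzw.sys
Address: 0xBA6A6000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBABD0000 Size: 20480 File Visible: No Signed: -
Status: -
"""

# One RootRepeal driver entry is four lines: Name, Image Path, Address/Size/Visible/Signed, Status.
ENTRY_RE = re.compile(
    r"Name: (?P<name>.+)\nImage Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
    r"File Visible: (?P<visible>\w+) Signed: (?P<signed>\S+)\nStatus: (?P<status>.+)"
)

def parse_drivers(text):
    """Return one dict per driver entry, fields named as in the log."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def triage(d):
    """Reasons this entry deserves a closer look; the heuristics are my own assumptions."""
    reasons = []
    name, path = d["name"].lower(), d["path"]
    if "\\" not in path:
        reasons.append("image path is a bare filename, so where it was loaded from is unknown")
    if re.search(r":\d+$", path):
        reasons.append("image path is an alternate data stream attached to a system file")
    # Assumption: crash-dump helpers (dump_*) and the scanner's own driver load without a visible file.
    expected_hidden = name.startswith("dump_") or name == "rootrepeal.sys"
    if d["visible"] == "No" and "\\" in path and not expected_hidden:
        reasons.append("driver is loaded in the kernel but its file is not visible on disk")
    return reasons

def suspicious(text):
    return {d["name"]: r for d in parse_drivers(text) if (r := triage(d))}
```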

#8 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:58 PM

Posted 04 September 2009 - 05:22 PM

These new infections are very difficult to remove. I think it's time to head on over to the HijackThis forum for a closer look.

Preparation Guide for use before posting a HijackThis Log

Go straight to Step 6. If DDS won't run just post the RootRepeal log with an explaining note.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#9 VDOgamez

VDOgamez
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 05 September 2009 - 07:23 AM

I was sent here from another thread and told that I could get help here, but I can't get any of the logs to run, nor any other scanners. They shut out after a few seconds and many get disabled afterward. Any help would be much appreciated.

#10 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:58 AM

Posted 05 September 2009 - 03:48 PM

Hello VDOgamez,

I merged your new topic to your previously existing topic so we can help you get a log created.

Please try this:

Download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Please start a new topic and post your log and the partial RootRepeal log you posted in this topic in the HijackThis Logs and Malware Removal forum, NOT here.
  • Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#11 VDOgamez

VDOgamez
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 06 September 2009 - 07:25 PM

That didn't work either... That's a crafty virus.

#12 VDOgamez

VDOgamez
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 10 September 2009 - 09:43 PM

Curse that virus. It's still there, hiding from me. I don't seem to be the only one, too. My brother called me and told me he had a virus, and I tried to help him get rid of it. A bit later, he called me again, and shouted, "The virus LEARNED!" He's got the same thing as me! Maybe if I get this removed, I can try to help him with his.

#13 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:58 AM

Posted 16 September 2009 - 10:48 PM

Hello,

Sorry for not getting back to you sooner. I was out in the hinterlands for a few days where there were no computers.

Because you couldn't get RSIT or DDS to run, please try this:

Please download runscanner.zip and save to your desktop.
  • Create a new folder on your hard drive called Runscanner (C:\Runscanner) and extract (unzip) the file there.
    (click here if you're not sure how to do this.)
  • Double-click Runscanner.exe to launch.
  • Select Beginner mode and click Ok.
  • Select Do a full scan and save a log file (default is Full Scan) to start.
  • Please be patient and do not use your computer during the scan.
  • When the scan is complete, a window will open asking you to save runscanner.run. Click Cancel.
  • Another window will open asking you to save runscanner.log.
  • Save it to your desktop and "Save as type: Runscanner log file [*.log]".
  • The log file will automatically open in Notepad.
  • Go to the top menu, click on "Format" and uncheck "Word Wrap" if checked.
  • Copy and paste the contents of the log file into a new topic in the HijackThis Logs and Malware Removal forum, NOT here. Also include your Root Repeal log in your post.
  • Exit Runscanner when done.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.

If Runscanner did not work, then reply back here.

Orange Blossom :thumbsup:

#14 VDOgamez

VDOgamez
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 17 September 2009 - 06:49 AM

Guess what else didn't work! :thumbsup:

#15 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:58 AM

Posted 17 September 2009 - 11:53 AM

I have a few more tools in the bag. Let's try this one next:
  • Please download OTL from here:
    http://oldtimer.geekstogo.com/OTL.exe
  • Save it to your desktop.
  • Double click on the OTL.exe icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Copy and paste the contents of the log files into a new topic in the HijackThis Logs and Malware Removal forum, NOT here. Also include your Root Repeal log in your post.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.

If OTL did not work, then reply back here.

Orange Blossom :thumbsup: