
Malware Defense Virus and more...


This topic is locked
22 replies to this topic

#1 Centuck


Posted 21 December 2009 - 11:56 PM

Hey everyone, if anyone has any insight on how to resolve this problem it would be greatly appreciated!

So I come to my computer that I left on and a few random websites are open, even though I never left IE on, so whatever, I close them. The next time I come to my computer I have this Malware Defense program installed onto my computer and it says I am infected, yadda yadda yadda. Many people already know this is a hoax, so I uninstall the thing, but it reinstalls itself, and at the same time my computer keeps freezing every now and then, my internet access on the computer is gone, and McAfee will not open.

So to safe mode I go! In safe mode I open up msconfig and look under Startup to find 3 things I do not want there: c.exe, richtx64.exe and mdefense.exe. So I find their paths and delete them. I figure, hey, I may have just fixed my problem, so I go to start up my computer in normal mode and suddenly, every time I do this, it freezes on the welcome screen after I click on "user".

So I try something another poster said worked. I installed Avast onto my laptop and sent it over to my desktop. I run a scan, just a moderate one, and leave my computer for a bit. I come back and it froze, so I reboot it, and I later find out that I have a process called iexplore.exe that, if I stop it, comes back every minute, so that is what is freezing my computer in safe mode. So while I am running a scan I just remove the process explorer.exe so that only the virus scanner is open, and then my computer doesn't freeze.

So Avast finds only one worm on its scan, Win32:Agent-JXL [wrm], and I find that it is in my archive files for Microsoft Outlook. I find the e-mail it was in and I delete it. Tried to boot Windows in normal mode, same problem. So now where I stand is I am doing a "Thorough" scan, which takes virtually forever. If anyone has any insight or any ideas on what to try, please do post them.

Thanks a lot!!
Centuck
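
The respawning iexplore.exe described in the post above is the kind of process you want to attribute to a parent before killing it yet again. The watcher below is an added example written for this thread, not code from the poster or from any of the tools mentioned; it polls for new instances of a named process and records which process launched each one. It assumes Windows PowerShell 3.0 or later for Get-CimInstance (on an XP-era box, Get-WmiObject Win32_Process accepts the same -Filter), and the target name and polling window are hypothetical defaults chosen for this example.

```powershell
# Added example for this thread (not from the post or any tool it names).
# Polls for new instances of a named process and records who launched each one.
# Assumes Windows PowerShell 3.0+; on XP-era hosts use Get-WmiObject Win32_Process.
param(
    [string]$TargetName = 'iexplore.exe',   # hypothetical default: the process the poster saw respawning
    [int]$Seconds = 120                     # hypothetical default: how long to keep watching
)

$seen   = @{}
$stop   = (Get-Date).AddSeconds($Seconds)
$realIE = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'

while ((Get-Date) -lt $stop) {
    # WQL filter: WMI matches the image name case-insensitively
    $procs = Get-CimInstance Win32_Process -Filter "Name = '$TargetName'"
    foreach ($p in $procs) {
        if ($seen.ContainsKey($p.ProcessId)) { continue }   # already reported this PID
        $seen[$p.ProcessId] = $true

        # The parent may already have exited (a dropper that starts IE and quits),
        # and PIDs get reused, so treat the parent line as a lead, not proof.
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $parentPath = if ($parent) { $parent.ExecutablePath } else { '' }

        [pscustomobject]@{
            Time        = Get-Date -Format 'HH:mm:ss'
            Pid         = $p.ProcessId
            Path        = $p.ExecutablePath
            # genuine browser being launched by something else, or a renamed binary?
            IsRealIE    = ($p.ExecutablePath -ieq $realIE)
            CommandLine = $p.CommandLine
            ParentPid   = $p.ParentProcessId
            ParentName  = $parentName
            ParentPath  = $parentPath
        }
    }
    Start-Sleep -Seconds 2
}
```

Run it from an elevated prompt and leave it for a couple of minutes. If IsRealIE is true, the browser itself is clean and the ParentPath column is what to chase; if the path is somewhere else (a Temp folder, a user profile), that file is the thing to quarantine and submit to the scanner.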


#2 Computer Pro


Posted 22 December 2009 - 10:17 PM

Hello and welcome to Bleeping Computer. My name is Computer Pro and I will be helping you with your issues.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Finally, press submit.


Let's take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 Centuck


Posted 23 December 2009 - 12:23 AM

Thank you Computer Pro. Now, as you were posting this I was already using Malwarebytes. One issue I have is that I can only get onto my computer in safe mode, so I have no connection to the internet. I got Malwarebytes onto my computer through a USB stick. So this did not allow me to update it, but I ran a scan and these were the results. I have run in total 4 scans and the results get fewer with each scan. Sadly I did this before I read your post and so I didn't save a log for my last scan, but my other three scans were as follows.

Sadly my bloody USB drive just stopped working as well!! So here is most of the info.

Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{870E3B1B-D1C6-4B91-864C-90043CF02E56} (Trojan.Agent)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Radio_USA Toolbar (Trojan.Agent)
HKEY_LOCAL_MACHINE\SOFTWARE\RADIO_USA (Trojan.Agent)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{870E3B1B-D1C6-4B91-864C-90043CF02E56} (Trojan.Agent)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mvgvbvgc (Trojan.FakeAlert.N)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter)

The latest time I ran a scan I only had one thing infected and I can't remember the path of it, but I deleted it and now I am currently running another scan. Sorry I couldn't copy and paste stuff from my desktop! Also note that if I go into msconfig and Startup, I stopped three things: c.exe, richtx64.exe, and mdefense.exe, and I deleted them at their paths. But mdefense and richtx64 will not disappear from the startup list, and c.exe came back once. I hope all of this information will help! Thanks a lot again!

#4 Centuck


Posted 23 December 2009 - 12:46 AM

Just an update, I found out the item that infected me on my last scan. It is HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{870e3b1b-d1c6-4b91-864c-90043cf02e56}

And also my latest scan brought no malicious results, aka the results had nothing infected on my computer.

#5 Centuck


Posted 23 December 2009 - 01:38 AM

I just made another discovery. I searched in regedit for mdefense and richtx64 and I found them under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
and in this startupreg folder there are two folders called Malware Defense and richtx64.exe.

Inside those folders they are identical, holding the names:

(Default) Data: (value not set)
command Data: "C:\Program Files\Malware Defense\mdefense.exe" -noscan
hkey Data: HKCU
inimapping Data: 0
item Data: mdefense
key Data: SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The richtx64.exe folder has the exact same, except the data of command is C:\DOCUM~1\user\LOCALS~1\Temp\richtx64.exe.

So would it be safe to say I should just delete these two folders of stuff? Or is there supposed to be something under the startupreg folder? Let me know what you think. Thanks!


OOOOOOOOH, I also found that under HKEY_LOCAL_MACHINE\SOFTWARE there are folders called Malware Defense and Richtx64, and in these folders they have some stuff, so would I be correct in saying I should delete these files??

Edited by Centuck, 23 December 2009 - 01:42 AM.
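
The MBAM findings in post #3 (a Run value, a service key, a toolbar CLSID, a Security Center flag) and the msconfig startupreg keys in post #5 are all autostart locations a responder ends up checking by hand. The script below is an added example written for this thread, not code from either poster or from Malwarebytes; it walks those same locations on the live machine and flags entries whose binary is missing or sits in a Temp or profile folder. It assumes Windows PowerShell 3.0 or later run from an elevated prompt; the Security Center notify values are an XP SP2/SP3-era key that may not exist on newer Windows, and the function names and the "suspicious" heuristic are the example's own.

```powershell
# Added example for this thread: not code from either poster or from Malwarebytes.
# Walks the autostart locations that appear in the MBAM log (post #3) and in the
# regedit search (post #5) and flags entries whose binary is missing or lives in a
# Temp/profile folder. Assumes Windows PowerShell 3.0+ in an elevated prompt.
# Function names and the "suspicious" heuristic are this example's own.

function Get-CommandPath {
    # Extract the executable from a Run/service command line, e.g.
    #   "C:\Program Files\Malware Defense\mdefense.exe" -noscan
    #   C:\DOCUME~1\user\LOCALS~1\Temp\richtx64.exe
    # An unquoted path with spaces yields a bogus first token, which then reports
    # as missing: that is the unquoted-service-path problem, and worth seeing.
    param([string]$Command)
    if (-not $Command) { return $null }
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-Suspicious {
    param([string]$Path)
    if (-not $Path) { return $false }
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $full)) { return $true }            # dangling entry
    # Temp or profile folders, including 8.3 short names such as LOCALS~1
    return [bool]($full -match '\\Temp\\|\\Documents and Settings\\|\\Users\\|~\d\\')
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Source, [string]$Name, [string]$Command) {
    $findings.Add([pscustomobject]@{
        Source     = $Source
        Name       = $Name
        Command    = $Command
        Suspicious = Test-Suspicious (Get-CommandPath $Command)
    })
}

# 1. Run / RunOnce in both hives (the log's mvgvbvgc value sat in HKLM\...\Run)
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSChildName/... metadata
            Add-Finding "$hive\$sub" $p.Name ([string]$p.Value)
        }
    }
}

# 2. Items msconfig has disabled. Each subkey stores item/key/hkey/command, which is
#    why a deleted binary still shows in msconfig's Startup tab: this is its own copy.
$msconfig = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
if (Test-Path $msconfig) {
    foreach ($k in (Get-ChildItem $msconfig)) {
        $v = Get-ItemProperty $k.PSPath
        Add-Finding "msconfig\startupreg ($($v.hkey)\$($v.key))" $v.item $v.command
    }
}

# 3. Services: the binary behind every ImagePath (the log's SSHNAS was a Services key)
foreach ($s in (Get-CimInstance Win32_Service)) {
    Add-Finding 'Service' $s.Name $s.PathName
}

# 4. IE toolbars and BHOs: the CLSID is either a subkey or a value name; resolve
#    each to the DLL registered under HKCR\CLSID\{...}\InprocServer32
$bhoRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
            'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }
    $clsids = @(Get-ChildItem $root | ForEach-Object { $_.PSChildName }) +
              @((Get-ItemProperty $root).PSObject.Properties |
                Where-Object { $_.Name -match '^\{[0-9A-F-]+\}$' } |
                ForEach-Object { $_.Name })
    foreach ($clsid in ($clsids | Select-Object -Unique)) {
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { $null }
        Add-Finding $root $clsid $dll
    }
}

# 5. Security Center switches (XP SP2/SP3 key; absent on newer Windows). A 1 hides
#    the "firewall/antivirus is off" balloon, which is what the log's
#    FirewallDisableNotify (Disabled.SecurityCenter) line refers to.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
if (Test-Path $sc) {
    $v = Get-ItemProperty $sc
    foreach ($n in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        if ($v.$n) {
            $findings.Add([pscustomobject]@{ Source = 'SecurityCenter'; Name = $n; Command = "$n = $($v.$n)"; Suspicious = $true })
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A startupreg entry whose command points at a file that no longer exists is exactly what the poster saw: msconfig keeps its own copy of a disabled item, so deleting the binary does not clear it from the Startup tab, and the entry under startupreg has to go as well. Run the script before and after cleanup and compare the two outputs; anything that reappears after a reboot still has a live persistence mechanism somewhere.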


#6 Computer Pro


Posted 23 December 2009 - 02:10 PM

Let's run Dr. Web:

Please download Dr. Web, the free version, and save it to your desktop. DO NOT perform a scan yet.

Scan with Dr. Web Cureit as follows:
* Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
* Read the "Virus check by DrWeb scanner" prompt and click OK where asked "Start scan now?". Allow setup.exe to load if asked by any of your security programs.
* The Express scan will automatically begin. (This is a short scan of files currently running in memory, boot sectors, and targeted folders.)
* If prompted to download the Full version Free Trial, ignore it and click the X to close the window.
* If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
* When complete, click Select All, then choose Cure > Move incurable. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured.)
* Now put a check next to Complete scan to scan all local disks and removable media.
* In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click OK.
* Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
* When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
* Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
* In the top menu, click File and choose Save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.

Important! Reboot your computer, because it is possible that files in use will be moved/deleted during reboot.

After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Computer Pro

#7 Centuck


Posted 23 December 2009 - 02:24 PM

Ok, I will give it a shot, thanks! What is your take on the registry stuff in regedit, though? You think I can go ahead and delete those 4 files that shouldn't be there?

#8 Computer Pro


Posted 23 December 2009 - 02:28 PM

Yes go ahead and delete. Just make sure to be very careful when editing the registry.
Computer Pro

#9 Centuck


Posted 23 December 2009 - 02:30 PM

Ok, I may be a while on this Doctor thing because my desktop is no longer recognizing my USB stick, sooo I have to find something else now, I guess.

#10 Computer Pro


Posted 23 December 2009 - 02:31 PM

Take your time. A CD may also work.
Computer Pro

#11 Centuck


Posted 23 December 2009 - 02:48 PM

So after I deleted those keys I went and tried to get onto Windows in normal mode and it worked, but then it froze after like a minute, and now I can't get back onto normal mode, heh.

#12 Computer Pro


Posted 23 December 2009 - 03:10 PM

Please try to use Last Known Good Configuration.
Computer Pro

#13 Centuck


Posted 23 December 2009 - 03:34 PM

Yeah, I just tried that and it didn't work :thumbsup: And my desktop computer won't let me access anything on a burnt CD like the one I just burnt that Doctor thing to.

I just got my USB working on my desktop again, so I am currently doing the scan. I will update you ASAP; so far it's found a few objects, so yay??!!??

Edited by Centuck, 23 December 2009 - 03:44 PM.


#14 Computer Pro


Posted 23 December 2009 - 04:43 PM

I'll be waiting for the log.
Computer Pro

#15 Jezza_170


Posted 23 December 2009 - 06:46 PM

I have this same virus, running Malwarebytes atm.

If nothing helps, I will use Dr Web!



