Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New and Improved Malware Defense /Internet Security 2010


  • Please log in to reply
2 replies to this topic

#1 Wamba

Wamba

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:43 AM

Posted 30 January 2010 - 08:05 AM

Hello all.

All assistance is appreciated.

I seem to have an new, industrial strength version of this virus.

I have scanned the forums, here and elsewhere, for removal instructions.

I have tried, among other things, Grinler's rkill method

http://www.bleepingcomputer.com/virus-removal/remove-malware-defense

and the alternate rkill methods

http://www.bleepingcomputer.com/forums/index.php?showtopic=289872&hl=malware+defense

Unfortunately, the rkill download sites are blocked by the virus. All BC addresses are blocked.

I imported the rkills via thumb drive, but when I run them, I the run window disappears in about three seconds, and a message appears:

Application cannot be executed. The file is infected. Please activate your antivirus software.

And the band plays on - popups demanding payment for the "antiviurs software."

The malwarebytes site is also blocked. I imported mbam via thumb drive, also, and ran it, anyway, but it simply doesn't execute.

I have run rkill and mbam multiple times, even without closing error messages, but nothing executes.

There is no old mbam on the machine to uninstall.

I have tried the Combo-Fix method, but it, too, will not execute. I first get a message that says

!! Alert !! It is NOT SAFE to continue! The content of the ComboFix package has been compromosed. http://www.bleepingcomputer.com/combofix/how-to-use-combofix Note: You may be infected with a file patching virus 'virut'


Needless to say, I run Combo-Fix again, without closing the error window, but the following message pops up again, and Combo-Fix does not execute

Application cannot be executed. The file is infected. Please activate your antivirus software.

I tried the manual removal suggested here

http://www.bleepingcomputer.com/forums/t/290328/malware-defense-has-taken-over-my-computer/

but Task Manager and Regedit have been disabled.

For what it is worth, cache versions of blocked sites are available.

In sum, all solutions offered in this forum - at least the ones I have been able to run down - have failed. It appears that someone is cribbing our notes and updating their malware accordingly.

I am willing to try anything, and eager for help.

Again, thanks to all for any suggestions.

BC AdBot (Login to Remove)

 


#2 Wamba

Wamba
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:43 AM

Posted 30 January 2010 - 03:52 PM

I have an update for anyone who stumbles across this question in the forum in search of help.

And I have to believe someone will.

And I know you're really going to need help, because this is nasty.

As in the original post, nothing automated ran. So it was on to hand-to-hand combat.

First, I regained Task Manager, with the help of this little tool

http://www.taskmanagerfix.com/

Then I deleted all suspicious processes, including mdefense.exe and uninstall.exe. Also, iexplorer.exe, because I had removed Internet Explorer from my machine long ago. The virus, it seems, had installed and executed it.

This helped immensely.

I then deleted the following registry values

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SimpleShlExt
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense

I looked for the following registry value, but couldn't find it

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Malware Defense"

Then, in C:\Program Files\Malware Defense, I unregistered mdext.dll. I then tried to delete it, but wasn't allowed to. I tried with Unlocker, but still no luck. So I renamed it, but still couldn't delete. Finally, I told Unlocker to delete it upon re-boot, although I have my serious doubts about whether that will get done.

By this time, I had large control of my machine again. So I deleted all "Malware Defense" files and folders that I could find with a Search.

At this time, I do not have access to the Internet on the machine. I tried using Tools->Internet Options->Connections, and clicking the LAN Settings button, in hopes of unchecking the "Use a proxy server for your LAN" box, but it was already unchecked. And I can't get a status on my connection.

I have run rkill several times; it stays on for about ten seconds, then disappears. I presume it has killed what is left of Malware Defense's operation, but I don't know. Nothing shows in Task Manager.

On the other hand, I still can't run mbam. I have uninstalled and re-installed it several times, and it seems to install fine, but when it comes to the end, and asks if I want to update and launch it, I indicate that I do, but it doesn't. And I can't launch it automatically.

I kind of hope that if re-boot it, the Internet connection will re-establish, and mbam will run. On the other hand, I kind of fear that Malware Defense will re-generate itself upon re-boot, especially if mbam has not been run first. But I don't know what else to try to get mbam to run short of re-booting.

My Saturday has already been ruined, so I think I am going to sleep on the re-boot. Leaving the machine on overnight does not seem too much of a risk - Malware Defense appears to have been neutered, if not exterminated. And if it hasn't, I suppose I need to know.

I just don't want my Sunday ruined, too.

If I get any closer to complete recovery, I'll post.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,070 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:43 AM

Posted 07 February 2010 - 05:15 PM

I have tried the Combo-Fix method, but it, too, will not execute. I first get a message that says

!! Alert !! It is NOT SAFE to continue! The content of the ComboFix package has been compromosed. http://www.bleepingcomputer.com/combofix/how-to-use-combofix Note: You may be infected with a file patching virus 'virut'

I'm afraid I have very bad news.

Virut is a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of virut can even penetrate and infect .exe files within compressed files (.zip, .cab, rar). The Virux and Win32/Virut.17408 variants are an even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer virut remains on a computer, the more critical system files will become infected and corrupt so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files.

AVG Overview of W32/VirutVirut is commonly spread via a flash drive (usb, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted and spread by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:Since virut is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users