Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Rogue Antivirus


  • This topic is locked This topic is locked
24 replies to this topic

#1 justinlaughlin898

justinlaughlin898

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 03 February 2010 - 06:54 AM

Hi, I recently got infected with a rogue anti-virus and I really need help getting rid of it. I do all my homework online, and if I can't access my computer, I'll miss my assingments, so your help is very much appreciated :thumbsup:. Anyways, I'm not sure what the exact name of the rogue anti-virus is, but I'll tell you everything I know.


When it first popped up, it displayed a message with a windows firewall icon. It seemed suspicious and I didn't click on it because I thought it might be a rogue anti-virus. I tried to kill it with task manager (I forget if it worked or not), but after that I just pressed the off button on my laptop. After I rebooted, I tried to log in but I couldn't get in, I waited at least 5 minutes for my desktop to load but nothing appeared, so I booted into safe-mode. I went into safe-mode and ran Superantispyware (I had to change the name because it was blocked at first), and it found 5 infections. I removed them, and booted back into regular mode. It seemed fine at first, but when I went onto google (I use firefox btw) it started redirecting me to all these random rogue anti-virus sights (The few that I remember inlcude 'stop-sign antivirus' and some website called ave99.com). I was also denied access to many sites including bleepingcomputer and yahoo answers. I booted into safe-mode and ran Malware bytes (again, I had to rename the file) and it found 1 file, but that didn't do the trick either.

Oh, and one more strange thing I found out.. when I booted into safe-mode, there was a process called iexpore.exe loading every minute. Even if I ended it, it would load up again the next minute. I'm guessing its the rogue anti-virus trying to make a pop-up or some advertisement? But the strange thing is, when I disabled explorer.exe, iexplore.exe wasn't able to load anymore. I don't know if this has anything to do with the problem, but my dad was saying maybe my explorer.exe is infected.


Quick Summary:

I already scanned with avast, Superantispyware, and malwarebytes, they all found stuff, but the problem is still there.
Google search results redirect to random sites (usually rogue anti-virus sites... [stop-sign antivirus, ave99])
"Iexplore.exe" loads every minute regardless of what I do, but once explorer.exe was disabled, Iexplore.exe wasn't able to load anymore. (all this was done in safe-mode btw)
The virus blocks certain websites and certain programs.
I've only encountered the popups 1 time, but google is still redirecting me to other sites, and I'm still restricted access to some sites and programs.


I really need to get rid of this as soon as possible, Thank you very much in advance for your help :flowers:.

P.S. I have HJT and other programs, but it would be very very difficult to get the logs to you because BC is blocked. Perhaps I can send the logs to you through email?


EDIT: This morning my dad did another scan and he said it found a rootkit. But the problems are still there? Isn't a rootkit pretty serious?

EDIT2: Oh, and I just remembered, I think it's also disabling the real-time scanner by avast. Every time I check on it it says disabled, and when turn it back on, it will be disabled a few minutes later.

Edited by justinlaughlin898, 03 February 2010 - 02:21 PM.


BC AdBot (Login to Remove)

 


#2 justinlaughlin898

justinlaughlin898
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 03 February 2010 - 05:51 PM

Anybody? I really need help

Edit: Just now about 3-5 random sound files just played (it sounded like a man speaking). I could hear what he said, but I'm pretty sure this was related to the virus. Please help me

Edited by justinlaughlin898, 03 February 2010 - 06:15 PM.


#3 justinlaughlin898

justinlaughlin898
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 03 February 2010 - 09:33 PM

Now every 5 minutes or so I'm getting random audio advertisements, mostly about food/cleaning supplies..... Please help? I'm really lost here.

#4 justinlaughlin898

justinlaughlin898
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 04 February 2010 - 05:04 PM

Please anybody? Do you think it would be better to reformat? I'm really lost

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:17 AM

Posted 04 February 2010 - 05:11 PM

Helo with all those self replies it looks as if someone is helping you. Consider it will take either a few days in the HJT forum or reformatiing ,it's your choice.

Your decision as to what action to take should be made by reading and asking yourself the questions presented in "When Should I Format, How Should I Reinstall?" In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore removes everything and is the safest action but I cannot make that decision for you.

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, data files and photos. The safest practice is not to backup any autorun.ini or .exe files because they may be infected. Some types of malware may disguise itself by adding and hiding its extension to the existing extension of files so be sure you take a close look at the full name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

The best proceedure is a low level format. This completely wipes the drive. Then reinstall the OS.
Use the free version of Active@ KillDisk.
Or Darik's Boot And Nuke

The best sources of Information on this are
Reformatting Windows XP
Michael Stevens Tech

Of course also feel free to ask anything on this in the XP forum. They'd be glad to help.

==============================

2 guidelines/rules when backing up

1) Backup all your important data files, pictures, music, work etc... and save it onto an external hard-drive. These files usually include .doc, .txt, .mp3, .jpg etc...
2) Do not backup any executables files or any window files. These include .exe/.scr/.htm/.html/.xml/.zip/.rar files as they may contain traces of malware. Also, .html or .htm files that are webpages should also be avoided.

Download Belarc Advisor - builds a detailed profile of your installed software and hardware, including Microsoft Hotfixes, and displays the results in your Web browser.
Run it and then print out the results, they may be handy.

Since we don't know exactly which infections we're dealing with here, we should take some precautions before we attempt to move files from the infected machine. Run the following on your clean computer, and make sure you insert your flash drives at the prompt.
Download and Run FlashDisinfector

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Reinstall Windows Vista

Note: Windows 7 Professional instructions recommend you DO NOT use a third-party software to format the drive.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 justinlaughlin898

justinlaughlin898
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 05 February 2010 - 04:37 AM

I think I may not need to reformat.. about 5 minutes ago avast caught about 6 trojans in c:\windows\system32. Now I can access bleepingcomputer.com, and I haven't gotten any google redirects so far. Am I clean now? Where should I go from here? Thank you for responding

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:17 AM

Posted 06 February 2010 - 02:55 PM

Hey that's a break!!
Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#8 justinlaughlin898

justinlaughlin898
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 06 February 2010 - 11:39 PM

Mawlwarebytes didn't find anything. Just to let you know, I did full scans with Malwarebytes, avast!, Superantispyware, and Microsoft Windows Malicious Software Removal Tool, none of them found anything. I got rid of the virus using this program called "root repeal". The scan found around 8 or so files with names like _VOIDgarlkuxdmp.dll. When I tried to delete them with root repeal, I wasn't able to... but for some reason, about 5 minutes after when I wasn't doing anything, avast popped up and said it found the "trojans" and it was able to delete them. If you need me to post anything else just let me know. I'm not really certain I'm safe, its just the google redirects are gone now.. Thank you very much!



Here is the Malwarebytes log:


Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/6/2010 6:24:17 PM
mbam-log-2010-02-06 (18-24-17).txt

Scan type: Quick Scan
Objects scanned: 124174
Time elapsed: 9 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:17 AM

Posted 07 February 2010 - 12:10 AM

Well that sure is odd as with Rootrepeal you have to tell it which items you want removed. I guess give it a day and see how it is running.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 justinlaughlin898

justinlaughlin898
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 08 February 2010 - 02:09 AM

I haven't had any symptoms since I got rid of those _VOID files. Do you think I'm pretty safe now? Thank you very much for your help :thumbsup:

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:17 AM

Posted 08 February 2010 - 11:49 AM

Hello, sometimes odd things happen... Well let's just do an online scan so I feel more comfortable also.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#12 justinlaughlin898

justinlaughlin898
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 08 February 2010 - 06:55 PM

The ESET scan didn't find any threats :thumbsup:

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:17 AM

Posted 08 February 2010 - 08:35 PM

Ok ,maybe I am over cautious but MBAM is at Database version: 3711 and your log says 3510.
so one more 15 min scan plaese


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#14 justinlaughlin898

justinlaughlin898
  • Topic Starter

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 08 February 2010 - 08:55 PM

Wow! It's a good thing you realized that: Here is my MBAM log:

(those are the "_VOID" files I was talking about earlier)

Oh, I was gonna tell you earlier that my computer was acting pretty slow, but hopefully after rebooting I'll be fine again.


Malwarebytes' Anti-Malware 1.44
Database version: 3711
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

2/8/2010 3:51:31 PM
mbam-log-2010-02-08 (15-51-31).txt

Scan type: Quick Scan
Objects scanned: 130168
Time elapsed: 8 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\_VOIDkrl32mainweq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:17 AM

Posted 08 February 2010 - 09:48 PM

Great!! this is what I wanted to see.

Now we'll run these.. I think it will pickup in speed and a few more bits of junk.

Next run ATF and SAS: If you cannot access Safe Mode,run in normal ,but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select FULL scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.


Please ask any needed questions,post 2 logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users