Infected with TROJAN.FAKEAV.ADH


This topic is locked. 9 replies to this topic.

#1 geofade

Posted 06 February 2010 - 02:53 PM

Hi, Anyone, Please help!
My computer has been hijacked by this nasty virus! I can run my PC in regular mode but it is very slow and sometimes it just freezes. It works fine in safe mode.
I have run scans and rootkit clean-ups and registry clean-ups in safe mode and the results are the same: "NO VIRUSES FOUND"... but when I try to reboot in regular mode I have no luck :thumbsup:
Can someone please help me!!!
Geo

#2 geofade (Topic Starter)

Posted 09 February 2010 - 10:44 PM

Help pleaaaaaase... my computer is in crap mode!

#3 Sashacat

Posted 10 February 2010 - 11:58 AM

Hate it when that happens, the dreaded "crap mode"......

It is probable and likely that you have things running that are slowing your computer down.

Go to Task Mngr.
(Ctrl, Alt, Delete one time) to view the processes that are running.
You can click on "Image Name" (the title at the top of the category) to alphabetize the entries.
Do you see anything running that is unfamiliar to you?
You can click an entry, and click the End Process button if you are familiar with this.

Task Mngr only shows you the processes that are running, but does NOT show the command lines for those processes.
Process Explorer is a free program that will show all processes AND SHOWS the command lines for each.
You can download Process Explorer from:
http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx
When you run Process Explorer, click View, Select Columns, and put a checkmark next to "Command Line".
Then you will be able to see the command lines.
Knowing what you're up against is a lot better than not knowing.
You can also use Process Explorer to "kill" a process (same thing as "end task").

Check what's set to run on boot by hitting the Start button, Run, type in msconfig and hit Enter.
Click the Startup tab.
A checkmark next to an item means that item will run on boot.
You can remove checkmarks from items if you are familiar with this.
After making changes (clicking to remove a checkmark), hit Apply and then OK to close.
You will get a message that says changes will take effect after next restart, and it gives you the option to restart the computer right then, or at a later time.
When you next restart your computer, you will get a message that says you have used System Configuration Utility......
you can close it (ignore it).
If you are not familiar with, or not comfortable with this, don't make any changes, just report back with which items have a checkmark, and what processes are running.

If you can end task on unnecessary processes that are running, and/or stop unnecessary processes from running on boot, that should free up enough system resources for you to begin fixing your computer without it going so slow.


Get (and use) the following free programs:
(Make sure you get the latest updates for each program before you scan.)

SUPERAntiSpyware:
http://www.superantispyware.com

Malwarebytes' Anti-Malware:
http://www.malwarebytes.org/mbam.php
(Other posts on this site recommend renaming the file to zztoy.exe before saving it to your desktop)


If SUPERAntiSpyware or Malwarebytes' Anti-Malware find/fix infections, you may want to delete your restore points (to ensure there are no infected restore points). To delete all restore points, go to Control Panel, System, System Restore tab, put a checkmark in "Turn Off System Restore" and hit Apply.

(After you get all of this fixed, you will probably want to turn System Restore back on. To turn System Restore back on, go to Control Panel, System, System Restore tab, click to take the checkmark out of "Turn Off System Restore" and hit Apply. Then hit OK to close. )

If you don't already have/use CCleaner, it is a good program, and it's free. Take the tour, see what the program does, look at the screen shots. It not only cleans your computer, it also has a Registry tool that will check for/fix registry errors, and it also has an "uninstall programs" tool and a "startup" tool.
The website for CCleaner is: http://www.ccleaner.com/

Continue to check Startup tab in msconfig, make sure any items you "unchecked" are still "unchecked".

Run an online scan with Kaspersky:
http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

You did not specify which antivirus program you are using.
AVG Anti-Virus Free Edition
http://download.cnet.com/AVG-Anti-Virus-Fr...4-10320142.html
http://free.avg.com/us-en/homepage

Please report back with the results of the scans and whether you are still experiencing symptoms of infection.

Good luck :thumbsup:
If we don't change the direction we are going,
We are likely to end up where we are headed.
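The triage steps in the post above (processes with their command lines, the msconfig Startup list) as one PowerShell script. This is an added example, not the poster's code; it assumes Windows PowerShell 5.1 or later in an elevated prompt, and its third check (drivers whose signature does not verify) goes beyond the post to cover the kind of file the later Malwarebytes log reports under system32\drivers.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1+, elevated prompt.

# 1. Running processes with their command lines, the column Task Manager
#    lacks and Process Explorer's "Command Line" column shows.
function Get-ProcessCommandLines {
    Get-CimInstance -ClassName Win32_Process |
        Sort-Object Name |
        Select-Object ProcessId, Name, ExecutablePath, CommandLine
}

# 2. Autostart entries behind the msconfig "Startup" tab: the per-machine and
#    per-user Run/RunOnce keys, plus both Startup folders.
function Get-StartupEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties the registry provider adds to every item.
        foreach ($p in $props.PSObject.Properties | Where-Object Name -notmatch '^PS') {
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    $folders = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem -Path $f -File | ForEach-Object {
            [pscustomobject]@{ Source = $f; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# 3. Kernel drivers whose Authenticode signature does not verify. An unknown
#    .sys under system32\drivers stands out here. Catalog-signed Windows drivers
#    may report NotSigned on older systems, so treat the list as leads, not verdicts.
function Get-UnsignedDrivers {
    Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys -File |
        Get-AuthenticodeSignature |
        Where-Object { $_.Status -ne 'Valid' } |
        Select-Object @{ n = 'Driver'; e = { $_.Path } }, Status
}

Get-ProcessCommandLines | Format-Table -AutoSize
Get-StartupEntries      | Format-Table -AutoSize
Get-UnsignedDrivers     | Format-Table -AutoSize
```

Pipe any of the three functions to `Export-Csv` to keep a record before ending processes or unchecking startup items, so changes can be reversed.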

#4 geofade (Topic Starter)

Posted 11 February 2010 - 09:28 PM

Thanks for the 411 Sashacat.... I will try everything you mentioned and let you know about the logs!
Ciao!
geo

#5 geofade (Topic Starter)

Posted 12 February 2010 - 02:10 AM

Here is a log from malwarebytes.....
there is one file that cannot be deleted and I think it might be a virus.... any idea on how to delete???
Thanks a bunch!
Geo



Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/11/2010 10:23:45 PM
mbam-log-2010-02-11 (22-22-16).txt

Scan type: Quick Scan
Objects scanned: 130674
Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\eceuh.sys (Rootkit.Agent) -> No action taken.

#6 Sashacat

Posted 12 February 2010 - 11:39 AM

Here is a log from malwarebytes.....
there is one file that cannot be deleted and I think it might be a virus.... any idea on how to delete???
Thanks a bunch!
Geo

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/11/2010 10:23:45 PM
mbam-log-2010-02-11 (22-22-16).txt

Scan type: Quick Scan

Files Infected: 1

Files Infected:
C:\WINDOWS\system32\drivers\eceuh.sys (Rootkit.Agent) -> No action taken.




Did you by any chance run the online Kaspersky scan
http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

and scan using SUPERAntiSpyware
http://www.superantispyware.com

Did you scan with AVG Anti-Virus Free Edition
http://download.cnet.com/AVG-Anti-Virus-Fr...4-10320142.html
http://free.avg.com/us-en/homepage



I'd like to know what, if any infected items are found/fixed by the other scans.
Please report back. Thanks :thumbsup:

#7 Sashacat

Posted 12 February 2010 - 12:28 PM

Files Infected: 1

Files Infected:
C:\WINDOWS\system32\drivers\eceuh.sys (Rootkit.Agent) -> No action taken.


See this topic, "Rootkit Removal":
http://www.bleepingcomputer.com/forums/t/250928/instructions-for-posting-advice-in-am-i-infected/

See reply in this topic, reply by user garmanma (a Moderator) (dated 12-18-09 and 12-19-09) with instructions on how to check for rootkit:
http://www.bleepingcomputer.com/forums/t/278568/web-pages-taking-forever-to-load-or-not-loading-at-all/
(Pay attn to part about only providing Hijack This logs only when requested, and WHERE they're supposed to be posted).


Rootkit removal tools (links to download)

http://rootrepeal.googlepages.com/

http://www.gmer.net/

http://www.techsupportalert.com/best-free-...ner-remover.htm



Hope this helps :thumbsup:

#8 geofade (Topic Starter)

Posted 12 February 2010 - 10:17 PM

Thanks for your help Sasha....

Kaspersky is down as far as online scans and AVG found this on my computer.....

Warnings
File;"Infection";"Result"
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox(2)\Profiles\fs4c4jd1.default\cookies.sqlite:\fastclick.net.90da2802;"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox(2)\Profiles\fs4c4jd1.default\cookies.sqlite:\fastclick.net.8a6435e9;"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox(2)\Profiles\fs4c4jd1.default\cookies.sqlite:\fastclick.net.57e8da10;"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox(2)\Profiles\fs4c4jd1.default\cookies.sqlite:\fastclick.net.1743141b;"Found Tracking cookie.Fastclick";"Moved to Virus Vault"
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox(2)\Profiles\fs4c4jd1.default\cookies.sqlite:\7search.com.f2cc2494;"Found Tracking cookie.7search";"Moved to Virus Vault"
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox(2)\Profiles\fs4c4jd1.default\cookies.sqlite:\7search.com.5bc4302d;"Found Tracking cookie.7search";"Moved to Virus Vault"
C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox(2)\Profiles\fs4c4jd1.default\cookies.sqlite;"Found Tracking cookie.Fastclick";"Healed"



I will try what you suggested about the rootkit.....
I just hope I can get that one file out of my system....

I run "Stopzilla" as site protection... and now I'm running AVG also....

Thanks for all the help!
Geo

#9 Sashacat

Posted 13 February 2010 - 09:40 AM

The "cookies" AVG found aren't a big deal, but that IS one of the things that AVG will find/get rid of.

What DOES have me concerned tho, is this result that you posted:
Files Infected:
C:\WINDOWS\system32\drivers\eceuh.sys (Rootkit.Agent) -> No action taken.


Will wait to hear back from you about the latest info you have, after checking for rootkits.

Best of luck to you :thumbsup:

#10 Orange Blossom (Moderator)

Posted 20 February 2010 - 09:20 PM

Closed since receiving assistance here: http://www.bleepingcomputer.com/forums/t/295382/cwindowssystem32driverseceuhsys-rootkitagent-no-action-taken/ ~ OB