Nasty malware infection evades all detection


6 replies to this topic

#1 BlueDogs


Posted 07 February 2010 - 11:03 AM

My fiancée's aunt and uncle are raising a 17-year-old grandson who is famous for infecting their computer (which gets handed to me to fix). They are usually NASTY viruses which I have to seek help on the internet for. No doubt the result of him going to pornographic sites, as I notice he erases the browser history quite religiously. (I've been through this with my own teenage son and a teenage stepson as well!)

At any rate, this one really takes the cake. Not only did I clean a horrific virus off their computer last time, but I installed McAfee AV (I told them to get the internet security suite but all they got was the AV), cleaned the computer with Malwarebytes (but uninstalled this program after using it), AdAware, and Spybot S&D (left those two on the system and showed them how to use them, not that they did), got all the Windows updates loaded, and set up their system for automatic updates and scans.

Now I get it back no more than 2 months later like this.....

Upon boot up there are immediate Windows security alerts telling me the computer is infected and would I like to start my anti-virus program now? I ignored those. Meanwhile error messages are popping up one after another telling me that every file in creation is infected with a virus (including files associated with running McAfee).

Attempting to open McAfee up directly (by-passing the "click here" baloney) with this mess going on does nothing but earn me more error messages regarding the fact that the main files in McAfee are infected with a virus and therefore the program cannot be run.

The entire system is crippled at this point. Recognizing this in the first 45 seconds of having it hooked up here I shut it down and rebooted in safe mode. I was able to run McAfee and ran a full system scan (not a quick scan). The definitions library was last updated two days ago and a full scan reported ZERO issues. WHAT???

I then turned to AdAware. It found nothing more than 217 harmless cookies. Huh??? I then turned to Spybot S&D; at this point I had rebooted again into safe mode with networking so I could update the definition files for these last two programs. So get this. Spybot tells me, after a full system scan.....

"Congratulations! No threats were found on your system!"

WTF????? A teenage kid has been using this system for over two months and all AdAware finds is cookies and Spybot finds nothing??? Meanwhile the system is CRIPPLED!!! What is going on here?? I know enough about computers to know that this nasty little bug is above my head. I have Malwarebytes on disk and on my flash drive but I'm not sticking my flash drive in there!! So I'll have to dig up the disk and install it and HOPE it can detect the problem.

I'm at my wits' end. I searched through new programs installed, Windows Explorer, etc. and saw nothing out of the ordinary. I need some help here. Any direction, suggestions, anything would be helpful. Thank you!

Oh and by the way, AGAINST my advice they went and bought this computer USED with NO recovery disk. It's an OLD computer that has been updated. They weren't even given the product key to Windows XP (or the disk) so there's no way to format the stupid thing!!!! Some small town PC repair guy that probably has multiple licences for Windows. Reportedly he upgraded the hardware and installed a fresh copy of XP.

He's not even local either. Lives 5 hours away in another state. They took the advice of their daughter who has "had her computers worked on by him before and never had a problem". He may end up with this one back in his hands......

~Darlene~

Blue Sapphire Kennels
Brains, Beauty, & Brawn, Why Settle for Less?
Learn about Blue and Liver GSD's! At: BlueDogs
"No Good Dog Is a Bad Color" - Max von Stephanitz - German Shepherd Breed Founder



#2 Arctic


Posted 07 February 2010 - 11:19 AM

I used this post earlier. At the current time I am a huge fan of rkill, because it seems to give you a much better working environment for detection and removal.

Just to be clear first and foremost: I'm not a regular technician on this forum, but I think this may be of some assistance.

If you have a secondary computer to download programs through, put them on a flash drive and transfer them.

First you should download rkill from a known good source.
While downloading, just to be safe, you may want to rename the files to something other than rkill.

http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.exe
http://download.bleepingcomputer.com/grinler/rkill.pif
http://download.bleepingcomputer.com/grinler/rkill.scr
You will also want to download Malwarebytes from a known good source.
I would just use http://www.malwarebytes.org/


When running rkill on Windows 7 or Vista you will need to right click and use the "run as administrator" option.


Try running rkill a few times; the DOS box should pop up saying it is terminating known malware processes.
If the exe does not work, try the com version, but make sure to run it as Administrator.

Once rkill successfully runs, a notepad file should open up with what it stopped.


Now, don't restart the computer.

Remove Malwarebytes if it's installed, and reinstall it.
Update to the latest definitions.
To be on the safe side I would suggest running a full system scan.
Any entries it finds, remove them.
At this time your computer should be rid of Security tool kit.

If your internet is not working, navigate to Internet Explorer -> Internet Options -> Connections tab -> LAN Settings -> uncheck "use a proxy server".

Hope this helps, and I'll try to check back here to see if it's resolved.
Mods: didn't mean to step on anyone's toes, if it is not alright that I posted instructions. Tell me and I will willingly remove them.
I can only help.. If I know what the problem is.

we never have time to do things right, but we always have time to do them again

LAWL

#3 BlueDogs


Posted 07 February 2010 - 11:35 AM

Hi Aliciam, thanks. I do have Malwarebytes on disk. I am NOT fond of the idea of putting my flash drive into this computer and then getting it infected and possibly getting my own computer infected after that. I too, after all, have McAfee on my system. If this thing was able to infect a computer with McAfee running on it with an updated definitions database, then what are the chances it won't infect my own? Not willing to give up my beloved hot pink flash drive because some stupid teen-ager can't stay off porn sites. LOL

I will boot it up again in safe mode with networking and try to install and run Malwarebytes however and see what it finds. Everything I described was done last night. Finally it got late and I was tired. Haven't turned it on yet this morning.

~Darlene~



#4 BlueDogs


Posted 07 February 2010 - 12:58 PM

Update:

I installed Malwarebytes from disk in safemode with networking and updated the definition files prior to running a full scan. This is what it found:

Rogue.Multiple (type) File (item) HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityCenter\AntiVirusDisableNotify

Trojan.Fake alert.Gen (type) Registry Value (item) HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityCenter\FirewallDisableNotify

Disabled Security Center (type) Registry Data (item) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CHECKEDVALUE

Disabled Security Center (type) Registry Data (item) C:\System Volume Information\_restore{955Beace-F339-42D2-AF77-B7816311B33A}\RP201\A003225.EXE

Hijack.System.Hidden (type) Registry Data (item) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\fapwwnrx

So basically I understand this thing is going to reinstall itself after reboot. Which it did, by the way. I had to literally pull the power plug on the back to shut it down this time in order to reboot again in safe mode, and am rescanning with Malwarebytes. However, at the end of the scan I am leaving it be until I get some answers.

I do however have more information on what it is I am dealing with. Some phoney anti-virus popped up and started "scanning" the computer upon reboot. It called itself "Antivirus Soft"; when I hovered the mouse over the task bar where the icon appeared, it referred to it as a "demo" version.

I will Google this and see if I can't find removal instructions or a removal tool for it. I have DVD-RW disks, and since this computer that is infected only has a CD-RW\DVD player I can safely use these disks to install fixes rather than risk my flash drive, considering it doesn't have the capabilities to burn DVDs like my own computers do.

If anyone has any other suggestions while I am searching for answers it would be most appreciated. I will check back on the forum shortly. Thanks in advance.

~Darlene~


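As an added defender-side example (my own code, not anything from this thread, from Malwarebytes or from rkill), here is a Python check that parses a registry export and flags the settings Malwarebytes reported in this post plus the proxy setting Arctic's post says to uncheck. The sample export, the placeholder paths and the random-name heuristic are assumptions; the Run value name is the one from the post.

```python
# Constructed sample .reg export (not from the thread's machine): the keys Malwarebytes
# listed in post #4 plus the proxy setting post #2 says to uncheck; paths are placeholders.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"fapwwnrx"="C:\\PLACEHOLDER\\fapwwnrx.exe"
"McAfeeUpdaterUI"="C:\\PLACEHOLDER\\UpdaterUI.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:PLACEHOLDER_PORT"
"""
MS = r"hkey_local_machine\software\microsoft"
KEYS = {"sc": MS + r"\security center", "run": MS + r"\windows\currentversion\run",
        "showall": MS + r"\windows\currentversion\explorer\advanced\folder\hidden\showall",
        "proxy": r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"}

def parse_reg(text):
    """Parse a .reg export into {key (lowercased): {name: value}}; dwords become ints."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = (int(raw[6:], 16) if raw.startswith("dword:")
                                   else raw.strip('"').replace("\\\\", "\\"))
    return keys

def looks_random(name):
    """My own heuristic (not Malwarebytes'): short, all-lowercase, vowel-poor value name."""
    return (name.isalpha() and name.islower() and 6 <= len(name) <= 12
            and sum(c in "aeiou" for c in name) / len(name) < 0.3)

def find_indicators(keys):
    """Findings for the settings the thread's rogue AV changed (evasion + persistence)."""
    sc, showall, run, proxy = (keys.get(KEYS[k], {}) for k in ("sc", "showall", "run", "proxy"))
    found = [f"Security Center\\{n}=1: Windows security alerts suppressed"
             for n in ("AntiVirusDisableNotify", "FirewallDisableNotify") if sc.get(n) == 1]
    if showall.get("CheckedValue") == 0:
        found.append("SHOWALL\\CheckedValue=0: 'show hidden files' switched off")
    found += [f"Run\\{n} -> {p}: random-looking autostart entry"
              for n, p in run.items() if looks_random(n)]
    if proxy.get("ProxyEnable") == 1:
        found.append(f"ProxyEnable=1 ({proxy.get('ProxyServer')}): browser traffic redirected")
    return found
```

On a real machine the same check can be run against a `reg export` of those keys taken from a clean boot environment, which avoids the stealth behaviour Darlene describes once the rogue is running.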

#5 Arctic


Posted 07 February 2010 - 01:02 PM

I'm just posting the tutorial found on the site.

The tutorial is most likely what I based my initial game plan on.

http://www.bleepingcomputer.com/virus-remo...-antivirus-soft

#6 BlueDogs


Posted 07 February 2010 - 02:21 PM

Hi Arctic, I did find that tutorial the second I Googled the offending fake AV scan program. I printed out the instructions and downloaded rkill and copied it to a disk. I ran it in safe mode with networking on the infected computer and rkill reported NO processes to be killed.

So I took a chance and rebooted normally and quickly (before it could complete booting up) opened up my computer and started rkill. This time it DID stop a process named "fapwwnrx" which Malwarebytes found the first time I ran it. So now I am running Malwarebytes AGAIN because earlier while still in safe mode AFTER I had made the mistake of rebooting after the first time Malwarebytes found all this junk and it reinstalled itself, it found NOTHING.

Which I knew was impossible because I had just had to unplug the power from the computer to even shut it down so I could reboot in safe mode after that stupid program began its fake scan. So now I'm really confused. I'm assuming this thing has some fantastic stealth capabilities? Meaning that if it is removed once then it knows to hide itself even better the next time when it reinstalls itself upon reboot?

I don't know, but if this doesn't work I'm about to send this thing back to its owners and they can pay a shop to deal with this garbage. It's just not worth the frustration IMO. I have better things to do with my time than constantly fix my fiancé's family's computers all the time because they let their teen-agers run rampant on them. I had to clean 3 systems last week at his brother's house that were literally infested with trojans and other malware, and they don't see the need to purchase AV software for any of their computers no matter how much I urge them to do so. With 3 teenagers in the house no less....

~Darlene~



#7 BlueDogs


Posted 07 February 2010 - 03:49 PM

I have solved the problem using rkill and Malwarebytes in regular Windows mode (it did not work in safe mode). I am now also installing McGruff SafeGuard and having it set to e-mail ME whenever this kid wants to browse any more adult sites, after viewing the browser history!!! Yikes!!!!!!!!!

~Darlene~
