
Vista Infected Can not run any application

#1 vgs8606
Posted 19 March 2010 - 09:32 PM

It started with rogue Windows Defender virus infection messages yesterday. I immediately rebooted and disconnected the ethernet cable. I kept it disconnected all throughout this ordeal. I was able to run msconfig and disable all startup entries, rebooted, and was able to run the usual AVG anti-virus and clean up the infection. Afterward, I ran MalwareBytes and SuperAntiSpyware. After a few reboots, I ran all three again and verified that the computer was clean. Then I decided to reconnect the ethernet cable.

Once the internet cable was connected, after about half an hour of browsing, a rogue alert along with a real alert from AVG popped up. I disconnected the cable from the internet and ran the AVG scan again, which picked up "Trojan.Agent/Gen-RogueAV" and asked me to reboot. After the reboot, AVG never restarted and I realized that I had been had :-(

Now I can not run any applications at all, even when I boot in safe mode. I get that dreaded file association menu for almost all the applications. I can not even run the DVD burner to take the data off this system :-( At least I am able to use the UDF capability of Vista, and right now I am burning CDs of my data from that computer. I hope those CDs will NOT be infected.

This is a Dell system and has the RECOVERY D: partition. I would be willing to start from scratch, but I am hoping I do not have to go to that length. I don't even know if I have the recovery CDs for this computer, but I am hoping that if worse comes to worst, I can restore from the recovery partition.

Please help!
- Vikas

Update:-

I have been reading this great resource, going through all of the recent entries and trying to follow the advice given to other participants. I have downloaded a few tools onto a USB stick.

rkill.com was able to kill the offending process. Right now I am running a quick scan from MBAM and will post the log when it is finished.

Here is the rkill.log. The file names do not seem to indicate which type of malware has infected the files. The EPSON files look like they are infected. I do not know what the wbem\WMIADAP.EXE is. I am hoping that the MBAM scan will give me a little bit more information.

===============================================
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as sontakke on 03/20/2010 at 7:34:33.


Processes terminated by Rkill or while it was running:


C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
\\?\C:\Windows\system32\wbem\WMIADAP.EXE


Rkill completed on 03/20/2010 at 7:35:05.
==================================================


The MBAM Quick Scan just completed; here is the log. I do not see the real nasty stuff in here.
It asked me to reboot and I rebooted. Right now it has come up and now I see the
AVG icon in the task tray! I am running a full scan with MBAM.
I have found previous mbam logs, and they are posted at the end.

==================================================
Malwarebytes' Anti-Malware 1.44
Database version: 3886
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

3/20/2010 8:03:34 AM
mbam-log-2010-03-20 (08-03-34).txt

Scan type: Quick Scan
Objects scanned: 132259
Time elapsed: 15 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\sontakke\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\sontakke\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\sontakke\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

================================================

I am including relevant information from a few mbam logs chronologically. As can be inferred,
mbam showed a clean computer, but it got re-infected once the computer was on the internet and
was being used for browsing with IE.


------------------------------------------
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

3/19/2010 6:23:25 AM
mbam-log-2010-03-19 (06-23-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 317549
Time elapsed: 1 hour(s), 38 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
---------------------------------------------------

Malwarebytes' Anti-Malware 1.44
Database version: 3885
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

3/19/2010 6:36:50 PM
mbam-log-2010-03-19 (18-36-50).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 325699
Time elapsed: 1 hour(s), 36 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.


Files Infected:
C:\Users\sontakke\AppData\Local\mcinlw\bqbtsftav.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\sontakke\AppData\Local\Temp\vbxlgy.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
........................................

Malwarebytes' Anti-Malware 1.44
Database version: 3886
Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

3/19/2010 8:00:51 PM
mbam-log-2010-03-19 (20-00-51).txt

Scan type: Quick Scan
Objects scanned: 132641
Time elapsed: 15 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Edited by vgs8606, 20 March 2010 - 07:29 AM.
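The MBAM log above shows the mechanism behind the rogue AV's persistence: the "open" and "safemode" commands registered for the browsers under HKLM\SOFTWARE\Clients\StartMenuInternet were rewritten so that a binary in the user's profile (ave.exe under AppData\Local) is started first and then hands off to the real firefox.exe or iexplore.exe, which is why the machine kept coming back infected the moment a browser was launched. The following is an added example, not code from the original post or from Malwarebytes: it parses "Registry Data Items Infected" lines in the MBAM log format, pulls the hijacked command apart, and reports which launcher was interposed in front of which browser and whether it lives in a user-writable directory. The three sample lines are copied from the posted log; the fourth, benign line and the USER_WRITABLE list are constructed for the example.

```python
"""Triage of Malwarebytes 'Hijack.StartMenuInternet' log entries (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Shape of one MBAM "Registry Data Items Infected" line:
#   <key> (<detection>) -> Bad: (<command>) Good: (<command>) -> <action>
LINE_RE = re.compile(
    r"^(?P<key>HK[A-Z_]+\\[^ ]+) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.*)$"
)

# Directories a standard user can write to without elevation (assumed list for
# this example). A browser launcher living here is the rogue-AV pattern seen on
# the page: ave.exe under %LOCALAPPDATA%.
USER_WRITABLE = (
    r"\appdata\local", r"\appdata\roaming", r"\users\public", r"\programdata",
)

# Three lines copied from the posted MBAM log, plus one constructed benign line.
SAMPLE_LINES = [
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\sontakke\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\sontakke\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\sontakke\AppData\Local\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.',
    # Constructed: a command that directly runs the browser, nothing interposed.
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.',
]


@dataclass
class Hijack:
    key: str
    detection: str
    launcher: str        # first executable in the Bad command
    target: str          # the program the launcher hands off to ("" if none)
    user_writable: bool  # launcher lives in a user-writable directory


def split_command(cmd: str) -> list:
    """Split a registry command string into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_line(line: str) -> Optional[Hijack]:
    """Parse one MBAM log line; return None for lines that are not data items."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = split_command(m["bad"])
    launcher = tokens[0] if tokens else ""
    # The hand-off target is the first later token that names an executable.
    target = next((t for t in tokens[1:] if t.lower().endswith(".exe")), "")
    return Hijack(
        key=m["key"],
        detection=m["detection"],
        launcher=launcher,
        target=target,
        user_writable=any(d in launcher.lower() for d in USER_WRITABLE),
    )


def interposed_launchers(lines) -> dict:
    """Map each interposed launcher binary to the registry keys it was wired into.

    An entry counts as an interposition when the command names a second
    executable to hand off to and the first one sits in user-writable space.
    """
    out = {}
    for h in filter(None, map(parse_line, lines)):
        if h.target and h.launcher.lower() != h.target.lower() and h.user_writable:
            out.setdefault(h.launcher, []).append(h.key)
    return out


if __name__ == "__main__":
    for launcher, keys in interposed_launchers(SAMPLE_LINES).items():
        print(f"interposed launcher: {launcher}")
        for k in keys:
            print(f"  {k}")
```

Run against the posted entries, the script reports a single launcher, C:\Users\sontakke\AppData\Local\ave.exe, wired into the three browser command keys; the constructed benign entry is ignored because nothing is interposed. The same parser works on any MBAM log of that version that lists "Registry Data Items Infected" entries, and the launcher path it returns is the file to hunt for on disk after cleaning the keys.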

