
XP Antimalware Virus


  • This topic is locked
1 reply to this topic

#1 husky1954

  • Members
  • 41 posts
  • Gender:Male
  • Location:Eagle, CO

Posted 01 April 2010 - 09:50 PM

I am an unemployed IT professional and I work part time at an apartment complex in Eagle, CO. The computer in the office has been infected twice with a virus and I was asked to fix it. The first time was a couple of months ago. I think the virus was called Antivirus 2010. I used rkill and Malwarebytes to remove it. After this I installed AVG and Spybot. AVG is updated every night and runs once a week. The second incident happened today. AVG ran last night with nothing detected. This time I could not run Malwarebytes and could not get to the internet. I was able to run Spybot. Spybot found that the antivirus, firewall and Windows Update had been disabled. While Spybot was running, the little shield that the virus puts in the lower right of the task bar went away. After Spybot I ran Malwarebytes and it removed 7 entries (see log below). There was also a third virus that occurred last October before I worked here. I think Malwarebytes was used then too.

This is the virus I removed http://www.bleepingcomputer.com/virus-remo...irus-vista-2010

Recently the infected computer has only been used to run business software, email, Craigslist and Youtube. The computer user was reading email when the virus was noticed.

I would like to know how this virus propagates. Does it use email or something else? Also, is it possible that the virus has not been completely removed?

MB log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/1/2010 2:37:54 PM
mbam-log-2010-04-01 (14-37-54).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 151381
Time elapsed: 31 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\eaglevillas\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\IEXPLORE.EXE") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\eaglevillas\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
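As an added example, not part of the original post or of Malwarebytes' own tooling, the following PowerShell pass re-checks, after cleanup, the registry locations and the dropped file that the MBAM log above names. The expected clean values are assumptions: XP SP3 defaults (no shell\open\command under HKCR\.exe, `"%1" %*` under HKCR\exefile) plus the "Good" values the log itself lists.

```powershell
# Added example, not part of the original post or of Malwarebytes' own tooling:
# a post-cleanup verification pass over the registry keys and file the MBAM log
# above names. Expected clean values are assumptions (XP SP3 defaults and the
# log's own "Good" values).
$findings = @()

function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Hijack.ExeFile: the rogue adds HKCR\.exe\shell\open\command, which shadows the
# real handler under HKCR\exefile and routes every .exe launch through ave.exe.
# On a clean XP system the .exe subkey carries no shell\open\command at all.
if (Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command') {
    $findings += 'HKCR\.exe\shell\open\command still exists (should be absent)'
}
$exefile = Get-RegValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' '(default)'
if ($exefile -ne '"%1" %*') {
    $findings += "HKCR\exefile\shell\open\command is '$exefile' (expected `"%1`" %*)"
}

# Rogue.MultipleAV: the secfile class only exists because the rogue created it.
if (Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\secfile') {
    $findings += 'HKCR\secfile still exists'
}

# Hijack.StartMenuInternet: IE from the Start menu must not launch via a profile dir.
$ieCmd = Get-RegValue 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command' '(default)'
if ($ieCmd -and $ieCmd -match 'Local Settings\\Application Data') {
    $findings += "StartMenuInternet command points into a user profile: $ieCmd"
}

# Disabled.SecurityCenter: the log's "Good" value for all three flags is 0; absent is also fine.
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Security Center' $name
    if ($null -ne $v -and $v -ne 0) { $findings += "Security Center\$name = $v (expected 0)" }
}

# Files Infected: the dropped binary the log quarantined.
$ave = 'C:\Documents and Settings\eaglevillas\Local Settings\Application Data\ave.exe'
if (Test-Path -LiteralPath $ave) { $findings += "$ave still present" }

if ($findings.Count -eq 0) { Write-Output 'All items from the MBAM log verify clean.' }
else { Write-Output 'Remaining issues:'; $findings | ForEach-Object { Write-Output "  - $_" } }
```

Run it from an elevated PowerShell prompt on the cleaned machine; any line under "Remaining issues" is a location the rogue touched that still differs from the expected default.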


#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,430 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 December 2012 - 10:25 PM

Closed per request here.
http://www.bleepingcomputer.com/forums/topic400074.html/page__pid__2924761#entry2924761