
Stubborn Infection - not identified.


  • This topic is locked
7 replies to this topic

#1 Nove
  • Members
  • 23 posts

Posted 06 April 2010 - 06:02 PM

A few days ago (Thursday 4-1, I think), I picked up a bit of malware that cut straight through my existing security programs (windows basics, McAfee AV+, Malwarebytes) - I believe that was Total Vista Security. I think it showed up primarily as the ave.exe process.

I ran the solution I found online (fix.reg, run Malwarebytes, etc) - that seemed to restore control to me and remove the pop-ups and redirects.

This morning (Tuesday 4-6), while browsing I came under serious "attack" as multiple processes tried to open and reach the internet. My security blocked them, but there were so many that I had to manually power down my computer to get back ahold of it. When I brought it back up, the processes were not trying to "get out", but I had Antimalware Doctor popping up and causing problems. I used rkill and several reboots, safe-modes, and runs of malwarebytes and I seem to have gotten that under control as well - to the point where Antimalware Doctor is no longer showing up when I do scans or on the last time I rebooted.

Malwarebytes and McAfee have returned several "clean" reports, but I am convinced my system (specifically Firefox) remains infected. When I do searches on Google, some links take me to different sites that look very much like the standard "buy this av protection!" scams. "Open in New Tab" usually eliminates this problem, and it does not happen with every search result. I also viewed the google-cached sites and they were different than the sites I was being redirected to. Additionally, every now and again I would get a browser "pop up" that would look like a new browser instance (i.e., not a tiny or reduced-size browser advert) that would be an ad - very similar to what Seijin described: http://www.bleepingcomputer.com/forums/topic307659.html

I also noticed that Hotmail does not respond as I am used to - it "hangs" when I click to go to the inbox, or to access an email, and if I click and then click again, it usually goes through. This is new as of today's problems.

I called McAfee and tried to get help from them directly since I pay them for support - the first person seemed helpful but all subsequent ones have tried to have me sign up for an $80 fix-it session. The first support person sent me an email with a number of links on it and directed me to run McAfee's FreeScan - which has turned up a BackDoor-ENZ trojan.

I have been browsing this site and the internet for most of the day using Firefox while McAfee's FreeScan runs on Internet Explorer - I have been very conservative with what I click or access, and I have had few incidents once I thought I saw a pattern - so I'm going out of my way while looking to make sure that I don't "trigger" anything.


1 - How do I fix Firefox? Can I fix it by reinstalling Firefox, or by uninstalling and then reinstalling? Why isn't McAfee/Malwarebytes detecting it?

2 - How can I be sure that I have completely purged my system of Total Vista Security and Antimalware Doctor?

3 - In my youth, I had bad experiences with running two anti-virus programs on the same computer at the same time - so I'm hesitant to run both Malwarebytes and Spybot SD on the same system. Can I do this? Will they try to eat each other, or do they operate separately, happily?

4 - Is my Hotmail compromised somehow?

Edited by Nove, 06 April 2010 - 06:03 PM.



#2 Nove
  • Topic Starter
  • Members
  • 23 posts

Posted 06 April 2010 - 08:02 PM

I've been running the McAfee fastscan for several hours - more than five.

I have JUST noticed a warning from my computer that my hard drive (~700GB) is nearly FULL. Yesterday, it was less than half-way full. I'm near panic now - what is going on?!

I looked into my registry, and found some values which didn't add up. I don't know what's going on or why my drive is filling up so quickly!

- edit at 11:26pm 4-6.

I have freed up space by deleting programs - I've got about 16GB opened, and it does seem to be slowly filling back up - I got 16.9 free and now I'm at 16.8 - within about a half hour.

I have been looking around my system and I can't figure out where these files are.

I have gone into Users-Me-AppData-Local-Microsoft-Windows, and the folder shows me five subfolders and four files. That adds up to maybe 6MB. When I go there with a DOS command, I get about the same thing. When I click in the folder and select "Properties" through Windows, I get 77,000 files and 7350 folders, and about 200GB. I've tried viewing hidden files, but I don't see anything change. DOS isn't picking it up and I don't see any other hidden folders with a dir search there.

This has me very, very worried - I don't want to wake up tomorrow and have this 16GB I cleared filled up again. I can't even see the files!

Edited by Nove, 06 April 2010 - 11:32 PM.


#3 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,213 posts

Posted 06 April 2010 - 11:17 PM

Hello... for #1
Removing and replacing should work.

#2
We need a deeper look, something seems to be protecting the malware.
Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9 and not here, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.


#3
These tools are compatible. MBAM and SpyBot are not AVs.

#4
Will be determined in The DDS forum.

#4 Nove
  • Topic Starter
  • Members
  • 23 posts

Posted 06 April 2010 - 11:39 PM

Hello... for #1
Removing and replacing should work.

#2
We need a deeper look, something seems to be protecting the malware.
Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9 and not here, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.


Boopme,
Thank you for the response and the greeting.

I have run Spybot SD and I -believe- that helped the Firefox issue - I've only been using it while trying to search out an answer for this hard-drive fill-up (Gah!), but preoccupied as I am, it seems like the browser is responding quicker, I don't have to click several times to access something, and I haven't seen any more pop-ups/unders.

I will be looking into the Preparation Guide (6-9) tonight/tomorrow morning - so far, I've had a day full of stress and I'm more than a little depleted by panic.

Thank you.

#5 Nove
  • Topic Starter
  • Members
  • 23 posts

Posted 07 April 2010 - 12:40 AM

http://www.bleepingcomputer.com/forums/t/307746/hard-drive-filled-total-vista-secantimalware-dr-etc/

Boopme,

I was not able to successfully run the GMER program - it locked up and forced Windows to a "blue screen of death" and a memory dump of some sort. After I rebooted to normal mode, I got an error message of: "error loading c:users\machine\appdata\local\temp\mstczvlg.dll"

I did notice just before that happened that GMER seemed to have found a "Virtualized" folder inside my AppData\...\Windows folder that looked like it had copies of every file on my hard drive - like my hard drive was duplicated there.

Thanks.

Edited by Nove, 07 April 2010 - 12:44 AM.


#6 Nove
  • Topic Starter
  • Members
  • 23 posts

Posted 07 April 2010 - 06:52 AM

Immediately prior to shutting down last night, my HD space had expanded once again from 84GB free to 118GB free. This morning, I'm at 117GB free.

#7 Nove
  • Topic Starter
  • Members
  • 23 posts

Posted 07 April 2010 - 06:09 PM

Running a full scan of Malwarebytes picked up some entries in the "Virtualized" folder. I used the "navigate to the entries" feature in Malwarebytes and then created a shortcut to the hidden folder. I can now access it using Windows Explorer. It seems to be under another hidden "Temporary Internet Files" folder that is stashed inside the Windows folder. If I move up the file tree, when I get to "Windows" I can't see the TempIntFiles any more, and can't get back down the tree.

"C:\Users\Machine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C"

From there on, it's like it is a duplicate of my C: drive.

Can I delete this "Virtualized" folder without causing problems? Just open it up in Explorer, click on the folder, select delete, and go on my merry way?
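Posts #2 and #7 describe the same measurement problem: Explorer's Properties dialog reports ~200GB and tens of thousands of files under AppData\Local\Microsoft\Windows, while a plain "dir" listing shows a handful of entries, and the "Temporary Internet Files" folder holding the "Virtualized" tree disappears when walking back up the tree. Two things cause that: "dir" without the /a switch and Explorer's default view both omit entries carrying the Hidden or System attribute, and Vista/7 user profiles contain compatibility junctions that point elsewhere in the tree, so naive recursive counts can double-count or loop. The PowerShell script below is an added example written for this page, not code from any poster or from BleepingComputer; it only reads the tree and deletes nothing. It assumes the folder named in post #2 ($env:LOCALAPPDATA\Microsoft\Windows) as its default root, reports size and attributes for every immediate subfolder including hidden and system ones, and refuses to descend into junctions or symlinks so the totals reflect real on-disk data.

```powershell
# Added example for this thread (not code from any poster): account for disk
# usage under a folder, counting Hidden and System entries that a plain
# "dir" or Explorer's default view omits, without descending into junctions.
# $Root defaults to the folder named in post #2; it is only read, never changed.
param(
    [string]$Root = "$env:LOCALAPPDATA\Microsoft\Windows",
    [int]$Top = 10
)

function Get-DirectoryUsage {
    # Recursively sum file sizes below $Dir. Junctions and symlinks are
    # skipped so a link that points back up the tree is neither double
    # counted nor followed forever. Folders we cannot open are skipped.
    param([System.IO.DirectoryInfo]$Dir)
    $total = [long]0
    try {
        foreach ($f in $Dir.EnumerateFiles()) { $total += $f.Length }
        foreach ($d in $Dir.EnumerateDirectories()) {
            if (($d.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) { continue }
            $total += Get-DirectoryUsage -Dir $d
        }
    } catch [System.UnauthorizedAccessException], [System.IO.IOException] {
        Write-Verbose "Skipped (cannot read): $($Dir.FullName)"
    }
    return $total
}

function Get-TopLevelUsage {
    # One row per immediate subfolder of $Path: size, attributes and whether
    # it is a junction. Hidden/System folders are listed like any other, so
    # a large tree that "dir" never showed becomes visible here.
    param([string]$Path, [int]$Count)
    $root = [System.IO.DirectoryInfo]$Path
    $rows = foreach ($d in $root.EnumerateDirectories()) {
        $isLink = (($d.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)
        [pscustomobject]@{
            Name       = $d.Name
            Attributes = $d.Attributes
            Junction   = $isLink
            SizeGB     = if ($isLink) { 0 } else {
                [math]::Round((Get-DirectoryUsage -Dir $d) / 1GB, 2)
            }
        }
    }
    $rows | Sort-Object SizeGB -Descending | Select-Object -First $Count
}

Get-TopLevelUsage -Path $Root -Count $Top | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt as `.\Get-TopLevelUsage.ps1` (or pass `-Root` to point it at another folder); the Attributes column shows which entries carry Hidden or System, and the Junction column marks reparse points that were not followed. For a one-off check at the cmd prompt, `dir /a /s` lists the same hidden and system entries without the per-folder totals. Following the moderators' advice in this thread, use the output to understand where the space went and include it in the log topic rather than deleting anything by hand while a helper is working the log.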

#8 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 36,947 posts

Posted 07 April 2010 - 06:34 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/307746/hard-drive-filled-total-vista-secantimalware-dr-etc/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by an MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:



