Another ave.exe basket case


This topic is locked
11 replies to this topic

#1 hourwasted

Posted 15 April 2010 - 05:50 PM

I am heavily infected with ave.exe and av.exe and a host of other items. I have been able to isolate and remove all infections several times with malaware virus remover. I have edited the registry keys and removed all traces, I have removed the ave executable from its location in Windows, no issues with that.

The problem is... every time I reboot, it comes back instantly. I have tracked it to the startup menu, and disabled everything in startup. Somehow, there must be an exe running at startup and it adds entries back into the startup script and I go through the same thing all over. I am not gaining on it, though I can use my machine and get around, the virus is still present.

So far, I have read nothing about this virus being found in the startup. What I have done is run msconfig to disable. Something else is happening here...

Ideas?

Edited by Budapest, 15 April 2010 - 06:23 PM.
Moved from XP ~BP



#2 Ken-in-West-Seattle

Posted 15 April 2010 - 06:02 PM

These rootkits load from the registry as well as startup and sometimes even hijacked files that are the same name as standard windows files or other commercial software.

You should post in the "am I infected" forum and wait for someone to help you.

If you have all important files backed up, I usually just reformat the partition and reload XP. Sometimes severe rootkits cannot be trusted even after cleaning.

The moderator may move this topic to one of the virus cleanup forums.

#3 hourwasted

Posted 15 April 2010 - 07:34 PM

Sorry for incorrect forum location. I am not sure about repartitioning. My install disk and key are long since gone. I hope there are other options out there.

#4 boopme
Global Moderator

Posted 15 April 2010 - 09:28 PM

Hello, did you mean Malwarebytes?

Let's run a Safe Mode scan.

Next, run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Rerun MBAM (Malwarebytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.



Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 hourwasted

Posted 16 April 2010 - 01:31 PM

WHEW! I think I licked it. SUPERAntiSpyware did the trick. MBAM did not do it... The proper tools were needed apparently. It was interesting though that SUPERAntiSpyware removed Malwarebytes software. It also did not like Ad-Aware. So many things were infected. It's a bit early to tell, but so far so good. If anything goes awry in the next few days I'll post back. Many thanks are in order....

UPDATE - Not more than 15 minutes later... the machine started acting up again. It's popping up new browser sessions, and when I input something in the address bar (for example hotmail) it redirects somewhere else. GRRRRRRRRRRRRRRRR.

I am re-running SUPERAntiSpyware and it found something again, already: Trojan.Agent/Gen-Virut. So far. (Running on another machine right now.)

Also, when I tried to run a scan before, the link redirected me to somewhere that did not look quite right. I opted to run the anti-virus without the scan first.

I can try and re-run. Any ideas? I am on XP SP2. Working on trying to download SP3.

Also working on pasting the log files. Busy day today..

Edited by hourwasted, 16 April 2010 - 02:12 PM.


#6 boopme
Global Moderator

Posted 16 April 2010 - 02:51 PM

Hello, whenever I see Virut, I see a reformat, unfortunately.
Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of Virut can even penetrate and infect .exe files within compressed files (.zip, .cab, .rar). The Virux and Win32/Virut.17408 variants are even more complex file infectors which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Virut remains on a computer, the more critical system files will become infected and corrupt, so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus... Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

Virut is commonly spread via a flash drive (USB, pen, thumb, jump) infection using RUNDLL32.EXE and other malicious files. It is often contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog has found MySpace user pages carrying the malicious Virut URL. Either way, you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Since Virut is not effectively disinfectable, your best option is to perform a full reformat, as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
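The HOSTS-file tampering quoted from the Norman assessment above is one symptom a user can check for directly, and it is a common reason a scanner's update or download link "redirects somewhere that did not look quite right". The script below is an added example for this thread, not code from the original post or from any of the vendors quoted in it. It parses a Windows HOSTS file the way the resolver does (first token is the address, remaining tokens are hostnames, `#` starts a comment) and flags any entry that points a security-vendor site at loopback (the request silently fails) or at some other address (the request lands on a host the attacker controls). The vendor watchlist and the sample HOSTS content are constructed for illustration; 192.0.2.10 is from the documentation address range.

```python
"""Flag HOSTS-file entries that sinkhole or redirect security-vendor sites.

Added example for this thread; not code from the original post or from any
vendor quoted in it. The watchlist and the sample file are constructed.
"""
import ipaddress
from typing import List, Tuple

# Constructed watchlist of sites a file infector would want to keep you off.
SECURITY_DOMAINS = (
    "superantispyware.com",
    "malwarebytes.org",
    "bleepingcomputer.com",
    "drweb.com",
    "windowsupdate.com",
)

# Addresses that make a name resolve to "nowhere": the block case.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, address, hostname) for each mapping.

    Comments (#...) are stripped; lines whose first token is not a valid
    IP address are skipped, as the resolver ignores them too.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        for name in names:
            entries.append((lineno, address, name.lower().rstrip(".")))
    return entries


def is_security_site(hostname: str) -> bool:
    """True for a watchlisted domain or any subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacks(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line, hostname, address, verdict) for every suspicious mapping.

    "sinkholed": the site resolves to loopback, so updates and downloads fail.
    "redirected": the site resolves to an arbitrary address, so the browser
    or updater talks to whatever is listening there instead.
    """
    findings = []
    for lineno, address, name in parse_hosts(text):
        if not is_security_site(name):
            continue
        verdict = "sinkholed" if address in SINKHOLES else "redirected"
        findings.append((lineno, name, address, verdict))
    return findings


# Constructed sample: a stock XP HOSTS file with three appended entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1 www.superantispyware.com
127.0.0.1 www.malwarebytes.org
192.0.2.10 www.bleepingcomputer.com   # 192.0.2.0/24 is a documentation range
"""

if __name__ == "__main__":
    # On XP the live file is %SystemRoot%\system32\drivers\etc\hosts.
    for lineno, name, address, verdict in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {address} ({verdict})")
```

On a real machine, read `%SystemRoot%\system32\drivers\etc\hosts` into `find_hijacks`; a stock file should produce no findings, since it maps only `localhost`. Anything listed is worth checking before trusting that a scanner "found nothing", because the scanner may never have reached its update server.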

#7 hourwasted

Posted 16 April 2010 - 03:15 PM

Well... Thanks... I think? Not good news at all. Here are the files.

Is it possible since the restore files appear to have been "fixed" to be able to restore to a time pre-infection??
Do these logs confirm your suspicion??


Begin log, first run
===============================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/16/2010 at 02:07 PM

Application Version : 4.35.1002

Core Rules Database Version : 4814
Trace Rules Database Version: 2626

Scan type : Complete Scan
Total Scan Time : 01:16:04

Memory items scanned : 227
Memory threats detected : 0
Registry items scanned : 4945
Registry threats detected : 17
File items scanned : 20640
File threats detected : 67

Trojan.Agent/Gen-Virut
[Helper] C:\DOCUMENTS AND SETTINGS\xx\APPLICATION DATA\HELPER\BIN\LIVEU.EXE
C:\DOCUMENTS AND SETTINGS\xxxxxxx\APPLICATION DATA\HELPER\BIN\LIVEU.EXE
C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAM.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\mbam.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\mbam.exe#Path
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\MSMSGS.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\MSMSGS.EXE#Path
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\0RJLF37U.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\MALWAREBYTES' ANTI-MALWARE.LNK
C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\YAHOO! MESSENGER.LNK
C:\PROGRAM FILES\DELL PHOTO AIO PRINTER 944\MEMCARD.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL PRINTERS\DELL PHOTO AIO PRINTER 944\ACTIVATE MEMORY CARD MANAGER.LNK
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\DELL PRINTERS\DELL PHOTO AIO PRINTER 944\DEACTIVATE MEMORY CARD MANAGER.LNK
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\MALWAREBYTES' ANTI-MALWARE\MALWAREBYTES' ANTI-MALWARE.LNK
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\WINDOWS MESSENGER.LNK
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\YAHOO! MESSENGER\YAHOO! MESSENGER.LNK
C:\DOCUMENTS AND SETTINGS\xxxxxx\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\YAHOO! MESSENGER.LNK
C:\PROGRAM FILES\ADOBE\PHOTOSHOP ALBUM STARTER EDITION\3.2\APPS\APDPROXY.EXE
C:\PROGRAM FILES\JAVA\JRE1.5.0_17\BIN\JUSCHED.EXE
C:\PROGRAM FILES\KL\MSDTSF.EXE
C:\PROGRAM FILES\MICROSOFT LIFECAM\LIFEEXP.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP513\A0254404.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP513\A0255517.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP513\A0256520.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP514\A0258297.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP516\A0258537.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP516\A0258750.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP517\A0259756.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP519\A0260765.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP519\A0260783.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP519\A0260784.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP524\A0263509.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP524\A0263519.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP524\A0263520.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP525\A0264054.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP525\A0264064.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP525\A0264065.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP525\A0264347.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP526\A0264386.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0265397.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0265754.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0265755.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266037.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266948.LNK
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266949.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266989.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266990.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP529\A0267046.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP529\A0268985.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP529\A0269017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP529\A0270072.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP529\A0271142.EXE
C:\WINDOWS\FONTS\DDQ30.COM

Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-789336058-1202660629-1060284298-1004\SOFTWARE\FunWebProducts
HKU\.DEFAULT\SOFTWARE\MyWebSearch
HKU\S-1-5-18\SOFTWARE\MyWebSearch
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#DeviceDesc

Trojan.Agent/Gen-RogueAV
C:\DOCUMENTS AND SETTINGS\xxxxxxxx\LOCAL SETTINGS\APPLICATION DATA\AVE.EXE

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266966.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266967.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266968.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266969.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266970.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266971.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266972.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266973.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266974.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266975.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266976.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266977.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266978.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP527\A0266979.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP529\A0269004.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP529\A0271143.EXE


END log, first scan
===================================

Second scan a short time later.
================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/16/2010 at 03:25 PM

Application Version : 4.35.1002

Core Rules Database Version : 4815
Trace Rules Database Version: 2627

Scan type : Complete Scan
Total Scan Time : 00:48:05

Memory items scanned : 370
Memory threats detected : 0
Registry items scanned : 4910
Registry threats detected : 0
File items scanned : 20762
File threats detected : 28

Adware.Tracking Cookie
C:\Documents and Settings\xxxxxxxx\Cookies\xxxxxxxx@e-2dj6wjnyeod5ado.stats.esomniture[2].txt
C:\Documents and Settings\xxxxxxxx\Cookies\xxxxxxxxxx@admarketplace[1].txt
C:\Documents and Settings\xxxxxxxx\Cookies\xxxxxxxxxxx@clickthrough.kanoodle[1].txt
C:\Documents and Settings\xxxxxxxxxxx\Cookies\xxxxx@doubleclick[1].txt
C:\Documents and Settings\xxxxxxx\Cookies\xxxxxxxxxx@ad.yieldmanager[2].txt
C:\Documents and Settings\xxxxx\Cookies\xxxxxxx@da-tracking[2].txt
C:\Documents and Settings\xxxxxxxx\Cookies\xxxxxxx@e-2dj6wck4qndjido.stats.esomniture[2].txt
C:\Documents and Settingsxxxxxxxxxxx\Cookies\xxxxxxxx@invitemedia[2].txt
C:\Documents and Settings\xxxxxxxx\Cookies\xxxxx@linksynergy[2].txt
C:\Documents and Settings\xxxxxxxxxxx\Cookies\xxxxxxxx@adecn[1].txt
C:\Documents and Settings\xxxxxxxxxx\Cookies\xxxxxxx@bridge1.admarketplace[1].txt
C:\Documents and Settings\xxxxxxxxxxxx\Cookies\xxxxx@adbrite[1].txt
C:\Documents and Settings\xxxxxx\Cookies\xxxxxxx@ads.undertone[1].txt
C:\Documents and Settings\xxxxxx\Cookies\xxxxxxxx@AdClickTrackerServlet[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@casalemedia[2].txt

Trojan.Agent/Gen-Virut
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP530\A0273156.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP530\A0273157.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP530\A0273158.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP530\A0273159.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP530\A0273161.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP530\A0273163.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP530\A0273170.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP530\A0273171.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP530\A0273172.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP530\A0273173.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP530\A0273174.COM

Edited by hourwasted, 16 April 2010 - 03:18 PM.
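The two logs above are dominated by restore-point copies under System Volume Information, which is what makes them hard to read at a glance. The lines that matter for the running system are the handful outside that directory (LIVEU.EXE, MBAM.EXE, MSMSGS.EXE, AVE.EXE) and the App Paths keys for mbam.exe and MSMSGS.EXE, which point at those infected binaries. The script below is an added example for this thread, not code from the original post or SUPERAntiSpyware's own tooling. It parses the plain-text log layout shown above (a header block, then one detection name per group followed by the paths and registry keys found under it) and sorts each finding into live file, restore-point copy or registry entry, so the live infections stand out. The embedded sample log is a constructed excerpt in that same format.

```python
"""Triage a SUPERAntiSpyware plain-text scan log.

Added example for this thread; not the forum's or SUPERAntiSpyware's own
code. Only the layout visible in the posted logs is assumed: a header block,
then one detection name per group followed by the paths and registry keys
it was found in. The embedded sample log is a constructed excerpt.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# A finding line: optional "[tag] " prefix, then a drive path or a registry key.
ITEM_RE = re.compile(
    r"^(?:\[(?P<tag>[^\]]*)\]\s+)?"
    r"(?P<item>(?:[A-Za-z]:\\|HK(?:LM|CU|U|CR|CC)\\).*)$"
)
RESTORE_MARKER = "\\SYSTEM VOLUME INFORMATION\\_RESTORE"


def parse_scan_log(text: str) -> Dict[str, List[str]]:
    """Map each detection name to the items listed under it."""
    findings: Dict[str, List[str]] = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ITEM_RE.match(line)
        if m:
            if current is not None:
                findings[current].append(m.group("item"))
        else:
            # Any other non-empty line is a candidate detection name; header
            # lines are simply overwritten before an item ever follows them.
            current = line
    return dict(findings)


def classify(item: str) -> str:
    """Where does this finding live?

    restore-point       copy inside System Volume Information: inert unless an
                        old restore point is used, which is why the thread
                        purges them with Disk Cleanup
    registry-app-paths  an App Paths key, which decides which binary launches
                        when a program name such as mbam.exe is invoked
    registry            any other key
    live-file           a file on the running system
    """
    upper = item.upper()
    if upper.startswith("HK"):
        return "registry-app-paths" if "\\APP PATHS\\" in upper else "registry"
    if RESTORE_MARKER in upper:
        return "restore-point"
    return "live-file"


def triage(text: str) -> Dict[str, Counter]:
    """Per detection name, count findings by location class."""
    return {name: Counter(classify(i) for i in items)
            for name, items in parse_scan_log(text).items()}


def live_infected_files(text: str, family: str) -> List[str]:
    """Files on the running system whose detection name contains `family`."""
    return [item
            for name, items in parse_scan_log(text).items()
            if family.lower() in name.lower()
            for item in items
            if classify(item) == "live-file"]


# Constructed excerpt in the layout of the logs posted in this thread.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/16/2010 at 02:07 PM

Application Version : 4.35.1002

Scan type : Complete Scan

Registry threats detected : 2
File threats detected : 5

Trojan.Agent/Gen-Virut
[Helper] C:\DOCUMENTS AND SETTINGS\user\APPLICATION DATA\HELPER\BIN\LIVEU.EXE
C:\PROGRAM FILES\MALWAREBYTES' ANTI-MALWARE\MBAM.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\mbam.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\mbam.exe#Path
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP513\A0254404.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{CBADDB63-B6F2-418F-A8F4-94906A8A84C0}\RP513\A0255517.EXE

Trojan.Agent/Gen-RogueAV
C:\DOCUMENTS AND SETTINGS\user\LOCAL SETTINGS\APPLICATION DATA\AVE.EXE
"""

if __name__ == "__main__":
    for name, counts in triage(SAMPLE_LOG).items():
        print(name, dict(counts))
    print("live Virut files:", live_infected_files(SAMPLE_LOG, "Virut"))
```

Run it over a full log saved from Preferences > Statistics/Logs and the live-file count for the file-infector family is the number that answers "is it still on the running system"; the restore-point count is what the Disk Cleanup step in the next post removes. An App Paths entry for a scanner's own executable means the scanner binary itself was a target, which is consistent with Malwarebytes being removed rather than the other way around.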


#8 boopme
Global Moderator

Posted 16 April 2010 - 03:23 PM

It's there. What we can do is run another scan; it's long. First we will dump those files so they don't show again.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.


Now the long scan...Drweb-cureit

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (e.g. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders.)
  • If prompted to download the Full version Free Trial, ignore it and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured.)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click File and choose Save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web CureIt when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


#9 hourwasted

Posted 21 April 2010 - 09:57 AM

I followed the instructions and ran Dr.Web CureIt. It did not find anything wrong on my machine. I then ran SUPERAntiSpyware again and it found nothing. I rebooted in normal mode and the virus instantly came back. Ran both again, not at the same time; they found nothing. This is a really bad virus. I will try and get a log, but it might not be possible for some time yet. I'm also not sure the log will tell anything useful. What to do... I think Windows 7, here I come.

#10 boopme
Global Moderator

Posted 21 April 2010 - 12:25 PM

Ok, it appears we have something protected.
We need a deeper look. Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#11 hourwasted

Posted 03 May 2010 - 08:20 AM

I was finally able to run the needed exe's and posted the logs. The process for gathering everything went smoothly. Thanks for the hand so far.

#12 Orange Blossom
Moderator

Posted 03 May 2010 - 03:19 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/314380/infected-with-avave-and-virut-along-with-others/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.
