
removed malware but still having some issues


8 replies to this topic

#1 ninjah

Posted 13 May 2010 - 09:58 PM

I was recently infected with some malware which included a rogue anti-spyware software called "Anti-spyware soft".
Though my issues weren't quite as straightforward as other people's (from what I've read in other forums).
Using some of the information on this site (http://deletemalware.blogspot.com/2010/01/how-to-remove-antivirus-soft-fake.html) I was able to remove the malware or at least solve a lot of the issues caused by the malware.

Unlike other people infected with this rogue software I was unable to boot into safe mode; every time I tried my computer would reboot.

Here are some of the things I did to remove the malware:
1. First tried to stop the software from booting in msconfig after rebooting so it wouldn't load up, but this didn't quite work out (after having tried to boot into safe mode).
2. Ran a scan, also found the site mentioned above.
3. Used a Ubuntu LIVE CD and removed enough of the malware to be able to stop the software from running when I booted up my PC.
4. Followed the "Alternative Antivirus Soft removal instructions using HijackThis (in Normal mode):"

The guide is as follows:

"1. Download iexplore.exe (NOTE: iexplore.exe file is renamed HijackThis tool from TrendMicro).
Launch the iexplore.exe and click "Do a system scan only" button.
If you can't open iexplore.exe file then download explorer.scr and run it.

2. Search for similar entries in the scan results:
O4 HKLM\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 HKCU\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 HKCU\..\Run: [wdpayrmq] C:\Users\Owner\AppData\Local\rtpoma\rewqsftav.exe
O4 HKCU\..\Run: [kgtrlpor] C:\Users\Owner\AppData\Local\mfkrtl\oprgsftav.exe
R1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555 <----- The only similar entry I was able to find


Select all similar entries and click once on the "Fix checked" button. Close HijackThis tool.

3. Download SUPERAntispyware, MalwareBytes Anti-malware or Spybot - Search & Destroy and run a full system scan. NOTE: before saving the selected program onto your computer, please rename the installer to winlogon.exe or iexplore.exe. Launch the program and follow the prompts. Don't forget to update the installed program before scanning."

But despite constantly deleting them, 2 trojan downloaders kept appearing:
C:\System Volume Information\Whisler\svchost.exe , Trojan horse Downloader. Generic9.BUIV
C:\System Volume Information\Whisler\smss.exe , Trojan horse Downloader. Generic9.BUGQ

So in reaction to that I deleted them and then installed "WinPatrol [Free Edition]"

and it seems to have worked, but I still have these remaining issues:

1. Google Chrome has stopped working. I can open it but it just sits there saying "loading" without timing out.
2. Every time I turn on my PC, before booting I get a message telling me my CPU fan is failing, which it is not.
3. Once in a while I will get "Browser hijacked".
4. Still cannot boot in safe mode.

Am I still infected? If so, how do I get uninfected? If not, how do I solve the remaining issues?
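As an added example (not code from the thread, from HijackThis or from the quoted guide), here is a small Python triage helper that applies the two indicators the guide tells the reader to look for to HijackThis-style log lines: Run entries launching an executable from a randomly named folder under the per-user local app-data directory, and an Internet Explorer ProxyServer value pointing at 127.0.0.1. The O4 and R1 lines quoted in the post are used as input alongside two constructed benign lines; the randomness heuristic and all function names are my own assumptions.

```python
import re

# Added triage helper (not HijackThis or BleepingComputer code). Flags the two
# patterns the quoted guide describes: O4 Run entries launching an .exe from a
# randomly named folder under the per-user local app-data directory, and an
# R1 ProxyServer value pointing Internet Explorer at 127.0.0.1.
O4_RE = re.compile(r'^O4\s*-?\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[([^\]]*)\]\s*(.+?)\s*$')
R1_RE = re.compile(r'^R1\s*-?\s*(HKLM|HKCU)\\.+?ProxyServer\s*=\s*(\S+)')
APPDATA_RE = re.compile(
    r'\\(?:Local Settings\\Application Data|AppData\\Local)\\([^\\]+)\\[^\\]+\.exe$',
    re.IGNORECASE)

def looks_random(name: str) -> bool:
    """Crude heuristic (assumption): 5-12 lowercase letters with under 40% vowels."""
    if not re.fullmatch(r'[a-z]{5,12}', name):
        return False
    return sum(c in 'aeiou' for c in name) / len(name) < 0.4

def triage_line(line: str):
    """Return (reason, line) for a suspicious entry, None for anything else."""
    m = O4_RE.match(line)
    if m:
        value_name, target = m.group(2), m.group(3)
        folder = APPDATA_RE.search(target)
        if folder and (looks_random(value_name) or looks_random(folder.group(1))):
            return ('Run key launches exe from random per-user app-data folder', line)
        return None
    m = R1_RE.match(line)
    # A 127.0.0.1 proxy routes every browser request through a local process.
    if m and re.search(r'(?:^|=)127\.0\.0\.1:\d+', m.group(2)):
        return ('IE proxy redirected to localhost', line)
    return None

def triage(lines):
    """Run triage_line over a log and return only the hits."""
    return [hit for hit in map(triage_line, lines) if hit]

# Input: the O4/R1 entries quoted in the post plus two constructed benign lines.
SAMPLE_LOG = r"""
O4 HKLM\..\Run: [mxdeorsw] C:\Documents and Settings\User\Local Settings\Application Data\rmqwne\lkwcsysguard.exe
O4 HKCU\..\Run: [wdpayrmq] C:\Users\Owner\AppData\Local\rtpoma\rewqsftav.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
R1 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.corp.example:8080
""".strip().splitlines()

if __name__ == '__main__':
    for reason, line in triage(SAMPLE_LOG):
        print(f'{reason}: {line}')
```

The heuristic is deliberately narrow: it reports the two rogue Run entries and the localhost proxy, and leaves the signed vendor launcher and the corporate proxy alone.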


#2 Budapest (Moderator)

Posted 18 May 2010 - 05:41 PM

Please run a Malwarebytes scan and post the log.

#3 ninjah (Topic Starter)

Posted 19 May 2010 - 03:59 PM

Thanks for the Reply! ^___^

Here is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4089

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

19/05/2010 12:33:18 PM
mbam-log-2010-05-19 (12-33-18).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 217547
Time elapsed: 1 hour(s), 33 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 Budapest (Moderator)

Posted 19 May 2010 - 04:31 PM

Now run a scan with SAS in Safe Mode and post that log.

#5 ninjah (Topic Starter)

Posted 19 May 2010 - 09:13 PM

I can't boot into safe mode :S

Every time I try my computer reboots......

Also, what's SAS?

#6 boopme (Global Moderator)

Posted 19 May 2010 - 09:29 PM

Hello. SAS = SUPERAntiSpyware.

SUPERAntiSpyware has a built-in "Repairs" feature to fix policy restrictions and certain Windows settings which are sometimes targeted by malware infection.

Please download SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • Click the Repairs tab.
  • Click on (highlight) "Repair broken SafeBoot key" and then click the Repair button.
  • You may be asked to reboot your computer for the changes to take effect.

Now scan with SAS.
If not open, double-click the desktop icon.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

#7 ninjah (Topic Starter)

Posted 19 May 2010 - 10:14 PM

Despite following your instructions safe mode will still not boot... But when I rebooted normally "Hitman Pro 3.5.5" popped up saying this:

Posted Image

As I said in my first post, I have removed both of these files before....

Really not sure what to do here....

Edited by ninjah, 19 May 2010 - 10:25 PM.


#8 ninjah (Topic Starter)

Posted 19 May 2010 - 10:19 PM

Also, Microsoft Security Essentials just picked all these up D:!

Posted Image

#9 Budapest (Moderator)

Posted 19 May 2010 - 10:41 PM

Have you tried cleaning out your system restore?

Go Start > Programs > Accessories > System Tools and click System Restore. Choose the radio button marked Create a Restore Point on the first screen then click Next. Give the Restore Point a name and then click Create. Then use Disk Cleanup to remove all but the most recently created Restore Point. Go Start > Run and type: "Cleanmgr" (without the quotes). Click Ok > More Options tab > Clean Up in the System Restore section to remove all previous restore points except the newly created one.

Edited by Budapest, 19 May 2010 - 11:10 PM.
