
Particularly Nasty Virus


7 replies to this topic

#1 Imaybesteve

Imaybesteve

  • Members
  • 6 posts

Posted 22 August 2010 - 12:12 PM

Greeting guys, I wish my first post could be under different circumstances, but such is life.


I got stuck doing Tech Support for a friend's computer, and she has this thing buggered up something terrible. I've been working at this for a day or so now, and nothing is working.

Symptoms:

The running of nearly any program results in a popup notice stating that the item is infected and presents a "Yes or No" option to fix it. "Yes" brings up a webpage for a bogus AV program. "No" ends the program.

System Restore is hidden from User Access, and gpedit.msc seems to be affected too (cannot be found by the computer in search or run commands).

All network connections are limited to the scam AV site. Trying to access any page brings up a similar page to the one that appears when trying to run most programs.

Steps Taken:

Due to the virus preventing internet access and any function that doesn't directly lead to the downloading of its program, I have been booting into Safemode and using a 1Gig Jumpdrive I have lying around to transfer AV programs that I install to it and then copy them onto her system (these are all updated before the transfer). So far I have tried: Spybot S&D, Super AntiSpyware, Hijackthis, and Malware Bytes.

Spybot S&D: Revealed a number of issues when run in safemode, "deleted" them and then ran a 4 hour or so boot scan. No changes.

MalwareBytes: Won't run. I get the "Run-time error "0" popup every time.

HijackThis: I have the logs from the scan. I have removed a few of the items under the guidance of one of the IT professionals in my Clan. Seems to have helped somewhat, but the problem remains.

Super Antispyware: Scans reveal problems in excess of 300. After 4 scan and reboot to safemode cycles, no problems are found. Problems persist.

Also, after doing some looking around we also found that the computer's internet settings were running a proxy. The settings have been reverted to default, but I have not had any more success than before.


Any help would be greatly appreciated. I would like to avoid nuking this thing from orbit if at all possible.


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 August 2010 - 03:26 PM

Please copy and paste the following text in the Code box exactly as written into notepad (not wordpad or any other text editor):

regsvr32 "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll"
regsvr32 "C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll"
regsvr32 "C:\Program Files\Malwarebytes' Anti-Malware\vbalsgrid6.ocx"

  • Once you've done that click on File and select Save As...
  • In the Save dialogue box click on the drop down menu next to Save as type and select All Files
  • Name the file MBAM Fix.bat (the .bat extension is very important)
  • Save the file to your desktop and double click it to run it on XP. For Vista please right click on it and choose Run As Admin
  • Click OK to each of the 3 dialog boxes that should show a success message for each file registered
  • If you get an error that REGSVR32 "is not recognized as an internal or external command, operable program or batch file", then ensure that the file REGSVR32.EXE exists in the %WINDIR%\SYSTEM32 folder. If it's not found there you can copy it from another Computer running the same operating system and service pack level.
If that doesn't fix it then please download and install the Microsoft Visual Basic Common Controls from HERE to see if it helps.
{Credit Tigger93 @MBAM}
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Imaybesteve

Imaybesteve
  • Topic Starter

  • Members
  • 6 posts

Posted 22 August 2010 - 05:31 PM

Save the file to your desktop and double click it to run it on XP. For Vista please right click on it and choose Run As Admin



Sorry, I forgot to mention that the OS is Windows 7 (64). Will this still run without issue? Also, will running that in Safe mode be an issue? (Noob questions I know, but better sure than formatted.)



EDIT: Upon running the fix, I got the error "The module "C:\Program Files' Anti-Malware\mbamext.dll" failed to load."


Now, the MB files are kept on the desktop as opposed to the C:\ path. (Just dragged and dropped from my Jumpdrive) Would you like me to shift them over to the C:\ drive?

Edited by Imaybesteve, 22 August 2010 - 06:02 PM.


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 August 2010 - 06:15 PM

Was there by any chance a choice with that, in which you could select ignore?


OR
1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.


OR
Reboot into Safe Mode with Networking


>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run Superantispyware (SAS):

#5 Imaybesteve

Imaybesteve
  • Topic Starter

  • Members
  • 6 posts

Posted 22 August 2010 - 06:28 PM

Was there by any chance a choice with that, in which you could select ignore?

-Snip-

or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

Next run Superantispyware (SAS):


I shifted the folder into the program files and the fix performed as expected. Now when mbam.exe is run, a new error appears: "Blah blah error has occurred blah blah report to support team."

MBAM_ERROR_MISSING_FILE (2, 0, mbamswissarmy.sys)

The system cannot find the file specified.





And to be perfectly clear, I can not access the internet or download anything on the infected computer. I am going to reboot into Safe with network connections to see if the proxy change I made earlier will let me access the net.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 August 2010 - 06:39 PM

Try this--open control, internet options, connections tab, lan settings, uncheck the box next to "use proxy...."
OR
Go to Start ... Run and type in cmd
A DOS window will appear.
Type in the dos window: netsh winsock reset
Click on the enter key.

Reboot your system to complete the process.


Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.
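The proxy the OP found in the computer's Internet settings, and the "uncheck the box next to use proxy" step above, both act on the per-user WinINET values under the Internet Settings registry key. The following PowerShell is an added example (not from the thread or from any of the tools named in it) that reads those values, reports whether a manual proxy or an auto-config (PAC) URL is in force, and offers a function that clears them the same way the LAN settings dialog does; the registry path and value names are the standard WinINET ones.

```powershell
# Added example: inspect and reset the current user's WinINET proxy settings.
# This is the data behind Internet Options > Connections > LAN settings.
$regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxyState {
    # Read the raw values; a missing value simply comes back as $null.
    $s = Get-ItemProperty -Path $regPath -ErrorAction Stop
    [pscustomobject]@{
        ProxyEnabled  = ($s.ProxyEnable -eq 1)   # DWORD 1 = "Use a proxy server" checked
        ProxyServer   = $s.ProxyServer           # e.g. host:port or per-protocol list
        AutoConfigUrl = $s.AutoConfigURL         # PAC script URL, if "Use automatic configuration script" is checked
        Override      = $s.ProxyOverride         # bypass list
    }
}

function Show-WinInetProxyState {
    $state = Get-WinInetProxyState
    if ($state.ProxyEnabled -and $state.ProxyServer) {
        Write-Warning "Manual proxy is enabled: $($state.ProxyServer)"
        # A loopback proxy means some process on this machine is sitting between
        # the browser and the network; on a box with the symptoms in this thread
        # that is worth investigating before anything else.
        if ($state.ProxyServer -match '127\.0\.0\.1|localhost') {
            Write-Warning 'Proxy points at the local machine (loopback).'
        }
    } else {
        Write-Output 'No manual proxy is configured.'
    }
    if ($state.AutoConfigUrl) {
        Write-Warning "Auto-config (PAC) URL is set: $($state.AutoConfigUrl)"
    }
    $state
}

function Reset-WinInetProxy {
    # Equivalent to unchecking both proxy boxes in LAN settings for this user.
    Set-ItemProperty    -Path $regPath -Name ProxyEnable   -Value 0 -Type DWord
    Remove-ItemProperty -Path $regPath -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $regPath -Name AutoConfigURL -ErrorAction SilentlyContinue
    Show-WinInetProxyState
}

# Report only; call Reset-WinInetProxy explicitly if the settings are not yours.
Show-WinInetProxyState
```

Run it from the affected user's account, since the key is under HKCU; a setting that reappears after a reset is a sign that whatever wrote it is still running.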

#7 Imaybesteve

Imaybesteve
  • Topic Starter

  • Members
  • 6 posts

Posted 23 August 2010 - 01:30 AM

Thanks for all the help Boop, but she up and took it to a friend that works in the University's IT department. From what I hear, he was having just as hard a time as I was. She and I are going to have a very long talk tomorrow about her browsing habits and safety measures.


Thanks again.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,199 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 August 2010 - 10:01 AM

Ok, thanks for letting me know. This looks like it could be a tough one. If you see anything in a scan that says Virut, please reformat the PC.
