Infected with AV Security Virus attack


  • This topic is locked
25 replies to this topic

#1 vpoison

vpoison

  • Members
  • 14 posts

Posted 11 October 2010 - 01:36 AM

Hello,
A while back I was infected with AV Security Virus and since then have been getting annoying popups. I already have Norton Antivirus and Malware bytes installed and ran it a few times, but the infection does not seem to go away. I wrote on one of the posts and requested help and was asked to start at step 6 of "Preparation guide for Use Before Using Malware Removal Tools and Requesting help". I could not get the DDS.scr to open; when I click on it, it opens in notepad and it gives this error message "This Program cannot be run on DOS mode" and other characters. I proceeded to the next step and ran a GMER scan, for which the results are attached in the attachments. Please help, I would like to get rid of this virus and get my computer running as soon as possible.

Many Thanks,
VK

Attached Files

  • Attached File  ark.txt   9.95KB   2 downloads



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,066 posts
  • Gender:Female
  • Location:Romania

Posted 17 October 2010 - 07:33 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 vpoison

vpoison
  • Topic Starter

  • Members
  • 14 posts

Posted 18 October 2010 - 09:04 PM

Hello,

Thank you for your help. A while back I was infected with AV security virus attack. After running Malware Bytes, it seemed like the whole malware was removed, but I get pop ups after I open Internet Explorer, the computer runs really slow, and also the windows taskbar at the bottom wants to automatically go back to the previous version. Internet Explorer wants to go back a version; even though IE8 is installed, some websites refuse to recognize it. As requested I have attached OTL.txt, Extras.txt and RKU.txt. Please advise if I need to do something else. Many thanks for your help, I hope I can get rid of this problem as soon as possible.

Regards,
VK

Attached Files



#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,066 posts
  • Gender:Female
  • Location:Romania

Posted 19 October 2010 - 02:03 AM

Hi, unfortunately you have a nasty rootkit on your computer.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


COMBOFIX
---------------
Please download ComboFix from one of these locations: Bleepingcomputer, ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[screenshot not preserved]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot not preserved]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise




#5 vpoison

vpoison
  • Topic Starter

  • Members
  • 14 posts

Posted 19 October 2010 - 09:08 PM

Hi! Thank you for your response. After I posted the logs yesterday I started having registry errors. The message I get when I try to load my computer is
"STOP: C0000218 (Registry file failure)
The registry can not load the hive (file): \Systemroot\System32\Config\Software
or its log or alternate.
It is corrupt, absent or not writable."

At this point, the computer works in safe mode only and system restore is not responding. Any ideas? Please help.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,066 posts
  • Gender:Female
  • Location:Romania

Posted 20 October 2010 - 03:41 AM

Sounds like there might be a harddisk problem involved as well. Please click Start > Run, type chkdsk /r and press enter. Type Y to schedule the scan for next reboot.

Restart your computer and let the disk check run unhindered. Note - this may take some time.

When done, let me know if you still get that error. If not, run combofix as instructed.

regards, Elise




#7 vpoison

vpoison
  • Topic Starter

  • Members
  • 14 posts

Posted 21 October 2010 - 11:24 AM

Hi Elise,

I ran the chkdsk scan and the volume came clean, but the computer would not boot beyond the login screen; it just gets stuck after I put in my credentials. I ran the chkdsk a couple of times, but eventually after forcing a restart I got the same error. I was going to try this tomorrow: http://support.microsoft.com/kb/307545 . What do you think?

Thanks,
VK

#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,066 posts
  • Gender:Female
  • Location:Romania

Posted 21 October 2010 - 01:46 PM

Please tap F8 on startup and try to boot the Last Known Good Configuration. Let me know if you can boot that way.

If not, try safe mode and let me know if that was successful.

regards, Elise




#9 vpoison

vpoison
  • Topic Starter

  • Members
  • 14 posts

Posted 21 October 2010 - 08:49 PM

Tried to start the computer through Last Known Good Configuration; I get the same error. I restarted in Safe Mode and it works, however system restore through safe mode also does not work. Safe mode is the only mode the computer works in, but I can hardly do anything in that mode. Should I try the steps listed on the Microsoft website? I pasted the link in the previous post.

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,066 posts
  • Gender:Female
  • Location:Romania

Posted 22 October 2010 - 11:05 AM

Hi, please run Combofix from safe mode as instructed.

regards, Elise




#11 vpoison

vpoison
  • Topic Starter

  • Members
  • 14 posts

Posted 23 October 2010 - 12:58 PM

Hello Elise,

I ran the combofix in safe mode as instructed and attached the log. I had to run it three times because the first two times it got stuck at deleting files stage for a long time.

The computer was infected back in August, since then computer was in quarantine and I haven't used it for accessing personal information.

However, I still get the same registry error. Now it also says
"Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance"

I tried system restore all the way back to August and it still does not work.
Any suggestions?

Thanks a lot for your help.
VK.

Attached Files



#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,066 posts
  • Gender:Female
  • Location:Romania

Posted 23 October 2010 - 02:27 PM

Did you try system restore to a closer date?

Can you also post me c:\qoobox\combofix2.txt if it exists?

regards, Elise




#13 vpoison

vpoison
  • Topic Starter

  • Members
  • 14 posts

Posted 24 October 2010 - 12:18 AM

Hi Elise,

I tried system restore with the most recent available date and also all the dates that are available; I get the same error.

There is C:\Qoobox folder and there are two folders and three files in it. The folders are BackEnv and Quarantine. I have attached the combofix-quarantined-files.txt to this message. The other two files are Add-Remove Programs.txt and Snapshot@2010-10-23_06.21.04.DAT.

Also, while I was running the combofix the first time, it gave me a message that the rootkit is bad and the program was going to try other resources, and asked me to note down the path to a driver named "i2omp.sys".

What should I do next?
Thanks,
VK

Attached Files



#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,066 posts
  • Gender:Female
  • Location:Romania

Posted 24 October 2010 - 04:03 AM

Thank you, that is helpful information. To be sure, let's run the following:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise



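The driver ComboFix flagged in post #13 and the TDSSKiller run above both come down to one question: has a kernel driver on disk been tampered with? As an added example that is not part of this thread or of any tool named in it, the PowerShell below verifies the Authenticode signature of the named driver and then lists every driver under System32\drivers whose signature does not verify. The driver directory path is assumed; the file name i2omp.sys is the one quoted in post #13.

```powershell
# Added example, not from the thread or from ComboFix/TDSSKiller.
# A signed driver that a rootkit has patched in place fails verification
# with HashMismatch; a file the rootkit dropped is usually NotSigned.
param(
    [string]$Suspect = 'i2omp.sys'   # driver name quoted in the thread
)

# Assumed location of kernel drivers on this system.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Get-DriverSignatureReport {
    param([string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Name      = $item.Name
        Status    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SizeBytes = $item.Length
        Modified  = $item.LastWriteTimeUtc
    }
}

# 1. The single driver ComboFix pointed at.
$suspectPath = Join-Path $driverDir $Suspect
if (Test-Path -LiteralPath $suspectPath) {
    Get-DriverSignatureReport -Path $suspectPath | Format-List
} else {
    Write-Output "$Suspect is not present in $driverDir"
}

# 2. Every driver in the directory whose signature does not verify.
Get-ChildItem -LiteralPath $driverDir -Filter '*.sys' |
    ForEach-Object { Get-DriverSignatureReport -Path $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

Many in-box Windows drivers are catalog-signed rather than embedded-signed, so NotSigned on its own is not proof of tampering; and a rootkit that filters disk reads can hand this check the original bytes, so a Valid result from the live system is weaker evidence than the same check run from clean boot media.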

#15 vpoison

vpoison
  • Topic Starter

  • Members
  • 14 posts

Posted 24 October 2010 - 10:57 AM

No infections found.

How can I fix the registry error?

Thanks again.
VK

Attached Files
