
Killing a virus, is it truly gone ?


This topic is locked
27 replies to this topic

#1 Dragongirl (Members, 191 posts, Harbin, China)

Posted 18 April 2011 - 07:43 PM

OK so, I got infected six times within a week, all seemingly from the exact same place or 'antivirus' maker. First thing it did was kill my internet window. Thankfully it did NOT kill Microsoft Security Essentials. I immediately ran MSE, it found three problems, and removed them all; however, when it was done I ran rkill.scr to kill the unwanted processes further so I could then run MBAM.

Now, with MBAM running at this moment, I am unable to do any windows updates, Automatic Updates will not turn on, at all. So I wonder, even when killing the virus with MSE and MBAM, is it totally gone ? I use Win XP Professional x64 on my laptop and I really like it. And I am thinking about updating to Windows 7 on our desktop, which uses XP Home x32. But I want to be absolutely sure that the virus is gone from my machine (the laptop) before doing anything more.

For my antivirus software and firewall I use the onboard Windows firewall, Microsoft Security Essentials antivirus, and MBAM. I used to use avast but was recommended to remove it after four BSODs occurred on my laptop over the course of three days. I used Spybot on an older machine, and have been thinking of getting it again.

How can I be sure the virus is gone ?

EDIT: After running MBAM and removing five newly found items, Windows update still will not work or show any new updates, nor will Automatic Updates turn on.

Mod EDIT: Adding this ... I just found this from your other post, if we need the info.
I will delete the other.

I got several viruses on my laptop, one of them the new spyware threat "XP Total Security 2011" that started spamming nonsense. The sad thing, and bad thing, is that when running rkill, several processes start, with three totally random letters .exe; when it's done running, it says it found nothing, logfile can't be read, or something similar. I use the rkill.scr so the virus thinks it's a screensaver; it ends it, but when I try to run something else to kill the virus in full, even in safe mode, it just pops back up.

Edited by boopme, 18 April 2011 - 10:11 PM.

The kitten that used to be linked to here in this signature now has her forever home!! Thank you for taking the time to read this signature!

 

"This is the coolest place I've ever been, and I've only been alive for three days!" ~ Figment



#2 boopme (Global Moderator, 72,898 posts, NJ USA)

Posted 18 April 2011 - 08:28 PM

Hello,please post that last MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Let's run these next.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



Let's run an online scan.
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


SpyBot is not an AV. Try Avira Antivir Free.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Dragongirl (Topic Starter)

Posted 18 April 2011 - 08:33 PM

MBAM log as requested....

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6316

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

18-Apr-11 21:04:11
mbam-log-2011-04-18 (21-04-11).txt

Scan type: Full scan (C:\|)
Objects scanned: 231561
Time elapsed: 1 hour(s), 10 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Value customer\Local Settings\Application Data\uqq.exe" -a "C:\Program Files\Intern") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\value customer\local settings\Temp\0.6805767907027993.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

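The log above is short but each "Registry Data Items Infected" line says something specific: the three Security Center values were set to 1, which silences the warnings that the antivirus, firewall and updates are off, and the StartMenuInternet command was pointed at uqq.exe under Local Settings\Application Data, so launching "Internet" from the Start menu ran the malware with the real browser as its argument. The following Python is an added example (not from the thread, from Malwarebytes or from boopme) that parses the findings sections of this log, reproduced inline as constructed sample input, and turns each line into the plain-language indicator a responder wants. The classification rules and wording are assumptions made for the example, not MBAM output.

```python
import re
from typing import Dict, List

# Constructed sample: the findings sections of the MBAM log posted above.
MBAM_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Value customer\Local Settings\Application Data\uqq.exe" -a "C:\Program Files\Intern") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\value customer\local settings\Temp\0.6805767907027993.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
# item, then "(Detection.Name) -> rest"; the item itself may contain "(default)"
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[A-Za-z][\w.]*)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")
QUOTED_EXE_RE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)


def parse_mbam_log(text: str) -> List[Dict[str, str]]:
    """One record per finding line, tagged with the section it came from."""
    findings: List[Dict[str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        m = FINDING_RE.match(line)
        if not line or line.startswith("(No malicious") or not m:
            continue
        rec = {"section": section, "item": m.group("item"), "detection": m.group("detection"),
               "bad": "", "good": "", "action": m.group("rest")}
        bg = BAD_GOOD_RE.match(m.group("rest"))
        if bg:  # registry data items carry the bad/good value pair
            rec.update(bad=bg.group("bad"), good=bg.group("good"), action=bg.group("action"))
        findings.append(rec)
    return findings


def triage(findings: List[Dict[str, str]]) -> List[str]:
    """Explain what each finding did to the machine (rules are this example's assumptions)."""
    notes: List[str] = []
    for f in findings:
        item_l = f["item"].lower()
        if f["detection"] == "PUM.Disabled.SecurityCenter" and item_l.endswith("disablenotify") and f["bad"] == "1":
            what = f["item"].rsplit("\\", 1)[-1].replace("DisableNotify", "")
            notes.append(f"Security Center '{what}' warnings were silenced (value set to 1), "
                         "so the user would not be told the AV/firewall/updates were off")
        elif "startmenuinternet" in item_l and "\\shell\\open\\command" in item_l:
            exe = QUOTED_EXE_RE.search(f["bad"])
            path = exe.group(1) if exe else f["bad"]
            if "\\program files\\" not in path.lower():  # launcher replaced by a file outside Program Files
                notes.append(f"browser launcher hijacked: Start Menu 'Internet' ran {path} instead of {f['good']}")
        elif f["section"] == "Files Infected" and "\\temp\\" in item_l:
            notes.append(f"dropper staged in a temp directory: {f['item']} ({f['detection']})")
    return notes


if __name__ == "__main__":
    for note in triage(parse_mbam_log(MBAM_LOG)):
        print("-", note)
```

A detection log records what a scanner found and reverted; it says nothing about what it did not look for, which is why the next reply asks for a rootkit scanner and a second-opinion online scan rather than treating "Quarantined and deleted successfully" as the end of the story.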


#4 boopme

Posted 18 April 2011 - 08:56 PM

Thanks, we definitely will need the rest as you have a variant of a Hupigon infection. This is a backdoor that will steal personal info. We will need to change all passwords. Do you do banking on here?

#5 Dragongirl (Topic Starter)

Posted 18 April 2011 - 09:08 PM

A what infection?? Using desktop right now, avast is at full strength; sad news being the laptop had it too. TDSS killer found nothing at all. The lappy is currently running the eset scanner now.

And no, no banking, mostly writing, and some gaming (warhammer, rollercoaster tycoon), but no banking.

If its a backdoor, how do I seal it shut without paying a dime ?



#6 boopme

Posted 18 April 2011 - 09:16 PM

Hupigon

We are working on it. Finish post 2.

#7 Dragongirl (Topic Starter)

Posted 18 April 2011 - 09:25 PM

We will need to change all passwords.

Let me get this right: by all passwords you mean all passwords I've used to log into places {e.g. gateworld forums, warhammer forums, etc.}? I've changed my email password a dozen times over the last year. Have me slightly confused over that little piece of info of what to change. But I can understand the need to do such a thing.

Also, I can see we are starting to seal the back door, is that why you're wearing that Home Depot apron and carrying that caulk gun ?? ;) Currently still scanning with the ESET scanner, so far at 54%.

I do not know why I did not come to here when it first started happening though. And furthermore I don't know what website the virus entered my machine from either. I was browsing deviant art, one of my roleplaying sites, and also gateworld news pages, and was also on google in the middle of typing a search term when everything just went, blip, off my screen. So confusing.



#8 boopme

Posted 18 April 2011 - 09:45 PM

The purpose of these cretins is ID theft. They build a database and compile info. I do not know what they can get off you from those sites as I am not a gamer. I can only say they are looking. If it were me I would change all my passwords, even my BC password.

Its hard to say where but I do know that game sites,especially the online type are favorite haunts for these scriptwriters.

I am getting the heavy sealants now so we can lock you down :)

I see we are on opposite sides of the world, so if I'm gone, don't fret, I'll look back.

#9 Dragongirl (Topic Starter)

Posted 18 April 2011 - 09:46 PM

Unfortunately, the ESET scan found zero problems, and updates will not work either for MSE or automatic updates >.<

EDIT: I'm running MBAM again, sometimes it finds things upon restarts

EDIT 2: MSE reports "CONNECTION FAILED" when updates are attempted, and Automatic Updates will not set to on, period.

Edited by Dragongirl, 18 April 2011 - 10:05 PM.



#10 boopme

Posted 18 April 2011 - 10:15 PM

It's possible the firewall is blocking it
http://windows.microsoft.com/en-us/windows7/Allow-a-program-to-communicate-through-Windows-Firewall

For the connection try these...

Please click Start > Run, type inetcpl.cpl in the runbox and press enter.

Click the Connections tab and click the LAN settings option.

Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.

Now check if the internet is working again.


OR
Go to Start ... Run and type in cmd
A DOS window will appear.
Type in the dos window: netsh winsock reset
Click on the enter key.

Reboot your system to complete the process.
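The symptom in this thread, ordinary browsing works but Windows Update and MSE updates fail with connection errors, is the pattern a responder checks for two specific causes before anything else: a proxy injected into the per-user Internet Settings (the inetcpl.cpl step above reads the same ProxyEnable value) and hosts-file entries that pin update or vendor domains to a dead address. The Python below is an added example, not part of the thread or any tool it mentions. The hosts sample is constructed, and the watchlist of domains is an assumption chosen for the example; the registry value names ProxyEnable, ProxyServer and AutoConfigURL are the real WinINet ones. Run it on the affected machine as the affected user, because the proxy values live under HKCU.

```python
import os
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample hosts file (not from the thread): the first entry is the
# normal one; the rest are the kind of overrides that silently break updates.
SAMPLE_HOSTS = """\
# sample hosts file for the example
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       update.microsoft.com
127.0.0.1       www.malwarebytes.org   # added by malware
"""

# Domains worth flagging if hosts maps them anywhere: update servers and the
# vendors whose tools this thread uses. The list is an assumption for the example.
WATCHLIST = ("microsoft.com", "windowsupdate.com", "malwarebytes.org",
             "kaspersky.com", "eset.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(ip, hostname) pairs with comments and blank lines dropped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries


def suspicious_hosts_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Entries that pin a watch-listed domain, or a subdomain of one, to any address."""
    return [(ip, name) for ip, name in entries
            if name != "localhost"
            and any(name == d or name.endswith("." + d) for d in WATCHLIST)]


def proxy_findings(values: Dict[str, object]) -> List[str]:
    """Interpret the WinINet proxy values read from the user's Internet Settings key."""
    notes: List[str] = []
    if values.get("ProxyEnable") == 1:
        notes.append(f"proxy enabled: {values.get('ProxyServer', '')}")
    if values.get("AutoConfigURL"):
        notes.append(f"auto-config script set: {values['AutoConfigURL']}")
    return notes


def read_proxy_settings() -> Optional[Dict[str, object]]:
    """Read the live values from HKCU; None when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    out: Dict[str, object] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Internet Settings") as key:
        for name in ("ProxyEnable", "ProxyServer", "AutoConfigURL"):
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except OSError:  # value not present
                pass
    return out


def read_hosts_file() -> Optional[str]:
    """Contents of the system hosts file; None when not running on Windows."""
    if sys.platform != "win32":
        return None
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "system32", "drivers", "etc", "hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(parse_hosts(read_hosts_file() or SAMPLE_HOSTS)):
        print(f"hosts override: {name} -> {ip}")
    live = read_proxy_settings()
    # Off Windows, demonstrate against a constructed proxy configuration.
    demo = {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8080"}
    for note in proxy_findings(live if live is not None else demo):
        print(note)
```

A proxy pointing at 127.0.0.1 or at an unfamiliar address explains a "CONNECTION FAILED" from MSE while a browser that has been told to bypass the proxy keeps working; a hosts override does the same for exactly the domains listed and nothing else. Neither check replaces the `netsh winsock reset` above, which repairs the Winsock catalog rather than these settings.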

#11 Dragongirl (Topic Starter)

Posted 18 April 2011 - 10:17 PM

I'm using Xp pro x64 edition, though I've been tempted to go up to Win Seven many times

Net works fine, its just automatic updates, and updates to MSE that don't work.

EDIT: even checked the firewall settings, no good, even pulled in to the router as well, still no good

Edited by Dragongirl, 18 April 2011 - 10:30 PM.



#12 boopme

Posted 18 April 2011 - 10:30 PM

Any security software still installed, such as a firewall other than the Windows firewall?

A possible reason for this problem is that you have conflicting security software installed fully or partially on the PC. Remove all other security software from the PC.
You may need this AppRemover
Using AppRemover


Then Install and run the Avira I posted earlier.

I'll look back tomorrow.

#13 Dragongirl (Topic Starter)

Posted 18 April 2011 - 10:40 PM

Nope; nothing. Only actual firewall running is the Windows firewall. I have MBAM and MSE; this is driving me nuts that I cannot update my machine >.< I keep getting errors saying the page cannot be shown due to an internet connectivity issue.

Problem is apparently fixed. It was weird: I was recommended, after saying I got help here, to also try somewhere else (Microsoft forums is where I was pointed). Turns out the sealant you got for that back door worked perfectly!! All it needed was to go just a little bit deeper into the cracks :D

Edited by Dragongirl, 18 April 2011 - 11:19 PM.



#14 boopme

Posted 19 April 2011 - 01:29 PM

Excellent... Now mop up.
If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
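The Autorun advice above names the risk but not the setting that controls it. On XP the policy is the NoDriveTypeAutoRun DWORD under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer in HKLM (machine-wide) and HKCU (per user); each set bit disables Autorun on one drive type, and 0xFF disables it on all of them. The Python below is an added example, not from the thread: it decodes a value into the drive types still allowed to autorun, reads both hives when run on Windows, and prints the reg.exe command that sets the hardened value. The precedence rule (machine value wins) and the 0x91 fallback used when neither hive has the value are this example's assumptions and are marked as such in the code.

```python
import sys
from typing import Dict, List, Optional

# Bits of NoDriveTypeAutoRun; a set bit disables Autorun on that drive type.
# Bit 0x02 is unused.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x04: "DRIVE_REMOVABLE",    # USB sticks, memory cards, floppies
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",       # network shares
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_NO_ROOT_DIR",
}
DISABLE_ALL = 0xFF
POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def autorun_enabled_on(value: int) -> List[str]:
    """Drive types on which a NoDriveTypeAutoRun value still allows Autorun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def effective_value(machine: Optional[int], user: Optional[int], default: int = 0x91) -> int:
    """Pick the value that applies. Assumptions for this example: the HKLM
    value overrides HKCU, and 0x91 is used when neither hive sets one."""
    if machine is not None:
        return machine
    if user is not None:
        return user
    return default


def read_policy_values() -> Dict[str, Optional[int]]:
    """NoDriveTypeAutoRun from HKLM and HKCU; None where absent or when not on Windows."""
    out: Dict[str, Optional[int]] = {"HKLM": None, "HKCU": None}
    if sys.platform != "win32":
        return out
    import winreg
    for label, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, POLICY_SUBKEY) as key:
                out[label], _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
        except OSError:  # key or value missing
            pass
    return out


def hardening_command() -> str:
    """reg.exe command that disables Autorun on every drive type, machine-wide."""
    return (f'reg add "HKLM\\{POLICY_SUBKEY}" /v NoDriveTypeAutoRun '
            f"/t REG_DWORD /d {DISABLE_ALL} /f")


if __name__ == "__main__":
    vals = read_policy_values()
    eff = effective_value(vals["HKLM"], vals["HKCU"])
    still = autorun_enabled_on(eff)
    print(f"HKLM={vals['HKLM']} HKCU={vals['HKCU']} -> effective 0x{eff:02X}")
    print("Autorun still enabled on:", ", ".join(still) if still else "nothing")
    if still:
        print("to disable everywhere, run as Administrator:", hardening_command())
```

The registry value is the policy, not proof that it is honored: after setting it, confirm on the machine itself with a USB stick carrying a harmless autorun.inf, and remember that a 0x91-style value leaves removable drives, the case the paragraph above is about, fully enabled.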

#15 Dragongirl (Topic Starter)

Posted 19 April 2011 - 03:06 PM

Kitchen's clean now! =)

*puts up a sign saying Home Depot, Proud (Unofficial) sponsor of Bleeping Computer Forums* =)

Quick question: doing that step-by-step list won't actually remove any created files, will it?





