Total Security virus 2011


#1 Hicks (Members, 20 posts)

Posted 26 April 2011 - 03:42 AM

Hello, this is my first post and first time ever searching for online help, so please bear with me.
I recently got the Total Security 2011 virus. I have googled this like no tomorrow and followed YouTube videos. I have used RogueKiller, RKill, SUPERAntiSpyware, Malwarebytes and AVG. After following the steps I just got back my desktop background and can use the internet; also the Total Security scan does not show up anymore. I still cannot gain access to any of my files; any time I click on My Documents it says "my stationary". I'm lost on what to do. I know my Hijack log has something wrong with it, I just don't want to start deleting the wrong things because I am now getting Internet Explorer script errors after I deleted a few things off there. I'm tempted to get the computer wiped, but I can't view or save any of my files, so I could really use some help.

Thanks,
Adam

Edited by elise025, 26 April 2011 - 04:52 AM.
Topic moved from XP forum to Am I Infected ~Elise




#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,932 posts, Virginia, USA)

Posted 26 April 2011 - 08:29 AM

The symptoms you describe can be indicative of a side effect of the HDD Defrag family of rogues, which changes file attributes to "hidden", making files appear invisible so the user thinks all of their files have been deleted.

See this example guide, which includes removal instructions and covers using unhide.exe (Step 17), a tool that removes the "hidden" attribute on all files. The tool is designed not to remove the hidden attribute from system files. When done, you will need to restore the hidden attributes to those files manually.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click (donation link).
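The rule quietman7 describes above (strip the "hidden" attribute from everything the rogue hid, but leave files that are also marked SYSTEM alone) is worth seeing in code, because the caveat about system files is exactly where a blanket `attrib -h /s` goes wrong. The block below is an added example; it is not code from this thread and not the unhide.exe tool. The attribute bit values are the documented Win32 FILE_ATTRIBUTE_* constants; the tree walk itself only works on Windows (it needs os.stat().st_file_attributes and SetFileAttributesW), while the planning step is pure and runs anywhere. The sample entries at the bottom are constructed for the example.

```python
"""
Added example, not code from the thread or from unhide.exe: reproduce the
rule quietman7 describes (clear the "hidden" attribute on everything the
rogue hid, but leave files that are also SYSTEM alone) in a form that can
be dry-run before touching anything.

Assumptions, labelled: the bit values are the documented Win32
FILE_ATTRIBUTE_* constants; the tree walk needs Windows for
os.stat().st_file_attributes and SetFileAttributesW.
"""
import os
import sys
from typing import Iterable, List, Optional, Tuple

FILE_ATTRIBUTE_HIDDEN = 0x02     # Win32 constant
FILE_ATTRIBUTE_SYSTEM = 0x04     # Win32 constant
FILE_ATTRIBUTE_DIRECTORY = 0x10  # Win32 constant, used only in the sample below
FILE_ATTRIBUTE_ARCHIVE = 0x20    # Win32 constant, used only in the sample below


def new_attributes(attrs: int) -> Optional[int]:
    """Attribute mask a file should end up with, or None to leave it alone.

    Hidden+System files (desktop.ini, boot.ini, pagefile.sys, ...) are hidden
    on purpose, so they are skipped rather than unhidden.
    """
    if not attrs & FILE_ATTRIBUTE_HIDDEN:
        return None                      # already visible
    if attrs & FILE_ATTRIBUTE_SYSTEM:
        return None                      # hidden+system: leave as-is
    return attrs & ~FILE_ATTRIBUTE_HIDDEN


def plan_unhide(entries: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Pure planning step over (path, attrs) pairs; testable on any OS."""
    changes = []
    for path, attrs in entries:
        updated = new_attributes(attrs)
        if updated is not None:
            changes.append((path, updated))
    return changes


def unhide_tree(root: str, dry_run: bool = True) -> List[Tuple[str, int]]:
    """Walk `root` on Windows and apply the plan with SetFileAttributesW."""
    if sys.platform != "win32":
        raise RuntimeError("file attributes are a Windows concept; run on the affected PC")
    import ctypes
    kernel32 = ctypes.windll.kernel32
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                entries.append((full, os.stat(full).st_file_attributes))
            except OSError:
                continue  # unreadable entry: skip rather than abort the run
    changes = plan_unhide(entries)
    for path, attrs in changes:
        print("would set" if dry_run else "setting", f"{attrs:#06x}", path)
        if not dry_run and not kernel32.SetFileAttributesW(path, attrs):
            print("  failed:", ctypes.WinError())
    return changes


# Constructed sample of what a walk might return after the rogue ran
SAMPLE_ENTRIES = [
    (r"C:\Documents and Settings\HP_Administrator\My Documents",
     FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN),
    (r"C:\Documents and Settings\HP_Administrator\My Documents\thesis.doc",
     FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_HIDDEN),
    (r"C:\Documents and Settings\HP_Administrator\My Documents\desktop.ini",
     FILE_ATTRIBUTE_ARCHIVE | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    (r"C:\Documents and Settings\HP_Administrator\My Documents\notes.txt",
     FILE_ATTRIBUTE_ARCHIVE),
]

if __name__ == "__main__":
    for path, attrs in plan_unhide(SAMPLE_ENTRIES):
        print(f"{attrs:#06x}  {path}")
```

Run it with `dry_run=True` first and read the list; the folder and thesis.doc are restored, desktop.ini is skipped because it carries SYSTEM, and notes.txt is untouched because it was never hidden.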

#3 Hicks (Topic Starter, Members, 20 posts)

Posted 27 April 2011 - 01:49 AM

Thanks, that worked for getting my files back!
What would you recommend for the other viruses on my computer?
I'm still getting a script error message, and sometimes when I'm on the internet I'll get the audio of advertisements but there's no video or other windows open; it's very strange. I ran Avast after all this and it found a Win32:cycbot-cz and a Win32:Alureon-lu [trj], assuming that means trojan. It said some could not be fixed. I really want to avoid reformatting again; is that my only option?

#4 quietman7 (Bleepin' Janitor, Global Moderator, 51,932 posts, Virginia, USA)

Posted 27 April 2011 - 06:41 AM

Please post the results of your last MBAM scan for review (even if nothing was found).

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd



Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • Any objects found will show in the Scan results - Select action for found objects and offer three options.
  • If an infected file is detected, the default action will be Cure...do not change it.
  • Click Continue > Reboot now to finish the cleaning process.<- Important!!
  • If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection. Leave it as such for now.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

#5 Hicks (Topic Starter, Members, 20 posts)

Posted 27 April 2011 - 02:00 PM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6376

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

24/04/2011 5:14:48 PM
mbam-log-2011-04-24 (17-14-48).txt

Scan type: Quick scan
Objects scanned: 189583
Time elapsed: 17 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\mwr.exe" -a "firefox.exe) Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\mwr.exe" -a "firefox.exe -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\mwr.exe" -a "iexplore.exe) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I have tried for the past 15 minutes to get TDSS to work. I saved it to the desktop and extracted the files, and I tried just downloading the exe file, but when I click on it nothing shows up.

#6 quietman7 (Bleepin' Janitor, Global Moderator, 51,932 posts, Virginia, USA)

Posted 27 April 2011 - 02:09 PM

I have tried for the past 15 minutes to get TDSS to work. I saved it to desktop extracted files and I tried just downloading the exe file but when I click on it nothing shows up.

Some types of malware will target security tools to keep them from running properly. If TDSSKiller will not run or complete a scan, then try performing a scan in safe mode.

If that does not help, then try this:

Please download FixNCR.reg to your Desktop.
  • Double-click on that file to run.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Choose "Yes" when prompted to add it into the registry.
  • Once that is completed you should be able to run other programs.

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 6376. Last I checked it was 6449.
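Two registry hijacks run through this thread: the MBAM log in post #5 shows every StartMenuInternet browser command rewritten to launch mwr.exe with the real browser as an argument, and post #6 reaches for FixNCR.reg because the same trick applied to the .exe file association is the usual reason a tool such as TDSSKiller silently "does nothing" when double-clicked. The block below is an added example, not code from the thread, from Malwarebytes or from FixNCR.reg: it parses a .reg export and flags both patterns. The sample export is constructed for the example (the Firefox value is the one from the MBAM log; the exefile value is an assumption about what such a hijack looks like, not a value taken from this thread), and the expected exefile command `"%1" %*` is the documented Windows default.

```python
"""
Added example (not part of the thread, not FixNCR.reg or MBAM code): parse a
.reg export and flag two hijacks seen in this kind of infection:
  1. StartMenuInternet\<BROWSER>\shell\<verb>\command launching something
     other than the browser (the mwr.exe -a "firefox.exe" wrapper in the log);
  2. exefile\shell\open\command differing from the Windows default "%1" %*,
     the .exe association hijack that FixNCR.reg resets.
SAMPLE_REG is constructed; the exefile value is an assumed hijack, not one
quoted in the thread.
"""
import re
from typing import Dict, List, Tuple

DEFAULT_EXEFILE_COMMAND = '"%1" %*'   # documented Windows default for exefile

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\HP_Administrator\\Local Settings\\Application Data\\mwr.exe\" -a \"firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\HP_Administrator\\Local Settings\\Application Data\\mwr.exe\" -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
'''


def _unescape(value: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> \"."""
    return re.sub(r'\\(["\\])', r'\1', value)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for REG_SZ values: [KEY] sections, @= and "name"= lines.
    Other value types (dword:, hex:) are ignored; they are not needed here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, value = line.partition("=")
            if not (value.startswith('"') and value.endswith('"')):
                continue
            name = "(default)" if name == "@" else name.strip('"')
            keys[current][name] = _unescape(value[1:-1])
    return keys


def first_token(cmd: str) -> str:
    """Executable portion of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def find_hijacks(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, command, reason) for every command that does not match."""
    findings = []
    browser_cmd = re.compile(r"\\StartMenuInternet\\([^\\]+)\\shell\\[^\\]+\\command$", re.I)
    for key, values in keys.items():
        cmd = values.get("(default)")
        if cmd is None:
            continue
        m = browser_cmd.search(key)
        if m:
            browser = m.group(1).lower()
            exe = first_token(cmd).replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if exe != browser:
                findings.append((key, cmd, f"expected {browser}, launches {exe}"))
        elif key.lower().endswith(r"\exefile\shell\open\command"):
            if cmd != DEFAULT_EXEFILE_COMMAND:
                findings.append((key, cmd, f"expected {DEFAULT_EXEFILE_COMMAND}"))
    return findings


if __name__ == "__main__":
    for key, cmd, reason in find_hijacks(parse_reg(SAMPLE_REG)):
        print(f"{key}\n    {cmd}\n    -> {reason}")
```

On a real machine, export the keys with `reg export` and feed the file in; the IE entry in the sample passes because the command's basename matches the key name, while the Firefox wrapper and the non-default exefile command are both reported.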

#7 Hicks (Topic Starter, Members, 20 posts)

Posted 28 April 2011 - 03:48 AM

Still no luck running TDSS. I tried running it in safe mode, normal mode, and even downloading it in safe mode with networking. The only difference in safe mode was that the window with Run or Cancel popped up, but still nothing happened when I clicked Run. Here is the latest version of my Malwarebytes log; it just finished scanning now.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6461

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

28/04/2011 4:42:20 AM
mbam-log-2011-04-28 (04-42-20).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 299634
Time elapsed: 1 hour(s), 12 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Hicks (Topic Starter, Members, 20 posts)

Posted 28 April 2011 - 03:52 AM

Also, I did download and run FixNCR.reg and then ran Malwarebytes, followed by trying TDSS again.

#9 quietman7 (Bleepin' Janitor, Global Moderator, 51,932 posts, Virginia, USA)

Posted 28 April 2011 - 06:23 AM

Please download Norman TDSS Cleaner and save to your Desktop.
  • Double-click on Norman_TDSS_Cleaner.exe to run the tool.
  • Read the agreement and click Accept.
  • When the program window opens, click Start scan.
  • After the scan has finished, a log file named NFix_date_time (e.g. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
  • Copy and paste the contents of that file in your next reply.

Then perform a scan with Windows Live OneCare safety scan.
  • Close all open programs and do not use the computer during the scan.
  • Click "Full Service Scan" in the middle of the page.
  • Allow the download of the ActiveX controls that the scan needs to run.
  • Choose "Complete Scan" in the window that opens and then click "Next"
  • The scan may take several hours...be patient and allow the scan complete.
If using Firefox, please refer to these special instructions provided by Microsoft.

#10 Hicks (Topic Starter, Members, 20 posts)

Posted 28 April 2011 - 05:52 PM

Norman TDSS Cleaner
Version 2.0.2
Copyright 1990 - 2010, Norman ASA. Built 2010/11/12 06:32:24

Scan started: 2011/04/28 15:56:25

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 3
Logged on user: YOUR-4DACD0EA75\HP_Administrator


Scanning kernel...

Scan complete

This is what shows up in Notepad on my desktop, but when I click "List viruses" in the program there's a list of about 30 viruses; some include the Win32 Alureon, and I found it interesting that about 15 of them were "Win32/TDSS.drv.gen1"; it goes from gen1 to gen8. I also completed the Microsoft Safety Scan (that's what the link took me to), saved it to the desktop and ran it. 2 files were found; not sure how to post them, but it said one was fixed and "Adware:Win32/OpenCandy" could not be removed.

#11 quietman7 (Bleepin' Janitor, Global Moderator, 51,932 posts, Virginia, USA)

Posted 29 April 2011 - 06:48 AM

Are you able to run TDSSKiller now?

#12 Hicks (Topic Starter, Members, 20 posts)

Posted 29 April 2011 - 02:18 PM

Still unable to run TDSSKiller, even in safe mode, same as before.

#13 quietman7 (Bleepin' Janitor, Global Moderator, 51,932 posts, Virginia, USA)

Posted 29 April 2011 - 10:50 PM

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself or infect critical system files that cannot be cleaned. Sometimes there is an undetected hidden piece of malware such as a rootkit which protects malicious files and registry keys so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.

#14 Hicks (Topic Starter, Members, 20 posts)

Posted 02 May 2011 - 04:23 AM

http://www.bleepingcomputer.com/forums/topic394995.html

Here is the link to my new topic.

Thanks for all your help!

#15 quietman7 (Bleepin' Janitor, Global Moderator, 51,932 posts, Virginia, USA)

Posted 02 May 2011 - 06:36 AM

You're welcome.

Now that your log is posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Response Team member...nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

From this point on the Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Response Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have posted your log and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the Malware Response Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Response Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic until you are cleared by the Malware Response Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Good luck with your log.



