
AntiSpy2011Setup(4).exe - TR/Vilsel.badd and Java/Exdoer.BJ


This topic is locked. 40 replies to this topic.

#1 goodnow (Members, 28 posts)

Posted 10 May 2011 - 08:33 PM

I think the virus came through in an email attachment from one of the users on my laptop.
I have Malwarebytes and Avira installed on my laptop. Once I realized the laptop was infected I checked both apps and found that they were infected. The virus would not let me open Task Manager, nor would it let me update either of the antivirus apps. I used another computer and downloaded a fresh copy of Malwarebytes and installed it on my laptop. I ran this in safe mode as an admin user (note that I was not signed in as an admin user, but as the user who was infected). The app found 5 infected objects which I marked for removal. All files were related to AntiSpy2011Setup4.exe and the Java/Exdoer.BJ virus.

Next I ran the Avira app in administrator mode. I left the house and came back to find the laptop turned off. I hit the power button and the system seemed very slow to start. Once it booted back up I immediately restarted it in safe mode and checked the Avira app. I clicked the option to receive updates and got a bogus pop-up with Chinese characters as the message. I then went to Malwarebytes and found that I was not allowed to get updates for that app either. My guess would be that running the infected Avira simply reinstated the virus, but I'm not really sure. I did a search in my registry for AntiSpy2011 but it came up with nothing.

I again downloaded and installed a fresh copy of Malwarebytes and that is in the process of running right now. I have not had an opportunity to run the DDS program that you suggested in the "new user" how-to section of the forum. I truly apologize if I'm breaking any forum rules by posting prior to running the DDS program, but I'm extremely worried. I don't know what the Avira software may have done to my system, especially since I ran it in administrator mode. I'm PRAYING that it has not violently disrupted my registry.

I apologize, but because Malwarebytes is currently running I can not access the log file from the initial run.
Once Malwarebytes finishes running I will reinstall Avira.
I would appreciate any direction/guidance that you can provide.


#2 boopme (Global Moderator, 73,530 posts, NJ USA)

Posted 10 May 2011 - 08:44 PM

Hello, I moved this to Am I Infected for now as there is no DDS log.
The malware is causing the issues you see in Avira.

Please post the MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Please click Start > Run, type inetcpl.cpl in the runbox and press enter.
Click the Connections tab and click the LAN settings option.
Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.


Reboot into Safe Mode with Networking
How to enter safe mode (XP/Vista)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
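The manual checks in this reply (the inetcpl.cpl proxy setting and the FixExe.reg registry merge) and the Task Manager symptom from the first post can be scripted so the state is inspected before anything is changed. The PowerShell below is an added example written for this page; it is not code from the thread, from BleepingComputer, or from RKill or FixExe.reg. It assumes PowerShell 2.0 or later on Vista/7, an elevated prompt for the HKLM and HKCR parts, and that Windows' stock exefile open command is `"%1" %*` (the association FixExe.reg exists to repair). It reads HKCU, so like the scanners it has to be run under each user account. Run it once without -Fix to list findings; only -Fix writes to the registry.

```powershell
# Added example (not from the BleepingComputer thread): inspect, and optionally undo,
# three settings a rogue AV commonly tampers with. Assumptions: PowerShell 2.0+,
# elevated session, default exefile command '"%1" %*'.
param([switch]$Fix)

$findings = @()

# 1. WinINet/IE proxy. This is the value behind "Use a proxy server" in
#    inetcpl.cpl > Connections > LAN settings; AutoConfigURL is the PAC script field.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet
if ($p.ProxyEnable -eq 1) {
    $findings += "Proxy enabled, ProxyServer='$($p.ProxyServer)'"
    if ($Fix) { Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0 }
}
if ($p.AutoConfigURL) {
    $findings += "Proxy auto-config script set: $($p.AutoConfigURL)"
    if ($Fix) { Remove-ItemProperty -Path $inet -Name AutoConfigURL }
}

# 2. Task Manager policy. The thread reports Task Manager would not open; this
#    only covers the policy route, not a process that kills taskmgr.exe on launch.
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $pol) {
        if ((Get-ItemProperty -Path $pol).DisableTaskMgr -eq 1) {
            $findings += "DisableTaskMgr=1 under $hive"
            if ($Fix) { Remove-ItemProperty -Path $pol -Name DisableTaskMgr }
        }
    }
}

# 3. .exe shell association. If this is hijacked, every .exe launch goes through
#    the malware, which is why FixExe.reg is merged before RKill is run.
$expected = '"%1" %*'
$exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$cur = (Get-ItemProperty -Path $exeKey).'(default)'
if ($cur -ne $expected) {
    $findings += "exefile open command is '$cur' (expected '$expected')"
    if ($Fix) { Set-ItemProperty -Path $exeKey -Name '(default)' -Value $expected }
}
# A per-user override of exefile is not present on a stock install; report it if seen.
$userExe = 'HKCU:\Software\Classes\exefile\shell\open\command'
if (Test-Path $userExe) {
    $findings += "Per-user exefile override present: '$((Get-ItemProperty -Path $userExe).'(default)')'"
    if ($Fix) { Remove-Item -Path 'HKCU:\Software\Classes\exefile' -Recurse }
}

if ($findings.Count -eq 0) {
    'No tampering found in the checked settings.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
    if (-not $Fix) { 'Re-run with -Fix to revert the items above.' }
}
```

The association check is deliberately an exact string compare: the moderator's FixExe.reg merge fails for this poster ("Some keys are open by the system"), and a script that reports the current value tells you whether the merge took before you spend an hour on the next scan.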

#3 goodnow (Topic Starter, Members, 28 posts)

Posted 10 May 2011 - 09:48 PM

Thank you for the response. Shall I run SUPERAntiSpyware in Admin mode?

The initial Run of MBAM provided the following info in the log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6542

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.6002.18005

5/10/2011 6:37:12 PM
mbam-log-2011-05-10 (18-37-12).txt

Scan type: Full scan (C:\|)
Objects scanned: 435815
Time elapsed: 1 hour(s), 25 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Users\michael\AppData\Roaming\antivirus antispyware 2011 (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\michael\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\6S067NTA\info[1].exe (Trojan.FakeAlertRP.Gen) -> Quarantined and deleted successfully.
c:\Users\michael\AppData\Roaming\antivirus antispyware 2011\icoactivate.ico (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\Users\michael\AppData\Roaming\antivirus antispyware 2011\IcoHelp.ico (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\Users\michael\AppData\Roaming\antivirus antispyware 2011\icouninstall.ico (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.


**As I mentioned in the initial post, I ran MBAM a second time after determining that I'd run an infected version of the Avira app. Please note that the 2nd run of MBAM has completed but it has not located any viruses.

*********Here is the 2nd run of MBAM**************
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6550

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.6002.18005

5/10/2011 10:32:57 PM
mbam-log-2011-05-10 (22-32-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 435906
Time elapsed: 1 hour(s), 22 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
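
The first MBAM log above shows the rogue's files under the user profile (AppData\Roaming and Temporary Internet Files), and the moderator's RKill note warns that the malware starts again on reboot, which means an autorun entry somewhere. The PowerShell below is an added example for this page, not code from the thread or from MBAM; it lists the common Run-key and Startup-folder autoruns and flags entries whose command points into a profile location such as AppData or Temp. It assumes PowerShell 2.0 or later and the Vista/7 profile layout under C:\Users. HKCU covers only the logged-on user, so run it under each account (as the moderator advises for SAS), and note that an entry is a lead, not a verdict.

```powershell
# Added example (not from the BleepingComputer thread): enumerate autorun entries and
# flag targets living in user-writable profile paths. Assumes PowerShell 2.0+, Vista/7.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # present on 64-bit only
)

# Paths a legitimate installer rarely uses for an autorun target. Matched against the
# whole command string, so quoted and unquoted commands are handled the same way.
$suspect = '\\(AppData|Local Settings|Temp|Temporary Internet Files)\\'

$results = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those provider properties.
        if ($prop.Name -like 'PS*') { continue }
        $cmd = [string]$prop.Value
        $results += New-Object PSObject -Property @{
            Location = $key
            Name     = $prop.Name
            Command  = $cmd
            Suspect  = ($cmd -match $suspect)
        }
    }
}

# Startup folders: one per profile on disk plus the all-users folder. Scanning every
# profile directory catches an account other than the one you are logged on as.
$startupDirs = @(Get-ChildItem 'C:\Users' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
$startupDirs += Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'

$execExt = '^\.(exe|com|scr|bat|cmd|vbs|js|pif|lnk)$'
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in (Get-ChildItem $dir -Force | Where-Object { -not $_.PSIsContainer })) {
        if ($f.Name -eq 'desktop.ini') { continue }
        $results += New-Object PSObject -Property @{
            Location = $dir
            Name     = $f.Name
            Command  = $f.FullName
            Suspect  = ($f.Extension -match $execExt)
        }
    }
}

# Suspect entries first; -Wrap keeps long command lines readable.
$results | Sort-Object Suspect -Descending | Format-Table Suspect, Name, Command -AutoSize -Wrap
```

A clean result here does not rule out a rootkit, which is where the thread goes next: a driver-level infection (the TDSS family the moderator suspects later) does not need a Run key, so an empty listing only narrows the search, it does not end it.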

#4 boopme (Global Moderator, 73,530 posts, NJ USA)

Posted 10 May 2011 - 10:31 PM

Hello, run SAS from Admin and on all user accounts.
I see we did get the AV2011 with MBAM.

Do you need a clean copy of Avira? I am a little confused as to how you got an infected one. I will look back tomorrow as it will be an hour or so for SAS to complete.

#5 goodnow (Topic Starter, Members, 28 posts)

Posted 10 May 2011 - 10:41 PM

I've attempted to run the FixExe file for the registry but it fails with the message: Cannot import G:\RKILL FILES\FixExe.reg: Not all data was successfully written to the registry. Some keys are open by the system or other processes.
I'm running the free version of Avira so I do not have any option to set it to inactive. If I check my system tray I do not have the icon for that app, and if I check my services I see that Windows Defender has been stopped. The only security that is currently running is Windows Firewall.
Also, I downloaded the RKill file but the file type is listed as a screensaver?? Is that correct?

I'm not sure what to do from this point so I will await your instruction.

#6 goodnow (Topic Starter, Members, 28 posts)

Posted 10 May 2011 - 10:47 PM

OK - here's a brief recap of what happened. I've always had both Avira and Malwarebytes on my laptop. 1) Got the virus and found that both Avira and Malwarebytes were infected. 2) Using a different computer I downloaded a new copy of MBAM from their website. I installed this on my laptop and then ran it in safe mode.
3) I then ran Avira, but the mistake I made is that I never installed a fresh copy of Avira. As a result I ended up running a virus check using infected software. The PC shut down and when I powered it back up it took a long time to boot, so I restarted in safe mode and checked both MBAM and Avira and both were again infected.

So I reinstalled MBAM and ran it a second time. The 2nd run of MBAM showed no infected files but that's definitely not the case.

#7 boopme (Global Moderator, 73,530 posts, NJ USA)

Posted 10 May 2011 - 10:59 PM

Ok, let's see if we can run an online scan, then perhaps if it removes something the others will work.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


#8 goodnow (Topic Starter, Members, 28 posts)

Posted 11 May 2011 - 05:25 AM

Good Morning.
Prior to receiving your final post last night I did the following. Attempted to run the registry fix but I was unable to get it to load successfully. I then ran RKill successfully. From there I downloaded and launched SAS and set it to run. I'm on the east coast so by that time it was 12:30am. I let the app run and went to bed. I woke up this morning and see that the PC is powered down. I would imagine that the SAS software would not auto shut down the laptop after running the scan, but I've never used it before. Is this normal?
It's now 6:23am. I'll see if I can boot the PC up in safe mode and see if there was any log written from the SAS app.

#9 goodnow (Topic Starter, Members, 28 posts)

Posted 11 May 2011 - 05:47 AM

Ok - I've rebooted in safe mode. If I click on the SAS icon it takes me through all of the standard prompts asking me if I want to protect my home page, if I want updates etc. I uninstalled and reinstalled a fresh Avira app but unfortunately it's still infected, and when I attempt an update it's giving me the pop-up with Chinese characters. I have no clue as to whether my fresh MBAM app is also infected. It's 6:45am and I'll have to go to work soon. For now I'll attempt the online scan that you've suggested.

#10 goodnow (Topic Starter, Members, 28 posts)

Posted 11 May 2011 - 06:04 AM

Rebooted in safe mode.
When I launch SAS it takes me through its regular prompts - do I want to protect my home page, do I want to get updates etc.
Just out of curiosity I uninstalled and reinstalled Avira but despite a fresh install it's still infected. I can't tell if MBAM is infected or not, although I guess it doesn't really matter if these apps are infected as it's pretty obvious that there is still an infection lurking somewhere. Regardless, I have started the online scan that you suggested and it's now in the process of installing its database.

One piece of good news is that prior to running any of these scans, any attempt to launch either Firefox or IE would cause an immediate redirect of my home page to some bogus page with a message similar to "warning you are infected - click here to start your antivirus software". Now it seems that I can open IE and Firefox without getting a redirect.

So to date here's what we've tried after disabling all existing realtime virus protection: 1) running the FixExe file (failed), 2) running RKill (success), 3) running SAS (possibly failed?), 4) install of Malwarebytes (successful install but not sure that it's working properly as a recent scan implied there were no infections), 5) install of the Avira app was successful but the app is still infected, 6) now running ESET.

I'm off to work but will check for new posts later this evening.

#11 goodnow (Topic Starter, Members, 28 posts)

Posted 11 May 2011 - 09:13 AM

No luck. I booted the PC in safe mode, ran RKill and then launched SAS - it was going for a good 1/2 hour before I left for work @ 8:00am. It's 10:08am and I just called home to see if SAS was still running and I was told that once again the PC powered itself down. *sigh* What does all this mean? Is the virus so deep that it's shutting down any anti virus programs that might catch it? While SAS was running I pulled up Task Manager and verified that all of the services were stopped - ie Windows Defender etc. I did notice in processes that avgnt.32exe was running - I was surprised that it was running as a process, especially since the service was stopped, but I wasn't sure what to do.

So at this point the only spyware scanner that will run completely is MBAM, which tells me that I have no infections. SAS, AVG and this ESET have all powered down the machine after running for a certain period of time.

#12 boopme (Global Moderator, 73,530 posts, NJ USA)

Posted 11 May 2011 - 09:24 AM

Hello, this is a pest. I think it's a TDSS infection.
) and save it to your Desktop. <- Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.


#13 goodnow (Topic Starter, Members, 28 posts)

Posted 11 May 2011 - 04:27 PM

Yes, it most definitely is a pest and it's kind of freaking me out. I really want to be able to resolve this myself as I'm not too keen on dropping my laptop off to some random person @ the local Best Buy to have at it. Crossing my fingers that this works. If not, I'm really hoping that you've got a few more tricks up your sleeve. I did some research online today and came up with no fixes except for searching for a restore point. Unfortunately I never configured restore periods, so unless it's something that's done automatically.........*sigh*

Ok, I've downloaded the files onto my flash drive and I'll be heading home shortly to give this a try.

#14 goodnow (Topic Starter, Members, 28 posts)

Posted 11 May 2011 - 06:37 PM

I downloaded TDSSKiller v2.5.0.0 from the link in your last post. I ran RKill, then launched the app from the desktop. Service Drivers and boot sectors were selected as items to scan. It finished in about 3 minutes and came up clean. I kind of expected it to take longer??
I'm now running Avast free antivirus to see what that might do for me.

#15 goodnow (Topic Starter, Members, 28 posts)

Posted 11 May 2011 - 07:19 PM

Ok. So now I don't know if I should be super worried or if I should feel like I'm actually making progress here.
The good news is that the Avast virus scan has completed running (full system scan) without having the PC power down.
The bad news is that it reported NO THREAT FOUND. ???
