
CLOUD AV 2011


#1 kinchy


Posted 28 November 2011 - 04:30 PM

I can't find my first post again, so I will start from scratch as a new topic.

I had CLOUD AV 2011, Vista O/S. Using your site I booted in safe mode with networking, checked IE to check the proxy setting under LAN; it was not checked.

Then ran rkill to stop the malware process, then Malwarebytes.

After rebooting from safe mode it seemed to be totally fixed, AV CLOUD 2011 was gone and all seemed well, but when I went to type aol.com into the Firefox browser, the autocomplete function for the URL shows another malware, AV SECURITY 2012, looking like if I clicked on aol.com I would get some more malware.

I did not let malwarebytes reboot immediately but I did reboot the computer before I left safe mode.

My Bleeping Computer helper said to post the Malwarebytes log. Here it is:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8249

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 9.0.8112.16421

11/26/2011 4:08:56 PM
mbam-log-2011-11-26 (16-08-56).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 268427
Time elapsed: 31 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lEL9gTZqjCIrOtP8234A (Rogue.CloudAV2012) -> Value: lEL9gTZqjCIrOtP8234A -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NzzONxAv2ib (Trojan.FakeAlert.Gen) -> Value: NzzONxAv2ib -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Users\Kinchie\AppData\Roaming\microsoft\Windows\start menu\Programs\cloud av 2012 (Rogue.CloudAV2012) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\Kinchie\AppData\Roaming\microsoft\0150\2F72.tmp (Malware.Packer) -> Quarantined and deleted successfully.
c:\Users\Kinchie\AppData\Roaming\ahst.lni (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\Kinchie\AppData\Roaming\java.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Kinchie\AppData\Roaming\chrome.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Kinchie\Desktop\cloud av 2012.lnk (Rogue.CloudAV2012) -> Quarantined and deleted successfully.
c:\Users\Kinchie\AppData\Roaming\microsoft\Windows\start menu\Programs\cloud av 2012\cloud av 2012.lnk (Rogue.CloudAV2012) -> Quarantined and deleted successfully.
c:\Windows\System32\cloud av 2012v121.exe (Rogue.CloudAV2012) -> Quarantined and deleted successfully.

Today I booted into safe mode again, to run rkill again, since as I said I did not click on Malwarebytes to reboot as it asked, but did reboot before I left safe mode, and wanted to run rkill and Malwarebytes again in case I messed up the process. This time the program kept terminating early, with a pop up saying Internet Explorer had crashed.

I tried two renamed rkill programs as per directions but each time IE stopped running/crashed, keeping rkill from completing. Here is that log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 11/28/2011 at 15:00:29.
Operating System: Windows Vista ™ Home Basic


Processes terminated by Rkill or while it was running:



Rkill completed on 11/28/2011 at 15:00:32.

I ran Malwarebytes again anyway, and it found one virus and I rebooted when prompted. Here is that log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8249

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 9.0.8112.16421

11/28/2011 2:28:02 PM
mbam-log-2011-11-28 (14-28-02).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 270323
Time elapsed: 31 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Kinchie\downloads\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Sorry for starting a new topic but I could not find my first post or the reply the next day.

What's next? Same problem with typing aol.com into the Firefox browser, autocomplete still shows AV SECURITY 2012, which I am guessing means if I tried to go ahead and go to aol.com I would instead get that malware installed.

Edit: Moved topic from Vista to the more appropriate forum. ~ Animal
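Added example, not code from the thread: a small Python parser for the Malwarebytes 1.51 log layout posted above. It cross-checks each section's header count against the items actually listed and singles out detections in autostart locations (Run keys and the Winlogon Shell value), which are the entries that matter when a rogue AV keeps coming back after a reboot. The sample log is a constructed subset of the lines above; the regexes and marker strings are the example's own assumptions about the format.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Malwarebytes 1.51 log posted above
# (a subset of its lines, not the full log).
SAMPLE_LOG = r"""
Registry Values Infected: 2
Files Infected: 2
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lEL9gTZqjCIrOtP8234A (Rogue.CloudAV2012) -> Value: lEL9gTZqjCIrOtP8234A -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
Files Infected:
c:\Users\Kinchie\AppData\Roaming\java.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\cloud av 2012v121.exe (Rogue.CloudAV2012) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<loc>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# Autostart locations (assumed markers): a hit here means the rogue was set to relaunch at logon.
PERSISTENCE_MARKERS = ("\\currentversion\\run\\", "\\winlogon\\shell")

def parse_mbam_log(text):
    """Return (summary counts by section, list of detection dicts)."""
    summary, items, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        m = SUMMARY_RE.match(line)
        if m:                                   # e.g. "Files Infected: 7"
            summary[m["section"]] = int(m["count"])
            continue
        if line.endswith(" Infected:"):         # start of a detail section
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if m and section:                       # one detection line
            items.append({"section": section, "location": m["loc"],
                          "family": m["family"], "action": m["action"]})
    return summary, items

def check_counts(summary, items):
    """Sections whose header count disagrees with the items actually listed."""
    seen = Counter(i["section"] for i in items)
    return {s: (n, seen[s]) for s, n in summary.items() if seen[s] != n}

def persistence_hits(items):
    """Detections in Run keys or the Winlogon Shell value (persistence points)."""
    return [i["location"] for i in items
            if any(mk in i["location"].lower() for mk in PERSISTENCE_MARKERS)]
```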

#2 bloopie

  • Malware Response Team

Posted 30 November 2011 - 02:55 PM

Hi again,

Sorry about that. The topic was split because you weren't the original poster. A good rule of thumb here is, different computer, different topic. :thumbup2:

Anyway, Malwarebytes should be able to remove this infection, but I noticed your version of Malwarebytes is a little out of date. Try rebooting into safe mode with networking, then start Malwarebytes and click on the Update tab at the top. Then click Check for Updates.

After updating MBAM re-run Rkill, and when it's finished, run another full scan with MBAM. Post the results of the updated scan in your next reply.

bloopie
