Crazy trojan

By smitherson
Sep 6, 2009
Topic Status:
Not open for further replies.
  1. I started having troubles a few weeks ago when I was getting this "Microsoft Anti-virus" program popping up and just taking over begging for me to buy it. So I ran Malwarebytes Anti-malware, and it got rid of the problem for a few days. Then I started noticing that I could not google search. Every time I clicked on a link it was sending me to different websites than the links I was clicking on. Finally I followed all 8 steps and I thought it was fine until today when "AntivirusPro_2010" showed up on my desktop doing the same thing. My computer kept locking up so I restarted in safe mode and the only thing that would run was AVG command prompt. Now Superantispyware, Malwarebytes, and AVG will not run in any safe mode or normal mode. The last LOG I was able to get was from when AVG ran in safe mode. I hope some1 can give me advice on what to do.
  2. Zyldar

    Zyldar Newcomer, in training Posts: 34

    Open Malwarebytes & click on the LOGS tab. You should be able to post the latest log from the last time you ran it.

    Are you getting errors in SAFE Mode when running malwarebytes or is it starting and quickly shutting down?

    Write down & keep track of the dates that you started having problems, you may need to run a system RESTORE (c:\windows\system32\restore\rstrui.exe). Don't run the restore yet.

    Post your existing Malwarebytes log.

    From the Start menu, click on RUN, type in 'Services.MSC'
    Click on the ACTION menu and choose Export List. Save & Post the tab delimited .txt file here.
    Close the services.msc window.

    Hope that helps.
    Zyldar
  3. smitherson

    smitherson Newcomer, in training Topic Starter

    Malware will open but I have to reinstall it or the second I run a scan it closes. Then I get this error when I try to reopen it, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
    I can't even run the Superantispyware install program. I hit run and it just closes. This is in safe or normal mode.

  4. raybay

    raybay TechSpot Evangelist Posts: 10,716   +6

    Remove (uninstall MalwareBytes and AVG) then reinstall MalwareBytes after a defragmentation, and then use Avira or Avast instead of AVG...
    Hope that works.
    Looks like you have disabled some routine functions... You might have to diddle with your computer to figger out why some functions have been disabled.
  5. smitherson

    smitherson Newcomer, in training Topic Starter

    It will not uninstall AVG. Keeps acting like it completes but it doesn't go away.
    I tried to defrag and got this error. "disc defragmenter could not start"
    This is getting frustrating!
  6. raybay

    raybay TechSpot Evangelist Posts: 10,716   +6

    Remove AVG in SAFE Mode
  7. smitherson

    smitherson Newcomer, in training Topic Starter

    I tried it in normal and safe mode and had the same results
  8. Zyldar

    Zyldar Newcomer, in training Posts: 34

    I haven't viewed your logs yet completely, but the reason you can't run some installed programs like AVG or malwarebytes is that the Security settings have been changed by the infection. You need to enable the 'security' tab to change the security settings for some .exe files to allow them to run correctly.

    Enabling the security tab in Safe Mode with xp home edition, pro edition, or Media Center edition:
    1. Boot to Safe Mode (Press F8 multiple times on bootup prior to the windows logo appearing)
    2. Up arrow to SAFE MODE and press Enter.
    3. When Userinit.exe loads (logon screen) left click on Administrator.
    4. When the desktop loads, left click on the START Menu.
    5. Left click on 'My Computer'
    6. Left click on the 'Tools' menu.
    7. Left click on 'Folder Options'
    8. Left click on the 'View' Tab.
    9. Left click and drag the slider to scroll down to the bottom of the options.
    10. Uncheck 'Use Simple File Sharing' and click the OK button.

    At this point, you'll be able to see a new TAB in the Properties window of any folder or program you view.

    You need to add 'System' to all of the programs that aren't running and you need to change the security setting for 'System'. 'System' has security settings like all users to allow Windows to open & run system programs. When the virus removed 'System' from the 'Security' of some programs, it disabled your ability to run those programs.

    To enable the 'Security' account to have access to run programs you need to change each program that has been disabled. Note: Reinstalling AVG or Malwarebytes as described by a previous user may help as well. However, this will help you enable the programs to run if you don't re-install them.

    For MRT (Microsoft Removal Tool)
    Note: MRT is a Microsoft tool that can help clean & remove some viruses. I suggest that you run it. The next few steps to help enable MRT.EXE can also be applied to SpybotSD.exe or mbam.exe (malwarebytes).
    1. Left click on the Start Menu.
    2. Left click on My Computer.
    3. Double Left click on the C:\ drive.
    4. Dbl left click on Windows.
    (spybot resides in C:\Program Files\Spybot - Search & Destroy\spybotsd.exe)
    (malwarebytes resides in C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe)
    5. Dbl left click on System32
    6. Scroll down until you find MRT.EXE.
    7. Right click on MRT.EXE and left click on Properties.
    8. Left click on the 'Security' tab.
    9. If 'SYSTEM' is in the list of 'Group or User Names', then you'll need to add it.

    Note: If 'System' is in the list, then you can click the 'Cancel' button and stop following the next few steps - double left click on MRT to run it and scan your pc. 'System' should have 'Full Control' checked though. If not, follow the next steps to add or change its Rights.

    10. Left click on the ADD button.
    11. Left click the Advanced button.
    12. Left click the Find Now button.
    13. Scroll down and single left click on 'System' (make it highlighted).
    14. Left click the OK button.
    15. Left click the Full Control check box.
    16. Left click the OK button.

    The program MRT.EXE is now set to run correctly. The same steps should be done for Mbam.exe and Spybotsd.exe.

    Post the Logs if the programs run correctly.

    Note: If you're able to get the system cleaned from enabling the scanner programs to run correctly, you should set or check the 'Use Simple File Sharing' check box back to the ON position.

    Please post your results.

    Hope that helps.
    Zyldar.
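
Added example, not part of Zyldar's post: a read-only PowerShell check of whether the Local System account still holds an Allow entry with Full Control on the three executables the post names, which is what the Security tab steps inspect by hand. It assumes Windows PowerShell is installed and the default install paths given in the post; the function name `Get-SystemAccessState` is hypothetical.

```powershell
# Added example: read-only audit of the NTFS ACLs on the scanner executables
# named in the post. Paths are the post's defaults; adjust if installed elsewhere.
$targets = @(
    "$env:SystemRoot\System32\MRT.exe",
    "$env:ProgramFiles\Malwarebytes' Anti-Malware\mbam.exe",
    "$env:ProgramFiles\Spybot - Search & Destroy\spybotsd.exe"
)

$systemSid   = 'S-1-5-18'   # well-known SID of Local System (locale-independent)
$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Get-SystemAccessState {
    param([string]$Path)

    if (-not (Test-Path $Path)) { return 'NotFound' }

    try {
        # Explicit and inherited ACEs, with identities returned as SIDs
        $acl   = Get-Acl -Path $Path -ErrorAction Stop
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    } catch {
        # The current user cannot read the ACL at all
        return 'Unreadable'
    }

    $system = @($rules | Where-Object { $_.IdentityReference.Value -eq $systemSid })
    if ($system.Count -eq 0) { return 'SystemMissing' }

    # A Deny entry for SYSTEM overrides any Allow entry
    if ($system | Where-Object { $_.AccessControlType -eq 'Deny' }) { return 'SystemDenied' }

    # Combine the rights granted by all Allow entries for SYSTEM
    $allowed = 0
    foreach ($ace in $system) { $allowed = $allowed -bor [int]$ace.FileSystemRights }
    if (($allowed -band $fullControl) -eq $fullControl) { return 'FullControl' }
    return 'Partial'
}

foreach ($path in $targets) {
    '{0,-14} {1}' -f (Get-SystemAccessState -Path $path), $path
}
```

Any result other than `FullControl` or `NotFound` marks a file whose permissions differ from what the post's steps are meant to restore.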
  9. matt9801

    matt9801 Newcomer, in training Posts: 16

    ok so if you are getting frustrated and can not figure out how to fix the problem then just backup your files you need to keep and reformat your computer. This may not be the best option, but as a last resort it should solve most software problems on your computer.
  10. smitherson

    smitherson Newcomer, in training Topic Starter

    Same issue... I could now open Malware, but it would not let me scan. About 4 seconds into a scan Malware bytes would automatically shut down.
  11. Zyldar

    Zyldar Newcomer, in training Posts: 34

    See if you can download, run in Safe Mode, & save logs using Rootrepeal.
    http://ad13.geekstogo.com/RootRepeal.rar

    You'll need to Unrar the compressed file to run the executable.

    Post the log back here.

    Another option is to remove the hard drive, install it (temporarily) in a clean computer as a secondary or slave drive and run anti-virus and anti-spyware scans on it. You may have a hidden rootkit virus that keeps shutting down your programs (even in safe mode), so scanning it in another computer will probably help.

    Start by downloading & running Rootrepeal first to see if hidden processes & services & files are active.

    Hope that helps.
    Zyldar
  12. edteach

    edteach Newcomer, in training Posts: 42

    This is the exact same problem I have had this past week. It started when I saw a video that came up that looked like a youtube video, I clicked on it and then realized it was not youtube but spelled very similar. A box popped up saying it was loading an 88kb file. I thought this may be the problem. It was not a video but some small file, and there is no reason to hide it in a fake video like this unless it is a virus or trojan. I could not get my computer to run any spy ware, I loaded it in regular and safe mode and my anti virus ran but did not detect anything and would not update. I finally backed up my files and ran system recovery, I was in the process of loading in the files and I got a desktop screen that turned blue and said I had been infected. It was the fake alarm crap, I dropped what I was loading and opened and ran malware bytes. It detected 11 trojans and removed them. I am running now and it has not detected any. I also ran cclean and then ran combofix. I also ran hijack this. I have no idea how a trojan could get on my computer after a system disc restore. Unless it is somewhere on my files.

    I
  13. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,455   +135

    You tried a System Restore and the Trojan came back? Turn off System Restore and run the scans again. When the scans are clean, turn back on System restore and create a "new" restore point
     
  14. edteach

    edteach Newcomer, in training Posts: 42

    I used the restore disc to install a new OS. I backed up all my files on My docs. and ran the disc. As I was loading files back on and downloading programs such as Firefox and flash player, the screen went blue with that fake virus alert page. I did a download and install of Malwarebytes and it picked up 11 trojan infections. I did not do the destructive load and backed up files, I wish I had not done that. But I have since deleted the back up file.
  15. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,455   +135

    Ok, I got you now... Once you are sure you are clean, you can create another back up set
  16. edteach

    edteach Newcomer, in training Posts: 42

    Cleaning

    How do I know when I am "clean"?
  17. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,455   +135

    Rerun your Antivirus scans
  18. raybay

    raybay TechSpot Evangelist Posts: 10,716   +6

    Scans in regular mode. Clean scans in safe mode. Done.
  19. edteach

    edteach Newcomer, in training Posts: 42

    1 trojan found

    At first I was thinking where are all these coming from since I just reloaded the OS, and after I did the log it was in the backup file of the old system. I hope this is it, it is called Trojan.sirefef and here is the log.

    Malwarebytes' Anti-Malware 1.40
    Database version: 2773
    Windows 5.1.2600 Service Pack 2

    9/10/2009 6:09:08 PM
    mbam-log-2009-09-10 (18-09-08).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 306554
    Time elapsed: 3 hour(s), 39 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\My Backup -- 09-09-09 0508PM\WINDOWS\system32\eventlog.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
  20. edteach

    edteach Newcomer, in training Posts: 42

    I updated to the most recent database in Malwarebytes and am running it again and it shows another trojan. I hope I can get this thing clean.
  21. raybay

    raybay TechSpot Evangelist Posts: 10,716   +6

    Some Trojans are designed to hide in memory, and pop right back when you reboot...

    The best way seems to be to scan with Avira or Avast, then MalWareBytes, then SuperAntiSpyware, then do a shutdown with the power button, and then reboot immediately into SAFE Mode by pressing the <F8> button repeatedly until it opens in the low resolution SAFE MODE screen. Then go to the top of the list.

    Run Malwarebytes again, and Avira... I don't think SuperAntiSpyware will run in SAFE MODE, so if you have another good malware scanner, use it...

    It takes a lot of time and patience, to rid your system of a Trojan like that one.
  22. raybay

    raybay TechSpot Evangelist Posts: 10,716   +6

    Keep running it until nothing shows up in HiJack This, or go to the TechSpot 8 steps which is very good and very thorough.
  23. pomkon

    pomkon Newcomer, in training Posts: 27

    I have a similar problem that something is damaging my browsers and the AV softwares are down, I want to get some log files as well to show. But in AVG I can't even access the virus vault (the virus scan history).
  24. raybay

    raybay TechSpot Evangelist Posts: 10,716   +6

    A good time to consider switching to Avast or Avira Antivir, or Kaspersky, or Nod32... all better than AVG
  25. edteach

    edteach Newcomer, in training Posts: 42

    I am running Avira now. The little umbrella is not up in the task bar but it is running. I may have turned it off on start up as I disabled everything on start up in the SC. I found a file called MCWelcom, and it may be a trojan on my Reg. Anyone heard of it?