Very stubborn virus

By LuckytoHaveYOU
Nov 14, 2008
Topic Status:
Not open for further replies.
  1. The main reason that I am writing this post is to warn whoever else that might be reading this about a malware program or virus or something that I currently have on my computer and hopefully get some help. This thing is quite a bugger.

    So it turns out that whatever I have generates a fake Microsoft security icon next to all of my other active running program icons in the bottom right-hand corner of my screen that indicating that my computer may be at a security risk. When I clicked on it an almost identical "Microsoft" firewall security page comes up with all of the firewall settings and security features (some of which are defaulted to "security off" to make me think windows is not covering my security needs properly) and the refers me to a third party paying service that claims it will get protect/rid my computer of any viruses.

    At this point, currently, I am forty hours deep in figuring out the what I can do to get this wretched thing off my computer. I have used the 8-step viruses/spyware/malware preliminary removal instructions and although some infections were erased, the final result was that my computer was still cursed with this infection. Obviously whoever wrote this program to infect my computer has done everything VERY well to prevent me from deleting it.

    Some of my other symptoms of this mystery virus include: firefox starting up very slowly and taking longer to refresh information, iTunes taking a lot longer to do everything, ***Any/ALL spyware, firewall, and malware programs not being able to update their databases (including a freshly installed norton anti-virus)!****, system restore will NOT work, and neither will windows updates. Oh, and did I forget to mention that my windows "turn off system restore" is "disabled by group policy"?

    At this point in time I am almost certain that all my bank accounts, passwords, credit cards, and other accounts have been compromised. I will be reprogramming all my accounts after this is fixed.

    Anyways, to try fixing the problem, I tried to turn off system restore, but since this feature/option was disabled by the virus, I had to find out another route. I Googled my problem and I got some instructions from a website to go in manually through Start<Run<"regedit.exe"<(navigate /scroll mouse to)=HKEY_LOCAL_MACHINE \ Software \ Policies \ Microsoft \ Windows NT \ SystemRestore<then delete DisableConfig and DisableSR in the right hand screen.

    I thought that this would help to fix the reinfection or something but it did not. So far I have ran avira, avast, superanti-spyware, malwarebytes, HJT, CCleaner, SmitFraudFix, Norton, and Comodo, but nothing has fixed it yet. Some things have shown up here and there but the infection is still there and Comodo is telling me that it is from pop-up windows.

    Now I cannot uninstall Norton Anti-Virus Internet Security for some reason and none of my anti-virus/spyware/firewall programs will update to the databases. I am confused on what to do next. Will someone help me? I have attached the hijackthis report.
  2. rf6647

    rf6647 TechSpot Maniac Posts: 931

    The new HJT log is consitent with your problem.
    Tick off the items in the second quote block.

    Repeat efforts to get down to 1 firewall & 1 AV program.

  3. LuckytoHaveYOU

    LuckytoHaveYOU Newcomer, in training Topic Starter

    I have checked off the selected items you specified for me but it did not seem to do anything? I am confused as to what you mean when you say "repeat efforts to get down to one firewall and AV". I still need help on this. None of my software updates to the databases so running scans do nothing because this virus has duped them into thinking that nothing is wrong. I really don't want to reformat. Help???
  4. rf6647

    rf6647 TechSpot Maniac Posts: 931

    OK. Let’s follow this tack. Here is the post that is the source:
    mflynn - brutal malware. Use link in upper right corner to view entire thread.

    The following is an excerpt.

    D/L Xclean_Micro
    http://www.xblock.com/download/xclean_micro.exe

    No install, just run it. Delete all it finds. Decline to reboot on each item found, until the program finishes then reboot.
    Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.
    Please make a note of what it found as it has no log - (this may not be practical).
    If it does run in normal mode and does removals, then reboot to regular Safe mode and run again.

    Repeat until it runs clean or progress stalls.

    Once here, uninstall MBAM & SAS.
    Download new sources for MBAM & SAS.
    If not reachable from Techspot, then try www.download.com.

    Post logs & report progress.
  5. LuckytoHaveYOU

    LuckytoHaveYOU Newcomer, in training Topic Starter

    Yeah, lol, I can get online in safe mode. My computer is so messed up.. let me try this and then get back. I will report back when finish these steps.
  6. LuckytoHaveYOU

    LuckytoHaveYOU Newcomer, in training Topic Starter

    ok, I followed the steps to run xccleaner and it found a couple things which I deleted off my computer but after expecting a log after so many times, I forgot to write these applications down - I think one of them was named -viewbuilder-... I also installed and ran stinger which did not find anything. I uninstalled MWB and SAS after xccleaner was done (donwloaded both from download.com) and MWB worked fine with updates and everything (just as it did before) when I reinstalled it but the "system configuration settings" prevented me from reinstalling SAS in safe mode so it still will not update to the database and I am at another brick wall. I am writing this to you in safe mode again and am looking for more help. Please let me know anything else that I can do.
  7. mflynn

    mflynn Newcomer, in training Posts: 2,793

  8. LuckytoHaveYOU

    LuckytoHaveYOU Newcomer, in training Topic Starter

    ok so the sas file that you made and that I downloaded to my desktop still will not let me update. It says "make sure that your firewall is not blocking SuperAnti-Spyware". The MWB was able to update and detected one trojan but the MWB was always able to update.

    I am about to give up. This is ridiculous, it has been over 50 hours now trying just to get my anti-virus softwares to update to the databases online. I have no access to the internet in normal mode as I am in safe mode with networking running and trying to update all these processes.

    I have some logs attached.

    Attached Files:

  9. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Hi Lucky

    Well don't get negative now as you have broke mbam loose.

    Turn off the Firewall for a few moments if it will not take your approvals/exceptions.

    If you read the fixit log you will notice the volume that it cleaned. The failures were where I was trying to get what may be there. Likely in your case they were not there.

    So you were bad bad off.

    Now a couple of runs with mbam and sas in normal mode will break the Dam loose and things will begin to roll!

    Mike

    EDIT: Boot normal and begin it should work now. Remember if the Firewall won't knuckle under turn it off long enough to do the scans,
  10. LuckytoHaveYOU

    LuckytoHaveYOU Newcomer, in training Topic Starter

    I think I have above average perseverance and diligence but this is pushing it. Sorry for getting negative. I will keep trying.

    I really appreciate all the help from everyone. You guys are giving me hope, lol.

    I have one concern, however, that these actions are getting blocked by a "firewall" that I do not have running. I can't seem to get the "firewall" to stop blocking all my updates? Comodo does not appear to be running in the background and I have added the SAS to the "trusted programs" access but it still is being blocked.

    This is the problem I have right now.
  11. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK when his happens are you still in safe mode networking?

    Since the mbam ran in Safe Mode Networking see if it will now run without updating in normal mode! If it does and finds more, then run it again until it comes up clean.

    else
    ----------------------------------------------------------------------------------------------------------------------------------
    OK lets go in a different direction do this in Normal or Safe Mode Networking:

    Download SD Fix to Desktop among other things Catchme to look for RootKits.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDdFix It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click thu all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-clickto RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished.

    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt

    Copy and paste the Report.txt file to your next post.
    ----------------------------------------------------------------------------------------------------------------------------------

    then the above works or not

    ComboFix

    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall

    Mike

    PS I promise at some point here one of these will succeed and it will be like a Dam opening. Hhang in there! What is the alternative any way a SHOP where they may format away you valuable data photos emails.
     
  12. LuckytoHaveYOU

    LuckytoHaveYOU Newcomer, in training Topic Starter

    That's true. My friend just had his computer sent in to a store to rid his computer of viruses and it ended up costing him $300 and three weeks without a computer.

    I will report back with my new results.

    Thank you again for helping me and to anyone else who has any input.
  13. LuckytoHaveYOU

    LuckytoHaveYOU Newcomer, in training Topic Starter

    Here's the logs. I don't know if it fixed it yet as I have to switch between safe mode and normal mode.
  14. mflynn

    mflynn Newcomer, in training Posts: 2,793

    No you are nowhere near fixed but you may have kicked off enough mud that mbam and sas will now run and that is what we are after these are Dynamic Duo.

    Reboot to normal and try MBAM followed by SAS unupdated if they will run but not update.

    Mike
  15. LuckytoHaveYOU

    LuckytoHaveYOU Newcomer, in training Topic Starter

    Ok at this point I have no idea what is helping and what is hurting. It seems like nothing is getting this thing off my computer. Are there any more steps that I can take to continue my malware elimination? It appears that my computer is still too "muddy".

    I have been downloading everything in safe mode because my internet does not work in normal mode now for some reason. So far, I have tried SAS and MWB in normal and safe mode with no luck, it finds nothing. But SAS won't update, oh ...wait a second, now it will!!!!!! YES!!!!!!!!! Let me get back with results after I update and scan. Hopefully this works. Starting a scan in normal mode now.
  16. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Yes if you still have the Fixit folder it is fast so lets take it in steps.

    We have not run this in Safe Mode only and we have cleaned other things since.
    And we have turned off UAC since also.

    1. Boot to regular Safe Mode run it let it reboot
    2. Boot to Safe Mode Networking run it let it reboot
    3. back to normal run it again
    4. then try mbam and sas

    Mike
  17. LuckytoHaveYOU

    LuckytoHaveYOU Newcomer, in training Topic Starter

    What is UAC again? Also, do you mean to run fixit those steps? Or a different program? You just say "it" and I am a little confused. I will begin to run fixit in those steps now. Thanks.
  18. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Sorry! Its late that was another Thread only Vista has UAC.

    Yes that is what I wanted you to do run the download from the Fixit folder.

    As it can clean more as it runs in each state.

    Actually you should re download the Attachment as it too as I have updated it since you last downloaded it.

    Mike
  19. LuckytoHaveYOU

    LuckytoHaveYOU Newcomer, in training Topic Starter

    I am running windows XP professional edition. I am going to redownload the fix and try it again in each of safe mode then normal mode and try MWB and SAS. Will post back tomorrow. BTW, I tried to do the steps from the previous post and MWB and SAS report back as nothing being wrong, but obviously there is something wrong because of all my log reports indicate so and I still have no internet in normal mode and no updates taking place. My firewall (Comodo), SAS, Avast, Avira, and Norton do not update, (but MWB and spybot update just fine still as they did similarly in my other previous posts)... so we know that I have to try something else.
  20. LuckytoHaveYOU

    LuckytoHaveYOU Newcomer, in training Topic Starter

    ok so i have run fixit in safe mode, reboot, then safe with networking, reboot, then applied the cracked MWB and SAS in safe networking mode. It found nothing. I still have to try them both in normal mode after I reboot, apply fixit in normal mode, then reboot. Will post back later.
  21. mflynn

    mflynn Newcomer, in training Posts: 2,793

    OK but no need for more mbam and sas in either safe mode.

    Mike
  22. mflynn

    mflynn Newcomer, in training Posts: 2,793

    Ok I just reread the entire thread and have questions.

    Are you still having Internet access problems?

    And if so certain things update but you can't browse?

    Now give me details as to general condition of computer now.

    Boot up and shutdown OK?

    Look and feel of just moving around in My computer etc what ever you do without the Internet?

    Any programs not working or errors?

    Let me know some details about the above.

    But if the Internet is the remaining issues then do the 2 below operations these are not scans and should only take 3-4 minutes. Well do them anyway as they can only help.

    ---------------------------------------------------------------------------------------------------------------------------------
    We are going to give your TCP/IP, WINSOCK, NETBIOS, ARP and DNS an Enema!!

    Drag mouse and copy for pasting all the text in the box watch slider on side go to bottom and end of last line.

    Code:
    @echo off
    ipconfig /all >"%USERPROFILE%"\Desktop\ipconfig.out
    ;Saves ip settings
    
    netsh interface ip delete arpcache
    
    ipconfig /flushdns
    
    ipconfig /release *
    
    ipconfig /renew *
    
    ipconfig /registerdns
    
    nbtstat -RR
    
    netsh winsock show catalog >"%USERPROFILE%"\Desktop\lsp.txt
    ;saves log of current settings
    
    netsh winsock reset catalog
    ;resets Winsock
    
    netsh winsock show catalog >>"%USERPROFILE%"\Desktop\lsp.txt
    ;winsock after rest
    
    netsh int ip reset >"%USERPROFILE%"\Desktop\tcpreset.txt
    ;reset TCP stack
    exit
    exit
    
    Then open a cmd prompt and paste into the black screen. Ignore the errors, cmd screen will close.
    reboot here

    ---------------------------------------------------------------------------------------------------------------------------------
    Download Dial-A-Fix (DAF)
    http://wiki.djlizard.net/Dial-a-fix#...C_and_articles
    http://djlizard.net.nyud.net:8080/software/Dial-a-fix-v0.60.0.24.zip

    Have XP CD available in case DAF needs a file.

    Check all boxes on the screen (clear any restrictions if it shows any)
    Then click GO!

    Check for correct time and date.

    When the entire page is finished click the HammerHead at bottom to go to the second DAF page.

    Here 1 at a time do the below

    Reinstall BITS
    Reinstall Windows Firewall
    Repair Permissions
    Reset networking
    Reset WMI/WBEM (not the reinstall)

    Watch for any File not found or other errors and make note as this may lead to the fix!

    Reboot retest!

    Get back with GOOD news for a change.

    Mike
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.