Inactive Virus blocking malware tools

[robmcmorrow]

A virus with the “Microsoft Security Essentials Alert” message has hijacked my computer. It will not let me open Explorer, Firefox, Task Manager, regedit, or start up in safe mode. When I run MalwareBytes it will run for about 20-minutes finding no errors and crash the computer. I tried the following:

Rkill (and variants) do not disable the process.
TFC – kills process but shuts down computer before it can complete
GBER – runs for 2 hours getting to the systems files and crashed computer
DDS – will not run

Please let me know if there are any other things to try.

Thanks

 

[Bobbye]

Okay- The fake Microsoft Security Essentials Alert is a Trojan that attempts to trick you into thinking you are infected so that you will then install and purchase one of 5 rogue anti-virus programs that it is distributing.

See if you can run this online scan:

Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Hopefully you can get into the system long enough to run this. All of these security alerts, like the scan results, are fake and should be ignored. The see if you can run the following:
Please download randmbam.exe

It will try to create random names and shortcuts for Malwarebytes Anti Malware(MBAM) if you have it installed already.

Once done, try running Malwarebytes again

 

[robmcmorrow]

Thanks. Is there a way to download the eset software to a thumb drive? I am not able to open a browser on the infected computer. I will try changing the mbam name and see if that helps.

 

[robmcmorrow]

I ran the random name generator and that enabled Malwarebytes to run. The scan found and corrected 10 infections but the serious virus is still there. This is mbam v1.44. It would not let me update to v1.46. The update feature returned an error and if I tried to run the installation file for the latest version it tells me the file is corrupted and will not install. Please let me know if there are any other ideas.

 

[Bobbye]

Please paste the Mbam log in for me to see- it will give me an idea of what the malware is. I want the log showing the original quarantines, not a new scan.

You can download Combofix to a flash drive and then install/run on the problem computer:

Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..

Hold off on the Eset scan. Please PASTE the Combofix log in next reply.

 

[robmcmorrow]

Here is the mbam log. I will try the combofix program now.

Database version: 3907
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/28/2010 2:43:07 PM
mbam-log-2010-09-28 (14-43-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 247244
Time elapsed: 1 hour(s), 0 minute(s), 6 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 5

Memory Processes Infected:
C:\Documents and Settings\Margaret\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Margaret\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D} (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Margaret\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul (Worm.Prolaco.M) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

 

[robmcmorrow]

I tried to run Combofix. it opened a small box for a short while then stopped. Nothing else happened and the virus is still there.

 

[Bobbye]

Can you please tell me what you are seeing for

the virus is still there.
A virus with the “Microsoft Security Essentials Alert” message has hijacked my computer.
but the serious virus is still there

Where is "there"?

Please print these directions out. You will need to follow them in the order given and won't have access to them once you start: Download 'rkill', 'exehelper' and 'Malwarebytes on the flash drive first. Run each in this order, following all instructions carefully. One thing I anticipate is a problem with the old version of Mbam> when you first get back into the system, you should uninstall the old version, them reboot the computer before you begin:

Step 1:
Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

• Rkill.com
• Rkill.scr
• Rkill.pif
• Rkill.exe
  
• Double-click on the Rkill desktop icon to run the tool.
• A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
• If not, delete the file, then download and use the one provided in Link 2.
• If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
• Do not reboot until instructed.
• If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following>>>>.

Step 2:
Please download exeHelper by Raktor and save it to your desktop.

• Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
• A black window should pop up, press any key to close once the fix is completed.
• A log file called exehelperlog.txt will be created and should open at the end of the scan)
• A copy of that log will also be saved in the directory where you ran exeHelper.com

You can hold this log until all completed.
Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

Step 3:

Malwarebytes' Anti-Malware

• Please download Malwarebytes' Anti-Malware from from HERE
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  [o] Update Malwarebytes' Anti-Malware
  [o] and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform Quick scan, then click Scan.
  * When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please paste this log in your reply
  [o] If you accidentally close it, the log file is saved here and will be named like this:
  [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

========================

 

[robmcmorrow]

By the “serious virus is still there” I meant that the box with the Microsoft Securities Essentials bulletin was still there and I still was unable to open a browser, run rkill, or get the task manager to run. I will follow these instructions but I expect I’ll still have problems with the rkill and variants.

 

[robmcmorrow]

So good news, I think. I started to follow your latest instructions and found that the “Microsoft Securities Essentials” screen was gone. It looks like one of the earlier steps must have worked – just took some time to take effect. The last thing I ran was Combofix. It did not seem to do much and no log was created. I don’t remember if I rebooted just after this. I did reboot before starting the last steps and found the Malware window gone. I ran through the 3 steps anyway and have attached the logs. I hope this means the Malware is gone and not laying dormant. Please let me know if this make sense to you.

Thanks

exeHelper by Raktor
Build 20100414
Run at 14:46:58 on 09/28/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4717

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/28/2010 2:51:12 PM
mbam-log-2010-09-28 (14-51-12).txt

Scan type: Full scan (C:\|)
Objects scanned: 251814
Time elapsed: 1 hour(s), 0 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Margaret\Application Data\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

 

[Bobbye]

No, it's not gone yet. Repeating "where is there?"

By the “serious virus is still there” I meant that the box with the Microsoft Securities Essentials bulletin was still there

"There:"
When you startup? On the desktop? On a web page? etc.

The last thing I ran was Combofix. It did not seem to do much and no log was created.

When Combofix scans, it always generates a log
NOTE: The “Microsoft Securities Essentials” can show up in the Combofix header, even if it has been removed. If it does, do not be concerned> I can remove the entry from there so don't attempt to do anything about it.
======================================
Repeat: Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
=======================================
Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Paste logs for both into your next reply. Okay to take more than 1 post if needed..