TechSpot

Virus blocking malware tools

Inactive
By robmcmorrow
Sep 29, 2010
  1. A virus with the “Microsoft Security Essentials Alert” message has hijacked my computer. It will not let me open Explorer, Firefox, Task Manager, regedit, or start up in safe mode. When I run MalwareBytes, it runs for about 20 minutes, finds no errors, and then crashes the computer. I tried the following:

    Rkill (and variants) – do not disable the process.
    TFC – kills the process but shuts down the computer before it can complete.
    GMER – runs for 2 hours, gets to the system files, and crashes the computer.
    DDS – will not run.

    Please let me know if there are any other things to try.

    Thanks
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay. The fake Microsoft Security Essentials Alert is a Trojan that attempts to trick you into thinking you are infected so that you will then install and purchase one of 5 rogue anti-virus programs that it is distributing.

    See if you can run this online scan:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Hopefully you can get into the system long enough to run this. All of these security alerts, like the scan results, are fake and should be ignored. Then see if you can run the following:
    Please download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already.

    Once done, try running Malwarebytes again
     
  3. robmcmorrow

    robmcmorrow TS Rookie Topic Starter

    Thanks. Is there a way to download the eset software to a thumb drive? I am not able to open a browser on the infected computer. I will try changing the mbam name and see if that helps.
     
  4. robmcmorrow


    I ran the random name generator and that enabled Malwarebytes to run. The scan found and corrected 10 infections but the serious virus is still there. This is mbam v1.44. It would not let me update to v1.46. The update feature returned an error and if I tried to run the installation file for the latest version it tells me the file is corrupted and will not install. Please let me know if there are any other ideas.
     
  5. Bobbye


    Please paste the Mbam log in for me to see; it will give me an idea of what the malware is. I want the log showing the original quarantines, not a new scan.

    You can download Combofix to a flash drive and then install/run on the problem computer:

    Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double-click combofix.exe and follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Hold off on the Eset scan. Please PASTE the Combofix log in next reply.
     
  6. robmcmorrow


    Here is the mbam log. I will try the combofix program now.

    Database version: 3907
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    9/28/2010 2:43:07 PM
    mbam-log-2010-09-28 (14-43-07).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 247244
    Time elapsed: 1 hour(s), 0 minute(s), 6 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 4
    Files Infected: 5

    Memory Processes Infected:
    C:\Documents and Settings\Margaret\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\Margaret\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D} (Worm.Prolaco.M) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome (Worm.Prolaco.M) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content (Worm.Prolaco.M) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\Margaret\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest (Worm.Prolaco.M) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf (Worm.Prolaco.M) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul (Worm.Prolaco.M) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Margaret\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
     
  7. robmcmorrow


    I tried to run Combofix. It opened a small box for a short while, then stopped. Nothing else happened and the virus is still there.
     
  8. Bobbye


    Can you please tell me what you are seeing? Where is "there"?

    Please print these directions out. You will need to follow them in the order given and won't have access to them once you start. Download 'rkill', 'exehelper' and 'Malwarebytes' on the flash drive first. Run each in this order, following all instructions carefully. One thing I anticipate is a problem with the old version of Mbam: when you first get back into the system, you should uninstall the old version, then reboot the computer before you begin:

    Step 1:
    Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    Once you've gotten one of them to run, then try to immediately run the following.

    Step 2:
    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    You can hold this log until all completed.
    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

    Step 3:
    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
      * When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please paste this log in your reply.
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ========================
     
  9. robmcmorrow


    By the “serious virus is still there” I meant that the box with the Microsoft Securities Essentials bulletin was still there and I still was unable to open a browser, run rkill, or get the task manager to run. I will follow these instructions but I expect I’ll still have problems with the rkill and variants.
     
  10. robmcmorrow


    So good news, I think. I started to follow your latest instructions and found that the “Microsoft Securities Essentials” screen was gone. It looks like one of the earlier steps must have worked – it just took some time to take effect. The last thing I ran was Combofix. It did not seem to do much and no log was created. I don’t remember if I rebooted just after this. I did reboot before starting the last steps and found the Malware window gone. I ran through the 3 steps anyway and have attached the logs. I hope this means the Malware is gone and not lying dormant. Please let me know if this makes sense to you.

    Thanks

    exeHelper by Raktor
    Build 20100414
    Run at 14:46:58 on 09/28/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4717

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    9/28/2010 2:51:12 PM
    mbam-log-2010-09-28 (14-51-12).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 251814
    Time elapsed: 1 hour(s), 0 minute(s), 7 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Margaret\Application Data\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
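As an added defender-side example (not code from this thread or from Malwarebytes), here is a small Python parser for the MBAM 1.4x log format pasted in posts 6 and 10. It reads the summary counts and the per-section entries, reports any section whose header count disagrees with the entries listed (a sign the paste was truncated), and flags the two patterns that stand out in this thread's first log: autostart Registry values under a Run key, and files borrowing a system-process name outside the Windows directory. The trimmed sample log, the SYSTEM_NAMES list and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict
# Constructed sample: a trimmed copy of the MBAM 1.44 log posted earlier in this thread.
SAMPLE_LOG = r"""Scan type: Full Scan (C:\|)
Memory Processes Infected: 1
Registry Values Infected: 1
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
C:\Documents and Settings\Margaret\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Unloaded process successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Margaret\Application Data\SystemProc\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margaret\Desktop\eXplorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Core Windows process names that malware likes to borrow (assumed, illustrative list).
SYSTEM_NAMES = {"lsass.exe", "explorer.exe", "svchost.exe", "csrss.exe", "winlogon.exe"}

def parse_mbam_log(text):
    """Return (summary counts, entries per section) parsed from an MBAM 1.4x log."""
    summary, detections, section = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY_RE.match(line):          # "Files Infected: 2" style summary line
            summary[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):         # "Files Infected:" opens a detail section
            section = m["section"]
        elif section and (m := ENTRY_RE.match(line)):
            detections[section].append((m["path"], m["family"], m["action"]))
    return summary, dict(detections)

def count_mismatches(summary, detections):
    """Sections whose header count disagrees with the entries listed (a truncated paste)."""
    return [s for s, n in summary.items() if n != len(detections.get(s, []))]

def suspicious_paths(detections):
    """Autostart Registry values, plus files named after system processes outside Windows."""
    hits = []
    for section, entries in detections.items():
        for path, _family, _action in entries:
            low = path.lower()
            if (section.startswith("Registry") and "\\run\\" in low) or (
                low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\" not in low):
                hits.append(path)
    return hits
```

Run against the full log from post 6, the parser flags lsass.exe under Application Data, the eXplorer.exe file on the Desktop and the Policies\Explorer\Run value, which are exactly the items worth re-checking by hand after the quarantine.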
     
  11. Bobbye


    No, it's not gone yet. Repeating: where is "there"?
    "There": when you start up? On the desktop? On a web page? etc.

    When Combofix scans, it always generates a log.
    NOTE: The “Microsoft Securities Essentials” can show up in the Combofix header, even if it has been removed. If it does, do not be concerned; I can remove the entry from there, so don't attempt to do anything about it.
    ======================================
    Repeat: Please download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double-click combofix.exe and follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    =======================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Paste logs for both into your next reply. Okay to take more than 1 post if needed.
     
     