  • CRAP!!!

    Despite warnings about not downloading anything on my netbook, and not opening Facebook messages saying "Look at this" or some other such thing, it appears I once again have a trojan/worm/virus on my computer.

    I am getting browser redirects, and I was getting IE popups with google search results of various anti-virus programs.

    I use Avira, as it was installed for me by the guys who did my last cleanup.
    It was going nuts with popups from Avira telling me I had malicious files.
    I quarantined them.
    I have run Avira about 4 times, and it will pick up malicious files one time, then not, and then it will, again.

    I run Lavasoft AdAware, and it shows nothing.
    Spybot comes up with nothing.
    MalwareBytes found something, but it supposedly quarantined and repaired, and then it found nothing, but then it will find something on the next scan. Lather, rinse, repeat.
    SUPERAntiSpyware finds nothing, then it will find something, then nothing again, and so on.

    It won't let me do any type of online spyware scans from the places I usually go.

    I downloaded a removal tool from Avira, and it found nothing.

    I know there's something on the computer. The browser redirects are annoying. Google is useless right now.

    I just don't know how to get rid of it, short of wiping the drive and starting again, or taking it to a shop and spending money I really don't have to get it fixed.

    Any suggestions?
    Too tired of living and too tired to end it. What a conundrum.

  • #2
    You're using a netbook and haven't installed Linux on it? For shame.



    • #3
      Thanks for that very informative and constructive advice for my problem.
      Too tired of living and too tired to end it. What a conundrum.



      • #4
        One thing to check is to see if, in your Internet settings on the Connections tab under LAN Settings, the virus didn't set up a proxy for you to go to.



        • #5
          It sounds very much like the Google Redirect Virus a friend just had. It required use of a TDSS rootkit removal bit. I don't have the URL where it was found, but I believe it was the Kaspersky one listed here:

          http://www.brighthub.com/internet/go...les/66090.aspx

          It was a resistant little bit to remove, but it did finally leave.

          I hope that helps!



          • #6
            Can you roll back (assuming XP) to just BEFORE you had the virus?

            Use AVG and online scanners to find out the exact name of the virus.

            Use Malwarebytes to see if you can remove the virus/trojan.
            In my heart, in my soul, I'm a woman for rock & roll.
            She's as fast as slugs on barbiturates.



            • #7
              I normally use Firefox, but my foster daughter uses IE.

              I saw something in the Avira scan that said it was Koobface.
              Unfortunately all the tools I found don't work.
              I went to Symantec to see what it said about Koobface, and when I checked the registry, the file they said I should find was not there.

              This is from the scan logs:
              [DETECTION] Is the TR/Drop.Agent.cjup Trojan
              That's in there 8 times.
              [DETECTION] Contains recognition pattern of the EXP/Pidief.coi exploit
              [DETECTION] Contains recognition pattern of the WORM/Koobface.gvh worm
              [DETECTION] Contains recognition pattern of the RKIT/Koobface.DT root kit
              This was from the very first warning that popped up on my screen:
              Virus or unwanted program 'HTML/ExpKit.Gen2 [virus]'
              detected in file 'C:\Documents and Settings\*************\Local Settings\Temporary Internet Files\Content.IE5\3FFZTZ1I\index[1].htm.
              Action performed: Deny access
              (The stars are filling in for my actual name. Didn't really want to put that in public.)
              This popped up only minutes later:
              Virus or unwanted program 'HTML/ExpKit.Gen2 [virus]'
              detected in file 'C:\Documents and Settings\*************\Local Settings\Temporary Internet Files\Content.IE5\3FFZTZ1I\index[1].htm.
              Action performed: Deny access
              These are all the other detections:
              Virus or unwanted program 'TR/ATRAPS.Gen [trojan]'
              detected in file 'C:\Documents and Settings\*************\Local Settings\Temporary Internet Files\Content.IE5\Z091VJAJ\hostsgb3[1].exe.
              Action performed: Move file to quarantine

              Virus or unwanted program 'TR/Dropper.Gen [trojan]'
              detected in file 'C:\Documents and Settings\*************\Local Settings\Temporary Internet Files\Content.IE5\AG1XUE7R\migdal.org.il[1].exe.
              Action performed: Move file to quarantine

              Virus or unwanted program 'BDS/Backdoor.Gen [backdoor]'
              detected in file 'C:\Documents and Settings\*************\Local Settings\Temporary Internet Files\Content.IE5\FMX8FL64\ws[1].exe.
              Action performed: Move file to quarantine

              Virus or unwanted program 'TR/REG.Koobface.89 [trojan]'
              detected in file 'C:\3.reg.
              Action performed: Move file to quarantine

              Virus or unwanted program 'EXP/CVE-2010-0886 [exploit]'
              detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YA5K0DRV\Applet11[1].htm.
              Action performed: Deny access

              Virus or unwanted program 'HTML/Infected.WebPage.Gen [virus]'
              detected in file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\PVZ1Q410\load[1].js.
              Action performed: Deny access

              Virus or unwanted program 'Defo (Boot) [virus]'
              detected in file 'C:\Program Files\Spyware Doctor\avdb\temp\BS.tmp.
              Action performed: Deny access

              The file 'C:\Documents and Settings\*************\Local Settings\Application Data\rdr_1278973277.exe'
              contained a virus or unwanted program 'TR/Drop.Agent.cjup' [trojan]
              Action(s) taken:
              The file was moved to '4cb3b9c2.qua'!

              The file 'C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YA5K0DRV\Notes11[1].pdf'
              contained a virus or unwanted program 'EXP/Pidief.coi' [exploit]
              Action(s) taken:
              The file was moved to '4cb5b9ce.qua'!

              The file 'C:\Documents and Settings\*************\Local Settings\Temporary Internet Files\Content.IE5\JD59JQVD\dogma[1].exe'
              contained a virus or unwanted program 'TR/Drop.TDss.dax' [trojan]
              Action(s) taken:
              The file was moved to '4ca8b9ce.qua'!

              The file 'C:\WINDOWS\system32\drivers\npi.sys'
              contained a virus or unwanted program 'RKIT/Koobface.DT' [trojan]
              Action(s) taken:
              The file was moved to '4caab9d6.qua'!

              The file 'C:\WINDOWS\system32\npi.dll'
              contained a virus or unwanted program 'WORM/Koobface.gvh' [worm]
              Action(s) taken:
              An error has occurred and the file was not deleted. ErrorID: 26003.
              The file could not be deleted!
              Attempting to perform action using the ARK library.
              The file was moved to '4caab9d0.qua'!
              Last edited by Ree; 07-18-2010, 02:11 AM.
              Too tired of living and too tired to end it. What a conundrum.

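The scan output quoted in #7 mixes two Avira message formats (the on-access guard's "Virus or unwanted program ... detected in file ..." blocks and the scanner's "The file ... contained ..." blocks), and the useful triage question is where each flagged file lives: hits in Temporary Internet Files are the delivery, while hits in system32 and system32\drivers (npi.dll, npi.sys) are what survives a reboot. The following parser is an added example, not from the thread or from Avira; the sample log is constructed by copying the message shapes and paths from the post (user name replaced), the "[DETECTION]" one-liners are deliberately ignored, and the location classes are my own labels.

```python
import re
from dataclasses import dataclass

# Constructed sample in the two message formats quoted in post #7 (paths and
# detection names copied from the thread, user name replaced). Not a real capture.
SAMPLE_LOG = r"""
Virus or unwanted program 'HTML/ExpKit.Gen2 [virus]'
detected in file 'C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\3FFZTZ1I\index[1].htm.
Action performed: Deny access
Virus or unwanted program 'TR/ATRAPS.Gen [trojan]'
detected in file 'C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Z091VJAJ\hostsgb3[1].exe.
Action performed: Move file to quarantine
The file 'C:\WINDOWS\system32\drivers\npi.sys'
contained a virus or unwanted program 'RKIT/Koobface.DT' [trojan]
Action(s) taken:
The file was moved to '4caab9d6.qua'!
The file 'C:\WINDOWS\system32\npi.dll'
contained a virus or unwanted program 'WORM/Koobface.gvh' [worm]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26003.
The file could not be deleted!
Attempting to perform action using the ARK library.
The file was moved to '4caab9d0.qua'!
"""

# Guard (on-access) format: three lines per event. The quoted output lacks the
# closing quote on the path line and ends it with a period, so we strip both.
GUARD_HEAD = re.compile(r"^Virus or unwanted program '(?P<name>.+) \[(?P<cat>[^\]]+)\]'$")
GUARD_FILE = re.compile(r"^detected in file '(?P<path>.+)$")
GUARD_ACTION = re.compile(r"^Action performed: (?P<action>.+)$")
# Scanner format: file line, name line, then one or more action lines.
SCAN_FILE = re.compile(r"^The file '(?P<path>[^']+)'$")
SCAN_NAME = re.compile(r"^contained a virus or unwanted program '(?P<name>[^']+)' \[(?P<cat>[^\]]+)\]$")
SCAN_ERROR = re.compile(r"^An error has occurred")
SCAN_MOVED = re.compile(r"^The file was moved to '(?P<qua>[^']+)'!$")


@dataclass
class Detection:
    name: str = ""
    category: str = ""
    path: str = ""
    action: str = ""


def parse_avira_log(text):
    """Walk the log line by line, assembling one Detection per event."""
    detections, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := GUARD_HEAD.match(line):
            pending = Detection(name=m["name"], category=m["cat"])
        elif (m := GUARD_FILE.match(line)) and pending:
            pending.path = m["path"].rstrip(".").strip("'")
        elif (m := GUARD_ACTION.match(line)) and pending:
            pending.action = m["action"]
            detections.append(pending)
            pending = None
        elif m := SCAN_FILE.match(line):
            pending = Detection(path=m["path"])
        elif (m := SCAN_NAME.match(line)) and pending:
            pending.name, pending.category = m["name"], m["cat"]
        elif SCAN_ERROR.match(line) and pending:
            pending.action = "delete failed; "  # the ARK retry line completes this
        elif (m := SCAN_MOVED.match(line)) and pending:
            pending.action += f"moved to quarantine ({m['qua']})"
            detections.append(pending)
            pending = None
    return detections


def location_class(path):
    """Coarse label for where a flagged file lives (my own categories)."""
    p = path.lower()
    if "\\system32\\drivers\\" in p:
        return "kernel driver"
    if "\\temporary internet files\\" in p:
        return "browser cache"
    if "\\system32\\" in p or "\\program files\\" in p or "\\application data\\" in p:
        return "installed component"
    return "other"


def triage(detections):
    """Group detections by location class; drivers and system32 hits are the
    ones that explain re-detection after every reboot."""
    groups = {}
    for d in detections:
        groups.setdefault(location_class(d.path), []).append(d)
    return groups


if __name__ == "__main__":
    for loc, items in triage(parse_avira_log(SAMPLE_LOG)).items():
        print(f"{loc}:")
        for d in items:
            print(f"  {d.name} [{d.category}] {d.path} -> {d.action}")
```

Run against a real Avira report (`parse_avira_log(open(path).read())`) the grouping makes it obvious which entries are just cached exploit pages that the guard already denied and which are resident components that need the rootkit-aware tools discussed later in the thread.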


              • #8
                Follow the link and download tdsskiller.exe I've had really good luck with this one lately.

                http://support.kaspersky.com/viruses...?qid=208280684



                • #9
                  I downloaded that tool and ran it.
                  When I rebooted, I got the blue screen of death.
                  I chose "Last known configuration that worked".

                  Is it possible, then, that it just reinfected?
                  I ran the tool again after Windows came up, and it detected something again.
                  I rebooted and got the blue screen again.
                  I chose "Last known configuration that worked" again.

                  I did attempt a google search, and it seemed to work much better.
                  I didn't get redirected, anyway.
                  Too tired of living and too tired to end it. What a conundrum.



                  • #10
                    Darn. That's not good. Glad you were able to restore from the bluescreen.

                    I normally download and run CCleaner just to get all the temp files and crap out of the way to speed up the other scans.

                    Go to malwarebytes.org and download their free software. Update that and run it.

                    You can get a thirty day trial of Norton. I don't think they are any better than the other ones but the Internet Security part will often at least let you know what is going even if they can't fix it. http://download.cnet.com/Norton-Inte...-10592551.html lets you download without registering anything. You can even give a fake e-mail address in the download window if you want.

                    hijackthis.de will let you download hijackthis (link in upper left corner) then you can paste the log file in the window and see what all is running and whether it is good or evil. Some of their answers are just wrong so be careful with this one as you can easily turn the computer's registry to mush removing things.

                    Hope some of this helps. I have found that this tdss isn't that hard to cure but all the crap it allows in can be a nightmare.

                    Steve



                    • #11
                      If you use Comcast you can get Norton for free... I would try that if you have Comcast.
                      Jacob (F&R Computer Man)



                      • #12
                        @Chromatix:
                        I'm a big Linux fan, too, but being snide is what really makes us look bad to MS users. I re-registered after more than a year absence from this site just to make up for this slight. And for Ree - 'cause she's pretty awesome.

                        @1756GR2:
                        Good call on the Proxy! I've had the last three computers I've looked at messed up because of this. It's now one of the first things I check.

                        Ree: Open IE and hit the "Tools -> Internet Options", then select the "Connections" tab, and finally, "LAN Settings". Make sure it's set to "Automatically detect settings", and NOT "Use Proxy...". A Proxy, by the way, is what re-directs your browser to the malware site(s) to get infected, then bumps you back over to where you wanted to go in the first place, hiding the fact that your system just got hosed.

                        @Imprl59:
                        CCleaner is awesome, granted, but CAN wind up removing things like the cookies this site needs for auto-login (the "remember me" feature). Use with caution!
                        Norton, IMPO, is a pile of crap. I know of no other utility that has a downloadable removal tool (NRT) that MUST be run to get rid of all the files. Seriously? (And, yes, I have had to use it to get at least two computers running...)

                        Now, back to the netbook at hand:

                        Ree, the first thing I would suggest is to run your scans in Safe Mode (tap F8 as the computer boots, select it from the menu that pops up). Also, Avira (my favorite, BTW) does not have the optimum settings as default. So...
                        Launch Avira, and select the Configuration in the top right corner (in blue - there's no button for it). Under Guard, select "All Files"; under Scanner, select "All files" and "All Types" (it defaults to scanning only non-joke and priority types of infections - we want to get rid of everything!). Once selected, save settings and scan.
                        Then run MBAM (Malwarebytes' Anti-Malware) the same way. I haven't seen anything (yet) that MBAM missed that Spybot picked up, so I usually just use MBAM.

                        What, I fear, is happening is that the particular infection(s) you have are able to hide in filetypes that aren't scanned by Avira by default, and are being re-spawned the next time you boot. By telling Avira to scan all files, this will (hopefully) pick up whatever file is hosting the infection(s) and get rid of them for good. Note that doing the scan and guard this way will make things go slower. Expect about 1-2 hours to do a complete scan with Avira, maybe the same with MBAM. So, make some tea and grab a crossword puzzle while it does the job.

                        Now, if the infection(s) happen to be in one of the drivers, then you'll wind up with the blue screen. If this happens, see if there's some sort of restore or recovery option in your BIOS (F1, F2, or DEL on most computers, or try F12 instead of F8 for Windows Vista/7) to see if it will re-load a known good driver. Try RECOVERY first, as restore usually deletes everything in there and starts from scratch.

                        barcode
                        Whew! Back with a vengeance!
                        and check out http://www.remove-malware.com for in-depth info!

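The LAN Settings check that #4 raised and #12 spelled out (Tools -> Internet Options -> Connections -> LAN Settings) reads and writes the per-user registry values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: ProxyEnable, ProxyServer and AutoConfigURL. The script below is an added example, not from the thread; it reads those three values on Windows (and returns nothing elsewhere) and applies a small assessment that is my own: a manual proxy pointed at the local machine, or an automatic configuration script you did not set, is exactly the silent redirect #12 describes. The "Automatically detect settings" checkbox itself is stored in a binary blob under the Connections subkey, which this check does not parse. The sample dictionaries in the test are constructed.

```python
import sys

# Real key behind the IE "LAN Settings" dialog (per user, hence HKCU).
INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
CHECKED_VALUES = ("ProxyEnable", "ProxyServer", "AutoConfigURL")
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


def read_ie_proxy_settings():
    """Return the live values on Windows as a dict; {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only standard library module
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS) as key:
        for name in CHECKED_VALUES:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent means "not set", which is the clean state
    return values


def proxy_host(server):
    """Extract the host from 'host:port' or 'http=host:port;https=host:port'."""
    first = server.split(";")[0]
    return first.split("=")[-1].rsplit(":", 1)[0].strip()


def assess_proxy_settings(values):
    """Return a list of findings (empty list = nothing unexpected).

    Heuristics are mine: an enabled proxy on a home machine is already worth a
    question, one pointing at the local machine doubly so, and a PAC script
    (AutoConfigURL) can redirect selectively even with ProxyEnable off.
    """
    findings = []
    enabled = int(values.get("ProxyEnable", 0) or 0)
    server = str(values.get("ProxyServer", "") or "")
    pac = str(values.get("AutoConfigURL", "") or "")

    if enabled and server:
        findings.append(f"manual proxy enabled: {server}")
        if proxy_host(server) in LOCAL_HOSTS:
            findings.append("proxy points at the local machine; verify which process "
                            "listens on that port before trusting it")
    elif server and not enabled:
        findings.append(f"proxy server configured but currently disabled: {server}")
    if pac:
        findings.append(f"automatic configuration script set: {pac}")
    return findings


if __name__ == "__main__":
    live = read_ie_proxy_settings()
    print("registry values:", live or "(not Windows or nothing set)")
    for finding in assess_proxy_settings(live) or ["no proxy findings"]:
        print(" -", finding)
```

Clearing the proxy in the dialog as #12 says is still the fix; the point of reading the values directly is that a scan can be repeated after each reboot to confirm the setting stays cleared, which is how you tell a one-off change from a resident component re-applying it.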


                        • #13
                          Still running fine, Ree?

                          Rapscallion



                          • #14
                            Thanks so much barcode.

                            Glad to have you back.

                            Seems OK at the moment.

                            I just may have beaten this thing.
                            Too tired of living and too tired to end it. What a conundrum.



                            • #15
                              Not a problem, Ree.

                              I hope something up ^ there helped out. If not, let us know which netbook you have, as it may get harder to fix it depending on how bad you got wonked.

                              *** What I'd be doing with it if I had it here ***

                              If the thing had a removable hard drive, I'd just pop it out and connect it to my "clean" and updated PC (WinXP/Fedora dual-booter) using my USB-PATA/SATA cable, and use that to scan the drive with Avira and MBAM (CCleaner needs to be run on the machine/drive you boot from). Once cleaned, just pop it back in and go.

                              If it happened to have a removable flash drive of some sort (SDHC, XD, or CF card), then you'd just pop that into a reader and go from there.

                              If the netbook has a bootable CD or USB option, then you could download a bootable image and use that. You boot Avira from the CD or flash drive, and run the scan (to download the Avira rescue image, go to http://www.free-av.com/en/tools/12/a...ue_system.html ).

                              If the netbook has the main storage as a flash chip soldered on the mobo, then you're kinda out of luck. You'll have to redo things from scratch if it got borked really good. Sorry.

                              *** If all else fails, it's small enough to sail through a window without hitting the sill ***

                              If you do decide to run Linux, I can help you out with that, too. I've been running since RedHat 5.2, skipped 6, used 7 for quite a while, skipped 8, ran and really loved 9, watched RedHat split into RHEL and Fedora, and I've been running Fedora ever since. I started with FC1 on one machine, then when FC2 came out six months later, I installed it on my second machine. Another six months, and I threw FC3 on my "odd" machine, FC4 on the "even", and I've been hopscotching the two every six months. They're up to Fedora 13.
                              In between, I've played with Knoppix, Ubuntu, and Mandriva - but I always seem to gravitate back to Fedora.

                              barcode
                              (Spiffed up the avatar - the last UPC got muddled - because we all know what happens if the UPC doesn't scan...)
