Author Topic: I need your help Corrine. (Read 2346 times)

-blaze- · « **on:** January 30, 2010, 07:58:28 AM »

My firewall popped up with a warning and stupidly I allowed the action. First thing i noticed was that a program called "Antivirus Soft" downloaded itself and started scanning my computer, and on the right hand side it said "Antivirus Software Alert" "Your computer is being attacked by an internet virus. It could be a password-stealing attack, a trojan -dropper or similar".

-I googled on how to remove the virus
-I tried dowloading "kavremover9", it downloaded, but it wouldnt open. It gives this message everytime i try to open it "Application cannot be executed. The file kavremover9.exe is infected. Do you want to activate your antivirus software now?"
-I also tried downloading a program called "Malware bytes", i tried extracting it, but it wouldnt let me.
-Next thing i did was shutdown my computer, and running it in "Safe mode with networking". I tried downloading the programs, but after 5 mins, the computer shut off. I turned it back on, and tried running it in "Safe mode with networking", but the computer shut off again.
-Also, the virus keeps opening up an internet explorer window and these sites keep popping up "porno.org", and "viagra.com", and it wouldnt let me use internet explorer to go on any other websites besides those two.
-I kept googling, and came across a post in "gardenweb.com" that sort of sounded similar to that problem i have. A user named ravencajun, suggested to the topic starter: "that sounds like it could be one of the bad ones possibly vundo, let me suggest you go here and post in this area, ask Corrine for help tell her I sent you, she will assist you with this using some special programs. Be sure to say in your post that you are unable to get a hijack this log or run AV programs including online scans." and the problem was solved. But the topic starter never posted what solved his problem, so i came here, hoping that you'd help me.

-b1aze-

P.S i need to sleep, so for now, im going to leave my computer turned off until i wake up.

Corrine · « **Reply #1 on:** January 30, 2010, 01:05:15 PM »

Hi, -blaze-. Welcome to LandzDown Forum.

We will do our best to assist you. However, in order to do so, please follow all instructions provided in the sequence given. Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use. This may cause conflicts with the tools being used in the cleanup process.

If you have questions regarding any of the instructions or problems running any tools, please let us know.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.

Windows Vista and Windows 7 users need to right-click and choose Run as Admin.

You only need to get one of them to run, not all of them.

1. rkill.exe
2. rkill.com
3. rkill.scr
4. rkill.pif
5. WiNlOgOn.exe
6. uSeRiNiT.exe

Now try to install and run Malwarebytes with the following instructions:

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, be sure Quick scan is selected, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
Click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply as well as the information requested in Log Posting Instructions.

-blaze- · « **Reply #2 on:** January 30, 2010, 03:33:25 PM »

I downloaded all 6 of them, but none of them will work. It keeps saying that the file is "infected". And it wont let it run.

Eric the Red · « **Reply #3 on:** January 30, 2010, 03:37:37 PM »

What program is saying

Quote

It keeps saying that the file is "infected". And it wont let it run.

Is it the rogue Antivirus soft or another antivirus product on your computer (AVG, Norton, Kaspersky, etc)?

-blaze- · « **Reply #4 on:** January 30, 2010, 03:49:53 PM »

Its saying something almost similar for each.

For the 1st one it says: "Application cannot be executed. The file cmd.exe is infected. Do you want to activate software now?"
2nd one it says: "Application cannot be executed. The file pev.exe is infected, Do you want to activate antivirus software now?"
etc.

so its basicly saying: "Application cannot be executed. The file (file name) is infected. Do you want to activate software now?"

And i believe the name of the virus is called "Antivirus Soft"

Eric the Red · « **Reply #5 on:** January 30, 2010, 03:56:47 PM »

This has been happening a lot lately, the malware authors have got wise to rkill. I am going to go and do some digging to see if I can find an answer to this so you may get a reply from Corrine before you hear back from me.

Did you save the copies of rkill to your desktop? That is the best place to run them from.

-blaze- · « **Reply #6 on:** January 30, 2010, 04:11:30 PM »

Yes, I saved the copies to the desktop, and ran them from the desktop.

And another thing is:

Every 5-15 seconds, i get this message: "Application cannot be executed. The file hpzipm12.exe is infected. Do you want to activate your antivirus software now?"

Eric the Red · « **Reply #7 on:** January 30, 2010, 04:25:24 PM »

OK,

To save time I have copied the following text from our friends at bleepingcomputer.com

Quote

Please perform the following scan:

   * Download DDS by sUBs from one of the following links. Save it to your desktop.
   o DDS.scr
   o DDS.pif
   * Double click on the DDS icon, allow it to run.
   * A small box will open, with an explaination about the tool. No input is needed, the scan is running.
   * Notepad will open with the results.
   * Follow the instructions that pop up for posting the results.
   * Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Use the "Save As" option to save the two logs to your desktop and then post them as replies to this thread.

-blaze- · « **Reply #8 on:** January 30, 2010, 09:12:33 PM »

both DDS.scr and DDS.pif wont open. "Antivirus Soft (virus)" wont let me open them.

Paddy · « **Reply #9 on:** January 30, 2010, 09:56:26 PM »

Can you try this Please..

If Malwarebytes Anti-malware or any of your security programs won’t install, run or update, then you’ve probably got malware or the effects of malware on the computer (some types of malware will disable Malwarebytes Anti-malware and other security tools).

Malwarebytes Anti-malware or any of your security programs won`t install.

Fix 1: Before saving Malwarebytes Anti-malware or any of your security programs, rename them first.You clicked on a download link and a Save dialog opens. Change file name and click on Save. For example, before you save Malwarebytes Anti-malware, rename mbam-setup.exe to something like mapp.exe (or use any random name) and then click on Save and save it to your desktop. Double Click mapp.exe to install the application.

Fix 2: Change Malwarebytes Anti-malware or another security program installation file extension.
Turn on “show file extensions for known file types”.

1. Double-click on the My Computer icon.
2. Select the Tools menu and click Folder Options.
3. After the new window appears select the View tab.
4. Put a checkmark in the checkbox labeled Display the contents of system folders.
5. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
6. Press the Apply button and then the OK button.
7. Now your computer is configured to show file extensions for known file types.

Right-click on a installation file (the mbam-setup.exe file for Malwarebytes Anti-malware) and change the .exe extension to .bat, .com, .pif, or .scr. Press Enter and then double-click on it to run.

Paddy..

Corrine · « **Reply #10 on:** January 30, 2010, 10:11:30 PM »

Hi, -Blaze-.

Please give this a try:

Please download exeHelper to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

-blaze- · « **Reply #11 on:** January 30, 2010, 10:24:35 PM »

As soon as i double click on exeHelper.com, the black window comes up, but only for less than a second =/ and it does the same for notepad.exe

When i run the computer in safe mode, the virus doesnt seem to bother.

Corrine · « **Reply #12 on:** January 30, 2010, 10:41:20 PM »

First try the following. If unsuccessful, although MBAM works best in Normal Mode, try it in SafeMode.

Please download a randomized renamed mbam.exe version from here and do the following:

Place the renamed mbam.exe in the Program Files\Malwarebytes' Anti-Malware folder on the infected PC and launch the renamed file. Then malwarebytes should run.
Note: In some cases, it will be necessary to rename the randomly named mbam.exe to explorer.exe (for example, when you are also dealing with "Security Tool" or similar fake scanner. You should be able to bypass whatever is blocking it by renaming the program/ exe file you want to run, to explorer.exe).
Once the renamed mbam.exe runs, the first step is to click the update tab in order to download the latest updates. If the computer cannot connect to the Internet, download the latest MBAM update from here http://www.gt500.org/malwarebytes/database.jsp and transport it to the infected computer via USB or similar means. Then manually install the update.
Run a quick scan according to the the previously supplied instructions, allowing MBAM to remove what is found.
Shutdown/restart the computer.
Please let us know if y ou receive a "bad image error" when restarting the computer. This can be fixed by removing the appropriate O20 - AppInit_DLLs file.

Corrine · « **Reply #13 on:** January 31, 2010, 12:57:55 AM »

-blaze-,

You managed to get one of the newest rogues. I just saw that the Bleeping Computer tutorial was just published this afternoon. According to the tutorial, rkill should be able to run. Continue trying the instructions I provided but if unsuccessful or if you are using Internet Explorer, try the instructions at http://www.bleepingcomputer.com/virus-removal/remove-antivirus-soft and post the resulting MBAM log.

-blaze- · « **Reply #14 on:** January 31, 2010, 01:18:39 AM »

Corrine, i followed your directions in post #12.
It didnt work in normal mode, so i shutdown the computer manually. When i turned it back on, the computer started checking something, im unsure what it was. When it was done, i clicked f8 and ran it in safe mode with networking. Then i tried downloading malwarebytes, but the computer turned off. I turned it back on, and as soon as it was turning on, i clicked on exeHelper, here is what was in the exeHelperlog:

exeHelper by Raktor
exeHelper by Raktor
Build 20091220
exeHelper by Raktor
Build 20091220
Run at 18:23:46exeHelper by Raktor
Build 20091220
Run at 18:23:57 on exeHelper by Raktor
Build 20091220
Run at 20:55:50 on 01/30/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

After that, i noticed that there was no sign of the virus. So i went ahead and double clicked on malwarebytes, and it worked. I did a quick scan and now im following the directions you gave me in your 1st post.

LandzDown Forum

News:

Author Topic: I need your help Corrine. (Read 2346 times)

-blaze-

I need your help Corrine.

Corrine

Re: I need your help Corrine.

-blaze-

Re: I need your help Corrine.

Eric the Red

Re: I need your help Corrine.

-blaze-

Re: I need your help Corrine.

Eric the Red

Re: I need your help Corrine.

-blaze-

Re: I need your help Corrine.

Eric the Red

Re: I need your help Corrine.

-blaze-

Re: I need your help Corrine.

Paddy

Re: I need your help Corrine.

Corrine

Re: I need your help Corrine.

-blaze-

Re: I need your help Corrine.

Corrine

Re: I need your help Corrine.

Corrine

Re: I need your help Corrine.

-blaze-

Re: I need your help Corrine.