MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Computer Support Forums > Internet & Network Support > Security & Viruses > Topic: Reaaly Bad Virus
Author Topic: Reaaly Bad Virus  (Read 3295 times)
ricj7
« on: April 02, 2011, 07:10:47 PM »

Today while watching a sports event on the internet I was hit by a virus called 'XP Total Security 2011'.  It shut out my Firefox browser and when I tried to reopen it there would be no response.  I tried IE, Opera and Chrome, which I had installed as backups, but no luck.  Clicking on these shows the hourglass for 4-5 seconds and then nothing.  After some time the virus box loads up and starts its scan process.  Worst is I cannot even start the Malware, Spyware, Registry Mechanic or even a WinAmp player or MS Excel or any program for that matter.

I went to Control Panel and tried to click on Add/Remove Programs or other folders but no response at all.  I tried downloading the TrendMicro HouseCall; the download occurs but I cannot open it to run from the download items box.  In fact the 'Open' or 'Open from folder' options are not highlighted so I cannot click on them to get any response.

On the other hand, I had saved a Firefox web page on my desktop and when I click on it, I can open Firefox and browse the internet.  But that is the only good point.  I need to get this virus out as no other program on the computer is accessible.

I tried System Restore but no response.  All along this virus pops up really scary messages like 'system hacked', 'files being corrupted' etc.  I know they are just trying to get me to sign up so basically I just close these boxes.

I would really appreciate any help-related inputs from the forum members.   Cheers!
« Last Edit: April 02, 2011, 07:14:35 PM by ricj7 »
Pancake (Global Moderator)
« Reply #1 on: April 03, 2011, 10:38:19 PM »

Hi
This will fix it.

Please download Malwarebytes' Anti-Malware from one of these places:

Majorgeeks or Besttechie

Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Do so.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply.

===============================================

Download Combofix from Bleepingcomputer or Geekstogo and place it on your Desktop.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Combofix may be slow to start and appear to be doing nothing before it starts scanning. Just leave it, it will start.

You can get help on disabling your protection programs here: http://www.bleepingcomputer.com/forums/topic114351.html

Please include the C:\ComboFix.txt in your next reply for further review.

Caution.....
Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper.
ricj7
« Reply #2 on: April 07, 2011, 03:16:42 AM »

Pancake,

I already have the Malwarebytes program but cannot run it.  If I download any program then I cannot open it from the download box.  Any tool to open these programs from some other place?  I tried going to browser, File, Open but that does not open the Malwarebytes program.  By the way, the Registry Mechanic program came up on its own and I ran the scan; it threw out a few 'repair' type files but this virus, which shows as cfi.exe in the Task Manager, still remains.

Look forward to further inputs.  Cheers!
Pancake (Global Moderator)
« Reply #3 on: April 07, 2011, 03:31:10 AM »

Download and run RKill from any of these links:

Link 1 Link 2 Link 3 Link 4

Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
Once the tool has run, do NOT reboot the machine, and then try to run Malwarebytes and Combofix again.
ricj7
« Reply #4 on: April 07, 2011, 03:47:26 AM »

Rkill ran for about one minute and gave the report below. No relief from the virus; tried to run Malwarebytes but no response.
===============================================
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/06/2011 at 23:42:45.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



 --- ATTENTION ---

Windows was configured to use a proxy! Proxy settings have been removed.

The Proxy Server that was configured is: http=127.0.0.1:55152

If this was a valid setting, please double-click on the rk-proxy.reg file on your desktop and allow the data to be merged to restore your proxy settings.


Rkill completed on 04/06/2011 at 23:42:52.
Pancake (Global Moderator)
« Reply #5 on: April 07, 2011, 06:37:15 AM »

Can you run Combofix or Malwarebytes in safe mode? If so, do that.
ricj7
« Reply #6 on: April 08, 2011, 12:42:22 AM »

Pancake,

Last night after running Rkill and posting its report on the forum, I shut the computer down like every day.  However, today after starting it up I did not encounter any virus opening and starting to scan by itself.  I was also able to open Firefox, Opera and Malwarebytes.  It seems Rkill actually worked and took the virus out of the system.  Below is the report from Malwarebytes; it found 3 objects, which were removed.  I will restart the computer again and hope the system stays free of the virus.

THANKS SOOOOOO VERY MUCH FOR YOUR HELP!

Malwarebytes' Anti-Malware 1.44
Database version: 3581
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/7/2011 8:35:25 PM
mbam-log-2011-04-07 (20-35-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 162053
Time elapsed: 36 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
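The two logs posted above (the Rkill log in Reply #4 and the Malwarebytes log in Reply #6) each record a separate tampering indicator: a WinINET proxy pointed at 127.0.0.1:55152, which means every HTTP request from the browser was being relayed through a process on the local machine, and three Security Center *DisableNotify values set to 1, which silence the Windows warnings that anti-virus, the firewall or Automatic Updates are off. The script below is an added example, not code from Rkill, Malwarebytes or any poster in this thread; it parses both log formats and flags those indicators. The sample log text is constructed from the excerpts in this thread, and the loopback/notification rules are the author's assumptions about what counts as suspicious, not anything the tools themselves report.

```python
"""Pull the two evasion indicators that appear in this thread's logs out of
Rkill and Malwarebytes output: a proxy pointed at the local machine and
Windows Security Center notification suppression.

Added example, not code from Rkill, Malwarebytes or the forum.  The log
text below is constructed from the excerpts posted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Rkill reports a removed WinINET proxy on a single line of its log.
PROXY_RE = re.compile(r"The Proxy Server that was configured is:\s*(?P<spec>\S+)")

# Malwarebytes reports a Security Center tamper as a "Registry Data Item"
# with the bad and good values in parentheses.
SC_RE = re.compile(
    r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\"
    r"(?P<value>\w+DisableNotify)\b.*?Bad:\s*\((?P<bad>\d+)\)\s*Good:\s*\((?P<good>\d+)\)"
)

ProxyEntry = Tuple[str, str, Optional[int]]  # (scheme, host, port)


@dataclass
class Findings:
    proxies: List[ProxyEntry] = field(default_factory=list)
    loopback_proxy: bool = False
    suppressed_notifications: List[str] = field(default_factory=list)


def parse_proxy_spec(spec: str) -> List[ProxyEntry]:
    """Split a WinINET ProxyServer value into (scheme, host, port) tuples.

    The value is either 'host:port' (applies to every scheme) or a
    ';'-separated list of 'scheme=host:port' entries.
    """
    entries: List[ProxyEntry] = []
    for part in spec.split(";"):
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:                      # bare host:port, no scheme prefix
            scheme, hostport = "*", part
        host, sep, port = hostport.rpartition(":")
        if not sep:                      # no port given
            host, port = hostport, ""
        entries.append((scheme, host, int(port) if port.isdigit() else None))
    return entries


def is_loopback(host: str) -> bool:
    """True for any address that sends traffic back into the same machine."""
    return host.lower() == "localhost" or host.startswith("127.") or host == "::1"


def analyze(log_text: str) -> Findings:
    """Scan concatenated tool logs and collect the indicators."""
    f = Findings()
    for m in PROXY_RE.finditer(log_text):
        for entry in parse_proxy_spec(m.group("spec")):
            f.proxies.append(entry)
            if is_loopback(entry[1]):
                f.loopback_proxy = True
    for m in SC_RE.finditer(log_text):
        # A value of 1 tells Security Center not to warn the user that
        # AV, the firewall or Automatic Updates are off.
        if m.group("bad") == "1":
            f.suppressed_notifications.append(m.group("value"))
    return f


# Constructed from the Rkill and Malwarebytes excerpts posted in this thread.
SAMPLE_LOG = r"""
Windows was configured to use a proxy! Proxy settings have been removed.
The Proxy Server that was configured is: http=127.0.0.1:55152
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for scheme, host, port in result.proxies:
        note = "LOOPBACK: browser traffic was relayed through a local process" if is_loopback(host) else ""
        print(f"proxy {scheme} -> {host}:{port} {note}")
    for name in result.suppressed_notifications:
        print(f"Security Center warning suppressed: {name}")
```

Paste both logs into one string and call analyze() on it. A proxy on a loopback address with a high ephemeral port is almost never something the user set themselves, so treat the rk-proxy.reg file Rkill leaves on the desktop as something to delete rather than merge unless a real local proxy (a corporate filter, a debugging proxy) is known to be in use.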
ricj7
« Reply #7 on: April 08, 2011, 12:49:37 AM »

Just restarted the computer and it seems the clean-up done by Rkill is effective.  Thanks again!
Pancake (Global Moderator)
« Reply #8 on: April 08, 2011, 01:10:11 AM »

OK. But just to be on the safe side, run Combofix and post the log so we can be sure it's all clean.
ricj7
« Reply #9 on: April 08, 2011, 04:13:09 AM »

Just ran another scan from my internet provider; the report is below. It removed 3 more trojans.  Will run Combofix tomorrow and hope to be on the right side of system health.

================================================================

Folders and files selected to scan
C:\

Results
Master Boot Records and Fixed Disk Boot Sectors
Scanned 1 Master Boot Record(s).
Your Master Boot Record(s)/Boot Sector(s) are not infected.
Memory
Scanned: 602 item(s)
Infected files on Local Disk (C:)
Scanned: 55228 item(s)
File: C:\Documents and Settings\Dell_User\Local Settings\Application Data\siv.exe
Action: This file could not be disinfected. It was quarantined instead.
Virus: Trojan.Generic.KD.176358
File: C:\System Volume Information\_restore{6F90F94C-3CC4-4CB9-94BA-22318320EEBC}\RP254\A0053235.exe
Action: This file could not be disinfected. It was quarantined instead.
Virus: Trojan.Generic.KD.176358
File: C:\System Volume Information\_restore{6F90F94C-3CC4-4CB9-94BA-22318320EEBC}\RP254\A0053291.exe
Action: This file could not be disinfected. It was quarantined instead.
Virus: Trojan.Generic.KD.176358

Startup programs
Scanned: 187 item(s)
Rootkits
Found: 0 item(s)
Cookies
Scanned: 17 item(s)
ricj7
« Reply #10 on: April 10, 2011, 10:53:46 PM »

Tried to run Combofix; downloaded it and got as far as the blue box where it says 'scanning for infected files, can take more than 10 minutes for really infected machines'.  After that nothing happens, no scan-in-progress type meter running.  Rebooted the computer to get going again, tried twice but same results, ending in a freeze of the mouse etc.

Did run the Nortel free pack and McAfee, and both gave one virus each, which were deleted.  No problems with the virus that started this thread, at least so far.

Might get Kaspersky Anti-Virus from a source and will post the log if it gives one.  Thanks again!
Pancake (Global Moderator)
« Reply #11 on: April 10, 2011, 11:25:50 PM »

Run Combofix in safe mode. It will not run in normal mode with McAfee installed.