
'System Security' Malware



I believe I've tried all the previously suggested 'cures' on this site.

In fact, no .exe files will run - the malware pops up a message saying that the .exe is infected.

I can't even open a .txt file to write this in - having lost it 3 times already with a blue-screen shutdown!

I'm getting the blue-screen about once every 5-6 minutes.

I can't open Task Manager to kill the process, nor Process Explorer (same .exe problem).

I can't even run anything from the cmd box, so can't get at the registry or msconfig.

It seems to have killed my anti-virus software (PCTools - in fact it's disappeared altogether) - and shuts down the firewall soon after booting up.

It also seems to have disabled Windows Safe Mode (!) - on pressing F8 on boot-up, it either just does nothing or, as has happened a couple of times, blue-screens.

Oh, it's also installed its own desktop wallpaper, red print on a black background, claiming "YOUR'RE (sic) IN DANGER" etc.

My browser also seems to have stopped displaying GIFs or JPEGs and I'm having a terrible time finding the 'post' button on here (which is why I've lost all this info 4 times now!).

It is continually popping up with "you have 38 infections and are in danger - update your Windows Security Software now" before directing me to their generous offer - "only $49.95, please enter your credit card details."

Yeah right.

I'm at my wits' end here, seriously considering a HDD format.

:-(

Alzinho


  • Root Admin

Okay, please see if you can download and run Dr Web. Try renaming it if you have to, and in Safe Mode if you have to.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet.
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab; I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though).
  • On the File types tab ensure you select All files.
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave Prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High.
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus logo you will see 3 little buttons. Click the left VCR-style Start button.
  • In this mode it will scan boot sectors of all disks, all removable media, and all local drives.
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured (in this case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new HijackThis log.


With all due respect Ron, before even trying this I know it's not going to work.

drweb-cureit.exe is an .exe file - and even if I rename it, it's still not going to run.

And as mentioned in my first post, Safe Mode is not an option.

:-/


  • Root Admin

Well if there is no way to run or rename and make it work then you're going to need to use an Alternate method.

Using a friend's computer or work computer please download and burn this and then run it on your system.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here.
  • Place a blank CD in your burner and double-click on the downloaded file named rescuecd.exe.
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner.
  • Click on Start scanner at the bottom of the screen.
  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings.

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post here if you're unable to view the entire screen of Avira.
  2. You can also review this one: Fixed Rescue CD Resolution Probs with Dell Video
  3. Currently only the German keyboard is supported (Command Line not working); English keyboards require workarounds.
  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go into the BIOS and disable the floppy drive in order to mount your hard drive for scanning.


Made a copy of the bootable Avira AntiVir rescuecd.

Brought it home and ran it.

Watched it for an hour as it found the following:

alerts: 27

suspicious: 0

repaired: 0

deleted: 0

renamed: 25

quarantined: 0

warnings: 1

What it found:

Trojan TR/Crypt.XPACK.Gen

Trojan TR/Crpt.FKM.Gen

Trojan TR/VB.njy.1.A

HTML Script virus HTML/Shellcode.Gen

Exploits EXP/PDF.16462

Program SPR/Tool.Reboot.F

x1 file too big to scan completely.

Rebooted normally......NO CHANGE!

Aaaaaargh!


No.

I have a laptop that came with XP pre-installed.

I have my system recovery discs and had to use them several months ago after a HDD crash resulted in having to install a new HDD - so I know they work. And having done a data back-up only about a week ago I'm OK with formatting the HDD and installing from scratch.

I'm only now pursuing this because I want to see this nonsense beaten, but it feels like we're running out of options...?


  • Root Admin

See if you can find a file named BLOCKER.DLL and if possible try to rename it; if so, immediately reboot the box and try to run an AV or Anti-Malware scanner.

If you can't get in at a boot level with something like an XP CD, and without knowing specifically which variant of this piece of junk is on the box, it's hard to stop it in normal mode.

You can try renaming MBAM.EXE to stuff like svchost.exe or explorer.exe and see if it will run and scan or not.

Otherwise you need some boot CD that can access the NTFS folder and remove some startup stuff.

You might be able to download and burn a bootable CD

www.ultimatebootcd.com

http://www.hiren.info/pages/bootcd

http://lifehacker.com/192982/geek-to-live-...-with-a-boot-cd

See if you can use one of these methods to get to the file system and remove stuff. If so then let me know and we can look at what might be running on your box that we can remove and then scan with other tools in normal mode.


No file called BLOCKER.DLL.

I don't have the MBAM.EXE - nor any of the other suggested virus/malware .exes - they all start with e.g. MBAM_SETUP.EXE and cannot be run as such. Some of them will run when their name (e.g. STOPzilla_setup.exe or DrWeb_setup.exe) is changed to EXPLORER.EXE but are then thwarted as soon as they call on the actual 'VIRUSCHECKER'.EXE.

Nothing, nada, zip that has anything to do with Malwarebytes will run, no matter what it's renamed.

Will try and beg, steal or borrow a bootable XP disc next.


There's about a 5 second 'window of opportunity' after booting up before the malware process kicks in.

I can even open Task Manager briefly and have tried watching the processes as they kick in to see if I can recognize the rogue one with my finger hovering over the 'End Process' button. But it all happens too quickly and unfortunately there isn't a process called 'barstardMalware.exe' or anything equally obvious.


  • Root Admin

Please take a look at the following posts and see if they help you to resolve this or not. Otherwise we'll need either a Windows XP disk to boot to or a Linux boot CD that can access NTFS.

Potential Malware infection issues to review to get MBAM running

All of those tried and not feasible because of the impossibility of running .exe files.

Unfortunately I've found it IMPOSSIBLE to locate a legitimate Windows XP disc here - I live in the arse-end of nowhere in the jungle of northern Argentina and nobody owns anything legitimate. I'm at my wits' end and on the verge of formatting my HDD.

In fact I've had enough and I'm definitely going to format my HDD.

I may still have a problem with this malware though.

Unfortunately I was transferring files to my backup external HDD when this thing struck - do you think it's possible that the malware could now be present on there and that I'll be endangering my laptop again by reconnecting it?

If so, what can I do to stop it? (The only reason I'm going ahead with this HDD format is because I've got most of my data on that backup drive.)

Thanks in advance.


  • Root Admin

Yes, it's possible for it to infect an external USB drive. As long as it's not something like the VIRUT virus, though, it typically does not infect your data.

The most common thing is they're trying to trick users into buying their bogus software, not destroy your system.

Normally if you had Virut then the other programs would probably still run, but they wouldn't help much due to the severity of the program's corruption of your system.

Well I think you now see the need for some Boot CD with tools on it or even buying an OEM XP CD for about $150 so that you'll always have a means to correct issues such as this.

So, can't promise that your data was not infected and the only way to check would be to use a working system to scan it with.


OK, thanks Ron.

Shame I lost patience and we never actually found out how to beat this obviously 'new and improved version' of this thing, but I need my laptop working.

I guess you can close this thread.

Hopefully I won't need to come back here once I've obliterated my HDD and gone 5 years back in time to my laptop's original build.

The first thing I'll be getting before starting the long and painful re-install will be MBAM!


  • Root Admin

Well one of the very first things is to get XP SP3 installed and Anti-Virus so that nothing new tries to get on and DO NOT go to any other sites except for Microsoft for updates if you can help it. Avira is a really good Free Anti-Virus.

The paid version of Malwarebytes does offer real time protection and comes with a life time update policy for home users.


Thanks Ron.

XP SP3 installed - check.

Avira anti-virus installed and run - check.

Malwarebytes installed and run - check.

External HDD installed and inspected - check.

5 years worth of programmes and data - to be re-installed!

I'm finding it difficult to buy the 'full' version of Malwarebytes as I don't have a credit or debit card, but am looking to try and get some cash into a PayPal account - if successful I reckon it'll be worth it.


  • Root Admin

Great, glad to hear your data on the external drive was okay. Though we did not have the opportunity to clean your system, let me provide a canned message that we would normally provide when completed. This is just information to review and you do not have to use everything on it, but it might help prevent you from getting into this situation again.

If you use Firefox I would highly suggest using both NoScript and AdBlock Plus as these two plugins can also stop a lot of the drive by attacks.

Great, all looks good now.

I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN and type in %SystemRoot%\system32\restore\rstrui.exe and click OK.
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available, remove it also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here

Find the tutorial on how to use SpyWare Blaster here

Install WinPatrol

Download it from here

You can find information about how WinPatrol works here

Install FireTrust SiteHound

You can find information and download it from here

Install hpHosts

Download it from here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

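The hosts-file blocking mechanism behind the hpHosts recommendation above, as an added example that is not part of this thread and not code from the hpHosts project: Windows consults the local hosts file before it asks DNS, so a line mapping a hostname to 127.0.0.1 (or to the unroutable 0.0.0.0) means the browser never reaches the real server. The parser below applies the hosts-file rules (comments, blank lines, several hostnames per line, case-insensitive names) and reports which names a given file would block. The sample hosts content and every hostname in it are constructed placeholders, not real blocklist entries; the function names are this example's own.

```python
from typing import Dict, List, Optional

# On Windows XP the live file is %SystemRoot%\system32\drivers\etc\hosts.
# This constructed sample stands in for it so the example runs offline.
# The blocklist hostnames below are placeholders (.test / .invalid), NOT real sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost

# --- constructed blocklist section, in the style hpHosts uses ---
127.0.0.1  ads.example-tracker.test  www.ads.example-tracker.test   # ad network
127.0.0.1  malware-dropper.example.invalid                            # malicious host
0.0.0.0    telemetry.example.test
"""

# Addresses a hosts-based blocklist points names at: the local machine, or nowhere.
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into a {hostname: address} table.

    Rules mirrored from the hosts format: '#' starts a comment anywhere on a line,
    blank lines are skipped, the first field is an address and every remaining
    field is a hostname mapped to it. Hostnames are case-insensitive, so they
    are stored lowercased. The first entry for a name is kept.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding space
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # address with no hostname: malformed, skip
        address, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def lookup(table: Dict[str, str], hostname: str) -> Optional[str]:
    """Address the hosts file supplies for hostname, or None if DNS would be asked."""
    return table.get(hostname.lower())


def is_blocked(table: Dict[str, str], hostname: str) -> bool:
    """True when the hosts file sinks the name into a blackhole address.

    'localhost' legitimately maps to 127.0.0.1 and is not a blocklist entry.
    """
    if hostname.lower() == "localhost":
        return False
    return lookup(table, hostname) in BLACKHOLE_ADDRESSES


def blocked_names(table: Dict[str, str]) -> List[str]:
    """Sorted list of every hostname the file blackholes (excluding localhost)."""
    return sorted(name for name, addr in table.items()
                  if addr in BLACKHOLE_ADDRESSES and name != "localhost")


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.test", "Malware-Dropper.example.invalid",
                 "www.malwarebytes.org"):
        target = lookup(hosts, name)
        verdict = "BLOCKED (sent to %s)" % target if is_blocked(hosts, name) \
            else "not in hosts, normal DNS lookup"
        print("%-36s %s" % (name, verdict))
    print("blocklist entries:", blocked_names(hosts))
```

The same parser reads a real hosts file (open the path in the comment and pass its contents to parse_hosts), which is a quick way to review what a downloaded blocklist will actually do before installing it, and to spot a hosts file that malware has edited to point update or security-vendor hostnames somewhere other than a blackhole address.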
