My computer has a virus that is refusing to die.

On Sunday, a virus appeared known as "Vista Anti Virus 2011", which I am sure you guys are aware of judging from the posts. After a while I managed to run Malwarebytes and the virus was seemingly destroyed. After that, however, my PC was all screwed up. The icons didn't work unless I right-clicked and pressed "Run as Administrator", and when I get into a browser and click website links, they lead me to a random advertisement site unless I manually type in the correct URL, which gets annoying after a while.

But the biggest problem of all is that system restore and pretty much all of my other PC programs don't work. Video games and the Internet work fine, but I was really hoping that now that I got rid of the virus, I would be able to access system restore, but to no avail. If I try to boot system restore up, it says "System restore is turned off" and it then gives me a link to turn it back on (I think the link led to "system"). The link was unclickable, however, so I manually find system, but guess what? System is not found, apparently. I even tried to run system restore from CMD, and CMD wasn't found. I rebooted the computer into Safe Mode with Command Prompt and the CMD was there after all. (So the programs are THERE but my computer keeps saying they aren't.) So I tried to run system restore from there... and it wasn't found.

Then the virus comes back, I destroy it with Malwarebytes, it came back again later under different names like "Vista Home Security."

Can anyone please help me? I have no idea if the Malwarebytes destroyed my computer or if the Virus did. Even though the virus prevented me from running the programs, they were still able to open before I used Malwarebytes.

Last two logs (First one is more recent):

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 6282

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

4/6/2011 7:25:16 PM

mbam-log-2011-04-06 (19-25-16).txt

Scan type: Full scan (C:\|)

Objects scanned: 243523

Time elapsed: 2 hour(s), 3 minute(s), 47 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

c:\Users\user\AppData\Local\quk.exe (Trojan.Agent) -> 6020 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\user\AppData\Local\quk.exe (Trojan.Agent) -> Quarantined and deleted successfully.

SECOND LOG

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 6282

Windows 6.0.6001 Service Pack 1 (Safe Mode)

Internet Explorer 7.0.6001.18000

4/6/2011 4:25:20 PM

mbam-log-2011-04-06 (16-25-20).txt

Scan type: Quick scan

Objects scanned: 211945

Time elapsed: 13 minute(s), 20 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

c:\Users\user\AppData\Local\sdf.exe (Trojan.Agent) -> 1248 -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\IKXGVMFZHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Q8PS7ZCLN6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Whabivanomozo (Trojan.Agent.U) -> Value: Whabivanomozo -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\user\AppData\Local\tvi.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\user\AppData\Local\tvi.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\user\AppData\Local\tvi.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\user\AppData\Local\sdf.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\user\local settings\sdf.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\user\local settings\application data\sdf.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Windows\Jgocya.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

c:\Users\user\AppData\Roaming\microsoft\Windows\start menu\spyware protection.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Users\user\AppData\Roaming\microsoft\Windows\start menu\spyware protection .lnk (Malware.Trace) -> Quarantined and deleted successfully.

c:\Users\user\AppData\Roaming\microsoft\Windows\start menu\spyware protection .lnk (Malware.Trace) -> Quarantined and deleted successfully.

c:\Users\user\AppData\Local\ukihuxewo.dll (Trojan.Agent.U) -> Quarantined and deleted successfully.


  • Staff

Hi and welcome to Malwarebytes.

Looks like you're still heavily infected.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post DDS.txt directly into your reply.

I am unable to update seeing as it requires me to install a new file and my PC won't let me do that, nor will downloading the DDS work, but I scanned it and here is the log:

Malwarebytes' Anti-Malware 1.50

www.malwarebytes.org

Database version: 6305

Windows 6.0.6001 Service Pack 1

Internet Explorer 7.0.6001.18000

4/7/2011 6:38:32 PM

mbam-log-2011-04-07 (18-38-32).txt

Scan type: Quick scan

Objects scanned: 214297

Time elapsed: 23 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 4

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\IKXGVMFZHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Q8PS7ZCLN6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rbifuvupoqoxevu (Trojan.Agent.U) -> Value: Rbifuvupoqoxevu -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IKXGVMFZHI (Trojan.FakeAlert) -> Value: IKXGVMFZHI -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Whabivanomozo (Trojan.Agent.U) -> Value: Whabivanomozo -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\user\AppData\Local\tvi.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\user\AppData\Local\tvi.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\user\AppData\Local\tvi.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\System32\usbuib.dll (Heuristics.Shuriken) -> Quarantined and deleted successfully.

c:\Users\user\AppData\Local\Temp\0.13520466118561936.exe (Trojan.Agent) -> Quarantined and deleted successfully.

c:\Users\user\AppData\Local\Temp\0.3328110843756691.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.

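Several entries that the 4/6 Safe Mode scan reported as "Quarantined and deleted successfully" appear again in the 4/7 scan. The sketch below is an added example, not part of the original thread or of Malwarebytes' tooling: it parses the MBAM 1.50 detection lines shown above and lists items that recur after a reported removal, run here over a few lines excerpted from those two logs. The function names and the persistence labels are assumptions of this example.

```python
import re

# MBAM 1.50 detection line: "<item> (<Detection.Name>) -> [details ->] <action>."
LINE = re.compile(r"^(?P<item>.+?) \((?P<name>\w+(?:\.\w+)+)\) -> (?P<rest>.+)$")
# Labels are this example's own grouping of the locations seen in the logs.
PERSISTENCE = [
    (r"\\currentversion\\run\\", "Run key autostart"),
    (r"^hkey_classes_root\\\.exe\\shell\\open\\command", ".exe file association"),
    (r"\\clients\\startmenuinternet\\", "browser launch command"),
    (r"^c:\\windows\\tasks\\.*\.job$", "scheduled task"),
]

def parse_detections(log_text):
    """Return {lowercased item: (detection name, final action)} for one log."""
    found = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            action = m["rest"].rsplit(" -> ", 1)[-1].rstrip(".")
            found[m["item"].lower()] = (m["name"], action)
    return found

def classify(item):
    return next((label for pat, label in PERSISTENCE if re.search(pat, item)), "other")

def recurring(earlier, later):
    """Items the earlier scan reported as deleted that the later scan found again."""
    old, new = parse_detections(earlier), parse_detections(later)
    hits = sorted(i for i, (_, act) in old.items()
                  if "deleted successfully" in act and i in new)
    return [(i, classify(i)) for i in hits]

# Excerpts from the 4/6 (16-25-20) and 4/7 (18-38-32) logs posted in this thread.
SCAN_APR6 = r"""HKEY_CURRENT_USER\SOFTWARE\IKXGVMFZHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Whabivanomozo (Trojan.Agent.U) -> Value: Whabivanomozo -> Quarantined and deleted successfully.
c:\Windows\Jgocya.exe (Trojan.Downloader) -> Quarantined and deleted successfully."""
SCAN_APR7 = r"""HKEY_CURRENT_USER\SOFTWARE\IKXGVMFZHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Whabivanomozo (Trojan.Agent.U) -> Value: Whabivanomozo -> Quarantined and deleted successfully.
c:\Windows\System32\usbuib.dll (Heuristics.Shuriken) -> Quarantined and deleted successfully."""

if __name__ == "__main__":
    for item, kind in recurring(SCAN_APR6, SCAN_APR7):
        print(f"{kind:24} {item}")
```

An item that recurs after a reported deletion means something still running on the machine is rewriting it, so the later scan's "deleted successfully" cannot be read as a clean result.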

bump


  • Staff

Hi,

My apologies for the delay, but every time you bumped your topic, you went to the bottom of my reply list. Please refrain from bumping and I will get to your topic when I can.

Can you update in Safe Mode with Networking?

Your version of MBAM is out of date. If you rename it to iexplore.com in Safe Mode, can you update it?

If no joy, these are links to Anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

After that, try updating MBAM and running DDS again.
