Help with a virus

savagegreywolf

Jul 10, 2009
I'm having trouble with an incredibly persistent virus on my wife's computer. The virus is a fake AV, is very aggressive and will not let you launch nearly any countermeasure, including rkill, unless you launch rkill before the system is done loading. I've run Malwarebytes, HijackThis (with a log analyzer), and Avast! several times upon the computer over the last few weeks and it keeps returning. I need to get this taken care of first, and then I guess I'll be going over computer security with her. Again. After I have the system clean. Again.

This is the log from rkill:

Processes terminated by Rkill or while it was running:

C:\WINDOWS\system32\userinit.exe
C:\Program Files\Brother\ControlCenter3\brctrcen.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\cxbrkrjao\fpggjultssd.exe
C:\Documents and Settings\Mel\Desktop\pwn nubs\rkill.com
C:\Documents and Settings\Mel\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Alwil Software\Avast5\defs\10070301\Sf.bin

Rkill completed on 07/04/2010 at 7:41:37.

After running rkill, I launched HijackThis, and have pastebinned the log in case anyone wishes to peruse it.
http://hijackthis.pastebin.com/iCihHZ8T

After this I will run Malwarebytes in an attempt to clear the system. I've done all this before and -thought- I had fixed it, but the virus keeps returning. Any help with this would be greatly appreciated.
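One way to triage an rkill log like the one above, as an added example that is not part of the original post: it flags terminated processes that run from user-writable profile folders, from a service account's profile, or under random-looking names (the pattern of the cxbrkrjao\fpggjultssd.exe entry). The folder lists and the name-entropy thresholds are assumptions; the log text is the one posted.

```python
import re

# Rkill output copied from the post above (only the process list is used).
RKILL_LOG = """Processes terminated by Rkill or while it was running:

C:\\WINDOWS\\system32\\userinit.exe
C:\\Program Files\\Brother\\ControlCenter3\\brctrcen.exe
C:\\Documents and Settings\\NetworkService\\Local Settings\\Application Data\\cxbrkrjao\\fpggjultssd.exe
C:\\Documents and Settings\\Mel\\Desktop\\pwn nubs\\rkill.com
C:\\Documents and Settings\\Mel\\Application Data\\Smilebox\\SmileboxTray.exe
C:\\Program Files\\LimeWire\\LimeWire.exe
C:\\Program Files\\Alwil Software\\Avast5\\defs\\10070301\\Sf.bin

Rkill completed on 07/04/2010 at 7:41:37.
"""

# Profile folders a limited user can write to (XP-era names as in the log); assumed list.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")
# Built-in service accounts whose profiles should never be launching programs; assumed list.
SERVICE_PROFILES = ("networkservice", "localservice")


def looks_random(name):
    """Letters-only name with few vowels or a long consonant run; thresholds are assumed."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 7:
        return False
    vowel_ratio = sum(c in "aeiouy" for c in letters) / len(letters)
    longest_run = max(len(run) for run in re.split(r"[aeiouy]", letters))
    return vowel_ratio < 0.25 or longest_run >= 5


def triage(log_text):
    """Return {path: [reasons]} for each terminated process that deserves a closer look."""
    findings = {}
    for line in log_text.splitlines():
        path = line.strip()
        if not re.match(r"[a-z]:\\", path, re.I):
            continue  # banner and footer lines are not paths
        low, parts = path.lower(), path.split("\\")
        reasons = []
        if any(folder in low for folder in USER_WRITABLE):
            reasons.append("runs from a user-writable profile folder")
        if len(parts) > 2 and parts[1].lower() == "documents and settings" and parts[2].lower() in SERVICE_PROFILES:
            reasons.append("lives in a service-account profile")
        if reasons and any(looks_random(p) for p in parts[-2:]):
            reasons.append("random-looking folder or file name")
        if reasons:
            findings[path] = reasons
    return findings
```

Running `triage(RKILL_LOG)` singles out the NetworkService entry on all three counts and the Smilebox tray only for its location, which is the kind of separation that tells you which path to hand to the boot-time scan.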
 
Solution


Are you actually using a proxy server? You really ought to cut down that StartUp list, especially Limewire. ComboFix will probably help, but it's important to read up on it first, so if you haven't tried it yet, go to Kaspersky's site and download TDSSKiller first. If that doesn't find anything, it won't do any harm.

 

50crckt51

Feb 16, 2008
Have you used the boot scan option set at the highest heuristic setting in Avast? I have beaten FakeAV in this fashion before. ComboFix definitely will work, but it is an advanced user tool. To find info on it go to www.bleepingcomputer.com
 
The problem really is that none of the above-mentioned security systems prevents unauthorized connections to your computer from the internet.
You clean it out (all of them do that) and it comes back because of the unauthorized connections. The free systems do not prevent this from occurring; none of them do.
The only two that really prevent this to my understanding are Norton 360 and Panda Internet security. They both block incoming connections all day every day. Instead of neutralizing the infection after it occurs, or relying on manual updates and manual scans, it blocks the intrusion, and updates automatically to start with. That is the difference, and it's a major difference.
This is probably why these two systems are the most widely used, and most highly rated, world wide.
The investment of $20 a year to install a much better system is more than worth it.
 

saran008

Boot into Safe Mode before doing a full system scan with Malwarebytes & remove the threats found.

After things are ok, install the following 3 free programs & keep them always updated. Together they form a free, complete security suite for your system!
1. Avira AntiVir - http://www.free-av.com/en/download/index.html
Avira is the best & lightest solution for excellent overall system protection & internet security with real-time updates.

2. Malwarebytes - http://www.malwarebytes.org/
Malwarebytes is one of the best & most effective antimalware tools out there.

3. CCleaner - http://www.piriform.com/ccleaner/download
CCleaner is a system optimization, privacy and cleaning tool with an efficient & most useful registry cleaner.

The Best Security & System Optimization combo for all types of systems.
 


Man we get about 10-20 of these a week at work. Pretty easy to fix though. Here is what we do:

First of all, you need to boot into Safe Mode. If you don't know how, it's easy. Just turn the PC on and when it starts keep tapping F8. It should load a screen with white text. Select "Safe Mode with Networking". That allows you to have internet while also only loading the basic drivers.

Once you are at that part follow these steps:

1. Update Avast. Now depending on which one you have, this will be easy or hard. If you have Avast version 4.8, you click the eject-looking button after updating, then select "Schedule Boot Time Scan" (this can only be done if you have a 32-bit OS, though, so if not then just have it scan). A menu will pop up. You want to tell it to do a thorough scan and to delete whatever it finds. That's the easy one because you let it run and it won't bother you at all. If you have version 5.0, you go to Scans and schedule the boot time scan, but it won't be able to delete anything unless you ok it while it scans. This scan basically loads before Windows and scans for viruses before anything can load. Now before you restart the PC go to step 2.

2. Download and update Super Anti-Spyware (aka SAS). Then set it to run.

3. Update Malwarebytes (aka MB) until it shows the date of at least 7/16/2010 for the definitions. Set it to run while Super Anti-Spyware is running.

4. Once MB and SAS have finished, remove anything they find and then restart the PC.

5. Let Avast do its thing. Once it's done it should restart and boot into Windows.

And voilà. You should be fake AV free.

I do suggest getting a better AV though. Avast is great for the boot time scan but it's not the best for real time. We normally suggest Avira at work but I also like Microsoft Security Essentials.

Try ComboFix and get rid of crappy Avast.

ComboFix will not fix it. The only way I have been able to fully remove that virus is by using Avast's boot time scan. While their real time scanner is meh and it's a resource hog, their boot time scan is great.
 
Solution


I'm with Grumps on this one - I've used ComboFix on this type of threat three times in the last week and it worked every time. MBAM had run quick and full scans and cleared some threats, but it was only after ComboFix had removed the rootkits (GMER and TDSSKiller having found none) that I rescanned with MBAM, which then found more and removed them. CF is a specialist tool, though, and anyone thinking of using it should study the tutorials on BleepingComputer's site and only download CF from there.

Finally, I edit the key HKey_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Internet Settings>ProxyEnable by changing zero to one in the vague hope it will prevent these things getting in again, but I've yet to prove that's effective. All I can say is I haven't had to revisit any of the dozen or so systems I've fixed in this manner - yet! :D