
[dupe]Worst Malware Infection EVER! seriously, it's that bad

Post by eclare82 » October 26th, 2010, 12:50 pm

Hi all, I'm new to this board. I found it because I thought I was pretty good with malware/virus removals, but this one has absolutely exhausted me....

It installed a standard obnoxious UI ("System infected with 10 million viruses", etc.); it also installed "Antivirus 2010" in the Start menu.

Got rid of the front-end portion, no problem: found the executable it was running out of and all the registry keys for it in the obvious places ('HKLM\software\microsoft\windows\currentversion\Run', 'HKLM\software\microsoft\windowsNT\currentversion\winlogon'), and it has not altered the Explorer shell.

But whenever I try to run Malwarebytes, SUPERAntiSpyware or HijackThis, the scan will stop after 2 seconds and the permissions are removed from the executable. Whenever I open IE, it opens an additional window with advertisements; it also redirects Google links.

I tried searching for all files created/altered around the time of infection, including hidden folders, but I can't find anything discernible.

I tried running ComboFix, which successfully ran 1 time, but I can't get it to start again. Here's the log from when it ran a few days ago:

ComboFix 10-10-22.05 - eclare 10/23/2010 20:37:05.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.624 [GMT -4:00]
Running from: C:\ComboFix.exe
AV: AVG Internet Security Network Edition *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\.wtav
C:\Documents and Settings\All Users\Desktop\Control center.lnk
C:\WINDOWS\java.exe
C:\WINDOWS\System32\drivers\vbma68cb.sys
C:\WINDOWS\system32\USRINI~1.EXE
C:\WINDOWS\System32\drivers\vbma68cb.sys . . . . Failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_USERINIT
-------\Service_userinit
-------\Service_vbma68cb


((((((((((((((((((((((((( Files Created from 2010-09-24 to 2010-10-24 )))))))))))))))))))))))))))))))
.

2010-10-24 00:59:03 . 2010-10-24 00:59:03 30720 ----a-w- C:\WINDOWS\system32\drivers\vbma68cb.sys
2010-10-23 22:53:27 . 2010-10-23 22:52:30 389120 ----a-w- C:\WINDOWS\system32\CF18986.exe
2010-10-23 22:53:01 . 2010-10-23 22:53:11 -------- d-----w- C:\Documents and Settings\eclare\Local Settings\Application Data\Temp
2010-10-23 22:53:00 . 2010-10-23 22:53:00 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
2010-10-23 22:43:01 . 2010-10-23 22:43:01 -------- d-----w- C:\Documents and Settings\eclare\Local Settings\Application Data\Yahoo
2010-10-23 22:42:57 . 2010-10-23 22:42:57 -------- d-----w- C:\Documents and Settings\eclare\Application Data\Yahoo!
2010-10-23 22:37:01 . 2010-10-23 22:37:01 -------- d-----w- C:\Documents and Settings\eclare\Application Data\SUPERAntiSpyware.com
2010-10-23 22:03:27 . 2010-10-23 22:03:27 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-10-23 22:03:27 . 2010-10-23 22:03:27 -------- d-----w- C:\Documents and Settings\agm\Application Data\SUPERAntiSpyware.com
2010-10-23 22:03:10 . 2010-10-23 22:03:41 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-10-23 22:02:46 . 2010-10-23 22:02:39 9578056 ----a-w- C:\SUPERAntiSpyware.exe
2010-10-23 21:54:58 . 2010-10-23 21:54:58 -------- d-----w- C:\Documents and Settings\agm\Application Data\Malwarebytes
2010-10-23 21:54:26 . 2010-10-23 21:54:26 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-10-23 21:54:25 . 2010-10-24 00:30:28 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-10-21 03:13:27 . 2009-12-24 06:59:40 177664 ------w- C:\WINDOWS\system32\dllcache\wintrust.dll
2010-10-21 03:10:24 . 2010-06-14 14:31:20 744448 ------w- C:\WINDOWS\system32\dllcache\helpsvc.exe
2010-10-20 16:44:03 . 2010-10-20 16:44:03 -------- d-----w- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2010-10-17 19:16:07 . 2010-10-17 19:16:07 -------- d-----w- C:\Documents and Settings\agm\Local Settings\Application Data\Yahoo
2010-10-14 00:00:34 . 2010-10-21 03:32:01 -------- d-----w- C:\Documents and Settings\agm\Application Data\gtk-2.0
2010-10-14 00:00:06 . 2010-10-14 00:00:06 -------- d-----w- C:\Documents and Settings\agm\.thumbnails
2010-10-13 23:58:47 . 2010-10-21 03:36:11 -------- d-----w- C:\Documents and Settings\agm\.gimp-2.6
2010-10-13 23:58:38 . 2010-10-13 23:58:42 -------- d-----w- C:\Documents and Settings\agm\.gegl-0.0
2010-10-13 23:54:41 . 2010-10-13 23:54:44 -------- d-----w- C:\Documents and Settings\agm\Application Data\My.Freeze.com NetAssistant
2010-10-13 23:54:03 . 2010-10-13 23:54:20 -------- d-----w- C:\Program Files\Gimp-2.0
2010-10-13 23:53:29 . 2010-10-20 02:34:40 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2010-10-13 23:53:08 . 2010-10-13 23:53:10 -------- d-----w- C:\Program Files\Free Offers from Freeze.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-23 22:54:50 . 2009-10-01 20:25:28 3884040 ----a-r- C:\ComboFix.exe
2010-08-27 20:08:17 . 2009-11-07 22:42:28 1426872 ----a-w- C:\WINDOWS\system32\rmconfig.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2010-07-27 06:30:35 8462336 ----a-w- C:\WINDOWS\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" [2006-05-28 13:11:15 1003520]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-03 19:09:23 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-07-02 21:10:58 23237416]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-12-07 06:30:55 2356088]
"Google Update"="C:\Documents and Settings\agm\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-25 21:57:07 136176]
"IPEVO Control Center"="C:\Program Files\IPEVO\Control Center\IPEVO Control Center.exe" [2009-11-06 19:51:16 1491456]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 14:04:57 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 00:51:55 39792]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [2008-09-04 17:35:10 229376]
"VirginAtlanticListener"="C:\Program Files\Virgin Atlantic\Virgin Atlantic Listener\VAA.exe" [2005-06-23 08:02:50 507904]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-05-20 20:53:46 180269]
"ButtonMonitor"="C:\Program Files\Verbatim\ButtonMonitor.exe" [2007-03-16 02:39:00 53248]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2010-03-19 02:16:10 421888]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-07-16 11:41:58 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="C:\WINDOWS\System32\spool\migrate.dll" [2003-03-31 16:00:00 30208]


I ran Kaspersky TDSSKiller, and it detects rootkits on every scan, but when I delete them, reboot and run the scan again, they reappear.

Please let me know if you can assist.

Thanks,
Ed
eclare82
Active Member
 
Posts: 3
Joined: October 26th, 2010, 11:51 am
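An added example, not from the original post or from ComboFix, that parses "Files Created" report lines in the shape of the log above and applies the two checks the post describes: listing files created around the infection time, and flagging a .sys driver whose base name looks machine-generated (as vbma68cb.sys does), plus the "Failed to delete" entries. The sample lines are copied from the log above in constructed form; the "random-looking name" regex is an assumed heuristic, not a ComboFix rule.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the ComboFix log above (one "Other Deletions" line, four "Files Created" lines), not the full log.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\drivers\vbma68cb.sys . . . . Failed to delete
2010-10-24 00:59:03 . 2010-10-24 00:59:03 30720 ----a-w- C:\WINDOWS\system32\drivers\vbma68cb.sys
2010-10-23 22:02:46 . 2010-10-23 22:02:39 9578056 ----a-w- C:\SUPERAntiSpyware.exe
2010-10-23 22:03:10 . 2010-10-23 22:03:41 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2010-10-21 03:13:27 . 2009-12-24 06:59:40 177664 ------w- C:\WINDOWS\system32\dllcache\wintrust.dll
"""
TS = "%Y-%m-%d %H:%M:%S"
DATE = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
# "Files Created" line layout: created . modified size attrs path
LINE_RE = re.compile(rf"^({DATE}) \. ({DATE}) (\S+) (\S+) (.+)$")
# Assumed heuristic: 8 lowercase alphanumerics mixing letters and digits (e.g. vbma68cb); review hits by hand
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8}$")

def parse_line(line):
    """Return a dict for one 'Files Created' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return {"created": datetime.strptime(created, TS),
            "modified": datetime.strptime(modified, TS),
            "size": None if size.startswith("-") else int(size),  # directories carry no size
            "is_dir": attrs.startswith("d"), "path": path}

def looks_like_random_driver(entry):
    """A .sys under a drivers\\ folder with a machine-generated-looking base name."""
    low = entry["path"].lower()
    if entry["is_dir"] or "\\drivers\\" not in low or not low.endswith(".sys"):
        return False
    return bool(RANDOM_NAME_RE.match(low.rsplit("\\", 1)[1][:-4]))

def failed_deletes(log_text):
    """Paths ComboFix could not delete; a driver it cannot remove is a rootkit hint."""
    return [l.split(" . . . . ")[0].strip() for l in log_text.splitlines()
            if l.rstrip().endswith("Failed to delete")]

def triage(log_text, infection_time, window_hours=48):
    """Files created within +/- window_hours of infection_time, and random-named drivers."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    centre = datetime.strptime(infection_time, TS)
    lo, hi = centre - timedelta(hours=window_hours), centre + timedelta(hours=window_hours)
    in_window = [e["path"] for e in entries if lo <= e["created"] <= hi]
    flagged = [e["path"] for e in entries if looks_like_random_driver(e)]
    return in_window, flagged
```

Feed it the full "Files Created" and "Other Deletions" sections of a ComboFix log with the approximate infection time; the random-name check is a hint for an analyst, not a verdict, since some legitimate drivers also have short alphanumeric names.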

Re: Worst Malware Infection EVER! seriously, it's that bad

Post by NonSuch » October 26th, 2010, 3:37 pm

Closed duplicate.
NonSuch
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
