Our new Indie Games subforum is now open for business in G&T. Go and check it out, you might land a code for a free game. If you're developing an indie game and want to post about it, follow these directions. If you don't, he'll break your legs! Hahaha! Seriously though.
Our rules have been updated and given their own forum. Go and look at them! They are nice, and there may be new ones that you didn't know about! Hooray for rules! Hooray for The System! Hooray for Conforming!

big ole virus on my pc. or trojan.

IriahIriah Registered User regular
edited March 2010 in Help / Advice Forum
I was browsing youtube last night when firefox closed and popped up with a clearly fake Windows Defender panel saying I had viruses. Then it launched a clearly fake virus scan which found I had hundreds of viruses. It was coming from a process called ave.exe, which appears to be associated with something called the sndog worm - though I'm not convinced that's the real problem, it may have just been something another trojan downloaded. I closed it, but whenever I opened another .exe it popped up instead. Only google chrome works, for some reason.

I ran spybot S&D and AVG. Spybot found some registry changes, which I nixed, and it seemed to fix it for a while. Then it happened all over again.

The same thing happens in Safe Mode, too.

For a while I thought it was also the fault of lsass.exe, csrss.exe, lsm.exe, and some others, but they all appear to be in system32 so that seems to validate them.

Otherwise, I don't really know what to do! Any ideas?

Iriah on
«1

Posts

  • Santa ClaustrophobiaSanta Claustrophobia Ho Ho Ho Disconnecting from Xbox LIVERegistered User regular
    edited March 2010
    I recently had to get rid of virtumonde. I also picked up Avast! and Malwarebytes. Eventually, they cleaned the system though I did have to boot in safe mode and make sure things weren't being activated in memory.

    Eventually, you have to realise that you're either not doing enough or there isn't anything else you can do. But definitely try a few other methods before killing the machine and starting over.

  • EshEsh Tending bar. FFXIV. Spending too much money eating out. That's about it. Portland, ORRegistered User regular
    edited March 2010
    Nuke it from orbit. Back up what you can and do a full format. System Defender is nasty.

    "At first he thought it might be a natural occurrence - maybe a rabbit. But upon closer inspection, it was clear a knife had been used. And rabbits don't carry knives."

    Final Fantasy XIV:Lilja Sunblade
  • IriahIriah Registered User regular
    edited March 2010
    Unfortunately I can't install avast or malwarebytes in or out of safe mode. It just brings up the dreaded ave.exe.

    This sure isn't good news...

  • Santa ClaustrophobiaSanta Claustrophobia Ho Ho Ho Disconnecting from Xbox LIVERegistered User regular
    edited March 2010
    Yeah, I'm with Esh, then. Nuke it. You're probably too far gone to do anything. Save what you can and start over.

  • DarkewolfeDarkewolfe Registered User regular
    edited March 2010
    I've had Windows Defender before. It's actually currently embedded on a banner ad on pirate bay, for what it's worth, might be where you got it.

    Download Malwarebytes. Change the name of the malwarebytes executable to Malwarebytes.com. This changes the extension, without preventing windows from executing it. It's a very simple trojan and will be fooled by the different extension, allowing you to run it. As long as the version hasn't been updated since last month, that'll clean you up.

    "Well, look at this. Appears we got here just in the nick of time. What's that make us?"
    "Big Damn Heroes, Sir."
    "Ain't we just."
  • SeñorAmorSeñorAmor Registered User regular
    edited March 2010
    Can you slave your current drive to another computer and do the scan that way? It'll save you a F&R.

  • Dunadan019Dunadan019 Registered User regular
    edited March 2010
    Malwarebytes in safemode and rename it as darkewolfe said.

    It can take care of pretty much anything.

  • RuckusRuckus Registered User regular
    edited March 2010
    I've had success in simply running a a file search in safe mode for *.* modified in the approximate time window you think the infection occured. That along with a good AV and Spybot scan usually gets everything.

    Raneados wrote: »
    so what SPECIFICALLY is the problem with my hole?
  • theclamtheclam Registered User
    edited March 2010
    If Malwarebytes won't run, try Combofix. Download it and rename the exe file before running it, of course.

    rez_guy.png
  • Santa ClaustrophobiaSanta Claustrophobia Ho Ho Ho Disconnecting from Xbox LIVERegistered User regular
    edited March 2010
    When I was researching my virtumonde problem, combofix tended to come up fairly often. They way they made it seem was that it was more complicated to use than it needed to be just to fix the problem.

    I make no judgments on its effectiveness, but then, my problem apparently wasn't as bad as the OP's. So I didn't need it in the end. If anything, it's an option to look into.

  • SkyCaptainSkyCaptain Registered User regular
    edited March 2010
    Microsoft Security Esentials is also good to use.

    The RPG Bestiary - Dangerous foes and legendary monsters for D&D 4th Edition
  • Eat it You Nasty Pig.Eat it You Nasty Pig. tell homeland security 'we are the bomb'Registered User regular
    edited March 2010
    If you can't get to safe mode (or somehow no longer have control of your machine in safe mode), it is time to reformat. You could spend a long time wrestling with removing a malicious rootkit and never be entirely sure whether you've fixed everything, or you could just back up necessary files and format. Not only will you have a clean bill of health and be able to install necessary protection software from scratch, your PC will perform better.

    edit: one thing to do in the future is create an account without administrative privileges and use that for your everyday stuff. Not being an admin when you get hit with something like this does a lot to prevent damage and preserve your ability to fix things without formatting.

    gkcmatch_zps97480250.jpg
    stand up! It was the smallest on the list but
    pluto was a planet and I'll never forget
  • IriahIriah Registered User regular
    edited March 2010
    Thank you all, I'll give it a shot after I've had a lot of sleep.

    Worst a time for a virus...

  • IriahIriah Registered User regular
    edited March 2010
    Turns out I'm an obsessive liar, too.

    I rebooted in safe mode, ran spybot first and removed the registry changes it suggested, then was able to install malwarebytes. the quick scan in turn found 2 things which I didn't bother to read about before nuking, which probably wasn't the smartest thing to do.

    Still, it is probably solved for now. Thank you all very much for your help. It's going to run a full system scan while I sleep for reals now.

  • President RexPresident Rex Registered User regular
    edited March 2010
    2-viruses.com says it is (was?) XP Defender Pro (here if you want their list of processes, registry entries and actual files it affects and such).

    I had a problem with something similar. I ended up having to clear the registry entries for EXE files (you can then re-associate EXE files with Tools->Folder Options->File Types in any windows explorer window). This let me actually run Adaware (which didn't find the guilty files making it keep popping up) and subsequently get Malware Bytes Anti Malware (which did find them, and seems to be a lot like Adaware used to be). It seems like you went the easier route of going through Safe Mode, but if you need another option, maybe that'll be helpful.

    There's always the "nuke it from orbit" option of formatting if it subsequently pops up.

    Join the Crew: Sink to the level of sinking those trying to sink us.
    PR-SH3-sig2.gif
  • DarkewolfeDarkewolfe Registered User regular
    edited March 2010
    I speak from experience that I have had Defender (twice, before I realized it was coming through that specific banner ad), and malwarebytes gets it every time.

    "Well, look at this. Appears we got here just in the nick of time. What's that make us?"
    "Big Damn Heroes, Sir."
    "Ain't we just."
  • MustangMustang Registered User regular
    edited March 2010
    That's a prick of a virus, I've had it on a few work pc's in a few months and they seem to be modifying it constantly to avoid detection. I've seen it in 3 different forms. 4 now, it was labeled XP security 2010 last time I saw it. Agree with the guys here, Malwarebytes has been the most effective at getting rid of it.

  • KendeathwalkerKendeathwalker Registered User regular
    edited March 2010
    I just had to nuke this fucker. How do you prevent it from ever happening again? I am running bit defenders full security sweet now, and have been avoiding STC and TPB

  • Santa ClaustrophobiaSanta Claustrophobia Ho Ho Ho Disconnecting from Xbox LIVERegistered User regular
    edited March 2010
    You can't really prevent it short of not visiting any sites on the internets. Use trusted scanning programs and update and scan at least once a week. It's generally like any real disease; the sooner you catch it, the easier it will be to get rid of it.

  • IriahIriah Registered User regular
    edited March 2010
    Yeah, funny you say that - it was strange, because about half an hour after I started it up again, AVG of all things picked up a whole bunch of attempts to download 'ave.exe'. I'm wary. But, you know, nothing's doing. So good.

  • Dunadan019Dunadan019 Registered User regular
    edited March 2010
    Iriah wrote: »
    Yeah, funny you say that - it was strange, because about half an hour after I started it up again, AVG of all things picked up a whole bunch of attempts to download 'ave.exe'. I'm wary. But, you know, nothing's doing. So good.

    It sounds like you still have something.

    is your computer connected to a public network or any storage device that you didn't scan?

    did you run a full scan using malwarebytes?

  • IriahIriah Registered User regular
    edited March 2010
    Yes and yes. But none of the other computers connected have been infected, or at least didn't show any signs of infection.

    edit: I'll give them a scan with malwarebytes too.

  • Dunadan019Dunadan019 Registered User regular
    edited March 2010
    yeah and for the time being you might want to disconnect your computer from the others and redo a full virus scan just in case.

  • IriahIriah Registered User regular
    edited March 2010
    Well, it's connected to a router - does that count? I thought they had some kind of firewall to prevent it spreading.

  • cooljammer00cooljammer00 Hey Small Businessman!Registered User regular
    edited March 2010
    I think this might be like the Vundo worm I had. Nasty bastard, deletes antivirus programs so you can't fix it.

    steam_sig.png

    I pronounce it bee-log. Most recent entry: VIDEO GAMES: GUNPOINT, OR A SCIENTIFIC STUDY ON WHAT HAPPENS WHEN GLASS MEETS TROUSERS.
    3DS Friend Code: 2165-6448-8348 www.Twitch.TV/TheJohnDarc
  • CalebrosCalebros Registered User regular
    edited March 2010
    I dealt with a combination of virus' on a clients computer and it had pretty much locked everything down. I had to use a combination of things to get it out. Turns out a bunch of rootkits had been installed to stamp out the installation of anything that could get rid of it. After about 5 hours I got it out with a combination of:

    TDSS Killer
    RKill
    Malwarebytes

    and once cleaned, installed Avast.

    It was a series of things that faked virus scans and tried to get you to buy their program. It locked down everything >_< so annoying

    SS: 0904 5171 3790
  • ueanuean Registered User regular
    edited March 2010
    Iriah wrote: »
    Unfortunately I can't install avast or malwarebytes in or out of safe mode. It just brings up the dreaded ave.exe.

    This sure isn't good news...

    I'm dealing with what you're talking about right now, in fact just got it last night on a coworker's computer (her personal one). XP Smart Security 2010 is what it is called, and it is just naaaasty. Throws tons of fake windows at you, security centre stuff, fake warnings, puts porn shortcuts on your desktop, "scans" the drive and finds hundreds of viruses, DOS prompt opens up and says "sending spam to theguy@mail.net --done" through your entire address book... its actually quite hilarious if it weren't so annoying, and of course all it wants is your credit card number.

    Some googling said to install MBAM (Malwarebytes), but I couldn't as the program had thrown a bunch of hooks in. No task manager either, and the firewall was turned off.I was able to install Spyboy Search & Destroy though, which found and nuked all the hooks, then rebooted and was able to install and run malwarebytes, which found more stuff. Unfortunately after everything, while the computer is much more useable now (previously there was a redirect to the fake security alerts whenever any exe was run...) it is still there. I cant get rid of it. Now looking for a good solution, and we're taking it in to a shop in the city to get blasted.

    Guys? Hay guys?
    steam_sig.png
  • CalebrosCalebros Registered User regular
    edited March 2010
    Read my post right above you

    use RKill to kill any processes that might try to stop anything
    use TDSS to get rid of the rootkits, reboot
    Use RKill again for good measure, just to make sure MalwareBytes can install
    Run MWB

    SS: 0904 5171 3790
  • ueanuean Registered User regular
    edited March 2010
    Mustang wrote: »
    That's a prick of a virus, I've had it on a few work pc's in a few months and they seem to be modifying it constantly to avoid detection. I've seen it in 3 different forms. 4 now, it was labeled XP security 2010 last time I saw it. Agree with the guys here, Malwarebytes has been the most effective at getting rid of it.

    Damn. Malwarebytes is finding it and killing it, but it keeps coming back. I've even gone into the registry and removed everything in there I could find and still nothing.

    Also, a search of the drive for av*.exe is not turning up anything.

    Guys? Hay guys?
    steam_sig.png
  • CalebrosCalebros Registered User regular
    edited March 2010
    uean wrote: »
    Mustang wrote: »
    That's a prick of a virus, I've had it on a few work pc's in a few months and they seem to be modifying it constantly to avoid detection. I've seen it in 3 different forms. 4 now, it was labeled XP security 2010 last time I saw it. Agree with the guys here, Malwarebytes has been the most effective at getting rid of it.

    Damn. Malwarebytes is finding it and killing it, but it keeps coming back. I've even gone into the registry and removed everything in there I could find and still nothing.

    Also, a search of the drive for av*.exe is not turning up anything.

    TDSS Killer

    srsly

    This is the exact same thing I've fought with twice now and the same procedure worked both times

    SS: 0904 5171 3790
  • MuddBuddMuddBudd Registered User regular
    edited March 2010
    I just had this thing on my work computer. I was able to stop it by shutting down the av.exe process and resetting the exe extension back to normal, then running adaware and spybot.

    Was a bitch to figure out though.

    And another co-worker just got it on their home computer. Seems to be the hot new malware.

    steam_sig.png
  • CalebrosCalebros Registered User regular
    edited March 2010
    I'm not even sure how it gets in. It has to be in something really common for all these people to keep getting it. Maybe in ads or something in an untrusted website?

    SS: 0904 5171 3790
  • ueanuean Registered User regular
    edited March 2010
    That would be nice to know actually. The coworker's computer never even accesses the internet as she is too far from the wireless router we have here. It intermittently connects when the wind blows the right way. My guess is she got it through a flash drive which then downloaded itself and installed itself.

    Guys? Hay guys?
    steam_sig.png
  • ueanuean Registered User regular
    edited March 2010
    Calebros wrote: »
    uean wrote: »
    Mustang wrote: »
    That's a prick of a virus, I've had it on a few work pc's in a few months and they seem to be modifying it constantly to avoid detection. I've seen it in 3 different forms. 4 now, it was labeled XP security 2010 last time I saw it. Agree with the guys here, Malwarebytes has been the most effective at getting rid of it.

    Damn. Malwarebytes is finding it and killing it, but it keeps coming back. I've even gone into the registry and removed everything in there I could find and still nothing.

    Also, a search of the drive for av*.exe is not turning up anything.

    TDSS Killer

    srsly

    This is the exact same thing I've fought with twice now and the same procedure worked both times

    Alright, ran rkill and it runs, and then kills itself, which is kind of funny.
    Ran TDSSKiller and it runs and finds a rootkit in c:\windows\system32\drivers\iastor.sys, but says cure failed.

    This is in safe mode.

    Reboot and try again, safe mode, same deal.

    Guys? Hay guys?
    steam_sig.png
  • SteevLSteevL What can I do for you? Registered User regular
    edited March 2010
    My fiancee just had something like this a few weeks ago. I don't know where she could have picked it up from, but after I spent a day thinking I had successfully cleaned the PC, it would consistently freeze up about half an hour after being turned on or rebooted. This even happened in safe mode.

    In the end, I just did the whole reformat thing. It was annoying, but at least her PC is running faster now.

  • ueanuean Registered User regular
    edited March 2010
    Alright, some progress. Ran RKILL in regular mode (not safe mode) and it killed a ton of processes. Googled all processes and they were all ok except for one, which is zipdkg32.exe.

    Unfortunately TDSSKiller is still not able to cure the iastor.sys rootkit (if it is there) and this site doesn't give me confidence it will be fixed, but we'll see.

    Still waiting for Malwarebytes to finish its scan in regular mode. If it kills ZIPDKG32.exe, then yay, and if not, I'll just delete it myself and hope for the best. Killing the process via RKILL made all the popups and nonsense go away so I have high hopes.

    edit - Malwarebytes came back with nothing, deleted the file using FileASSASSIN (MWB tool), rebooted, spybot search and destroy then found another taskmanager disable, killed that, rebooted again, and it has now been working for a good long while. yay. But man what a PITA.

    Guys? Hay guys?
    steam_sig.png
  • MuddBuddMuddBudd Registered User regular
    edited March 2010
    Calebros wrote: »
    I'm not even sure how it gets in. It has to be in something really common for all these people to keep getting it. Maybe in ads or something in an untrusted website?

    It's built into banner ads, as far as I can tell. I'm about 90% sure I got it from either MMO-Champion or Explosm.net (Cyanide and Happiness comic).

    In both cases I've personally seen, it's installed itself without any need for the user to click on anything.

    steam_sig.png
  • Santa ClaustrophobiaSanta Claustrophobia Ho Ho Ho Disconnecting from Xbox LIVERegistered User regular
    edited March 2010
    MuddBudd wrote: »
    Calebros wrote: »
    I'm not even sure how it gets in. It has to be in something really common for all these people to keep getting it. Maybe in ads or something in an untrusted website?

    It's built into banner ads, as far as I can tell. I'm about 90% sure I got it from either MMO-Champion or Explosm.net (Cyanide and Happiness comic).

    In both cases I've personally seen, it's installed itself without any need for the user to click on anything.

    I've seen some mentions about these things being in .wmv files as well.

  • John MatrixJohn Matrix Registered User regular
    edited March 2010
    My PC has recently succumbed to the ravages of a similar virus. After cleaning it I can no longer get windows updates, even after many attempted fixes.

    I've never formatted a PC before, does anyone have a good moron's guide for this sort of thing? The old girl is going to be retired in the next few months before I go back to school with a laptop, but I want to keep it working as a backup. I've still got my old windows reinstall disc that came with the PC.

  • Eat it You Nasty Pig.Eat it You Nasty Pig. tell homeland security 'we are the bomb'Registered User regular
    edited March 2010
    Put the CD in the drive and hit whatever key gets you to a boot menu during startup, select 'boot from cd,' and follow the instructions. Formatting windows is super easy at this point.

    gkcmatch_zps97480250.jpg
    stand up! It was the smallest on the list but
    pluto was a planet and I'll never forget
«1
Sign In or Register to comment.