big ole virus on my pc. or trojan.

Iriah

I was browsing youtube last night when firefox closed and popped up with a clearly fake Windows Defender panel saying I had viruses. Then it launched a clearly fake virus scan which found I had hundreds of viruses. It was coming from a process called ave.exe, which appears to be associated with something called the sndog worm - though I'm not convinced that's the real problem, it may have just been something another trojan downloaded. I closed it, but whenever I opened another .exe it popped up instead. Only google chrome works, for some reason.

I ran spybot S&D and AVG. Spybot found some registry changes, which I nixed, and it seemed to fix it for a while. Then it happened all over again.

The same thing happens in Safe Mode, too.

For a while I thought it was also the fault of lsass.exe, csrss.exe, lsm.exe, and some others, but they all appear to be in system32 so that seems to validate them.

Otherwise, I don't really know what to do! Any ideas?

Santa Claustrophobia

I recently had to get rid of virtumonde. I also picked up Avast! and Malwarebytes. Eventually, they cleaned the system though I did have to boot in safe mode and make sure things weren't being activated in memory.

Eventually, you have to realise that you're either not doing enough or there isn't anything else you can do. But definitely try a few other methods before killing the machine and starting over.

Esh

Nuke it from orbit. Back up what you can and do a full format. System Defender is nasty.

Iriah

Unfortunately I can't install avast or malwarebytes in or out of safe mode. It just brings up the dreaded ave.exe.

This sure isn't good news...

Santa Claustrophobia

Yeah, I'm with Esh, then. Nuke it. You're probably too far gone to do anything. Save what you can and start over.

Darkewolfe

I've had Windows Defender before. It's actually currently embedded on a banner ad on pirate bay, for what it's worth, might be where you got it.

Download Malwarebytes. Change the name of the malwarebytes executable to Malwarebytes.com. This changes the extension, without preventing windows from executing it. It's a very simple trojan and will be fooled by the different extension, allowing you to run it. As long as the version hasn't been updated since last month, that'll clean you up.

SeñorAmor

Can you slave your current drive to another computer and do the scan that way? It'll save you a F&R.

Dunadan019

Malwarebytes in safemode and rename it as darkewolfe said.

It can take care of pretty much anything.

Ruckus

I've had success in simply running a a file search in safe mode for *.* modified in the approximate time window you think the infection occured. That along with a good AV and Spybot scan usually gets everything.

theclam

If Malwarebytes won't run, try Combofix. Download it and rename the exe file before running it, of course.

Santa Claustrophobia

When I was researching my virtumonde problem, combofix tended to come up fairly often. They way they made it seem was that it was more complicated to use than it needed to be just to fix the problem.

I make no judgments on its effectiveness, but then, my problem apparently wasn't as bad as the OP's. So I didn't need it in the end. If anything, it's an option to look into.

SkyCaptain

Microsoft Security Esentials is also good to use.

Eat it You Nasty Pig.

If you can't get to safe mode (or somehow no longer have control of your machine in safe mode), it is time to reformat. You could spend a long time wrestling with removing a malicious rootkit and never be entirely sure whether you've fixed everything, or you could just back up necessary files and format. Not only will you have a clean bill of health and be able to install necessary protection software from scratch, your PC will perform better.

edit: one thing to do in the future is create an account without administrative privileges and use that for your everyday stuff. Not being an admin when you get hit with something like this does a lot to prevent damage and preserve your ability to fix things without formatting.

Iriah

Thank you all, I'll give it a shot after I've had a lot of sleep.

Worst a time for a virus...

Iriah

Turns out I'm an obsessive liar, too.

I rebooted in safe mode, ran spybot first and removed the registry changes it suggested, then was able to install malwarebytes. the quick scan in turn found 2 things which I didn't bother to read about before nuking, which probably wasn't the smartest thing to do.

Still, it is probably solved for now. Thank you all very much for your help. It's going to run a full system scan while I sleep for reals now.

President Rex

2-viruses.com says it is (was?) XP Defender Pro (here if you want their list of processes, registry entries and actual files it affects and such).

I had a problem with something similar. I ended up having to clear the registry entries for EXE files (you can then re-associate EXE files with Tools->Folder Options->File Types in any windows explorer window). This let me actually run Adaware (which didn't find the guilty files making it keep popping up) and subsequently get Malware Bytes Anti Malware (which did find them, and seems to be a lot like Adaware used to be). It seems like you went the easier route of going through Safe Mode, but if you need another option, maybe that'll be helpful.

There's always the "nuke it from orbit" option of formatting if it subsequently pops up.

Darkewolfe

I speak from experience that I have had Defender (twice, before I realized it was coming through that specific banner ad), and malwarebytes gets it every time.

Mustang

That's a prick of a virus, I've had it on a few work pc's in a few months and they seem to be modifying it constantly to avoid detection. I've seen it in 3 different forms. 4 now, it was labeled XP security 2010 last time I saw it. Agree with the guys here, Malwarebytes has been the most effective at getting rid of it.

Kendeathwalker

I just had to nuke this fucker. How do you prevent it from ever happening again? I am running bit defenders full security sweet now, and have been avoiding STC and TPB

Santa Claustrophobia

You can't really prevent it short of not visiting any sites on the internets. Use trusted scanning programs and update and scan at least once a week. It's generally like any real disease; the sooner you catch it, the easier it will be to get rid of it.

Iriah

Yeah, funny you say that - it was strange, because about half an hour after I started it up again, AVG of all things picked up a whole bunch of attempts to download 'ave.exe'. I'm wary. But, you know, nothing's doing. So good.

Dunadan019

Iriah wrote: »

Yeah, funny you say that - it was strange, because about half an hour after I started it up again, AVG of all things picked up a whole bunch of attempts to download 'ave.exe'. I'm wary. But, you know, nothing's doing. So good.

It sounds like you still have something.

is your computer connected to a public network or any storage device that you didn't scan?

did you run a full scan using malwarebytes?

Iriah

Yes and yes. But none of the other computers connected have been infected, or at least didn't show any signs of infection.

edit: I'll give them a scan with malwarebytes too.

Dunadan019

yeah and for the time being you might want to disconnect your computer from the others and redo a full virus scan just in case.

Iriah

Well, it's connected to a router - does that count? I thought they had some kind of firewall to prevent it spreading.

cooljammer00

I think this might be like the Vundo worm I had. Nasty bastard, deletes antivirus programs so you can't fix it.

Calebros

I dealt with a combination of virus' on a clients computer and it had pretty much locked everything down. I had to use a combination of things to get it out. Turns out a bunch of rootkits had been installed to stamp out the installation of anything that could get rid of it. After about 5 hours I got it out with a combination of:

TDSS Killer
RKill
Malwarebytes

and once cleaned, installed Avast.

It was a series of things that faked virus scans and tried to get you to buy their program. It locked down everything >_< so annoying

uean

Iriah wrote: »

Unfortunately I can't install avast or malwarebytes in or out of safe mode. It just brings up the dreaded ave.exe.

This sure isn't good news...

I'm dealing with what you're talking about right now, in fact just got it last night on a coworker's computer (her personal one). XP Smart Security 2010 is what it is called, and it is just naaaasty. Throws tons of fake windows at you, security centre stuff, fake warnings, puts porn shortcuts on your desktop, "scans" the drive and finds hundreds of viruses, DOS prompt opens up and says "sending spam to theguy@mail.net --done" through your entire address book... its actually quite hilarious if it weren't so annoying, and of course all it wants is your credit card number.

Some googling said to install MBAM (Malwarebytes), but I couldn't as the program had thrown a bunch of hooks in. No task manager either, and the firewall was turned off.I was able to install Spyboy Search & Destroy though, which found and nuked all the hooks, then rebooted and was able to install and run malwarebytes, which found more stuff. Unfortunately after everything, while the computer is much more useable now (previously there was a redirect to the fake security alerts whenever any exe was run...) it is still there. I cant get rid of it. Now looking for a good solution, and we're taking it in to a shop in the city to get blasted.

Calebros

Read my post right above you

use RKill to kill any processes that might try to stop anything
use TDSS to get rid of the rootkits, reboot
Use RKill again for good measure, just to make sure MalwareBytes can install
Run MWB

uean

Mustang wrote: »

That's a prick of a virus, I've had it on a few work pc's in a few months and they seem to be modifying it constantly to avoid detection. I've seen it in 3 different forms. 4 now, it was labeled XP security 2010 last time I saw it. Agree with the guys here, Malwarebytes has been the most effective at getting rid of it.

Damn. Malwarebytes is finding it and killing it, but it keeps coming back. I've even gone into the registry and removed everything in there I could find and still nothing.

Also, a search of the drive for av*.exe is not turning up anything.

Calebros

uean wrote: »

Mustang wrote: »

That's a prick of a virus, I've had it on a few work pc's in a few months and they seem to be modifying it constantly to avoid detection. I've seen it in 3 different forms. 4 now, it was labeled XP security 2010 last time I saw it. Agree with the guys here, Malwarebytes has been the most effective at getting rid of it.

Damn. Malwarebytes is finding it and killing it, but it keeps coming back. I've even gone into the registry and removed everything in there I could find and still nothing.

Also, a search of the drive for av*.exe is not turning up anything.

TDSS Killer

srsly

This is the exact same thing I've fought with twice now and the same procedure worked both times

MuddBudd

I just had this thing on my work computer. I was able to stop it by shutting down the av.exe process and resetting the exe extension back to normal, then running adaware and spybot.

Was a bitch to figure out though.

And another co-worker just got it on their home computer. Seems to be the hot new malware.

Calebros

I'm not even sure how it gets in. It has to be in something really common for all these people to keep getting it. Maybe in ads or something in an untrusted website?

uean

That would be nice to know actually. The coworker's computer never even accesses the internet as she is too far from the wireless router we have here. It intermittently connects when the wind blows the right way. My guess is she got it through a flash drive which then downloaded itself and installed itself.

uean

Calebros wrote: »

uean wrote: »

Mustang wrote: »

That's a prick of a virus, I've had it on a few work pc's in a few months and they seem to be modifying it constantly to avoid detection. I've seen it in 3 different forms. 4 now, it was labeled XP security 2010 last time I saw it. Agree with the guys here, Malwarebytes has been the most effective at getting rid of it.

Damn. Malwarebytes is finding it and killing it, but it keeps coming back. I've even gone into the registry and removed everything in there I could find and still nothing.

Also, a search of the drive for av*.exe is not turning up anything.

TDSS Killer

srsly

This is the exact same thing I've fought with twice now and the same procedure worked both times

Alright, ran rkill and it runs, and then kills itself, which is kind of funny.
Ran TDSSKiller and it runs and finds a rootkit in c:\windows\system32\drivers\iastor.sys, but says cure failed.

This is in safe mode.

Reboot and try again, safe mode, same deal.

Steev

My fiancee just had something like this a few weeks ago. I don't know where she could have picked it up from, but after I spent a day thinking I had successfully cleaned the PC, it would consistently freeze up about half an hour after being turned on or rebooted. This even happened in safe mode.

In the end, I just did the whole reformat thing. It was annoying, but at least her PC is running faster now.

uean

Alright, some progress. Ran RKILL in regular mode (not safe mode) and it killed a ton of processes. Googled all processes and they were all ok except for one, which is zipdkg32.exe.

Unfortunately TDSSKiller is still not able to cure the iastor.sys rootkit (if it is there) and this site doesn't give me confidence it will be fixed, but we'll see.

Still waiting for Malwarebytes to finish its scan in regular mode. If it kills ZIPDKG32.exe, then yay, and if not, I'll just delete it myself and hope for the best. Killing the process via RKILL made all the popups and nonsense go away so I have high hopes.

edit - Malwarebytes came back with nothing, deleted the file using FileASSASSIN (MWB tool), rebooted, spybot search and destroy then found another taskmanager disable, killed that, rebooted again, and it has now been working for a good long while. yay. But man what a PITA.

MuddBudd

Calebros wrote: »

I'm not even sure how it gets in. It has to be in something really common for all these people to keep getting it. Maybe in ads or something in an untrusted website?

It's built into banner ads, as far as I can tell. I'm about 90% sure I got it from either MMO-Champion or Explosm.net (Cyanide and Happiness comic).

In both cases I've personally seen, it's installed itself without any need for the user to click on anything.

Santa Claustrophobia

MuddBudd wrote: »

Calebros wrote: »

I'm not even sure how it gets in. It has to be in something really common for all these people to keep getting it. Maybe in ads or something in an untrusted website?

It's built into banner ads, as far as I can tell. I'm about 90% sure I got it from either MMO-Champion or Explosm.net (Cyanide and Happiness comic).

In both cases I've personally seen, it's installed itself without any need for the user to click on anything.

I've seen some mentions about these things being in .wmv files as well.

John Matrix

My PC has recently succumbed to the ravages of a similar virus. After cleaning it I can no longer get windows updates, even after many attempted fixes.

I've never formatted a PC before, does anyone have a good moron's guide for this sort of thing? The old girl is going to be retired in the next few months before I go back to school with a laptop, but I want to keep it working as a backup. I've still got my old windows reinstall disc that came with the PC.

Eat it You Nasty Pig.

Put the CD in the drive and hit whatever key gets you to a boot menu during startup, select 'boot from cd,' and follow the instructions. Formatting windows is super easy at this point.