Sign in to follow this  
Followers 0
DarkRider

Internet Security 2010 and Other Nasty Security Viruses

61 posts in this topic

Troubleshooting Internet Security 2010 and Other Similar "Anti Mal-ware" Viruses.

So, you have a nasty internet virus eh? Giving you loads of scary warning pop-ups about how infected your PC is while running its fake anti-malware program and sinks its claws into your system?

While there are many variations of these viruses there are a few things you should know:

1) Do not restore your PC at the first sign of danger. This can actually exacerbate the situation if your PC is still infected when you restore.

2) The malware pros agree these programs, while terrifying with their scary warnings, are designed to annoy more often than to cause lasting damage. Do not interact with the popups DO NOT enter any of your information.

3) Identify your opponent! One of those pop ups will have enough information to help identify what virus you are working against. Make note of what they say!

4) Take a deep breath and prepare to fight back. These viruses do get worse if you try to just ignore them and they will not go away quietly

5) If you are not PC savvy, manually removing suspicious .exe files is not recommended as you may inadvertently delete something unrelated or spread your infection; damage caused from novice removal can be irreparable.

How they work:

You can pick up one of these viruses while surfing anywhere on the internet. It's important to take some prevention measures with your PC. Make sure you are using up to date virus and spyware protection. Viruses and spyware are not the same thing and many PC users are protected against one but not the other.

The virus slips onto your PC via a cookie (all websites give you cookies when you visit) and once the cookie finds your system, it installs an .exe installer or more that will continue to crank out spyware and scary popups. The virus is very self preserving, it may shutdown your virus protection, it may lock up your desktop altogether, or stop you from running other .exe programs (like those you need to run to install software to help you). Mostly, these viruses are trying to ruin your day not your rig, but there are exceptions, so be careful not to interact with the program. Every pop up is a lure, do not take the bait.

What to do:

Every virus is different and behaves differently for every system, but there are three things you should do to reclaim your PC in a timely manner.

Step 1: Install and run a virus and spyware remover program: There are some free versions like SUPERAntiSpyware, but if your virus is particularly nasty you may need to go with a paid software. We recommend Webroot Antivirus Plus SpySweeper This has been proven effective against these viruses and only 1/4 of the cost of having a pro save your PC for you.

Some malware will not let you install anything, or, they will not let specifically known anti-malware programs to run, or install. A cheap trick to get around this is to rename the program or installer to Winlogon.exe. This is the name of a windows process that the computer needs to run, so, no malware is going to stop it.

Step 2: Install and run a registry cleaner: Once you have punched the virus to pieces and quarantined all the trojans, worms, and spy cookies, use a registry cleaner like CCleaner to tidy up the holes the virus chewed in your registry. This program is free.

Step 3: Restore your System: Once the virus has been completely removed, restore your PC to an earlier restore point, make sure you choose the most likely point that lands before you were infected.

When it comes to virus fighting there are no guarantees, but these steps have proven effective for others in the past. Post here with any questions and specifics about your virus and those with PC savvy will do their best to advise you.

Take a deep breath, it's going to be okay again very soon...we'll help :cry:

0

Share this post


Link to post
Share on other sites

dbf70700.exe is associated with the malware but it is NOT the name of the program calling this garbage...

You need to look at the logs to find out what registry setting are calling the RUN command at start up.

0

Share this post


Link to post
Share on other sites

Something to keep in mind. You can go here to housecall.trendmicro.comand get a free scan on your computer. Trendmicro is a very good antivirus program and used it for years.

0

Share this post


Link to post
Share on other sites

Vince I sent you a PM..... check it when you have a chance.

0

Share this post


Link to post
Share on other sites

The following is what is left after I subtract what was running Feb. 9th plus known changes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Xwufab.exe

C:\DOCUME~1\VINCEB~1\LOCALS~1\Temp\Xfw.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Documents and Settings\Vince Bly\Application Data\50A8F20A3BFFE119D1A9C07BF9224F03\dbf70700.exe

C:\DOCUME~1\VINCEB~1\LOCALS~1\Temp\cmd.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

The svchost.exe's and rundll32.exe's are extra copied compared to Feb. 9

I think the cmd.exe just means that one of the programs opened the DOS screen. All the others are very suspect. I plan to check these names on the net.

BTW, I realize this is potentially very serious. I do not plan to make any rash moves. The first thing I plan to do is identify the bad programs if possible. Since HijackThis gives the path, I could potentially just remove them. However, I won't do that until I've identified what I can and others here think that's the right move.

0

Share this post


Link to post
Share on other sites

We're looking for something that looks like this below:

Infected Files in Past 7 Days - North America

Recent Threats Information with name type risk date discovered # Virus Name # of Infected Files # of Scanned Files % Infected

1 Vundo 6769015 41605908 16.27

2 W32/YahLover.worm.gen 4209212 96879586 4.34

3 Generic.dx!pel 4139724 44955193125 0.01

4 Exploit-MS04-028 3127641 15872935 19.70

5 GameVance 2024908 472865782 0.43

6 W32/Gael.worm.a 1810035 4891741 37.00

7 W32/Rontokbro.gen@MM 1724774 79231477 2.18

8 Generic!atr 1455811 449756671 0.32

9 Generic PUP.x!i 1370468 10239825 13.38

10 Adware-Hotbar.lnk 681080 110856895 0.61

11 W32/Autorun.worm.f 549851 49836503 1.10

12 RemAdm-VNCView 540224 477319347 0.11

13 W32/Hakaglan.inf 518816 4441884 11.68

14 Generic FakeAlert.a 500297 257580333 0.19

15 Generic PUP.z 488479 2123536596 0.02

16 W32/PatchLoad.d 482792 288917511 0.17

17 FakeAlert-WPS 481418 103097077 0.47

18 W32/YahLover.worm 397194 31699999 1.25

19 Adware-OneStep 372595 2371280082 0.02

20 FakeAlert-MA.gen 356511 290911897 0.12

Those are threats over the past 7 days..

Are you able to access in some shapre or form the mcafee logs?

0

Share this post


Link to post
Share on other sites

If you are able to get online with the computer without exposing any of your other computers on a network (wired or wireless) try going here to mcafee for a freescan. It may or may not be able to clean it but it will at least tell you what it is.. There maybe tools available to get rid of it or you might have to do it manually. My experience has been where its had to be manually eradicated.

I've been doing this professionally for a good number of years.

McAfee

0

Share this post


Link to post
Share on other sites

I've eliminated csrss.exe (as a suspect), as long as it's in the Windows32 folder, it's fine.

A net searchfor Xwufab.exe returns nothing.

xfw.exe is installed and used by I-Worm.Petik. It appears that it can be deleated once you know were it is (I do).

Apparently, wmiprve.exe os part of the windows operating system. There have been complaints about it taking too much CPU time and there is a download on MicroSoft's site to fix it. I've never seen that program running before.

dbf70700.exe is definitly malware. BTW, it's the name I couldn't remember "Antimalware Doctor". So far, I've only found sites that want you to download one of their programs to remove it.

So, apparently there are two definitly bad programs and one unknown.

I'll post this and wait for comments.

0

Share this post


Link to post
Share on other sites

I was just doing some reading on wmiprve.exe- what makes it tricky to a novice like myself is that it could be legit as Windows Management Instrumentation, but I also read that a couple forms of malware disguise themselves as this. I really don't have an educated recommendation on that particular file. :cry:

I am casting about for reliable info on the other exes on your list. ;)

0

Share this post


Link to post
Share on other sites

Removing bits of the program manually is not recommended it can cause permanent damage to your system. It's much safer to use a virus and spyware removing program. This site will walk you step by step through removing the Antimalware Doctor virus manually if that's what you want to do: http://www.2-viruses.com/remove-antimalware-doctor

You have to realize that not every .exe you track down is related to this virus. Most PCs, even those running protection will have a bit of harmless virus/cookie junk the user never knew about until trying to track down the current threat. So deleting that type of stuff won't help you.

0

Share this post


Link to post
Share on other sites

I've eliminated csrss.exe (as a suspect), as long as it's in the Windows32 folder, it's fine.

csrss.exe is a windows file and normally runs...

A net searchfor Xwufab.exe returns nothing.

xfw.exe is installed and used by I-Worm.Petik. It appears that it can be deleated once you know were it is (I do).

I'll look up and see if its called from the registry and let you know if we need to do anything else with it then

Apparently, wmiprve.exe os part of the windows operating system. There have been complaints about it taking too much CPU time and there is a download on MicroSoft's site to fix it. I've never seen that program running before.

dbf70700.exe is definitly malware. BTW, it's the name I couldn't remember "Antimalware Doctor". So far, I've only found sites that want you to download one of their programs to remove it.

I'll see what I can come up with on this for you. Might take me a few minutes.

So, apparently there are two definitly bad programs and one unknown.

I'll post this and wait for comments.

0

Share this post


Link to post
Share on other sites

I've verified that the "Antimalware Doctor" will disable restore and add a command to the registry to run it at startup.

Right now, I'm running in safe mode without network connection and the ethernet cable disconnected.

BTW, this program was first seen in the US on February 28th.

Edited by Vince
0

Share this post


Link to post
Share on other sites

Arion, do you know anything about a OTL report or running GMER?

0

Share this post


Link to post
Share on other sites

Anti-MalwareDoctor - Here's a link for help with programs ( all free that will remove it)

HERE

Still tracking the others...

0

Share this post


Link to post
Share on other sites

Arion, do you know anything about a OTL report or running GMER?

Not off hand....

0

Share this post


Link to post
Share on other sites

It appears that AntiMalware Doctor is the rider program. Its the other one that is the carrier.. I'm stll trying to find something on it.. Sometimes the name is changed between companies for whatever reason... As soon as I find what it is, I'll let you know.. Going through everything I have access to try to find an answer.

0

Share this post


Link to post
Share on other sites

Arion,

I'm reading the site you sent me to with "HERE". I'll be back as soon as I read it. Really, thanks for the help.

vince

0

Share this post


Link to post
Share on other sites

Arion,

I've read what it says on that site. However, none of the filenames it refers to, either to remove the files or the registry entries are the same as I have. It mentions "enemies-names.txt" and "Antimalwaredoctor.exe". I have "dbf70700.exe" which is identified on many sites as Antimalwaredoctor".

I'll look in the registry (but not change right now) for references to dbf70700.

Vince

EDIT: the link provided by DarkRider also refers to the two names above.

I've found four entries in the registry of interest:

O4 - HKCU\..\Run: [YVIBBBHA8C] C:\DOCUME~1\VINCEB~1\LOCALS~1\Temp\Xfw.exe

O4 - HKCU\..\Run: [dbf70700.exe] C:\Documents and Settings\Vince Bly\Application Data\50A8F20A3BFFE119D1A9C07BF9224F03\dbf70700.exe

O4 - HKCU\..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\VINCEB~1\LOCALS~1\Temp\cmd.exe

O4 - Startup: Antimalware Doctor.lnk = C:\Documents and Settings\Vince Bly\Application Data\50A8F20A3BFFE119D1A9C07BF9224F03\dbf70700.exe

Edited by Vince
0

Share this post


Link to post
Share on other sites

Here' it is... this is the carrier program that you need. Here Is the norton website that has all the information you need to get rid of the carrier.

The removal is on one of the tabs above the description.

0

Share this post


Link to post
Share on other sites

If it's a malware infestation you're dealing with, I've not found a better utility for removing things like that than Superantispyware. If you can managed to download and install that, and then let it do a complete scan of your system, chances are you'll be rid of whatever you picked up.

Yes, their website looks dodgy and the name of the program itself looks dodgy, but I've used it myself for years and we made regular use of it at the IT department I used to work in. It catches things that Ad-Aware and/or Symantec won't find.

0

Share this post


Link to post
Share on other sites

Any options we can give him are a help.. Thanks Arthmoor.... What's tricky about this is, its just like numerious others that everyone has a different name for it and supposed their program is the best to get rid of whatever it is that ails your system.. Trying to dig through the fluff for the real info is where I get bogged down.

So glad your jumping in to help.. I can use any information to add to my list of tools as well. :)

0

Share this post


Link to post
Share on other sites

More bad news. I wanted to look at the registry directly, since the entries I listed came from HijackThis. When I tried, I got the message 'Registry editing has been disabled by your administrator". What now?

Edit: I said I was using McAfee, but NASA switched to Symantec. They provide it free for our home computers.

If I can't edit the registry in safe mode, I would be afraid to do much. Since the bad software is not running now, and I'm an administrator of my computer, can you tell me how to re-enable registry editing. Or, if I run the program Arthmoor suggested, does it not matter?

Edited by Vince
0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0