Solved

A very BIG Virus Problem.

Posted on 2010-08-16
10
525 Views
Last Modified: 2013-11-22
Working with a company that has 15 terminals.  Almost all of them have gotten a program installed that shows no name, but immediately after a few office updates are removed from the system.  To date, ESET NOD32 Version 4 has not been able to detect this - even with a bootable CD.  AVG has not found it either.  Malware Bytes Anti-Malware does not find it and it gets Error 732 when trying to update.

This is a big problem, as it sure seems like a virus, but I have yet to be able to identify or kill it with confidence.  It seems to make browsing the net this side of impossible - with 2 or 3 searces, the user must reboot.  And slows computer.


LogPic.jpg
0
Comment
Question by:Banacek
10 Comments
 
LVL 17

Accepted Solution

by:
sgsm81 earned 250 total points
ID: 33444688
if you boot into safe mode does it work ?

also if you try another user profile ?

you can always run ccleaner to clear up the cache files of anything nasty.......
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 33445050
Try running tdsskiller to see if it finds and removes the infection:
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Download the file TDSSKiller.zip and extract it into a folder
Execute the file TDSSKiller.exe.
Wait for the scan and disinfection process to be over.
Close all programs and press “Y” key to restart your computer.

More detail TDSSKiller tutorial:
http://support.kaspersky.com/viruses/solutions?qid=208280684
0
 

Expert Comment

by:m0tek
ID: 33445078
Do you know the process name / hash?
i would try uploading the file to prevx.com or virustotal.com in order to clarify deinfection methods

also - if you can get your hands on mcafee's getsusp
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 33445084
If unsuccessful, try Hitman Pro 3, a Second Opinion Malware Scanner.  It's often quite successsful:
http://www.surfright.nl/en/hitmanpro

If still unresolved i suggest running Combofix.
Download ComboFix and save to your Desktop, from here>
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running.
Also it may be necessary to rename ComboFix.exe (to Combo-Fix.exe for example), before saving it to your desktop.  If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick or CD.  Rename it and carry to the infected machine.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log here please.
In case of unfamiliarity, please do not mouseclick Combofix's window while it is running because it may stall.  It is absolutely normal for you to see a blue screen with flashing cursor, and this can last for up to 25 mins.
ComboFix must be run in normal mode.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 33445202
If (or when) you run Malwarebytes again, try the following if you're still getting error 732 >>

Control panel > internet options > connections tab > "LAN settings" button,
then uncheck the box "use a proxy server", and instead check box "automatically detect settings."  
Apply, and ok your way out.....now try updating Malwarebytes.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 2

Expert Comment

by:go2dave
ID: 33447829
Try running SuperAntiSpyware portable.
You can download it at http://superantispyware.com/portablescanner.html

I would also suggest using rkill to terminate any malware processes that are running.
you can download it at http://www.bleepingcomputer.com/forums/topic308364.html

Another thing not mentioned that I have had good luck using is GMER rootkit detector. you can get it at http://www.gmer.net/



0
 
LVL 27

Expert Comment

by:Jonvee
ID: 33448107
@ go2dave  .... RKill is certainly an excellent package, although the GMER rootkit detector you'll find is contained within ComboFix and is usually listed near the end of the final ComboFix logfile, like this>
W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
0
 

Assisted Solution

by:nfcdrummer
nfcdrummer earned 250 total points
ID: 33451218
I have had a few virus infections at a reasonably large site (~300 computers) which have infected quite a few machines.  Both Malwarebytes and SuperAntiSpyware have failed to identify infections along with Norman, which lists mosts modern 'minor' infections as a generic.

I've had to resort to dealing with pretty much all the infections manually.  I use HijackThis to find out what's running on startup, and Process Killer by Beyond Logic to kill processes with a command prompt.  It will also kill system processes which Task Manager prevents you killing.

I've also had to search through the registry for file names which are related to these infections and remove the entries.  We had one (I think it was a variant of Conficker) which kept coming back until I finally uncovered that it required the KB958644 security update.  This update didn't seem to be available on Windows Update but I was able to download it manually and it prevented the computers reinfecting each other.

As we're on a Novell network, for a couple of issues I have written batch files to manually kill processes and remove files when I know how to fix the problems.  I can then launch these batch files from startup.bat.

0
 

Author Closing Comment

by:Banacek
ID: 33463290
Thanx for the help!
0
 

Author Comment

by:Banacek
ID: 33463295
I have dropped to safe mode and could delete the Windows\Temp areas, User Temp areas, internet explorer cache and that appears to have gotten rid of it.

I say appears, because I could never identify it and all the utilites listed did not seem to find anything.  Kinda scary, but once I cleared the temp areas - IN SAFE MODE - the machines all run normally again.

I will try to split the points.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article we discuss how to recover the missing Outlook 2011 for Mac data like Emails and Contacts manually.
Outlook Free & Paid Tools
The viewer will learn how to simulate a series of coin tosses with the rand() function and learn how to make these “tosses” depend on a predetermined probability. Flipping Coins in Excel: Enter =RAND() into cell A2: Recalculate the random variable…
The viewer will learn how to use the =DISCRINV command to create a discrete random variable, use this command to model a set of probabilities and outcomes in a Monte Carlo simulation, and learn how to find the standard deviation of a set of probabil…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now