Solved

VIRUS FIX

Posted on 2011-03-14
584 Views
Last Modified: 2013-11-22
I have a machine with the latest "Your computer is infected with a virus, click here for a free scan" virus.  Before, you could run Malwarebytes, remove the infected files and then search the registry for 127.0.0.1, then remove the folders those values are contained in (proxy server stuff).  This new one doesn't use 127.0.0.1 (loopback address).  So the internet won't work.  Can anyone help!  What do I need to do to get the internet back up and running?

The attached log files are from after the virus was partially removed by MBAM.
hijackthis.log
mbam-log.txt
0
Question by:kwolbert_IT
24 Comments
 
LVL 5

Expert Comment

by:sweeps
ID: 35128225
did you go into internet explorer properties under connections then uncheck the proxy settings?
0
 
LVL 28

Expert Comment

by:jhyiesla
ID: 35128254
If you have a second user account, try booting the computer into Safe mode and then log in as that second user. We had something similar happen recently that doing this allowed us to run MWB completely and get rid of the infection.

However, it did leave the original account unable to run any EXE files so I had to save off her documents, delete the profile and have her log on again to create a new profile.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 35128293
Try running this Microsoft Fixit.
http://support.microsoft.com/kb/972034
0
 
LVL 2

Author Comment

by:kwolbert_IT
ID: 35128297
Under the LAN Settings?  There the proxy setting is unchecked.  I don't see a proxy setting just under the Connections tab.
0
 
LVL 5

Expert Comment

by:sweeps
ID: 35128307
Then I would do what jhyiesla suggested.  
0
 
LVL 38

Accepted Solution

by:
younghv earned 250 total points
ID: 35128348
You may need to use something to stop the malware processes first.
And you should download MBAM again using the instructions (Save As) below - or downloading it to a clean computer and renaming the executable before it touches the infected computer.

Check out this link to download "RogueKiller".
Follow the instructions to run it - then do MBAM in "Normal Mode" - ignore any advice to use "Safe Mode" for MBAM.

http://www.geekstogo.com/forum/files/file/413-roguekiller/

*********************
Download, install, and run
CCleaner (www.ccleaner.com)
Doing this will clean out all of the Temp/Junk files from your browser.

Download, install, and run
Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)
When downloading, save to your "Desktop" and use the "Save As" function (Internet Explorer) to rename the file.
The instructions are included right in that link.

If you need to manually download the latest update, use this link:
http://data.mbamupdates.com/tools/mbam-rules.exe

When finished with MBAM, post the log that is generated and let us look at it for you.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35128377
@Experts:
Please read the actual guidance from the developers of MBAM and quit making this "Safe Mode" recommendation.

http://forums.malwarebytes.org/index.php?showtopic=17334&pid=88995&start=&st=#entry88995
0
 
LVL 2

Author Comment

by:kwolbert_IT
ID: 35128388
Microsoft Fixit didn't work.  I can only connect to this machine remotely.  Booting into safe mode would terminate my connection.

Has anyone possibly searched the registry in the older versions and recorded the folders that stored 127.0.0.1?  If I delete those folders I think it will start to work again (this is my theory).
0
 
LVL 23

Expert Comment

by:edbedb
ID: 35128408
Try WinSock XP Fix, you can get it here. http://www.snapfiles.com/get/winsockxpfix.html
0
 
LVL 1

Assisted Solution

by:Tony_the_PC-Tuner
Tony_the_PC-Tuner earned 250 total points
ID: 35128429
Download RKill onto a clean computer, and put it on a USB drive.

Restart your computer, navigate to the USB drive, and then run RKill.


RKill will "kill" any suspicious processes.  You might need to run RKill twice or even three times.  Eventually, it will interfere with any process that isn't supposed to be running, temporarily rendering the virus disabled.  

Now run your top quality antivirus program, in "deep scan" or "full" mode.  Restart your computer and run your antivirus again in "full" or "deep scan" mode.  Immediately following this 2nd scan, run CCleaner or other temp file cleaner.

This series of steps will often go a long way towards cleaning up an infected machine.
0
 
LVL 6

Expert Comment

by:nettek0300
ID: 35128482
I would try logging in using a different profile.  Most of these viruses only affect the user profile that it was installed with.  Once you log on using a different profile, you can back up the needed files in that profile and delete the profile.  Most of these place an executable file (.exe or .cmd) somewhere in the user profile.  If you compare a different user profile with the infected one, you can probably find the executable file it is running.  Most times it ends up either in the root of the profile or in one of the app data directories in the profile folder.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35128578
nettek0300,
"Different profile/account" was already suggested here: http:#a35128254

Please acknowledge prior Expert's suggestions when you expand on a comment they have made.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35128616
"Tony_the_PC-Tuner" mentions downloading "Rkill" to a USB device.

You can also download it (to the Desktop) of that remote computer - but use this link:
http://download.bleepingcomputer.com/grinler/eXplorer.exe

It is a renamed version of Rkill that won't be recognized by the malware.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 35128651
I would check your hosts file.

From the run box, type the following:

 notepad c:\windows\system32\drivers\etc\hosts

How does the hosts file look?
0
 
LVL 2

Author Comment

by:kwolbert_IT
ID: 35128837
I tried the other account thing.  I tried the admin account with no success.  I tried RKill and the hosts file looks fine.  I am rebooting after rkill.exe/ccleaner.exe/mbam.exe -> this one found 4 instead of 2.  I also went into Documents and Settings\[the user accounts]\Local Settings\Temp and deleted all the files and folders.
0
 
LVL 2

Author Comment

by:kwolbert_IT
ID: 35128862
No DNS resolution, I also can't ping but ICMP is turned off.
0
 
LVL 38

Expert Comment

by:younghv
ID: 35128924
Is there a router at that remote location?

This link was provided by the Expert known as sjklein42 - if he checks in to this question (and it works) please give him the credit.

http://tidystorm.com/423/the-redirect-virus-was-in-my-router/
0
 
LVL 1

Expert Comment

by:Tony_the_PC-Tuner
ID: 35129098
I know you're trying to restore internet connectivity, but have you found yourself in a place where you are satisfied the machine is clean?

I could be reading you wrong, but it sounds like you're trying to connect to the net while working from a sick machine.  In my opinion this is not the best route to take, mostly because if you've still got some nasty malware, it could phone home and invite its cousins, or it might reinstall some of the stuff you've already removed.

The route I would take is to make sure you're clean as a whistle, then just reinstall your LAN/NIC drivers as needed.  
0
 
LVL 9

Expert Comment

by:discgman
ID: 35129114
what was the name of the program that pretended to be a virus scan and clean?? antivirus 2011?
0
 
LVL 2

Author Comment

by:kwolbert_IT
ID: 35129247
I'll go with that.  I was called and told that Outlook Express was installed on the machine.  Since Outlook Express is installed on all machines, the icon had to appear at random.  Most likely by an employee (is what I was thinking).  When I logged into the computer it had the lock computer, shutdown, login screen.  This is impossible since I used Remote Desktop to connect.  I canceled out and got the Desktop.  I then started to run scans.

The reason I say Antivirus is because it is doing all the same stuff.  From the weird file in windows\temp to the internet proxy setting that fails after the virus's removal.  I have no symptoms other than the weird login screen and the Outlook Express icon appearing on the desktop and possibly in the quick launch.
0
 
LVL 2

Author Comment

by:kwolbert_IT
ID: 35129350
I think I got it.  Most likely the RKill, CCleaner, MBAM combo.  The DNS settings were wiped out.  I put the settings back in and it came up to the Run Once screen.  I'm getting errors there but I'll probably figure that out (if not I'll post again).  Thanks for everyone's help!
0
 
LVL 38

Expert Comment

by:younghv
ID: 35129368
kwolbert_IT,
My comment here: http:#a35128348 is specifically targeted to these 'scareware' infections such as Antivirus 2011.

Another link here from the Malwarebytes forum.
http://forums.malwarebytes.org/index.php?showtopic=77433
0
 
LVL 38

Expert Comment

by:younghv
ID: 35129377
OK - good.
I was typing at the same time you were.
0
 
LVL 1

Expert Comment

by:Tony_the_PC-Tuner
ID: 35129565
"I think I got it.  Most likely the RKill, CCleaner, MBAM combo.  The DNS settings were wiped out.  I put the settings back in and it came up to the Run Once screen.  I'm getting errors there but I'll probably figure that out (if not I'll post again).  Thanks for everyone's help!"

That is good news!

But just an FYI, make sure that after you've completed all of this, you do a full reboot into the "normal" mode on the primary user's account (the one with the infection) and run another complete deep scan with Malwarebytes or whatever high quality antimalware program you are running.

I know, it takes forever, but you want to make sure that some trace of the virus didn't respawn.  If it does respawn because some trace of it was left, it is possible that you'll find yourself back in the same situation with your DNS settings wiped out or your proxy settings messed with.  Doing a second (and hopefully final) scan from the user's profile will give you a much better degree of certainty.
0
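The three connectivity settings this thread ends up checking by hand (the proxy under IE's LAN Settings, the hosts file, and the per-adapter DNS servers that turned out to be wiped) can be read in one pass. The script below is an added example, not something posted in the thread; it is read-only, assumes Windows with PowerShell 2.0 or later, and uses the standard WinINet registry key and WMI adapter class.

```powershell
# Added triage script (not from the thread): read-only report of the
# settings scareware of this kind tampers with, so you can confirm state
# before and after cleanup instead of hunting through the registry by hand.

$findings = @()

# 1. Proxy: the current user's WinINet key is what IE's
#    Connections > LAN Settings dialog edits.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p.ProxyEnable -eq 1) { $findings += "Proxy enabled: $($p.ProxyServer)" }
if ($p.AutoConfigURL)     { $findings += "Auto-config (PAC) URL set: $($p.AutoConfigURL)" }

# 2. Hosts file: anything beyond comments and the stock localhost lines
#    is worth a look (redirect malware commonly adds entries here).
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
foreach ($raw in (Get-Content $hosts -ErrorAction SilentlyContinue)) {
    $line = $raw.Trim()
    if (-not $line -or $line.StartsWith('#')) { continue }
    if ($line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
        $findings += "Non-default hosts entry: $line"
    }
}

# 3. DNS servers on every IP-enabled adapter; an empty list is the
#    "DNS settings were wiped out" condition from the thread.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    if (-not $nic.DNSServerSearchOrder) {
        $findings += "No DNS servers configured on: $($nic.Description)"
    } else {
        $findings += "DNS on $($nic.Description): $($nic.DNSServerSearchOrder -join ', ')"
    }
}

if ($findings) { $findings } else { 'No proxy, hosts or DNS anomalies found.' }
```

Run it in the affected user's session (the proxy key is per-user), and rerun after the RKill/CCleaner/MBAM pass to confirm the DNS and proxy values stayed as you set them.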
