Rogue Virus

A friend of mine called me panicked with a concern...A Rogue Virus...XP Console or something similar to that.  I ran Hitman Pro, Mbam and SAS.  I have attached the logs.  After I ran AVG 2011 it came up clean.  Is there anything else I should do?
log.xml
mbam-log-2011-03-27--12-28-28-.txt
SUPERAntiSpyware-Scan-Log---03-2.log
SUPERAntiSpyware-Scan-Log---03-2.log
MagsOwnerAsked:
edbedbCommented:
I would run another scan with MalwareBytes to make sure the deleted files are still gone.
0
younghvCommented:
Normally you need a "Rogue Process" stopper to make MBAM more effective.
Look at this:
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

You could also use "RKill"
http://www.bleepingcomputer.com/download/anti-virus/rkill

Then follow the instructions here:
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

Basically,
1 - Stop the Rogue
2 - Run a clean version of Malwarebytes.
0

rpggamergirlCommented:
Good idea to run Malwarebytes again to make sure the scan comes out clean, or scan with the RogueKiller that younghv had suggested.

The MBAM log shows a bad dll(below) to be deleted on reboot, did MBAM reboot and has the file been deleted?

c:\WINDOWS\wmoimsen.dll (Trojan.Hiloti.Gen) -> Delete on reboot.


The HitmanPro log is not in an easily readable format.
The log showed TDSS and flagged a patched driver as "Pending-to-Delete"; whether it was deleted or not, or whether SAS also replaced the driver, I can't tell. What I see in the log is "Pending-to-Delete":

  </Item>
  <Item type="Malware" malwareName="Rootkit" score="114.0" status="PendingDelete">
    <Scanners>
      <Scanner id="G Data" name="Rootkit.Patched.TDSS.Gen (Engine-A)" />
      <Scanner id="DrWeb" name="BackDoor.Tdss.2459" />
      <Scanner id="Ikarus" name="Virus.Win32.Alureon!IK" />
    </Scanners>
    <File path="C:\WINDOWS\system32\DRIVERS\compbatt.sys" hash="B6502E18156E13ECD31925D22F7C6D5AE70CF5A02C5DD3F1A1B749A50BDF6FDA" />
    <Startup>
      <Key path="HKLM\SYSTEM\CurrentControlSet\Services\Compbatt\" />



I would scan the system with TDSSKiller or ComboFix as these tools can detect and replace patched drivers if a clean replacement is found. Using ComboFix she would need to uninstall AVG so ComboFix will run.

TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix




0
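An added example, not part of this thread and not HitmanPro's, Malwarebytes' or TDSSKiller's own code. It answers the two follow-up questions in the comment above with a script rather than by eyeballing logs: which items in a HitmanPro XML log are still PendingDelete (with the file hash and the service key that loads the driver), what a "Delete on reboot" entry will actually do at next boot, and, after the reboot, whether the flagged file is gone, has been replaced by a file with a different SHA-256, or is still the same bytes. Assumptions: the sample log is constructed from the fragment quoted above (the <Report> root element and the second <Item> are mine, not from the real log); that MBAM's "Delete on reboot" is implemented through the Session Manager PendingFileRenameOperations value is my assumption, so that value is decoded from a constructed list rather than read from the registry; and the HitmanPro hash is assumed to be SHA-256 because it is 64 hex digits.

```python
"""Added example (not from the thread). Post-cleanup checks for a HitmanPro
'PendingDelete' item and an MBAM 'Delete on reboot' entry."""
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample, built from the fragment quoted in the comment above.
# The <Report> root and the second <Item> are assumptions, not from the real log.
SAMPLE_LOG = """<Report>
  <Item type="Malware" malwareName="Rootkit" score="114.0" status="PendingDelete">
    <Scanners>
      <Scanner id="G Data" name="Rootkit.Patched.TDSS.Gen (Engine-A)" />
      <Scanner id="DrWeb" name="BackDoor.Tdss.2459" />
      <Scanner id="Ikarus" name="Virus.Win32.Alureon!IK" />
    </Scanners>
    <File path="C:\\WINDOWS\\system32\\DRIVERS\\compbatt.sys"
          hash="B6502E18156E13ECD31925D22F7C6D5AE70CF5A02C5DD3F1A1B749A50BDF6FDA" />
    <Startup>
      <Key path="HKLM\\SYSTEM\\CurrentControlSet\\Services\\Compbatt\\" />
    </Startup>
  </Item>
  <Item type="Malware" malwareName="Trojan" score="40.0" status="Deleted">
    <Scanners><Scanner id="Example" name="Constructed.Sample" /></Scanners>
    <File path="C:\\WINDOWS\\wmoimsen.dll" hash="00" />
  </Item>
</Report>"""

def pending_items(xml_text):
    """Return every <Item> still marked PendingDelete, with what a responder needs next."""
    found = []
    for item in ET.fromstring(xml_text).iter("Item"):
        if item.get("status") != "PendingDelete":
            continue
        f = item.find("File")
        found.append({
            "name": item.get("malwareName"),
            "path": None if f is None else f.get("path"),
            "hash": None if f is None else (f.get("hash") or "").lower(),
            "detections": [s.get("name") for s in item.iter("Scanner")],
            "startup_keys": [k.get("path") for k in item.iter("Key")],  # service that loads it
        })
    return found

def _strip_nt_prefix(p):
    # Session Manager stores NT object paths: \??\C:\dir\file -> C:\dir\file
    return p[4:] if p.startswith("\\??\\") else p

def parse_pending_renames(multi_sz):
    """Decode HKLM\\...\\Session Manager\\PendingFileRenameOperations (REG_MULTI_SZ,
    passed in as a list). Strings come in (source, destination) pairs: an empty
    destination means delete at boot, a '!' prefix means replace an existing file.
    That MBAM's 'Delete on reboot' relies on this value is an assumption."""
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        src = _strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, _strip_nt_prefix(dst[1:])))
        else:
            ops.append(("rename", src, _strip_nt_prefix(dst)))
    return ops

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_after_reboot(path, flagged_hash):
    """'missing'        -> file gone (what 'Delete on reboot' should produce)
       'replaced'       -> file present but hash differs (clean driver restored)
       'still_infected' -> file present with the flagged hash; pending action failed"""
    if not os.path.exists(path):
        return "missing"
    return "replaced" if sha256_of(path) != flagged_hash.lower() else "still_infected"

def run_demo():
    """Exercise verify_after_reboot() on a scratch file; returns the three verdicts."""
    flagged = pending_items(SAMPLE_LOG)[0]
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "compbatt.sys")
        before = verify_after_reboot(p, flagged["hash"])   # file does not exist yet
        with open(p, "wb") as fh:
            fh.write(b"constructed clean driver bytes")    # stands in for a restored driver
        clean = verify_after_reboot(p, flagged["hash"])    # hash differs from flagged one
        same = verify_after_reboot(p, sha256_of(p))        # flagged hash == current hash
    return before, clean, same

if __name__ == "__main__":
    for it in pending_items(SAMPLE_LOG):
        print(it["name"], it["path"], it["hash"], it["detections"], it["startup_keys"])
    print(parse_pending_renames(["\\??\\C:\\WINDOWS\\wmoimsen.dll", ""]))
    print(run_demo())
```

On a real machine you would feed `pending_items()` the actual HitmanPro XML, read the REG_MULTI_SZ with `winreg` and pass it to `parse_pending_renames()` before rebooting (so you know what the reboot is supposed to remove), then run `verify_after_reboot()` on each flagged path afterwards. A "still_infected" result on compbatt.sys after TDSSKiller is the signal that the driver was not replaced and needs a clean copy restored.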

MagsOwnerAuthor Commented:
Hello again everyone!  Boy are there ever a lot of viruses out there!!  Thanks for your suggestions.  I ran rkill before Hitman.  I will run it before I run Malwarebytes again and also run TDSSKiller.  The machine was restarted after each scan so I believe everything was deleted.  Should I assume they have been deleted upon reboot or do you recommend rerunning each scan to verify?  I really appreciate all your time and help!
0
rpggamergirlCommented:
Oh yeah, a lot of viruses out there unfortunately....

If the PC is running fine now then that's great!....some scans take a long time, so it's up to you if you want to run those scans again.

My only concern is the file that SAS flagged in the log.....any red flags on the TDSSKiller log?

If it's clean and PC is running fine then nothing to worry about.
You can flush those restore points and create a clean new one.

Turn OFF, turn it back ON and create a new restore point.
http://support.microsoft.com/kb/310405

Also get rid of temp files, either manually or using a tool such as CCleaner (www.ccleaner.com)
0
MagsOwnerAuthor Commented:
Love CCleaner!  Use it all the time.  Great idea to flush the restore points...Thanks!
0
MagsOwnerAuthor Commented:
Thanks for all your assistance!!
0