Rogue Virus

Mags
A friend of mine called me panicked with a concern...A Rogue Virus...XP Console or something similar to that.  I ran Hitman Pro, Mbam and SAS.  I have attached the logs.  After I ran AVG 2011 it came up clean.  Is there anything else I should do?
log.xml
mbam-log-2011-03-27--12-28-28-.txt
SUPERAntiSpyware-Scan-Log---03-2.log
Commented:
I would run another scan with MalwareBytes to make sure the deleted files are still gone.
Commented:
Normally you need a "Rogue Process" stopper to make MBAM more effective.
Look at this:
http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

You could also use "RKill"
http://www.bleepingcomputer.com/download/anti-virus/rkill

Then follow the instructions here:
http://www.experts-exchange.com/A_1940.html (Basic Malware Troubleshooting)

Basically,
1 - Stop the Rogue
2 - Run a clean version of Malwarebytes.
Commented:
Good idea to run Malwarebytes again to make sure the scan comes out clean, or scan with the RogueKiller that younghv had suggested.

The MBAM log shows a bad dll(below) to be deleted on reboot, did MBAM reboot and has the file been deleted?

c:\WINDOWS\wmoimsen.dll (Trojan.Hiloti.Gen) -> Delete on reboot.


The HitmanPro log is not in an easily readable format.
The log showed TDSS and flagged a patched driver as "Pending-to-Delete". Whether it was deleted or not, or whether SAS also replaced the driver, what I see in the log is "Pending-to-Delete":

</Item>
<Item type="Malware" malwareName="Rootkit" score="114.0" status="PendingDelete">
  <Scanners>
    <Scanner id="G Data" name="Rootkit.Patched.TDSS.Gen (Engine-A)" />
    <Scanner id="DrWeb" name="BackDoor.Tdss.2459" />
    <Scanner id="Ikarus" name="Virus.Win32.Alureon!IK" />
  </Scanners>
  <File path="C:\WINDOWS\system32\DRIVERS\compbatt.sys" hash="B6502E18156E13ECD31925D22F7C6D5AE70CF5A02C5DD3F1A1B749A50BDF6FDA" />
  <Startup>
    <Key path="HKLM\SYSTEM\CurrentControlSet\Services\Compbatt\" />

I would scan the system with TDSSKiller or ComboFix as these tools can detect and replace patched drivers if a clean replacement is found. Using ComboFix she would need to uninstall AVG so ComboFix will run.

TDSSKiller:
http://support.kaspersky.com/viruses/solutions?qid=208280684

ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
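As an added example (not from this thread or from HitmanPro), a small script that pulls the PendingDelete entries out of a HitmanPro-style XML log like the fragment quoted above, lists every engine that flagged each object plus its startup key, and, after the reboot, checks whether those paths are still on disk. The sample log is constructed to match the quoted fragment's element and attribute names; the hashes are placeholders and the "Deleted" status on the first item is an assumed value used only for contrast.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the HitmanPro XML fragment quoted above
# (element/attribute names follow that fragment; hashes are placeholders;
# the "Deleted" status on the first item is an assumed value for contrast).
SAMPLE_LOG = r"""<?xml version="1.0"?>
<HitmanPro><Items>
  <Item type="Malware" malwareName="Trojan" score="80.0" status="Deleted">
    <Scanners><Scanner id="DrWeb" name="Trojan.Hiloti.Gen" /></Scanners>
    <File path="C:\WINDOWS\wmoimsen.dll" hash="PLACEHOLDER_HASH_1" />
  </Item>
  <Item type="Malware" malwareName="Rootkit" score="114.0" status="PendingDelete">
    <Scanners>
      <Scanner id="G Data" name="Rootkit.Patched.TDSS.Gen (Engine-A)" />
      <Scanner id="DrWeb" name="BackDoor.Tdss.2459" />
      <Scanner id="Ikarus" name="Virus.Win32.Alureon!IK" />
    </Scanners>
    <File path="C:\WINDOWS\system32\DRIVERS\compbatt.sys" hash="PLACEHOLDER_HASH_2" />
    <Startup><Key path="HKLM\SYSTEM\CurrentControlSet\Services\Compbatt\" /></Startup>
  </Item>
</Items></HitmanPro>
"""

def pending_items(xml_text):
    """Return the findings HitmanPro could only schedule for removal at reboot."""
    root = ET.fromstring(xml_text)
    pending = []
    for item in root.iter("Item"):
        if item.get("status") != "PendingDelete":
            continue
        file_el = item.find("File")
        pending.append({
            "name": item.get("malwareName"),
            "score": float(item.get("score", "0")),
            "path": file_el.get("path") if file_el is not None else None,
            "hash": file_el.get("hash") if file_el is not None else None,
            # every engine that flagged the object, so a lone detection stands out
            "detections": [s.get("name") for s in item.iter("Scanner")],
            # persistence: a patched service driver is loaded again at every boot
            "startup_keys": [k.get("path") for k in item.iter("Key")],
        })
    return pending

def still_on_disk(pending, exists=os.path.exists):
    """After the reboot, list pending paths still present (these need a re-scan)."""
    return [f["path"] for f in pending if f["path"] and exists(f["path"])]

if __name__ == "__main__":
    for f in pending_items(SAMPLE_LOG):
        print(f"{f['name']} {f['path']} <- {', '.join(f['detections'])}")
    print("still present:", still_on_disk(pending_items(SAMPLE_LOG)))
```

Run it against the real log.xml by replacing SAMPLE_LOG with the file's contents; an empty "still present" list after the reboot is what you want to see before flushing restore points.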
Mags (Author)
Commented:
Hello again everyone!  Boy, are there ever a lot of viruses out there!!  Thanks for your suggestions.  I ran rkill before Hitman.  I will run it before I run Malwarebytes again and also run TDSSKiller.  The machine was restarted after each scan so I believe everything was deleted.  Should I assume they have been deleted upon reboot or do you recommend rerunning each scan to verify?  I really appreciate all your time and help!
Commented:
Oh yeah, a lot of viruses out there unfortunately....

If the PC is running fine now then that's great!....some scans take a long time, so it's up to you if you want to run those scans again.

My only concern is the file that SAS flagged in the log.....any red flags on the TDSSKiller log?

If it's clean and PC is running fine then nothing to worry about.
You can flush those restore points and create a clean new one.

Turn OFF, turn it back ON and create a new restore point.
http://support.microsoft.com/kb/310405

Also get rid of temp files, either manually or using a tool such as CCleaner (www.ccleaner.com).
Mags (Author)
Commented:
Love CCleaner!  Use it all the time.  Great idea to flush the restore points...Thanks!
Mags (Author)
Commented:
Thanks for all your assistance!!