How do I get rid permanently of a virus or malware please?

Discussion in 'Computer Support' started by Alasdair, Apr 17, 2010.

  1. Alasdair

    Alasdair Guest

    I have been infected by a virus and malware and I cannot get rid of
    it. It just keeps re-infecting my computer with itself. I use Panda
    Global Internet Protection and Malwarebytes' Anti-Malware 1.45.
    Please, has anyone any idea what I can do?


    This program comes up saying "Microsoft XP security centre has
    detected that your computer is infected with ??? Trojan and ??? worm,
    click here to disinfect", and whether you click it or not it changes
    nothing.



    I get rid of this malware and within the first ½ hour of going on to
    the net I notice I am being redirected to another site.

    The two sites it tries to send me to are

    http://bart4simp.com/in.cgi?6&parameter=keyboards+for+lapto&ur=1&HTTP_REFERER=33371

    and

    www3.makecure15p.xorg.pl

    I try to close the page that is redirecting me but Internet Explorer
    comes up with "this page is not responding" for a while and then the
    damage is done!

    What I want to know is where I can find the file that stores the
    redirected file?



    This is the log from the Malwarebytes Anti-Malware program:

    Malwarebytes' Anti-Malware 1.45
    www.malwarebytes.org

    Database version: 3930

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    17/04/2010 12:55:46
    mbam-log-2010-04-17 (12-55-46).txt

    Scan type: Quick scan
    Objects scanned: 111580
    Time elapsed: 19 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 6
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Home\Local Settings\Application Data\ave.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Home\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\IEXPLORE.EXE") Good: (iexplore.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Home\Local Settings\Application Data\ave.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\ZP5W1ZA5\Setup_95[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Home\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
     
    Alasdair, Apr 17, 2010
    #1

  2. Alasdair

    Mike Easter Guest

    This is not the right place or the right protocol to be using to do this
    - what you are trying to do.

    For various reasons, newsgroups like this are not the proper
    'environment'. On the one hand, there isn't a 'vetting' process for
    those such as you who would pose a question problem, and on the other
    hand, there also isn't a vetting process for those who might answer.

    The result is that all of the readers who aren't interested in looking
    at your mbam log are having to download your log data and the other
    result is that you don't know much about the source of the advice you
    might get.

    For that reason, webforums which have specific protocols which you, the
    seeker of sanitization, have to follow first before posting anything,
    and also specific protocols which provide a vetting of those who might
    help you.

    There are many such forums, such as spywarewarrior and techspot's virus
    and malware removal forum. Be sure to follow the guidelines before you
    post anything there.

    http://www.techspot.com/vb/menu28.html - Important Topic (please read)
    Special governing rules for the Virus & Malware removal board - Is your
    system infected? Read this before Cleaning or Formatting
     
    Mike Easter, Apr 17, 2010
    #2

  3. Alasdair

    chuckcar Guest

    Are you quarantining the two files you mention below? Are you using a
    *just* updated version of the virus information files? Have you tried
    removing access to the internet for all web browsers with your software
    firewall while you have this problem and then restarting? After that
    you should rescan again and see if it *actually* shows no infection
    then. *Only* then should you again allow access for web browsers.
    Since those are websites, if your web browser can't connect to the
    internet, you can't be reinfected. Hence the reason for what I stated
    above.
    And what about end tasking it?
    For the above two to be fixed a restart after cleaning is required. That
    will allow Windows to load the then cleaned registry.
    This requires those two files to be quarantined.
    *If* you are comfortable using regedit (do *not* use it unless you are)
    you can manually remove those keys after the two files are quarantined.
    After that, rebooting should remove any infection.
    Ok, there's your proof it's quarantining those files. Only the registry
    entries and *not* using a web browser at *all* before restarting are
    required. As stated, this requires two steps: 1. blocking any browser
    from any access to the web 2. cleaning the registry entries (either by
    your AV software and restarting or with regedit - with the conditions
    previously mentioned and then restarting).

    Try doing the scan, quarantine and registry cleaning in safe mode if the
    above doesn't work.

    As a last resort, wiping the drive and reinstalling Windows *will*
    remove this malware. But make *sure* you format the drive first if you
    choose to do it this way.
     
    chuckcar, Apr 17, 2010
    #3
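    The "rescan and see if it actually shows no infection" step above can be checked directly against the registry locations the MBAM log lists. This is an added PowerShell example, not code from the thread or from Malwarebytes: it assumes the key paths and the "Good:" values printed in the log, reads the registry only (it changes nothing), and is meant to be run from an elevated prompt after the reboot.

    ```powershell
    # Added example (not from the thread): re-check the registry locations that the
    # MBAM log reported as hijacked. Read-only. Paths and expected values are taken
    # from the log's "Good:" entries; a clean XP EXE handler is "%1" %*.
    $smi = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
    $sc  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $checks = @(
        # EXE file-type handler: when hijacked, every .exe launch runs through the rogue
        @{ Key = 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command'; Name = '(default)'; Exact = '"%1" %*' },
        # the rogue 'secfile' class does not exist on a clean system, so presence is suspect
        @{ Key = 'Registry::HKEY_CLASSES_ROOT\secfile\shell\open\command'; Name = '(default)'; Absent = $true },
        # browser launch commands: the first token must be the browser itself, not a wrapper such as ave.exe
        @{ Key = "$smi\FIREFOX.EXE\shell\open\command";     Name = '(default)'; Exe = 'firefox.exe' },
        @{ Key = "$smi\FIREFOX.EXE\shell\safemode\command"; Name = '(default)'; Exe = 'firefox.exe' },
        @{ Key = "$smi\IEXPLORE.EXE\shell\open\command";    Name = '(default)'; Exe = 'iexplore.exe' },
        # Security Center notification switches: 1 means the warnings were silenced
        @{ Key = $sc; Name = 'AntiVirusDisableNotify'; Exact = 0 },
        @{ Key = $sc; Name = 'FirewallDisableNotify';  Exact = 0 },
        @{ Key = $sc; Name = 'UpdatesDisableNotify';   Exact = 0 }
    )

    function Get-FirstExe([string]$cmd) {
        # File name of the first token of a command line, whether quoted or not.
        $m   = [regex]::Match($cmd.Trim(), '^(?:"([^"]+)"|(\S+))')
        $tok = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        return [System.IO.Path]::GetFileName($tok)
    }

    foreach ($c in $checks) {
        $item = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        $val  = if ($item) { $item.($c.Name) } else { $null }
        $bad  = $false
        if ($c.Absent)                   { $bad = ($null -ne $val) }
        elseif ($null -eq $val)          { $bad = $true }   # expected value is missing entirely
        elseif ($c.ContainsKey('Exact')) { $bad = ("$val" -ne "$($c.Exact)") }
        elseif ($c.Exe)                  { $bad = ((Get-FirstExe $val) -ine $c.Exe) }
        $status = if ($bad) { 'SUSPECT' } else { 'ok' }
        "{0,-7} {1}\{2} = {3}" -f $status, $c.Key, $c.Name, $val
    }
    ```

    Any line marked SUSPECT after a reboot means the entry was re-created, which is the re-infection loop the thread is about, so the browser-blocking and rescan steps above need repeating before trusting the machine.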
  4. Alasdair

    Buffalo Guest

    [snip]

    Perhaps you can find something at this link:
    http://en.kioskea.net/forum/affich-59028-remove-system-security


    Make sure you update MBAM (MalwarebytesAntiMalware) also.


    You should try the free version of SAS (SuperAntiSpyware) from
    Superantispyware.com.
    Download, install, update and run it. It will 'fix' any problem it finds that its
    paid kin will fix. I bought the paid version.
    Try posting in the alt.privacy.spyware news group.
    Buffalo
     
    Buffalo, Apr 17, 2010
    #4
  5. Alasdair

    VanguardLH Guest

    If you spend more than 3 evenings to eradicate a pest, the best choice is to
    flatten and rebuild (i.e., format the OS partition and do a fresh install of
    the OS, drivers, and updates). Save a backup first and then do it new.

    If you have eradicated the pest but keep getting reinfected, well, that's
    the fault of the user for revisiting the same infector sites or reinstalling
    the same infected software. Repeated infections mean YOU cause them. No
    security software can overcome a user's desire to reinfect their host
    through their repeated actions.
     
    VanguardLH, Apr 17, 2010
    #5
  6. Alasdair

    Aardvark Guest

    WTF?????
     
    Aardvark, Apr 17, 2010
    #6
  7. Alasdair

    Aardvark Guest

    WTF?????
     
    Aardvark, Apr 17, 2010
    #7
  8. Alasdair

    Aardvark Guest

    Or even 'judgement'? 'Judement' is somewhat obscure, don't you think? :)
    Does the phrase 'forlorn hope' ring any bells? :)
    Prepare for one of DUH-ane's lunatic onslaughts, Meat.
     
    Aardvark, Apr 18, 2010
    #8
  9. Alasdair

    Aardvark Guest

    With that four-toed foot of yours?

    LOL
     
    Aardvark, Apr 18, 2010
    #9
  10. Alasdair

    Aardvark Guest

    Yeah, but you'd be trying to balance on your four-toed gimp foot, wouldn't
    you DUH-ane.
    LOL Yeah. Right, DUH-ane.
    You don't so much leave as fade away, DUH-ane.
     
    Aardvark, Apr 18, 2010
    #10
  11. Alasdair

    §nühw0£f Guest

    Whoa! Way to make the threat of violence on the internets!

    I suspect the men in the black SUV will be parked on your street soon.

    ^_^

    --

    http://www.skepticalscience.com/
    cageprisoners.com|www.snuhwolf.9f.com|www.eyeonpalin.org
     
    §nühw0£f, Apr 18, 2010
    #11