Steelman on 9/9/2008 at 19:50
Hi, I was hoping you guys will be able to help me with a big problem I have with my PC.
I booted up my PC as normal yesterday evening after work when, just before my desktop normally appears, a virus scanner called MS Antivirus popped up and promptly scanned my PC for me! It "found" a load of Viruses and directed me to register for their Removal tool. It wouldn't let me cancel or get rid of it as my PC had not fully booted up and it wouldn't let me ctrl/alt/del to bring up the task manager.
After rebooting, the desktop briefly appeared before the scanner had finished and I was able to access the start menu and remove MSAntivirus.exe (I think it was called something like that) and one or two other similarly named things. So now, when I boot up, the desktop appears for about thirty seconds or so, giving me just enough time to bring up a browser. The desktop then disappears, leaving a blue grey screen, and I can use the browser but nothing else on my PC.
I did a few searches and I believe I have managed to catch something called MS Antivirus. Oh, it also dumped a couple of porn short cuts to my desktop and has removed my email manager thingy, Calypso, from the desktop, but I can still access it from the start menu when it's available.
In short, guys, this thing has wrecked my fucking PC. How can I get it back to its normal self?
I will greatly appreciate any and every attempt to help but please bear in mind that I am computer illiterate and will probably need quite detailed instructions:o
My OS is Win2000pro
Please help - Steelman
bikerdude on 9/9/2008 at 19:59
hi Steelman
That's a new virus that's been doing the rounds lately - I've rebuilt 4x PCs for people in the last 2 weeks alone.
Your only fix for this is the following:-
* Download slax live CD 180mb, and burn to a CD.
* Backup your important data ONLY...(docs/pics/email/desktop etc) to same usb drive if you have the space or another USB drive.
* wipe your HDD and reinstall windows, drivers, apps.
* restore data from usb drive.
I would suggest you go and buy a decent antivirus program - even browsing less salubrious websites doesn't faze kaspersky, it's caught everything.
biker
37637598 on 9/9/2008 at 21:29
Indeed as Biker said, this virus is a nasty one that's VERY hard to get rid of. Your best bet is to format your drive and re-install windows...
OR, do what I did; Get a second hard drive (not a usb one, but a normal HDD), replace your current HD with it, and install windows on it. Then, once windows is running on your new HD, turn your computer off and hook up the old 'virused' hard drive as a slave. This will allow you to still run programs on your old drive without worrying about the virus. It worked great for me! The only down-side that I can remember, is not being able to retrieve your old OS settings. Once you do this, you can also browse through the virused HD and look for the virus and try to delete it, or just grab your files off of it and move them to your new HD, format the old HD, and use it for storage, OR format and install windows so you have 2 hard drives with working windows on them, just in case something like this happens again...
Hope that helps! It worked wonders for me! And a new HD is only about $80 for 300GB... Maybe less now.
-Vinnie-
EDIT: PS. If this sounds like something you would want to do, let me know and I can step ya through it if you need.
Steelman on 10/9/2008 at 22:05
Thanks for the replies.
I have a friend of a friend coming around tomorrow to pick up my PC, apparently he's a whizz with this kind of thing, so fingers crossed, but I don't hold out much hope to be honest.
I reckon that basically I am fucked, and I now have limited options. I either wipe my PC and start again as Bikerdude said, buy a new hard drive and do as 37637598 said or take advantage of the situation and do the upgrading that I had been meaning to do for a while. I just might take the latter option and have done with it and put it down to bad experience. Fucking fucking bollocks, that's a couple of hundred quid I could do without spending right now.
I'll be PCless for a couple of days (I hope it's only a couple) but will let you know how it goes (if I can) and will maybe need advice on new equipment.
Bye for now and thanks again for any help. steelman
The Gnat on 11/9/2008 at 01:31
Bikerdude, I have seen other people on other forums dealing with this virus. From your experience is this thing random or is it attaching and striking from certain sites or content?
bikerdude on 11/9/2008 at 15:10
Quote Posted by The Gnat
Bikerdude, I have seen other people on other forums dealing with this virus. From your experience is this thing random or is it attaching and striking from certain sites or content?
Generally the PCs I have rebuilt for people were infected by browsing porn/warez sites and the like. If you have a shite antivirus proggy like norton/mcafee, this virus will get past them.
I personally recommend Kaspersky. FYI zonealarm are now incorporating KAV into its security suite now...!!!
biker
Omega on 11/9/2008 at 20:55
If it's really XP Antivirus 2008 that you've got on your computer, ie, it changes the desktop wallpaper and adds policies so you can't change it back. You just need to download malwarebytes (http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html) and have it do a quick scan (yes, it's free). Then when it finds stuff let it fix all the stuff it finds and you're done. It's like a 20 minute fix.
Steelman on 16/9/2008 at 21:51
Thanks for the advice.
Great news (well for me anyway). Malwarebytes seems to have done the trick. That friend of a friend thing didn't happen (some people are full of shit). I have Kaspersky looking after things now so this doesn't happen again. So thanks for all the help.
The thing is, whenever I run Malwarebytes it still finds this:
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9346a6bb-1ed0-4174-afb4-13cd4ec0aa40} (Trojan.Agent)
A search reveals that it is something called a Browser Helper Object (BHO), the description of which doesn't sound like the sort of thing that it would be a good idea to have on your machine. Any ideas on how to get rid of it? Malwarebytes tells me that it will remove it on reboot, but when it scans immediately on restarting it always finds it again.
Any help appreciated.
belboz on 26/9/2008 at 16:52
It writes itself to two places in the registry. The virus checker programs remove one of the places; they don't remove the other place because the other place is a random generated key name, although if you do a regedit it's the first item in the list where the key the virus checker removes. The random generated key contains links to four programs that the virus has written into your system, which basically reinstall the virus after you've run the virus checker and removed the other key, and then rewrites the other key to your registry. Does exactly the same if you reboot. It also deletes all your system restore files so you can't restore your computer to an earlier date when it wasn't in your computer. It's just a money sink to steal your credit card number if you are stupid enough to buy the software it's offering. I know some people who did that, and they had to cancel their credit cards.
All the people I know who've had this virus have had to re-install their operating system.
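
For the Browser Helper Object question raised in the thread, an added example (not posted by any participant and not Malwarebytes' own logic): it reads a regedit text export, lists every CLSID registered as a BHO, and resolves each to the DLL Internet Explorer would load. Assumptions: the export covers HKEY_LOCAL_MACHINE, of which HKEY_CLASSES_ROOT\CLSID is a view; the sample export, the second CLSID and the DLL path are constructed for illustration.

```python
import re

# CLSID that Malwarebytes reported in the thread above.
REPORTED = "{9346a6bb-1ed0-4174-afb4-13cd4ec0aa40}"
# Standard location where Internet Explorer looks up BHOs, and the COM class table.
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# Constructed sample export; the DLL path and the second CLSID are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9346a6bb-1ed0-4174-afb4-13cd4ec0aa40}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9346a6bb-1ed0-4174-afb4-13cd4ec0aa40}\InprocServer32]
@="C:\\WINNT\\system32\\example1.dll"
'''

def parse_reg(text):
    """Return {key_path: {value_name: string_data}} from regedit export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
            if m:  # string values only; "" is the key's default value
                name = "" if m.group(1) == "@" else m.group(1)[1:-1]
                current[name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def list_bhos(keys):
    """Return [(clsid, dll_path_or_None, was_reported)] for each registered BHO."""
    lowered = {k.lower(): v for k, v in keys.items()}  # registry paths ignore case
    out = []
    for key in sorted(lowered):
        parent, _, clsid = key.rpartition("\\")
        if parent != BHO_KEY.lower():
            continue
        server = lowered.get(f"{CLSID_KEY.lower()}\\{clsid}\\inprocserver32", {})
        out.append((clsid, server.get(""), clsid == REPORTED))
    return out

if __name__ == "__main__":
    for clsid, dll, reported in list_bhos(parse_reg(SAMPLE)):
        print(clsid, dll or "(no InprocServer32 entry)", "REPORTED" if reported else "")
```

A BHO that resolves to no DLL is a leftover registration; one that resolves to a DLL you do not recognise is the file to check with the scanner before deleting the key, since removing the key alone leaves whatever recreates it in place.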