Tuesday, June 17, 2008

stubborn viruses

Steven's daughter Bryanna's laptop got hit with multiple viruses. All stubborn.

First was a Windows Script Host message saying it could not find:

c:\document and settings\owner\Local Settings\Temp\tt992.tmp.vbs

Later were attempts to get to WWW.WINIFIXER.COM which were blocked by SpySweeper. WWW.VIRUSBURST.COM too.

The background had a message that the system was infected. And a crawling bug screensaver kept popping up. Both are symptoms of FakeAlert-AG.

Some of this may have been due to running Malware Protector.

XP Defender also popped up. Like I said, multiple problems.

I did the standard stuff like installing AVG, Windows Defender, Ad-Aware, Spybot. CrapClean too for good measure. AVG seemed to catch some of it. And so did Windows Defender.

The screen saver and background tabs were missing, but I was able to reset them at KellysKorner.

That seemed to help a lot, though I was still getting the occasional popups.

I also tried to see if I could do a system restore. But all the old restore points were gone.

Anyway, that seemed good enough for me, so I tried to do a system update of XP Service Pack 3. Unfortunately, hours later, the system stopped responding so I tried to cancel and the system stalled again.

So I rebooted, and the upgrade got uninstalled. And the viruses were back, including the crawling bugs. Well, at least the background message was gone.

AVG turned up Generic.OYG, which I moved to the vault.

Windows Defender detected TrojanJS/Agent.FA

KellysKorner would bring back the tabs, but they would get lost again on reboot.

AVG would find Trojan horse Agent.WLG and Trojan horse FakeAlert.O. Not to mention FakeAlert.O and Agent.WLQ.

And I couldn't get rid of them.

So I turned to safe mode and ran AVG in command line mode (the only mode it runs in in safe mode).

It found a problem in the registry starting up Trojan horse Agent.WLG, Fake_antispyware.OI, and Trojan horse FakeAlert.O.

I deleted the registry key and infected files from the command prompt. That seemed to clear up a lot of the problems.

Power back on. No Windows Script Host message (may have been running from the registry key). Good sign.

But AVG found Trojan horse Agent.WLQ which was in System Volume Information\_restore. I manually deleted the file.

Trend Micro showed Microsoft vulnerabilities, but no spyware. Tried Office Update, but the installed Office could not be verified as genuine.

SpySweeper found an apmebf cookie, and rogue security products in quarantine. Deleted the quarantine.

Windows Defender found Trojan:JS/Agent.FA, which is also known as:
Trojan-Downloader.JS.Istbar.ax (Kaspersky)
VBS/Istbar (AhnLab)
JS/ForcePopup (Authentium)
Trojan.Clicker.CM (BitDefender)

This was very annoying and wouldn't go away.

I installed BitDefender which sure enough caught multiple occurrences of Trojan.Clicker.CM. But they kept coming back even after manually deleting them.

Exasperated, I tried turning back the system date to see if I could do a system restore. No dice; all the old restore points were still missing.

Ran a BitDefender full scan again. Ran Ad-Aware, which found a tracking cookie.

Ran Spybot, which found a tracking cookie. Then tried to immunize, which got stuck. So I shut down the background virus protection (Trend Micro, AVG, SpySweeper, etc.) and the immunization went through.

Ran BitDefender again, but the Trojan.Clicker.CM was back.

At this point, I think I tried Windows Update again and this time there were some specific updates to apply instead of the whole Service Pack 3 (don't ask me why). And this time the updates were successful.

Windows Defender found nothing. BitDefender found nothing. Reboot, and BitDefender found only files in the Trend Micro quarantine.

I don't know if it was perfectly clean, but that was good enough for me. Uninstall BitDefender. And get it out of here.

The other option, of course, would be to reinstall the O/S from scratch. But I didn't have the system CD. And I don't know if they had all the programs. Office might have been borrowed.

So in summary, what helped fix it were AVG, KellysKorner, AVG in safe mode and manually deleting in command mode, and Windows Update. Immunizing with Spybot might have helped too, but I'm not sure.
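Two of the symptoms above have a common root in the registry: a Windows Script Host "cannot find" error at logon usually means a Run-key entry still points at a script that the antivirus has already removed (which is why the message disappeared once the key was deleted), and the missing Background and Screen Saver tabs are hidden by the NoDispBackgroundPage and NoDispScrSavPage policy values that fixes like KellysKorner's reset. The script below is an added example, not something from the post or from any of the tools named in it. It audits a .reg export (as produced by `reg export`, here a constructed sample that mirrors the quoted path) for autorun entries whose target file no longer exists and for policy values that hide Display Properties tabs; the file list it checks against is also constructed, so it runs offline.

```python
import os
import re
from typing import Dict, List, Set

# Constructed sample of what "reg export" of the two keys might look like on an
# infected XP box. The .vbs path mirrors the message quoted in the post; the
# other values are invented for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"tt992"="wscript.exe \"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\tt992.tmp.vbs\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001
'''

# Constructed stand-in for the file system: the files that actually exist.
EXISTING_FILES = {r"C:\WINDOWS\system32\ctfmon.exe"}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
AUTORUN_KEY_RE = re.compile(r'\\currentversion\\run(once)?$')
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
HIDDEN_TAB_POLICIES = ("NoDispBackgroundPage", "NoDispScrSavPage")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: raw data literal}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def decode_string(raw: str) -> str:
    """Turn a REG_SZ literal ("...", with \\ and \" escapes) back into the stored string."""
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return re.sub(r'\\(.)', r'\1', raw)


def target_path(cmd: str) -> str:
    """Return the file an autorun command line really launches.

    For a script host such as wscript.exe the interesting file is the script
    passed as the first argument, not the host executable itself.
    """
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]
    if not tokens:
        return ""
    if os.path.basename(tokens[0]).lower() in SCRIPT_HOSTS and len(tokens) > 1:
        return tokens[1]
    return tokens[0]


def audit_autoruns(keys: Dict[str, Dict[str, str]], existing: Set[str]) -> List[dict]:
    """Flag Run/RunOnce entries whose target file is missing (dangling autoruns)."""
    present = {p.lower() for p in existing}  # Windows paths are case-insensitive
    findings = []
    for key, values in keys.items():
        if not AUTORUN_KEY_RE.search(key.lower()):
            continue
        for name, raw in values.items():
            target = target_path(decode_string(raw))
            if target.lower() not in present:
                findings.append({"key": key, "name": name, "target": target,
                                 "issue": "autorun target does not exist"})
    return findings


def audit_display_policies(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the policy values that are set and hide Display Properties tabs."""
    hits = []
    for key, values in keys.items():
        if not key.lower().endswith(r'\policies\system'):
            continue
        for name in HIDDEN_TAB_POLICIES:
            raw = values.get(name, "")
            if raw.lower().startswith("dword:") and int(raw[6:], 16) != 0:
                hits.append(name)
    return hits


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for finding in audit_autoruns(parsed, EXISTING_FILES):
        print(f"{finding['key']}\\{finding['name']}: {finding['issue']} ({finding['target']})")
    for policy in audit_display_policies(parsed):
        print(f"display tab hidden by policy value {policy}")
```

On a real machine you would feed it the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the Policies\System key) and replace the constructed file set with `os.path.exists` checks; a dangling entry is a cleanup leftover to remove, while a live entry pointing into a Temp directory is worth a closer look before anything is deleted.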

2 comments:

Unknown said...

Hi Mike,
Great blog. Found it as I tried to figure out what to do with my blue screen/"Warning Spyware Detected on Your Computer" message. I ran Webroot but can't fix my background either. On a scale of 1-10, I'm about a 6 with regards to computers and was able to follow your procedures quite well. I'm tempted to walk my laptop to Geek Squad. Do you have an idea of the cost to 'clean up' this mess? Also, there are online forums where I can post my logs and they'll help me out. Do you recommend any reputable ones? I don't want to follow steps from a hacker. Thanks again. Leo

Mike said...

Probably the best thing to do would be to reinstall your operating system. Especially if you're having problems getting rid of the virus.

I usually do that as a last resort if I can't get rid of the virus(es) satisfactorily. But in this case, I didn't have the system CD.

Looking at the Geek Squad web site, it looks like they would charge a couple hundred bucks.