ClioSport.net


Virus (?) Removal



  Punto/Clio GTT
Have a virus I think, firewall is not working properly and I'm unable to change settings on it.

Tried to install AVG and I just get an error when I try to install.

When I go to websites like the Ad-Aware download it just redirects me to spam pages.

So can't install AVG and can't get my firewall on, where do I start? Cheers
 
  Punto/Clio GTT
Error I get from AVG install is:

Local machine: installation failed
Initialization:
Warning: Windows Firewall activity checking failed.
Error 0x800706d9
Installation:
Error: Action failed for file avgldx86.sys: starting service....
Error 0x800704fb
Warning: Action failed for file avgam.exe: enabling in Windows Firewall....
Error 0x800706d9
Rollback:
Warning: Action failed for file avgam.exe: removing from Windows Firewall....
Error 0x800706d9
 
  Clio 172
Download "Spybot Search and Destroy" and "Malwarebytes", scan and get rid of everything they come up with. Then try to install AVG. Post how you get on here.
 

Don

ClioSport Club Member
  182 & Audi A3
Rkill.exe and Malwarebytes (both free): use Rkill to kill any processes, and Malwarebytes once Rkill is complete... can take a fair while though.
 

Al_G

ClioSport Club Member
  Honda S2000
Have you tried avast?

Download, install and if successful attempt a boot up scan.
 
  Punto/Clio GTT
Database version: v2012.06.17.07

Windows 7 Service Pack 3 x86 NTFS
Internet Explorer 9.0.8112.16421
Dan :: DAN-PC [administrator]

6/17/2012 9:30:48 PM
mbam-log-2012-06-17 (21-30-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 189277
Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Users\Dan\AppData\Local\{10474e3c-c607-1990-cafe-3bbb9128dcd3}\n. -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32| (Trojan.Zaccess) -> Bad: (\\.\globalroot\systemroot\Installer\{10474e3c-c607-1990-cafe-3bbb9128dcd3}\n.) Good: (%systemroot%\system32\wbem\wbemess.dll) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Windows\assembly\GAC\Desktop.ini (Trojan.0access) -> Delete on reboot.
C:\Windows\Installer\{10474e3c-c607-1990-cafe-3bbb9128dcd3}\n (Trojan.Agent.MRGGen) -> Delete on reboot.
C:\Windows\Installer\{10474e3c-c607-1990-cafe-3bbb9128dcd3}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Windows\Installer\{10474e3c-c607-1990-cafe-3bbb9128dcd3}\U\80000000.@ (Trojan.Sirefef) -> Quarantined and deleted successfully.

(end)
 
  Punto/Clio GTT
[image attachment: 222323fdfdf.jpg]
 
IMHO if you're having trouble removing something and are not massively clued up then the best and safest option is to back up any data files (if you haven't got a backup already) and reformat/reinstall Windows.

What AV were you running beforehand, or did you have nothing?

Just having a look at the details of that trojan and to be honest I wouldn't trust a system after having that and would want a wipe and start again, just being extra careful/paranoid :)

Whilst you may have just been infected and no one has done anything, it could be that someone has been fiddling with your machine and who knows what else they may have done.

http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99
 
  Punto/Clio GTT
Can't install ZoneAlarm either
[image attachment: guessnotlol.jpg]



Ain't had an antivirus since I built the PC, this is the first time I've had a problem with it, in about 3-4 yrs

I'm thinking reinstall Windows too, what a b*****d
 
And this is why, even as someone who works in IT security, I'll always run AV on a Windows machine (well, apart from any scratch/test/honeypot machines); it's just too easy to get hit.

I bet you run as an admin account with UAC turned off as well ;)
 
OK, I need to remember what it's done, but it has changed something in your IP routing which blocks the antivirus sites. I am being vague as it was ages ago I sorted this for someone else, and unless in front of the machine it's hard to remember. Hopefully this jogs someone else's memory.
 
lol ;)

Format, reinstall, run MS AV and run with a standard user account for day to day, with an admin account there when you need it :)

*edit* the above I'm assuming is talking about the software fiddling with your hosts file.

Thing is you can remove the trojan, but what else have they done to your system that you don't know about?

Again I'm probably more paranoid than most with this sort of thing, but there's a reason ;)

If you just want to remove it try the Symantec removal tool maybe? http://www.symantec.com/security_response/writeup.jsp?docid=2011-121607-4952-99
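Two replies above say the infection blocks antivirus sites, most likely through the hosts file. Here is an added Python example (not from the thread) that audits a hosts file for exactly that: it parses the file, then flags any entry that points a security-vendor domain at a remote address ("redirect") or at loopback/0.0.0.0 ("sinkhole"). The hosts content and the vendor watch list are constructed assumptions for the example, not data from the affected machine; on a real system you would read `%SystemRoot%\System32\drivers\etc\hosts` (Windows) or `/etc/hosts` instead of the embedded sample.

```python
"""Audit a hosts file for entries that redirect or block security-vendor sites.

Added example; SAMPLE_HOSTS and WATCH_SUFFIXES are constructed for illustration
and are not taken from the affected machine in the thread.
"""
import ipaddress

# Constructed sample: the loopback lines are what a default file contains, the
# rest imitate the kind of tampering described in the thread.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.avg.com
203.0.113.10    free.avg.com
0.0.0.0         www.malwarebytes.org
127.0.0.1       www.symantec.com   # sinkholed to loopback
192.168.1.50    intranet.example   # ordinary local entry, must not be flagged
"""

# Assumed watch list of vendor / update domains (suffix match, lower case).
WATCH_SUFFIXES = ("avg.com", "malwarebytes.org", "symantec.com",
                  "microsoft.com", "windowsupdate.com", "avast.com")


def parse_hosts(text):
    """Return (address, hostname, line_number) tuples, ignoring comments and blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                             # blank or malformed line
        for host in parts[1:]:                   # one address may carry several names
            entries.append((parts[0], host.lower(), lineno))
    return entries


def _watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCH_SUFFIXES)


def audit_hosts(text):
    """Return one finding per suspicious entry: redirect, sinkhole or unparseable."""
    findings = []
    for addr, host, lineno in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append({"line": lineno, "host": host, "addr": addr, "kind": "unparseable"})
            continue
        if not _watched(host):
            continue                             # not a vendor domain, nothing to say
        # loopback or 0.0.0.0 silently blocks the site; anything else sends it elsewhere
        kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append({"line": lineno, "host": host, "addr": addr, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['kind']:11s} {f['host']} -> {f['addr']}")
```

A clean hosts file does not exonerate the machine: the reply above mentions "IP routing", and a hijacked DNS server setting, a proxy setting or a network filter driver produces the same symptom without touching this file, which is part of why the wipe-and-reinstall advice in the thread holds.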
 
  Clio 172
Chris is bang on the buck. Reading the first log from AVG, it seems to have played with Windows Firewall, which could be why ZoneAlarm couldn't contact the Internet. Problem is, unless you can download a hotfix for this exact virus (which will edit all known files that are changed back to standard), you will have to change each back to standard yourself, and you will miss something, then more than likely get it again.

Thing is, it's probably installed countless bots, advert programs etc. etc. Back up anything you want to save, reinstall and use Microsoft Security Essentials. Scan all your backed up files before copying them over, as it will probably have started with something you downloaded or a page you visited. Starting again is the only 100% best way.

And yeah, it probably has edited your hosts file. But like I said, and same with Chris, there will be other things out there that have been changed.
 
  Polo + Micra
I'd be booting a live session of Ubuntu and going on the attack with the delete button on anything that looks slightly out of place.

There might even be a virus scanner for it.
 
  Clio 172
Overkill IMO, definitely if the OP isn't that clued up; by the time you've sorted a live Ubuntu CD/USB, you could have restarted Windows. It's difficult to completely remove all traces of it yourself.
 
  Clio 182
Best and easiest thing to do is:

Take out the Hard-drive and get it into another machine and backup all necessary files.

Put the hard-drive back into the affected machine and re-install Windows.
 

