
Virus - Please solve me how to deal with this virus

Joined
Jan 27, 2007
Messages
654 (0.10/day)
Location
India
System Name HP envy 17 3090nr
Processor Intel core i7-2670QM 2.2ghz
Memory 8gb
Storage 1TB
Software Genuine Windows 7 Home Premium
Benchmark Scores Windows experience index 6.9
Submit a HijackThis report please. If HijackThis won't run, then rename the file to something else and run it.

I didn't understand.
How to do that?
 
Joined
Jun 2, 2007
Messages
5,106 (0.83/day)
Location
Kansas
Processor Core i5 3570K
Motherboard AsRock z77 Pro4
Cooling Zalman CNPS10X Extreme
Memory 2x4GB GSkill Sniper
Video Card(s) MSI GTX970 Gaming
Storage 240GB OCZ ARC 100, Samsung Spinpoint F3 1TB
Display(s) LG 23" 1920x1080
Case Antec P100
Audio Device(s) Onboard
Power Supply Antec Edge 750W
Software Windows 8.1 Pro 64
Some infections can only be cured by a reinstall of Windows. This may be one of those times. Back up your files and reformat.
 
Joined
May 27, 2008
Messages
3,628 (0.62/day)
System Name Ultra 64
Processor NEC VR4300 (MIPS R4300i)
Motherboard proprietary design
Cooling Fanless aircooled
Memory 4.5MB 250 MHz RDRAM
Video Card(s) 62.5 MHz Reality Coprocessor
Storage 32 - 512 Mbit ROM Cartridge
Display(s) 720x576
Case Clear Blue Funtastic
Audio Device(s) 16-bit CD quality
Power Supply proprietary design
Mouse N64 mouse for use with N64DD
Keyboard N64 keyboard for use with N64DD
I hate to say it, but I agree with everyone else on the reformat. Every time I've had a virus infect main Windows stuff it's been game over and I've had to nuke it. You're lucky you can still access your files to back them up; I couldn't.
 
Joined
Jan 27, 2007
Messages
654 (0.10/day)
Location
India
I tried to run Kaspersky bootcd but it's not detecting any of the hard drives in my laptop, so no benefit.

It detects USB drives though.
 
Joined
Feb 19, 2009
Messages
1,828 (0.33/day)
Location
UK Warwickshire
System Name PC-Chips
Processor Ryzen 5 5600x
Motherboard Asus ROG Strix B550-F Gaming.
Cooling Thermalright Peerless Assassin 120 SE CPU Air Cooler 6 heat pipes.
Memory Patriot Viper 32gig dual channel 3600mhz
Video Card(s) PowerColor HellHound RX 7900 GRE OC
Storage 2X Samsung 860 EVO SSD's 500gig / 2TB crucial P3-NVME / WD-BLUE SN550 1TB M.2 / SP A55 512gig
Display(s) Panasonic 40-inch 4k TV
Case Modded NZXT H510
Audio Device(s) Realtek S1220A - Yamaha A-S501 AMP - 4 x Wharfedale diamond 9.1 speakers - Wharfedale SW150 sub
Power Supply EVGA SuperNOVA G6 750W 80+ Gold
Mouse Some cheap wireless thing
Keyboard Razer Cynosa lite
VR HMD Oculus Quest 2 128gig version
Software Windows 11 pro 64bit
Files Infected:
C:\Windows\System32\kbiwkmbitgwgsj.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmciqigqal.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmjwciwovt.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmneckpmii.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmvffpoevc.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmvxepstfk.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmbjoprotq.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmoikuyrfl.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmotaonqts.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmhwubyyih.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmijdcuxsj.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmijhtnyjv.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmjakrmkwx.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmklfwpqur.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmqwmqrnxn.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmrwibvbcs.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmsobtsnwm.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmwsxvowut.dll (Rootkit.TDSS) -> Delete on reboot.

This basically tells you where the bad files are, so here is what I would now do.

Make sure System Restore is turned off, because this keeps copies of dodgy files and if you don't turn it off they will keep coming back.

Then manually go to c:\system32 and manually find the files in that list and delete them one by one (yes, it takes time, but better than a format if you can't be bothered).

After you have deleted the files in the list, restart and run the scan again until you have fully removed the files.

Another useful scanner I use is the Norton online scan. It's free and does a very good job of finding where dodgy files hide. It will also give you a list at the end with any viruses or bad files that need to be removed. Follow the list and manually delete.
 

95Viper

Super Moderator
Staff member
Joined
Oct 12, 2008
Messages
12,670 (2.24/day)
Joined
Jan 27, 2007
Messages
654 (0.10/day)
Location
India
Thanks, and I've already tried to delete manually, but when I try to do that it shows a blue screen and reboots itself.

Even BitDefender and Malwarebytes aren't able to delete it because it's in globalroot.
 
Joined
Feb 19, 2009
Messages
1,828 (0.33/day)
Location
UK Warwickshire
Do you see any of the above files running as a task in Task Manager, in the process list?

If so, what happens if you manually end the task? Blue screen?

Another thing that might be worth checking is MSCONFIG, to see if anything is loading up at the start that is associated with the rootkit.

Start/Run/type msconfig and look for any dodgy files in the Startup tab.
 
Joined
Jan 27, 2007
Messages
654 (0.10/day)
Location
India
One file in startup in msconfig which I don't know is "BDAMonitor application", manufactured by eMPIA Technology, with command hcwemmon.exe.

I don't know what it is, but it doesn't seem like a virus.
 
Joined
Sep 25, 2006
Messages
2,312 (0.36/day)
Location
Norn Iron
Processor Q9550 @3.8
Motherboard Asus Maximus Extreme
Cooling Custom water cooling
Memory 4GB Patriot Viper DDR3 1600MHz
Video Card(s) 2x HD4870 512MB
Storage 2x 500GB
Display(s) 3x LG L226WTQ 22" Widescreen LCD
Case Modded TJ07
Audio Device(s) On board
Power Supply PC P&C Silencer 750
Software Windows 7 Ultimate
See if this will help you out any -

http://www.gmer.net/

EDIT: Some tips on running Gmer

Note its name and save it to your root folder, such as C:\.

* Disconnect from the Internet and close all running programs.
* Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
* Click on this link to see a list of programs that should be disabled.
* Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
* Allow the driver to load if asked.
* You may be prompted to scan immediately if it detects rootkit activity.
* If you are prompted to scan your system click "No".
* Click the "Rootkit/Malware" tab.
* When the Quick scan is finished, click Save, then browse to save the scan results to your Desktop.
* Save the file as Results and copy/paste the contents in your next reply.
* Exit the program and re-enable all active protection when done.

You do not need to run a scan. Immediately after the program starts, a Quick Scan is performed.
 
Joined
Jan 27, 2007
Messages
654 (0.10/day)
Location
India
I was able to run this program in safe mode only.
Log file attached.

From this program, it is showing the root of the virus. This virus is in explorer.exe, so it's impossible to remove it without a boot scan?
 

Attachments

  • trojen rootkit.tdss.log.txt
    129.9 KB · Views: 446

TheMailMan78

Big Member
Joined
Jun 3, 2007
Messages
22,599 (3.67/day)
Location
'Merica. The Great SOUTH!
System Name TheMailbox 5.0 / The Mailbox 4.5
Processor RYZEN 1700X / Intel i7 2600k @ 4.2GHz
Motherboard Fatal1ty X370 Gaming K4 / Gigabyte Z77X-UP5 TH Intel LGA 1155
Cooling MasterLiquid PRO 280 / Scythe Katana 4
Memory ADATA RGB 16GB DDR4 2666 16-16-16-39 / G.SKILL Sniper Series 16GB DDR3 1866: 9-9-9-24
Video Card(s) MSI 1080 "Duke" with 8Gb of RAM. Boost Clock 1847 MHz / ASUS 780ti
Storage 256Gb M4 SSD / 128Gb Agelity 4 SSD , 500Gb WD (7200)
Display(s) LG 29" Class 21:9 UltraWide® IPS LED Monitor 2560 x 1080 / Dell 27"
Case Cooler Master MASTERBOX 5t / Cooler Master 922 HAF
Audio Device(s) Realtek ALC1220 Audio Codec / SupremeFX X-Fi with Bose Companion 2 speakers.
Power Supply Seasonic FOCUS Plus Series SSR-750PX 750W Platinum / SeaSonic X Series X650 Gold
Mouse SteelSeries Sensei (RAW) / Logitech G5
Keyboard Razer BlackWidow / Logitech (Unknown)
Software Windows 10 Pro (64-bit)
Benchmark Scores Benching is for bitches.
Joined
Aug 29, 2004
Messages
967 (0.13/day)
Location
Danville IL
Processor I7 4770k
Motherboard ASUS z87 pro
Cooling Corsair a50
Memory 4x4 gig Gskil aries ddr3 1866
Video Card(s) Gigabyte r280x windforce
Storage intel 520 120 gig ssd
Display(s) 24 inch Asus IPS
Case Cool Master
Audio Device(s) realtek onboard
Power Supply hiper 880
Software win 7 ult
I have yet to see Malwarebytes not remove a virus. Did you go to the update tab and update Malwarebytes before you scanned?
 
Joined
Jan 27, 2007
Messages
654 (0.10/day)
Location
India
I have yet to see Malwarebytes not remove a virus. Did you go to the update tab and update Malwarebytes before you scanned?

I've recently installed it, so it's not updated, but it's detecting the rootkit and not removing it: "No action can be taken".

So if I update or not, will it make any difference?
 
Joined
Aug 29, 2004
Messages
967 (0.13/day)
Location
Danville IL
Yes, it makes a difference. They update it daily, and the one you download from cnet.com is out of date when you get it.
 
Joined
Jan 27, 2007
Messages
654 (0.10/day)
Location
India
Yes, it makes a difference. They update it daily, and the one you download from cnet.com is out of date when you get it.

What I wanted to say is that it will make a difference in detecting trojans and malware; it should not make a difference in Malwarebytes' functions.

As it's detecting the trojan, it has nothing to do with the database. Though I've just updated it, and it hasn't made any difference in terms of deleting the trojans which weren't being deleted earlier.
 
Joined
Aug 29, 2004
Messages
967 (0.13/day)
Location
Danville IL
If you updated Malwarebytes and scanned your system in the last 3 minutes that we've posted, you've got another problem. It isn't scanning; it takes 5 minutes to scan usually. If you don't want to update it, live with the virus.
 
Joined
Jun 2, 2007
Messages
5,106 (0.83/day)
Location
Kansas
Joined
Aug 29, 2004
Messages
967 (0.13/day)
Location
Danville IL
I just updated and ran it, and this is how long it took on a clean system.
 

Boyfriend

New Member
Joined
Nov 30, 2008
Messages
160 (0.03/day)
System Name Black Star
Processor Core2Duo E7200 @ 2.53 GHz
Motherboard Asus P5K-VM (G33)
Cooling Cooler Master Hyper N520 + 3 120 mm Fans
Memory Corsair CM2X1024-6400C4DHX , 4,4,4,12,2T, 2x1 GB
Video Card(s) MSI NX8500GT TD256E
Storage WD Caviar Blue 320GB + Maxtor 500 GB
Display(s) ViewSonic VX1940w 19"
Case Vento ATX
Audio Device(s) Realtek HD (On-Board)
Power Supply Cooler Master Extreme 460 W
Software Windows 7 RTM 32-Bit + KIS 2011 CF2 (ab)
It is really astonishing to know that Kaspersky BootCD doesn't detect the HDD of your laptop. I have used it numerous times to clean many desktops and laptops of very clever malware, which sometimes even renders Windows useless due to excessive & exhaustive resource utilization.
One more thing to try is here:
Install Kaspersky 2010. Update it and run a complete system scan. Follow the instructions given here. Upload GSI log. Go to main GUI --> Support --> Support tools --> Create system state report. Also upload it to some server (rapidshare, megashare etc.) and give the links here by starting a new thread. Kaspersky experts will suggest method(s) to remove the malware detected. The suggested script they provide can be run in main GUI --> Support --> Support tools --> Execute AVZ script.
Then go to Security+ tab --> Microsoft Windows Settings Troubleshoot and follow the recommended actions.
It might seem a lengthy process to you, but it is one of the best methods to skip a format of your HDD. Trust me!

You can also upload the GSI log and give a link here and I might do the rest of the job for you.
 
Joined
Jan 27, 2007
Messages
654 (0.10/day)
Location
India
If you updated Malwarebytes and scanned your system in the last 3 minutes that we've posted, you've got another problem. It isn't scanning; it takes 5 minutes to scan usually. If you don't want to update it, live with the virus.

10-31-2009 06:08 PM & 10-31-2009 06:17 PM
Check the time duration.
It's around 10 minutes.
And I've updated Malwarebytes.
Screenshot:

I don't want to debate statistics here, but according to my knowledge, if it was detecting the virus then it has nothing to do with the update; the problem was it was not removing the virus. Though, according to your advice, I've updated, scanned, and no difference.


Database version: 3065
Windows 6.0.6000

31-10-2009 18:29:58
mbam-log-2009-10-31 (18-29-58).txt

Scan type: Quick Scan
Objects scanned: 98510
Time elapsed: 9 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\System32\kbiwkmsfwpvjfx.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\System32\kbiwkmsfwpvjfx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\kbiwkmbitgwgsj.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmciqigqal.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmdxnexiuf.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmijhtnyjv.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmjwciwovt.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmklfwpqur.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmneckpmii.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmrwibvbcs.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Windows\System32\kbiwkmsfwpvjfx.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Windows\System32\kbiwkmvffpoevc.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmvxepstfk.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmwsxvowut.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmxeqvvcbd.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmxittqpmt.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmbjoprotq.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmoikuyrfl.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmotaonqts.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmcjulvuyw.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmhwubyyih.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmijdcuxsj.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmjakrmkwx.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmqwmqrnxn.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmsobtsnwm.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmxmwxdjhf.dat (Rootkit.TDSS) -> Delete on reboot.
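
An added example, not part of any post in this thread and not Malwarebytes' own tooling: the advice above is to restart and rescan until the files are gone, and this script compares two scan listings to show which "Delete on reboot" entries came back. The sample lines are excerpts of the listings posted in this thread; treating them as two successive scans, and treating `\\?\globalroot\systemroot\` as `C:\Windows\`, are assumptions.

```python
import re
from collections import defaultdict

# "<path> (<Family>) -> <action>." as in the scan lines quoted in this thread.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+\((?P<family>[^()]+)\)\s+->\s+(?P<action>.+?)\.?$")

# ASSUMPTION: %SystemRoot% is C:\Windows, so both spellings name the same file.
GLOBALROOT = "\\\\?\\globalroot\\systemroot\\"
SYSTEMROOT = "c:\\windows\\"

# Excerpt of the first file list posted in the thread.
SCAN_1 = r"""
C:\Windows\System32\kbiwkmbitgwgsj.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmbjoprotq.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmhwubyyih.dat (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmrwibvbcs.dll (Rootkit.TDSS) -> Delete on reboot.
"""

# Excerpt of the later mbam log posted in the thread.
SCAN_2 = r"""
Memory Modules Infected:
\\?\globalroot\systemroot\System32\kbiwkmsfwpvjfx.dll (Trojan.FakeAlert) -> Delete on reboot.
(No malicious items detected)
Files Infected:
\\?\globalroot\systemroot\System32\kbiwkmsfwpvjfx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\kbiwkmbitgwgsj.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmrwibvbcs.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Windows\System32\kbiwkmsfwpvjfx.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Windows\System32\kbiwkmxeqvvcbd.dll (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\kbiwkmbjoprotq.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Windows\System32\kbiwkmhwubyyih.dat (Rootkit.TDSS) -> Delete on reboot.
"""

def normalize(path):
    """Lower-case a path and fold the globalroot alias onto the drive path."""
    p = path.strip().lower()
    if p.startswith(GLOBALROOT):
        p = SYSTEMROOT + p[len(GLOBALROOT):]
    return p

def parse_scan(text):
    """Map each detected file to the set of (family, action) pairs logged for it."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # headers, counters and "(No malicious items detected)" do not match
            found[normalize(m["path"])].add((m["family"], m["action"].lower()))
    return dict(found)

def compare(before, after):
    """Classify files across two scans taken either side of a reboot."""
    pending = lambda hits: any(a == "delete on reboot" for _, a in hits)
    fams = lambda hits: {f for f, _ in hits}
    return {
        # scheduled for deletion, yet detected again: the removal did not stick
        "persisted": sorted(p for p in before if p in after and pending(before[p])),
        "new": sorted(p for p in after if p not in before),
        "cleared": sorted(p for p in before if p not in after),
        # same file, different detection name in the later scan
        "relabelled": sorted(p for p in before if p in after and fams(before[p]) != fams(after[p])),
        # one entry reports deletion while another entry for the same file is still pending
        "contradictory": sorted(p for p, h in after.items()
                                if pending(h) and any("deleted successfully" in a for _, a in h)),
    }

if __name__ == "__main__":
    print(compare(parse_scan(SCAN_1), parse_scan(SCAN_2)))
```

On these excerpts every file from the first listing is detected again, which is the pattern the thread describes: the scanner schedules the deletion, but the files are present at the next scan.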
 
Joined
Jun 2, 2007
Messages
5,106 (0.83/day)
Location
Kansas
With all the time you've spent on this, you could have been backed up and reinstalled a few days ago. Sometimes the virus wins, amigo. :laugh:
 
Joined
Jan 27, 2007
Messages
654 (0.10/day)
Location
India
It is really astonishing to know that Kaspersky BootCD doesn't detect the HDD of your laptop. I have used it numerous times to clean many desktops and laptops of very clever malware, which sometimes even renders Windows useless due to excessive & exhaustive resource utilization.
One more thing to try is here:
Install Kaspersky 2010. Update it and run a complete system scan. Follow the instructions given here. Upload GSI log. Go to main GUI --> Support --> Support tools --> Create system state report. Also upload it to some server (rapidshare, megashare etc.) and give the links here by starting a new thread. Kaspersky experts will suggest method(s) to remove the malware detected. The suggested script they provide can be run in main GUI --> Support --> Support tools --> Execute AVZ script.
Then go to Security+ tab --> Microsoft Windows Settings Troubleshoot and follow the recommended actions.
It might seem a lengthy process to you, but it is one of the best methods to skip a format of your HDD. Trust me!

You can also upload the GSI log and give a link here and I might do the rest of the job for you.

Seems complicated.
Anyways, I'll try it.
Thanks.

Well, Kaspersky bootcd was working and it was detecting removable drives but not my internal HDD, maybe because it is an NTFS system.

Anyways, thanks.
 
Joined
Jan 27, 2007
Messages
654 (0.10/day)
Location
India
With all the time you've spent on this, you could have been backed up and reinstalled a few days ago. Sometimes the virus wins, amigo. :laugh:

You're right, but I'm not spending my time continuously on this. I try to do something suggested here once daily or every few days, and if I format, I'll have to reinstall everything; all settings and data will be lost, etc.

The main reason I'm not formatting is that BitDefender & Malwarebytes are blocking the virus, though not removing it, so it's not having any effect on my laptop performance as far as I know.

I hope I'll defeat the virus.

Thanks. :toast:
 