Hi,
Yesterday I unfortunately got a virus with one of these fake-antivirus programs - “System Fix”, which resulted in my desktop icons being gone, the wallpaper getting changed, some links in the start menu going missing and some other minor changes. It also spammed me with a window saying my hdd failed (I think, at least some sort of critical error) and started a “scan”. The virus is described here: http://www.bleepingcomputer.com/virus-removal/remove-system-fix - and I followed their guide to remove it.
It seems to have disappeared. Before, once I started up my computer it would only take a few seconds until a bunch of these hdd failure windows popped up (or some other error, can’t remember now) - but that’s gone now, and I got my desktop icons back using the unhide app from bleepingcomputer. The TDSSKiller and RKill mentioned on Bleepingcomputer didn’t seem to do anything really, but I didn’t have any problems starting Malwarebytes Anti-Malware.
I ran Malwarebytes Anti-Malware in safe mode with networking and it found 7 issues (3 Rogue.FakeHDD, 2 PUM.Hijack.StartMenu and 2 Trojan.Agent.Gen) - now they’re in the “quarantine” and when running a full scan now it doesn’t find anything. Should I go to the quarantine tab and delete them? For reference here is the anti-malware log:
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org
Database version: v2012.03.17.06
Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Protection: Disabled
17-03-2012 19:37:25
mbam-log-2012-03-17 (19-37-25).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 691636
Time elapsed: 32 minute(s), 58 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VwQGJwSURThVmE.exe (Rogue.FakeHDD) → Data: C:\ProgramData\VwQGJwSURThVmE.exe → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|GrpConv (Trojan.Agent.Gen) → Data: grpconv -o → Quarantined and deleted successfully.
Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and repaired successfully.
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\ProgramData\VwQGJwSURThVmE.exe (Rogue.FakeHDD) → Quarantined and deleted successfully.
C:\Users\Tobias\AppData\Local\Temp\aYY0MiDUjVhSiD.exe.tmp (Rogue.FakeHDD) → Quarantined and deleted successfully.
C:\Windows\System32\grpconv.exe (Trojan.Agent.Gen) → Quarantined and deleted successfully.
(end)
I also did full system scans with Avast and SUPERAntiSpyware and they didn’t find any issues.
However, I also did a boot-time scan with Avast and even though the scan log that I can see in Windows says no infections were found, it did show some issues during the scan itself - here is the log:
03/18/2012 12:28 Scan of all local drives
File C:\Program Files\Common Files\Autodesk Shared\DirectConnect2012 (64-bit)\Public\DevIL\DevIL-1.7.8.zip|>devil-1.7.8\configure Error 42125 {ZIP archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\827d676a7ccadfb12c8c0a5dc44229ac\BIT1CD9.tmp|>x64\LogiLDA.dll Error 42127 {CAB archive is corrupted.}
File E:\Documents-backup\Documents\Animation-Opgaver-Retning\s083472-“NAME REMOVED”\s082730-s083472-02565-2011-XSI.zip|>s082730-s083472-02565-2011-XSI\Soft11\Render_Pictures\Thumbs.db|>256_925a1d5f3253841d Error 42144 {OLE archive is corrupted.}
File E:\Downloads\Autodesk\Maya2012\x64\DirectConnect\DirectConnect6.0.cab|>DevIL_1.7.8.zip|>devil-1.7.8\configure Error 42125 {ZIP archive is corrupted.}
File E:\Downloads\HDRLS_Pro_Demo3_64bit (1).zip|>HDR Light Studio Pro Demo v3.0x64 Installer.exe Error 42125 {ZIP archive is corrupted.}
File E:\Downloads\HDRLS_Pro_Demo3_64bit.zip|>HDR Light Studio Pro Demo v3.0x64 Installer.exe Error 42125 {ZIP archive is corrupted.}
File E:\Downloads\mr_antiGravity_Ground_ShatteringFX (1).rar|>mr_antiGravity_Ground_ShatteringFX_\Scene.rar|>Scene\rode_diffuse.tga Error 42126 {RAR archive is corrupted.}
File E:\Downloads\mr_antiGravity_Ground_ShatteringFX (1).rar|>mr_antiGravity_Ground_ShatteringFX_\Scene.rar Error 42126 {RAR archive is corrupted.}
File F:\Documents\Animation-Opgaver-Retning\s083472-“NAME REMOVED”\s082730-s083472-02565-2011-XSI.zip|>s082730-s083472-02565-2011-XSI\Soft11\Render_Pictures\Thumbs.db|>256_925a1d5f3253841d Error 42144 {OLE archive is corrupted.}
File F:\Downloads\Autodesk\Maya_2012_EJ_Win_64-bit\x64\DirectConnect\DirectConnect6.0.cab|>DevIL_1.7.8.zip|>devil-1.7.8\configure Error 42125 {ZIP archive is corrupted.}
File F:\Downloads\Autodesk_Maya_2012_English_Japanese_Win_64bit.exe|>x64\DirectConnect\DirectConnect6.0.cab|>DevIL_1.7.8.zip|>devil-1.7.8\configure Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 74560
Number of tested files: 3180456
Number of infected files: 0
Is this something I should worry about? The one that caught my attention is the logiLDA.dll, but it may be related to Logitech?
I don’t see any strange behaviour on my machine anymore, but do you think I should do any additional scans or should I feel safe about the virus being completely gone?
I hope someone can help - thanks
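As an added example (not part of the original post or of Malwarebytes), a small Python parser for the log format quoted above: it turns the flat detection lines into structured records, checks each section's item count against its "Detected: N" header, and tallies detections per category and action, so the repaired Explorer settings (PUM.Hijack.StartMenu) stay apart from the quarantined executables. The sample input is constructed from the post's own detection lines; the pattern accepts both the "->" separator MBAM writes and the "→" the post renders.

```python
import re
from collections import Counter, namedtuple

# Constructed sample: the detection lines from the Malwarebytes log in the post,
# using the "->" separator MBAM writes (the post renders it as "→"; both parse).
SAMPLE_LOG = r"""
Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VwQGJwSURThVmE.exe (Rogue.FakeHDD) -> Data: C:\ProgramData\VwQGJwSURThVmE.exe -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|GrpConv (Trojan.Agent.Gen) -> Data: grpconv -o -> Quarantined and deleted successfully.
Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
Files Detected: 3
C:\ProgramData\VwQGJwSURThVmE.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\Users\Tobias\AppData\Local\Temp\aYY0MiDUjVhSiD.exe.tmp (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\Windows\System32\grpconv.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
"""

# section: "Files", "Registry Values", ...; obj: file path or "key|value name";
# detail: "Data: ..." or "Bad: (0) Good: (1)" (empty for plain file entries)
Detection = namedtuple("Detection", "section obj category detail action")

SECTION_RE = re.compile(r"^(?P<kind>[A-Za-z ]+?) Detected: (?P<n>\d+)$")
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<cat>[\w.]+)\) (?:->|→) "
                     r"(?:(?P<detail>.+?) (?:->|→) )?(?P<action>[^>]+?)\.?$")

def parse_mbam_log(text):
    """Return (detections, mismatches); a section is a mismatch when its
    'Detected: N' header disagrees with the item lines found under it."""
    detections, expected, section = [], {}, None
    for line in map(str.strip, text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            section = m.group("kind")
            expected[section] = int(m.group("n"))
            continue
        m = ITEM_RE.match(line)
        if m and section:
            detections.append(Detection(section, m.group("obj"), m.group("cat"),
                                        m.group("detail") or "", m.group("action")))
    found = Counter(d.section for d in detections)
    return detections, [s for s, n in expected.items() if found[s] != n]

def summarize(detections):
    """Count detections per (category, action): repaired settings and
    quarantined-and-deleted executables are different kinds of finding."""
    return Counter((d.category, d.action) for d in detections)
```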