System tool 2011 - virus?

Hi all,

Please help - I am in a dire situation!

I was browsing the net yesterday when I got attacked by malware of some sort. It seemed to have disabled my Microsoft Forefront anti-virus tool. It then changed my desktop and put a message threatening that whatever I do is recorded to my disk etc… I also noticed a shortcut on my desktop saying ‘System tool 2011’ but I could not find this anywhere in the Program Files directory to uninstall it.

Currently my computer is booting, but it is not allowing me to open anything and just keeps throwing up messages about it being infected. I am typing this from a different PC because mine does not open the internet. I managed to open Forefront through Task Manager and ran a scan, but it claimed my computer is fine! There were 2 files which it noticed, but it said they were permitted to carry on their actions. I suspect these might be related to the virus.

I really hope you guys can suggest something, but I am not too tech savvy so you will have to explain it well.

Download these programs to a USB stick, plug it into the infected one, then run the programs from the USB stick.

Hitman Pro 3 - Second Opinion Malware Scanner http://www.surfright.nl/en/hitmanpro
Hitman Pro in Force Breach Mode http://hitmanpro.wordpress.com/2010/03/16/hitman-pro-in-force-breach-mode/

SUPERAntiSpyware Portable Scanner http://superantispyware.com/portablescanner.html?tag=SAS_HOMEPAGE

I guess this is the bug you have

http://forums.malwarebytes.org/index.php?showtopic=66064
http://www.bleepingcomputer.com/virus-removal/remove-system-tool

or try the instructions from here : http://forums.malwarebytes.org/index.php?showtopic=66064

Thanks Pondus, I’ll give this a try!

Do I have to try all 3 or just one of them?

Also, thanks Derick, I’ll take a look.

There are 2 to run from the USB stick: Hitman Pro and SUPERAntiSpyware.
The second Hitman Pro link will show you how to start Hitman Pro in Force Breach Mode.

If this works, I recommend installing and running Malwarebytes afterwards to be sure everything is gone.

If it does not work, I will send a message to Essexboy, he is the removal expert.

OK, here is what I have done so far:

I installed and ran malwarebytes in safe mode.

Quick scan showed up ’ or 5 infections. I removed them and the system tool icon disappeared. However, when I started up the computer in normal mode, system tool was still around, even though there was no icon.

I also seem to have something called Windows scan, which is malware.

Quite deflating tbh.

When in safe mode, did you have safe mode with networking so you could update Malwarebytes?
Are you able to run Malwarebytes (and update) in normal mode, as that is when it works best?

Looks as if you also have this

Remove Windows Scan (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-windows-scan

Hmm, I didn’t have internet access on that machine so I couldn’t update.

Also, I tried first running in normal mode, but as soon as my computer had finished booting, System Tool started closing everything and not letting me do anything.

Did you try step 3 in the removal guide?

Have you tried any of the other tools, like HitmanPro in Force Breach Mode?

The trick is to stop what is blocking Malwarebytes from running and updating; if you manage to do that, it will usually remove these rogues unless it is a very new version.

I will send a PM to Essexboy, he is usually in here 8pm to 11:59pm UK time.

Right, some good news for me at last!

I managed to connect to the internet and run malwarebytes software. It seems to have removed the two malwares I had (Windows scan and System tool).

However, there is still a shortcut for Windows scan on the desktop, though it looks like the white square box.

I want to be sure that my laptop has returned to normal. Is there some check I can run and post a log here or something that will allow the experts among you to see if the machine has been truly cleaned?

Is that not a bit greedy having two malware virus programmes

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

Essex wit :slight_smile:

Thanks for the tip. I’ll get right on it!

Is that not a bit greedy having two malware virus programmes
maybe it is a new promoting tactic from the bad guys......double protection for the price of one ;D

OK here goes. The text files are attached…

You have worms in flash memory. Install this program: http://amf.mycity.rs/programs/mc/mcshield/
When you are finished cleaning, insert the USB stick and wait for the program to clean it up.

Alas I do have a bad sense of humour

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-21-277157712-2701793958-3186961445-1168\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [Lwevikeki] C:\WINDOWS\ecedojod.dll ()
O33 - MountPoints2\{3509cea2-f728-11de-97a8-00059a3c7800}\Shell\Auto\command - "" = F:\a.net
O33 - MountPoints2\{3db95a96-97db-11df-992e-001de0898319}\Shell\AutoRun\command - "" = F:\AutoRun.exe
[2011/01/23 22:16:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\eCmCpNn06511
[2011/01/23 22:18:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\bas\Start Menu\Programs\Windows Scan
[2011/01/24 15:49:37 | 000,000,272 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~Eay0Ig4brUF4cE
[2011/01/24 15:26:36 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Qgitoqanedevacu.bin
[2011/01/23 22:18:36 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Hzilapiqifepu.dat
[2011/01/23 22:18:20 | 000,000,835 | ---- | M] () -- C:\Documents and Settings\bas\Desktop\Windows Scan.lnk
[2011/01/23 22:18:20 | 000,000,168 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~Eay0Ig4brUF4cEr
[2011/01/23 22:18:18 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Eay0Ig4brUF4cE

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
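Added here as a side note for anyone reading the thread later (this is not part of the original post, nor OTL's or the helper's own code): a small Python parser for the shape of the OTL fix script posted above. It splits the script into its `:OTL`, `:Files` and `:Commands` sections, turns each `:OTL` line into a record (the O-code, the file paths it references, whether OTL reported "File not found", and for dated entries the timestamp, size and directory flag), and pulls out a de-duplicated path list that can serve as a checklist when confirming the fix actually removed everything. The line formats are inferred from the posted script, the sample lines are constructed to mirror it, and the assumption that `C:` is the system drive is used to single out the MountPoints2 autoruns that point at a removable drive (the USB-borne launchers mentioned further up).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines in the shape of the OTL fix script in this thread.
SAMPLE_OTL_FIX = r""":OTL
O4 - HKLM..\Run: [Lwevikeki] C:\WINDOWS\ecedojod.dll ()
O33 - MountPoints2\{3db95a96-97db-11df-992e-001de0898319}\Shell\AutoRun\command - "" = F:\AutoRun.exe
O20 - HKLM Winlogon: UserInit - (C:\Program Files\lmvvjpsi\tsniwscy.exe) - C:\Program Files\lmvvjpsi\tsniwscy.exe File not found
[2011/01/23 22:16:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\eCmCpNn06511
[2011/01/23 22:18:20 | 000,000,835 | ---- | M] () -- C:\Documents and Settings\bas\Desktop\Windows Scan.lnk
:Commands
[emptytemp]
[Reboot]
"""

# Registry-style lines: "O4 - ...", "O20 - ...", "O33 - ...", "IE - ..."
REG_LINE = re.compile(r"^(?P<code>O\d+|IE) - (?P<body>.*)$")
# Dated file/folder lines: "[date time | size | attrs | M|C] (optional "()") -- path"
FILE_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-\w]{4}) \| (?P<flag>[MC])\] (?:\(\) )?-- (?P<path>.+)$"
)
# A drive-letter path ending in a short extension, stopping before ")" or a quote.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^()"\n]+?\.\w{2,4}(?=[\s)"]|$)')

SYSTEM_DRIVE = "C:"  # assumption; the thread's machine uses C:


@dataclass
class OtlEntry:
    kind: str                    # "registry" or "file"
    code: str                    # O-code for registry lines, "" for file entries
    paths: List[str]             # file paths the line references
    raw: str
    dangling: bool = False       # OTL reported "File not found" for the target
    is_dir: bool = False         # attrs contain D (a folder entry)
    size: Optional[int] = None   # size in bytes for file entries
    stamp: Optional[str] = None  # timestamp for file entries


def parse_otl_fix(text: str) -> Dict[str, list]:
    """Split a fix script into sections; parse :OTL lines into OtlEntry records,
    keep the other sections' lines verbatim."""
    sections: Dict[str, list] = {"OTL": [], "Files": [], "Commands": []}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":"):           # section header such as ":OTL"
            current = line[1:]
            sections.setdefault(current, [])
            continue
        if current != "OTL":
            if current is not None:
                sections[current].append(line)
            continue
        m = FILE_LINE.match(line)
        if m:
            sections["OTL"].append(OtlEntry(
                kind="file", code="", paths=[m["path"]], raw=line,
                is_dir="D" in m["attrs"], size=int(m["size"].replace(",", "")),
                stamp=m["stamp"]))
            continue
        m = REG_LINE.match(line)
        if m:
            paths = list(dict.fromkeys(WIN_PATH.findall(m["body"])))  # de-dup, keep order
            sections["OTL"].append(OtlEntry(
                kind="registry", code=m["code"], paths=paths, raw=line,
                dangling="File not found" in m["body"]))
            continue
        raise ValueError(f"unrecognised :OTL line: {line}")
    return sections


def indicators(sections: Dict[str, list]) -> List[str]:
    """Sorted, de-duplicated list of every path an :OTL entry references."""
    found = set()
    for entry in sections["OTL"]:
        found.update(entry.paths)
    return sorted(found)


def removable_autoruns(sections: Dict[str, list]) -> List[str]:
    """Targets of MountPoints2 (O33) autorun entries on a non-system drive."""
    return [p for e in sections["OTL"] if e.code == "O33"
            for p in e.paths if not p.upper().startswith(SYSTEM_DRIVE)]


if __name__ == "__main__":
    parsed = parse_otl_fix(SAMPLE_OTL_FIX)
    for entry in parsed["OTL"]:
        print(f"{entry.kind:8} {entry.code:4} dangling={entry.dangling} {entry.paths}")
    print("check after fix:", indicators(parsed))
    print("removable-drive autoruns:", removable_autoruns(parsed))
```

Running it over the real script from the post would give the same kind of checklist: each path either gone after the Run Fix, or still present and worth mentioning in the next reply.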

OK, I have done the OTL part and I am about to do the combofix part. But I should mention a couple of things:

  • When I did the Run Fix bit, at the end of it, the OTL window was frozen and my computer was frozen. I had to reboot by turning off the computer by holding the power button.

  • My Microsoft Forefront constantly keeps telling me that I have threats which need smart cleaning. This was not happening before I did the OTL bit above.

Attached are the files generated from the run fix and subsequent quick scan.

Right, Attached is the combofix log. Another couple of points:

  • I exited Microsoft Forefront antivirus, but I still did get messages saying that it is active.
  • I also got the following message a couple of times: “Not enough main memory to perform sort”

Thanks so much for your help so far. It’s taken all evening, but I’m hopeful it might get somewhere :-\

Nearly did I feel - once these runs are done (they will be a lot shorter) let me know what problems remain

OTL appeared to stall - but actually it was doing a touch of cleaning Total Files Cleaned = 3,039.00 mb
The reason that forefront started shouting is that OTL revealed this once the protection was removed…

O20 - HKLM Winlogon: UserInit - (C:\Program Files\lmvvjpsi\tsniwscy.exe) - C:\Program Files\lmvvjpsi\tsniwscy.exe File not found
  1. Please open Notepad
    [*] Click Start, then Run
    [*] Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\documents and settings\bas\Start Menu\Programs\Startup\tsniwscy.exe
c:\windows\system32\drivers\bbcmwebo.sys

Folder::
c:\program files\lmvvjpsi
c:\documents and settings\All Users\Application Data\eCmCpNn06511

Driver::
bbcmwebo

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*] Combofix.txt

THEN

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O20 - HKLM Winlogon: UserInit - (C:\Program Files\lmvvjpsi\tsniwscy.exe) - C:\Program Files\lmvvjpsi\tsniwscy.exe File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

^^ I got down to step 5, but the scan is taking forever. I started it shortly after your post. It did not take this long last time and on this occasion I am not getting any messages like “stage 1 completed”. ???