Unique problem

My desktop (Win Vista Business) recently fell victim to a nasty virus that prevents connection to antivirus websites (avg, avast, symantec). None of my programs have been able to manage this foe. I downloaded avast home on my laptop (WinXP) and installed it on my external hard drive. I then hooked the external up to my desktop and attempted to run Avast. On the laptop, it worked fine, but on the desktop it immediately requested a license key. I registered the product and received the key but when I typed in the key it was a character short. I NEED to get this desktop up and working again within a couple of days. Anyone have any suggestions or insight?

Hi, you may be reassured to know that having a virus that prevents connection to AV sites is not that unique.

Need the name and path of the detections, please (if there have been detections) and the program that detected them/it.

Try downloading MBAM.
You will need to install and update it and run a quick scan. At the completion of the scan, save the scan report for posting here, and have it fix anything found (remove selected button.)

If you have trouble downloading or installing or opening MBAM, let us know. If it will download but not install/open, renaming the relevant executables often works, as malware seems to identify/block these by name.

MBAM is a very good demand antispyware scanner often recommended for various infections.

Well, the real problem is that the desktop has zero internet accessibility. I have to do everything through my laptop and external drive. Will that solution work by installing the program onto the external and then running it on the desktop?

Download the installer file to the flash drive, and rename it to something like, say, icoeph.exe.
Plug the drive into the sick computer, and copy the file to your desktop. Then try installing it.

Once it has installed (hopefully) navigate to C:\Program files\MalwareByte’s anti malware, and rename the executable “MBAM.exe”, and then try running the renamed file by double-clicking it from that folder. (Any desktop icon installed won’t work once it has been renamed.)

Update it if possible, if not, just run a scan.

There are ways to install a fairly recent database offline, if required I (or someone) will post the info. (The most up-to-date database can only be installed via the programs own updater.)

PS, might as well post the info now, see this thread at the MBAM forum for a link to the offline update, and instructions on how to use it.

Sorry for the multiple replies, I found (via the forum link above) a different and probably better method for offline updating.

Also install MBAM on your healthy computer. Update it. Go to this folder and copy the “rules.ref” file to a flash drive.

C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

Assuming you have been able to install MBAM to the sick computer, navigate to the same folder, and copy the new “rules.ref” to it, permitting it to overwrite the existing file.

It should then be as up-to-date as possible. Hopefully it will work.

Still want the name of the detection, please, otherwise I (and anyone else that might help) am working in the dark a bit.

Also, what AV was installed on this computer?

Alrighty, successfully installed MBAM on both computers. On the laptop I could not follow the pathing given so I instead went to C:\Program Files\Malwarebytes’ Anti-Malware. I did not find the rules.ref or any other .ref files to update my infected computer. I ran a quick, un-updated scan and this is what came back:

Malwarebytes’ Anti-Malware 1.40
Database version: 2551
Windows 6.0.6002 Service Pack 2

9/2/2009 9:21:21 AM
mbam-log-2009-09-02 (09-21-09).txt

Scan type: Quick Scan
Objects scanned: 83170
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Windows\ld14.exe (Worm.KoobFace) → No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysldtray (Backdoor.Bot) → No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\ld14.exe (Backdoor.Bot) → No action taken.

This post is being typed as I continue work (didn’t think that one through) and after clicking the fix selected issues button, all issues were quarantined and deleted successfully. I ran a full scan after the reboot and nothing was flagged, but then again, I was unable to update MBAM with the recent definitions.

I still cannot update any anti-virus software or access any anti-virus websites (avg, symantec, avast), and to answer the question posed beforehand, the desktop was running AVG free (I believe v8.0).

So I ran the offline update drill and another quick scan on the infected pc and came up with this:

Malwarebytes’ Anti-Malware 1.40
Database version: 2725
Windows 6.0.6002 Service Pack 2

9/2/2009 10:59:43 AM
mbam-log-2009-09-02 (10-59-43).txt

Scan type: Quick Scan
Objects scanned: 85548
Time elapsed: 2 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\program files\ddnsfilter\ddnsfilter.dll (Trojan.DNSChanger) → Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ddnsfilter (Trojan.DNSChanger) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ddnsfilter (Trojan.DNSChanger) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ddnsfilter (Trojan.DNSChanger) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\ddnsfilter (Trojan.DNSChanger) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\DDnsFilter (Trojan.DNSChanger) → Delete on reboot.

Files Infected:
C:\Program Files\DDnsFilter\DDnsFilter.dll (Trojan.DNSChanger) → Delete on reboot.
C:\Windows\0101120101464954.xe (KoobFace.Trace) → Quarantined and deleted successfully.
C:\Windows\0535251103110107106.yux (KoobFace.Trace) → Quarantined and deleted successfully.

There were some that couldn’t be deleted and those seem to be the infections that say Delete on Reboot. I guess I’ll see afterwards.

I guess you were able to locate the folder to manually update the definitions, looking at the info in your reply #7.

Did you have to change any of the MBAM names to get it to install or run?

This time, update MBAM again (if possible), run a full scan, remove anything found, and if it asks to delete a file on reboot, “OK” it and reboot immediately.
(It will probably be the “memory item”, locked by the operating system, that needs a reboot to remove.)

After rebooting, check to see if you have internet access.

You have been infected by a variant of the Koobface trojan. This is spread predominantly through social networking sites. Some more action/cleaning will possibly be needed once it’s cleaned.
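The two logs posted above follow a fixed layout, so a helper reading them can pull out the important parts mechanically. The parser below is an added example, not code from the thread or from Malwarebytes; it reads the MBAM 1.x log format, lists the items MBAM deferred to a reboot (the point of the advice just given, since a rescan before that reboot proves nothing), and cross-checks the summary counts against the detail lines. The sample log is a constructed, trimmed copy of the second posting.

```python
import re
from collections import Counter, namedtuple

# Constructed sample: a trimmed transcript of the second MBAM log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2725
Memory Modules Infected: 1
Files Infected: 3

Memory Modules Infected:
c:\program files\ddnsfilter\ddnsfilter.dll (Trojan.DNSChanger) -> Delete on reboot.

Files Infected:
C:\Program Files\DDnsFilter\DDnsFilter.dll (Trojan.DNSChanger) -> Delete on reboot.
C:\Windows\0101120101464954.xe (KoobFace.Trace) -> Quarantined and deleted successfully.
C:\Windows\0535251103110107106.yux (KoobFace.Trace) -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^([A-Za-z ]+ Infected):$")        # "Files Infected:"
SUMMARY = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # "Files Infected: 3"
# "<item> (<threat>) -> <action>."; the forum rendered the arrow as "→", so accept both
DETECTION = re.compile(r"^(.+?) \(([^()]+)\) (?:->|→) (.+?)\.?$")
Detection = namedtuple("Detection", "section item threat action")

def parse_mbam_log(text):
    """Return (header dict, summary counts, list of Detection) from an MBAM 1.x log."""
    header, counts, found, section = {}, {}, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SECTION.match(line):
            section = m.group(1)            # entering a detail block
        elif m := SUMMARY.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif section and (m := DETECTION.match(line)):
            found.append(Detection(section, *m.groups()))
        elif section is None and ": " in line:
            key, value = line.split(": ", 1)
            header[key] = value
    return header, counts, found

def summarize(text):
    """Items MBAM could not remove while loaded (deferred to a reboot) plus a
    summary-vs-detail consistency check; a mismatch means a truncated or edited log."""
    header, counts, found = parse_mbam_log(text)
    seen = Counter(d.section for d in found)
    return {
        "database": header.get("Database version"),
        "families": dict(Counter(d.threat for d in found)),
        "reboot_required": [d.item for d in found if d.action.lower() == "delete on reboot"],
        "count_mismatch": {s: (n, seen[s]) for s, n in counts.items() if seen[s] != n},
    }
```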

I successfully updated MBAM and ran a few different scans (quick and full) with updated definitions, removing a few extra items along the way. I finally have internet access, downloaded Avast! and am running the start-up scan now. It has found numerous trojan infected files which I subsequently deleted.

Sounds like you are on the way to beating this one, but I wouldn’t have deleted items found when scanning with Avast…file deletion (rather than quarantining) leaves you with no options if it was a necessary file.

Do (or did) you have any other AV on this computer?
What other security software is installed?

Do you appear to have normal internet access, now, with no sites blocked? Can you load this test page? (It is for a different infection, but if you can see it correctly, with the 6 links often blocked by malware, it’s a fair indication things are OK.)

Everything seems to be running fine. I clicked the link on the desktop and it came up with no problem. I had AVG free (8.0 I believe), and currently have MBAM, symantec, and Avast! loaded on the PC. I will run a few more scans to scour the computer as much as possible.

I will run a few more scans to scour the computer as much as possible.
I strongly suggest that before doing that you make sure the other antivirus programs have been completely removed.

You should only run one antivirus on a computer. Having an extra installed - even if it is not active - will cause problems sooner or later, and ironically may actually leave you less protected.

Having chosen Avast (good choice, by the way!) remove the others using the programs and settings menu in the control panel.
(What Symantec program was installed, and can you remove it?)

To finish off the uninstallation please download these two tools: Norton Removal Tool and AVG Remover. (If you have 32bit Windows it will be the first tool on the AVG Tools page; if 64bit the second tool.)

After uninstalling each program via the control panel, please run (as admin) each uninstaller.

There are more tools we can use (a) as scanners so you can help ensure for yourself that the malware is removed (b) as diagnostics, so myself and others can check a log posted here to make sure all is well, and (c) as maintenance suggestions, for example, making sure stuff is up to date, not vulnerable. (This is a pretty common issue, and often implicated in infections.)

If you would like any of these suggestions (recommended), please let me know. Most of the maintenance ones are good common sense, the sort of stuff all web users should be taught when buying a 'pooter. Not hard.

I do know my way around a computer, but I would still love to hear what you have to say.

Sure, don’t doubt it for a minute.
But you got infected.

Make sure that the Vista firewall is on.

You should always have one (and only one) of each: Firewall, and Antivirus. You can have as many demand scanners as you want. Similar to MBAM is Superantispyware which is also good for demand scans. (Provided that at the moment you don’t run any “PCTools” applications…there appears to be a software confliction.)

I find a Hosts file good for blocking known bad sites. I use MVPS Hosts. (Google it.) And an application called Hostsman for easy management of same.

Carry out disk cleanups and defrags from time to time. Ccleaner (without the Yahoo toolbar) or ATF cleaner (by atribune) allow for good, comprehensive disk cleanups. Often a good disk clean will rid malware from within temp files. It is usually the first step in a malware cleaning routine.

One of the popular diagnostics is an application called HijackThis, which scans processes and settings and produces a log that can be analyzed for “improper” processes, and out of date applications.

A browser that prompts for the allowing of scripts (can be set in any browser, but Firefox has an add-on called “Noscript” which manages the job nicely) can prevent a lot, if not most, of the “drive by downloads”, which infect, and require no user action beyond visiting an infected page.

An application I use is from Secunia and this outfit specialise in maintaining an online database of out of date and/or vulnerable software. Well worth at least performing an online scan. I use the PSI application that constantly scans the computer.

There are all sorts of other things that can be done to limit damage from web-facing applications; probably one of the more important is to back up important files regularly.

Hope all is well now, a belated welcome to the forum, any more questions or problems, just ask.

Will do. This rates as by far one of the most complicated workarounds I’ve had to do. I’ve only had to take my computer to a tech shop once before and I thought I might have to do so again, but you managed to save me some cash and frustration in that department, so thank you. Avast! and MBAM are going to the top of my “must have” program lists for my friends and “tech customers”.

You’re very welcome, glad to have helped.

I do recommend some follow up scans, say, with Superantispyware, as a second opinion, just to be sure.