Problems with computer, possibly 'MS antivirus' virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by Heracles, Aug 9, 2009.

  1. Heracles

    Heracles Private E-2

    Hi there,

    I'm having trouble with my computer at the moment. I was browsing sites a couple of days ago and what now appears to be a fake anti-virus window appeared. I clicked it thinking it to be Windows or my anti-virus program. Since then I have had continuous problems with my PC. After some looking through websites and forums I believe I have the 'MS Antivirus' virus (I have a process running called msa.exe).

    Now when I log in to Windows, it crashes before anything can be clicked every 4 out of 5 attempts. I have tried to run the programs in the Read and Run section, but they either crash, or the process appears in the task manager but the application doesn't start. Because of this I cannot post any logs.

    Is it worth running them from safe mode? I know they won't be full logs but are they worth posting?

    I would appreciate any help you can provide in this matter.
     
  2. Heracles

    Heracles Private E-2

    I've managed to get a couple of logs.

    The MGlogs are from a normal Windows start up, but the rrlog was run in safe mode.

    Any advice is welcome, I can't browse the net or even load up windows on most attempts and am at my wits end.
     

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Seems you have managed to pick up a few infections. We will have to run a few steps to clean this up.

    I see lots of things stuck in MSconfig registry keys! Are you using MSconfig or anything else to control startup processes? If yes, please disable this right now.


    Please double-click the RootRepeal.exe previously downloaded.
    • Select File then Scan
    • On the Select Drives form select drive C by "ticking" the box for drive C and click OK
    • When the scan is complete - highlight each of the following file(s) (one at a time if more than one is listed) by left clicking it. Then use right mouse click and select the Wipe File option only for each file.
      • C:\WINDOWS\system32\SKYNETbiqrlmmq.dat
      • C:\WINDOWS\system32\SKYNETgimaqsxn.dll
      • C:\WINDOWS\system32\SKYNETvpdcdppa.dat
      • C:\WINDOWS\system32\SKYNETxlvdktlw.dll
      • C:\WINDOWS\system32\UACdgldtspmtf.dll
      • C:\WINDOWS\system32\UACfhylqgikmx.dll
      • C:\WINDOWS\system32\UACharnsymeji.dll
      • C:\WINDOWS\system32\UAChboaivkkwb.dll
      • C:\WINDOWS\system32\UAChyfuwbakpj.dll
      • C:\WINDOWS\system32\uacinit.dll
      • C:\WINDOWS\system32\UAComplvbtxhv.dat
      • C:\WINDOWS\system32\UACwwgfodtvtf.db
      • C:\WINDOWS\system32\drivers\SKYNETewsftiqh.sys
      • C:\WINDOWS\system32\drivers\UACnqyotxjkhr.sys
      • C:\Documents and Settings\Phil\Local Settings\Temp\UAC7c93.tmp
    • After Wiping all files, immediately reboot your PC!
    After reboot, Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O15 - Trusted Zone: *.antimalwareguard.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now try to run SUPERAntiSpyware, Malwarebytes and ComboFix per the cleaning instructions.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\avenger.txt
    • the logs from SUPERAntiSpyware, Malwarebytes and ComboFix if they ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
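A constructed triage helper, added here and not part of chaslang's post or of any MajorGeeks tool, that applies the same reasoning as the HijackThis fix list above to HJT-style log lines: an extra executable chained onto UserInit, BHO entries that are unnamed, orphaned or dropped into system32, and any site added to the Trusted Zone. The sample lines are constructed from the entries quoted in the post; the BHO heuristics and the benign control entry are assumptions, not HJT logic.

```python
import re

# Constructed HijackThis-style sample, modelled on the post's fix list; the
# last O2 line is a benign control entry that should not be flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

# The only legitimate UserInit entry on XP/Vista is userinit.exe in system32.
LEGIT_USERINIT = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$", re.I)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)

def check_userinit(value):
    """Return the extra executables chained onto UserInit (empty list if clean)."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if not LEGIT_USERINIT.match(p)]

def check_bho(rest):
    """Heuristic (assumption): a BHO with no name, no file on disk, or a DLL in
    system32 (third-party BHOs normally live under Program Files) is suspect."""
    name, _clsid, path = [s.strip() for s in rest.split(" - ", 2)]
    if path == "(no file)":
        return "BHO registered but DLL missing (orphaned entry)"
    if name == "(no name)":
        return "unnamed BHO"
    if SYSTEM32.match(path):
        return "BHO DLL in system32: " + path
    return None

def triage(log_text):
    """Walk HJT lines and return [(line, reason)] for entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith("F2 - ") and "UserInit=" in line:
            extra = check_userinit(line.split("UserInit=", 1)[1])
            if extra:
                findings.append((line, "extra UserInit entries: " + ", ".join(extra)))
        elif line.startswith("O2 - BHO: "):
            reason = check_bho(line[len("O2 - BHO: "):])
            if reason:
                findings.append((line, reason))
        elif line.startswith("O15 - Trusted Zone: "):
            # HJT only lists non-default zone entries, so every O15 is a site
            # someone added to the Trusted zone, where IE relaxes its controls.
            findings.append((line, "non-default Trusted Zone site"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags five of the six sample lines and leaves the control BHO alone; each finding carries the reason so it can be compared against the fix list in the post.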
