Secure Bill Virus Removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mpvader, Jan 30, 2012.

  1. mpvader

    mpvader Private E-2

    I have the Secure Bill virus/malware issue. It has blocked access to any functions in my computer. I have been following the instructions in the "Read & Run Me First Malware Removal Guide". However, I am stuck trying to remove the AVG software. I have downloaded the removal tool and ran it. The first time I ran the program it required me to reboot, which I did. Then when I tried to run combofix.exe, it said AVG was still running, so I closed ComboFix and ran the removal tool again. This time it ran and did not ask me to reboot, but created a text document on the desktop. The file is currently too large to upload, but I can break it apart and upload it if it is needed.

    I have been operating in safe mode on a Windows XP system, since the infection does not let me access the computer functions in regular boot mode.

    Any help getting over this step is appreciated. Thanks.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just run Combofix despite the warning. It's probably just detecting remnants left over...
     
  3. mpvader

    mpvader Private E-2

    Hi, thanks for the advice. I did move on but ran into some problems. Basically I went ahead and skipped scans that I could not get to run. I have attached the logs for the scans that did run (SuperAntiSpyware, Malwarebytes, and MGtools).

    I could not get ComboFix to complete a scan. I did let it ignore the fact that it thought AVG was running, as advised. It then needed to download and install the Microsoft Windows Recovery Console. I reconnected the device to the internet and hit "yes", but it failed to download and install. ComboFix put up a note that it would attempt the scan anyway and that it would take 10 minutes or longer. The scan was left to run all night long and the next morning the screen had not changed. The computer was frozen and had to be rebooted in safe mode. A second attempt to run the program was made, but the program failed to load.

    I tried to find a download of RootRepeal as a zip, but could only find it in "rar" format. I am not too familiar with that, and what I was able to find indicated I needed a program to open it that I did not have.

    Thanks for any help and assistance with this problem.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Let's not worry about rootrepeal now.

    Please attach the log(s) from Malwarebytes showing what it removed.

    C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-2012-01-30 (13-19-23).txt



    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    Code:
    :Reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "RUMrAHicILvex.exe"=-
    "PAwhgCLyHSr.exe"=-
    
    :Files
    C:\Program Files\Internet Explorer\SET616.tmp
    C:\Program Files\Internet Explorer\SET7C1.tmp
    C:\Documents and Settings\All Users\Application Data\PAwhgCLyHSr.exe
    C:\Documents and Settings\All Users\Application Data\RUMrAHicILvex.exe
    C:\Documents and Settings\All Users\Application Data\s4IeF21N7PHEMV
    C:\Documents and Settings\All Users\Application Data\s4IeF21N7PHEMV.exe
    C:\Documents and Settings\All Users\Application Data\~s4IeF21N7PHEMV
    C:\Documents and Settings\All Users\Application Data\~s4IeF21N7PHEMVr
    C:\WINDOWS\pchealth\helpctr\binaries\SET619.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET6B5.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET7C4.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET881.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SET95E.tmp
    C:\WINDOWS\pchealth\helpctr\binaries\SETA41.tmp
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    Now in NORMAL mode please if possible....

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  5. mpvader

    mpvader Private E-2

    Hi,

    Attached is the Malwarebytes log file.

    OTM - I ran this program as instructed and it did ask me to reboot. When it rebooted it went into Normal mode and did not fully reboot. It opened a text file listing files it moved and then seemed to be stuck on items it was deleting from the Registry. I left the computer alone for a couple of hours and it was still stuck, so I saved and closed the text file. The virus then kicked in and started its "scan". I unplugged the computer and rebooted in safe mode. When I followed the directions to cut and paste the OTM log file, it was the same file that had been stuck open. The information is pasted below:


    I ran the Getlogs.bat which went without incident and attached is the zip file.

    I went ahead and rebooted the computer in Normal mode and the virus was still there. I have rebooted again in safe mode.

    By the way I am communicating to you from a second computer. Not sure it matters, but thought I would pass it along. Thanks for all your help.
     

    Attached Files:

    Last edited by a moderator: Feb 3, 2012
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Code:
    :files
    C:\Documents and Settings\All Users\Application Data\Hgv87xXud
    C:\Documents and Settings\All Users\Application Data\Hgv87xXud.exe
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  7. mpvader

    mpvader Private E-2

    I ran the instructions and had the same result when running OTM. After following the instructions I rebooted the computer and the virus is still blocking things out. However, the blue desktop background comes up without any icons. In the taskbar is a little icon that, if you roll your mouse over it, says "System Check". Previously when rebooting, many error messages would pop up and the system check would start running, telling you it was trying to fix the problems in the error messages.

    So the reboot is a bit different now.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download and save the below to your Desktop or anywhere else you can find it ( if the Desktop is not showing )

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it.


    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator

    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif
    Once you've gotten one of them to run then try to immediately run the following.

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows 7.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
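As an added example that is not MBRCheck's code and not part of the original post: the checks behind MBRCheck's "non-standard or infected MBR" verdict can be reproduced by hand from the first sector of the disk. The Python below parses a 512-byte MBR (boot signature, disk signature, partition table, SHA-256 of the 440-byte boot code), compares the boot-code hash to a known-good set the operator supplies, and flags more than one bootable entry or overlapping partition extents. MBRCheck ships its own hash table, which is not reproduced here; SAMPLE_MBR and its boot code are constructed for the demo, and read_mbr needs Administrator rights on Windows.

```python
"""Inspect a Master Boot Record the way MBRCheck's first screen does.

Added example, not MBRCheck's own code. MBRCheck compares the boot code against
its own table of known-good hashes; here the operator supplies that set
(KNOWN_GOOD). SAMPLE_MBR is constructed for the demo, not captured from a disk.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440            # bytes 0..439; 4-byte disk signature follows at 440
PART_TABLE_OFF = 446          # four 16-byte partition entries
ENTRY_FMT = "<B3xB3xII"       # status, CHS start, type, CHS end, LBA start, sectors
BOOT_SIG = b"\x55\xaa"        # bytes 510..511


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (needs Administrator on Windows)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(mbr: bytes) -> dict:
    """Split one sector into boot code hash, disk signature and partition table."""
    if len(mbr) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                                   # type 0 = empty slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", mbr, BOOTCODE_LEN)[0],
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def assess(info: dict, known_good: set) -> list:
    """Return findings; an empty list means nothing looked off."""
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] not in known_good:
        findings.append("boot code hash not in the known-good set")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    if any(s2 < e1 for (_, e1), (s2, _) in zip(spans, spans[1:])):
        findings.append("partition extents overlap")
    return findings


def build_mbr(bootcode: bytes, disk_sig: int, entries) -> bytes:
    """Assemble a test MBR; entries are (status, type, lba_start, sectors)."""
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode                       # bootcode must be <= 440 bytes
    struct.pack_into("<I", mbr, BOOTCODE_LEN, disk_sig)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def tampered_copy(mbr: bytes) -> bytes:
    """Flip the first boot-code byte, as any patched boot loader would differ."""
    out = bytearray(mbr)
    out[0] ^= 0xFF
    return bytes(out)


# Constructed stand-in boot code and one bootable type-0x07 partition at LBA 63.
SAMPLE_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 32
SAMPLE_MBR = build_mbr(SAMPLE_BOOTCODE, 0x1234ABCD, [(0x80, 0x07, 63, 41943040)])
# Operator-supplied allowlist; seeded with the sample's own hash for the demo.
KNOWN_GOOD = {hashlib.sha256(SAMPLE_MBR[:BOOTCODE_LEN]).hexdigest()}

if __name__ == "__main__":
    for label, sector in (("sample", SAMPLE_MBR), ("tampered", tampered_copy(SAMPLE_MBR))):
        print(label, assess(parse_mbr(sector), KNOWN_GOOD) or ["no findings"])
```

On a live machine, replace SAMPLE_MBR with `read_mbr()` and KNOWN_GOOD with hashes taken from the same Windows version on a clean install; a hash miss alone is a prompt to look closer (OEM boot managers also differ), not proof of infection, which is why the tool's own output stops at "non-standard or infected".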
     
  9. mpvader

    mpvader Private E-2

    Okay, I ran the instructions you provided and attached the logs. I went ahead and attached the logs for Rkill, TDSSKiller, MGlogs, and MBR.

    Through the whole process, if a reboot was required I tried to let it reboot in Normal mode. Each time the virus was still running and I had to reboot in safe mode. After the final step I rebooted and the virus is still running.

    Also prior to starting this process I had previously run unhide.exe. I ran it again per the instructions.

    Thanks.
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run TDSSKiller and have it fix this, which you skipped:

    Attach the new log after the reboot and tell me how things are running now.
     
  11. mpvader

    mpvader Private E-2

    I ran TDSSKiller again and this time it said it did not find any problems. I do not remember intentionally skipping a step last time, so I am not sure what happened.

    I have attached the log from this scan. The computer is still having the same issue.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It did not attach properly. What do you mean everything is still the same? Can you explain exactly what is happening in more detail?
     
  13. mpvader

    mpvader Private E-2

    The virus is still present and running if you boot up in regular mode. To perform these tasks I have to boot up in safe mode.

    When Windows finishes loading there is the blue desktop with no icons. In the taskbar there is a little icon. If you click on that icon, the "system check" program the virus runs pops up and starts running.

    You can see some programs in the start menu, but if you click on the program the menu is blank.

    I have not tried to run any of the programs (i.e. MS office), by navigating through the C drive.
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Are you absolutely unable to run MGTools in NORMAL boot mode? The logs from safe mode show no malware. That's the problem.

    If so then we need to look at other options now.


    Run this and attach the results.

    Using ESET's Online Scanner

    Follow the instructions to also try running the Microsoft Safety Scanner

    Let me know how you get on please.
     
  15. mpvader

    mpvader Private E-2

    I am so sorry I have not responded, but work got in the way and I have not been able to get to your next set of suggestions. I am hoping to get to them today or tomorrow. Thanks for all the help.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome.
     
  17. mpvader

    mpvader Private E-2

    I have decided to format the hard drive and start over. Thanks for all the help.
     
