October 18, 2012 06:50 Police Virus #218716
ConfusedGuy92
Novice
Join Date: 18.10.2012
Posts: 4
I had got this before, and I easily solved it with safe mode > mbam, problem solved.

I got it again, this time a different variant, all in Irish. Same deal I'm assuming though as it has taken control of the screen and works the same way as before.

I did the usual, got 7 hits with mbam, got rid of them, restarted...nope, still there.

I've downloaded the free trial of AVG and am searching right now, but I'm getting a lot of errors on the command line scan with AVG in safe mode, and in the first 5 minutes I already had 5 hits with mbam. I'm not sure if this is spreading but I'll post my complete scan results and hopefully one of you can give some further assistance. I've now found several viruses through the command line. Looking at a lot of hits here, so I'm assuming this mfka is spreading quite fast and I can only hope the scans catch up quick enough. Any sort of assistance once I've posted up the results would be highly appreciated.

Thanks, CG
October 18, 2012 07:03 Re: Police Virus #218717
ConfusedGuy92
Novice
Join Date: 18.10.2012
Posts: 4
AVG 2013 Anti-Virus command line scanner
Copyright (c) 1992 - 2012 AVG Technologies
Program version 2013.0.2741, engine 2013.0.2614
Virus Database: Version 2614/5838 2012-10-17
06:13:23 New high severity detection:
HKU\S-1-5-21-2071956835-2444239964-2862127085-1000\Software\Microsoft\Windows\CurrentVersion\Run\\mlYyH
Description: Found registry key with reference to infected file C:\Users\Tony\AppData\Roaming\mSFco.exe

Successfully healed.
06:13:24 New high severity detection:
HKU\S-1-5-21-2071956835-2444239964-2862127085-1000\Software\Microsoft\Windows\CurrentVersion\Run\\omWDn
Description: Found registry key with reference to infected file C:\Users\Tony\AppData\Roaming\LrRyJ.exe

Successfully healed.
06:14:07 Error 0xc007045d:
C:\Windows\system32\DRIVERS\igdkmd64.sys
06:14:24 Error 0xe0010058:
c:\$Recycle.Bin\S-1-5-21-2071956835-2444239964-2862127085-1000\$12a17e12329f2f8711d8ca6e7b1dd358\
06:14:24 Error 0xe0010058:
c:\Documents and Settings\
06:20:42 Error 0xe0010058:
c:\ProgramData\Desktop\
06:20:42 Error 0xe0010058:
c:\ProgramData\Documents\
06:20:42 Error 0xe0010058:
c:\ProgramData\Favorites\
06:21:32 Error 0xe0010058:
c:\System Volume Information\
06:21:41 Error 0xe0010058:
c:\Users\Default\AppData\Local\History\
06:21:42 Error 0xe0010058:
c:\Users\Default\AppData\Local\Temporary Internet Files\
06:21:42 Error 0xe0010058:
c:\Users\Default\Cookies\
06:21:42 Error 0xe0010058:
c:\Users\Default\Documents\My Music\
06:21:42 Error 0xe0010058:
c:\Users\Default\Documents\My Pictures\
06:21:42 Error 0xe0010058:
c:\Users\Default\Documents\My Videos\
06:21:42 Error 0xe0010058:
c:\Users\Default\NetHood\
06:21:42 Error 0xe0010058:
c:\Users\Default\PrintHood\
06:21:42 Error 0xe0010058:
c:\Users\Default\Recent\
06:21:42 Error 0xe0010058:
c:\Users\Default\Templates\
06:21:42 Error 0xe0010058:
c:\Users\Public\Documents\My Music\
06:21:42 Error 0xe0010058:
c:\Users\Public\Documents\My Pictures\
06:21:42 Error 0xe0010058:
c:\Users\Public\Documents\My Videos\
06:21:55 Error 0xe0010058:
c:\Users\Tony\AppData\Local\History\
06:24:50 Error 0xe0010058:
c:\Users\Tony\Documents\My Music\
06:24:50 Error 0xe0010058:
c:\Users\Tony\Documents\My Pictures\
06:24:50 Error 0xe0010058:
c:\Users\Tony\Documents\My Videos\
06:24:54 Error 0xe0010058:
c:\Users\Tony\NetHood\
06:24:55 Error 0xe0010058:
c:\Users\Tony\PrintHood\
06:24:55 Error 0xe0010058:
c:\Users\Tony\Templates\
06:25:39 New high severity detection:
c:\Users\Tony\AppData\Local\Temp\tmp19a8ee2d\44.exe
Description: Trojan horse Agent3.CCQT

Successfully healed.
06:29:16 New low severity detection:
c:\Users\Tony\Documents\Tony\Dell Laptop Downloads\R78499.EXE
Description: The file is signed with a broken digital signature, issued by: Dell Inc.

Healing action failed with error 0xe0010002
06:29:19 New low severity detection:
c:\Users\Tony\Documents\Tony\Dell Laptop Downloads\R99254.EXE
Description: The file is signed with a broken digital signature, issued by: Dell Inc.

Healing action failed with error 0xe0010002
06:30:12 New low severity detection:
c:\Users\Tony\Documents\Tony\Dell Laptop Downloads\R114079.EXE
Description: The file is signed with a broken digital signature, issued by: Dell Inc.

Healing action failed with error 0xe0010002
06:31:02 New high severity detection:
c:\Users\Tony\AppData\Roaming\pJuGb.exe
Description: Trojan horse Agent3.CCQT

Successfully healed.
06:39:24 New high severity detection:
c:\Users\Tony\AppData\Local\Temp\tmp518b1b95\6.exe
Description: Trojan horse Agent3.CBTK

Successfully healed.
06:39:39 New high severity detection:
c:\Users\Tony\AppData\Roaming\uAlwp.exe
Description: Trojan horse PSW.Generic10.RZP

Successfully healed.
06:45:52 Error 0xe0010058:
c:\Windows\System32\LogFiles\WMI\RtBackup\
06:48:05 New high severity detection:
c:\Windows\Temp\tmp000072bf\tmp000093bc
Description: Found Luhe.Boxed.S

Successfully healed.
06:48:07 New high severity detection:
c:\Windows\Temp\tmp000072bf\tmp000093bd
Description: Found Luhe.Boxed.S

Successfully healed.
06:55:31 Error 0xe0010058:
d:\System Volume Information\

------------------------------------------------------------
Test started: 18.10.2012 6:13:01
Duration of test: 43 minute(s) 41 second(s)
------------------------------------------------------------
Objects scanned : 194987
Found infections : 11
Found high severity : 8
Found med severity : 0
Found info severity : 3
Fixed high severity : 8
Fixed med severity : 0
Fixed info severity : 0
------------------------------------------------------------
October 18, 2012 07:23 Re: Police Virus #218718
ConfusedGuy92
Novice
Join Date: 18.10.2012
Posts: 4
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.16.13

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Tony :: TONY-HP [administrator]

18/10/2012 07:15:44
mbam-log-2012-10-18 (07-15-44).txt

Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 339863
Time elapsed: 1 hour(s), 3 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Tony\AppData\Roaming\hellomoto (Trojan.Ransom.FGen) -> Quarantined and deleted successfully.

Files Detected: 7
C:\$Recycle.Bin\S-1-5-21-2071956835-2444239964-2862127085-1000\$12a17e12329f2f8711d8ca6e7b1dd358\U\00000004.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2071956835-2444239964-2862127085-1000\$12a17e12329f2f8711d8ca6e7b1dd358\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2071956835-2444239964-2862127085-1000\$12a17e12329f2f8711d8ca6e7b1dd358\U\000000cb.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2071956835-2444239964-2862127085-1000\$12a17e12329f2f8711d8ca6e7b1dd358\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2071956835-2444239964-2862127085-1000\$12a17e12329f2f8711d8ca6e7b1dd358\U\80000064.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\Users\Tony\AppData\Roaming\hellomoto\TujP.dat (Trojan.Ransom.FGen) -> Quarantined and deleted successfully.
C:\Users\Tony\AppData\Roaming\hellomoto\BukF.dat (Trojan.Ransom.FGen) -> Quarantined and deleted successfully.

(end)
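The two logs above come from different scanners with different line formats, and the interesting signal is where they overlap: AVG reported an error on the `$Recycle.Bin\<SID>\$<hex>\` directory that Malwarebytes later found the `Trojan.0Access` `*.@` files in, and the AVG Run-key hits point at executables dropped in `AppData\Roaming`, the same place Malwarebytes found the `hellomoto` folder. The script below is an added example, not code from AVG, Malwarebytes or the thread. It parses both log formats into one list of findings, groups them by on-disk location, flags the two patterns seen here (Run-key persistence and the recycle-bin SID directory), and lists everything a scanner saw but could not remove. The sample log text is constructed from the line formats shown in the thread, and the path heuristics are this example's own assumptions.

```python
"""Correlate AVG command-line scanner output with a Malwarebytes (MBAM) log.

Added example; not code from AVG, Malwarebytes or the forum thread. The sample
logs are constructed from the line formats shown in the thread. ZA_DIR and
ROAMING_EXE are this example's own heuristics, not scanner signatures.
"""
import re
from dataclasses import dataclass

# Constructed sample in the AVG 2013 CLI format seen in the thread.
AVG_SAMPLE = r"""06:13:23 New high severity detection:
HKU\S-1-5-21-2071956835-2444239964-2862127085-1000\Software\Microsoft\Windows\CurrentVersion\Run\\mlYyH
Description: Found registry key with reference to infected file C:\Users\Tony\AppData\Roaming\mSFco.exe

Successfully healed.
06:14:24 Error 0xe0010058:
c:\$Recycle.Bin\S-1-5-21-2071956835-2444239964-2862127085-1000\$12a17e12329f2f8711d8ca6e7b1dd358\
06:25:39 New high severity detection:
c:\Users\Tony\AppData\Local\Temp\tmp19a8ee2d\44.exe
Description: Trojan horse Agent3.CCQT

Successfully healed.
06:29:16 New low severity detection:
c:\Users\Tony\Documents\Tony\Dell Laptop Downloads\R78499.EXE
Description: The file is signed with a broken digital signature, issued by: Dell Inc.

Healing action failed with error 0xe0010002
"""

# Constructed sample in the MBAM 1.65 log format seen in the thread.
MBAM_SAMPLE = r"""Folders Detected: 1
C:\Users\Tony\AppData\Roaming\hellomoto (Trojan.Ransom.FGen) -> Quarantined and deleted successfully.

Files Detected: 3
C:\$Recycle.Bin\S-1-5-21-2071956835-2444239964-2862127085-1000\$12a17e12329f2f8711d8ca6e7b1dd358\U\00000004.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2071956835-2444239964-2862127085-1000\$12a17e12329f2f8711d8ca6e7b1dd358\U\80000000.@ (Trojan.0Access) -> Quarantined and deleted successfully.
C:\Users\Tony\AppData\Roaming\hellomoto\TujP.dat (Trojan.Ransom.FGen) -> Quarantined and deleted successfully.
"""


@dataclass
class Finding:
    tool: str               # "avg" or "mbam"
    path: str               # file, folder or registry path as the scanner printed it
    label: str              # scanner description / detection name
    outcome: str            # healed | failed | error | quarantined | other
    severity: str = "n/a"   # AVG severity word, if any
    target: str = ""        # for AVG Run-key hits: the executable the key points at


AVG_DETECT = re.compile(r"^\d\d:\d\d:\d\d New (\w+) severity detection:$")
AVG_ERROR = re.compile(r"^\d\d:\d\d:\d\d Error (0x[0-9a-fA-F]+):$")
AVG_RUNKEY = re.compile(r"reference to infected file (.+)$")
MBAM_LINE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")


def parse_avg(text):
    """Walk the AVG CLI log: a detection is 'header, path, Description, blank, outcome'."""
    lines = [l.rstrip() for l in text.splitlines()]
    out, i = [], 0
    while i < len(lines):
        m = AVG_DETECT.match(lines[i])
        if m and i + 2 < len(lines):
            path, desc = lines[i + 1], lines[i + 2]
            if desc.startswith("Description: "):
                desc = desc[len("Description: "):]
            j = i + 3
            while j < len(lines) and not lines[j]:     # skip the blank line before the outcome
                j += 1
            verdict = lines[j] if j < len(lines) else ""
            if verdict.startswith("Successfully healed"):
                outcome, i = "healed", j + 1
            elif verdict.startswith("Healing action failed"):
                outcome, i = "failed", j + 1
            else:
                outcome, i = "other", i + 3
            rk = AVG_RUNKEY.search(desc)
            out.append(Finding("avg", path, desc, outcome, m.group(1), rk.group(1) if rk else ""))
            continue
        m = AVG_ERROR.match(lines[i])
        if m and i + 1 < len(lines):
            out.append(Finding("avg", lines[i + 1], "scan error " + m.group(1), "error"))
            i += 2
            continue
        i += 1
    return out


def parse_mbam(text):
    """MBAM prints one finding per line: '<path> (<label>) -> <action>'."""
    out = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            path, label, action = m.groups()
            out.append(Finding("mbam", path, label,
                               "quarantined" if action.startswith("Quarantined") else "other"))
    return out


# Heuristics (assumptions of this example): the $Recycle.Bin\<SID>\$<32 hex>\ tree MBAM labelled
# Trojan.0Access, and a bare executable sitting directly in AppData\Roaming.
ZA_DIR = re.compile(r"\\\$recycle\.bin\\s-1-5-[\d-]+\\\$[0-9a-f]{32}\\", re.I)
ROAMING_EXE = re.compile(r"\\appdata\\roaming\\[^\\]+\.exe$", re.I)


def disk_key(f):
    """Normalise a finding to the on-disk location to group on (Run keys map to their target)."""
    p = f.target or f.path
    m = ZA_DIR.search(p)
    if m:                                  # group every file under the same $<hex>\ tree
        return p[:m.end()].lower()
    return p.lower().rstrip("\\")


def triage(findings):
    """Group findings from both scanners by location and attach pattern flags."""
    groups = {}
    for f in findings:
        g = groups.setdefault(disk_key(f), {"tools": set(), "outcomes": set(), "flags": set()})
        g["tools"].add(f.tool)
        g["outcomes"].add(f.outcome)
        p = f.target or f.path
        if f.path.upper().startswith("HK") and "\\RUN\\" in f.path.upper():
            g["flags"].add("run-key persistence")
        if ZA_DIR.search(p):
            g["flags"].add("recycle-bin SID dir (ZeroAccess-style)")
        if ROAMING_EXE.search(p):
            g["flags"].add("exe in AppData\\Roaming")
    return groups


def needs_followup(findings):
    """Items a scanner reported but did not remove: check by hand or with another tool."""
    return [f for f in findings if f.outcome in ("failed", "error")]


if __name__ == "__main__":
    allf = parse_avg(AVG_SAMPLE) + parse_mbam(MBAM_SAMPLE)
    for key, g in triage(allf).items():
        print(key, sorted(g["tools"]), sorted(g["flags"]))
    for f in needs_followup(allf):
        print("FOLLOW UP:", f.tool, f.outcome, f.path)
```

Run against the full logs from the thread (paste them into the two sample strings or read them from files), the group for the `$12a17e12329f2f8711d8ca6e7b1dd358` directory shows both tools and the ZeroAccess flag, and the `needs_followup` list contains the AVG `0xe0010058` paths and the three Dell files AVG could not heal; those are the places to look once the scanners report clean but the screen lock returns.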
October 18, 2012 07:52 Re: Police Virus #218719
ConfusedGuy92
Novice
Join Date: 18.10.2012
Posts: 4
No use. Upon starting it out of Safe Mode, I was given a message about my files being accessed by simultaneous OfficeOrg programs, and that it could be someone else accessing them. The police message (I'm assuming it is police, but in general it's the same pop up/ransom deal) still appears unlike it did before. It seems like this is a more extreme version, so I'll need help to get some more extreme means of cleaning out the infection. Responses greatly appreciated.
October 29, 2012 15:36 Re: Police Virus #219492
Pokornyz
Administrator
Join Date: 29.11.2010
Posts: 8222
Hello ConfusedGuy92,

In order to analyze your issue please provide us with more information (AVG scan result export, Msinfo output, GMER scan results).

Thank you.

AVG Team