Replies: 10, Viewed: 2837 times.
Old 4th Apr 2012, 6:03 AM Oh God Damn It! #1
anothereyjana
Original Poster

Forum Resident

Join Date: Apr 2009
Posts: 749


Long story short, my laptop is currently infected (I'm typing this up on another computer, one of the things the virus knocked out was internet).

I have the free version of Avast, as well as Malwarebytes, however, neither of those seem to be detecting anything, while Windows Internet Security is going nuts, and I keep getting pop-ups saying this and that are disabled, and a second ago I got a BSOD. I currently have my laptop going in "Safe Mode," so that I can list what exactly it's infected with (Internet Security says it's a Blaster Worm, I'm just trying to get the specifics). When I tried to boot up Regedit, not only would it not start, but it made, I shit you not, the sound of a yowling/screeching cat (and I mean that it sounded as if it was programmed by the virus to make that sound, the dicks).

So far, it's listing the viruses/programs/whatever as (note, I was just surfing at the time, not downloading anything):
TrojanDownloader.Win32
Backdoor.Win32.Scrab.p
W32/Child-Porn.PROXY/Server (WHAT. THE. FUCK?!?! Should I even have to say that I don't look at that crap?!? I mean, just, WHAT THE FUCKING HELL?!?!)

My laptop keeps telling me to "Activate Internet Security," but every time I try it just takes me to a website where I apparently have to buy the software (which I should already have), which I can't do because 1) last time I tried to start it outside of "Safe Mode" it BSOD'd on me, so, no internet 2) I do not have the extra money right now to buy extra software 3) Even if the first two weren't a factor, there's still the fact that I don't have a credit card, so I can't buy it immediately anyway.

Is there anything I can do at this point? A little help, please?
Old 4th Apr 2012, 10:26 AM #2
Whiterider
BUTTS!



Join Date: Jul 2005
Posts: 14,780
Thanks: 28205 in 60 Posts
30 Achievements



That "Activate Internet Security" thing is also malware - it's an attempt to steal your credit card info. In fact, it's probably the only malware at work here, since it generates fake virus warnings.
Is it that same program which keeps giving you popups? If so, what exactly is its name, and when did you download it? Google suggests that the current version of that malware is called Windows Internet Security 2012 - I remember it being Windows Internet Security 2011, which I guess makes sense (not actually made by Microsoft, of course - just so named in the hope that people will see "Windows" and think "Oh, well it must be safe" and install it). It also generates that Child-Porn.PROXY thing in the hope that it will make people panic and "buy the full version" (aka give them your credit card info).

I suggest following this removal guide: http://www.bleepingcomputer.com/vir...t-security-2012 - where it says "use a clean computer", you should be able to use your laptop in safe mode. Remember to read through the instructions thoroughly and download everything before you start, because you shouldn't restart/switch to safe mode while you're actually removing the malware unless the instructions tell you to. Good luck!

"On the page, punctuation performs its grammatical function, but in the mind of the reader it does more than that. It tells the reader how to hum the tune." - Lynn Truss, Eats, Shoots and Leaves
Last edited by whiterider : 4th Apr 2012 at 10:42 AM.
Old 5th Apr 2012, 4:30 AM #3
anothereyjana
Original Poster

Forum Resident

Join Date: Apr 2009
Posts: 749


Thank you. Actually, I never downloaded anything about Internet security, at least, not that I can remember (and definitely not recently), so I'm not really sure how it even managed to get on there in the first place. Especially since I have Vista and not Windows 7? Like I said though, it's not like I have a credit card number that I can actually give them since I don't have any credit cards period. Thank you SO VERY MUCH for the link.

The only problem is that I can't do anything outside of safe mode, as I get a BSOD every time I try to run my computer normally, or it ends up going into a continuous loop of restarting itself (does it sound like one of the falsely infected files may have gotten deleted or something?).
Old 5th Apr 2012, 4:46 AM #4
Bodhie
Lab Assistant

Join Date: Jan 2010
Posts: 142


You don't need a card with money for them to harass you lol
Nowadays you can get Trojans and viruses just by surfing on a page. After you fix your computer, I suggest you look up add-ons for your browser (AdBlock comes to mind).
And I humbly recommend Spybot Search And Destroy... because it has a good browser thingy inside it. To block and clean and what not.

And disconnect your computer from the Internet (esp. if it keeps opening browsers and pop-ups). You may just have to fix the problem in safe mode (happened to me many times..) and sometimes the little bugger won't leave.. so I end up formatting the whole thing.

Good Luck Hope you will be able to fix it

- Shaar: I only have *ONE*god ! and it's ME! -
- My mind is rpg , My heart is Music and My gender is Art -
Old 5th Apr 2012, 10:37 AM #5
Whiterider
BUTTS!



Join Date: Jul 2005
Posts: 14,780
Thanks: 28205 in 60 Posts
30 Achievements



If you can't get the computer loading at all, you may want to try following the manual removal instructions from within Safe Mode - you wouldn't need to do the first couple of steps, as the malware isn't running and doesn't need to be stopped before you can start removal.

Old 6th Apr 2012, 12:24 AM #6
anothereyjana
Original Poster

Forum Resident

Join Date: Apr 2009
Posts: 749


Actually, I got the running part (mostly) solved. My laptop is free of the malware (as far as I have been able to tell, anyway; Malware Bytes said that it was gone...), but it will still only run if it's in one of the safe modes (any of the three), otherwise I get a BSOD. Before Malware Bytes took care of it, the virus/malware would still run even in safe mode, but now, nothing. I found out that Avast! ended up deleting something when I told it to just move the infected file it found to the virus chest (this was before I found out that it was malware). It says that the file was MBR:\\.\PHYSICALDRIVE0, which, after some digging, I found out the "MBR" part meant "Master Boot Record," but when I Googled it, all I could find on "MBR:\\.\PHYSICALDRIVE0" was the malware and how to remove it. So I'm not sure anymore exactly what Avast! did when it deleted that file, but I'm worried that it took something important with it when it left.

So I can sort-of still use my laptop, but a good amount of things are disabled (internet not included, though I'm not sure if Avast! is able to actively run in safe mode, which seriously scares me. I know that it can do scans and certain other things, but as for active protection...). Am I looking at having to have the thing reformatted now?
Old 6th Apr 2012, 12:59 AM #7
Whiterider
BUTTS!



Join Date: Jul 2005
Posts: 14,780
Thanks: 28205 in 60 Posts
30 Achievements



Ahh. That is interesting - I'm rather surprised that it can load to safe mode if there's an MBR problem.

The way I usually fix MBR problems - and this may not be the easiest way, someone else might wanna jump in - is using the Windows install CD. It doesn't have to be the CD for the laptop's specific copy of Windows, as I realise that's probably OEM; any old Windows CD will do, so long as it's for the same version of Windows (XP, Vista, Windows 7 etc). Do you have such a thing?

If not, the laptop may have a recovery partition which can access the same magical fixing processes. I've never used one, though, so I'd have to go Googling to find out how they work.

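The thread so far turns on what the flagged object MBR:\\.\PHYSICALDRIVE0 actually is: the first 512-byte sector of the disk, holding the bootstrap code, the four-entry partition table and the 0x55AA boot signature. As an added example (not code from this thread, from Avast, or from any tool named here), the Python script below reads one such sector from a disk image or raw device and reports what a defender checks first: whether the boot signature is intact, whether the partition table is sane (exactly one active partition, no overlaps), and whether a hash of the bootstrap code still matches a known-good copy, such as one recorded from a backup taken before the infection. The sample sectors are constructed inline; the reference hash and the device path are assumptions.

```python
"""Inspect one raw 512-byte MBR sector the way a defender would after an AV
product flags MBR:\\.\PHYSICALDRIVE0. Added example: the sample sectors are
constructed and the known-good reference hash is an assumption."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446           # bootstrap code: bytes 0..445
PART_TABLE_OFFSET = 446       # four 16-byte partition entries: bytes 446..509
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def read_sector0(path):
    """Read the first sector of a disk image, or (with admin rights on
    Windows) of a raw device such as r'\\.\PhysicalDrive0' (assumed path)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Return boot-signature status, a hash of the bootstrap code and the
    non-empty partition-table entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector, known_good_bootstrap_sha256=None):
    """Return human-readable findings; an empty list means nothing looked wrong.
    The reference hash, if given, is assumed to come from a clean backup."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] < a["lba_start"] + a["sectors"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    if known_good_bootstrap_sha256 and info["bootstrap_sha256"] != known_good_bootstrap_sha256:
        findings.append("bootstrap code differs from the known-good reference: "
                        "possible bootkit or damaged MBR")
    return findings


def build_sample_mbr(bootstrap_marker):
    """Constructed sector: one active NTFS-type (0x07) partition at LBA 2048."""
    bootstrap = bootstrap_marker.ljust(BOOTSTRAP_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 200000)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return bootstrap + table + BOOT_SIGNATURE


# Constructed inputs: a clean sector, its hash "saved from the last good backup",
# a sector whose bootstrap code was altered, and one with the signature wiped.
CLEAN_MBR = build_sample_mbr(b"CONSTRUCTED clean bootstrap stand-in")
CLEAN_REFERENCE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]
TAMPERED_MBR = build_sample_mbr(b"CONSTRUCTED altered bootstrap stand-in")
UNSIGNED_MBR = CLEAN_MBR[:510] + b"\x00\x00"

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("unsigned", UNSIGNED_MBR)):
        print(label, check_mbr(sector, CLEAN_REFERENCE) or "no findings")
```

A sector that fails the signature check, or whose bootstrap hash has drifted from the reference, is the case the thread's later replies address: the machine still needs its MBR rewritten from install media or a recovery partition, and the rootkit remover run, rather than just the fake AV's files deleted. Comparing against a hash rather than against a downloaded "clean MBR" matters because bootstrap code is OEM- and version-specific.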
Old 6th Apr 2012, 3:08 PM #8
ellacharmed
Disenchanted



Join Date: Nov 2007
Posts: 7,096
Thanks: 5939 in 28 Posts
17 Achievements



The BSOD is not when running in Safe Mode, right? Do you have the hex code? Is it related to the rootkit or another unrelated issue, i.e., not caused by the virus problems?

If you're still informed of the MBR issue, it seems the rootkit is still not cleaned? You followed all the instructions in the bleepingcomputer page Whitey linked to? The TDSSKiller program? This appears to be what is needed to clear this up - read http://www.bleepingcomputer.com/forums/topic385675.html

Otherwise, if you have your stuff backed up or are willing to lose data, then a full reformat and Windows reinstall may be best. Especially if you don't have the Windows Install CD to do the workaround that whiterider asked about above, or the recovery partition. The recovery partition restore would also return you to factory settings, though.


Only the paid MalwareBytes has a realtime scan, otherwise you have to do manual scans. As does any antivirus - just having the realtime scan is not enough. Once things are cleaned up, I suggest using Windows Task Scheduler to schedule weekly DEEP/FULL scans of the computer using these 2 programs. Now, if you're already doing that and Avast lets a virus through, i.e. it is not something you clicked by mistake thinking it is a legit Windows program, then perhaps it is time to switch antivirus programs.
Old 7th Apr 2012, 5:23 AM #9
Cyjon
Field Researcher

Join Date: Nov 2004
Posts: 344
Thanks: 2813 in 10 Posts
9 Achievements


Before reformatting, be sure you followed all the instructions in the thread whiterider gave you. If that still doesn't clear everything up, then post a thread in http://www.bleepingcomputer.com/forums/forum103.html. The staff at BC walked me through a vicious viral infection and not only removed it but were able to clean up all the damaged files. Just be patient--it took me something like two weeks--and follow every instruction you are given to the letter. These folks know what they are doing.

On my site I have dozens more Sims 2 mods. These mods come with no support so use them at your own risk.
Old 10th Apr 2012, 4:50 AM #10
anothereyjana
Original Poster

Forum Resident

Join Date: Apr 2009
Posts: 749


Thanks for the links (sorry it took so long to get back to you, been busy with work and trying to get this thing off my laptop). I'm about 90% sure now that the BSODs are being caused by the virus/malware, the trick is to get the thing off (since it seems to re-install itself every time the system reboots, which is required for some of these programs).

I'm definitely going to be posting there to try and get this fixed, especially if it can be done without it erasing any of my personal files. But I still better buy a couple of flash drives just in case (since my cd burner is apparently down for the count; I don't do a lot of burning, so I just found out about it a few months ago, and it was most likely killed when SecuRom managed to get in despite my efforts).
Old 10th Apr 2012, 5:48 AM #11
porkypine
Moderator



Join Date: Feb 2006
Posts: 3,278
Thanks: 8948 in 52 Posts
24 Achievements



Hi, we see this all the time where I work and have to go clean up their computers. (I am a tech by day.) As stated above, this one is very pernicious and makes clones of itself and hides them, and when you delete the 'main' infected file, it restores from one of its hidden clones. You need to kill the process before you can get rid of it. We use RKILL.exe at work all the time to stop this one. Get it here - http://www.cnet.com/1770-5_1-0.html...=rkill&tag=srch and go offline. Run RKILL to stop the malware, then use Malwarebytes to get rid of it. If that fails, try restoring your computer to an earlier backup a few weeks prior to your infection, and if that fails, wipe and rebuild your computer. Hopefully you made an original restore disk when you first got your machine, because most computers come with the OS installed and leave it to the customer to make their first backup CD from a backup partition. Good luck. This one is a royal pain in the patooties to get rid of because it makes so many iterations of itself and hides them well.

Remember, to get rid of this one, you have to stop the background processes by running rkill.exe, because this trojan hides renamed and hidden copies of itself, and when you reboot, it sees that version '1' is missing and then recreates the file on boot, which is why it comes back after rebooting. If you don't kill the process and then remove the killed fragments, you'll never get rid of it. It's nagware anyway and will constantly direct you to their site to buy their solution. DO NOT give them your credit card number! Every year has a new version with the year as part of the name. Variations of that have been around for a few years now. You get it merely by visiting sites with an ad running on the side bar or accidentally clicking on an ad. Keep your machine PATCHED and UPGRADED on Windows OS updates, Java and Flash. And if you use Facebook, NEVER, EVER click on all those 'free' things your friends post to you. It's junkware and suspicious.

SO:
download RKILL, SPYBOT, malwarebytes.org
go offline
Run Rkill to stop the process
Run malwarebytes, spybot and your antivirus full system scans ONE AT A TIME.
You can try to go back to an earlier restore point. SCAN AGAIN
Reboot. see if the beastie comes back
If that fails, wipe and rebuild your computer from scratch.

Busy mashing meshes.
Last edited by porkypine : 10th Apr 2012 at 6:00 AM.
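porkypine's description of the persistence mechanism (the same file stored under different, hidden names, and the visible copy recreated from a clone after reboot) is exactly the pattern a content-hash sweep exposes: byte-identical files under different names, some of them hidden. As an added example (not code from this thread or from RKILL, Malwarebytes or Spybot), the Python script below walks a directory tree, groups files by SHA-256 and reports only the groups with more than one copy, marking which copies are hidden. The directory layout it scans is constructed in a temporary folder; the file names in it are invented for the demonstration.

```python
"""Find byte-identical copies of a file stored under different names, the
"hidden renamed clones" pattern. Added example: the directory tree is
constructed in a temp folder and every name in it is invented."""
import hashlib
import os
import stat
import tempfile


def sha256_of_file(path, chunk_size=65536):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def is_hidden(path):
    """Dotfiles count as hidden everywhere; on Windows the HIDDEN attribute
    is checked as well (st_file_attributes only exists there)."""
    if os.path.basename(path).startswith("."):
        return True
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_renamed_copies(root, min_size=1):
    """Group every regular file under root by content hash and return only
    the groups holding more than one file, each copy tagged with its
    hidden status. Tiny files are skipped to avoid noise from empty markers."""
    groups = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full) or os.path.getsize(full) < min_size:
                continue
            groups.setdefault(sha256_of_file(full), []).append(
                {"path": os.path.relpath(full, root), "hidden": is_hidden(full)})
    return {h: sorted(copies, key=lambda c: c["path"])
            for h, copies in groups.items() if len(copies) > 1}


def build_sample_tree():
    """Constructed tree: one visible program file, one hidden renamed clone
    with identical bytes, and one unrelated file."""
    root = tempfile.mkdtemp(prefix="clone-hunt-")
    body = b"CONSTRUCTED sample program body; plain text, nothing executable\n"
    layout = {
        os.path.join("Program Files", "ExampleApp", "example.exe"): body,
        os.path.join("Temp", ".4f2a9c.tmp"): body,           # hidden renamed clone
        os.path.join("Users", "notes.txt"): b"unrelated content\n",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def report(root):
    """Render the duplicate groups as lines suitable for a triage note."""
    lines = []
    for digest, copies in find_renamed_copies(root).items():
        lines.append(f"{digest[:16]}... x{len(copies)}")
        for c in copies:
            lines.append(f"  {'[hidden] ' if c['hidden'] else ''}{c['path']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_sample_tree())) or "no duplicate files")
```

Run against a real system the sweep is a triage aid, not a verdict: legitimate software also ships duplicate DLLs and cached installers, so the interesting groups are those where one copy sits in a hidden or temporary location and another in a startup path. Because the clone is restored at boot, the sweep belongs after RKILL has stopped the process and before the reboot, so that every copy can be removed in one pass.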