Had a problem with a virus. I fought most of the past 3 days straight on this thing and think I have it fixed now, mostly thanks to topics of what appears to be the exact same thing on this forum, but I would like an expert's opinion, as I am far from such when it comes to... whatever kind of virus this was/is.
That said, here is the info I know about it off the top of my head (as I've been fighting this thing for almost 3 days straight):
- Virus starts processes, one of which eats memory and CPU like crazy
- Search links are automatically redirected upon click
- Antivirus and similar programs become unusable/undeletable
How I got it:
- Downloaded a game, or what I thought was a game. I wasn't really paying attention and only noticed after I opened it that it was a ".exe" file. (I normally scan these with multiple antivirus programs prior.) Just my luck.
1. Basic Research
- Within seconds, the file disappeared (this is when I knew it was bad). I opened task manager and these programs which I have never seen before were running: "a_exe" "b_exe" "c_exe" "mbs.exe"
- The first 3 ran in sequential order, closing before the next one began, until it stopped on c_exe. They were all user processes, taking virtually no CPU and very little memory, except for mbs.exe. That one was at 99% CPU constantly and ranging from around 100,000K to 200,000K memory usage.
- I immediately ended these processes and searched online for such processes at "http://www.tasklist.org/". They weren't listed.
I noticed that mbs.exe reopened somewhat periodically if ended, and c_exe ran only on startup. Using a program (Startup Delayer) I removed c_exe from starting, but mbs.exe I'm afraid I don't remember what I did to stop from reopening.
At the time I had Ad-Aware, AVG, and Spybot. I ran Ad-Aware first, only to find it wouldn't run. It gave a message:
"Couldn't load the resource manager."
I proceeded to uninstall it (Add or Remove Programs) and opened IE to get a fresh copy. Going through Yahoo's homepage, I searched for "Ad Aware". It was the top link, but when I clicked it, my URL was redirected. This continued happening with that link and other links (although when I tried the same search from my AVG search toolbar, those same links wouldn't redirect), redirecting to 1 of I believe just 3 different sites. The URL would immediately change to a search engine site (such as "http://www.google.com/") and then rest on the targeted URL site after that. I got around this by just clicking the 'cached' links, and proceeded to freshly download Ad-Aware.

Upon installing, I was alerted that Ad-Aware still existed on my computer, so I rechecked Add/Remove Programs and then opened my Program Files folder. Sure enough, it was still there. The processes for Ad-Aware weren't running, so I attempted to right-click-delete the entire folder (Lavasoft), but it wouldn't let me. I dragged the folder out onto my desktop, where I could then delete it, making sure it was out of Program Files, then installed my fresh copy. Ad-Aware automatically started after install. I updated it and ran a scan... The scan ran for about 2 minutes, then the program suddenly terminated and could no longer be run again. It was giving the same error as before.

I then tried AVG and Spybot with the same results (except the error was: "Windows cannot access the specified...").

At some point I was able to manually search (based off a scanner that showed the infected files' locations before terminating) to remove 2 infected files ("mba.exe" and "mbb.exe", though not sure if that's right).
3. Antivirus Fails, What Next?
First, I researched access rights (following the error lead) and attempted some suggestions (such as taking folder ownership). No change. So I gave up hope of it being a simple matter and began more drastic measures.
System Restore. To a point about 2 months ago (to a time known to be virus-free). Booted in safe mode to be sure. Freshly redownloaded the 3 mentioned programs and installed, with the same outcome.
4. New Programs
I asked my dad for help. He suggested a few programs and inspected the errors first hand. Somewhere there was one that said something about a missing dll file. He said "registry".
Here's a list of the programs I attempted to use. They all ran the first time, but suddenly terminated at some point during the scan (one being already 3 hours into it) and then refused to run again. Reboots and safe mode were ineffective too:
GMER (used the random file name install)
ComboFix (different kind of error. researched and found a fix.)
PC Pitstop Exterminate (trial version, actually the only one that didn't self-terminate, but still only ran once)
AntiVir PE (I did not run a scan, so it is still fully functional)
ComboFix -> combined with info from AntiVir PE's Live Guard alerts to pinpoint the cause of ComboFix not running. Was able to find a fix (not sure how, sorry). When finally able to run, it needed to reboot the system a total of 3 times, and reloaded the user settings many more times. But ultimately, it was able to fix (I hope) the issue. I was able to run (freshly installed) HiJackThis after that.
Just before posting, did the following:
Malwarebytes (fresh dl/install) Quick Scan:
- Detected and removed. Malwarebytes still operable.
AVG (fresh dl/install) full scan:
- 73 (all cookies and previous Firefox extensions) removed. Still operable.
Lingering files (unable to delete, non-running):
- ljj9cm14.exe (GMER - Desktop)
- Ad Aware (Add/Remove Programs - folder nonexistent in Program Files. Ad-Aware cannot reinstall until removed.)
I thought processes in task manager always used ".exe" or similar. Is it normal to end in "_exe"?
Can you recommend a program or guide for removing files that cannot be uninstalled/deleted/renamed via traditional methods?
I want to make sure this thing is done with. What's my next step?
All help appreciated,
Please note that all instructions given are customized for that member's computer only, the tools used may cause damage if run on a computer with different infections. Your symptoms may only appear to be similar. Regardless, please do not take fixes given to another user and apply to your own machine.
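The post above describes spotting the infection by hand in Task Manager (oddly named images, one process pinned at 99% CPU, an entry that came back on every boot). The script below is an added example, not from the poster or from any of the tools named in the thread, showing how that triage is done from an elevated Windows PowerShell session: it lists running processes whose executable sits outside the Windows or Program Files trees, whose Authenticode signature is not valid, or whose image name does not end in ".exe", and then dumps the Run/RunOnce autostart entries from both hive branches. The directory roots are an assumed heuristic (a signed file in Program Files can still be hostile, and a legitimate updater in a user profile will be flagged); the output is a starting list to check, not a verdict. Sysinternals Process Explorer and Autoruns show the same information with a GUI.

```powershell
# Added example (not from the post): process and autostart triage for the
# symptoms described above. Run from an elevated Windows PowerShell (5.1+).

# Heuristic "trusted" roots (assumption): binaries outside these get flagged.
$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }    # drop the null entry on 32-bit systems

function Test-UnderTrustedRoot {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path -like "$root\*") { return $true }
    }
    return $false
}

Write-Host "== Running processes worth a second look =="
Get-CimInstance Win32_Process | ForEach-Object {
    $p    = $_
    $path = $p.ExecutablePath
    if (-not $path) { return }    # System/Idle have no image path; skip them

    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    $reasons = @()
    if (-not (Test-UnderTrustedRoot $path)) {
        $reasons += 'outside Windows/Program Files'
    }
    if ($null -eq $sig -or $sig.Status -ne 'Valid') {
        $reasons += "signature: $($sig.Status)"
    }
    # Image names without a .exe suffix (the a_exe / b_exe / c_exe pattern).
    if ($p.Name -notmatch '\.exe$') {
        $reasons += 'image name lacks .exe extension'
    }

    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            PID     = $p.ProcessId
            Name    = $p.Name
            Path    = $path
            WS_MB   = [math]::Round($p.WorkingSetSize / 1MB)   # working set, MB
            Reasons = ($reasons -join '; ')
        }
    }
} | Format-Table -AutoSize

Write-Host "== Autostart entries (Run / RunOnce) =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($prop.Name -like 'PS*') { continue }
        [PSCustomObject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
    }
}
```

Anything that shows up in the first table with a path under a user profile or a temp directory, and anything in the second table pointing at such a path, is what to look at first; note the file path and hash before ending the process, since (as the post observed) a watchdog process can respawn it and the file may be removed or renamed once it is touched.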