Virus - suspicious processes?

WStokes

Weaksauce
Joined
Feb 26, 2009
Messages
114
My older, computer-illiterate cousin got a virus and downloaded Ultimate Anti virus, which she then paid $80 or something for. Anyway, I was trying to just troubleshoot the PC (she is on Windows XP) and I could not even get into the Task Manager, so I followed some steps to fix the problem from here: http://www.spywareremove.com/security/how-to-kill-spyware-processes/.

I got PsTools working and got a list of the running processes. I tried to install Avast, but it failed to run once installed and gave me an error saying it didn't install correctly... 3 times. Anyway, I took a screenshot of all the programs running and would like to know if anyone sees any programs that they know for sure are viruses. I would like to just do a full reinstall, but she would like to keep a lot of the data she has on the machine. Is it risky copying music, pictures and contacts to an external HD? I wouldn't want to copy the virus as well.

Here is the list of processes


She has an HP printer and scanner, and she installed a wireless USB stick (Linksys, I believe). She now has an iPhone and used to have a BlackBerry, which I believe were synced with the computer.

I went through and killed a lot of the processes, but I still could not open the Task Manager. If I closed the program that is causing these problems, would I be able to open the Task Manager? How can I tell I have closed the correct process causing the problems?

Thanks in advance,
Will
 
Use an Ubuntu boot (install) disk and copy the files that are important to her. You will not have to worry about ownership rights using Linux. After that, restore the PC using the system's utility. Handle data migration and anti-virus scan(s) of the copied data accordingly.

Now this is one caveat that I see. Did she really purchase the malware anti-virus? If this was done I would be on the phone requesting a new card immediately!
 
Boot into safe mode, run rkill, then try to run Malwarebytes/Hitmanpro/Superantispyware/Combofix to remove infection. Should fix it right up.

The process P13e8_289 looks very suspicious..
 
Be careful...some malware pretends to be anti-virus and just steals the credit card info. Stick with well known vendors. Can you get the free version of Malwarebytes to work? Just download it from www.download.com
I find that to be the best at removals of Malware. Definitely back up important files before running removal tools because after a clean-up, your system may not boot at all. This is due to system files that have been modified or removed. Just a precaution.
 
PI3e8_289
That's the only one that really sticks out.

Unsure of:
wdfmgr
AsfIpMon
AOLacsd
WLService
QBCFMonitor (QuickBooks?)

What you may try is making a copy of taskmgr.exe and renaming it to, say, tissue.exe.

Some viruses block executables by name. I.e., I remember dealing with something that would block mbam.exe, but if I renamed the file to blah.exe it would run.

IIRC, it placed a lot of things in the registry which were blocking the exes based on their name.
 
> PI3e8_289
> That's the only one that really sticks out.
>
> Unsure of:
> wdfmgr
> AsfIpMon
> AOLacsd
> WLService
> QBCFMonitor (QuickBooks?)
>
> What you may try is making a copy of taskmgr.exe and renaming it to, say, tissue.exe.
>
> Some viruses block executables by name. I.e., I remember dealing with something that would block mbam.exe, but if I renamed the file to blah.exe it would run.
>
> IIRC, it placed a lot of things in the registry which were blocking the exes based on their name.

Yeah... that mbam.exe thing has happened many times, and it was recommended to even convert it to mbam.bat because it would run the same as if named .exe, but the virus didn't know better. Sometimes the viruses block all .exe files, so the .bat got past both of them.
 
Thanks for all the feedback guys, I really appreciate it. I will get on that tomorrow; I'm fed up with messing with it today, haha. First thing I did was tell her to call the credit card company and cancel, and she is changing passwords to online banking etc. It was one of those fake "you have a virus" pop-ups, I believe, so she clicked it and installed that antivirus that turns out to be a worm or trojan...

I had Malwarebytes running, but I ended that through the PsTools unknowingly. I'll start it up again tonight in safe mode. As for RKill, do I just download the rkill.exe file (703 KB) from here: http://www.bleepingcomputer.com/forums/topic308364.html? I have never heard of this, so I just want to be sure I'm getting the right file.

If I do have to reformat, I might try the Linux trick to migrate the data over; I have been wanting to try that out but never really had the motivation to do it.

Thanks again
 
Don't have her "just cancel"... rather, also get a whole new number, because they will sell that info to other identity thieves. Also, as always, try to run those apps in safe mode for maximum removal.
 
Well, after booting into safe mode and running rkill, then Malwarebytes, it got rid of a bunch of stuff. Malwarebytes caught 787 items (hadn't been run or updated since 4/2009), and after I removed them I could access the Task Manager. I really appreciate all the help, and I will run a few other antivirus/malware programs and tell her to run them daily and keep them up to date. So I believe this should be fixed, and thank you for all the help.

edit: If the computer does seem normal again I will try to post the list of programs running once everything has been cleared up. I could not even get internet unless I entered safe mode
 
Try creating a new account with admin rights and see if it gets Internet. Sometimes with viruses you get a setting tweak somewhere funky that just affects the one account. Kinda weird, but it is a lot quicker to make a new account than tracking down the setting. You can also just delete the account if it didn't fix the problem.
 
By "you could not get internet", do you mean you had no physical connection? I.e., the network manager showed no connection

OR

You had DNS resolution issues?

If it's DNS (and this is very common with viruses), it's because they change your hosts file to redirect common sites to theirs, and especially if she bought their malware (that makes me sad to hear; you really have no idea how much hate I have for those scams), then I can almost 1000% guarantee that it did just that for her.

You can go and checkout the hosts file yourself, but odds are the virus will just redo the thing as soon as you reboot.

I agree with everyone else in the end though. Back up what's good, and nuke it from orbit.
 
> Well, after booting into safe mode and running rkill, then Malwarebytes, it got rid of a bunch of stuff. Malwarebytes caught 787 items (hadn't been run or updated since 4/2009), and after I removed them I could access the Task Manager. I really appreciate all the help, and I will run a few other antivirus/malware programs and tell her to run them daily and keep them up to date. So I believe this should be fixed, and thank you for all the help.
>
> edit: If the computer does seem normal again I will try to post the list of programs running once everything has been cleared up. I could not even get internet unless I entered safe mode

I personally would scan with a few different programs, clean out what you can, back her shit up, wipe and reload Windows.
 
> Well, after booting into safe mode and running rkill, then Malwarebytes, it got rid of a bunch of stuff. Malwarebytes caught 787 items (hadn't been run or updated since 4/2009), and after I removed them I could access the Task Manager. I really appreciate all the help, and I will run a few other antivirus/malware programs and tell her to run them daily and keep them up to date. So I believe this should be fixed, and thank you for all the help.
>
> edit: If the computer does seem normal again I will try to post the list of programs running once everything has been cleared up. I could not even get internet unless I entered safe mode


Instead of just having her run a virus scanner once a day, how about getting her a virus scanner that has active scanning? Something like NOD32, which has a built-in firewall, active document scan, email scan, and file scanning. Far better option than her remembering to do a manual scan all the time.
 
> Well, after booting into safe mode and running rkill, then Malwarebytes, it got rid of a bunch of stuff. Malwarebytes caught 787 items (hadn't been run or updated since 4/2009), and after I removed them I could access the Task Manager. I really appreciate all the help, and I will run a few other antivirus/malware programs and tell her to run them daily and keep them up to date. So I believe this should be fixed, and thank you for all the help.
>
> edit: If the computer does seem normal again I will try to post the list of programs running once everything has been cleared up. I could not even get internet unless I entered safe mode

Go into IE or Control Panel, Internet Options, Connections tab, LAN settings at the bottom, and uncheck the proxy server.

I have seen this before: the virus will set the PC as a proxy server and go there for DNS. Try that before you reinstall.
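A read-only triage script that checks for the three hijacks brought up in this thread: the hosts-file redirection, the proxy setting described just above, and the earlier point about executables being blocked by name (the usual mechanism is an Image File Execution Options "Debugger" value; the hidden Task Manager is normally the DisableTaskMgr policy). This is an added example, not code from any poster; the registry paths are standard Windows ones, and it only reports what it finds.

```powershell
# Added example (not from this thread): read-only triage of the three hijacks
# discussed above. Run in an elevated PowerShell prompt; it reports, never fixes.

# 1. hosts file. Malware appends entries that send AV vendors, search engines or
#    banks to its own servers. The directory itself can be redirected via the
#    DataBasePath value, so read that rather than assuming the default location.
$tcpip  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath = [Environment]::ExpandEnvironmentVariables($tcpip.DataBasePath)
if ($dbPath -notlike '*\System32\drivers\etc') { Write-Warning "hosts directory moved to $dbPath" }
Get-Content (Join-Path $dbPath 'hosts') | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()                # strip comments and blanks
    if ($line -eq '') { return }
    $parts = $line -split '\s+'
    if ($parts.Length -lt 2) { return }
    $ip    = $parts[0]
    $names = $parts[1..($parts.Length - 1)]
    # Only the loopback self-entry is expected; anything else gets reported.
    $odd = $names | Where-Object { $_ -ne 'localhost' -or (@('127.0.0.1', '::1') -notcontains $ip) }
    if ($odd) { Write-Output "HOSTS   $ip -> $($names -join ' ')" }
}

# 2. Proxy hijack (the LAN-settings tip above). A rogue AV points the browser at
#    itself so it can rewrite or block traffic; a PAC script does the same job.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { Write-Output "PROXY   enabled -> $($inet.ProxyServer)" }
if ($inet.AutoConfigURL)     { Write-Output "PROXY   PAC script -> $($inet.AutoConfigURL)" }

# 3. Executables blocked by name (why renaming mbam.exe worked). The usual
#    mechanism is an Image File Execution Options key whose Debugger value
#    launches something else in place of the named program.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath).Debugger
    if ($dbg) { Write-Output "IFEO    $($_.PSChildName) -> $dbg" }
}

# 4. Task Manager hidden by policy, the symptom that started this thread.
$pol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol.DisableTaskMgr -eq 1) { Write-Output "POLICY  DisableTaskMgr=1 (Task Manager blocked for this user)" }
```

Run it once before cleanup and once after: findings that reappear after a reboot point at a persistence mechanism the removal tools have not yet caught.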
 
> Instead of just having her run a virus scanner once a day, how about getting her a virus scanner that has active scanning? Something like NOD32, which has a built-in firewall, active document scan, email scan, and file scanning. Far better option than her remembering to do a manual scan all the time.

Another good point.
 
I wouldn't trust any computer after a heavy infection like that. As someone suggested, boot off a live disk (Ubuntu, Mint, etc.) and back up all her stuff, then wipe the disk clean and reinstall Windows... in the long run, it will be safer this way.
 
Thanks guys, it has cleaned up a lot, but when I run ComboFix, it still detects one of the rogue AV programs. I think I will just do the full reinstall and salvage anything important she needs.
 
> I wouldn't trust any computer after a heavy infection like that. As someone suggested, boot off a live disk (Ubuntu, Mint, etc.) and back up all her stuff, then wipe the disk clean and reinstall Windows... in the long run, it will be safer this way.

The answer!
 