Need help removing virus (Downloader.Generic8.APEH)


Jerry_03
05-28-09, 08:55 PM
Sorry if this isn't the correct forum to post this in, but in any case:

I'm trying to help my brother remove a virus from his computer. He got it by downloading a program that ended up containing a trojan horse virus. He is using Windows XP Home Ed.

Symptoms of the virus include not being able to access some AV sites, mostly the free ones like AVG, Avast and NOD32 (I can however access the ones that aren't free like Norton and McAfee). As a result I can't update the definitions on AVG Free. Also there are some "pop-ups": it's attempting to use IE (my brother uses Firefox) to show pop-ups, but these errors are being shown instead:

http://i9.photobucket.com/albums/a94/Jerry003/trojanpopupscript.jpg

When the IE popup script errors came on screen I checked Task Manager, and the following processes were the virus running in the background:

msb.exe and 17067.exe

By ending them in Task Manager the popup script errors went away, but they would return every 30 minutes or so. Also the 17067.exe process took up a lot of memory usage, around 200,000 K.

I ran an AVG scan and found out the name of the virus is Trojan horse Downloader.Generic8.APEH. I typed the name of the virus into Google to find some solutions to removing it and couldn't really find anything useful.

I used AVG to move it to the virus vault and delete it, but apparently it didn't work because it's still having the symptoms, like not being able to access the AV sites and the popup script errors.

However, AVG did show the location where the virus had been installed to, and I went to that directory:

C:\Documents and Settings\Username\Local Settings\Temp

I found these files here and deleted them:

http://i9.photobucket.com/albums/a94/Jerry003/torjanhorseexefilesintemp.jpg

I'm still getting the virus symptoms, but when the pop-up script occurs there is no 17067.exe in Task Manager, just the msb.exe. As before, ending it closes the popup script error box, but it shows up again every 30 mins.

If anyone knows of a solution or program that I can use to remove the virus, it would be greatly appreciated. Thanks in advance.
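
An added triage example for the symptoms described in this post (it is not code from any poster in the thread): it records which processes are running, how much memory each uses, where its image lives, and which executables were recently written to the user's Temp folder, so the evidence is saved before anything is ended or deleted. It assumes PowerShell 2.0 or later is installed on the XP machine; the two process names are the ones Task Manager showed in the post, and the report path is a placeholder.

```powershell
# Added triage example, not code from the thread. Assumes PowerShell 2.0+ on the XP box.
# The suspect names come from the original post's Task Manager observation; the Temp
# path is resolved from the logged-on user's environment (...\Local Settings\Temp on XP).
$SuspectNames = @('msb', '17067')                 # names as Task Manager shows them, minus .exe
$TempDir      = [System.IO.Path]::GetTempPath()

function Get-ProcessTriage {
    # Lists every process with its memory use and image path, flagging the ones that
    # match the suspect names or that run from the Temp folder.
    param([string[]]$Names = $SuspectNames, [string]$Temp = $TempDir)
    Get-Process | ForEach-Object {
        $p = $_
        $path = $null
        try { $path = $p.Path } catch { }         # some system processes deny access to their path
        $fromTemp = $false
        if ($path) { $fromTemp = $path.StartsWith($Temp, [StringComparison]::OrdinalIgnoreCase) }
        New-Object PSObject -Property @{
            Name         = $p.ProcessName
            PID          = $p.Id
            WorkingSetKB = [int]($p.WorkingSet64 / 1KB)   # the "Mem Usage" column in Task Manager
            Path         = $path
            Suspicious   = ($Names -contains $p.ProcessName) -or $fromTemp
        }
    } | Sort-Object WorkingSetKB -Descending
}

function Get-TempExecutables {
    # Lists executable files recently written to the Temp folder, where AVG reported the
    # dropped files in the post, so their names and timestamps are on record before cleanup.
    param([string]$Temp = $TempDir, [int]$Days = 14)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Temp -Include *.exe, *.scr, *.dll -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $since } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

# Write both listings to a report file (placeholder path) and copy it off the machine
# before cleaning, so the AV vendor or a helper can see exactly what was running.
$report = 'C:\triage-report.txt'
Get-ProcessTriage | Where-Object { $_.Suspicious } |
    Format-Table Name, PID, WorkingSetKB, Path -AutoSize | Out-String -Width 200 | Set-Content $report
Get-TempExecutables | Format-Table -AutoSize | Out-String -Width 200 | Add-Content $report
Get-Content $report
```

The point of saving the image paths is visible in the post itself: deleting the files AVG pointed at in Temp did not stop msb.exe from coming back every 30 minutes, so knowing the full path of each running process (and whether it lives somewhere an installed program never would, such as Temp) tells a helper what is restarting it, which the process name alone does not.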

ninelven
05-29-09, 04:57 AM
On a different PC, download and burn a rescue disk:

Dr. Web: ftp://ftp.drweb.com/pub/drweb/livecd/minDrWebLiveCD-5.0.0.iso
(be sure to update and select to clean/delete files, default is log only I believe)

Avira: http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html

Kaspersky: http://ftp.kaspersky.com/devbuilds/RescueDisk/kav_rescue_2008.iso

Any one of the above should be sufficient.

Download malwarebytes (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button), superantispyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE), and comodo internet security (http://personalfirewall.comodo.com/download_firewall.html) and burn to a CD.

Once you've got that done, follow these steps:

1) Boot from CD using rescue disk of choice.
2) Update (if available), select what to do with files, run scan.
3) Reboot into windows, install Comodo (be sure to uncheck the boxes for the Ask toolbar if you don't want it).
4) If able, update both program and virus definitions (will take a long time the first time).
5) Once comodo is updated, scan, kill, and lock baddies down.
6) Once Comodo has handled its business, install malwarebytes and superantispyware.
7) *optional reboot* Scan with malwarebytes and superantispyware
8) Reboot and test system

If you are still having issues or Comodo is being constantly triggered, there is probably a rootkit.

Tutorial on Comodo: http://www.youtube.com/watch?v=jDBjsiKAYaA

To help avoid this in the future: OpenDNS (https://www.opendns.com/start/)

Should help versus established stuff; nothing can help click/download happy users against 0-day threats or bad P2P files. Well, Comodo can but they will probably just click allow there as well.

Good Luck.

Jerry_03
05-30-09, 12:32 AM
Thanks for the replies. I ran both Malwarebytes and Spybot Search and Destroy; one of the two removed the virus. Thanks again.

Mathesar
06-07-09, 11:20 AM
I've got a friend with the same virus (XP SP2) and man, it's NASTY. She already had Norton installed but it doesn't even recognize it (?!). I installed the latest Spybot, updated it, and it found over 100 problems and fixed them all; I rescanned to be sure and it showed 0 problems, yet MSB.EXE and 1508.EXE are still running in Task Manager, the computer runs extremely slow and has constant popups & script errors, and MSB.EXE is using nearly 150MB of system RAM. Gonna go back over there today with info from this thread and give it another try.. :cool:

Starscream
06-07-09, 01:49 PM
Try running Combofix followed by Smitfraudfix in safe mode.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://siri.geekstogo.com/SmitfraudFix.php

ninelven
06-07-09, 01:51 PM
Hope everything works out.

A couple of suggestions for prevention in the future:

1) Firefox + Adblock
2) Web of Trust (addon for firefox)

If the user just requires basic functionality (web, word, email, etc...), there is always Ubuntu.

You can also use an Ubuntu/Linux live CD to delete files the antivirus/antimalware can't.

Mathesar
06-07-09, 05:05 PM
Before attempting the more elaborate methods of cleaning, I decided to give Malwarebytes (free version) a try since I kept seeing this program mentioned in various forums. Well, it found 28 problems, 2 of those were memory-resident viruses including msb.exe / 1508.exe, and it was able to clean everything. I rebooted the PC and it's now clean and running much, much faster.

I guess Spybot isn't as good as I thought! Then again, this virus seemed capable of hiding itself from certain malware programs (including Norton).

Albo
08-06-09, 09:07 PM
^^^
yea Malwarebytes is the ****

TheBigOne
08-07-09, 11:08 AM
Chances of rootkits and other viruses still being on your system are great. Before cleaning your system, do a Ctrl+Alt+Del and look at your processes. If you see Reader_S or Virut win*32 running, don't bother going any further: back up your data and low-level format your drive, there is no fix.
Reason:
Unfortunately, the virus you have infects every .exe and .scr (actually an executable) file on your system, and when you scan with a virus scanner, it will normally delete it as uncleanable. Eventually you end up losing more and more files. The only viable alternative is to format the system. You will need to back up your important files before a format and reinstall, but you can not back up any .exe or .scr files, because they are infected. And as I already explained, Virut infects every exe. This means that you may not delete these files, but they should be disinfected. And since it's a buggy virus, the files cannot be properly disinfected.

Now, if you don't have this virus and are running Windows XP (if running Vista it's better to do a reload, since ComboFix or most software won't run):
1. Mount the hard drive in another machine and delete any 1256hg.exe or any weird .exe in your root directory or system32 folder, or run AVG Free and run a full scan; it will find them.
2. Put the hard drive back into your machine, then go to Safe Mode with Networking and run Malwarebytes; it should run with no problems. Do updates and do a full scan.
3. Then download and run ComboFix; it's free.
4. Then download and run a-squared Free 4.5; it does a better job than most antivirus. Do a full scan.
5. Then type MSCONFIG, look at your startup, and uncheck all unnecessary processes.
6. Boot the system into normal mode, then download and run McAfee Rootkit Detective; it looks for hidden processes.
7. Delete any temp files.
8. Your system should be fully cleaned and running well.

six_storm
08-17-09, 07:35 AM
^^^
yea Malwarebytes is the ****

+1. It's the best anti-mal/spyware program out there IMO.

For future reference, you can run Malwarebytes Anti-Malware silently every night using a batch file and the user won't even know it's running!!! I use this with all of my "pesky" problem clients. Also, run Firefox with Ad-Block and Script-Block. Make sure you show them how to use it or else they will call you every 10 seconds.
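
As an added example of the nightly silent scan six_storm describes (his own batch file is not posted, so this is not it): PowerShell that writes a small batch wrapper, which logs each run's start time and exit code, and registers it with schtasks.exe to run daily under the SYSTEM account, which needs no logged-on user and shows no window. The scanner path and its unattended-scan switch are placeholders, since the thread gives neither; use the command line the vendor documents. It assumes PowerShell on the client, an administrator prompt, and a log directory path without spaces.

```powershell
# Added example, not a poster's script. Assumes PowerShell and an administrator prompt.
# $ScannerExe and $ScannerSwitch are placeholders: substitute the vendor-documented
# command line for an unattended scan. $LogFile's directory must contain no spaces
# because the wrapper path is passed to schtasks /tr unquoted.
$ScannerExe    = 'C:\Program Files\YourScanner\scanner.exe'   # placeholder path
$ScannerSwitch = '/silent'                                    # placeholder switch
$LogFile       = 'C:\ScanLogs\nightly-scan.log'
$TaskName      = 'NightlyMalwareScan'

function Install-NightlyScan {
    param([string]$Exe = $ScannerExe, [string]$Switches = $ScannerSwitch,
          [string]$Log = $LogFile, [string]$Name = $TaskName,
          [string]$Time = '02:00')   # XP's schtasks documents /st as HH:MM:SS; adjust if it rejects HH:MM
    $logDir = Split-Path -Parent $Log
    if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

    # Batch wrapper: records when the scan started and what exit code the scanner
    # returned, so the next day you can confirm it actually ran rather than trusting silence.
    $wrapper = Join-Path $logDir 'run-scan.cmd'
    @"
@echo off
echo %DATE% %TIME% start >> "$Log"
"$Exe" $Switches
echo %DATE% %TIME% exit code %ERRORLEVEL% >> "$Log"
"@ | Set-Content -Path $wrapper -Encoding ASCII

    # Replace any earlier copy of the task, then register it to run daily as SYSTEM.
    schtasks.exe /delete /tn $Name /f 2>&1 | Out-Null
    schtasks.exe /create /tn $Name /tr $wrapper /sc daily /st $Time /ru SYSTEM
}

Install-NightlyScan
schtasks.exe /query /tn $TaskName   # confirm the task exists and shows the next run time
```

Two checks are worth keeping in this setup: the log line with the exit code, because a scanner that is silently failing every night looks identical to one that is silently succeeding, and the schtasks /query at the end, because a task registration error is easy to miss when the whole point is that nothing is shown to the user.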