
Fsqwr Virus

Discussion in 'Virus & Other Malware Removal' started by marshadelaney, Jan 25, 2011.

Thread Status:
Not open for further replies.
  1. marshadelaney

    marshadelaney Thread Starter

    Joined:
    Jan 25, 2011
    Messages:
    5
    My desktop has been infected with a virus called Fsqwr. How do I get rid of it? I can't go on the internet from my desktop because it's taken over. I'm working from my laptop. What can I do to get rid of it? Help!
     
  2. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Can the Desktop connect to the internet? What exactly happens?
     
  3. marshadelaney

    marshadelaney Thread Starter

    Joined:
    Jan 25, 2011
    Messages:
    5
    No. The "System Tool" screen pops up like it's running a system check. A little box also comes up that says, "Application cannot be executed. The file aswUpd.sv.exe is infected."
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    OK, let's try the following :-

    Step 1

    Boot into safe mode with networking :-

    Re-boot PC and continuously tap the F8 key until you see the Windows Advanced Menu, from the available options select "Safe Mode with Networking"

    Step 2

    Check for proxy server settings in your browser, the following are the most commonly used.

    Internet Explorer:
    Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". ok, apply (only if applicable), ok.

    Firefox:
    Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.

    Chrome:
    Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.

    Safari
    • Launch Safari
    • Go to general settings menu
    • Then in Preferences/ Advanced
    • Then on line click Proxies change settings ...
    • Click Internet Options, then click the Connections tab, click Network Settings.
    • Disable option (uncheck) for the use of proxy server ...

    Step 3

    Please download Rkill and save to your Desktop.
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If you get an alert from HDD that RKill is a threat, leave that alert open and re-run RKill again.
    Do not re-boot your system after steps 1 or 2.

    Step 4

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    Alternative D/L mirror
    Alternative D/L mirror

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Let it boot into Normal mode then run Malwarebytes again as above.

    Post both logs from Malwarebytes in your reply.

    Kevin
     
  5. marshadelaney

    marshadelaney Thread Starter

    Joined:
    Jan 25, 2011
    Messages:
    5
    Hi, Kevin. Thank you so very much. It looked like it worked, but then when I restarted under "normal" mode, the same damned thing came up. Any suggestions as to what to do now? Should I try running Rkill and Malwarebytes from my desktop again, but in normal mode? Thanks.
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya,

    Boot into safe mode with networking again then as follows :-

    Step 1

    Please download Rkill and save to your Desktop.
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If you get an alert from the rogue that RKill is a threat, leave that alert open and re-run RKill again.

    Step 2

    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    Combofix

    Don't forget Combofix must be saved to your desktop, do not save to or run from anywhere else. <--Very important

    Before saving Combofix to the Desktop re-name to Gotcha.exe as below:

    [​IMG]

    Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

    Please include the C:\ComboFix.txt in your next reply for further review.

    Examples of how to disable realtime protection available at the following link :-

    Disable realtime protection

    Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the log from Combofix in your reply.

    Kevin
     
  7. marshadelaney

    marshadelaney Thread Starter

    Joined:
    Jan 25, 2011
    Messages:
    5
    Okay. Actually, while I was waiting, I went ahead and initiated another quick scan with Malwarebytes in safe networking mode, and it found two more things and got rid of them. I think the problem was that it said the version I downloaded was 35 days out of date, so it downloaded a more current version. I'm in normal mode right now and (keeping my fingers crossed), it looks like the problem is gone. I hope! If not, I will continue with what you just sent me.

    Thank you SO much for your help. I really appreciate it. I'm pasting my logs here (now that I can).

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5604

    Windows 6.0.6001 Service Pack 1 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    1/25/2011 4:30:07 PM
    mbam-log-2011-01-25 (16-30-07).txt

    Scan type: Quick scan
    Objects scanned: 150556
    Time elapsed: 2 minute(s), 55 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gIaAoOg10600 (Rogue.SystemTool) -> Value: gIaAoOg10600 -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\programdata\giaaoog10600\giaaoog10600.exe (Rogue.SystemTool) -> Quarantined and deleted

    gistry Data Items Infected: 2
    Folders Infected: 1
    Files Infected: 8

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\6BTOP2GA8A (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\HJRUDZ5DT2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\SaveDefense (Rogue.SaveDefense) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\ere94fe5o32 (Trojan.FakeAV) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSIVXserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wpusozoqocefuwej (Trojan.Hiloti.Gen) -> Value: Wpusozoqocefuwej -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Agent) -> Value: Shell -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20091618 (Rogue.Multiple) -> Value: 20091618 -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxmrmmwy (Trojan.FakeAlert.Gen) -> Value: mxmrmmwy -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jmtjnasm (Trojan.FakeAlert.Gen) -> Value: jmtjnasm -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vpqdcnvr (Trojan.FakeAlert.Gen) -> Value: vpqdcnvr -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwwvjjfp (Trojan.FakeAlert.Gen) -> Value: rwwvjjfp -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fnpcxgjw (Trojan.FakeAlert.Gen) -> Value: fnpcxgjw -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwawpbte (Trojan.FakeAlert.Gen) -> Value: dwawpbte -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fdregkqy (Trojan.FakeAlert.Gen) -> Value: fdregkqy -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HJRUDZ5DT2 (Trojan.FakeAlert) -> Value: HJRUDZ5DT2 -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Virus Protector (Rogue.VirusProtector) -> Value: Virus Protector -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ifddtmdh (Trojan.FakeAlert.Gen) -> Value: ifddtmdh -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uwigihikiciluc (Trojan.Agent.U) -> Value: Uwigihikiciluc -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Bad: (85.255.112.91,85.255.112.85) Good: () -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AE2288C0-0B3A-4D50-81BB-66442F43639C}\NameServer (Trojan.DNSChanger) -> Bad: (85.255.112.91,85.255.112.85) Good: () -> Quarantined and deleted successfully.

    Folders Infected:
    c:\programdata\20091618 (Rogue.Multiple) -> Quarantined and deleted successfully.

    Files Infected:
    c:\Users\Marsha\AppData\Local\m419132.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
    c:\Users\Marsha\local settings\m419132.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
    c:\Users\Marsha\local settings\application data\m419132.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
    c:\Users\Marsha\AppData\Roaming\microsoft\internet explorer\quick launch\savedefense.lnk (Rogue.SaveDefense) -> Quarantined and deleted successfully.
    c:\Windows\System32\msivxcount (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Users\Marsha\AppData\Local\ixajaxakuqejako.dll (Trojan.Agent.U) -> Quarantined and deleted successfully.
     
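The two Malwarebytes logs above are read by hand in this thread; the following is an added example (not from the thread or from Malwarebytes) of a small Python triage script for that 1.50-era log layout. It pulls each detection line apart into location, detection name and any "Bad: (...)" values, then separates the entries a helper checks first: traffic-redirecting settings (the ProxyServer and NameServer entries that Kevin's Step 2 proxy check targets) and autostart locations. The log text in it is a constructed sample in the same layout, with RFC 5737 test addresses standing in for real DNS-changer values.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes 1.50 log layout posted in this thread (names illustrative, IPs are RFC 5737 test addresses)
SAMPLE_LOG = """\
Registry Values Infected:
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell (Trojan.Agent) -> Value: Shell -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer (Trojan.DNSChanger) -> Bad: (192.0.2.10,192.0.2.11) Good: () -> Quarantined and deleted successfully.

Files Infected:
c:\\programdata\\giaaoog10600\\giaaoog10600.exe (Rogue.SystemTool) -> Quarantined and deleted successfully.
"""

# Detection line: "<location> (<detection name>) -> <details> -> <action>."
LINE_RE = re.compile(r"^(?P<loc>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# Settings that redirect traffic; re-check them by hand even after MBAM reports them deleted
NETWORK_KEYS = ("\\proxyserver", "\\nameserver")
# Autostart locations; if these come back after a reboot, the dropper is still active
PERSISTENCE = ("\\run\\", "\\runonce\\", "\\winlogon\\shell", "\\tasks\\", "\\services\\")

def parse_mbam_log(text):
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        m = LINE_RE.match(line)
        if not m or section is None:
            continue  # blanks, "(No malicious items detected)", summary header
        bad = re.search(r"Bad: \(([^)]*)\)", m.group("rest"))  # DNSChanger-style entries
        entries.append({
            "section": section,
            "location": m.group("loc"),
            "detection": m.group("name"),
            "bad_values": [v for v in bad.group(1).split(",") if v] if bad else [],
        })
    return entries

def triage(entries):
    loc = lambda e: e["location"].lower()
    net = [e for e in entries if loc(e).endswith(NETWORK_KEYS)]
    auto = [e for e in entries if e not in net and any(p in loc(e) for p in PERSISTENCE)]
    return {"families": Counter(e["detection"] for e in entries), "network": net, "persistence": auto}
```

Feeding the real log posted above through `parse_mbam_log` works the same way; the "network" list is the part to verify manually afterwards, since a deleted NameServer value leaves the adapter's DNS setting to be confirmed rather than restored.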
  8. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    That log from MB is in Safe mode, can you run again in Normal mode? and show the log, I think you've nailed it.....
     
  9. marshadelaney

    marshadelaney Thread Starter

    Joined:
    Jan 25, 2011
    Messages:
    5
    I ran it in normal mode and it didn't detect any malicious items. Yeah! Thank you. You rock :) Here is the log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5604

    Windows 6.0.6001 Service Pack 1
    Internet Explorer 8.0.6001.18702

    1/25/2011 5:05:26 PM
    mbam-log-2011-01-25 (17-05-26).txt

    Scan type: Quick scan
    Objects scanned: 153099
    Time elapsed: 8 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  10. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    You want to run the following scan, see the state of play with Java, Adobe and your security system etc...

    Download Security Check by screen317 from HERE or HERE.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Kevin...
     
Short URL to this thread: https://techguy.org/976914