Anti Virus Pro 2009 (Malware) Grrrrrrr! [Archive] - Glock Talk


Chad Landry
11-11-2008, 21:07
Well, my wife done clicked the wrong popup again. This time none of the anti-malware programs will run, and it has my "System Restore" disabled.

Any time I try to run any of the programs, "Malwarebytes", "Superantispyware", "HiJackThis", or "ComboFix", none will run except for "HiJackThis", and it comes back showing that everything is fine.

I even deleted McAfee (again), because it was running in safe mode.

This crap did something to my registry to where I can't even run any of these programs in safe mode.

I'm about to reformat and reinstall Windows (again). Sigh.

I told my wife that this is the last time, and that next time she can learn this stuff for herself.

I download these programs on my laptop, then transfer them via memory stick to the desktop PC, and they won't run on it.

She's pretty sure she clicked "OK" on a popup that asked if she wanted to fix her spyware problem.

Blitzer
11-11-2008, 21:13
NOD32 will kill the critters, I am slowly moving every PC from Zone Alarm Internet suite to NOD32. It works on a Pent 2 laptop with 128MB of RAM! Mighty tough software too.

B. Somm
11-11-2008, 21:19
She's pretty sure she clicked "OK" on a popup that asked if she wanted to fix her spyware problem.

One of those damn things got me the other day! :steamed:

I had to restart my computer several times before I could get my Spyware stuff up & running.

When I got the popup, I clicked cancel as I didn't recognize the "program" that was informing me that my computer was infected with spyware. It started downloading its "fix" anyway. Locked up my computer.

Things seem to be running ok now. The only sites that I had gone to were my AOL mail, GT in the Outpost Forum and Photobucket. There was also a Flash Player update that kept coming up when I got my computer back up. Pissed me off royally!

B. :sigh:

Chad Landry
11-11-2008, 21:26
Downloading NOD32 now, Blitzer. I'll try anything to keep from having to do another reformat on that machine.

srhoades
11-11-2008, 21:29
It's pretty easy to disable in the registry
hkey local machine > software > microsoft > windows > current version > run
and hkey current user "" "" "" ""

Once you remove those entries, restart and go into safe mode with networking (so Malwarebytes can update if needed). Malwarebytes should remove it. I should know, I just removed it about 2 hours ago from a customer's computer.

If your wife is prone to this behaviour, you can purchase the paid version of Malwarebytes; it then runs as active protection and catches it in the act.

Chad Landry
11-11-2008, 21:41
It's pretty easy to disable in the registry
hkey local machine > software > microsoft > windows > current version > run
and hkey current user "" "" "" ""

Once you remove those entries, restart and go into safe mode with networking (so Malwarebytes can update if needed). Malwarebytes should remove it. I should know, I just removed it about 2 hours ago from a customer's computer.

If your wife is prone to this behaviour, you can purchase the paid version of Malwarebytes; it then runs as active protection and catches it in the act.

I found several different lists of registry values to delete on different sites, and couldn't find any of the listed values in the registry.

Once I've done running Blitzer's recommendation, I'll try it again.

So far the NOD32 has found zero threats although the malware popups keep popping up.

srhoades
11-11-2008, 21:42
I would give combofix a whirl too. It's pretty effective.

Also, if you have a linux live cd you can just delete the program in the program files entry. It's usually called AV09 or XPAV09 or even all spelled out.

ppcrusa
11-11-2008, 21:48
It doesn't matter if she clicked OK, Cancel, or even the red X at the top of the popup. At that point it was infected anyway. That Antivirus 2009 crap has caused me more heartache and pain than any other infection I've run across at work. It all boils down to going to shady sites and hunting down that next "Freebie" or discount. I feel for ya.

Chad Landry
11-11-2008, 21:48
I have on "Local Machine".../run/optional components/ (then 4 sub folders)

/imail

/mapi

and

/msfs

Under current user, I have "run" with six items under it.

Do I just delete the entire "run" folder?

ppcrusa
11-11-2008, 21:50
I would give combofix a whirl too. It's pretty effective.

Also, if you have a linux live cd you can just delete the program in the program files entry. It's usually called AV09 or XPAV09 or even all spelled out.

Yeah but the newest variant of that scum sucking malware also downloads friends to come and play too. Usually in the form of trojans. They immediately load up into processes and download yet more. It is like a giant snowball effect, except in this case it is brown and it stinks.

srhoades
11-11-2008, 22:09
I have on "Local Machine".../run/optional components/ (then 4 sub folders)

/imail

/mapi

and

/msfs

Under current user, I have "run" with six items under it.

Do I just delete the entire "run" folder?


No, don't delete any of those. If you just click run, the entries will be on the right. Look for one that is starting the offending program.

Chad Landry
11-11-2008, 22:10
No, don't delete any of those. If you just click run, the entries will be on the right. Look for one that is starting the offending program.

I have no way of knowing which one is starting the offending program, as they are not named anything near av2009, or any variant thereof.

tantrix
11-11-2008, 22:16
.....

Chad Landry
11-11-2008, 22:19
NOD32 went through the entire scan and found nothing.

I'm gonna uninstall it and then run Avast. That's what I have on my personal machine.

James Markov
11-11-2008, 22:21
Same thing happened here - Spybot, AVG, and finally Commadore firewall helped. Also CCleaner is nice...

Chad Landry
11-11-2008, 22:21
srhoades, I have under "Current User/..../run/ four items

Default Reg_sz (value not set)

brastk reg_sz c:windows/system32/brastk.exe

ctfmon.exe reg_sz c:windows/system32/ctfmon.exe

svchost.exe reg_sz c:windows/system32/drivers/svchost.exe

tantrix
11-11-2008, 22:23
Here ya go cj...try it.

1) Go to Start>Run and type in "msconfig".
2) Go over to the tab named "Startup" and click disable all. Reboot.
3) Download Avast Home, Spybot, and Adaware. Install and update all 3.
4) Reboot and hit F8 during startup. Select "start computer in safe mode" and hit enter.
5) Do a thorough scan with all 3 of the programs above...Avast 1st, Spybot 2nd, and Adaware 3rd.
6) Report back. :supergrin:

Chad Landry
11-11-2008, 22:25
NOD32 found nothing, but now I notice that the malware prevents NOD32 from downloading updates.

Chad Landry
11-11-2008, 22:29
Here ya go cj...try it.

1) Go to Start>Run and type in "msconfig".
2) Go over to the tab named "Startup" and click disable all. Reboot.
3) Download Avast Home, Spybot, and Adaware. Install and update all 3.
4) Reboot and hit F8 during startup. Select "start computer in safe mode" and hit enter.
5) Do a thorough scan with all 3 of the programs above...Avast 1st, Spybot 2nd, and Adaware 3rd.
6) Report back. :supergrin:

<---- slaps head

I forgot about msconfig.

I just ran it like that and used system restore. Rebooting now. Next I'll see what happens with Malwarebytes.

Of course, there were so many programs in startup that were hiding from me in other places.

Thanks for that advice, Tantrix. I think this may get it!

BAILIFF
11-11-2008, 22:30
brastk.exe is the problem. http://answers.yahoo.com/question/index?qid=20081008184112AAjxZa1

Minuteman
11-11-2008, 22:30
http://www.bleepingcomputer.com/malware-removal/remove-antivirus-pro-2009

srhoades
11-11-2008, 22:33
Also get rid of that svchost. Svchost runs from system32, not system32/drivers

Dragoon44
11-11-2008, 22:38
Save yourself a lot of grief. Reload Windows and, as soon as everything is installed and set up the way you want it, get Acronis True Image Home. Create a backup image of the drive, then create a boot disk. Store the image on a USB drive.

Next time she clicks the wrong thing, fixing it is as simple as booting from the rescue disk, connecting the USB drive and restoring the pristine image. All done in short order with no muss, no fuss.

Chad Landry
11-11-2008, 22:45
http://www.bleepingcomputer.com/malware-removal/remove-antivirus-pro-2009


That was my very first attempt, Minuteman. This malware is obviously newer than that fix.

Chad Landry
11-11-2008, 22:48
Even with everything off in startup, from msconfig, it's blocking all access to those sites, and it blocks the software from running when I load it from my memory stick.

This is one seriously bad ass new malware version.

Chad Landry
11-11-2008, 22:51
I ran "HiJackThis" and made a log.

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:47:51, on 11/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
E:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200607764671
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: karna.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 3106 bytes
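The Run values Chad typed out earlier (a value named brastk, and an svchost.exe sitting under system32\drivers, which srhoades notes is the wrong place) and the "O20 - AppInit_DLLs: karna.dat" line in this log are exactly the kind of thing a small checker can flag on sight. The script below is an added example written for this thread, not code posted by anyone here and not part of HijackThis; the sample Run values and log lines are retyped from the posts above, and the list of known-bad file names contains only names that appear in this thread.

```python
"""Flag suspicious autostart entries of the kind discussed in this thread.

Constructed example, not a tool from the thread. It checks two artefacts:
1. Values under ...\CurrentVersion\Run as typed out in the posts: a value whose
   file is a known component (brastk.exe), or a familiar Windows binary such as
   svchost.exe that does not live in %SystemRoot%\system32.
2. HijackThis log lines: a non-empty "O20 - AppInit_DLLs:" entry (karna.dat in
   the posted log) means that DLL is loaded into every process that uses user32.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Only legitimate home of the real Service Host binary (compared case-folded).
SYSTEM32 = r"c:\windows\system32"
# File names the thread itself identifies as parts of this infection.
KNOWN_BAD_NAMES = {"brastk.exe", "karna.dat", "antiviruspro2009.exe", "avp2009.exe"}
# System binaries whose names malware likes to borrow when dropped elsewhere.
IMPERSONATED = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# O4 body looks like: HKLM\..\Run: [MSConfig] C:\WINDOWS\...\MSConfig.exe /auto
O4_BODY = re.compile(r"(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)")
# Leading program path of a command line (quotes optional), stopping at the extension.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|cpl|dat))"?(?:\s|$)', re.I)


@dataclass
class Finding:
    source: str  # the entry that triggered the finding
    reason: str  # why it is suspicious


def normalize_path(p: str) -> str:
    """Case-fold and repair the hand-typed form used in the thread (c:windows/system32/x)."""
    p = p.strip().strip('"').replace("/", "\\").lower()
    if re.match(r"^[a-z]:[^\\]", p):  # "c:windows\..." -> "c:\windows\..."
        p = p[:2] + "\\" + p[2:]
    return p


def check_run_value(name: str, path: str) -> list[Finding]:
    """Check one Run value (value name -> command) against the two patterns above."""
    norm = normalize_path(path)
    directory, _, base = norm.rpartition("\\")
    src = f"Run\\{name} = {path}"
    findings: list[Finding] = []
    if base in KNOWN_BAD_NAMES or name.lower() in KNOWN_BAD_NAMES:
        findings.append(Finding(src, f"{base} is a known component of this infection"))
    if base in IMPERSONATED and directory != SYSTEM32:
        findings.append(Finding(src, f"{base} runs from {directory or '<no path>'}, expected {SYSTEM32}"))
    return findings


def check_hijackthis_line(line: str) -> list[Finding]:
    """Check one HijackThis log line; O4 (Run keys) and O20 (AppInit_DLLs) matter here."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].strip()
        if dlls:
            return [Finding(line.strip(), f"AppInit_DLLs loads {dlls} into every process that maps user32.dll")]
        return []
    if code == "O4":
        m4 = O4_BODY.match(body)
        mexe = EXE_RE.match(m4.group("cmd")) if m4 else None
        if mexe:
            return check_run_value(m4.group("name"), mexe.group("exe"))
    return []


def scan(run_values, hjt_lines) -> list[Finding]:
    """run_values: (name, type, data) triples as read off regedit; hjt_lines: log text lines."""
    findings: list[Finding] = []
    for name, _reg_type, data in run_values:
        findings.extend(check_run_value(name, data))
    for line in hjt_lines:
        findings.extend(check_hijackthis_line(line))
    return findings


# Sample input retyped from the posts above (constructed test data, not live telemetry).
RUN_VALUES = [
    ("(Default)", "reg_sz", "(value not set)"),
    ("brastk", "reg_sz", "c:windows/system32/brastk.exe"),
    ("ctfmon.exe", "reg_sz", "c:windows/system32/ctfmon.exe"),
    ("svchost.exe", "reg_sz", "c:windows/system32/drivers/svchost.exe"),
]
HJT_LINES = [
    r"O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto",
    r"O20 - AppInit_DLLs: karna.dat",
    r"O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe",
]

if __name__ == "__main__":
    for f in scan(RUN_VALUES, HJT_LINES):
        print(f"{f.reason}\n    <- {f.source}")
```

On the sample data it reports three findings (brastk.exe, the misplaced svchost.exe, and karna.dat) and stays quiet on ctfmon.exe, the MSConfig entry and the HP service.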

itisbruno
11-11-2008, 23:19
http://www.bleepingcomputer.com/malware-removal/remove-antivirus-pro-2009

Did you try minuteman's suggestion?

Minuteman
11-11-2008, 23:25
That was my very first attempt, Minuteman. This malware is obviously newer than that fix.

It's dated 11/4/08. There's also registry and associated file info at the bottom. That's how I got rid of it.

There are several other versions at the top right, i.e. pro antivirus, ultra antivirus, etc.

Altaris
11-11-2008, 23:26
Here ya go cj...try it.

1) Go to Start>Run and type in "msconfig".
2) Go over to the tab named "Startup" and click disable all. Reboot.
3) Download Avast Home, Spybot, and Adaware. Install and update all 3.
4) Reboot and hit F8 during startup. Select "start computer in safe mode" and hit enter.
5) Do a thorough scan with all 3 of the programs above...Avast 1st, Spybot 2nd, and Adaware 3rd.
6) Report back. :supergrin:

I got that virus about 2 months ago. It was a huge pain in the butt, then I basically did this and it worked fine. Start up in safe mode, ran Adaware and Spybot and my problem was gone. I don't think it is possible to get rid of this one if you don't start in safe mode and run the antivirus programs from there.

Chad Landry
11-12-2008, 00:06
Keep the suggestions coming, please. I'm leaving it alone for the rest of the night, and I'll start on it again in the morning.

franklin
11-12-2008, 00:17
CJ - I got this virus a month ago. It took me 3 days to get rid of it. Spybot was the best fix but it took 3 or 4 programs to fully get rid of it. I'm only guessing but it seems like the virus has something built in to block the spyware fixes. At first my system would start to scan and then lock-up. Single commands were taking 2-3 minutes to execute. You have to keep trying and beat it down. Running Spybot in safe mode with networking is the best start. AdAware from Lava Soft is good also.

Good Luck

tantrix
11-12-2008, 03:47
The real stubborn ones that are hard to get rid of are usually because they manage to keep launching processes in the background, and unless those processes are shut down, they can't completely be removed because the files are in use when you run antivirus/spyware removal utilities. You have to literally get the OS to the bare minimum...only the processes running that the OS needs to function, then they can be removed.

I haven't had to format a drive due to viruses or spyware in quite a few years, due to the newer software doing a pretty good job nowadays...but I must say some of them are quite a headache to remove manually.


Here's some more things you can try. All of this you should do from safe mode.

Look for any traces of these folders & files on your system and delete them:

(Delete only the stuff in bold)

C:\Program Files\AntivirusPro2009\AntivirusPro2009.exe
C:\Program Files\AntivirusPro2009\AntivirusPro2009.cfg
C:\Program Files\AntivirusPro2009\AVEngn.dll
C:\Program Files\AntivirusPro2009\htmlayout.dll
C:\Program Files\AntivirusPro2009\pthreadVC2.dll
C:\Program Files\AntivirusPro2009\Uninstall.exe
C:\Program Files\AntivirusPro2009\wscui
C:\Program Files\AntivirusPro2009\data


And, if you find any files going by these names, delete them also:

AVP2009.exe
AntivirusPro2009.exe
AntivirusPro2009.lnk
UninstallAntivirusPro2009.lnk
avp2009.cpl
avp2009.dat
AVP20091.dat



Now, click Run and type "Regedit" and hit enter.

Look for any of these registry entries and delete them:

HKEY_CURRENT_USER\Software\AntiVirus
HKEY_CURRENT_USER\Software\AVP2009
HKEY_CLASSES_ROOT\.key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Antivirus”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Antivirus”

SavageDragon
11-12-2008, 06:06
Download Malwarebytes (it's free) from malwarebytes.org and run it. It gets rid of it like magic.

Blitzer
11-12-2008, 06:13
Sorry you got bit, I am overwhelmed that NOD32 didn't fix your issues, terribly sorry. I can only hope the bug doesn't hit here!

shootin-blanks
11-12-2008, 06:15
Download Malwarebytes (it's free) from malwarebytes.org and run it. It gets rid of it like magic.


** two thumbs up for Malwarebytes.. I use it almost every other day, to clean machines.. I put the EXE on my site, so clients could find it..
download mbam-setup.exe
http://www.snoyes.net/utils/

Minskin85
11-12-2008, 06:48
Here ya go cj...try it.

1) Go to Start>Run and type in "msconfig".
2) Go over to the tab named "Startup" and click disable all. Reboot.
3) Download Avast Home, Spybot, and Adaware. Install and update all 3.
4) Reboot and hit F8 during startup. Select "start computer in safe mode" and hit enter.
5) Do a thorough scan with all 3 of the programs above...Avast 1st, Spybot 2nd, and Adaware 3rd.
6) Report back. :supergrin:
Thank you, that got rid of about 3 years of junk :wavey:

It's pretty easy to disable in the registry
hkey local machine > software > microsoft > windows > current version > run
and hkey current user "" "" "" ""

Once you remove those entries, restart and go into safe mode with networking (so Malwarebytes can update if needed). Malwarebytes should remove it. I should know, I just removed it about 2 hours ago from a customer's computer.

If your wife is prone to this behaviour, you can purchase the paid version of Malwarebytes; it then runs as active protection and catches it in the act.
Malwarebytes! +1
Download Malwarebytes (it's free) from malwarebytes.org and run it. It gets rid of it like magic.
Malwarebytes! +1
** two thumbs up for Malwarebytes.. I use it almost every other day, to clean machines.. I put the EXE on my site, so clients could find it..
download mbam-setup.exe
http://www.snoyes.net/utils/
Malwarebytes! +1

SKeefe
11-12-2008, 07:38
Download Malwarebytes (it's free) from malwarebytes.org and run it. It gets rid of it like magic.

** two thumbs up for Malwarebytes.. I use it almost every other day, to clean machines.. I put the EXE on my site, so clients could find it..
download mbam-setup.exe
http://www.snoyes.net/utils/


Malwarebytes! +1

Malwarebytes! +1

Malwarebytes! +1

In the OP he states that he has run MalwareBytes and that it is not finding anything.

That was going to be my suggestion as well since I have used it to successfully remove the problem in the past, but then I read the thread and noticed that it didn't work for him.

keyser
11-12-2008, 08:01
Wouldn't it take care of it without losing any information if you put in your operating system disk and did a repair reinstall?

Daps
11-12-2008, 08:06
+1 use Malwarebytes, that should get it. You can also try SuperAntispyware, but I find Malwarebytes often finds more... do the scans in normal and safe mode.

Grab SDfix, it has to be run from safe mode...

Edit*
Just saw he said Malwarebytes didn't work. Did you get the latest definitions and run it in normal and safe mode?

Go ahead and get SDfix and see how that works... someone mentioned combofix also, which is another good one.

G30Jack
11-12-2008, 08:31
You have to replace your beep.sys with a clean copy from the same service pack level.

Once you do that, boot into safe mode and kill BRASTK.EXE and KARNA.DAT

Search the registry and delete all references to brastk.

I just did this Friday night on my daughter's computer. It worked.

Just found this:


http://net-studio.org/application/brastk.php

Chad Landry
11-12-2008, 08:35
The problem is that this latest upgrade to the malware is completely blocking ANY anti-malware/anti-spyware from running. They simply won't execute, even in safe mode or with everything in startup disabled through msconfig.

This one kept me up late last night, and it's probably gonna keep me busy for a while this morning.

Thanks for all the suggestions.

I told my wife and kids to avoid clicking any popups and to ease off on the free online games sites, but they didn't listen. This is the second time I've gone through this on that particular machine. Hopefully Avast will prevent such crap from happening again, because that's the program I plan to use from now on. McAfee sucks.

PDogSniper
11-12-2008, 08:40
It doesn't matter if she clicked OK, Cancel, or even the red X at the top of the popup. At that point it was infected anyway. That Antivirus 2009 crap has caused me more heartache and pain than any other infection I've run across at work. It all boils down to going to shady sites and hunting down that next "Freebie" or discount. I feel for ya.

Crap, not too long after I read this thread a Windows icon for updates on spyware popped up. I updated but didn't reboot right away. Not too long after, a box popped up and said I wasn't protected and needed to download a program... I closed the box but now I'm wondering... :upeyes:

I've since rebooted and so far haven't seen a problem so I'm wondering if the pop-up was due to me not rebooting...

Sandbag
11-12-2008, 08:43
Try SunbeltSoftware's VIPRE. The free trial will kill it. I work there.

You can also get tech support while using the trial. They have the
best virus/malware techs in the US.

Great product/ Incredible Service!

Chad Landry
11-12-2008, 09:10
Try SunbeltSoftware's VIPRE. The free trial will kill it. I work there.

You can also get tech support while using the trial. They have the
best virus/malware techs in the US.

Great product/ Incredible Service!


I wish you'd posted sooner. I just ran repair from the XP disc, and now the computer won't boot at all. Gonna have to reformat and reinstall everything.

Thanks for coming in.

Dragoon44
11-12-2008, 10:01
You're probably better off doing the reformat and reinstall anyway. When you get something that causes that many problems, the computer seldom runs right afterward, even if you do get rid of it.

If the hard drive on that desktop is a Maxtor or a Seagate hard drive, you can download free utilities from Seagate to make sure you do not have to do this again.

Both utilities have a freeware version of Acronis True Image home in them.

MaxBlast 5.0

http://www.seagate.com/support/maxblast/MaxBlastSetup.en.exe


Seagate Disc Wizard

http://www.seagate.com/www/en-us/support/downloads/discwizard/discwizard-eula

itisbruno
11-12-2008, 10:32
Thanks Dragoon, that is handy to have... I've never "imaged" my home PCs, but will give those utilities a try.

Chad Landry
11-12-2008, 10:51
The sad thing is that I was able to discover that the malware was first installed at 16:30 yesterday, and I started working to find a fix just over an hour later. It got in fast and did a lot of damage fast.

I've reformatted and started reloading hardware drivers. It's working now. The first thing I loaded was Avast. Now I'm gonna load that imaging software so I can show my wife how to back it up. I'm gonna do the same with my work computers and my other home computers.

I'm glad this happened before I left the country again. I'd have hated to have her shut down for an entire month, because she'd have never known what to do.

Thanks for the help and suggestions, everyone.

Remember, if you see a popup that says your computer is infected with malware or spyware, don't click on it. It can cause serious problems.

PDogSniper
11-12-2008, 11:21
Remember, if you see a popup that says your computer is infected with malware or spyware, don't click on it. It can cause serious problems.

Ummm, I think I did today... Like I said, the box came up when I ran Windows update for protection. I'm hoping it came up because I didn't reboot right away... :upeyes:

What problems are you having so I know what to look for?

I'm running Spybot, AVGfree, Spyware Terminator and ZoneAlarm...

MtBaldy
11-12-2008, 11:23
Remember, if you see a popup that says your computer is infected with malware or spyware, don't click on it. It can cause serious problems.

Good advice.

Make sure you also load Spybot S&D or Adaware and run Avast! and your spyware tool weekly. A lot of spyware won't announce itself but just start collecting data and sending it home.

I wouldn't use the DriveImage for backup. Get all your apps and drivers loaded and make sure everything is running well then image it. I would put the image on a bootable CD and not a flash drive but that's just me. Good luck.

P.S. The image may be too big for one CD, but I think DriveImage will do multiple volumes.

Smokin23
11-12-2008, 11:34
Ahhh, I just had to remove this 3 days ago for a customer. It's the "brastk.exe" that is causing it. Had to remove it in safe mode from both c:/windows as well as c:/windows/system32. There are 2 files in each. Once you delete the 4 files it will get rid of the error and will also allow you to install/run Spybot, HijackThis, and AVG to remove the registry traces.


Of course now I can't find the blog for it. Ugh.

Chad Landry
11-12-2008, 11:57
Ummm, I think I did today... Like I said, the box came up when I ran Windows update for protection. I'm hoping it came up because I didn't reboot right away... :upeyes:

What problems are you having so I know what to look for?

I'm running Spybot, AVGfree, Spyware Terminator and ZoneAlarm...

The most obvious symptom is a popup from the system tray that says "Your computer is infected. Click here to fix this. (Something along those lines)"

Every time you click it, you authorize more infections to your system. Eventually you'll get popups coming up every minute, in front of your screen, no matter what you're doing. It will drive you insane.

I've fixed this problem on four machines before now (two for friends), but this time it completely kicked my butt!

I have now loaded Malwarebytes on all of my machines, and I purchased it so I'll have real time protection to keep my wife and/or kids from doing that again. It starts when Windows starts, updates automatically, and looks out for that BS as it happens. I'm also running Avast!, so I'm pretty sure I'll be protected from having it hit me again.

speedracer815
11-12-2008, 12:07
My favorite freebies are www.antivirus.com (go to Free Tools and run HouseCall) and SuperAntiSpyware.

Sandbag
11-12-2008, 12:10
I wish you'd posted sooner. I just ran repair from the XP disc, and now the computer won't boot at all. Gonna have to reformat and reinstall everything.

Thanks for coming in.

I REALLY like the idea of creating a good image just after installing Windows and getting your personal settings tweaked. I also like to partition the hard drive with just a 10, 15 or 20 gig partition just for the OS. Keep all your data and installed software on the other partition. Makes for easy replacement of the ghost image.

Try Vipre. It should block those installations from happening. Worst-case scenario, they will connect you with an expert malware removal tech that will give you the proper instructions on how to deal with any malware. These guys sit around all day playing with infections. They have a "whole house" license which allows you to install on every computer you own... with tech support. GREAT TECH SUPPORT!

TODDPT945
11-12-2008, 12:33
I used malwarebytes to get rid of this when a guy at work got it. You have to run it in safe mode though.

Dragoon44
11-12-2008, 13:19
Another good freeware program for preventing malware from installing itself is WinPatrol. It will block any new startup program from running until you approve it or tell it to continue blocking it.

It will provide you with information on what is trying to run, where the file is located and who the author of the software is.

http://www.winpatrol.com/download.html

I have been using it for years and it has saved me a lot of grief.

Dirty Dealer
12-08-2008, 00:54
:crying: I feel for you.

Chad Landry
12-08-2008, 00:57
:crying: I feel for you.

Well, that's all ancient history, and I'm in Kuwait today. It's all gonna be OK. :wavey:

MyGlockRocks19
12-08-2008, 01:03
I just dealt with the same problem...wouldn't let AV update, kept Spybot from running...my fix was to lock down my internet connection, disable anything that didn't look kosher in windows startup, re-install Zone Alarm and spybot, and run every scan under the sun. Woo boy, the things I found...trojans and hi-jacks and mal-ware, Oh MY!

2 days later, everything seems to be running smoothly...still scanning twice a day just to be safe.

From the number of people that are posting something similar to this, looks like there's a new round of fun out on the interwebs... don't people have anything better to do than code this crap?

Jdog
12-08-2008, 02:00
I had the same thing happen. I did some research (on my other working PC... lol) and $30 later it was fixed. So if you happen to have $30 burning a hole in your pocket: www.spysweeper.com downloads and wipes it. (Google the spysweeper kim komando 2yr for 1yr coupon code.) This spysweeper program has caught other junk trying to sneak in past my piece of junk Norton antivirus as well.

just my .02

Krysis22
12-08-2008, 02:30
Ifn you insist on using Windoze, then check out Deersoft for your firewall and

Kaspersky(Ruskie shudder) as an AV they both work quite well

Better yet..go Mandriva or ManDrake as an operating system:cool:


Seriously, they ain't as scary as some might imply.

Download and cut a few CDs.

They install themselves seamlessly.

HTH :wavey:

Rager
12-08-2008, 05:53
I used malwarebytes to get rid of this when a guy at work got it. You have to run it in safe mode though.
Mmm, I ran Malwarebytes, the free v, it found and deleted immediately, 2 items and placed two (different) items in quarantine. (this was a 4 weeks ago. I'm the only user on this machine and it's been up for 10 months now.)

Now, 2 weeks ago, my "Avantaquest System Suite 8 Professional" , the action of getting AV updates failed due to a couple of missing items. -head smack-

I'm looking for anyone with similar problems, not necessarily a solution. merge.cfg and helper.dll (according to Avantquest) are missing.

I've taken the two quarantined items out, and looked over the log files to find the 'other' two registry items removed. I think they were false positives anyway. And it's entirely possible that the Avantaquest has a bug too. I'd trust them as far as I can throw them.

I'm looking for ideas and I'll sort exactly whether those log entries can be reinserted into the registry. (I have another virgin install, I'll load it (System Suite) there and take a look.)

I've already "repaired" the System Suite install which also, doesn't necessarily mean anything. -groan-

IndyGunFreak
12-08-2008, 06:37
Ifn you insist on using Windoze, then check out Deersoft for your firewall and

Kaspersky(Ruskie shudder) as an AV they both work quite well

Better yet..go Mandriva or ManDrake as an operating system:cool:


Seriously, they ain't as scary as some might imply.

Download and cut a few CDs.

They install themselves seamlessly.

HTH :wavey:

Linux is a good suggestion, but it's not gonna work for everyone. Without knowing his hardware, what he uses the PC for, etc., it might just be an exercise in frustration. There's a lot of good distributions, many better than Mandriva IMHO. If I was formatting, etc. as often as it sounds CJ is, I'd be making a switch for sure.

CJ.. Glad you got it figured out. I've not dealt w/ this virus yet, but I've heard it's a nasty one.

IGF

dwhite53
12-08-2008, 06:52
I run Linux for this very reason. Most of this malware crap is written for Microsoft Windows based machines. Yeah, I can't play most of the hot new games that come out, but I've never been a heavy gamer. I can, though, do 95% of what I want to on my machine with a very slim chance of getting anything.

Running Windows is almost like going into battle with a target painted on your back.

All the Best,
D. White

jhall
12-08-2008, 08:58
I know this thread is old, but I just saw it as someone brought it back up. A buddy asked me to fix a comp that had the same problem. I couldn't do anything. I tried every suggestion here but it kept anti-spyware from running just as you said. I ended up just doing a format and reinstall. Should have done it from the beginning, as I spent a good two days on it before doing the format..

srhoades
12-08-2008, 10:07
Use combofix, but rename it first.

Chad Landry
12-09-2008, 03:58
Linux is a good suggestion, but it's not gonna work for everyone. Without knowing his hardware, what he uses the PC for, etc., it might just be an exercise in frustration. There are a lot of good distributions, many better than Mandriva IMHO. If I was formatting, etc. as often as it sounds CJ is, I'd be making a switch for sure.

CJ... Glad you got it figured out. I've not dealt w/ this virus yet, but I've heard it's a nasty one.

IGF

That particular PC is just a cheap one on which the wife and kids can play, and all their stuff is Windoze based.

I don't have the problem with my computers, because I only visit a few sites online, and they're not typically the sort of sites that would let such a bug get through.

I have installed the pay version of Malwarebytes on their PC, and so far it has kept it from happening again. The pay version has a "watchdog" running that keeps an eye out for such things, and it automatically updates.

I hope that will keep this from ever happening again, on top of repeatedly telling the wife and kids to NOT click on popups, but to use the toolbar, right click, CLOSE feature to get them off the desktop, and to get the hell off the site that forced the popup through the blocker in the first place.

kayakinack
12-09-2008, 04:32
Some genius got that on one of our work computers, yet we can't download stuff to fix it. Hell, I'm not a computer know-it-all, but I can follow a guide. But I would not be able to. And tech support is non-existent. We had a computer go with no monitor for 6 months. Ugh...

B. Somm
03-02-2009, 16:25
And back from last year...the av2009 thread! :wow:


A friend of mine possibly has this virus on her computer. I sent her a link to this thread, but once she is in "safe mode", how does she return her computer to normal... just restart?

B. :headscratch:

P.S. She says that her '9' key will keep typing even after she is no longer pushing it. Any idea if that is part of the virus or a virus?

Chad Landry
03-02-2009, 16:52
I wish I could help, dear, but I'd have to be there to see what's happening. Even then, I'm a pee-wee league player compared to many of the guys here.

bumblefoot2004
03-02-2009, 16:54
I have on "Local Machine".../run/optional components/ (then 4 sub folders)

/imail

/mapi

and

/msfs

Under current user, I have "run" with six items under it.

Do I just delete the entire "run" folder?

NO! You're talking about the entries in the OptionalComponents sub-folder right? Those entries are added when you install MS Office. Please state what the file names are in your Run key.

MavsX
03-02-2009, 16:56
I hate that BS... I've had some employees with that crap on their machines... and we don't run as an admin... we make them run as a user... I hate that fake ***** program...

bumblefoot2004
03-02-2009, 17:10
Well, my wife done clicked the wrong popup again. This time none of the anti-malware programs will run, and it has my "System Restore" disabled.

Any time I try to run any of the programs, "Malwarebytes", "Superantispyware", "HiJackThis", or "ComboFix", none will run except for "HiJackThis", and it comes back showing that everything is fine.

I even deleted McAfee (again), because it was running in safe mode.

This crap did something to my registry to where I can't even run any of these programs in safe mode.

I'm about to reformat and reinstall Windows (again). Sigh.

I told my wife that this is the last time, and that next time she can learn this stuff for herself.

I download these programs on my laptop, then transfer them via memory stick to the desktop PC, and they won't run on it.

She's pretty sure she clicked "OK" on a popup that asked if she wanted to fix her spyware problem.

If you want to know EVERYTHING that loads when Windows boots, click here:

http://download.sysinternals.com/Files/Autoruns.zip
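Added example, not from the thread and not part of Sysinternals Autoruns: a PowerShell check that lists the Run/RunOnce keys asked about above and flags entries whose executable is missing, lives in a user-writable folder, or is not Authenticode-signed, so you can see what belongs before deleting anything. The folder list and the signature heuristic are assumptions for illustration, not a rule; a flag means "look closer", not "malware".

```powershell
# Added example (not from the thread): enumerate the Run keys discussed above and
# flag entries that deserve a closer look before anything gets deleted.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: legitimate startup programs rarely live here, user-level malware often does.
$suspectDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")

function Get-ImagePath {
    param([string]$Command)
    # Recover the executable path from a Run value: quoted path first, else first token.
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ImagePath ([string]$p.Value)))
        $flags = @()
        if (-not (Test-Path -LiteralPath $exe)) {
            $flags += 'missing file'
        } elseif ($suspectDirs | Where-Object { $_ -and ($exe -like "$_\*") }) {
            $flags += 'user-writable dir'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
        }
        [PSCustomObject]@{
            Key   = $key
            Name  = $p.Name
            Image = $exe
            Flags = ($flags -join ', ')
        }
    }
}
```

Run it from a normal PowerShell prompt; entries with an empty Flags column are the ones that are at least where they claim to be and signed, which is what the OptionalComponents answer above is getting at.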

Glock20 10mm
03-02-2009, 17:17
Don't use Internet Exploder. Use Mozilla Firefox with NoScript and the pop-up pain goes away, and IF a pop-up does make it through, Firefox will NOT allow auto execute. If you insist on using Windows then at least use better software than what comes with it. I make a lot of $$$ on the side fixing Windows... and the people I convert to Linux, I rarely if ever hear from them. Read my sig...

Chad Landry
03-02-2009, 17:27
NO! You're talking about the entries in the OptionalComponents sub-folder right? Those entries are added when you install MS Office. Please state what the file names are in your Run key.

It's been a long time since I made the original post. Sorry, but I ain't reloading the malware/virus so that I can see the file names.

Chad Landry
03-02-2009, 17:29
Don't use Internet Exploder. Use Mozilla Firefox with NoScript and the pop-up pain goes away, and IF a pop-up does make it through, Firefox will NOT allow auto execute. If you insist on using Windows then at least use better software than what comes with it. I make a lot of $$$ on the side fixing Windows... and the people I convert to Linux, I rarely if ever hear from them. Read my sig...

Me and my family have used nothing but Firefox for a few years now. Firefox doesn't block all popups. I wish it did, but I have personally seen these little popups come through with no action on Firefox's part.

I hate IE and I love Firefox.

Regarding Linux, I'm usually home for a few days at a time, and I don't have the time to learn it, load it, and teach it to my wife and kids.

My road computers are corporate laptops, so I'm stuck with the OS the company provides me, which is Windoze.

Chad Landry
03-02-2009, 17:30
B. Somm, I'm thinking you should start a new thread, because every time this one comes to the top, people start responding to the original post from several months ago.

TBO
03-02-2009, 17:38
Sandboxie is a nice little program that can prevent big headaches.
It creates a sandbox web browser (IE by default, but you can run any program sandboxed, so you can run FF).
When you download something it's in sandbox (virtual world) and when you close out sandboxie, everything that was downloaded through sandboxie disappears (unless you specify to save it, termed "recovery").

antipop
03-02-2009, 17:49
Two other freewares that I've had success with are Spybot search & destroy and Adware.

What it didn't catch were the viruses loaded onto emails from classmates.com; two of my users opened the emails and loaded some password-stealing virus on it.

Wouldn't go away until I removed the registry entries and changed their passwords.

Ffolkes
03-02-2009, 20:27
Is Vista any better with these evil masquerading antivirus programs out there? All the infections I've seen were on XP.

Chad Landry
03-02-2009, 20:42
Is Vista any better with these evil masquerading antivirus programs out there? All the infections I've seen were on XP.

MS is about selling new OS's, not about preventing problems.

I'd say that Vista wasn't conceived with security in mind.

PeterJasonMN
03-02-2009, 21:00
Someone kept saying Malwarebytes. I put it on a jump drive, ran my old Gateway in Safe Mode, and it won't even LOAD the Malwarebytes program. You double-click, the little hourglass pops up, then nothing happens.

mike7465
03-02-2009, 21:24
Ubuntu: I am a believer. They were right. Get it installed and get on with life without having to deal with MS problems.

reptiman
03-02-2009, 21:41
I got it...I finally gave up trying to get rid of it and used it as an excuse to upgrade my 5 year old machine.

Good Luck (in case you haven't fixed it). I didn't read all 3 pages.

Ffolkes
03-02-2009, 22:02
Does it seem weird that this bug, seemingly written by really expert programmers with advanced knowledge of viruses, can be cured by sending $24.95 to various companies founded and staffed by really expert programmers with advanced knowledge of viruses?

I just wonder who works for who sometimes when these things are released on the net.

paperairplane
03-02-2009, 22:12
Someone kept saying Malwarebytes. I put it on a jump drive, ran my old Gateway in Safe Mode, and it won't even LOAD the Malwarebytes program. You double-click, the little hourglass pops up, then nothing happens.

This is the right answer. However, it knows what Malwarebytes is and prevents it from running. You will need to rename the program something else (example.exe); then it will install. However, it will then not run unless you rename the program also (example2.exe); then let it run in safe mode. Run it 2 or 3 times, then run some others as well: SuperAntiSpyware, Search & Destroy, etc.

This is a nasty and persistent bug.

PeterJasonMN
03-03-2009, 00:10
Tried that as well.

.264 magnum
03-03-2009, 00:15
Great topic.

PeterJasonMN
03-03-2009, 00:19
I renamed the file "Fixit****er" and it ran up to the point of the end install screen, now it's crapped out.

spotco2
03-03-2009, 00:36
Run it again.

I used it to remove this one from a couple of computers and one I had to install 6 or 7 times before it completely installed.

I've always thought that the guys that write the anti-virus software are the same guys that write the virus and send it out.

PeterJasonMN
03-03-2009, 00:38
It fully installed, but now it won't run.


What's weird is AVG took it off this computer though.

bumblefoot2004
03-03-2009, 13:56
It's been a long time since I made the original post. Sorry, but I ain't reloading the malware/virus so that I can see the file names.

I wasn't saying for you to run the malware files. I was talking about, if the program files were already running, then using Task Manager to see the names of the files. I'm very familiar with the names of Windows' core operating system files, so I would be able to tell which files do not belong. My sister got hit with Antivirus Pro 2009 when her 12-year-old son downloaded some free games. It was a pain cleaning her computer because her son downloaded and installed a LOT of games.

Have you been able to eradicate the malware yet?

bumblefoot2004
03-03-2009, 14:06
MS is about selling new OS's, not about preventing problems.

I'd say that the Vista wasn't conceived with security in mind.

Actually, Microsoft stated that Vista was designed to be more secure. The problem is, the UAC would pop up for just about anything and ask you if you really wanted to do this/that. The UAC was so annoying the first thing people asked about Vista was how to disable the UAC so it wouldn't treat you like you're retarded. Vista sucks big time, that's why PC Magazine and PC World recommended you upgrade by installing XP Pro. Vista is a big turd, I'm scared to see what Windows 7 will be like... :dunno:

bumblefoot2004
03-03-2009, 14:16
12345