xp 2012 fake anti virus removal-urgent

Status
Not open for further replies.
http://www.bleepingcomputer.com/download/anti-virus/rkill

Use that tool to kill off any virus processes running in the background (use your old infected user account when doing this). Follow the instructions (i.e. DO NOT REBOOT when the tool is finished until after running another standalone scanner, including Malwarebytes and a regular AV program).

Also run combofix http://www.bleepingcomputer.com/download/anti-virus/combofix

Had this same problem (though with a different company's fake AV) on the computers at church I maintain as their volunteer IT admin.

Order of removal:
Rkill, then combofix, then scan with Malwarebytes, and finally a scan with your AV program of choice (I'd recommend MSE or Avast).

Simply abandoning the old account won't remove the problem; it will just (hopefully) quarantine it.
 
Thanks for all of your help on this. I am still using my original user ID. I did set up a second user ID but have not done anything or run any repairs with that ID. So far here is what I have done, all under my original user ID:

System restore back to Dec. 14th

Installed and ran my new AVG paid subscription AV, nothing found

Downloaded Malwarebytes on a flash drive, ran it, nothing found

Ran a full Super AntiSpyware scan this morning, it found 68 spyware/harmful files and it also found 5 files that were "critical harmful malware" or something to that effect. It also called to have a reboot on the computer for the files to be completely eliminated. I was not able to tell what kind of files the critical files were. Here is a copy of the scan, the 5 critical files are at the bottom:


I ran Malwarebytes again 2 hours ago, it did not find anything this time either.

So far today I have no suspicious or odd activity when using my computer and I have yet to see the fake virus popups again. I know that does not mean they are not still here. They are on this computer somewhere. I am going to use the tools you guys recommended in the last 2 posts and see how that goes.

Again, thank you very much for helping me with this. I do appreciate it. I will post back after running Rkill and the other tools.
 
If you haven't done so, make sure to update all the software like Windows, browser, Java, Flash, antivirus, malware scanners, etc., and set your browser security settings to block or ask for your permission before allowing things to run.
 
Originally Posted By: wkcars
If you haven't done so, make sure to update all the software like Windows, browser, Java, Flash, antivirus, malware scanners, etc., and set your browser security settings to block or ask for your permission before allowing things to run.


THIS!

My guess, since you mentioned the gold shield with the exclamation point in the task bar, is that your OS is NOT fully patched.

@Jimmy:

Once you are clean go to Windows Update and check for all new patches. Download them five at a time, and create a restore point for each set of downloads.

Are you using XP sp3? If not you need to be.
 
Thanks again for all of your help on this. I did as instructed, downloaded rkill first. Could not get it to run on my computer, I guess the malware was keeping it from running so I saved it on a flash drive and ran it from there. Here is the screen print of what rkill did:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/18/2011 at 13:16:24.
Operating System: Microsoft Windows XP
Processes terminated by Rkill or while it was running:
Rkill completed on 12/18/2011 at 13:16:46.

Then I ran combofix, I did not see any result screens or anything from it.

Then I ran MalwareBytes again and boy did it find the nasties on my computer. It found ten malicious programs running on my computer, and killed all of them. Here is the scan log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8391

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/18/2011 2:36:11 PM
mbam-log-2011-12-18 (14-36-11).txt

Scan type: Full scan (C:\|)
Objects scanned: 220831
Time elapsed: 1 hour(s), 0 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hidec.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Then I ran a new scan with AVG, it came back and said it found and removed a file called Trojanhorsegeneric26.ASUP.

Then I went to MS Updates and downloaded 5 new updates but the site said none of them were a high priority. I know I do have SP3 on this computer. It is set now to do the MS updates every night at 3:00 am.

Then after the updates installed I let Microsoft restart the computer. I think the bugs are gone. Computer is working fine right now and there are no error or caution messages from AVG or Microsoft in my task bar.

I think my computer is OK now but I am no expert. Do you guys here think I should run Hijack This just to be sure? If so, would you be willing to check the scan log when it is done?

Thanks to all of you who pitched in here and helped me out on this. I would have had no idea how to fix this problem if it were not for you guys here helping me. I do appreciate it very much.
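The ten "Security.Hijack" keys in the Malwarebytes log above are all under Image File Execution Options (IFEO): a Debugger value placed there makes Windows launch the rogue program instead of the named tool, which is why cmd.exe, regedit.exe, rstrui.exe and even ComboFix.exe were blocked without being deleted. The following script is an added example, not code from the thread or from Malwarebytes: it parses a log in the format quoted above, lists the IFEO-hijacked images, and cross-checks the summary counts against the detail sections (the sample log and the regular expressions are my own assumptions about the format, taken from the lines posted).

```python
import re

# Registry key prefix under which Windows looks up per-image "Debugger" values.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")

SUMMARY_RE = re.compile(r"^(?P<cat>[\w ]+ Infected): (?P<n>\d+)$")  # "Registry Keys Infected: 10"
HEADER_RE = re.compile(r"^(?P<cat>[\w ]+ Infected):$")               # section header, no count
DETAIL_RE = re.compile(r"^(?P<item>.+?) \((?P<det>[^()]+)\) -> (?P<act>.+)$")

# Constructed sample: a shortened copy of the log format quoted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
Registry Keys Infected: 3
Files Infected: 0

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe (Security.Hijack) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

def parse_mbam_log(text):
    """Split a log into summary counts and per-section (item, detection, action) tuples."""
    summary, detail, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["cat"]] = int(m["n"])
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m["cat"]
            detail[current] = []
            continue
        m = DETAIL_RE.match(line)
        if m and current is not None:  # "(No malicious items detected)" never matches
            detail[current].append((m["item"], m["det"], m["act"]))
    return {"summary": summary, "detail": detail}

def ifeo_hijacks(parsed):
    """Image names whose IFEO key was flagged: a Debugger value there makes Windows
    start the 'debugger' instead of the named program, so the tool is blocked
    without ever being deleted from disk."""
    return [(item[len(IFEO_PREFIX):], det)
            for item, det, _ in parsed["detail"].get("Registry Keys Infected", [])
            if item.lower().startswith(IFEO_PREFIX.lower())]

def summary_matches_detail(parsed):
    """Each summary count should equal its section's line count; a mismatch
    points to a truncated or hand-edited log before you trust it in a thread."""
    return all(len(parsed["detail"].get(cat, [])) == n
               for cat, n in parsed["summary"].items())
```

Feed the full posted log to `parse_mbam_log` and `ifeo_hijacks` returns all ten image names (attrib.exe through swsc.exe); `summary_matches_detail` confirms the "Registry Keys Infected: 10" line agrees with the detail section.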
 
Make sure your firewall settings have not been altered by the virus.

Open Windows Firewall and uncheck all exceptions, then disable Remote Assistance.
 
Re-installing the OS would be the most secure option, IMO. It probably would have been quicker and easier to do that right from the start.

If something unexpected happens while on the internet, don't ever click anything. Shut the program down or even yank the plug.
 
I don't have a CD of my OS. And when this malware stuff started popping up on my screen last night it all happened so fast I did not know what had hit me. I did not click on any of it or fall for the bogus "your computer is infected with 23 different viruses and trojans" messages either, but I did not turn off my computer because I did not know if the rogue stuff would automatically install itself on my computer if I did shut down.

The malware programs and rogue anti virus all ran right over the free version of MSE anti-virus/spyware/malware that I was using. Also I had removed Malwarebytes from my computer just 2 or 3 days ago. I had been running a free trial of MWB that also included a free trial of MWB Pro Edition. It had just ended; I removed it and was going to go back and reinstall the regular free MWB but had not done it yet when I got hit with this stuff yesterday. MWB probably would have stopped it cold or at least kept me off the web page where I picked it up. I am a big believer in MWB now though.

So far though I think the AVG I bought is a pretty good program. It seems to be working well and is not slowing my computer down. If anything the computer seems a bit faster now. Maybe that is because the rogue and malware junk is gone now, I have no idea.

Many thanks again to everyone who helped me with this.
 
One thing that you can't stress enough is that when you are offered Windows Update security patches, DOWNLOAD THEM ASAP!

If you are not good about manually updating on a regular basis just set WU to automatic download and install.

A LOT of malware like this can still get by security suites IF MS's own patches are not also installed as well!
 
Originally Posted By: rpn453
Re-installing the OS would be the most secure option, IMO. It probably would have been quicker and easier to do that right from the start.

If something unexpected happens while on the internet, don't ever click anything. Shut the program down or even yank the plug.


This...I had a problem with a drum forum I visit that gets hacked and usually Google warns me...as well as Avira AV. But the last time I visited, Google failed to warn me but Avira started popping up all these virus warnings.

I reinstalled Windows and all is well and Avira removed all the problems.

I wish folks would find something better to do than mess up people's computers.
 
Originally Posted By: Jimmy9190
Thanks again for all of your help on this. I did as instructed, downloaded rkill first. Could not get it to run on my computer, I guess the malware was keeping it from running so I saved it on a flash drive and ran it from there. Here is the screen print of what rkill did:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/18/2011 at 13:16:24.
Operating System: Microsoft Windows XP
Processes terminated by Rkill or while it was running:
Rkill completed on 12/18/2011 at 13:16:46.

Then I ran combofix, I did not see any result screens or anything from it.

Then I ran MalwareBytes again and boy did it find the nasties on my computer. It found ten malicious programs running on my computer, and killed all of them.

Then I ran a new scan with AVG, it came back and said it found and removed a file called Trojanhorsegeneric26.ASUP.


Glad to hear it worked. That's why I recommended Rkill. I've dealt with the fake AV nonsense and it behaves exactly as you've discovered. It hides very well until you use Rkill to terminate the active malware processes, and then once you run Malwarebytes and your AV, all of a sudden BOOM! Look at all these entries.

Combofix may or may not have done anything to help your computer. It certainly wouldn't have harmed it which is why I recommended running it.

I would also recommend running the System File Checker utility for Windows.
 
Thanks again for your help on it. My computer seems to be doing fine now. I used to run a daily Super AntiSpyware scan, and did that yesterday, the scan finished and when I came back to my computer I had a message from AVG saying it had found the same trojan again. I was worried something was still going on, so I did another scan with MWB and AVG last night and it came back clean. I did a spyware/malware specific scan with AVG tonight, it found 73 different spyware applications and cookies. I removed SAS and now will just use MWB and AVG exclusively.

My computer is now running about as fast as it did without AVG, and so far I have not had any tell-tale symptoms that any of that fake AV junk or any other malware is still here. I guess time will tell but so far, so good since yesterday.

Many thanks for your help and to all here who helped me on this.
 
Hi,
Good to hear you have it working again. The only advice I would offer is make sure you research the exact virus you have and make sure you follow all the procedures to clean that particular virus.

My friend recently had a similar Trojan that was also a root-kit so we had to do the scan with a recovery disk but also had to go in and rebuild the Master Boot Record since the virus had modified that. We also had to replace some system files that were infected. Root-kits are very difficult to detect and clean so again, make sure you study and follow all the procedures to get rid of your specific virus or else it might just crop up again...
 