Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Rogue Antivirus
#11
  • Step 16

    Open Notepad.

    Copy (Ctrl +C) and paste everything in the quote box below:

    Quote:@echo off
    pushd\windows\system32\drivers\etc
    attrib -h -s -r hosts
    echo 127.0.0.1 localhost>HOSTS
    attrib +r +h +s hosts
    popd
    del %0

    In the Notepad interface, go to File > Save As.

    Specify the file name as reset.bat or anything you wish however using the same file extension.

    Change Save As Type to All Files and save the file to your desktop.

    Now double-click on reset.bat located at your desktop to run the batch file. It will self-delete when completed.
  • Step 17

    Please set Windows Vista to show both hidden and system files and folders so that you can find specific files to delete.
    • Click Start and navigate to Control Panel.
      If you are in Classic View:
      1. Click on Folder Options
      2. On the View tab, uncheck the following:
        • Hide file extensions for known file types
        • Hide protected operating system files (Recommended)
      3. Click Yes on the warning message.
      4. Under Hidden files and folders, check Show hidden files and folders.
      5. Click Apply to All Folders.
      6. Click OK.
      • If you are in Control Panel Home View:
        1. Click on Appearance and Personalization > Show Hidden Files or Folders.
        2. On the View tab, uncheck the following:
          • Hide file extensions for known file types
          • Hide protected operating system files (Recommended)
        3. Click Yes on the warning message.
        4. Under Hidden files and folders, check Show hidden files and folders.
        5. Click Apply to All Folders.
        6. Click OK.
    Note: I will give you instructions for hiding them again once your system seems clean.
  • Step 18

    We need to do a quick check.
    • Go to 'VirusTotal'.
    • Click Browse.
    • Copy and paste the exact file name(s) in bold (if there are more than one file listed, please open multiple tabs) to the address bar located on top of the new window that appeared:
      • c:\windows\system32\deployJava1.dll
        c:\windows\system32\usbaaplrc.dll
        c:\windows\system32\flash_player.exe
        c:\windows\system32\drivers\gkfgefdi.sys
        c:\windows\system32\drivers\TsUsbFlt.sys
    • Click Open > Send File.
    • Copy and paste back the link(s) to the result(s) once VirusTotal has finished scanning the file.
  • Step 19

    Please download ComboFix from one of the following locations:

    'Link 1'
    'Link 2'

    **IMPORTANT!**

    Let me give you a warning beforehand. I am instructing you to use one of the most powerful removal tool created. A simple mistake of running ComboFix without a helper's advice might render your machine unbootable. Do note that the steps below are crucial for the success of the clean-up you are currently undergoing. If by any chance you failed to meet any of them, I can almost guarantee a dreadful occurrence happening. See to it that you read the instructions first up to the very end and follow them accordingly after to ensure the best possible performance.
    • Save ComboFix to your desktop.
    • Disable your anti-virus and anti-spyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix. If you have difficulty properly disabling your protective programs, refer to 'this' link.
    • Double-click ComboFix.exe and follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery or repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

      [Image: RcAuto1.gif]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

      [Image: whatnext.png]

    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Reminders:
  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
  3. ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
  4. ComboFix prevents autorun of all CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you - please tell me.
  5. ComboFix disconnects your machine from the Internet. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  • In your next post, please provide the following:
    • A Fresh HijackThis (HJT) Log
    • ComboFix Log
    • Doesn't Do Squat (DDS) Logs
      • DDS.txt
      • Attach.txt
    • VirusTotal Results
  • Code:
    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Link To Requested Logs: [/b]
#12
Step # 16
Problems Encountered: N/A

Step # 17
Problems Encountered: N/A

Step # 18
Problems Encountered: N/A

Step # 19
Problems Encountered: BSOD upon opening.

Link To Requested Logs:
#13
Edit: Just got another Rogue Antivirus pop-up. This is getting really damn frustrating... Sad
#14
  • Step 20

    Please run HijackThis as an administrator. Click Do a system scan only and place a check next to the following line(s) if present:

    F2 - REGConfusedystem.ini: UserInit=userinit.exe
    O4 - HKLM\..\Run: [cftmon] C:\Windows\system32\gvjhu.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [D1T2EUR7FZ] C:\Windows\TEMP\Lbe.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [D1T2EUR7FZ] C:\Windows\TEMP\Lbe.exe (User 'Default user')


    Then, close all other open windows and click Fix Checked. You are to reboot your system afterwards.

    If you are having a problem running HijackThis as an administrator (Windows Vista and Windows 7), please follow the steps below.
    • On your desktop, right-click the HijackThis icon and select Properties.
    • Navigate to the Compatibility tab and put a check on the Run this program as an administrator box.
    • Click Apply > OK.
    • HijackThis should prompt you to run it as an administrator every time you open it.
  • Step 21

    Please download the OldTimer's Move-It (OTM) from 'here'.
    • Save it to your desktop.
    • Please double-click OTM.exe to run it.
    • Copy the lines inside the Code box below to the Clipboard by highlighting all of the content and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes
      explorer.exe

      :Files
      c:\windows\system32\gvjhu.exe
      c:\windows\temp\Lbe.exe
      c:\users\tyler\appdata\roaming\8BD3CBF1A238C722473BB8C7B3E545D4
      c:\users\tyler\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
      c:\windows\system32\drivers\gkfgefdi.sys

      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTM, right-click in the Paste Instructions for Items to be Moved window and choose Paste.
    • Click the red MoveIt! button.
    • Copy everything in the Results window to the Clipboard by highlighting all of the content and by pressing CTRL + C (or, after highlighting, right-click and choose Copy).
    • Paste it in your next reply.
    • Close OTM.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the moving process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start > All Programs > Accessories > Notepad) and click File > Open. In the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest log file present. Copy and paste the contents of that document back here in your next post.
  • Step 22

    Please download OldTimer ListIt (OTL) from 'here'. Please click the Go (Arrow Button) or press Enter in the URL address bar to start the download.
    • Save it to your desktop.
    • Please double-click OTL.exe to run it.
    • Make sure all other windows are closed to let it run uninterrupted.
    • Under the Custom Scan box paste this in:

      Code:
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
      %systemroot%\system32\*.sys
      %systemroot%\system32\drivers\*.dll
      %systemroot%\system32\drivers\*.ini
      %systemroot%\system32\drivers\*.exe
      %SYSTEMDRIVE%\*.*
      %PROGRAMFILES%\*.
      %appdata%\*.*
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      disk.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      usbstor.sys
      /md5stop
      CREATERESTOREPOINT
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows.
      • OTL.txt
      • Extras.txt
    • These are saved in the same location as OTL.
    • Please copy (Right-click > Select All > Copy) the contents of these files, one at a time, and post it with your next reply.
  • In your next post, please provide the following:
    • A Fresh HijackThis (HJT) Log
    • ComboFix Log
    • Doesn't Do Squat (DDS) Logs
      • DDS.txt
      • Attach.txt
    • OTL Log
    • OTM Log
  • Format of Response

    Code:
    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Step # [/b]
    [b]Problems Encountered: [/b]

    [b]Link To Requested Logs: [/b]
  • Comments:
    • Try running ComboFix by running this in the Run prompt: "%userprofile%\desktop\combofix.exe"
    • If you get another BSOD, please do so in Safe Mode.
#15
C:\Users\Tyler\desktop\combofix.exe

Application not found


I have it on my desktop named as ComboFix.exe
#16
Proceed to Safe Mode then.
#17

I get this when I try opening ComboFix. Ran it as Administrator, still the same result.

Should I execute steps 20-22 or is ComboFix a priority?
#18
Well they were labeled for a reason. Roflmao Please do the previous fixes first. Tell me when you are at the ComboFix part once again.
#19
I somehow got ComboFix to run in Safe Mode. Now it says to disable AntiVir Desktop, but I don't see it in my System Tray nor the task manager.
#20
Open Notepad. Copy and paste the content below.

Code:
@echo off
sc stop AntiVirSchedulerService
sc stop AntiVirService
del %0

Save it, and run it as an administrator.


Possibly Related Threads…
Thread Author Replies Views Last Post
  Vista security 2011 Rogue anti-virus help! Mr. Jewtastic 8 3,338 05-08-2011, 07:46 PM
Last Post: Quintus

Forum Jump:


Users browsing this thread: 7 Guest(s)