Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Rogue Antivirus
#1
1. My issues are:

My friend was over at my house, and he said that Antimalware Doctor (the infection) "randomly popped up". I believe he downloaded something, but he won't admit to it. Anyways, I'm in Safe Mode with Networking right now, running an MBAM scan. I will update this with the other scans in a few minutes. My streak of 6 years being free of any serious malware has been ruined. Sad

Edit: It looks like I'm in the clear of the Rogue Antivirus. My computer is a lot slower than it usually is, though.

Edit 2: I guess I'm not fully cleansed. While I was running the DDS scan, my antivirus was prompted with a malicious attack, and then another Rogue Antivirus appeared. Also, Firefox crashed and I got a blue screen telling me that my drivers were corrupted. I didn't get a full view of it, but my computer restarted. My current state of machine is still infected with a Rogue Antivirus. The logs below were before the second virus.

2.My MBAM log:

http://tinypaste.com/0bac73


3.My HJT log:

http://tinypaste.com/99d41

#2
Greetings,

Whilst I am in the process of scrutinizing your complete set of provided logs for any possible infections or problems, I ask for your forbearance. Understand that the process of analysis requires time and careful examination hence the need for a cautious response. Accuracy is of the essence. Once I come across infections, I shall present the finest methods of removal for your convenience.

In return for this service, I propose to you two conditions:
  1. You are not to create any new threads regarding the similar topic as it will waste another helper's time.
  2. You are not to install any new software in your system, as it may hinder our process thus making this futile.
In accordance to my terms, I also ask of you five things, stated below:
  1. You are not to modify the logs in any way. Failure to do so will instantly deprive you of this service.
  2. You are to paste each log separately at PasteBin as it is. That is correct, no syntax highlighting, no editing - just the log purely. Post back the links for each log. You shall not hide them under spoiler codes.
  3. You are to provide the complete set of requested logs.
  4. You are to respond to every step I ask you to do using the format provided at the end of my post.
  5. You agree that I have the right to discontinue the analysis at any time, upon a violation of a single rule.
Provided that you will continue with this service, you hereby agree to the above statements. If you deem the conditions are portraying equality, I will willingly perform the analysis without further delay. Should you have any concerns or problems with the above conditions, or if you feel that I have overlooked your log, do inform me through a Private Message by clicking 'this'.

Thank you.

Genuinely yours,
Quintus
  • Pre-Step

    Click 'here' to download Temp File Cleaner by OldTimer. Save it to your Desktop.
    • Close any open windows.
    • Double-click TFC.exe and select 'Run' when prompted to execute the program. It will close all open programs itself in order to run.
    • Click the Start button to begin the cleaning process.
    • Please let the program run uninterruptedly.
    • Once the cleaning has been done, your computer should automatically reboot. Otherwise, please do so when it does not.
  • Prerequisite

    If you are having a problem running HijackThis as Administrator, please follow the steps below.
    • Go to My Computer and navigate to your default disc drive (C: is the most common).
    • Go to Program Files > Trend Micro > HijackThis.
    • Right-click HiJackThis.exe and run it as Administrator.
  • Step 1

    Please download RKill.
    • Please chose "iExplore.exe" and save it to your Desktop.
    • Double-click the file for it to stop any process associated with the rogue program.
    • When done, a prompt will automatically close.

      "If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Antimalware Doctor when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Antimalware Doctor. So, please try running RKill until the malware is no longer running. If you continue having problems running RKill, you can download the other renamed versions of RKill from the Rkill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab. Do not reboot your computer after running RKill as the malware programs will start again."
  • Step 2
    • Please download Malwarebytes' Anti-Malware 'here'.
    • Double-click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to 'Malwarebytes' Anti-Malware' and 'Launch Malwarebytes' Anti-Malware', then click 'Finish'.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Full Scan', then click 'Scan'. The scan may take some time to finish, so please be patient.
    • When the scan is complete, click 'OK', then 'Show Results' to view the results.
    • Make sure that everything is checked, and click 'Remove Selected'.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.
    • The log is automatically saved by Malwarebytes' Anti-Malware and can be viewed by clicking the 'Logs' tab in the interface.
    • Copy and paste the entire report in your next reply.
  • Step 3

    Please run a free online scan with ESET Online Scanner by downloading ESET Smart Installer 'here'. Save it to your Desktop.
    • Double-click esetsmartinstaller_enu.exe to execute the program.
    • Tick 'YES, I accept the Terms of Use'.
    • Click 'Start'.
    • If this is your first time installing the scanner, allow the 'ActiveX Control' to install.
    • Database download may take some time.
    • When done, make sure that the option 'Remove found threats' is ticked. Under the and 'Advanced Settings', please put a check on the following options:
      • Scan for potentially unwanted applications
      • Enable Anti-Stealth Technology
    • Click 'Start'.
    • Wait for the scan to finish.
    • Once it is finished, use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt.
    • Copy and paste that log as a reply to this topic.
  • Step 4

    Download DDS.scr by sUBs from one of the following links and save it to your Desktop.

    'Link 1'
    'Link 2'
    • Double-click on DDS.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear, DDS.txt and Attach.txt.
    • A window will open instructing you save and post the logs. Save the logs to a convenient place such as your Desktop.
    • Copy the contents of both logs and post in your next reply.
  • In your next post, please provide the following:
    • A Fresh HijackThis (HJT) Log
    • Deckard's System Scanner (DDS) Logs
      • DDS.txt
      • Attach.txt
    • ESET Scan Log
    • Malwarebytes' Anti-Malware Scan Log
  • Format of Response

    As part of my service terms, you are to fill this up every time you respond to your log. Copy and paste the content inside the code box and write directly after the closing tags. Do not add spaces as they are already provided. An exception applies to the numbers, as they are to be written after the # sign.

    Step #1: Change the number accordingly.
    Problems Encountered: Put N/A if the operation went smoothly.

    Link To Requested Logs: Post the links to the logs I have asked you to produce.

  • Code:
    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Link To Requested Logs:[/b][/color]
#3
Step #1
Problems Encountered: N/A

Step #2
Problems Encountered: N/A

Step #3
Problems Encountered: N/A

Link To Requested Logs:
I couldn't run anything without getting the BSOD, so I used system restore to go back a week. I ran all of the scans, and my computer looks fine.
Somehow my free Avast! Antivirus got deactivated. Which combination (antivirus + firewall) would you recommend for me? I don't visit many websites (Facebook, YouTube, and of course Support Forums). I am running Windows 7 Service Pack 1, and I use my computer about 4-6 hours a day.

Another, I am being directed towards unwanted websites through Google. For example, if I click on the link to:

http://free.antivirus.com/hijackthis/

It will send me to a different site, something like this:

http://channel1reports.com/jobs3/?from=1_113594


It is also giving me this:
[Image: kkCxNA.jpg][
#4
  • Step 5

    Download TDSSKiller and save it to your Desktop.
    • Make sure all other windows are closed and to let it run uninterrupted.
    • Extract the file and run it.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
      • If an infected file is detected, the default action will be Cure, click on Continue.
      • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Step 6

    I will ask you to disable the Interactive Services Detection service.
    • Press CTRL + R to open the Run prompt.
    • Type in "services.msc" without the quotes. You may get a prompt for Administrator permission. Allow this.
    • Click on Services.
    • Find Interactive Services Detection in the list.
    • Right-click > Properties > Stop > Startup Type > Disable.
  • Step 7

    Download SUPERAntiSpyware.
    • Install it and let it check for updates.
    • Perform a complete scan and let it remove everything it finds.
    • Once done, post the log here and provide the link to this thread.
  • In your next post, please provide the following:
    • A Fresh HijackThis (HJT) Log
    • Deckard's System Scanner (DDS) Logs
      • DDS.txt
      • Attach.txt
    • SUPERAntiSpyware Log
    • TDSSKiller Results
  • Format of Response

    Code:
    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Link To Requested Logs:[/b][/color]
  • Comments:
    • I would recommend that you download Avira and Comodo Firewall.
#5
Step #5
Problems Encountered: Couldn't find a log. Everything was clean, though.

Step #6
Problems Encountered: N/A. Already disabled.

Step #7
Problems Encountered: N/A

Link To Requested Logs:
Comments:
  • I'm still being redirected to random websites and Mozilla Firefox randomly crashes.
  • Everytime I attempt to shut down my computer, I get the blue screen (of death).
#6
Last virus I had was a long time ago too. I wasn't getting redirected, however random sites with the prefix of "CID" kept popping up. It was one of the most annoying and troublesome viruses i've had. Got it from a virus off of windows live. Fixed it by deleting it's registry entry through an hour of looking through regedit.exe. And I also had to fix my hosts file, as well as delete it's entry inside of System32.

Hope you get things sorted out through Quintus' advisement's though Smile I can't help you in this area of the forum.
#7
  • Step 8

    Please download GooredFix from one of the locations below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (Windows XP), or right-click and select Run As Administrator (Windows Vista & Windows 7).
    • Select "Yes" when prompted.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your Desktop, called GooredFix.txt).
  • Step 9

    Please download the OTL Log Analysis from 'here'. Please click the Go (Arrow Button) or press Enter in the URL address bar to start the download.
    • Save it to your Desktop.
    • Please double-click OTL.exe to run it.
    • Make sure all other windows are closed to let it run uninterrupted.
    • When the window appears, underneath Output, change it to Minimal Output.
    • Under the Standard Registry box change it to All.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two Notepad windows.
      • OTL.txt
      • Extras.txt
    • These are saved in the same location as OTL.
    • Please copy (Right-click > Select All > Copy) the contents of these files, one at a time, and post it with your next reply.
  • In your next post, please provide the following:
    • A Fresh HijackThis (HJT) Log
    • Deckard's System Scanner (DDS) Logs
      • DDS.txt
      • Attach.txt
    • GooredFix Log
    • OTL Scan Log
  • Format of Response

    Code:
    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Link To Requested Logs:[/b][/color]
#8
Step #8
Problems Encountered: N/A

Step #9
Problems Encountered: N/A

Link To Requested Logs:

Every time I boot up my computer I get this error message:


EDIT 2: Once again, I was infected by Win 7 Total Security 2011. I ran MBAM and SAS to remove this infection. I am tempted to download a new Antivirus program, but i was told not to download any software. Also, why is it that this virus re-appears after cleaning it? If you need it:


Thanks for your time Quintus, it means a lot.
#9
Note: Give me the above minidumps. I would suggest that you download everything mentioned in here first and save this page so that you can access it offline. Only connect to the Internet when necessary. Another, please do not update using Windows Update at the time being.
  • Step 10

    Download this Registry fix and run it as Administrator. It would be preferable that you download it off a clean computer and save it in a USB drive. But seeing as you can access and download from the Internet, you may opt to download it on this very machine.
  • Step 11

    Please download RKill.
    • Please chose "eXplorer.exe" and save it to your Desktop.
    • Double-click the file for it to stop any process associated with the rogue program.
    • When done, a prompt will automatically close.

      "If you get a message that RKill is an infection, do not be concerned. This message is just a fake warning given by Antimalware Doctor when it terminates programs that may potentially remove it. If you run into these infections warnings that close RKill, a trick is to leave the warning on the screen and then run RKill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Antimalware Doctor. So, please try running RKill until the malware is no longer running. If you continue having problems running RKill, you can download the other renamed versions of RKill from the Rkill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab. Do not reboot your computer after running RKill as the malware programs will start again."
  • Step 12

    System Restore maintains a backup of your programs however it may also backup infections therefore constant flushing is required to create a clean Restore Point.

    1. On the Start Menu, right-click Computer > Properties > System Protection.
    2. Click Configure.
    3. Click Delete > Continue > OK.
    4. You are now back at the System Protection Tab.
  • Step 13

    Please update and run a full scan with Malwarebytes' Anti-Malware. Make sure you are disconnected from the Internet whilst this process is on-going. After it has asked you to reboot, if infections were found, proceed to run a full scan with Avira, again with no Internet connectivity. Make sure that this is done individually.
  • Step 14

    Please do a clean installation of Firefox.

    I have noticed you have more than one profile. Please backup your bookmarks, and remove Firefox completely. Visit the enclosed path (C:\Users\Tyler\Application Data\Mozilla\Firefox\Profiles) and delete any profiles left. Then do a re-installation.
  • Step 15

    Run OTL.exe.
    • Copy and paste the following text written inside of the code box into the Custom Scans & Fixes box located at the bottom of OTL.

      Code:
      :OTL
      @Alternate Data Stream - 129 bytes -> C:\ProgramData\TEMP:07BF512B
      [2011/04/20 23:01:33 | 000,011,202 | -HS- | C] () -- C:\Users\Tyler\AppData\Local\4kegtidw7006g801m8f6f10
      [2011/04/20 23:01:33 | 000,001,618 | -HS- | C] () -- C:\ProgramData\4203139489
      [2011/04/20 23:01:25 | 000,011,202 | -HS- | C] () -- C:\ProgramData\4kegtidw7006g801m8f6f10

      :Commands
      [purity]
      [emptytemp]
      [RESETHOSTS]
      [CLEARALLRESTOREPOINTS]

    • Then click the Run Fix button at the top.
    • Let the program run unhindered, reboot when it is done.
    • Then post a new OTL log (don't check the boxes beside LOP Check or Purity this time).
  • In your next post, please provide the following:
    • A Fresh HijackThis (HJT) Log
    • Avira Scan Log
    • Deckard's System Scanner (DDS) Logs
      • DDS.txt
      • Attach.txt
    • Malwarebytes' Anti-Malware Scan Log
    • OTL Results
  • Format of Response

    Code:
    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Step #[/b][/color]
    [color=#FFD700][b]Problems Encountered:[/b][/color]

    [color=#00BFFF][b]Link To Requested Logs:[/b][/color]
  • Comments:
    • Also, as to why you keep getting infected, it is either the infection still resides in the system (and a copy is in the System Volume Information), but I doubt that because you are getting new variants. Another could be because of your activity. You are clicking and visiting wrong sites.
#10
Latest minidump.


Step #10
Problems Encountered: N/A

Step #11
Problems Encountered: BSOD upon opening.

Step #12
Problems Encountered: N/A

Step #13
Problems Encountered: N/A

Step #14
Problems Encountered: N/A

Step #15
Problems Encountered: N/A

Link To Requested Logs:


Comments
  • Upon clicking links through Google, I am redirected to advertisement websites.
  • This happened to me twice now; after leaving my computer on for an hour or so and returning, I wasn't able to open up any programs. For example, I would click Mozilla Firefox, my mouse would show the loading animation, but nothing would show. This same conflict applies to any other commands such as shut down, sleep, etc.
  • BSOD when opening RKill (eXplorer.exe).


Once again, thank you for your time Quintus. I can't express my gratitude for you through words. Tongue


Possibly Related Threads…
Thread Author Replies Views Last Post
  Vista security 2011 Rogue anti-virus help! Mr. Jewtastic 8 3,345 05-08-2011, 07:46 PM
Last Post: Quintus

Forum Jump:


Users browsing this thread: 12 Guest(s)