BleepingComputer.com: Antivirus System Pro problems

Antivirus System Pro has started on my computer. It is running XP.

Keep getting porno.com, viagra.com, adult.com and osadwarekill2009.com/purchase.. pop ups.
Repeated 'Infiltation Alert', Security Center pop ups.
Repeated 'Security Warning' "Application cannot be executed"(when programs don't work or at random). "The file ....exe is infected. Do you want to activate your antivirus software now? pop ups."

I cannot run RKill(just shutdowns quickly) or
I cannot start hardly anything except firefox/explorer.
Tried following an online manual removing list of files. It wouldn't find any.
Shuts down task manager straight away if I try to open it.

Downloaded Win32kDiag. Ran only very briefly and closed.
It did create a Win32kDiag.txt. But I cannot open it or any notepad files.

Thanks.

Have you tried going in to safemode? Have you been able to install MBAM? If you can get in to safemode then you shoudl be able to install MBAM and at least run an initial scan. I usually run SUPERAntispyware as well but I realize it's not 100% strength in safemode because it access the userfiles only, not the entire C drive.

Give that a shot and let me know what happens!

azfreetech, on Nov 22 2009, 12:09 AM, said:

Thanks for your help.

I booted XP in safe mode and installed MBAM and it did a scan.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2 (Safe Mode)

22/11/2009 11:56:16 AM
mbam-log-2009-11-22 (11-56-16).txt

Scan type: Quick Scan
Objects scanned: 83689
Time elapsed: 9 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

So it quarantined those infected. It then asked to reboot. I then mistakenly ignored it and it didn't do anything else in safe mode so I rebooted normally and the Antivirus Pro scan started again. So again, safe mode, loaded MBAM and scanned and this time it found nothing infected. I can still see the icon sitting down where my clock is though.

The infected files are still sitting in Quarantine.

While in safe mode I tried Rkill.com and while it stayed up for a few seconds, it then was closed and the safe mode yes/no button came up before your desktop appears.

So when I booted up the desktop I was able to open the notepad infection file before the AntiVirus Pro was booted up and quickly copied the contents for pasting here. If I try to open anything else now including the 2nd clear MBAM file it comes up with that 'Security Warning' pop up and any file is quickly closed.

It's been running for an hour and there has been no more annoying pop ups of porn sites or AVSP etc. Just the 'Security Warning' button comes up if I try to open a file or program. Now after closing that button(as I couldn't get an external drive working) it started the pop ups of sites and alerts.

I've also managed to install SUPERAntiSpyware while the desktop loaded.
A scan found 53 items which were quarantined and deleted.

Desktop rebooted successfully and so far no sign of it.

Then I was able to run Rkill.

If there is anything else I can do/need to do, please let me know.

I'm not sure what Azfreetech is doing, but it is frustrating because they just made all of these posts to help people out of nowhere, then they just don't even bother checking back, so I'm trying to take over all of their cases.

Could you please update your Malwarebytes version for me? You can update it by going to the "Update" tab. Then please rerun a Quick scan and post back the log.

Hi Computer Pro,

Malwarebytes' Anti-Malware 1.41
Database version: 3228
Windows 5.1.2600 Service Pack 2

25/11/2009 9:14:09 PM
mbam-log-2009-11-25 (21-14-09).txt

Scan type: Quick Scan
Objects scanned: 94291
Time elapsed: 9 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yxxwywhv (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\575.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Are you still experiencing any symptoms?

There's no ads or fake scans visually.
Though my hard drive is working away after logging on to the internet. Like it's doing one of those fake scans but now not showing it. Might be nothing, I don't know. Goes for about 5 mins.

Also when my computer boots up it asks for a connection to the internet, though the password isn't the right number of digits. Closing this connection box would start up the AVSP fake scan previously. Closing it now doesn't start it.

There was a dodgy looking Mozilla Firefox shortcut that looks blockier than it usually does. Created another shortcut and it looks how it should, sharp and clear.

Ok, lets run Dr. Web:

Please download Dr. Web the free version & save it to your desktop. DO NOT perform a scan yet.

Scan with Dr. Web Cureit as follows:
• Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
• Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
• The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
• If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
• If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
• When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
• Now put a check next to Complete scan to scan all local disks and removable media.
• In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
• Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
• When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
• Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
• In the top menu, click file and choose save report list.
• Save the DrWeb.csv report to your desktop.
• Exit Dr.Web Cureit when done.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

I'm having a similar issue with the System Pro Anti virus. Has completely hijacked my lap top. The problem is I can't even get on internet explorer in order to down load the appropriate virus/malware removal tools. So, what to do in a case like that??

Rob

Jocko59,

Please start your own topic to avoid confusion.

Thanks,
Computer Pro

Sorry I'm new here. I thought that I had started a new topic. I guess not. My apolgies.

Scanned with DrWeb as directed and it found 0 items.

Are you still having the same issue?

With the hard drive secretly doing something? At times yes, though no visual sign of AVSP.