BleepingComputer.com: Rogue anti-spyware installed itself, printer disabled


Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

Rogue anti-spyware installed itself, printer disabled went to safe mode and downloaded rkill but no luck

#1 Cranqueen (Member)

Posted 08 November 2010 - 04:34 AM

This virus has not only disabled my printer but will not allow me to log onto the internet, Facebook or any site. It pretends to scan my computer and states it has found numerous infections. I tried cleaning it up by following the instructions for removal of Antivir Solution Pro and am now operating in safe mode. However, Malwarebytes did not detect any infections. I am not very computer savvy, so I hope my explanation of my plight makes sense. I also noticed a pop-up stating something like "a USB device is not recognized" kept appearing again and again, even though I was not using a thumb drive nor did I have any external drives in use. I am scared that I have a "back-door" virus...

This post has been edited by elise025: 08 November 2010 - 04:47 AM
Reason for edit: Moved from XP to AII forum ~ Elise


#2 AustrAlien (BC Advisor)

Posted 08 November 2010 - 04:58 AM

Cranqueen, on 08 November 2010 - 04:34 AM, said:

... instructions for removal of Antivir Solution Pro and am now operating in safe mode. However, Malwarebytes did not detect any infections.

The problem may be that you failed to update the definitions database for MBAM (currently database version 5072, I think). Try updating MBAM (Open MBAM > Updates tab > Check for Updates). If it fails to update, then you may be able to do it manually using another computer.

Manually download MBAM definitions from here Malwarebytes' Anti-Malware Database
and transfer to the troubled computer. Double-click on mbam-rules.exe to install.

Please post the MBAM log(s) in full here.
(Open MBAM and click on the Logs tab.)

Follow the guide below, carefully ...

Remove Antivir Solution Pro (Uninstall Guide)
Posted by Grinler on July 14, 2010
http://www.bleepingcomputer.com/virus-removal/remove-antivir-solution-pro
AustrAlien
Google is my friend. Make Google your friend too.


#3 Cranqueen (Member)

Posted 08 November 2010 - 05:05 AM

The Malwarebytes Anti-Malware database is 5070. Here are the contents of the log...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5070

Windows 6.0.6000 (Safe Mode)
Internet Explorer 7.0.6000.16890

11/8/2010 12:48:32 AM
mbam-log-2010-11-08 (00-48-32).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 340511
Time elapsed: 1 hour(s), 6 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
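The point AustrAlien makes in the next reply is that a "no infections" result from MBAM is only as good as the definitions it was produced with. As an added example that is not part of the thread or of Malwarebytes' own tooling, the script below parses the MBAM 1.x log format shown above (the sample text is the log from this post) and applies that check: it pulls out the database version, whether the scan ran in Safe Mode and the per-category counts, then reports why a clean verdict should not yet be trusted. The value 5072 is the database version AustrAlien cites as current; the rule that MBAM 1.x database numbers only ever increase is an assumption of mine, stated in the code.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The MBAM 1.46 log as posted in this thread (post #3), used here as sample input.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5070

Windows 6.0.6000 (Safe Mode)
Internet Explorer 7.0.6000.16890

11/8/2010 12:48:32 AM
mbam-log-2010-11-08 (00-48-32).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 340511
Time elapsed: 1 hour(s), 6 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
"""


@dataclass
class MbamLog:
    program_version: str
    database_version: int
    safe_mode: bool
    scan_type: str
    objects_scanned: int
    infected: dict[str, int] = field(default_factory=dict)

    @property
    def total_infected(self) -> int:
        return sum(self.infected.values())


def parse_mbam_log(text: str) -> MbamLog:
    """Pull the header fields and the per-category detection counts out of an MBAM 1.x log."""

    def grab(pattern: str, default, cast=str):
        m = re.search(pattern, text, re.MULTILINE)
        return cast(m.group(1).strip()) if m else default

    os_line = grab(r"^Windows (.+)$", "")
    # Only the summary lines carry a number; the per-category listings further
    # down ("Files Infected:" followed by items) do not match "\d+" and are skipped.
    counts = re.findall(r"^(.+?) Infected: (\d+)[ \t]*$", text, re.MULTILINE)
    return MbamLog(
        program_version=grab(r"^Malwarebytes' Anti-Malware (\S+)", "unknown"),
        database_version=grab(r"^Database version: (\d+)", 0, int),
        safe_mode="(Safe Mode)" in os_line,
        scan_type=grab(r"^Scan type: (.+)$", ""),
        objects_scanned=grab(r"^Objects scanned: (\d+)", 0, int),
        infected={category: int(n) for category, n in counts},
    )


def assess(log: MbamLog, current_db: int) -> list[str]:
    """Return the reasons a 'no infections' verdict from this log should not be trusted.

    Assumption: MBAM 1.x database versions are integers that only ever increase,
    so a number below the current release means the definitions were stale.
    """
    findings: list[str] = []
    if log.database_version < current_db:
        findings.append(
            f"definitions stale: log has database {log.database_version}, current is {current_db}"
        )
        if log.total_infected == 0:
            findings.append("clean result is inconclusive: scanned with stale definitions")
    if log.safe_mode:
        findings.append("scan ran in Safe Mode; the advisor asked for a normally booted scan")
    return findings


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print(f"MBAM {parsed.program_version}, database {parsed.database_version}, "
          f"{parsed.objects_scanned} objects scanned, {parsed.total_infected} infected")
    for finding in assess(parsed, current_db=5072):
        print(" -", finding)
```

Run against the posted log it reports three findings: stale definitions (5070 against 5072), a clean result that is therefore inconclusive, and a Safe Mode scan. The same parser works on any MBAM 1.x log pasted into a thread, which is why the helpers ask for the log in full rather than a summary.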

#4 Cranqueen (Member)

Posted 08 November 2010 - 05:14 AM

Please do not give up on me, but it is 2am here. I have been battling with my computer all day and I have to sleep now. My husband was able to revert back to a date before the virus installed itself, so I am able to use my printer now. I am a little afraid to restart msconfig since all the steps I followed did not quarantine any viruses.

This post has been edited by Cranqueen: 08 November 2010 - 05:16 AM


#5 AustrAlien (BC Advisor)

Posted 08 November 2010 - 05:17 AM

Good.

Nearly bedtime here too. See you tomorrow in that case.

#6 Cranqueen (Member)

Posted 08 November 2010 - 05:18 AM

I will check back in the morning for any other suggestions. Thank you for trying to help me.

#7 AustrAlien (BC Advisor)

Posted 08 November 2010 - 06:55 PM

Cranqueen, on 08 November 2010 - 05:14 AM, said:

My husband was able to revert back to a date before the virus installed itself, so I am able to use my printer now.

What is your situation today, following the successful system restore?
Do you have a working internet connection and are you able to update MBAM?

Try MBAM (Malwarebytes Anti-malware) like this:

  • With Windows booted normally (NOT in Safe Mode), open MBAM and click the Update tab and then Check for Updates.
  • When updating is complete, click the Scanner tab and select Perform quick scan and then click Scan.
  • When the scan has completed, if anything is found in the Results, choose Remove Selected.
  • Then post the contents of the log when it is displayed.
  • Now reboot Windows normally (NOT into Safe Mode). <<< Important


Please ask any questions, post the log and let us know how the PC is running now.

This post has been edited by AustrAlien: 08 November 2010 - 06:56 PM


#8 Cranqueen (Member)

Posted 09 November 2010 - 11:29 AM

After the system restore, I am back in business. WOW, that was one scary virus. Every click I made was answered with a pop-up warning me that my computer was infected and encouraging me to buy their product. I was sure that it was not real. My husband said that it disabled McAfee and my printer, so I could not print the instructions on how to remove the virus. It was one nasty bug! I am not much of a gamer but I do play Scrabble against a computer at Pogo. Could I have picked it up there, on FB (even though I never play games there) or at Big Fish playing Hidden Object games? I sure do not want that to happen again. Makes me paranoid.

Thank you for all you do. You are a hero!

#9 Cranqueen (Member)

Posted 10 November 2010 - 10:22 AM

Prior to asking your advice, I downloaded Secunia which is NOT working as I had expected. (Clicking on the solutions just opens a weird word document that does not offer a solution) and since I downloaded it, my computer is so SLOW that it is crawling. I cannot figure out how to uninstall Secunia. Can you help me? I thought I should post this in another forum, but was not sure what topic to post it under...

#10 AustrAlien (BC Advisor)

Posted 10 November 2010 - 08:15 PM

Cranqueen, on 10 November 2010 - 10:22 AM, said:

I thought I should post this in another forum, but was not sure what topic to post it under...

Me neither ... try this one: All Other Applications

Secunia comes highly recommended, but I personally have no experience with it .... sorry. I am sure someone will be able to help with the issue you are having with Secunia.

This post has been edited by AustrAlien: 10 November 2010 - 08:16 PM


#11 Cranqueen (Member)

Posted 11 November 2010 - 06:30 PM

I am back and so is the virus (AntiVir Solution Pro). The system restore put me back in business for a day or two, but the virus is back with a vengeance. I am following the steps suggested on BleepingComputer to remove it; however, when I get to the Rkill download step and attempt to run it, I get this message:

Services Stopped:

Processes terminated by Rkill or while it was running:

C:\Users\Dad\Desktop\iExplore.exe

Rkill completed on 11/11/2010 at 15:17:06.

I left the result on the screen and ran it again and again. No matter how many times I try to run it, I get the same message. I tried iExplorer.exe AND eXplorer.exe as well with the same results.

Now what?

This post has been edited by Cranqueen: 11 November 2010 - 06:33 PM


#12 AustrAlien (BC Advisor)

Posted 11 November 2010 - 06:37 PM

What you see is fine. rkill stopped a process. It has done its job.

Simply continue with the instructions in the guide.
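rkill only reports what it terminated; deciding whether a terminated image was the rogue, a legitimate program, or a tool is left to the reader. As an added example, not from the thread or from rkill's authors, the script below parses rkill output of the shape quoted in post #11 and triages each terminated process by where it ran from: images under the Windows or Program Files trees are expected, anything launched from a user-writable location such as Desktop, AppData or Temp is suspicious (rogue anti-spyware installs there because it needs no admin rights), and a file that carries a system-binary name while running outside the system directories is flagged for review. The review verdict rather than a malicious one is deliberate: rkill itself was distributed under decoy names such as iExplore.exe and eXplorer.exe (the names Cranqueen tried), so a Desktop hit with such a name can be the renamed rkill as easily as a rogue masquerading as Internet Explorer. The sample log is constructed from the quoted output plus two invented paths for contrast, and the directory and name lists are my assumptions.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Sample input: the rkill output quoted in post #11, plus two constructed paths
# (a Temp-folder binary and the real Internet Explorer) added for contrast.
SAMPLE_RKILL_LOG = r"""Services Stopped:

Processes terminated by Rkill or while it was running:

C:\Users\Dad\Desktop\iExplore.exe
C:\Users\Dad\AppData\Local\Temp\xkqrt.exe
C:\Program Files\Internet Explorer\iexplore.exe

Rkill completed on 11/11/2010 at 15:17:06.
"""

# Assumed lists for the triage; extend them for a real environment.
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
PROFILE_ROOTS = (r"C:\Users", r"C:\Documents and Settings")
SYSTEM_BINARY_NAMES = {"iexplore.exe", "explorer.exe", "winlogon.exe", "userinit.exe",
                       "svchost.exe", "lsass.exe", "csrss.exe"}


def parse_rkill_log(text: str) -> dict:
    """Split an rkill log into its 'Services Stopped' and 'Processes terminated' lists."""
    result = {"services": [], "processes": [], "completed": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Services Stopped:"):
            section = "services"
            continue
        if line.startswith("Processes terminated"):
            section = "processes"
            continue
        done = re.match(r"Rkill completed on (.+)\.$", line)
        if done:
            result["completed"] = done.group(1)
            section = None
            continue
        if section:
            result[section].append(line)
    return result


def _under(path_lower: str, roots: tuple[str, ...]) -> bool:
    # Prefix match on the lower-cased path; the trailing backslash keeps
    # "C:\Program Files" from matching "C:\Program Files (x86)\...".
    return any(path_lower.startswith(root.lower() + "\\") for root in roots)


def triage_path(raw_path: str) -> tuple[str, str]:
    """Classify an executable by where it ran from: expected / review / suspicious."""
    p = PureWindowsPath(raw_path)
    lowered = str(p).lower()
    if _under(lowered, TRUSTED_ROOTS):
        return "expected", "image lives under a system or program directory"
    if p.name.lower() in SYSTEM_BINARY_NAMES:
        # A system-binary name outside the system directories is either a rogue
        # masquerading as Windows or a deliberately renamed tool (rkill itself
        # shipped as iExplore.exe / eXplorer.exe), so it needs a human look.
        return "review", f"{p.name} carries a system-binary name but ran from {p.parent}"
    if _under(lowered, PROFILE_ROOTS):
        return "suspicious", f"executable launched from user-writable location {p.parent}"
    return "review", "image outside the known directory roots"


def triage_rkill_log(text: str) -> list[dict]:
    """Parse the log and attach a verdict and reason to every terminated process."""
    rows = []
    for path in parse_rkill_log(text)["processes"]:
        verdict, reason = triage_path(path)
        rows.append({"path": path, "verdict": verdict, "reason": reason})
    return rows


if __name__ == "__main__":
    for row in triage_rkill_log(SAMPLE_RKILL_LOG):
        print(f"{row['verdict']:10s} {row['path']}")
        print(f"{'':10s} {row['reason']}")
```

On the sample the Desktop iExplore.exe comes back as "review", the Temp binary as "suspicious" and the real Internet Explorer as "expected". The verdict is a lead for the next step in the guide (what else is running from that directory, is there a matching Run key), not a removal decision on its own.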

#13 Cranqueen (Member)

Posted 12 November 2010 - 03:49 AM

Okay, sorry I didn't follow your instructions to the letter. I clicked the Update tab, checked for Updates and downloaded the latest version. I have copied the contents of the log, but I understand I am NOT supposed to paste it here. Where do I post it and how will you be able to find it when I do?

The rogue seems to be gone. I AM able to access the internet as the administrator, but when I log on as myself, I cannot reach Google; I get this message: "Internet Explorer cannot display the webpage". Can you help?

This post has been edited by Cranqueen: 12 November 2010 - 03:50 AM


#14 AustrAlien (BC Advisor)

Posted 12 November 2010 - 03:56 AM

There are some logs that should not be posted here in this forum (DDS, HJT, CF, OTL).

Please post the log from MBAM here in this thread.

#15 Cranqueen (Member)

Posted 12 November 2010 - 04:21 AM

Shoot... I copied it and I was doing something else and lost it. Is there a way to find it again? I already closed Notepad.
