RapidAntivirus Question


14 replies to this topic

#1 Stiner777

Posted 11 April 2009 - 09:30 PM

I have a question to anyone who may know what to do in my situation.

The past couple of days, I have received error messages that just pop up seemingly from Internet Explorer saying that my system is "showing signs of infection, blah blah..." I have the option of clicking either OK or Cancel, but either one will take me to the RapidAntivirus website. I have not downloaded the file it wanted me to. I have been to several websites that explain how to manually remove the RapidAntivirus program, but the files or registry entries listed on these sites are not on my computer.

So how is it I am getting this "error message" at random? What am I missing? Is this a remote attack or is there some file on my computer that's trying to trick me into buying this rogue program?

EDIT:

I am running Windows Vista 64 (Business Edition)
Internet Explorer 7

(McAfee virus scanner shows everything is clean)

Edited by Stiner777, 11 April 2009 - 09:40 PM.


#2 boopme

Posted 11 April 2009 - 10:48 PM

Hi, please run this MBAM scan and post that log, thanks.
Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Stiner777

Posted 12 April 2009 - 12:58 PM

Yeah, I previously installed MBAM and it caught a few registry entries. This time, nothing. All clean, supposedly but I'm not completely convinced. Here's the log.

Malwarebytes' Anti-Malware 1.36
Database version: 1967
Windows 6.0.6001 Service Pack 1

4/12/2009 1:54:49 PM
mbam-log-2009-04-12 (13-54-49).txt

Scan type: Quick Scan
Objects scanned: 63581
Time elapsed: 2 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Stiner777, 12 April 2009 - 01:23 PM.


#4 boopme

Posted 12 April 2009 - 01:47 PM

Well let's do some more checking. Please tell me the exact error message.

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from the icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Rerun updated MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.

#5 Stiner777

Posted 12 April 2009 - 04:43 PM

I did as you asked. Scan came up clean. Maybe those two registry entries I mentioned earlier were it? Well, anyway, here's the log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/12/2009 at 05:27 PM

Application Version : 4.26.1000

Core Rules Database Version : 3839
Trace Rules Database Version: 1795

Scan type : Complete Scan
Total Scan Time : 00:23:15

Memory items scanned : 206
Memory threats detected : 0
Registry items scanned : 7000
Registry threats detected : 0
File items scanned : 36447
File threats detected : 0


The exact error message, sadly, I don't remember word for word. It didn't come from the system tray and said something like "Your system is showing signs of spyware infection. We recommend you go to RapidAntivirus.com for a free scan" or something like that. I could click OK or Cancel, but either one would take me to the site anyway. So far it hasn't happened today. I guess I can assume it's gone. If by chance it comes back again, what would you recommend I do?

By the way, thanks for the help you've given me thus far.
God bless ya for it.

#6 boopme

Posted 12 April 2009 - 07:07 PM

The error is gone now also? Machine is running normally?

#7 Stiner777

Posted 15 April 2009 - 05:12 PM

Well, I would like to reply saying that all is normal, but just today, I got the message again. It's still up, I have not clicked anything. This is what it says.

Warning!!! Your computer contains various signs of viruses and malware programs presence.

Your system requires immediate anti viruses check! Personal Anti Virus will perform a quick and free scanning of your PC for viruses and malicious programs.

Again, it gives the option of OK or Cancel. Also, I just noticed that it opens a browser which is hidden behind the error message. The browser is now not pointed at RapidAntivirus.com, but rather at antispywarep... (too small to see the rest). The window is small in size so that it fits hidden behind the message.

Again, all my scans have come up clean. What's going on?

EDIT: When this popped up, it closed out the webpage I was viewing at the time, (foxnews.com)

Edited by Stiner777, 15 April 2009 - 05:22 PM.


#8 boopme

Posted 15 April 2009 - 05:25 PM

Well, it's for sure that it's there. We will probably run 3 tools; first these.

Rerun MBAM

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Full scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


Next part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#9 Stiner777

Posted 15 April 2009 - 06:12 PM

Again, Malwarebytes found nothing. I ran the SmitfraudFix.exe file (had to turn off UAC to do it) and did the search as you directed. It scanned the processes and then closed. Not sure if it did anything or if it was supposed to do anything beyond that.

#10 boopme

Posted 15 April 2009 - 06:29 PM

See if it left a report that you can copy/paste here. The report can be found at the root of the system drive, usually at C:\rapport.txt

#11 Stiner777

Posted 15 April 2009 - 06:38 PM

Ah, yes. There it is! Here's the report.

(EDIT) While waiting for your reply to this, I went searching for folders and other things that were on my C drive that I didn't recognize. I found a few things. I have a lot of browser helper objects from Motive Communications, and I'm not sure what they do. Motive seems to be a legitimate name... Then I found "Flyswat." This is considered adware and I wonder if it was causing my particular problem? Or is Flyswat something else entirely? Either way, nothing was picking it up. It is listed on Norton's website as adware. (And I have McAfee.)

SmitFraudFix v2.408

Scan done at 19:37:22.27, Wed 04/15/2009
Run from C:\Users\Stiner\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\nvraidservice.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\rundll32.exe
D:\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files (x86)\Belkin\Nostromo\nost_LM.exe
C:\Windows\SysWOW64\CtHelper.exe
C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Program Files (x86)\Java\jre6\bin\jusched.exe
D:\Vidalia Bundle\Privoxy\privoxy.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
D:\Ideazon\ZEngine\Zboard.exe
C:\Program Files (x86)\Belkin\Nostromo\LoadoutManagerHelper.exe
C:\Windows\system32\taskeng.exe
D:\Kongsoft\Easy CD Ripper\ezcdrservice.exe
C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~2\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files (x86)\McAfee\MPF\MPFSrv.exe
C:\Program Files (x86)\McAfee\MSK\MskSrver.exe
D:\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
D:\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\PROGRA~2\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Stiner\Desktop\SmitfraudFix\Policies.exe
C:\Windows\SysWOW64\cmd.exe
D:\Vidalia Bundle\Tor\tor.exe

hosts

C:\

C:\Windows

C:\Windows\system

C:\Windows\Web

C:\Windows\system32

C:\Windows\system32\LogFiles

C:\Users\Stiner

C:\Users\Stiner\AppData\Local\Temp

C:\Users\Stiner\Application Data

Start Menu

C:\Users\Stiner\FAVORI~1

Desktop

C:\Program Files (x86)

Edited by Stiner777, 15 April 2009 - 06:54 PM.
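The SmitfraudFix report above lists running processes and checks a few folders, but it does not show what schedules or launches the warning dialog and the small browser window behind it. The following is an added check, not part of the thread and not code from SmitfraudFix, MBAM or any other tool named here: it enumerates the autostart points that can open a browser window at logon or on a timer on this kind of machine. It covers Browser Helper Objects in both the 64-bit registry view and the Wow6432Node view that 32-bit Internet Explorer reads on Vista x64 (the Motive and Flyswat objects mentioned in the post would appear here), the Run/RunOnce keys, and scheduled tasks whose action launches a browser, a URL, an .hta file or a script. Each BHO CLSID is resolved to its DLL and the DLL's Authenticode status is printed so that unsigned or missing files stand out. It assumes an elevated PowerShell 2.0 or later prompt on an English-language 64-bit Windows Vista or later system; the regular expression used to pick out browser-launching tasks is the author's assumption.

```powershell
# Added example, not from the thread or from SmitfraudFix/MBAM. Assumes an
# elevated PowerShell 2.0+ prompt on 64-bit Windows Vista or later (English
# locale, because schtasks column names are localised).
# Lists the autostart points that could launch a rogue "warning" page:
# Browser Helper Objects, Run/RunOnce keys and scheduled tasks.

$bhoKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# A BHO subkey name is the CLSID of an in-process COM server; its DLL path is the
# default value of HKCR\CLSID\{clsid}\InprocServer32. Servers registered from the
# Wow6432Node BHO key are 32-bit and live under HKCR\Wow6432Node\CLSID instead.
function Get-BhoDll([string]$clsid, [bool]$wow64) {
  $base = 'Registry::HKEY_CLASSES_ROOT\CLSID'
  if ($wow64) { $base = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID' }
  $srv = "$base\$clsid\InprocServer32"
  if (-not (Test-Path $srv)) { return $null }
  $raw = (Get-ItemProperty $srv).'(default)'
  if (-not $raw) { return $null }
  # Registered paths may be quoted or use %SystemRoot%-style variables.
  return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

"== Browser Helper Objects =="
foreach ($key in $bhoKeys) {
  if (-not (Test-Path $key)) { continue }
  $wow = ($key -like '*Wow6432Node*')
  foreach ($sub in Get-ChildItem $key) {
    $clsid = $sub.PSChildName
    $dll = Get-BhoDll $clsid $wow
    if ($dll -and (Test-Path $dll)) {
      $status = (Get-AuthenticodeSignature $dll).Status   # Valid, NotSigned, HashMismatch...
    } else {
      $status = 'FILE MISSING'   # dangling registration: harmless, but worth removing
    }
    $view = 'x64'
    if ($wow) { $view = 'x86' }
    '{0} {1} -> {2} [{3}]' -f $view, $clsid, $dll, $status
  }
}

"== Run / RunOnce values =="
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty $key
  foreach ($p in $props.PSObject.Properties) {
    # Get-ItemProperty adds PSPath, PSParentPath etc. as note properties; skip those.
    if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
    '{0}\{1} = {2}' -f $key, $p.Name, $p.Value
  }
}

"== Scheduled tasks whose action launches a browser, a URL, an .hta or a script =="
# schtasks.exe ships with Vista; its verbose CSV view includes the task action
# in the 'Task To Run' column. The pattern below is an assumption, extend it as needed.
schtasks.exe /query /v /fo CSV |
  ConvertFrom-Csv |
  Where-Object { $_.'Task To Run' -match 'iexplore|firefox|opera|https?://|\.url|\.hta|\.vbs|\.js' } |
  ForEach-Object { '{0}  next run: {1}  action: {2}' -f $_.TaskName, $_.'Next Run Time', $_.'Task To Run' }
```

Read the BHO list first: a legitimate vendor object normally resolves to a signed DLL under Program Files, while a rogue one tends to be unsigned, sit under a user profile or Temp directory, or be registered only in one view. If all three listings are clean, the dialog is more likely produced by script on a page that was open at the time (or by an advertisement it loaded) than by something installed, and the exact URL in the small hidden window becomes the useful piece of evidence.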


#12 boopme

Posted 15 April 2009 - 07:41 PM

I think it is just an Avira notice; I cannot find more on it and I feel you are clean.
Perhaps you can start a topic here and shed some light for all of us: Avira Support Forum

#13 Stiner777

Posted 15 April 2009 - 07:51 PM

If it's an Avira notice, why would it try to force me to download something? It's very similar to what the Foistware post on this site describes. Besides, I don't have this particular antivirus installed. Like I said, I have McAfee.

Edited by Stiner777, 15 April 2009 - 07:52 PM.


#14 boopme

Posted 15 April 2009 - 08:36 PM

Yes, I believe I erred; I misread the "Personal Anti Virus will perform", sorry. Rereading your post, that is again malware (rogue type): PersonalAntiVirus. MBAM should find and eliminate these effortlessly, even RapidAnti.... You have run it in Full scan and normal mode, that is correct. Let's get a second opinion.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#15 Stiner777

Posted 16 April 2009 - 12:58 AM

Ok, scan complete and it found two things marked as suspicious. It claims that two files (both associated with the same program) are infected with the Packed.win32.black.d virus. The program these files belong to is the evaluation version of the E-Z CD ripper from Kongsoft. I've had this program installed for a long time now and just downloaded an updated version only yesterday. I've tried to find information on this virus, but so far I haven't found anything specific other than possible "False Positives." The program works great. Here is the log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, April 16, 2009
Operating System: Microsoft Windows Vista Business Edition, 64-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, April 16, 2009 05:26:54
Records in database: 2049617
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 241448
Threat name: 1
Infected objects: 0
Suspicious objects: 2
Duration of the scan: 01:33:10


File name / Threat name / Threats count
C:\Users\Stiner\Desktop\ezcdr_inst.exe Suspicious: Packed.Win32.Black.d 1
D:\Kongsoft\Easy CD Ripper\Easy_CD_Ripper.exe Suspicious: Packed.Win32.Black.d 1

The selected area was scanned.
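Kaspersky reports the two Easy CD Ripper files as "Suspicious" with a Packed.Win32.* name, which is a packer-based heuristic verdict rather than a named malware family, so the hits deserve a closer look before being treated as either an infection or a false positive. The following is an added example, not part of the thread and not Kaspersky's or Kongsoft's code: for each flagged file it prints a SHA-256 hash (to look the file up with the AV vendor or a multi-engine scanning service), the Authenticode signature status and signer, and the PE section names, matched against a small table of well-known packer section names. The two file paths are the ones reported in the scan log; the packer table is the author's assumption and is not exhaustive.

```powershell
# Added example, not from the thread or from Kaspersky. Triage a Packed.*
# heuristic hit: hash the file, check its Authenticode signature and list the
# PE section names, which usually reveal the packer the heuristic reacted to.
# Assumes PowerShell 2.0 or later. The packer table is an assumption, not exhaustive.

$knownPackerSections = @{
  'UPX0' = 'UPX'; 'UPX1' = 'UPX'; 'UPX2' = 'UPX'
  '.aspack' = 'ASPack'; '.adata' = 'ASPack'
  '.petite' = 'Petite'
  '.themida' = 'Themida'
  '.vmp0' = 'VMProtect'; '.vmp1' = 'VMProtect'
  '.MPRESS1' = 'MPRESS'; '.MPRESS2' = 'MPRESS'
  '.nsp0' = 'NsPack'; '.nsp1' = 'NsPack'
  'PEC2' = 'PECompact'; 'pec1' = 'PECompact'
  '.Upack' = 'Upack'
}

function Get-Sha256([string]$path) {
  $sha = [System.Security.Cryptography.SHA256]::Create()
  $fs = [System.IO.File]::OpenRead($path)
  try { ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '').ToLower() }
  finally { $fs.Close() }
}

# Walk the PE headers by hand: MZ header -> e_lfanew at 0x3C -> "PE\0\0" ->
# COFF header (NumberOfSections at +6, SizeOfOptionalHeader at +20) ->
# section table right after the optional header, 40 bytes per entry, name first.
function Get-PeSectionNames([string]$path) {
  $b = [System.IO.File]::ReadAllBytes($path)
  if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "not an MZ executable: $path" }
  $pe = [BitConverter]::ToInt32($b, 0x3C)
  if ($pe -lt 0 -or $pe + 24 -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {
    throw "no PE signature: $path"
  }
  $count   = [BitConverter]::ToUInt16($b, $pe + 6)
  $optSize = [BitConverter]::ToUInt16($b, $pe + 20)
  $table   = $pe + 24 + $optSize
  $names = @()
  for ($i = 0; $i -lt $count; $i++) {
    $off = $table + 40 * $i
    if ($off + 8 -gt $b.Length) { break }   # truncated file: stop rather than read past the end
    $names += [System.Text.Encoding]::ASCII.GetString($b, $off, 8).TrimEnd([char]0)
  }
  return $names
}

function Test-PackerVerdict([string]$path) {
  $sections = @(Get-PeSectionNames $path)
  $packers  = @($sections | Where-Object { $knownPackerSections.ContainsKey($_) } |
                ForEach-Object { $knownPackerSections[$_] } | Select-Object -Unique)
  $sig = Get-AuthenticodeSignature $path
  $signer = ''
  if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
  $packerText = 'none recognised'
  if ($packers.Count -gt 0) { $packerText = $packers -join ', ' }
  New-Object PSObject -Property @{
    File      = $path
    Sha256    = Get-Sha256 $path
    Signature = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError...
    Signer    = $signer
    Sections  = ($sections -join ' ')
    Packer    = $packerText
  } | Select-Object File, Sha256, Signature, Signer, Sections, Packer
}

# The two files Kaspersky flagged in the scan log above.
Test-PackerVerdict 'C:\Users\Stiner\Desktop\ezcdr_inst.exe' | Format-List
Test-PackerVerdict 'D:\Kongsoft\Easy CD Ripper\Easy_CD_Ripper.exe' | Format-List
```

How to read the result: a file with a Valid signature from the vendor and section names from a commercial protector is the usual false-positive pattern, since the heuristic reacts to the packer, not to the code inside it; a valid signature only proves who shipped the file, though, so an unsigned file, or one whose section names match nothing known, is better submitted to the AV vendor together with the hash than assumed clean because "the program works great".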



