I'm completely updating my original question...


18 replies to this topic

#1 AtrocityExhibition

AtrocityExhibition

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:37 PM

Posted 09 August 2009 - 07:44 PM

My original question was in regards to Windows Antivirus Pro fraudware removal, as I had read the instructions on how to remove it at this site, but there were little problems (if you want any information/feel like reading about it, you can read here: Original question).

I went through the task manager, and couldn't find the program running, so that apparently wasn't the problem. Upon further searching through Google, I found on Yahoo Answers how to get rid of this problem and was linked to here. I went through some of the steps before hitting problems. At the bottom, it says "Note: If you are using Windows XP and you enable "System Restore", you need to disable "System Restore" in "Safe Mode" before using the instructions above," but I haven't been able to disable system restore.

I may need some help disabling system restore/finishing the process.

Thanks for any help.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,072 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:06:37 PM

Posted 09 August 2009 - 09:16 PM

Hello, before we disable System Restore, let's run a scan for that malware. I am closing the other topic.

Run MBAM (Malwarebytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 AtrocityExhibition


Posted 09 August 2009 - 09:36 PM

The first big problem is that every program does not open. My anti-virus doesn't open, MBAM doesn't open... nothing opens. I get a message saying "program too big to fit in memory." This was due to the Windows Antivirus Pro fraudware.

I linked to the Windows website because that's what I came up with in my searching through Google. It seems like it could work if I didn't run into any unexpected errors.

#4 boopme


Posted 09 August 2009 - 10:09 PM

This should open...
Please download and run Process Explorer v11.33
Click on File then Save As, create a log.
Copy and paste it into your next reply.

#5 kamerlet

kamerlet

  • Members
  • 79 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Virginia
  • Local time:05:37 PM

Posted 09 August 2009 - 10:23 PM

Atrocity

I had almost the identical situation, programs didn't open, couldn't get my task manager etc....and these folks were able to help me. You will learn so much thru this. I sure did!

Hang in there! :thumbsup:
If Jimmy cracks corn and nobody cares, why did they write a song about him?

#6 AtrocityExhibition


Posted 09 August 2009 - 10:27 PM

I actually went into another user's thread, which has so far helped. I will use this program and see if I'm fully rid of this problem.

Thanks for the help so far.

#7 AtrocityExhibition


Posted 09 August 2009 - 10:31 PM

As per boopme's request:

System 4
smss.exe 564 Windows NT Session Manager Microsoft Corporation
csrss.exe 628 Client Server Runtime Process Microsoft Corporation
winlogon.exe 652 Windows NT Logon Application Microsoft Corporation
services.exe 696 Services and Controller app Microsoft Corporation
svchost.exe 880 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 944 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1056 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1360 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1108 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1272 Generic Host Process for Win32 Services Microsoft Corporation
aswUpdSv.exe 1412 avast! Antivirus updating service ALWIL Software
ashServ.exe 1552 avast! antivirus service ALWIL Software
spoolsv.exe 460 Spooler SubSystem App Microsoft Corporation
svchost.exe 1700 Generic Host Process for Win32 Services Microsoft Corporation
aoltsmon.exe 1756 AOL TopSpeed™ Monitor America Online, Inc
aoltpspd.exe 1800 AOL TopSpeed™ America Online Inc
nvsvc32.exe 1480 NVIDIA Driver Helper Service, Version 91.63 NVIDIA Corporation
PRISMXL.SYS 304 PrismXL Service New Boundary Technologies, Inc.
svchost.exe 376 Generic Host Process for Win32 Services Microsoft Corporation
wdfmgr.exe 1148 Windows User Mode Driver Manager Microsoft Corporation
ViewpointService.exe 1216 ViewMgr Viewpoint Corporation
ashMaiSv.exe 2120 avast! e-Mail Scanner Service ALWIL Software
ashWebSv.exe 2172 avast! Web Scanner ALWIL Software
svchost.exe 2748 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 708 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1560 Windows Explorer Microsoft Corporation
shwiconEM.exe 1740 Alcor Micro, Corp.
PDVDServ.exe 1748 PowerDVD RC Service Cyberlink Corp.
RTHDCPL.exe 1764 Realtek HD Audio Control Panel Realtek Semiconductor Corp.
rundll32.exe 1808 Run a DLL as an App Microsoft Corporation
VerizonServicepoint.exe 1816 Verizon Servicepoint Application Verizon
ashDisp.exe 1840 avast! service GUI component ALWIL Software
msmsgs.exe 1864 Windows Messenger Microsoft Corporation
aim6.exe 1872 AIM AOL LLC
aolsoftware.exe 1144 AOL AOL LLC
BigFix.exe 1924 BigFix Client Application BigFix Inc.
LaunchU3.exe 1940
firefox.exe 3092 1.00 Firefox Mozilla Corporation
procexp.exe 3912 Sysinternals Process Explorer Sysinternals - www.sysinternals.com

Once again, thanks for the help so far.

#8 AtrocityExhibition


Posted 09 August 2009 - 10:53 PM

I'm updating my situation: I downloaded the program VIPRE Rescue and scanned, and apparently all the Windows Antivirus Pro files are still in my computer, completely skipped over by the MBAM scan.

Do I have to remove these manually? Or does the program remove them for me?

#9 boopme


Posted 09 August 2009 - 11:28 PM

Hello, well, there is a list of all the related files here also. But first try: Automated Removal Instructions for Windows Antivirus Pro using Malwarebytes' Anti-Malware:

#10 AtrocityExhibition


Posted 09 August 2009 - 11:34 PM

I don't know if I should have done it, but I looked into the registry items associated with Windows Antivirus Pro, and deleted all the registry items listed. I also looked for the "Windows Antivirus Pro" folder and files in the Program Files area of my C: Drive.

I could run another MBAM quick scan again...

#11 boopme


Posted 09 August 2009 - 11:47 PM

Update and run. I'll look back tomorrow.

#12 AtrocityExhibition


Posted 10 August 2009 - 12:01 AM

Another update, boopme: I updated and ran MBAM after all the initial steps I took. For some reason, I can't run MBAM. I double-click on it, and it restarts the computer.

EDIT: I also notice that all the icons are still highlighted blue and the initial computer load takes a while, like it did when Windows Antivirus Pro was in there... so I have a feeling there's something still lurking around in there. And before the background screen loads, there is a blue screen for a few seconds.

Edited by AtrocityExhibition, 10 August 2009 - 12:08 AM.


#13 boopme


Posted 10 August 2009 - 09:32 AM

Hello, let's try Fatdcuk's fix.

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Quick Scan

At the end of the scan click Remove Selected and then reboot.


Post the scan log. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Are we running XP or Vista?

This may run.
We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#14 AtrocityExhibition


Posted 10 August 2009 - 11:51 AM

I am running Windows XP home edition.

As for your first suggestion, I am not finding mbam.exe as a file in the MBAM folder. I see mbam.dll or mbamext.dll. There are also two blank-looking icons next to "mbam-dor" and "mbam service."

#15 AtrocityExhibition


Posted 10 August 2009 - 11:53 AM

I keep getting a little error message saying "Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog."



