Ok, this looks like a fake AV program, but I have never seen one with all these effects before. Here is what I am seeing...
1.) 3 new icons on the desktop named "Setup.exe", "Setup(2).exe", and "Setup(3).exe".
2.) Bit-Defender AV is not running, and is missing from the system tray.
3.) Any attempt to start a program normally flashes a black popup box with the message "program too big to fit in memory" for half a second, and then the program fails to start. (I have tried starting from the desktop, the Start menu, and the Run console without success.) Note: I managed to find 2 programs that worked with a roundabout startup. Firefox starts from an icon in the Start Menu quicktray, but not from any other icon.
4.) Windows will not start in Safe Mode. The screen blanks out, and it dumps me back to the startup config screen every time. It will start in normal mode just fine.
5.) I managed to run a contextual scan with Bit-Defender from the right-click menu using Windows Explorer on C: drive. It finds nothing. Unfortunately, mbam will not start in the same way despite being in the menu as well.
6.) When searching for information on the symptoms I am seeing, Firefox is often redirected to various sites, or to a site called "scan-pc-now.com", which shows a fake AV scan in progress and runs a self-renewing prompt to download the program; escaping it requires shutting down the Firefox.exe process from Task Manager. Often, when I click on a computer security website page with information about this, it will display a failure-to-connect notice and block the page.
7.) I have tried running mbam, and DDS.scr but both programs encounter the same issue with #3 above, so I am unable to post a log file for HJT.
At first, I figured it was Antivirus 2009, but I can't find any of the telltale processes in Task Manager, nor any of the usual .exe and .dll files that it installs. So I am stumped.
Any help with ID'ing the source would be greatly appreciated.
Update: I have found Windows Antivirus Pro malware in the C:\Program Files directory, and the svchast.exe process in Task Manager. However, the W.A.P. program itself is not listed as running in the program list, and the WinAntivirusPro.exe process is not in the process list either.
In addition, the hostage process for W.A.P. that I am familiar with denies program access with ad screens informing you that you must buy the full product to remove the myriad fake infections. I have never heard of it producing "program too big to fit in memory" errors when trying to start a program, or redirecting links to random websites.
In any event, the typical removal methods are not working since stopping the svchast.exe process does nothing. I still cannot run in Safe Mode or use mbam or DDS.
I have tried downloading a fresh mbam setup and renaming it, and using the Kaspersky Online Scanner, but mbam still will not start (#3 above remains) and the browser crashes as soon as Kaspersky starts to load.
Resolution: I managed to download a fresh setup for mbam and renamed it. Then I used the right-click menu to select "run-as" and switched from the default user "Owner/Admin" to the "Other user" option. I typed in "Owner" and used the Admin account password, and MBAM finally ran. It found around 41 infections total, and after removing all of them the symptoms stopped.
I ran another mbam scan, a Bit-Defender deep scan, and a Spybot S&D scan, and all have come back clean. Still, this is an office computer, so I would really like to have someone look at my DDS log and confirm that it is clean. I spent about 12 hours trying to fix this thing last night. If there is something in this log that I am missing, I want to know about it before it becomes a problem.
Also, since hiring this woman 3 months ago, this computer we share has been heavily infected on 3 occasions while I am out of the office. I am running up-to-date copies of Bit-Defender and Spybot S&D. I would like to get a better idea of how this lady keeps getting these infections and what additional measures I can take to protect this machine. (e.g. one of the guys from corporate recommended SuperAntiSpyware. How does it stack up to Spybot S&D?)
I can provide copies of the mbam log with the virus entries it removed.
Edited by aocvirek, 12 August 2009 - 06:19 PM.
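A triage check a responder would want to run on a machine with the symptoms described in this post (every .exe failing to launch from the shell, while a renamed copy run under a different account works). This is an added example, not code from the post or from any of the products it names, and it does not claim to know what this particular infection modified. It assumes only the standard Windows registry locations that control how a double-clicked .exe is launched: the ".exe" extension mapping, the exefile open command (stock value `"%1" %*`), and Image File Execution Options "Debugger" values, which cause Windows to start the named debugger in place of the image. Per-user HKCU\Software\Classes entries override the machine-wide HKLM ones, which is one plausible (but here unproven) reason a "run as other user" workaround like the poster's can succeed. Findings are reported for review, not deleted automatically, because legitimate Debugger entries exist.

```powershell
# Added triage script, not part of the original post. Assumes the standard Windows registry
# locations that govern how a double-clicked .exe is launched; the defaults listed are the
# stock Windows values. Findings are only reported: a human decides what is malicious.

function Get-ExeLaunchHijacks {
    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding($Location, $Name, $Value, $Expected) {
        $findings.Add([pscustomobject]@{
            Location = $Location; Name = $Name; Value = $Value; Expected = $Expected
        })
    }

    # Per-user Classes (HKCU) override the machine-wide ones (HKLM), so both are checked.
    $hives = @('HKEY_LOCAL_MACHINE\SOFTWARE\Classes', 'HKEY_CURRENT_USER\Software\Classes')

    foreach ($hive in $hives) {
        # 1. ".exe" must map to the 'exefile' ProgID; anything else redirects every launch.
        $extKey = "Registry::$hive\.exe"
        if (Test-Path $extKey) {
            $progId = (Get-Item $extKey).GetValue('')
            if ($progId -and $progId -ne 'exefile') {
                Add-Finding $extKey '(default)' $progId 'exefile'
            }
        }

        # 2. The exefile open command must be the stock "%1" %*; any prefix runs first.
        $cmdKey = "Registry::$hive\exefile\shell\open\command"
        if (Test-Path $cmdKey) {
            $cmd = (Get-Item $cmdKey).GetValue('')
            if ($cmd -ne '"%1" %*') {
                Add-Finding $cmdKey '(default)' $cmd '"%1" %*'
            }
        }
    }

    # 3. Image File Execution Options: a 'Debugger' value under <image>.exe makes Windows
    #    launch that "debugger" instead of the image. Developer tools register legitimate
    #    entries, so each one is listed for review rather than treated as proof of infection.
    $ifeoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = $sub.GetValue('Debugger')
            if ($dbg) {
                Add-Finding $sub.PSPath 'Debugger' $dbg '<absent>'
            }
        }
    }

    return $findings
}

$results = Get-ExeLaunchHijacks
if ($results.Count -eq 0) {
    Write-Output 'No deviations from the stock .exe launch path found.'
} else {
    $results | Format-Table -AutoSize
}
```

Reading these keys needs no elevation, so the script can be run from an ordinary account while the box is still infected; if the system has no PowerShell at all, the same three locations can be inspected with regedit or `reg query`. A non-default exefile command or an unexpected Debugger entry is worth pasting into a help-forum reply alongside the scanner logs, since it explains the launch failures directly rather than by inference from which programs happen to start.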