Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Possible fake AV program? - system crippled

  • This topic is locked This topic is locked
1 reply to this topic

#1 aocvirek


  • Members
  • 19 posts
  • Gender:Male
  • Location:Minnesota - U.S.
  • Local time:07:53 PM

Posted 11 August 2009 - 08:22 PM

Please note: The below text contains the original issue. I have since resolved it on my own, but would would still appreciate if someone could get back to me about looking through a DDS log to confirm that I got everything, and helping me figure out how my employee managed to get this, and how to prevent it in the future.

Ok, this looks like a fake AV program, but I have never seen one with all these effects before. Here is what I am seeing...

1.) 3 new icons on the desktop named "Setup.exe, Setup(2).exe, and Setup(3).exe"

2.) Bit-Defender AV is not running, and is missing from the system tray.

3.) Any attempts to start any program normally, flashes a black popup box with the message "program too big to fit in memory" for 1/2 a second, then fails to start. (Have tried starting from desktop, start menu, and Run program console without success.) Note: I managed to find 2 programs that worked with a roundabout startup. Firefox starts from an icon in the Start Menu quicktray, but not from any other icon.

4.) Windows will not start in Safe Mode. The screen blanks out, and it dumps me back to the startup config screen every time. It will start in normal mode just fine.

5.) I managed to run a contextual scan with Bit-Defender from the right-click menu using Windows Explorer on C: drive. It finds nothing. Unfortunately, mbam will not start in the same way despite being in the menu as well.

6.) When searching for information on the symptoms I am seeing, Firefox is often redirected to various sites, or to a site called "scan-pc-now.com" which shows a fake AV scan in progress and runs a self renewing prompt to download the program which requires the Firefox.exe process to be shut down from Task Manager to escape. Often when clicking on a computer security website page with information about this, it will display a failure to connect notice, and block the page.

7.) I have tried running mbam, and DDS.scr but both programs encounter the same issue with #3 above, so I am unable to post a log file for HJT.

At first, I figured it was Antivirus 2009, but I can't find any of the telltale processes in Task Manager, nor any of the usual .exe and .dll's that it installs. So I am stumped.

Any help with ID'ing the source would be greatly appreciated.

Update: I have found Windows Antivirus Pro malware in the C:\Program Files directory, and the svchast.exe process in Task Manager. However, the W.A.P. program itself is not listed as running in the program list, and the WinAntiviusPro.exe process is not in the process list either.

In addition, the hostage process for W.A.P. that I am familiar with denies program access with ad screens informing you that you must buy the full product to remove the myriad fake infections. I have never heard of it producing "program too big to fit in memory" errors when trying to start a program, or redirecting links to random websites.

In any event, the typical removal methods are not working since stopping the svchast.exe process does nothing. I still cannot run in Safe Mode or use mbam or DDS.

I have tried downloading a fresh mbam setup and renaming it and using the Kaspersky Online Scanner, but the mbam still will not start (#3 above remains) and the browser crashes as soon as Kaspersky starts to load.

Resolution: I managed to download a fresh setup for mbam and renamed it. Then I used the right-click menu to select "run-as" and switched from the default user "Owner/Admin" to the "Other user" option. I typed in "Owner" and used the Admin account password, and MBAM finally ran. It found around 41 infections total, and after removing all of them the symptoms stopped.

I ran another mbam scan, a Bit-Defender deep scan, and a Spybot S&D scan, and all have come back clean. Still, this is an office computer, so I would really like to have someone look at my DDS log and confirm that it is clean. I spent about 12hrs trying to fix this thing last night. If there is something in this log that I am missing, I want to know about it before it becomes a problem.

Also, since hiring this woman 3 months ago, this computer we share has been heavily infected on 3 occasions while I am out of the office. I am running up to date copies of Bit-Defender and Spybot S&D. I would like to get a better idea of how this lady keeps getting these infections and what additional measures I can take to protect this machine. (i.e. one of the guys from corporate recommended SuperAnti-Spyware. How does it stack up to Sb-S&D?)

I can provide copies of the mbam log with the virus entries it removed.

Edited by aocvirek, 12 August 2009 - 06:19 PM.

BC AdBot (Login to Remove)


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,049 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:53 PM

Posted 27 August 2009 - 10:30 AM


I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/252821/probable-skynet-rootkit/

We do not allow more than one topic for the same computer and the same issue as this causes confusion, and in this case may make the disinfection process more difficult.

This leaves you with a choice:

1) Have this thread reopened and the HiJack This log topic deleted


2) Keep this thread closed and wait for assistance in the HiJack This log forum. Please note that that forum is VERY busy.

Please send a Private Message indicating your choice.

Assuming you wish assistance in the HiJack This forum, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond. Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users