
Antivirus Pro 2010 Infection & its resolution



#1 Ali Jan

Ali Jan


Posted 01 October 2009 - 01:03 PM

Hello, I have been visiting this forum in the past (usually via Google) and have always found it very useful in resolution of any computer related problems. This is my first post!

My OS is XP Service Pack 3 with the latest AVG, an updated Malwarebytes' Anti-Malware, Ad-Aware Anniversary Edit and the COMODO firewall.

Yesterday, while I was browsing on my laptop, it suddenly restarted on its own, and when it powered on again it installed Antivirus Pro 2010 (a fake antivirus, which is spyware). At the same time AVG detected a Generic14 Trojan B** and sent it to the virus vault.

Antivirus Pro 2010 immediately started giving fake Windows-like popup balloons about my antivirus being ineffective and saying that I should allow Antivirus Pro 2010 to scan my computer. I disconnected my LAN from the internet immediately and ran Malwarebytes' Anti-Malware, which removed the malicious software; however, I had to use some manual steps as well (see below). The log of the first MBAM scan is here:

Malwarebytes' Anti-Malware 1.41
Database version: 2874
Windows 5.1.2600 Service Pack 3

30/09/2009 13:07:10
mbam-log-2009-09-30 (13-07-10).txt

Scan type: Quick Scan
Objects scanned: 99219
Time elapsed: 5 minute(s), 36 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 13

Memory Processes Infected:
C:\Documents and Settings\Ali Jan\Application Data\seres.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\Ali Jan\Application Data\svcst.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus pro 2010 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg214-k641-12sf-n85p (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mserv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ali Jan\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ali Jan\Application Data\lizkavd.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ali Jan\Local Settings\Temporary Internet Files\Content.IE5\R30FVPKZ\loaderadv563[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.cfg (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ali Jan\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ali Jan\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ali Jan\Application Data\seres.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ali Jan\Application Data\svcst.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ali Jan\Desktop\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ali Jan\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.


======

When I restarted the computer and ran MBAM in full scan mode again, it detected one persisting trojan:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent)

It would get quarantined and deleted successfully at the end of the scan, only to reappear after each computer restart.

I then cleaned my computer of all temp files etc via CCleaner in an attempt to get to the source of the infection. Also turned off restore.

I also checked my HijackThis! log but didn't notice anything new.

However, I did notice five or six very suspicious-looking .exe files in C:\ and in the ...Windows\Temp, Documents & Settings\Temp, Documents & Settings\Application Data and ...Windows\System32 folders (the modified time was the same as the time of the virus attack, so I figured they were somehow connected; however, neither AVG nor MBAM was detecting them as a virus). << ** In hindsight, I could also have found all these files by carrying out an advanced Windows search for any files modified at the time of the malicious forced install.

One was called 288.exe, another was ~~.exe and the third was 551.exe (ranging between 80 and 90 KB in size). **Some .db files with unusual names remained, but I did not delete those.**

After manually deleting the .exe files (they were not locked), I restarted the computer, this time in safe mode, and then ran MBAM again. During the scan a window saying "explorer has encountered a problem bla bla" opened repeatedly, which I closed every now and then to allow the scan to complete.

The scan detected HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) and this time cleared it for good.

Since yesterday my laptop has been running well (I ran the online Windows Live OneCare scan and also Microsoft's Malicious Software Removal Tool without finding anything significant), so I can now be assured that it's virus free.

So my advice for all those who are affected is to be sure to run MBAM in safe mode and to delete those files manually (the ones with matching dates) to ensure all remnants are rooted out, as this Antivirus Pro 2010 is one extremely annoying and resistant pest.

Thought I'd share my experience on this forum, might come in useful to somebody :thumbsup:

Cheers and thanks for reading.

Ali Jan
Pakistan

Edited by Ali Jan, 02 October 2009 - 08:12 AM.
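The post above describes two things worth checking after a rogue-AV infection: the Winlogon\taskman autostart value that kept coming back, and executables whose modification time matches the moment the installer appeared. Below is an added, read-only triage script (not from the original post or from Malwarebytes) that reports both; it assumes it is run as an administrator, and the $InfectionTime default is a constructed sample value that you replace with the time the popups started.

```powershell
# Added example, not part of the original post: report-only triage of the
# autostart locations and file locations named in the post. Nothing is deleted.
# Assumptions: run as administrator; $InfectionTime is a constructed sample.
param(
    [datetime]$InfectionTime = [datetime]'2009-09-30 12:55:00',
    [int]$WindowMinutes = 15
)

# 1. Autostart keys MBAM flagged in the post. The Winlogon 'Taskman' value is
#    normally absent on a clean system, so any value there deserves a look.
$autostart = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$winlogonOfInterest = @('Taskman', 'Shell', 'Userinit')
foreach ($key in $autostart) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        if ($key -like '*Winlogon' -and $winlogonOfInterest -notcontains $p.Name) { continue }
        '{0}\{1} = {2}' -f $key, $p.Name, $p.Value
    }
}

# 2. Executables whose last-write time falls inside the window around the
#    infection, in the folders the post names (RECYCLER is searched recursively
#    because the flagged files sat in a SID-named subfolder).
$folders = @(
    "$env:SystemDrive\",
    "$env:windir\Temp",
    $env:TEMP,
    $env:APPDATA,
    "$env:windir\System32",
    "$env:SystemDrive\RECYCLER"
)
$start = $InfectionTime.AddMinutes(-$WindowMinutes)
$end   = $InfectionTime.AddMinutes($WindowMinutes)
foreach ($dir in $folders) {
    if (-not (Test-Path $dir)) { continue }
    $recurse = ($dir -like '*RECYCLER*')
    Get-ChildItem -Path $dir -Filter *.exe -Force -Recurse:$recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end } |
        Select-Object FullName, Length, LastWriteTime
}
```

A file that shows up here is a candidate for closer inspection (quarantine with MBAM, hash lookup), not proof of infection; legitimate installers and Windows Update also write executables into some of these folders.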

