antivirus system pro [Moved]


#1 kornhusker1

Posted 22 November 2009 - 09:40 AM

Please help!

I was trying to download and run the DDS to post the requested logs but malware will not let me get to www.bleepingcomputer.com!!! It redirects me to hxxp://osadwarekill2009.microsoft.com/block.php?r=59.5

"Internet Explorer warning- visiting this web site may harm your computer

Most likely causes: .........

What you can try:
-purchase antivirus system pro"

I am on our spare computer...

I also can not run MBAM! When I try to open it a small window opens "application cannot be executed. The file mbam.exe is infected. Do you want to activate your antivirus software now? yes no"

Thank you in advance for your help!
Please advise...


Also- Just noticed that a program "power shell 1.0" was recently installed...

Edited by Orange Blossom, 22 November 2009 - 12:05 PM.
Deactivated link. ~ OB

#2 Orange Blossom

Posted 22 November 2009 - 12:06 PM

As no logs have been posted, I am shifting this topic from the specialized HijackThis forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Do you have access to another computer?

Orange Blossom :thumbsup:

#3 kornhusker1

Posted 22 November 2009 - 12:39 PM

Yes I do have access to another computer. Thanks for your reply! I look forward to your help!

#4 PropagandaPanda

Posted 22 November 2009 - 03:30 PM

Hello kornhusker.

Before we continue, please give me some more information.

What operating system is the infected machine?
Do you have access to a removable drive that can be used to transfer files between the computers?

With Regards,
The Panda

#5 kornhusker1

Posted 22 November 2009 - 05:03 PM

Thanks Panda!

Windows XP Professional, and yes I do have a removable drive. I do seem to have access to the internet on the infected computer but it seems limited. I definitely can not get to www.bleepingcomputer.com!

#6 PropagandaPanda

Posted 22 November 2009 - 07:43 PM

Hello kornhusker.

On the clean computer, run Flash Disinfector to prevent infections from coming to the clean computer. Plug in the portable drive before continuing.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Download the following files onto the portable drive. Save both these files with the extension ".com", not ".exe". Plug the removable drive into the infected computer and follow the steps below.

Run RKill
Double click RKill.com to run it. A black command prompt window will open and close.

Run OTS
  • Double-click on OTS.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
Run Scan with GMER
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

Move all the logs back onto the removable drive.

Using the clean computer, post the logs in a new topic in the Malware Removal Forum.

When that is done, please post back into this topic with a link to the newly created topic.

With Regards,
The Panda

#7 kornhusker1

Posted 22 November 2009 - 11:19 PM

I tried running rkill. Unfortunately, the same screen pops up saying:
"application cannot be executed. The file rkill.com is infected. Do you want to activate your antivirus software now? yes no"

I also tried running OTS.

No luck... Can I try anything else?

#8 PropagandaPanda

Posted 23 November 2009 - 04:30 PM

Hello.

Please try those steps in Safe Mode.

With Regards,
The Panda

#9 kornhusker1

Posted 23 November 2009 - 06:56 PM

Thanks again for your reply Panda!

Unfortunately, I can not open windows in safe mode. I tried several times. It tells me that my username and password are incorrect (when they are not). However, I can open windows normally (not in safe mode) but can not open anything (not even a word document). I can go on the internet but it is limited as I described earlier.

Is there anything else I could try? This seems like a pretty bad virus!

Should I bother trying to move any of the documents to my flash drive or are they all infected?

Thanks for your help!

#10 PropagandaPanda

Posted 23 November 2009 - 07:13 PM

Hello kornhusker1.

Should I bother trying to move any of the documents to my flash drive or are they all infected?

Only move data files, such as text documents, music, pictures. Do not copy any program files.

Please try running those tools in normal mode again. This time, before running each, rename it to "svchost.exe".

Tell me how it goes.

With Regards,
The Panda
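The advice above, to carry only data files and never program files over to the flash drive, as an added Python example (not from the thread or its participants): it walks a folder, copies only files with document or media extensions, does not descend into the hidden autorun.inf folder Flash_Disinfector leaves behind, and refuses any "document" that actually begins with the MZ header of a Windows executable. The folder layout and file names are constructed for the demonstration.

```python
import os, shutil, tempfile

DATA_EXTENSIONS = {".txt", ".doc", ".docx", ".xls", ".pdf", ".jpg", ".png", ".mp3"}  # user data; .exe/.com/.scr/.dll etc. are skipped

def is_data_file(path):
    """True only if the extension is a data type AND the file lacks the 'MZ' executable header."""
    if os.path.splitext(path)[1].lower() not in DATA_EXTENSIONS:
        return False
    try:
        with open(path, "rb") as f:
            return f.read(2) != b"MZ"   # a program renamed to .doc still starts with MZ
    except OSError:
        return False

def copy_data_files(src_root, dst_root):
    """Copy qualifying files under src_root to dst_root; return sorted (copied, skipped) relative paths."""
    copied, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(src_root):
        # The hidden autorun.inf folder Flash_Disinfector creates holds no user data; do not descend.
        dirnames[:] = [d for d in dirnames if d.lower() != "autorun.inf"]
        for name in filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root).replace(os.sep, "/")
            if is_data_file(src):
                dst = os.path.join(dst_root, *rel.split("/"))
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(src, dst)
                copied.append(rel)
            else:
                skipped.append(rel)
    return sorted(copied), sorted(skipped)

def build_sample(root):
    """Constructed sample tree (hypothetical names) standing in for the infected machine's folders."""
    files = {
        "docs/notes.txt": b"shopping list\n",  # real document: copied
        "docs/setup.exe": b"MZ\x90\x00",       # program file: skipped by extension
        "docs/resume.doc": b"MZ\x90\x00",      # executable disguised as .doc: skipped by header
        "autorun.inf/x.txt": b"",              # inside the autorun.inf folder: never visited
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(os.path.join(tmp, "infected"))
        return copy_data_files(os.path.join(tmp, "infected"), os.path.join(tmp, "usb"))
```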

#11 kornhusker1

Posted 23 November 2009 - 07:46 PM

Thanks! I was able to run rkill now! :thumbsup: When I try to run OTS it gives me "range check error" and can not run the scan!

Also, looking ahead... I am unclear about the directions under run OTS:

"•Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt."

Do I do this from the infected computer?

As always-
Thank you

Edited by kornhusker1, 24 November 2009 - 06:57 AM.


#12 PropagandaPanda

Posted 24 November 2009 - 04:25 PM

Hello.

Knowing that RKill runs when renamed like that gives me a good indication of what infection this is. We'll require more powerful tools than permitted in this forum.

Please create a new topic in the Malware Removal Forum. Note in the topic that I asked you to create it, and include a link back to this topic.

When that is done, post into this topic also with a link to the other. I'll give you further directions then.

With Regards,
The Panda

#13 kornhusker1

Posted 24 November 2009 - 06:25 PM

Thanks so much! Here is the link as you requested! :thumbsup:

http://www.bleepingcomputer.com/forums/t/273742/antivirus-system-pro-rkill-only-runs-when-renamed/

#14 PropagandaPanda

Posted 24 November 2009 - 07:08 PM

Hello.

I have replied to the new topic. Please now post all replies there.

I'll ask for this topic to be closed.

With Regards,
The Panda
