Anti Virus System Pro Infection


#1 kotch

  • Members
  • 4 posts

Posted 28 November 2009 - 12:31 PM

Hello,

I am having problems due to a system called Anti Virus System Pro (blue shield logo) that recently infected my computer, causing pop-ups that report various attacks and prevent me from browsing the internet as well as running programs to remove the infection.


Information about my Anti Virus System Pro Infection

Pop Ups
Security Warning (Grey Box in the middle of the screen) – "Application cannot be executed. The file mcshield.exe is infected. Do you want to activate your antivirus software now?"

Windows Security Alert (Bottom Right from Shield logo) – "Application cannot be executed. The file mcupdate.exe is infected. Do you want to activate your antivirus software now?"

Antivirus System Pro alert (Bottom Right of screen) - The "Attack" numbers change each time, but BankerFox.A stays the same.
"Details
Attack from: 155.145.239, port 53750
Attack port: 38995
Threat: BankerFox.A

Infiltration Alert
Your computer is being attacked by an Internet Virus. It could be a password-stealing attack, a Trojan – dropper or similar."


Internet
When I open a new window I am always directed to - http://sysguard2010.microsoft.com/block.php?r=57.2
Randomly new windows will open for viagra.com and porn.com

Removal Attempts
I am not able to open "Add or Remove Programs" in the Control Panel. I get a Security Warning, as mentioned above, that reads "...application "rundl32.exe" is infected."

Inherit, Fixtm and Anti-Malware programs are all blocked with a Security Warning pop-up as mentioned above. My roommate has used the programs (which they got from BleepingComputer) before to clean their computer.

Thanks in advance for any assistance.

kotch

#2 xblindx

  • Banned
  • 1,923 posts

Posted 28 November 2009 - 02:41 PM

You may read the removal guide from BC here

But I will help to outline the steps for you.

1) Download rkill
2) Run rkill.com by double clicking its icon

While rkill is running, if you get a message stating that rkill, or another executable, is an infection, ignore it, and let rkill.com finish. This is just the infection trying to stop rkill from disabling it. Please note, you may have to attempt to run rkill quite a few times before the malware process is terminated.

3) Download MBAM from here and save to your desktop
4) Install MBAM using the default options, being sure to leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware boxes checked. If MBAM asks you to reboot your computer, please do NOT do so.
5) MBAM will open automatically and should start downloading updates automatically.
6) Once the updates are downloaded perform a quick scan
7) After the scan, click the show results button
8) Make sure all the infections are checked and then click on the Remove Selected button to remove all the listed malware.

MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

9) A scan log will open in notepad, review it and post it here if you like, and then close the window.

You should now be clean :thumbsup:
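The steps above rely on rkill to terminate the rogue before MBAM can run. As an added triage example (not part of the thread, and not rkill's or MBAM's own code), the PowerShell below shows what a responder would check by hand on a machine with the symptoms in post #1: which running processes are unsigned or live in a user-writable directory, whether the .exe file association has been redirected, and whether the browser redirect is being driven by the hosts file or a forced proxy. Everything it assumes about the malware's mechanism (an unsigned process in a profile directory, an exefile\shell\open\command hijack, a hosts or proxy entry for sysguard2010.microsoft.com) is an assumption, not something the page states; only the redirect host name itself comes from the post.

```powershell
# Added triage script; not from the original thread or from rkill/MBAM.
# Run from an elevated PowerShell prompt on the affected machine BEFORE the
# cleaners, to see what is blocking them. Works on PowerShell 2.0 and later.
#
# Assumptions (not stated on the page): the rogue is an ordinary unsigned
# process in a user-profile or temp directory, and it blocks other programs
# by hijacking the .exe file association in HKEY_CLASSES_ROOT.

$RedirectHost = 'sysguard2010.microsoft.com'   # redirect target quoted in post #1

# 1. Running processes that are unsigned or run from a user-writable path.
#    Review the list by hand; do not kill blindly. mcshield.exe, for example,
#    is McAfee's real scanner, not the malware the fake alert names.
function Get-SuspectProcess {
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.Path
        $userDir = $_.Path -match '\\Documents and Settings\\|\\Users\\|\\Temp\\'
        if ($sig.Status -ne 'Valid' -or $userDir) {
            New-Object PSObject -Property @{
                Name      = $_.ProcessName
                Id        = $_.Id
                Path      = $_.Path
                Signature = $sig.Status
                UserDir   = $userDir
            }
        }
    }
}

# 2. The .exe file association. A clean XP/Win7 system launches executables
#    through   "%1" %*   ; a rogue that wants to intercept every program you
#    start (the "Application cannot be executed" box) points this at itself.
function Test-ExeAssociation {
    $key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $cmd = (Get-ItemProperty -Path $key).'(default)'
    if ($cmd -ne '"%1" %*') {
        Write-Warning "exe association hijacked: $cmd"
        return $false
    }
    return $true
}

# 3. Browser redirect plumbing: a hosts-file entry for the redirect host, or a
#    proxy forced into the WinINET settings that every IE-based browser honours.
function Test-Redirect {
    $clean = $true
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $hit   = Select-String -Path $hosts -Pattern $RedirectHost -SimpleMatch
    if ($hit) {
        Write-Warning "hosts file maps the redirect host: $($hit.Line)"
        $clean = $false
    }
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($inet.ProxyEnable -eq 1) {
        Write-Warning "proxy forced on: $($inet.ProxyServer)"
        $clean = $false
    }
    return $clean
}

Get-SuspectProcess | Format-Table Name, Id, Path, Signature, UserDir -AutoSize
[void](Test-ExeAssociation)
[void](Test-Redirect)

# Once the rogue's process is identified in the table above, stop it and then
# run rkill and MBAM exactly as in the steps above:
#   Stop-Process -Id <pid> -Force
```

A hijacked exefile association is also why rkill is distributed as rkill.com rather than as an .exe: a .com file is launched through a different association, so the rogue's "file is infected" block never fires for it. If Test-ExeAssociation reports a hijack, restoring the value to `"%1" %*` is usually enough to let the cleaners run, but keep the suspect-process list for the log you post back to the thread.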

#3 kotch
  • Topic Starter

  • Members
  • 4 posts

Posted 01 December 2009 - 08:45 PM

I was able to use the internet after RKill and MBAM ran, but got random windows opening for "wallstreet8news" or something. I reran MBAM and McAfee, but neither identified any infections. I shut the computer down one night and now it won't boot up. I am getting a black screen with white letters:

We apologize for the inconvenience, but Windows did not start successfully. A recent hardware or software change might have caused this.
If your computer stopped responding, restarted unexpectedly, or was automatically shut down to protect your files and folders, choose Last Known Configuration to revert to the most recent settings that worked.

If a previous startup attempt was interrupted due to a power failure or because the Power or Reset button was pressed, or if you aren’t sure what caused the problem, choose Start Windows Normally.

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration (your most recent settings that worked)
When I select one of the three options above, a screen appears with lines of code reading:
Multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\System32\DRIVERS\ - a bunch of different codes

Start Windows Normally

Use the up and down arrow keys to move the highlight to your choice.
Seconds until Windows starts: 30 second count down

After the 30 seconds expires the Microsoft Windows XP screen pops up, then Dell screen pops up and then it goes right back to the "We apologize.." message.


I am not able to see my desktop to load the results in the note pad log.

Thanks,
kotch

Edited by kotch, 01 December 2009 - 08:47 PM.


#4 Computer Pro

  • Members
  • 2,448 posts

Posted 01 December 2009 - 08:48 PM

Have you tried Last Known Good Configuration?
Computer Pro

#5 kotch
  • Topic Starter

  • Members
  • 4 posts

Posted 01 December 2009 - 09:39 PM

Yes, I have tried all four of the options.

When I select any of the options in blue I get a screen full of code that all start with "Multi(0)," but end with different code. The screen is not up long enough for me to write them all down.

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration (your most recent settings that worked)


Screen of code:
"Multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\System32\DRIVERS\..." - a bunch of different codes

The computer will continuously cycle over and over again. I don't know how to get it to reboot and stop displaying the "We apologize..." screen. It's driving me crazy. :thumbsup:

#6 xblindx

  • Banned
  • 1,923 posts

Posted 02 December 2009 - 05:21 PM

You may want to post a new topic in the appropriate Operating System thread, with a link to this topic.
