
Removing Vista Internet Security malware


  • This topic is locked
13 replies to this topic

#1 Otaku1031

Otaku1031

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Newark, CA
  • Local time:07:08 PM

Posted 20 February 2010 - 01:38 AM

Hi all,
One of my machines is infected with this bug. I followed the instructions on this site as to removal, but was unable to download the fixexe.reg file. The download window just sits there saying that it's "Getting File Information". I waited about an hour before giving up; is there another way to obtain this file?

BTW, running MalwareBytes (full scan) did not remove the bug. I assume this is because I was unable to obtain and install the fixexe.reg file. I did have to install the MalwareBytes program by means of a thumb drive. All help greatly appreciated!

Gary



#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:10:08 PM

Posted 20 February 2010 - 09:59 AM

I will ask and see if there is an alternate source or a work around
Mark

#3 Otaku1031

Otaku1031
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Newark, CA
  • Local time:07:08 PM

Posted 20 February 2010 - 03:25 PM

garmanma wrote: "I will ask and see if there is an alternate source or a work around"

Thanks, Mark. Much appreciated.

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,717 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:09:08 PM

Posted 20 February 2010 - 05:42 PM

Just tested and no problem downloading fixexe.reg

Do you have another computer you can download it from?

Alternatively, you can create the fixexe.reg file by copying the following text from the below codebox into a file called fixexe.reg:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]

[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]

[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[-HKEY_CLASSES_ROOT\secfile]


#5 Otaku1031


Posted 20 February 2010 - 06:36 PM

Thanks, Grinler. I feel like an idiot just now. Clicking the link doesn't work for me, but doing a "Save Target As" downloads the file. I'll post results of the MalwareBytes re-scan after installing the .reg file.

#6 Otaku1031


Posted 20 February 2010 - 11:07 PM

I installed the fixexe.reg file, but got an error msg about some of the registry keys being in use, so apparently not all of the file was written to the registry. I ran MalwareBytes again, but it did not remove the Vista Internet Security bug. Should I install the fixexe.reg file under Safe Mode and try MalwareBytes again?

Some additional info:
There are two different users on this machine. User A has the bug, user B does not. I have run MalwareBytes on both users.
In the Task Manager window, a file named av.exe shows up. I can stop the program, but it immediately re-starts. I'm assuming that this is the bug file executable, although there are likely a lot more files that it dropped on the drive. I can't find the location of this file, or any other properties for that matter.
The version of MalwareBytes that I'm using was last updated around the end of December 2009. Perhaps this version doesn't recognize the bug. Since it's a free copy, I can't update it, nor did it update itself after installation.

I'm about out of bullets - anyone got any advice? As always, all help is appreciated!

#7 Grinler


Posted 21 February 2010 - 09:02 AM

You can update the free version. It definitely won't find it if you do not update it.

#8 Otaku1031


Posted 21 February 2010 - 11:02 AM

There is an "Update" button on the Update tab screen, but it's grayed out and does nothing. There was no indication of an update being run following installation, and the last update is indicated as around late December.
Should I re-install MalwareBytes and see if it updates? Perhaps the update function is being blocked by the bug?

#9 Grinler


Posted 21 February 2010 - 01:40 PM

Yes, download and reinstall the latest version of mbam. It will come with the latest definitions.

#10 Otaku1031


Posted 21 February 2010 - 02:05 PM

Thanks again, Grinler. The version I used a couple of days ago was 1.43; I now have 1.44. Regarding my previous note about getting an error msg when installing the fixexe.reg file, do you think there are any issues there? Here's what happened:

I installed the fixexe.reg file, but got an error msg about some of the registry keys being in use, so apparently not all of the file was written to the registry.

I'll post results of the next MalwareBytes scan. Thanks for your help!

#11 adam_mizer

adam_mizer

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 21 February 2010 - 02:21 PM

The fixreg didn't work for me either!

It seems a manual edit of the registry worked best.
I still have one issue, but if you make the manual entry in the registry your problems should be fixed.
Grinler can you write down steps for manual entry?
I can't fully understand what fixexe.reg would exactly write in there????
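
As an added illustration for the question above (not part of any post in this thread and not BleepingComputer's own tooling): a small Python parser that lists the changes the fixexe.reg text from reply #4 asks the registry to make. The function names and the scope labels are assumptions of this example.

```python
import re

# Text of fixexe.reg, copied from reply #4 of this thread.
FIXEXE_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]

[-HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]

[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[-HKEY_CLASSES_ROOT\secfile]
"""

SECTION = re.compile(r'^\[(-?)(.+)\]$')
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def scope(key):
    """HKCU applies to the logged-on user only; HKCR is the merged per-user + machine view."""
    hive = key.split("\\", 1)[0]
    return {"HKEY_CURRENT_USER": "current user only",
            "HKEY_CLASSES_ROOT": "merged classes view"}.get(hive, hive)

def reg_operations(text):
    """Return (action, key, value_name, data, scope) for each change a .reg file requests."""
    ops, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION.match(line)
        if m:
            key = m.group(2)
            if m.group(1):                      # "[-key]" deletes the key and its subkeys
                ops.append(("delete-key", key, None, None, scope(key)))
                key = None
            continue
        m = VALUE.match(line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1).strip('"')
            data = m.group(2)
            action = "delete-value" if data == "-" else "set-value"   # "name"=- removes a value
            ops.append((action, key, name, data.strip('"'), scope(key)))
    return ops

if __name__ == "__main__":
    for op in reg_operations(FIXEXE_REG):
        print(op)
```

The HKEY_CURRENT_USER entries are written to the hive of whichever account imports the file, so those two deletions only take effect for the user who is logged on at the time.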

#12 Otaku1031


Posted 21 February 2010 - 09:50 PM

I ran the full scan with MalwareBytes ver. 1.44, but the bug is still on the machine. In Task Manager I can see a process running called av.exe *32. When I shut this down, it immediately reloads about 10 instances of that process. I can't find the file on the hard drive.
I'm about ready to format the drive and start from scratch.

Has the MalwareBytes 1.44 solution worked for anyone else on this forum? If so, can you describe the exact sequence of events that resulted in successfully removing this bug?

#13 Otaku1031


Posted 22 February 2010 - 12:58 AM

Update:
I ran the MalwareBytes 1.44 under Safe Mode - no change, the bug still lives. A bit of info that I didn't post earlier that may be relevant: when loading the infected user settings, I get two error msgs -

"Error loading C:\Windows\system32\NvMcTray.dll. The module cannot be found."
and
"Error loading C:\Windows\system32\NvCpl.dll. The module cannot be found."

These msgs do not show up when loading the non-infected user settings. Could this be part of the problem?

#14 Grinler


Posted 22 February 2010 - 04:55 PM

Follow these steps and pm me a link to the topic:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

I am closing this topic as I will help you there so I can gather some samples.



