Malware Antisoft Virus Registry Changes


6 replies to this topic

#1 Ryabolan

  • Members
  • 4 posts

Posted 23 February 2010 - 10:07 PM

Hi
I am new to the forum and hope I am not wasting your time or posting in the wrong place.

I have just spent 2 days struggling through the removal of an Antisoft Virus malware infestation (one of those that produces fake virus alerts to make you buy their product, but also wrecks a few registry settings to expose your system).

I spent hours searching through registry settings comparing them to a clean system, and a couple that came up (that weren't listed in help guides I had seen) were:

THE FIRST ONE DOES SHOW IN REMOVAL GUIDES SORRY - THE SECOND DOES NOT
1/ lowriskfiletypes (spelling might be wrong but search registry on lowrisk and it will come up) .exe
2/ disallowed publisher sites were copied into trusted publisher sites Certificates for (I think) HKCU or HKLM. Search on trusted and you can then expand the tree to show Certificates.

Not very technical I am afraid, but Nortons and Malwarebytes found the infestation and removed it - these were extra hidden bits that might help someone else remove the infection better.

Edited by Ryabolan, 24 February 2010 - 03:30 AM.
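A way to check a machine for the two items described in this post, as an added example (PowerShell, not code from the original thread or from any removal guide). It assumes Windows PowerShell 3.0 or later with the Cert: and HKCU:/HKLM: providers; the store names (TrustedPublisher, Disallowed) and the Attachment Manager registry path for LowRiskFileTypes are the standard Windows locations, and the function names are my own.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell 3.0+.
# Run once as the affected user (CurrentUser/HKCU) and once elevated (LocalMachine/HKLM).

function Get-TrustedPublisherOverlap {
    # A certificate present in both TrustedPublisher and Disallowed in the same
    # scope is the pattern the post describes: a publisher the system explicitly
    # distrusts has also been granted publisher trust. Compare by thumbprint,
    # not by the display name shown in certmgr.msc.
    foreach ($scope in 'CurrentUser', 'LocalMachine') {
        $trusted    = @(Get-ChildItem "Cert:\$scope\TrustedPublisher" -ErrorAction SilentlyContinue)
        $disallowed = @(Get-ChildItem "Cert:\$scope\Disallowed"        -ErrorAction SilentlyContinue)
        $banned = @{}
        foreach ($c in $disallowed) { $banned[$c.Thumbprint] = $true }
        foreach ($c in $trusted) {
            if ($banned.ContainsKey($c.Thumbprint)) {
                [pscustomobject]@{
                    Scope      = $scope
                    Subject    = $c.Subject
                    Thumbprint = $c.Thumbprint
                    NotAfter   = $c.NotAfter
                }
            }
        }
    }
}

function Get-LowRiskFileTypes {
    # Attachment Manager "inclusion list for low file types". Listing .exe here
    # removes the open-file security warning for downloaded executables.
    $dangerous = '^\.(exe|com|scr|pif|bat|cmd|vbs|vbe|js|jse|wsf|hta|msi|dll)$'
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
        $raw = (Get-ItemProperty -Path $key -Name LowRiskFileTypes -ErrorAction SilentlyContinue).LowRiskFileTypes
        if (-not $raw) { continue }
        $types = @($raw -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        [pscustomobject]@{
            Hive      = $hive
            Types     = ($types -join ';')
            Dangerous = (@($types | Where-Object { $_ -match $dangerous }) -join ';')
        }
    }
}

$overlap = @(Get-TrustedPublisherOverlap)
if ($overlap.Count) {
    'Disallowed certificates that are also in TrustedPublisher:'
    $overlap | Format-Table -AutoSize
} else {
    'No Disallowed certificate is also present in TrustedPublisher.'
}

$lowRisk = @(Get-LowRiskFileTypes)
if ($lowRisk.Count) {
    'LowRiskFileTypes is set (default is unset):'
    $lowRisk | Format-Table -AutoSize
} else {
    'LowRiskFileTypes is not set.'
}
```

Two caveats when reading the output. The Disallowed store is populated by Microsoft on a clean system too, so its contents alone are not a finding; the overlap with TrustedPublisher is. And a non-empty LowRiskFileTypes value is only a finding if nobody on the machine set it deliberately, which is why the script prints the whole list and separately calls out the executable extensions. To remove an offending TrustedPublisher entry, the standard tool is certutil (`certutil -user -delstore TrustedPublisher <thumbprint>` for the user store, the same without `-user` from an elevated prompt for the machine store); deleting the LowRiskFileTypes value restores the default warning.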


#2 boopme

  • Global Moderator
  • 73,231 posts

Posted 23 February 2010 - 10:26 PM

Hello, I will move this from XP to the Am I Infected forum, as you are.

Please follow the Automated Removal Instructions for Antivirus Soft using Malwarebytes' Anti-Malware: from our guide here
Remove Antivirus Soft (Uninstall Guide)

Post back the scan log and tell me how it's doing now.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

#3 Ryabolan

  • Topic Starter
  • Members
  • 4 posts

Posted 23 February 2010 - 11:59 PM

"Hello I will move this from XP to the Am I Infected forum as you are"

I have already followed that guide and used the kill program, MBAM (and Norton's for good luck), and think that I have knocked the virus part out. Thanks for your advice though - I will run MBAM and post the results as you suggest because I really am not a technical expert.

I still found those changed registry items after I'd done all that I could find to do - and I thought it might be useful back on the XP forum because if the entries remain after the cleanout many users will be thinking they have a safe system when they are still vulnerable.

EDIT: Original post above corrected. My apologies - only one of the things I'd raised was excluded from the removal guides: the part about it copying Disallowed Publishers into the Trusted Publishers list.

Cheers

Ryabolan

Edited by Ryabolan, 24 February 2010 - 03:33 AM.


#4 Ryabolan

  • Topic Starter
  • Members
  • 4 posts

Posted 24 February 2010 - 03:28 AM

Summary of infection:
I started receiving the Antisoft Virus alerts when I was browsing and watching online TV broadcasts and after a short time of panicking trying to work out how to stop everything I held the power button on my computer to shut it down. I pulled my network cable out then started up a clean PC on my home network to investigate.

I found instructions on how to get rid of it (not the best ones initially) and I tried a heap of things that had some effect. I am afraid I am not very clear on all that I did and the order, but here is my best go at it:

I restarted offline in Safe Mode, ran Nortons Internet Security scan, then stopped it part way through when I found another site telling me I should run the RKill tool first to stop the malware. The result was a partial scan reporting some infections as removed (2xTrojan.FakeAV). I then downloaded the MBAM setup file onto a flash drive and copied it to the infected desktop, turned off my safe PC, reconnected my infected one and rebooted in Safe Mode again. I ran the MBAM setup, updates and scan - although I think I ran it just in Safe Mode not Safe Mode with Networking so it didn't find my User files. It reported a couple of error files which I asked it to fix. I then rebooted in Safe Mode with Networking and ran the MBAM again - finding another few infected files and again asking it to fix them. Finally I ran Norton's Internet Security full system scan all the way through and it found the last of the infected files that I have uncovered.

Both MBAM and Nortons now come up clean.

My Display options got messed up somewhere throughout this (maybe the Safe Mode doesn't include Themes), as did my Windows Internet Security - the Security Centre, Windows Defender and Windows Firewall wouldn't start. After a lot more searching I found ways to restart (and in some cases re-enable) necessary Services and got them going.

I have stepped through a lot of Registry settings using online guides and comparing with a clean PC at home and found and fixed a number of entries.

Finally, I have run the Preparing for Removal and Removing processes from your website as you suggested.

I AM INCLUDING THE 2 INFECTION MBAM LOGS, AND MOST RECENT CLEAN ONE BELOW - if you need any of the DDS or ARK logs from the DDS and GMER steps I have them on my desktop ready, but I'll save you from them for now.

Thanks for your response above and I appreciate it may take some time for you to get a look at this - but thanks in advance for your effort.

MBAM RUN 1
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

22/02/2010 9:42:49 PM
mbam-log-2010-02-22 (21-42-49).txt

Scan type: Quick Scan
Objects scanned: 140247
Time elapsed: 18 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

MBAM RUN 2
Malwarebytes' Anti-Malware 1.44
Database version: 3774
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

22/02/2010 9:59:05 PM
mbam-log-2010-02-22 (21-59-05).txt

Scan type: Quick Scan
Objects scanned: 147347
Time elapsed: 12 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rtjkefpn (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rtjkefpn (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

MBAM CLEAN RUN 3
Malwarebytes' Anti-Malware 1.44
Database version: 3782
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

24/02/2010 5:25:02 PM
mbam-log-2010-02-24 (17-25-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 246718
Time elapsed: 40 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
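The MBAM logs above name two further artefacts worth re-checking after the tools report clean: the Security Center "DisableNotify" data items from run 1 and the matching Run-key value (rtjkefpn) in both HKLM and HKCU from run 2. The following is an added example (PowerShell, not code from the original thread or from Malwarebytes) that audits both. It assumes Windows PowerShell 3.0 or later on the cleaned machine; the registry paths are the standard Security Center and Run-key locations, the heuristics (same value name in both hives, image under a user-writable directory, image file missing after cleanup) and the function names are mine, and UpdatesDisableNotify is added as the third member of the same family that MBAM did not report here.

```powershell
# Added example, not part of the original post. Assumes Windows PowerShell 3.0+.
# Run from an elevated prompt so both HKLM and the current user's HKCU are readable.

function Get-SecurityCenterNotifyFlags {
    # A value of 1 suppresses the Security Center warning for that component.
    # MBAM run 1 above reported AntiVirusDisableNotify and FirewallDisableNotify
    # as "Bad: (1) Good: (0)"; UpdatesDisableNotify is the third flag in the set.
    $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
        $v = if ($props) { $props.$name } else { $null }
        [pscustomobject]@{ Name = $name; Value = $v; Suppressed = ($v -eq 1) }
    }
}

function Get-ImagePath([string]$command) {
    # Pull the executable out of a Run value: a quoted path, else the first token.
    $cmd = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-RunKeyEntries {
    # Autostart values under the per-machine and per-user Run keys, annotated
    # with the three heuristics described in the lead-in.
    $meta     = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $userDirs = '\\Documents and Settings\\|\\Users\\|\\Temp\\|\\Application Data\\|\\AppData\\'
    $byName   = @{}
    $entries = foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # provider metadata, not a Run value
            $image = Get-ImagePath ([string]$p.Value)
            $byName[$p.Name] = 1 + [int]$byName[$p.Name]
            [pscustomobject]@{
                Hive     = $hive
                Name     = $p.Name
                Command  = [string]$p.Value
                Image    = $image
                Exists   = [bool]($image -and (Test-Path -LiteralPath $image))
                UserPath = [bool]($image -match $userDirs)
            }
        }
    }
    foreach ($e in $entries) {
        $e | Add-Member -NotePropertyName InBothHives -NotePropertyValue ($byName[$e.Name] -gt 1) -PassThru
    }
}

'Security Center notification flags (Suppressed = True needs resetting to 0):'
Get-SecurityCenterNotifyFlags | Format-Table -AutoSize

'Run-key entries matching at least one heuristic:'
Get-RunKeyEntries |
    Where-Object { $_.InBothHives -or $_.UserPath -or -not $_.Exists } |
    Format-Table Hive, Name, Image, Exists, UserPath, InBothHives -AutoSize
```

The heuristics are deliberately loose and produce candidates, not verdicts: a legitimate entry that references a bare executable name resolved through PATH shows Exists = False, and a few vendors do install under Application Data. What should not survive a cleanup is an entry present in both hives under a random-looking name whose image lives in a user directory or is already gone. A suppressed Security Center flag is put back with `Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -Name AntiVirusDisableNotify -Value 0` (and likewise for the other two), which is the same change MBAM logged as "Good: (0)".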

#5 boopme

  • Global Moderator
  • 73,231 posts

Posted 24 February 2010 - 11:06 AM

Hi, that was good. I suspect some more, so we need to run maybe 2 more tools.

Next run ATF and SAS. If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
  • Click the Empty Selected button.
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#6 Ryabolan

  • Topic Starter
  • Members
  • 4 posts

Posted 25 February 2010 - 01:06 AM

Thanks again for your time and effort.

Here is the log file from SUPERAntiSpyware run in Safe Mode (as opposed to Safe Mode with Networking):

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/25/2010 at 02:56 PM

Application Version : 4.34.1000

Core Rules Database Version : 4618
Trace Rules Database Version: 2430

Scan type : Complete Scan
Total Scan Time : 03:07:55

Memory items scanned : 241
Memory threats detected : 0
Registry items scanned : 6701
Registry threats detected : 0
File items scanned : 110705
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Robert\Cookies\robert@videoegg.adbureau[2].txt

I have had no trouble with my PC since I got the clean MBAM and Norton results further up the message history - it will only be something hidden that makes me vulnerable without my knowledge now I think (hope anyway). Norton's removes Tracking Cookies every time I run it - one of the downsides of having grandchildren playing free online games.

Regards

Ryabolan

#7 boopme

  • Global Moderator
  • 73,231 posts

Posted 28 February 2010 - 05:19 PM

You're welcome. If all's good here then...

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.