
Fake AntiVirus?


27 replies to this topic

#1 xoxo_jennifer


Posted 15 March 2010 - 12:23 PM

So somehow I got this fake antivirus/fake Windows Security Center onto my computer. I've read the page on how to get rid of it, but I can't open MBAM or re-install it. Every time I try to open MBAM the antivirus thing pops up, and I have to go to Windows Task Manager to get rid of it. So I'm really unsure of what to do since MBAM isn't responding. Any help to solve this is appreciated =).


#2 hamluis


Posted 15 March 2010 - 12:36 PM

Is This what's on your system?

There are a number of these types of malware items, so you need to be specific as to which one is on your system...if you intend to get rid of it.

Louis

#3 garmanma


Posted 15 March 2010 - 01:38 PM

After you kill it in Task Manager, start a new task and type explorer.exe
Rename mbam.exe to mbam.com
Mark

#4 xoxo_jennifer


Posted 15 March 2010 - 01:42 PM

Is This what's on your system?

There are a number of these types of malware items, so you need to be specific as to which one is on your system...if you intend to get rid of it.

Louis


Yep, that is the one I am referring to. Sorry I wasn't specific.

#5 xoxo_jennifer


Posted 22 March 2010 - 11:38 AM

Uh, I'm not sure if my topic was forgotten or something ..
So I guess I'm bumping it.
The situation has just gotten worse. I can't seem to really open any program without it saying that it is missing, so I don't know what to do. Somehow I got on to the internet, but a lot of programs are just not working now.

#6 boopme


Posted 22 March 2010 - 01:39 PM

Hello, Garmanma has passed away. I am still trying to sort thru all his topics..
So have you used the GUIDE .... How to remove XP SecurityCenter (Removal Instructions) and do all the steps?

Is this an XP or Vista machine?

Can you post back the scan log?
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Are the errors a "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message?
Can you be more specific on this?
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 xoxo_jennifer


Posted 22 March 2010 - 02:29 PM

I'm sorry I would have been more patient if I had known.
It is an XP.
Every program I try to open I get an 'Open With' finder, and then I have to actually select it. MBAM will not open. I search it, click on it, then it says "Run-time error '440'". And then it just closes.
I'm currently doing a SUPERAntiSpyware search, so maybe that will help, I can see if I can post that log.

#8 boopme


Posted 22 March 2010 - 02:49 PM

No problem, you did not know.
If needed:
Runtime error 0 or 440
  • Please copy and paste the following text in the Code box exactly as written into notepad (not wordpad or any other text editor):

regsvr32 "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll"
regsvr32 "C:\Program Files\Malwarebytes' Anti-Malware\ssubtmr6.dll"
regsvr32 "C:\Program Files\Malwarebytes' Anti-Malware\vbalsgrid6.ocx"

  • Once you've done that click on File and select Save As...
  • In the Save dialogue box click on the drop down menu next to Save as type and select All Files
  • Name the file MBAM Fix.bat (the .bat extension is very important)
  • Save the file to your desktop and double click it to run it on XP. For Vista please right click on it and choose Run As Admin
  • Click OK to each of the 3 dialog boxes that should show a success message for each file registered
  • If you get an error that REGSVR32 "is not recognized as an internal or external command, operable program or batch file", then ensure that the file REGSVR32.EXE exists in the %WINDIR%\SYSTEM32 folder. If it's not found there you can copy it from another computer running the same operating system and service pack level.
If that doesn't fix it then please download and install the Microsoft Visual Basic Common Controls from HERE to see if it helps.
{Credit Tigger93 @MBAM}


If you still get the "what program do I want to open the file with" issue....
Go here to Doug Knox's Windows® XP File Association Fixes
Run the 9th one down on the left... EXE File Association Fix ... the EXE one, not the EML one.


First you MUST BACK UP the registry. This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start » Run and type: regedit
Click OK.
On the left side, click to highlight My Computer at the top.
Go up to File » Export
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click save and then go to File » Exit.

Or you can download and use ERUNT which is an excellent free tool that allows you to to take a snapshot (backup) of your registry before making changes and restore it when needed.

#9 xoxo_jennifer


Posted 24 March 2010 - 01:30 PM

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18241

23/03/2010 7:59:05 AM
mbam-log-2010-03-23 (07-59-05).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 513902
Time elapsed: 13 hour(s), 30 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\memman.vxd.vir (Rogue.sysCleaner) -> Quarantined and deleted successfully.

---

So I got MBAM working. I feel like I still do not have this virus completely off my computer though. In my Windows Task Manager there are processes running which I do not recognize. And I'm going to need help with all the program opening problems. I don't understand what to do =(.

#10 boopme


Posted 24 March 2010 - 02:22 PM

Hi, I know it is neither always simple nor easy to get rid of some malware. We still need to get more scan logs.

Your MBAM now needs an update and full scan.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select FULL scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.



Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

#11 xoxo_jennifer


Posted 25 March 2010 - 04:10 PM

MBAM doesn't seem to want to update. Every time I try I get the error "732 (12929, 0)" ...

#12 boopme


Posted 25 March 2010 - 04:16 PM

Ok, run the SAS first; it may kill more malware that is stopping MBAM. After that scan, post the SAS log and try MBAM again.

#13 xoxo_jennifer


Posted 25 March 2010 - 04:23 PM

Would you like me to do that in safe mode or normal?
If so, is it just SAS you want me to run first before any other program?
Sorry I just want to get this right.
*Just checked SAS, and it too will not update its definitions; it says to make sure my firewall isn't blocking SAS from updating .. -_-
Should I try uninstalling and re-installing these programs?

Edited by xoxo_jennifer, 25 March 2010 - 04:26 PM.


#14 boopme


Posted 25 March 2010 - 07:28 PM

Hi, we are having difficulty brought on by the malware. We need to get a scan; SAS would be best in safe mode, but if we have to, run in normal. If you can't update it, run it and it will still remove things.

Or we can uninstall and reinstall both, as the next fix for MBAM is that.
Run FixExe.reg .... click Run when the box opens


MBAM 732 error

This routine will confirm that Internet Explorer is set to the Online mode.
Click on START - RUN and Copy/Paste the following into the run line (On Vista you can use the Search line) and click OK

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v GlobalUserOffline /t REG_DWORD /d 0 /f


1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Run RKILL (see below)
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.


RKill....

Please download Rkill by Grinler and save it to your desktop. (Link 2, Link 3, Link 4)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way as the malware programs will start again.

Edited by boopme, 25 March 2010 - 07:30 PM.

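As an added example for the MBAM log in post #9 and the 732-error fix above (my own code, not from the thread or from Malwarebytes), a PowerShell audit of the four registry values involved: the three Security Center DisableNotify flags that MBAM reported as Bad: (1) Good: (0), and the GlobalUserOffline value that the REG ADD line resets. It only reads by default; the $Expected table and the -Repair switch are my construction, and -Repair needs an elevated prompt for the HKLM values.

```powershell
# Added example (not from the thread): audit the registry values touched by
# the MBAM log and the 732-error fix above, from a read-only stance.
# Assumed/constructed: the $Expected table and the -Repair switch are mine.
param([switch]$Repair)

# Each entry: key path, value name, and the value a healthy machine carries.
# Rogue "security center" software sets the DisableNotify flags to 1 so the
# real Security Center stops warning; GlobalUserOffline = 1 puts IE in
# "Work Offline" mode and breaks updaters such as MBAM's (the 732 error).
$Expected = @(
  @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='AntiVirusDisableNotify'; Good=0 },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='FirewallDisableNotify';  Good=0 },
  @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center'; Name='UpdatesDisableNotify';   Good=0 },
  @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';
     Name='GlobalUserOffline'; Good=0 }
)

function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Good)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Absent is the default state (notifications on / IE online), so it is OK.
        return [pscustomobject]@{ Path=$Path; Name=$Name; Actual='(absent)'; Good=$Good; Ok=$true }
    }
    $actual = [int]$item.$Name
    [pscustomobject]@{ Path=$Path; Name=$Name; Actual=$actual; Good=$Good; Ok=($actual -eq $Good) }
}

# Splat each table row into the function and collect one result per value.
$results = foreach ($e in $Expected) { Test-RegistryValue @e }
$results | Format-Table Name, Actual, Good, Ok -AutoSize

foreach ($r in $results | Where-Object { -not $_.Ok }) {
    # Same wording as the "Bad: (1) Good: (0)" lines in the MBAM log.
    Write-Warning ("{0}\{1} is Bad: ({2}) Good: ({3})" -f $r.Path, $r.Name, $r.Actual, $r.Good)
    if ($Repair) {
        # Same effect as the REG ADD ... /t REG_DWORD /d 0 /f line in this thread.
        Set-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Good -Type DWord
        Write-Host "Reset $($r.Name) to $($r.Good)"
    }
}
```

Run it once before a cleanup to see which flags the rogue changed, and again afterwards to confirm they stayed at 0 across a reboot.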

#15 xoxo_jennifer


Posted 30 March 2010 - 11:30 AM

Hi sorry it's taken me a while to respond.
I ran SAS in safe mode, and things went well. After the scan was done I restarted into normal mode, and I can now open programs again without the 'Open With ..' box popping up.

SUPERAntiSpyware Scan Log

Generated 03/26/2010 at 00:17 AM
Application Version : 4.24.1004
Core Rules Database Version : 4708
Trace Rules Database Version: 2520

Scan type : Complete Scan
Total Scan Time : 01:40:28

Memory items scanned : 164
Memory threats detected : 0
Registry items scanned : 7472
Registry threats detected : 3
File items scanned : 28013
File threats detected : 9

Rogue.AntivirusSoft
[ybngrhin] C:\DOCUMENTS AND SETTINGS\FAMILY2\LOCAL SETTINGS\APPLICATION DATA\MQHALD\JMJKSFTAV.EXE
C:\DOCUMENTS AND SETTINGS\FAMILY2\LOCAL SETTINGS\APPLICATION DATA\MQHALD\JMJKSFTAV.EXE
[ybngrhin] C:\DOCUMENTS AND SETTINGS\FAMILY2\LOCAL SETTINGS\APPLICATION DATA\MQHALD\JMJKSFTAV.EXE
HKU\S-1-5-21-2603718324-3241358993-1498607776-1015\Software\avsoft

Edited by xoxo_jennifer, 30 March 2010 - 11:31 AM.




