
Hit with Antivirus Soft, maybe other trojans. Help!


10 replies to this topic

#1 ClaraZ


Posted 24 March 2010 - 08:16 PM

Hi, I've visited BleepingComputer over the past three weeks frequently as I attempt to debug my computer. After I've tried the easy stuff, I decided to get direct help. Here's the story:
I have an Acer Aspire 5516 with Windows Vista Home Basic, 32-bit, with Service Pack 1. I am the only user, and I believe I have administrative control.

A few weeks ago I had a rogue antispyware program pop up on me - which I immediately suspected as bad news. I foolishly clicked on my task bar's popup thinking it was my own antivirus alerting me. When I realized it wanted me to pay to remove things, I knew it was a bug! Warnings, IE popups, and trouble with Task Manager were showing, consistent with Antivirus Soft. I tried to install AdAware and it prevented me. Instead, I got AdAware on a CD from a friend, booted my computer up and tried to install. Of course the bug tried to prevent this. I rebooted and the second I logged in, I pulled up Task Manager. From there I looked at my processes and recognized one I had never seen: QVIJSFTAV.EXE. I promptly terminated this and then was able to install AdAware. Of course, I couldn't update it, but it did find a few things which it attempted to repair. I haven't had the telltale AntivirusSoft issues since then.
AdAware Scan Statistics gave the following:
Cookies - 7 of them found and all removed.
Win32.Trojan.Fraudpack - Malware - Quantity Found = 2, TAI = 10, Both were quarantined


Additional eyebrow raiser: I don't ever remember Windows Defender running on my computer until this all hit. Now it always runs but I didn't even know what it was until I saw the icon in my task bar. The process running is MSASCui and it checks out as a Defender file.

I then scanned with my Avast 4.8 and it came up with nothing. I upgraded to Avast 5.0. That found nothing.
I suspected something was up and then downloaded Superantispyware. Here's that log:
Application Version : 4.34.1000

Core Rules Database Version : 4596
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 00:41:19

Memory items scanned : 838
Memory threats detected : 0
Registry items scanned : 7051
Registry threats detected : 2
File items scanned : 24160
File threats detected : 6

Rogue.AntivirusSoft
[cwwbient] C:\USERS\CLARA ROSE\APPDATA\LOCAL\MDGKKT\QVIJSFTAV.EXE
C:\USERS\CLARA ROSE\APPDATA\LOCAL\MDGKKT\QVIJSFTAV.EXE
HKU\S-1-5-21-3025230197-1300459986-1840717630-1000\Software\avsoft

Adware.Tracking Cookie
C:\Users\Clara Rose\AppData\Roaming\Microsoft\Windows\Cookies\clara_rose@www.windowsmedia[2].txt
C:\Users\Clara Rose\AppData\Roaming\Microsoft\Windows\Cookies\clara_rose@atdmt[2].txt
C:\Users\Clara Rose\AppData\Roaming\Microsoft\Windows\Cookies\Low\clara_rose@ads.cnn[1].txt
C:\Users\Clara Rose\AppData\Roaming\Microsoft\Windows\Cookies\Low\clara_rose@revsci[2].txt

Trojan.Agent/Gen
C:\WINDOWS\MPLAYERPLGN.DLL

I don't know if things were removed 100% or not because I continued to have issues. I downloaded MalwareBytes. I couldn't update that, AdAware, or SAS. I have since learned about the LAN settings change and fixed that. I now have no issue updating, so far as I know. However, I have discovered new problems - I cannot boot into Safe Mode via F8, or any of its variants. This is what happens:
1. Turn on or Reboot Computer
2. Press F8 immediately, rapidly until:
3. Boot screen appears to select Repair Computer, Safe Modes etc
4. Select Safe Mode or Safe Mode with Networking
5. Boots up to a black screen and large oversized mouse cursor.
6. Hangs up and reboots. I never reach the sign-in screen or Windows.


I tried accessing Computer Repair instead of SafeMode and I have no problem entering that so far as I know. I ran System Repair but it doesn't find anything wrong. In my fiddlings - and I do define it as such - I have on two separate occasions been able to access Safe Mode with or without Networking - but no internet. At no one time have I done anything that I could recognize as having fixed my computer enough to regain Safe Mode.

A friend of mine suggested that I have a rootkit. *Lovely.* He suggested I download TrendMicro's Rootkit Buster. I've fought with this program before when opening it as an ordinary program. A box pops up that says "Unable to copy driver to system32\drivers. The program will now terminate. Verify that you are logged in as an administrator an" This is followed by the message "Tmcomm service cannot be installed or does not exist. The program files may be damaged. Restart the program. If the problem persists, obtain a new copy of the program" When I used to run it as an Administrator, it would give me a message akin to it could access the drivers or files were already being accessed. It wouldn't work.

Recently, as I searched for the official exorcism of Rogue Antivirus Soft, I learned about RKill, which I downloaded, installed, and ran without problem. The program files it would stop are:
C:\Users\ClaraR\Appdata\Local\Temp\RtkbtMnt.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Clara Rose\Desktop\SuperAntiSpywarePortable\rkill.com

Now, so long as I first run RKill, I can then run Rootkit Buster - but it doesn't find anything. I've run the March Microsoft Malicious Removal Tool - it finds nothing.
So the ultimate question is - am I clean but a bug damaged safe mode, or is the bug still around and blocking safe mode?
I have the following antiX programs installed - not all of them running at the same time, per se:
Avast 5.0 (always on)
Windows Defender? - P.S. Ever since I ran the most recent RKill today and ran Rootkit Buster, Defender mysteriously disappeared from my processes and task bar
AdAware (on until I kill it on my task bar)
SuperAntiSpyware - not sure if it's on or not
MalwareBytes AntiMalware
Trendmicro Rootkit Buster
RKill

Help me Obi Wan Kenobi, you're my only hope! Thank you!

Clara
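The SUPERAntiSpyware log in the post above is the one piece of hard evidence in the thread, and the question it has to answer is which of the eight detections matter. The script below is an added example, not a tool from BleepingComputer, SUPERAntiSpyware or the poster: it parses the log format as pasted (the "Key : value" header, then a category line followed by its file paths and registry keys), separates tracking-cookie noise from the Rogue/Trojan findings, and cross-checks the listed items against the totals the log reports. The severity prefixes and the reading of a bracketed "[name]" prefix as a registry autostart value are assumptions made for this example; the second one is what makes the item counts agree with the log's own "2 registry / 6 file" totals.

```python
"""Parse a SUPERAntiSpyware (SAS) scan log, triage its detections and check
them against the log's totals.  Added example, not an SAS or BleepingComputer tool."""
import re
from collections import OrderedDict

# Sample input: the SAS log from the post above, reproduced verbatim.
SAMPLE_LOG = r"""Application Version : 4.34.1000

Core Rules Database Version : 4596
Trace Rules Database Version: 1978

Scan type : Complete Scan
Total Scan Time : 00:41:19

Memory items scanned : 838
Memory threats detected : 0
Registry items scanned : 7051
Registry threats detected : 2
File items scanned : 24160
File threats detected : 6

Rogue.AntivirusSoft
[cwwbient] C:\USERS\CLARA ROSE\APPDATA\LOCAL\MDGKKT\QVIJSFTAV.EXE
C:\USERS\CLARA ROSE\APPDATA\LOCAL\MDGKKT\QVIJSFTAV.EXE
HKU\S-1-5-21-3025230197-1300459986-1840717630-1000\Software\avsoft

Adware.Tracking Cookie
C:\Users\Clara Rose\AppData\Roaming\Microsoft\Windows\Cookies\clara_rose@www.windowsmedia[2].txt
C:\Users\Clara Rose\AppData\Roaming\Microsoft\Windows\Cookies\clara_rose@atdmt[2].txt
C:\Users\Clara Rose\AppData\Roaming\Microsoft\Windows\Cookies\Low\clara_rose@ads.cnn[1].txt
C:\Users\Clara Rose\AppData\Roaming\Microsoft\Windows\Cookies\Low\clara_rose@revsci[2].txt

Trojan.Agent/Gen
C:\WINDOWS\MPLAYERPLGN.DLL
"""

# "Key : value" header lines; the key needs two or more letters so a drive
# letter such as "C:\..." can never be taken for one.
STAT_RE = re.compile(r"^([A-Za-z][A-Za-z ]+?)\s*:\s*(.+)$")
# Detection lines: optional "[name]" label, then a file path or registry key.
# Assumption for this example: a labelled line is an autostart registry value
# whose data is the path shown, so it counts as a registry item.
ITEM_RE = re.compile(r"^(?:\[(?P<label>[^\]]+)\]\s+)?(?P<target>(?:[A-Za-z]:\\|HK).*)$")

HIGH_PREFIXES = ("Rogue.", "Trojan.")       # assumption: severity rule for this example
NOISE_CATEGORIES = {"Adware.Tracking Cookie"}


def parse_sas_log(text):
    """Return (stats, detections): stats maps header keys to int/str values,
    detections maps category -> list of {label, target, kind} in log order."""
    stats, detections, category = {}, OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        item = ITEM_RE.match(line)
        if item:
            label, target = item.group("label"), item.group("target")
            kind = "registry" if label or target.upper().startswith("HK") else "file"
            detections.setdefault(category or "Uncategorized", []).append(
                {"label": label, "target": target, "kind": kind})
            continue
        stat = STAT_RE.match(line)
        if stat:
            key, value = stat.group(1).strip(), stat.group(2).strip()
            stats[key] = int(value) if value.isdigit() else value
            continue
        category = line                      # any other line starts a category
        detections.setdefault(category, [])
    return stats, detections


def severity(category):
    if category in NOISE_CATEGORIES:
        return "low"
    return "high" if category.startswith(HIGH_PREFIXES) else "medium"


def actionable_findings(detections):
    """Every detection except tracking-cookie noise, with severity attached."""
    return [(severity(cat), cat, it["kind"], it["target"])
            for cat, items in detections.items() if severity(cat) != "low"
            for it in items]


def reconcile(stats, detections):
    """Compare listed registry/file items with the log's totals.  An empty
    dict means the listing is complete and the kinds were classified the way
    SAS itself counted them."""
    seen = {"registry": 0, "file": 0}
    for items in detections.values():
        for it in items:
            seen[it["kind"]] += 1
    expected = {"registry": stats.get("Registry threats detected", 0),
                "file": stats.get("File threats detected", 0)}
    return {k: (seen[k], expected[k]) for k in seen if seen[k] != expected[k]}


if __name__ == "__main__":
    stats, detections = parse_sas_log(SAMPLE_LOG)
    print("SAS", stats["Application Version"], "scan took", stats["Total Scan Time"])
    for sev, cat, kind, target in actionable_findings(detections):
        print(f"{sev:<6} {cat:<22} {kind:<8} {target}")
    print("count mismatches:", reconcile(stats, detections) or "none")
```

Run on the pasted log, the script lists four actionable items (the rogue's executable, its autostart value, its `Software\avsoft` key and the DLL flagged as Trojan.Agent/Gen) and reports no mismatch between what is listed and the log's totals; a non-empty mismatch on another log would mean the pasted copy is truncated or an item kind was misread, which is worth knowing before deciding anything from it.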


#2 ClaraZ


Posted 25 March 2010 - 12:08 AM

I would also like to add that I also have HijackThis. When I try to plain open this it starts to run the scan but then gets stuck with the following message:

For some reason your system denied write access to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this. If that happens, you need to edit the file yourself. To do this, click Start, Run and type: notepad C:\Windows\System32\drivers\etc\hosts and press Enter. Find the line(s) HijackThis reports and delete them. Save the file as "hosts." (with quotes), and reboot. For Vista: simply, exit HijackThis, right click on the HijackThis icon, choose 'Run as administrator'.
I'll click on Okay and it still generates a file. It does not give me any problems if I run it as an administrator - but having never used it, I don't know what to look for in any way shape or form.

When I went to restart my computer tonight I was notified in my start launch that I had updates and the computer would shut down after making them (little red box with classic shield). Amazingly - there were 26 of these. After allowing these to be made, I tried for kicks to see if I could get into Safe Mode. Lo and behold - I could. While there, I actually had internet. This is a change from the other few times. I ran RKill but it didn't stop anything aside from itself. I then updated MalwareBytes and ran a full scan. It didn't find anything amiss. I then ran a full AdAware scan. Nothing found. I tried to boot in Safe Mode a second time and I've lost Safe Mode again. Strangely enough, in normal mode, I have the same signal telling me I have updates to make. After making 26 updates, wouldn't I have made enough already??? :thumbsup:
Searching back in my mind, I think I might have made an update before and then the computer had reached safemode, but I'm not certain.

My dad is no slouch at home computer repair and he seems to think I'm on a witch hunt. Whatever had gone wrong has been fixed and if I install anything else, I'm just going to do serious system damage sooner or later. He's always been my computer guru and has helped a lot of people. I trust him, but I think there really is a problem.
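The HijackThis message quoted above points at the hosts file (C:\Windows\System32\drivers\etc\hosts) without saying what a bad line looks like. As an added example, not part of the post and not code from HijackThis or BleepingComputer, the script below reads a hosts file, skips comments, and sorts each active entry into one of four verdicts: stock (only local names such as localhost), block (a real name pinned to 127.0.0.1 or 0.0.0.0, which makes that site unreachable), redirect (a real name sent to some other address), or malformed. The sample hosts content is constructed for the example, using the reserved documentation range 192.0.2.0/24 and example.* names; `LOCAL_NAMES` is this example's own list.

```python
r"""Review a Windows hosts file (C:\Windows\System32\drivers\etc\hosts on Vista)
for entries that point a name anywhere but the machine's stock local names.
Added example; not from the post, HijackThis or BleepingComputer."""
import ipaddress

# Constructed sample: two stock Vista entries plus two entries of the kind a
# hijack adds (documentation-range address 192.0.2.10 and example.* names).
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      update.example.net    # vendor update site redirected elsewhere
0.0.0.0         download.example.org
"""

# Names that legitimately resolve to the local machine (this example's list).
LOCAL_NAMES = {"localhost", "broadcasthost", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return [(line_no, address, [names])] for every active entry; blank
    lines and '#' comments (whole-line or trailing) are ignored."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((no, fields[0], fields[1:]))
    return entries


def classify(address, names):
    """stock: only local names; block: a real name pinned to the machine itself;
    redirect: a real name sent to another host; malformed: unparsable address."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if all(n.lower() in LOCAL_NAMES for n in names):
        return "stock"
    if addr.is_loopback or addr.is_unspecified:
        return "block"
    return "redirect"


def review_hosts(text):
    """Return every entry that is not stock, with its verdict attached."""
    findings = []
    for no, address, names in parse_hosts(text):
        verdict = classify(address, names)
        if verdict != "stock":
            findings.append({"line": no, "address": address,
                             "names": names, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for e in review_hosts(SAMPLE_HOSTS):
        print(f"line {e['line']:>3}: {e['verdict']:<8} {e['address']:<15} {' '.join(e['names'])}")
```

On a default Vista hosts file the review returns nothing; a "redirect" entry is the finding that deserves attention, since it sends a name (often an update or security-vendor site) to a host of someone else's choosing, while "block" entries are what both hijackers and legitimate ad-blocking lists produce and need the name to be judged.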

#3 Elise


Posted 25 March 2010 - 02:26 PM

As no logs have been posted, I am shifting this topic from the specialized Malware Removal forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Please describe the issues you are experiencing with your computer.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 ClaraZ


Posted 25 March 2010 - 03:19 PM

My current and biggest problem is that I can no longer boot fully into Safe Mode or its other variants. When I select Safe Mode, it runs the list of drivers, goes to a black screen with an oversized arrow for about 20 seconds, and then promptly restarts the computer. Yesterday I was informed that there were updates to make (26 in all) which I decided to let the computer perform at shutdown. When I turned the computer back on, I decided to try Safe Mode, and it worked. However, on again restarting my computer Safe Mode is gone, again. And Vista is also telling me I have still more updates to make - which I find highly suspicious.
Additional eyebrow raisers include:
1. I have to run RKill several times before the only thing it closes is itself.
2. I still have problems with HijackThis when run (without selecting Run as Admin) and it gets stuck with the hosts section.

I'm wondering if I didn't completely remove whatever bug(s) I caught and/or damaged my computer in the process. Thanks for any and all insight.

#5 Elise


Posted 25 March 2010 - 03:23 PM

Let's do a rootkit scan first here.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


#6 ClaraZ


Posted 26 March 2010 - 02:03 AM

What a lovely evening this is turning into... :thumbsup: :flowers:
I downloaded GMER via Main Mirror to my desktop and opened it. No problem there so far as I know. It started its initial run through and I think it finished? It just sat there for a few minutes so I proceeded with the scan.
It got part way through the scan and was listing a bunch of things, to the extent that the window was filled and it became necessary to scroll down to see the new items. Only I couldn't.
I waited about 5-6 minutes as it just sat there only to realize that I had lost several minutes on my clock. I thought perhaps something had locked up, so I tried to access Task Manager.
Bad choice. My computer just sat there for a minute or so and I didn't know what was going to happen. Then the screen went blank for a bit and a message popped up that said "Log on process has failed to create the security options dialog." and a box said "Failure - security options"
After another couple minutes I got the standard Task Manager Northern Lights image on my screen with the message "Please Wait" and the little wheel turning. I waited another five minutes and then turned off the computer. I turned it back on, it made the standard statement that Windows did not shut down properly and gave the safe mode start up options. Won't boot in safe mode *still.* It rebooted into normal mode and the clock had fixed itself. After the full boot, I turned off the computer.
Question 1 - if I turned off the wireless in my first boot, shouldn't it stay off when I finally reboot??? Any time I turn off the computer, if the wireless was off, it's reconnected.
Question 2 - How do I completely turn off Avast? I can stop the realtime scanning, but I can't seem to shut down the program entirely. Even if I pull up the processes in Task Manager, it won't let me do it there.
Thank you again for your help.

#7 Elise


Posted 26 March 2010 - 05:04 AM

Hi, can you please try to run GMER with Devices and IAT/EAT unchecked?

regards, Elise


#8 ClaraZ


Posted 31 March 2010 - 01:57 AM

Hi, Sorry it's taken me so long to get back to you. I had a friend take a look at the computer and it took him a few days to get to it. When I got the computer back, I tried to run GMER without Devices and IAT/EAT, but realized I still had Avast running. I tried to stop GMER and access Avast, but it stopped working.
The computer at that point got hung up so I rebooted and attempted to access Safe Mode for kicks - lo and behold - I got it!!!
I tried running GMER here and although it took about 20-30 minutes to scan everything, it came up clean. Maybe things are fine??? Especially if SafeMode seems to be back... or at least it's been so much more robust. I know my friend took off AdAware, Superantispyware, MalwareBytes, Hijackthis, and I think possibly Avast and replaced it with AVG. I've since switched back to Avast. Somehow things seem to be better...

#9 Elise


Posted 31 March 2010 - 06:06 AM

I tried running GMER here and although it took about 20-30 minutes to scan everything, it came up clean. Maybe things are fine??? Especially if SafeMode seems to be back... or at least it's been so much more robust. I know my friend took off AdAware, Superantispyware, MalwareBytes, Hijackthis, and I think possibly Avast and replaced it with AVG. I've since switched back to Avast. Somehow things seem to be better...

How do you know GMER came up clean???

Since your friend is fixing things, I have NO clue what has been happening to your computer. It's absolutely fine to let someone look at your computer, but please choose where you want to be helped. I can't work with you if everything changes after every post (like now).

IMHO uninstalling MBAM and replacing Avast with AVG is a bad move, but that's your own choice.

Please let me know if you wish to continue here or not.

regards, Elise


#10 ClaraZ


Posted 01 April 2010 - 11:54 PM

Hi Elise,

I really appreciate the assistance that you've provided me, as exasperating as I've been. My computer at this point seems to be running fine now, so far as I can tell. I realize that I've had a few too many fingers in the pie. For the time being, I think I'll pretend that the case has been closed and hope for the best. Thank you for your help again.

Clara

#11 Elise


Posted 02 April 2010 - 02:25 AM

Okay, good to hear everything is fine :thumbsup:

regards, Elise




