
Antivirus7, now cannot update or install anything


This topic is locked
11 replies to this topic

#1 Brent Matlock

Brent Matlock

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:11 PM

Posted 30 March 2010 - 01:17 PM

Last night I got a virus; I believe it was Antivirus7, or Win7 Antivirus... something to that effect.
Anyway, I used the methods explained in the tutorials you guys provided, and I ran a fresh rKill.exe and Mbam.exe that I had saved to disc just in case this should happen.

My only problem is that now I cannot install anything, i.e. Avast, Avira... Avira says there is a Windows update in progress (even though there isn't; I even tried updating them just to be sure, they all failed) and Avast said there is a "side-by-side" error.

Can anyone help me with this please =(

I have a DDS log file if needed and I can get anything else that may be needed. Thanks in advance, I'll provide information ASAP as I'm just sitting and refreshing my browser waiting for replies =D



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:11 PM

Posted 30 March 2010 - 03:13 PM

Hello and welcome... Please follow our Removal Guide here: Remove Antivirus7 or Antivirus 7 (Uninstall Guide).
You will move to the Automated Removal Instructions and follow those steps. They should get you past your difficulties.

After you have completed that, post your scan log here and let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Brent Matlock

Brent Matlock
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:11 PM

Posted 30 March 2010 - 03:26 PM

My Mbam log from the actual event...

---------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

3/29/2010 9:08:58 PM
mbam-log-2010-03-29 (21-08-58).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 292253
Time elapsed: 39 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 5
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 42

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Windows\System32\FastUv32.dll (Backdoor.Bot) -> Delete on reboot.
c:\Windows\System32\Iasex.dll (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fastuserswitchingcompatibility (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ias (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9ba40a1-74f1-52bd-f434-00b15a2c8953} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a9ba40a1-74f1-52bd-f434-00b15a2c8953} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a9ba40a1-74f1-52bd-f434-00b15a2c8953} (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\djijuzupijafer (Trojan.Hiloti) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsa8ffushf83hoigjhs98jgijg9sd8e (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ewrgetuj (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Owner\AppData\Local\ave.exe" /START "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\FastUv32.dll (Backdoor.Bot) -> Delete on reboot.
c:\Windows\System32\Iasex.dll (Backdoor.Bot) -> Delete on reboot.
C:\Users\Owner\AppData\Local\FXLP45.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\spoolsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\oxifs.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\248874888.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\3448684932.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\408133997.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\997603.exe (Backdoor.Hostil) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\ar6qhi2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\autofmtxp .exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\avp .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\debug .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\drweb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\ecnrwamxso.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\ewxomscanr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\iexplarer.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\login.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\m8yb3h8yuoddhem.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\n766j8p .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\Pxp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\services .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\smss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\system.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\win32 .exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\winlogon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\xrenwcasmo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\oxifs.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\sndcast.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\srv.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\FastUv32.dll (Backdoor.Bot) -> Delete on reboot.
C:\Windows\SysWOW64\Iasex.dll (Backdoor.Bot) -> Delete on reboot.
C:\Windows\SysWOW64\sndcast.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\srv.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\n766j8p.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Owner\AppData\Local\Temp\geurge.exe (Worm.Prolaco.M) -> Quarantined and deleted successfully.



---------------------------------------------
And the one I did just before you asked me to post =D
---------------------------------------------

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3933

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

3/30/2010 1:10:52 PM
mbam-log-2010-03-30 (13-10-52).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 294638
Time elapsed: 33 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Owner\AppData\Local\Temp\rmwoncaxes.exe (Trojan.Fraudpack) -> Quarantined and deleted successfully.

#4 Brent Matlock

Brent Matlock
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:11 PM

Posted 30 March 2010 - 03:28 PM

Also I would like to add that I did the post that you suggested; that's how I found you guys =D

Though it's not spamming me or anything, I fear there may have been registry changes of sorts, as I have gone through all the Windows Update troubleshooters and I cannot resolve the issues at hand.

I was somehow able to install Spybot S&D and I'm running it now to see what it finds, but so far it's found nothing; it's about halfway through.

#5 Brent Matlock

Brent Matlock
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:11 PM

Posted 30 March 2010 - 03:33 PM

MBR log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: error reading MBR

---------------------------------
DDS log


DDS (Ver_10-03-17.01) - NTFSX64
Run by Owner at 10:49:21.10 on Tue 03/30/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.9207.7507 [GMT -6:00]

Mod edit: removed misplaced DDS log ~boopme

Edited by boopme, 30 March 2010 - 05:12 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:11 PM

Posted 30 March 2010 - 05:11 PM

Hello. Two pieces of info: first, about these backdoor Trojans/bots and financials.
A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would advise you to disconnect this PC from the Internet, and then go to a known clean computer and change any passwords or security information held on the infected computer. In particular, check whatever relates to online banking, financial transactions, shopping, credit cards, or sensitive personal information. It is also wise to contact your financial institutions to apprise them of your situation.

We will do our best to clean the computer of any infections seen on the log. However, because of the nature of this Trojan, I cannot offer a total guarantee that there are no remnants left in the system, or that the computer will be trustworthy.

Many security experts believe that once infected with this type of Trojan, the best course of action is to reformat and reinstall the Operating System. Making this decision is based on what the computer is used for, and what information can be accessed from it.

Second, as you have produced a DDS log, you may as well post it in the forum for their analysis and be certain you are clean.
The log needs to be posted in a new topic here: Virus, Trojan, Spyware, and Malware Removal Logs.
I will be removing the one here.
Knowing the above, let us know if you wish to proceed.

#7 Brent Matlock

Brent Matlock
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:11 PM

Posted 30 March 2010 - 06:32 PM

Boopme, I would like to continue. I pretty much only use the computer for internet stuff, watching movies and playing online games (I don't have to worry about getting my account stolen as I have an authenticator =D).

I was able to install SuperAntiSpyware and it found 28 files MBAM wasn't able to find, along with Spybot S&D.

Thank you for your assistance thus far.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:11 PM

Posted 30 March 2010 - 06:43 PM

That's fine; the best course is to have our MRT team dig out all traces.
Let me know if you got it posted there.

#9 Brent Matlock

Brent Matlock
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:11 PM

Posted 30 March 2010 - 06:44 PM

That's fine; the best course is to have our MRT team dig out all traces.
Let me know if you got it posted there.


You're talking about the DDS in the thread you linked, correct?

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,428 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:11 PM

Posted 30 March 2010 - 06:51 PM

Yes, so I can confirm it is correct etc. and then I will close this one.

#11 Brent Matlock

Brent Matlock
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:11 PM

Posted 30 March 2010 - 06:52 PM

OK, it's up =D

#12 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:11 AM

Posted 30 March 2010 - 06:56 PM

New topic posted here: http://www.bleepingcomputer.com/forums/t/306044/computer-wont-allow-windows-updates-or-installing-programs/

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.

Edited by Budapest, 30 March 2010 - 07:17 PM.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw



