
AntispywareSoft Rogue.antisoft / Trojan Dropper/win-nv removal


  • This topic is locked
9 replies to this topic

#1 Peaty

  • Members
  • 15 posts

Posted 24 April 2010 - 10:11 AM

I've offered to help my cousin remove malware from her laptop. I've done this sort of thing before but this one is being a real bugger.

Laptop is running Win XP Home. It had SP2; I've since updated it to SP3. McAfee was installed but had not been updated in over a year.

When I received the laptop it had all the pop-ups and issues associated with Antispyware Soft. The exe extension was not working, and none of the removal tools I have would load or execute. I could not get it to boot into safe mode.


I was able to get the portable version of SuperAntiSpyware (SAS) to run because it uses a .com extension. That enabled me to remove many items on a reboot. I then ran a reg fix for the .exe and turned off system restore.

I removed McAfee and installed Avast (did standard and boot time scan), installed and ran Dr. Web CureIt, SAS, Malwarebytes, Windows Malicious Software Removal Tool, CCleaner and Windows Defender. After all the scanning and rebooting I thought I was in the clear; however, one issue did remain that I was working on. I could not get Windows Update to work via the Windows website, nor was Windows Defender able to connect to the server to update.

Since I thought I was in the clear, I then proceeded to update the firmware and drivers, install Windows SP3, and continued to work on getting Windows Update to work. After I installed SP3 (used the redistributable version) I was doing some other tweaks when once again the pop-ups from AntispywareSoft started! I went through the above procedure again but I also added Spybot and SpywareBlaster. I also ran them again in safe mode (System Restore was still off). Many of the same items were found, with some new items found by Spybot after all the previous scans were done. I apologize for not getting the items that were found; I forgot to write them down.

Where I am now is, once again everything seems fine; even Windows Update and Defender update are working again (I've updated to the latest security service packs etc). After scanning with everything I have installed, I'm getting no infections found. I'm currently running Panda ActiveScan 2.0 from their website and doing another full Dr. Web CureIt scan in safe mode. The laptop has been running for about a day and a half with no issues. My question is, is there a way to be sure I've cleared everything out? I plan on running the laptop for a few days more to be sure before sending it back.

Thank you in advance for taking the time to review my issue.

Regards,

Peaty



#2 certifiedgeek

  • Members
  • 172 posts

Posted 24 April 2010 - 10:35 AM

Maybe other people will also chime in on this, but unfortunately there is not a way to be 100% sure it's gone. It's a good indication if you aren't experiencing any more symptoms, and it sounds like you've done a bunch of scans which put the odds in your favor.

The types of malware that are very hard to detect are rootkit-based, since it's their job to hide from all the malware scanners you can throw at it. Have you run any rootkit scanners yet?

Maybe you should follow the instructions at http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ which would require you to run a couple of log-generating scans and then post in the forum listed at the bottom of the instructions to get an expert opinion on whether you're clean now.

#3 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,804 posts
  • Location:Bloomington, IN

Posted 24 April 2010 - 07:00 PM

Hello,

Yes, a deeper look at your machine is necessary.
To restate the above in a different way: Please follow the instructions in ==>This Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==

If you can produce at least some of the logs, then please create the new topic. If you cannot produce any of the logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Peaty

  • Topic Starter
  • Members
  • 15 posts

Posted 25 April 2010 - 02:50 PM

Thank you, will do. FWIW so far everything is still working fine with no return of the malware. Still in all I would like to be as sure as possible. I realize there is no such thing as zero risk :thumbsup:

#5 certifiedgeek

  • Members
  • 172 posts

Posted 25 April 2010 - 07:31 PM

Glad to hear that things are still working as they should. Have you cleared out your restore points just to make sure it can't come back later?

If not, check out this post by boopme that details how it can be done to help prevent reinfection later on.

#6 Peaty

  • Topic Starter
  • Members
  • 15 posts

Posted 25 April 2010 - 08:12 PM

I just finished doing all the items in the link and will post in a new section soon. I did have system restore off and ran CCleaner quite a few times but I will also do as you suggest, thanks. I'm not sure if CCleaner gets rid of those or not.

#7 certifiedgeek

  • Members
  • 172 posts

Posted 25 April 2010 - 08:19 PM

If you already had system restore turned off, then you don't have to do it because they are deleted when you reboot when it is turned off.

I would do one more scan with MBAM in normal mode, and then follow that with SAS in safe mode, followed by an online scanner such as BitDefender.

Then test out IE or Firefox by searching for "free antivirus" and then trying to click on the first few links that pop up. Any redirects or pop-ups? Try doing some basic browsing and try other searches such as "avast", "avg", or any other legitimate malware scanner. A lot of times, malware won't let you go to certain sites or will redirect you at will to sites you didn't mean to go to.

Let me know what happens and if you have any more questions.

#8 Peaty

  • Topic Starter
  • Members
  • 15 posts

Posted 26 April 2010 - 10:58 AM

I've been able to go to the Avast site among others and have had no redirects. I've been running Avast, MWB and SAS pretty much nonstop (with each update). It's still working fine. I did post my logs here as instructed:

http://www.bleepingcomputer.com/forums/t/312601/antispywaresoft-rogueantisoft-trojan-dropperwin-nv-removed/

I'm thinking the original issue is fixed but I know sometimes when one infects your system it opens the door for other stuff. I will try BitDefender too, thanks for the suggestion.

Peaty

#9 certifiedgeek

  • Members
  • 172 posts

Posted 26 April 2010 - 11:20 AM

You're welcome and I wish you the best. Take care! Let me know what you find out from the other topic you posted, if you don't mind.

#10 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,804 posts
  • Location:Bloomington, IN

Posted 26 April 2010 - 08:34 PM

Hello,

If you have system restore turned off, PLEASE turn it back on. The system restore will be purged as a final step in the malware removal process. Disabling System Restore as the first step when attempting to clean a system or when scanning for malware is not advisable. Unfortunately, some anti-virus vendors still recommend doing this before attempting malware removal and many folks follow that advice. This is really not a good practice when dealing with infected computer systems. Turning System Restore off and then turning it back on has some risk associated with it since that feature does not always work as intended. Further, there is always a possibility of something going wrong during the malware removal process and you end up with more problems. If an incident renders your system problematic or unbootable, you can use System Restore to return it to a previous working state. Without a restore point to fall back on, you are left with a limited means of restoring your system to a usable condition. Disabling this feature could mean having to perform a repair install (or reformat in worst case scenarios) if you're unable to fix any problems which System Restore may be able to correct. Although System Restore is not always 100% guaranteed to work all the time, it at least gives you another option before resorting to more drastic measures.

"System Restore and malware removal - what is best practice?"
"Should I purge all my restore point BEFORE removing infection?"

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/312601/antispywaresoft-rogueantisoft-trojan-dropperwin-nv-removed/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:



