Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


AVG Threat detected continual pop-up

  • Please log in to reply
4 replies to this topic

#1 chrystaline


  • Members
  • 2 posts
  • Local time:12:33 AM

Posted 07 June 2010 - 10:16 PM

So, I am somewhat of a computard crazy.gif AVG keeps telling me that it has blocked a threat - Exploit Rouge Scanner type 889 (File Name: Microsoft.msn.com.quenti.info/?data=Mig..... some crazy jumble of letters) I'm unsure whether it is a virus or something else. What ever it is I would really appreciate if someone could tell me how to remove it from my computer. I keep envisioning this worm eating it's way thru my computer's brain and the pop-ups are getting really annoying.
Oh, and I'm not entirely sure, but I suspect it came from video sent in a message via facebook - titled something like "video of you?" So any Faceboogers be wary.
Thank You in advance to anyone who can help.

Edited by Pandy, 08 June 2010 - 05:22 PM.
Moved from AII at Starbuck's request ~Pandy

BC AdBot (Login to Remove)



#2 Starbuck


    'r Brudiwr

  • Malware Response Team
  • 4,148 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:04:33 AM

Posted 08 June 2010 - 06:39 AM

Hi chrystaline and welcome to Bleeping Computer.

Follow the steps below and let me have the reports that are asked for:

Step 1
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Step 2
Please download:
and save it to your Desktop.
Run the tool by clicking on it.

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the malware when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself .

If the malware is persistant, you may have to RKill a number of times.
When it has finished, the black window will automatically close and you can continue with the next step.

Please do not reboot your system until you have completed the following step, or the Malware will restart itself:

Step 3
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

In your next reply, please submit:
MBAM scan report



#3 chrystaline

  • Topic Starter

  • Members
  • 2 posts
  • Local time:12:33 AM

Posted 08 June 2010 - 04:25 PM

Just to mention I defrag and delete cookies on a weekly basis (and since infection) to try and keep the sys clean.

I have tried the suggested downloads to no avail. Click on TFC link reads:
Opening TFC.exe
you have chosen to open TFC.exe
which is a:Application
would you like to save this file?
I then click: SAVE FILE

Immediately it comes up on my downloads as CANCELED
Then I try right click option to START and it appears to download, yet I cannot locate it (via file path or computer "search")
I move the cursor over apparent downloaded file reads:
From: http://oldtimer.geekstogo.com/TFC.exe
To: C:\Documents and settings\HP_Administrator\My Documents\Downloads\TFC.exe
File Size: File not found
Time to complete: <00:01
Average speed: Unknown
Obviously right click option to open or open containing folder does not work since there is no file to be found. It gives option to "delete from system", which is confusing since I can't find it

Next I tried manually typing in link addy, with same results (same with RKill, Malwarebytes Anti-Malware link tells me "problem loading page""file not found" ).

My guess, this has a self-defense mode, preventing me from downloading software to remove it, scary.

AVG Virus Vault lists:
Infection: Trojan Horse Proxy AKGV. C:\Documents and Settings\HP_Administrator\Local Settings\Temp\zpskon_1276008504.exe
Infection: Trojan Horse Proxy AKGV. C:\Documents and Settings\HP_Administrator\Temporary Internet Files\Content.IE5\5Z37HX0E\ws[2].exe
Infection: Virus Identified Worm/Koobface.AB c:\Documents and Settings\HP_Administrator\Temporary Internet Files\Content.IE5\UNS18Z0T\se1ws[1].exe

looked up koobface on Wikipedia: http://en.wikipedia.org/wiki/Koobface

I have since had confirmation that it was the video that was infected:

**FACEBOOK MESSAGE TITLED: (no subject) Prviate ivdeo wtih you and yuor firend. Who opsted it?**
I will not post the video addy for fear of the spread of infection.

AVG is still popping up every 5 min or so with "Blocked Threat" messages, mostly Exploit Rouge Scanner (type 889), one time listed Exploit Neosploit Toolkit type 11?? (missed the last couple #'s) and Koobface Worm detected which I vaulted.

Unsure of where to go from here. Will deleting or emptying items from the vault remove the worm? Or should I keep them vaulted for ID purposes in case it is necessary to call in a professional IT? Thanks again for any help/solution provided

#4 Starbuck


    'r Brudiwr

  • Malware Response Team
  • 4,148 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:04:33 AM

Posted 08 June 2010 - 05:03 PM

Hi chrystaline,

Will deleting or emptying items from the vault remove the worm?
While the items are in the vault, they are safe.
Best to leave them there.

Please bare with me whilst i get this topic moved.
Once i know it's been moved we can continue with the process.
There are certain tools we can't use in this forum.



#5 Starbuck


    'r Brudiwr

  • Malware Response Team
  • 4,148 posts
  • Gender:Male
  • Location:Midlands, UK
  • Local time:04:33 AM

Posted 08 June 2010 - 05:32 PM

Hi chrystaline,

Please note these programs must be downloaded to the Desktop.

  • Download OTL to your desktop.
    right click on the link and select 'Save Link/Target As'.

    if you have problems, try this download link:

  • Download OTH to your desktop.
right click on the link and select 'Save Link/Target As'.

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text and pressing Ctrl+C
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles

Go to the Notepad window and click Edit >> Paste
Then click File >> Save
Name the file Scan
Make sure that the Save as Type is set to Text Documents
and save to the Desktop.

Run Programs
  • Click on the OTH icon to run the program.

  • Click on the button.
    Your Desktop will go blank.
  • Now click on the button.

  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Double click in the Custom Scans/Fixes window (under the blue bar)
  • A message box will popup asking if you want to load a custom scan from a file
  • Select the file you saved earlier (Scan.txt)
  • Now click on the button.

When the scan has completed, click on the button.
This will load your browser so that you can copy/paste the OTL.txt and Extra.txt reports in your next reply.

If you prefer to use FireFox or another browser:
click on 'Start Misc Program' and select it

Once posted:
Click on the button to restart your computer.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users