Antivirus Action


This topic is locked.
31 replies to this topic

#1 doughboy1

doughboy1

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:07:51 AM

Posted 07 November 2010 - 11:35 PM

I need additional help in getting rid of the Antivirus Action rogue. I have followed the link http://www.bleepingcomputer.com/virus-removal/remove-antivirus-action but it did not work. Is there an alternative solution that seems to work? My system is basically unusable. Cannot connect to the internet. I have to use a second PC, copy downloads to a flash drive, and copy them to the desktop.
The one part I don't know how to do is save the hosts file to the drivers/etc file.
19. We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, (I deleted it) download the following HOSTS file that corresponds to your version of Windows (I downloaded the XP hosts file) and save it in the C:\Windows\System32\Drivers\etc folder. (I don't know how to do this) If the contents of the HOSTS file open in your browser when you click on a link below, then right-click on the appropriate link and select Save Target As..., if in Internet Explorer, or Save Link As..., if in Firefox, to download the file.

Windows XP HOSTS File Download Link

#2 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:09:51 PM

Posted 08 November 2010 - 12:23 AM

(I downloaded the XP hosts file)

Locate the HOSTS file that you downloaded. Right-click on it and select "Cut".

Now navigate to

C:\Windows\System32\Drivers\etc <<< folder

In the folder "etc", find a blank area and right-click there, and select "Paste".
Done!

How's that now?

Edited by AustrAlien, 08 November 2010 - 12:24 AM.

AustrAlien
Google is my friend. Make Google your friend too.


#3 doughboy1


Posted 08 November 2010 - 01:24 AM

Thanks for the fast reply.
I'm having problems still.
Here is what I downloaded:


# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

A couple of things: what do I copy or cut? When I open the file it asks me what program I want to use to open it; I chose WordPad???? I try to then cut and paste what part? I tried just the 127.0.0.1 localhost and it won't let me?????
What else can be done? I reboot and the problem is still there. Please let me know if I need to run DDS or GMER etc.?

#4 AustrAlien


Posted 08 November 2010 - 01:44 AM

Please let me know if I need to run DDS or GMER etc.?

Not yet: Let's see if we can get this worked out first. Hopefully this last part of the fix will solve all your issues.

The HOSTS file is a simple text file that you can open with Notepad, Wordpad etc. That's fine. BUT .... I didn't want you to open it.

Make sure that it is NOT open when you do this.
Using Windows Explorer, navigate to where you have downloaded the HOSTS file, and simply right-click on the file itself, and select "Cut" ... and then paste the file itself in the "etc" folder as in my previous post.
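The clean HOSTS file quoted above maps only localhost to 127.0.0.1; a rogue like this one tampers with it so that security sites resolve to loopback (blocking updates) or to a remote address. A small checker for that, added here as an example and not part of this thread or the removal guide (function names and the sample file content are constructed for the illustration):

```python
import ipaddress
import sys

# Constructed sample: a Microsoft-style header plus entries of the kinds a
# tampered file contains. Only "127.0.0.1 localhost" belongs in a clean XP file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
127.0.0.1 www.malwarebytes.org   # constructed: vendor site forced to loopback
203.0.113.7 www.example-av.test  # constructed: TEST-NET address, remote redirect
"""

def parse_hosts(text):
    """Return (ip, [hostnames]) tuples, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # trailing comments are allowed
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # malformed line, nothing to map
        entries.append((fields[0], fields[1:]))
    return entries

def suspicious_entries(text, expected=("localhost",)):
    """Flag every mapping a default HOSTS file would not contain.
    A clean file maps only localhost (127.0.0.1 or ::1), so any other name,
    and localhost pointing anywhere but loopback, is reported for review."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            findings.append((ip, names, "unparseable address"))
            continue
        for name in names:
            if name.lower() in expected:
                if not loopback:
                    findings.append((ip, [name], "localhost not mapped to loopback"))
            else:
                reason = "blocked via loopback" if loopback else "redirected to remote host"
                findings.append((ip, [name], reason))
    return findings

if __name__ == "__main__":
    # Pass a path (e.g. C:\Windows\System32\Drivers\etc\hosts) or run on the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for ip, names, reason in suspicious_entries(text):
        print(f"{ip:16} {' '.join(names):32} {reason}")
```

Run it against the real file before and after step 19 of the guide: a clean replacement should produce no findings at all.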

#5 doughboy1


Posted 08 November 2010 - 01:54 AM

The only thing is that the Antivirus Action virus won't allow me to open Windows, or anything else on my computer. I can only do a few things in Safe Mode. I'm using another computer and saving the program/link on a USB stick and taking it to my computer and doing it like that.
I just successfully cut the program (I think) and pasted it into etc. I rebooted my computer in regular mode but the problem still exists. This one is difficult. Now what? Many thanks

Edited by doughboy1, 08 November 2010 - 02:32 AM.


#6 AustrAlien


Posted 08 November 2010 - 02:33 AM

Did you update MBAM (Malwarebytes Anti-malware) before you scanned with it?
Are you loading Windows using Safe Mode with networking?

Please post the entire content of the MBAM (Malwarebytes Anti-malware) log(s).
You will find the logs by opening MBAM and clicking on the "Logs" tab.

I have great confidence in the guide that you are following, and it will be much simpler and quicker if we can achieve a satisfactory outcome with it, than to pursue other options. Let's keep working on it for a little while longer.

Edited by AustrAlien, 08 November 2010 - 02:34 AM.


#7 doughboy1


Posted 08 November 2010 - 02:46 AM

I can't update as I can't access the internet from my computer.

here are the latest 2 logs:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4156

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

11/7/2010 9:34:49 PM
mbam-log-2010-11-07 (21-34-49).txt

Scan type: Full scan (C:\|)
Objects scanned: 185192
Time elapsed: 25 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4156

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

11/7/2010 11:42:10 PM
mbam-log-2010-11-07 (23-42-10).txt

Scan type: Full scan (C:\|)
Objects scanned: 74057
Time elapsed: 24 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by doughboy1, 08 November 2010 - 03:19 AM.


#8 AustrAlien


Posted 08 November 2010 - 03:08 AM

By the way, I ran an HJT log and there are a few things that don't look like they belong. I won't do anything until you say.

Please do NOT post any log from HJT or DDS here, as they are not allowed, and we are not allowed to comment on them in this (the Am I Infected?) forum area. Those logs are only to be used in the Malware Removal forum ( Virus, Trojan, Spyware, and Malware Removal Logs ).

I think the problem lies in not being able to update the definitions file in MBAM. The most recent I have seen is 5066, but yours is still only "Database version: 4156". If we can get that updated, it should work for you. (I just updated my own MBAM to database version 5072)

The definitions file can be updated manually by downloading to another computer, and then transferring to the troubled one, but before we do that I would like you to confirm that you are choosing "Safe Mode with networking" to load Windows. Having done that, open MBAM and attempt to update from the "Update" tab > Check for Updates. Let me know whether that works or not. If it doesn't work, we will try it manually.

As a side note: The BleepingComputer forum software has recently been updated and is still having teething troubles. Hence, you may notice that it is sometimes available, but sometimes not accessible. At the time of writing it is "down", and I will have to wait to post this reply. (Then again, it could just be my own internet server that is mucking me about this time .... I just never know!)

#9 doughboy1


Posted 08 November 2010 - 03:12 AM

Yes, working in Safe Mode with networking.
When I check for updates it says an error has occurred:
mbam_error_updating etc.
How do we do it manually?

#10 AustrAlien


Posted 08 November 2010 - 03:14 AM

Internet Explorer – Lan settings
Uncheck the “Use a proxy server” box. Click OK to close LAN Settings and click OK to close Internet Explorer settings.

That is good: Do that.

Edited by AustrAlien, 08 November 2010 - 03:32 AM.


#11 doughboy1


Posted 08 November 2010 - 03:20 AM

Unchecked the proxy box. Edited my last post and removed the HJT log.
I've also downloaded the newest version of malware on this computer, so I need to know what to do to get it on my computer..... thanks again

Edited by doughboy1, 08 November 2010 - 03:30 AM.


#12 AustrAlien


Posted 08 November 2010 - 03:33 AM

Manually download MBAM definitions from here Malwarebytes' Anti-Malware Database
and transfer to the troubled computer.

Double-click on mbam-rules.exe to install. Your database version will then be fairly recent (but perhaps not the absolute latest).

NOW ... start following the guide from the beginning .... and hopefully all will turn out well. Good luck and let me know the result.

Edit: MBAM version itself has not been updated in quite some time and is still version 1.46, so there is no need to change the program itself, just update the database definitions.

Edited by AustrAlien, 08 November 2010 - 04:46 AM.


#13 doughboy1


Posted 08 November 2010 - 04:39 AM

Thanks.
When I reboot from MBAM, do I go back to Safe Mode again to continue the rest of the steps, or allow normal mode? I already changed the hosts file, but do I do it again?
You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.

#14 AustrAlien


Posted 08 November 2010 - 04:43 AM

When I reboot from MBAM, do I go back to Safe Mode again to continue the rest of the steps, or allow normal mode? I already changed the hosts file, but do I do it again?

You must allow the computer to load Windows normally (not Safe Mode), in order to remove the infections.

Continue to follow the instructions concerning the HOSTS file, because I cannot be sure that the malware hasn't changed it again.

#15 AustrAlien


Posted 08 November 2010 - 04:47 AM

Please post the MBAM log when finished.