
Antiviral AV


  • This topic is locked
66 replies to this topic

#1 a4givensinner


Posted 16 February 2011 - 12:03 AM

Hi,

I'm new to this forum, I found it by searching for a way to remove Antiviral AV from my computer. I've been at this for about 6 hours now, and I'm at the end of my knowledge, and almost at the end of my proverbial rope.

I don't know how this virus got onto the computer. My daughter told me the computer was running slow, and then my husband said something about it going "slower and slower." My daughter was on poptropica and webkinz, and my husband was playing scrabble. I've been on facebook and hotmail. (In other words, nothing exciting). No one had been on the computer since I checked facebook this morning, then I came upstairs later in the afternoon and there were 30+ windows that had popped up with advertisements. I closed all of those windows and went to run a virus scan, and started getting error messages and our webpages were redirected to Antiviral AV.

Here's what I've done so far:
Deleted all temporary files from the past week (in regular mode)

Gone to control panel - internet options - connection - LAN settings - proxy server (it was already unchecked)

System restore - unfortunately, the only option it would give me was to restore to a point after I know I was infected.

Spybot search and destroy, downloaded and removed files found

Rkill - downloaded, but it isn't doing anything

Firefox - tools, options, advanced, network settings, no proxy (selected)

Ran spybot again

Click Start button and select Run. Type regedit into the box and click OK to proceed. Once the Registry Editor is open, search for the registry key "HKEY_LOCAL_MACHINE\Software\AntiVira Av." Right-click this registry key and select Delete. (It wasn't there)

Search for file like %PROGRAM_FILES%\AntiVira Av. and delete it manually. (It wasn't there)

Search for file like c:\Documents and Settings\All Users\Start Menu\AntiVira Av\ and delete it manually (It wasn't there)

Search for file like c:\Documents and Settings\All Users\AntiVira Av\ and delete it manually (it wasn't there)

I've searched for antivira, av and *.exe files. I cannot find anything that looks remotely like the files my searches say I should be looking for.

I joined this group and followed the Preparation Guide (http://www.bleepingcomputer.com/forums/topic34773.html) and attached the DDS.txt and ark.txt.log files to this post.

I'm desperately hoping someone can help!

Thanks.

P.S. I have Windows XP, we use firefox, and I am running in safe mode w/ networking.

Sorry for the multiple replies. I also have system restore turned off, and have downloaded and run malwarebytes. When I searched for files (see initial post) I also searched hidden files/folders, and I searched in My Computer (not just the C drive).

EDIT: Posts merged ~BP

We've continued to work on this. I've downloaded spydoctor; it's not finding anything on a full scan. I ran Rkill again; it closed two programs (I have the log). My husband was working on this tonight and went to another website (not asking questions, only looking at other posts) and found one that said:

Go to the registry, do a search for ACMru and delete the folder and all its subfolders. Normally you will find a backdoor trojan agent like "A0030882.exe" and similar. No matter how often you run your virus scan that has picked it up, and yet unable to find it to remove, so I resort to the registry to delete these stupid files.

So he deleted the ACMru folder and rebooted.

This thing is still here...can anyone help?

Thanks

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 17 February 2011 - 04:40 PM.
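As an added example (not from this thread or from any tool it mentions), a read-only PowerShell audit of the locations named in the removal guide the poster followed, plus the autostart keys a rogue AV normally uses to come back after a reboot; it assumes PowerShell 2.0 or later is installed on the XP machine and only reports, deleting nothing.

```powershell
# Added example, not from the thread: read-only audit of the Antiviral AV
# indicators listed in the first post. Assumes PowerShell 2.0+ on Windows XP.
# It reports what exists and deletes nothing.

$name  = 'AntiVira Av'   # name used in the removal guide the poster followed
$paths = @(
    (Join-Path $env:ProgramFiles $name),
    "C:\Documents and Settings\All Users\Start Menu\$name",
    "C:\Documents and Settings\All Users\$name"
)
$regKeys = @("HKLM:\Software\$name")

Write-Host '== Locations named in the removal guide =='
foreach ($item in ($paths + $regKeys)) {
    $state = if (Test-Path -LiteralPath $item) { 'PRESENT' } else { 'absent ' }
    Write-Host ("{0} {1}" -f $state, $item)
}

# A rogue AV normally survives a reboot through a Run key, so list every
# autostart value and flag commands that do not live under Program Files or Windows.
$trusted        = @($env:ProgramFiles, $env:SystemRoot) | ForEach-Object { [regex]::Escape($_) }
$trustedPattern = '^"?(' + ($trusted -join '|') + ')'
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

Write-Host ''
Write-Host '== Autostart entries (review anything marked CHECK) =='
foreach ($rk in $runKeys) {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    $props = Get-ItemProperty -LiteralPath $rk
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        $cmd  = [string]$prop.Value
        $flag = if ($cmd -imatch $trustedPattern) { '     ' } else { 'CHECK' }
        Write-Host ("{0} {1,-30} {2}" -f $flag, $prop.Name, $cmd)
    }
}
```

Run it from a normal (non-safe-mode) session as the affected user so HKCU refers to that user's hive; entries marked CHECK are only candidates for review, not proof of infection.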




#2 m0le

  • Malware Response Team

Posted 21 February 2011 - 07:49 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 a4givensinner


Posted 23 February 2011 - 10:57 AM

Hi,

My husband had all but given up on getting an answer and was ready to reformat the hard drive, but has not done anything. I'm glad to see a reply here! Looking forward to knowing how to proceed. Thanks!!!

jodi

#4 m0le

  • Malware Response Team

Posted 23 February 2011 - 05:48 PM

Redirections could mean rootkits, so please run TDSSKiller.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Then MBRCheck

Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

#5 a4givensinner


Posted 23 February 2011 - 08:28 PM

TDSSKiller did not find anything. I am still in safe mode with networking. Should I still do the MBRCheck? I'm attaching the TDSSKiller report to this post.

Thanks!!!!!!

jodi

P.S. I am also going to be away at appointments most of the day tomorrow (February 24) so I will not be able to check posts again until evening. Thanks!

Attached Files



#6 m0le

  • Malware Response Team

Posted 23 February 2011 - 08:32 PM

Come out of safe mode and boot normally then rerun TDSSKiller and then run MBRCheck.

#7 a4givensinner


Posted 24 February 2011 - 05:17 PM

Okay, got that all done, here's the log. Thanks!

Attached Files



#8 m0le

  • Malware Response Team

Posted 24 February 2011 - 07:10 PM

...and the TDSSKiller program please.

#9 m0le

  • Malware Response Team

Posted 27 February 2011 - 09:13 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer, as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC, making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#10 m0le

  • Malware Response Team

Posted 28 February 2011 - 07:13 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#11 m0le

  • Malware Response Team

Posted 03 March 2011 - 04:22 PM

This topic has been re-opened at the request of the person who originally posted. Please post the TDSSKiller log when you are ready :)

Edited by m0le, 03 March 2011 - 04:22 PM.


#12 a4givensinner


Posted 05 March 2011 - 07:56 AM

That was probably why I couldn't find an attach option in the other window! Same file. I'll be home this afternoon; I haven't had a chance to assess the computer's behavior since I restarted last night. Thanks!

I'm still half asleep. Sorry!

Attached Files



#13 m0le

  • Malware Response Team

Posted 06 March 2011 - 06:02 AM

That did remove the TDSS rootkit, so that should make things much easier.

Please now run ComboFix so we can check what else is there.

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#14 a4givensinner


Posted 06 March 2011 - 08:48 PM

Working on it. Thanks!

#15 a4givensinner


Posted 08 March 2011 - 12:28 PM

My husband is going to help me with this tonight.



