
Windows Security Rogue Antivirus

No replies to this topic

#1 Robert Neville

  • Members
  • 1 posts

Posted 25 February 2011 - 05:25 PM

Hello,

Yesterday night my dad's computer with Vista got a redirect from a website to a Windows Security Rogue Antivirus. I'm sure you guys know how that works, so I closed out Mozilla Firefox as fast as I could and disconnected my internet. From there I panicked a bit and ran a Windows Defender scan and a McAfee Security Center scan, and both came up empty. However, I could tell something was still wrong because his task manager showed three unauthenticated processes: winlogon.exe, csrss (or something like that).exe, and rundll32.exe.
None of these three processes allowed me to right-click and check properties, instead only giving an option to "run administrative task" or something like that.

My dad's computer only had McAfee and Windows Defender when this happened. However, I kept the computer on all night (because the McAfee scan took that long) and this morning I successfully installed an older version of Malwarebytes, which found 7 adware.coupons and deleted them. I still felt like that wasn't it, and the task manager processes hadn't gone away, so I read a bunch of stuff about getting rid of rogue anti-viruses online and most things said, including on this site, to run RKill and then Malwarebytes again in safe mode.
At some point while I was in my morning class my dad had restarted his computer in normal mode from safe mode, and since then McAfee is disabled.
I ended up restarting into safe mode and using RKill, and the first time it ran, it disabled some malware process called "xe".
So I ran Malwarebytes and it still found nothing!
Then I downloaded SuperAntiSpyware from this computer I'm on and transferred it to my dad's computer with a jump drive.
SuperAntiSpyware found 79 adware cookies and 1 trojan, a "Gen-WinLogon.exe (fake)".
I let Malwarebytes do its thing but McAfee was still disabled.
I installed and ran Spybot and it found absolutely nothing! However, as it was scanning I noticed that it actually passed some virtumonde.sci and virtumonde.sdn files but did not flag them.
I went online and did my research to find that McAfee online says the winlogon.exe and rundll32.exe can be infected by Virtumonde/Vundo trojans, so I am now at the only conclusion I can possibly have:
That my dad has some sort of Vundo/Virtumonde on his system.

So I again tried to run RKill, and ran it five times (some guy on another forum said he had to do so before he could do anything), yet it found no malicious processes. Getting very ticked off, I went online on my computer and downloaded the most up-to-date version of Malwarebytes and put it on my dad's computer; as I mentioned, the one I gave him that had already been on my computer was out of date.
I uninstalled it and tried to reinstall the new one, but now it "installs" really quick, says it's finished, and doesn't actually install. I had renamed it to m.exe as some people online mentioned they tried, but it did not help.

So now what do I do? I can no longer install any malware programs I guess, or I just don't know what else to try installing.
And yes, my dad ran a HijackThis log this morning before we ever restarted the computer, and I compared it to an older log he had, and it was exactly the same; it didn't show anything unusual.

Should I go into normal mode and then try to install Malwarebytes? Are there other techniques I can try to get rid of this or even detect it? Also, I don't know if it is a Vundo, but can I run a VundoFix without first running Malwarebytes?

Any help would be appreciated, Thanks
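The post's core observation is that processes named winlogon.exe, csrss.exe and rundll32.exe appeared in Task Manager but could not be inspected, and SuperAntiSpyware later reported a fake WinLogon.exe. The following is an added example for readers in the same situation; it is not from the original post or from any of the tools it mentions. It lists every running process that carries one of the core Windows process names and reports where its image file actually lives and whether that file has a valid Authenticode signature. It assumes Windows PowerShell 2.0 or later (PowerShell has to be installed separately on Vista) and an elevated 64-bit PowerShell prompt, since image paths of system processes are not readable otherwise; the list of watched names and the allowed directories are the example's own choices.

```powershell
# Added example, not from the original post. Reports, for each process with a
# core Windows process name, the image path and Authenticode status, and flags
# images that live outside the expected system directories.
# Assumes Windows PowerShell 2.0+ run as administrator (64-bit shell on 64-bit Windows).

$watched = @('winlogon', 'csrss', 'rundll32', 'svchost', 'lsass', 'services')

# Genuine copies of these binaries live in System32 (and SysWOW64 on 64-bit Windows).
$allowed = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

Get-Process | Where-Object { $watched -contains $_.Name } | ForEach-Object {
    $proc = $_
    try {
        $path = $proc.Path
    } catch {
        # Protected processes (csrss in particular) may refuse the query even when elevated.
        $path = $null
    }

    if (-not $path) {
        New-Object PSObject -Property @{
            Name = $proc.Name; Id = $proc.Id; Path = '<not readable>'
            Signature = 'n/a'; OutsideSystemDir = 'unknown'
        }
        return   # inside ForEach-Object this moves on to the next process
    }

    # Caveat: on Vista/7 many genuine system binaries are signed through a security
    # catalog rather than an embedded signature, and Get-AuthenticodeSignature there
    # reports them as NotSigned. Treat the image path as the primary signal and the
    # signature status as supporting evidence, not proof either way.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $dir = Split-Path -Parent $path
    $outside = -not ($allowed -contains $dir)   # -contains is case-insensitive for strings

    New-Object PSObject -Property @{
        Name = $proc.Name; Id = $proc.Id; Path = $path
        Signature = $sig.Status; OutsideSystemDir = $outside
    }
} | Format-Table Name, Id, OutsideSystemDir, Signature, Path -AutoSize
```

A row whose OutsideSystemDir column is True (for example a winlogon.exe running from a user profile or Temp directory) is the kind of finding the poster was trying to confirm by right-clicking in Task Manager; rows marked "not readable" need a second look with an elevated shell, and a NotSigned status on an old Windows version is not by itself evidence of tampering for the reason given in the comment.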
