
"Essential Cleaner" fake AV



#1 johro404


Posted 06 May 2011 - 10:35 PM

I searched for this problem on the forums and couldn't find it posted. Sorry in advance if I missed it. I followed this Yahoo post to the BleepingComputer forums:

http://answers.yahoo.com/question/index?qid=20110506163318AAhZuhH

In a nutshell, when I log in I get this fake anti-virus scan by "Essential Cleaner" that only takes 30 seconds (a real scan takes an hour) that finds "36 viruses." At that point, I get popup reminders that I'm infected, memory errors, and eventually BSOD.

I booted into safe mode and ran rkill (thanks to those who posted about rkill in the Yahoo post above) and it noted issues with:

Rkill was run on 05/06/2011 at 19:09:39.
Operating System: Windows ™ Vista Home Premium

Processes terminated by Rkill or while it was running:

C:\Windows\SysWOW64\InfDefaultInstall.exe
C:\Windows\SysWOW64\runonce.exe

Rkill completed on 05/06/2011 at 19:09:43


Even after running rkill, neither Malwarebytes nor AVG found the malware. The original poster above said he manually deleted the infected files, but this doesn't seem like a good idea. The two files mentioned in the rkill log are date stamped 1/20/08, so I worry about these being necessary system files that are just infected.

Any thoughts anyone? In the meantime, I may try the other scanner utilities mentioned in the Yahoo post.



#2 johro404


Posted 06 May 2011 - 11:30 PM

Quick update:

I uploaded the two files stopped by rkill to Jotti, and neither was infected.

http://virusscan.jotti.org/en

#3 johro404


Posted 07 May 2011 - 12:08 AM

I believe I've fixed my problem. In case it helps someone else, I did the following in "safe mode with networking" after running rkill (which I had to rename with a .scr extension to get around the malware).

SuperAntiSpyware found a little over 100 tracking cookies, which was nice but not my problem.

Hitman Pro 3 also cleaned up some more cookies and quarantined:

C:\ProgramData\iN06509CgCoI06509\iN06509CgCoI06509.exe

I think this was my problem.

Hope that helps someone.
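
Added example, not part of the posts above: a triage check for the file layout reported in post #3, where the quarantined executable sat in a folder directly under C:\ProgramData with the same random-looking name as the file itself. The function names, the extension list and the "letters plus digits, 10 or more characters" rule are assumptions chosen for illustration; every sample path other than the two taken from the thread is constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumption: extensions treated as "executable" for this check.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def looks_random(name: str, min_len: int = 10) -> bool:
    """Assumed heuristic: a long name that mixes letters and digits."""
    return (len(name) >= min_len
            and re.search(r"[A-Za-z]", name) is not None
            and re.search(r"\d", name) is not None)


def is_suspicious(path: str) -> bool:
    """True for <drive>\\ProgramData\\<name>\\<name>.<exec ext> with a random-looking <name>."""
    p = PureWindowsPath(path)
    parts = p.parts
    # Exactly four parts: drive root, ProgramData, folder, file.
    if len(parts) != 4 or parts[1].lower() != "programdata":
        return False
    folder = parts[2]
    return (p.suffix.lower() in EXEC_EXTS
            and p.stem.lower() == folder.lower()
            and looks_random(folder))


def triage(paths):
    """Return the paths that match the layout, in input order."""
    return [p for p in paths if is_suspicious(p)]


SAMPLE_PATHS = [
    r"C:\ProgramData\iN06509CgCoI06509\iN06509CgCoI06509.exe",  # from post #3
    r"C:\Windows\SysWOW64\runonce.exe",                          # from the rkill log
    r"C:\ProgramData\ExampleVendor\ExampleVendor.exe",           # constructed
    r"C:\ProgramData\ExampleVendor2011Suite\updater.exe",        # constructed
    r"C:\Users\user\AppData\Local\Temp\a1b2c3d4e5f6\a1b2c3d4e5f6.exe",  # constructed
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PATHS):
        print("review:", hit)
```

A match is only a reason to inspect the file, for example by uploading it to a multi-engine scanner as done in post #2.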



