Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Not sure I am clean

  • This topic is locked This topic is locked
3 replies to this topic

#1 Chizzler


  • Members
  • 12 posts
  • Gender:Male
  • Local time:09:10 AM

Posted 05 January 2012 - 11:03 PM

Hello. I have recently been infected with the Vista Antivirus 2012 malware. I thought I killed it twice but it came back two weeks later. I cleaned it a 3rd time, but I don't feel confident that's it's really gone. Is there any reliable way too be sure?

Here's some background, it's lengthy but I want to give as much info as I can:
I have a Dell computer running 64-bit Vista Home Premium (service pack 2). I was using Microsoft Security Essentials for a couple of years with no problem until a feww weeks ago the rogue antivirus popped up on my screeen. (It may be coincidence, but it happened while I-Tunes was doing a program update.) At first I thought Microsoft had repackaged MSE--the virus looks very authentic. MSE had been disabled and replaced with the virus. I was able to kill the process in task mgr, rebooted in safe mode, installed Malwarebytes Antimalware from a flash drive and did a scan. Internet Explorer was broken so I scanned with out-dated definitions. MBAM still found and quarantined several files. Just as a precaution, I also ran a scan with a free version of Emisoft Anti-malware that I had installed once some time ago. Emisoft found and removed another file. I couldn't get any browsers or MSE to work, so I used system restore to roll back a few days. Everything seemed to be working again and I re-activated MSE and ran a full scan, found nothing. Just for the heck of it I ran the Emisoft and MBAM scans again, all finding nothing, so I thought I was home free.

About two weeks later, the same thing happened. This time I couldn't kill the process long enough to run any scans, so I system restored back one day. I actually had problems doing the system restore even in safe mode, so I booted in Repair mode and did a system restore from Repair mode. I scanned and cleaned with MBAM, MSE and Emisoft. Emisoft found a few infections--the others found no threats. Most of the infected files where found in the Java\Deployment\Cache folder, so I turned off the Java auto-updater. Just to be sure, I downloaded and ran Super Anti-spyware, which found a few cookies but nothing serious. I rebooted and ran scans from all engines again, all coming up clean.

Later that same day, the malware popped up again. I repeated the same process to restore back two days again and did another bunch of scans until they all reported no threats. The next day I found removal instructions from this website, disabled system restore, and went through the entire procedure from RKill & TDSSKiller thru MBAM. TDSSKiller identified a "suspicious" sptd.sys, but there was no "cure" option so I skipped it. Otherwise, none of the scans found anything. As a precaution, I performed an online scan with Trend Micro Housecalls, which only found a few low risk cookies. Because MBAM seems to hang my PC in normal mode, I did most of the scanning in safe mode. I un-installed MSE and downloaded it from Microsoft, but I have not re-installed it yet. I did re-enable system restore, but all the restore points are from after my last battery of clean scans. For now I have Emisoft running with full time Guard. I have rebooted a few times and run repeated scans with MBAM(safe mode) and Emisoft (normal mode), always showing no threats. I also ran TDSSKiller again in normal mode and found the same suspicious file. I have since also un-installed JAva. I plan to re-install from their website. Meanwhile, I am afraid to allow any program updates except the virus scanners. Maybe I'm just paranoid.

If this virus didn't already come back twice, I would not be concerned. I just don't know if I missed something or if ther is a hole in my security. It got thru once. I often work from home through VPN/remote desktop connection, but I am afraid to do it now. I don't want to bring dowm my whole office.

Does anyone have any suggestions other than wait and see? I would appreciate any advice.
Thank you in advance.

BC AdBot (Login to Remove)


#2 cryptodan


    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:02:10 PM

Posted 05 January 2012 - 11:33 PM

Firstly, I would like to commend you on fighting this issue and taking the guts to admit that you need further help. With that said Please post your TDSSKiller Log in a new topic following the directions here:

Please follow the instructions in ==>Malware Removal and Log Section Preparation Guide<==.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Once you have created the new topic, please reply back here with a link to the new topic.

Most importantly please be patient till you get a reply to your topic.

#3 Chizzler

  • Topic Starter

  • Members
  • 12 posts
  • Gender:Male
  • Local time:09:10 AM

Posted 06 January 2012 - 09:35 PM

Thank you so much for responding so quickly! I've sarted a new post here:

My new post

The new post contains logs from TDSSKiller and DDS. PLease let me know if I do anything wrong. I am not used to working with forums.

Thanks again.

#4 Queen-Evie


    Official Bleepin' G.R.I.T.S. (and proud of it)

  • Members
  • 16,485 posts
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:09:10 AM

Posted 06 January 2012 - 10:13 PM

Since you have posted your logs: Please refrain from asking for further help from other members or staff until the Malware Removal Team has checked your posted log. The Malware Removal Team work very hard to investigate a unique solution to your problem and you will receive individual expert assistance. This takes time and effort so we ask you to please be patient while waiting for assistance and NOT to make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member. Any modifications you make on your own can result in system changes which may not show it the log you already posted. Further, following advice outside of that post may cause confusion for the team member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

The Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean. If you followed any other advice already, please ensure you inform the Malware Removal Team Team Helper when they respond to assist you with your log. This will help them know what has been done and they probably will ask for an updated log.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another Malware Removal Team member is already assisting you and not open the thread to respond.

This topic is now closed.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users