
failed to clean my laptop of win 7 antivirus 2012 virus


32 replies to this topic

#1 LA Juice

LA Juice

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 18 January 2012 - 10:21 PM

Hi all and thank you for all your help here. I have been trolling the forum looking for advice on getting rid of the Win 7 antivirus 2012 virus.
I have an HP Pavilion g7, OS: Windows 7 x64. I typically run McAfee and Superantispyware with daily scans by both.

The laptop began running slow a couple of weeks ago, and I could see weird pop-ups coming and going before I could read them for the last 4 days. Today, the virus started posting the typical warning signs directing me to purchase etc... and would not let me access anything on the internet (Firefox browser), redirected Google and prevented me from accessing programs on my computer.


This morning I followed these clean up instructions:

http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012.

I ran fixNCR, RKill, TDSSKiller and Malwarebytes just as described.

Afterward I downloaded Secunia PSI and updated the files it found problematic, except one java file that would not work.

Everything seemed to be ok, the Win7Antivirus2012 warning pop ups were gone, my browser (firefox) ran faster, the whole laptop ran faster. Several hours later McAfee began showing up, as a pop up telling me my computer needed fixes, and the firewall was turned off.

Nothing I do will turn the windows firewall on: I have tried doing it with the McAfee pop up screen, through McAfee's program screen, and through the control panel.

If I try to turn the firewall on through Windows (Control Panel) I get an error: "Windows Firewall can't change some of your settings. Error code 0x80070424"

It seems like the virus is still on my computer. Can you help?

I downloaded the security check "exe" and have pasted my checkup.txt below

Results of screen317's Security Check version 0.99.30
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
McAfee Total Protection
McAfee Online Backup
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Secunia PSI (2.0.0.4003)
Java™ 6 Update 29
Java version out of date!
Adobe Reader X (10.1.2)
Mozilla Firefox (9.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee Online Backup MOBKbackup.exe
``````````End of Log````````````


Thank you!
EDIT- It seems my computer no longer even has the Windows Firewall. I went to the Microsoft website (http://support.microsoft.com/kb/2530126) trying to get the Windows Firewall back up. I tried all three methods of restoring the firewall offered here. None of the methods even found the firewall, and execution of a repair.bat failed (I have the txt document of the report if anyone wants to see it).

Edited by LA Juice, 18 January 2012 - 10:45 PM.




#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:02:13 PM

Posted 18 January 2012 - 10:54 PM

Download

FSS

Checkmark

Internet Services
Windows Firewall
System Restore
Security Center
Windows Update

Click on "Scan".
Please copy and paste the log to your reply.

#3 LA Juice

LA Juice
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 18 January 2012 - 11:14 PM

OK, here it is. What's next? And thank you!

Farbar Service Scanner Version: 18-01-2012 01
Ran by Tom (administrator) on 18-01-2012 at 20:13:53
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
===========

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:02:13 PM

Posted 18 January 2012 - 11:33 PM

Download

http://public.avast.com/~gmerek/aswMBR.exe

Launch it, allow it to download latest Avast! virus definitions (in your case ignore it)

Click the "Scan" button to start scan. After scan finishes, click on Save log

Post the log results here

Good luck

#5 LA Juice

LA Juice
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 18 January 2012 - 11:38 PM

Ok thanks, am trying. If I am having trouble getting the executable to run, do I need to rename it? EDIT- ok, got it to run

Edited by LA Juice, 18 January 2012 - 11:39 PM.


#6 LA Juice

LA Juice
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 18 January 2012 - 11:44 PM

Well, running the Avast crashed my OS. I launched the scan, it began to run and then I got a blue screen, and had to reboot in safe mode (networking).

Any idea what I should do now? I AM going to briefly log out and then log in from another computer, so that I can better read replies. Will be back in less than 10 minutes

Edited by LA Juice, 18 January 2012 - 11:46 PM.


#7 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:02:13 PM

Posted 18 January 2012 - 11:46 PM

Launch Farbar service scanner again and type

consrv.dll in search box, click on search files

Post the generated log

#8 LA Juice

LA Juice
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 19 January 2012 - 12:06 AM

Run FSS while in safe mode?

#9 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:02:13 PM

Posted 19 January 2012 - 12:08 AM

Go ahead :thumbup2:

Edited by narenxp, 19 January 2012 - 12:08 AM.


#10 LA Juice

LA Juice
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 19 January 2012 - 12:30 AM

OK, done. Here is the result

Farbar Service Scanner Version: 18-01-2012 01
Ran by Tom (administrator) on 18-01-2012 at 21:07:48
Windows 7 Home Premium Service Pack 1 (X64)

************************************************
================== Search: "consrv.dll" ===================

====== End Of Search ======

Your move, chief!

#11 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:02:13 PM

Posted 19 January 2012 - 03:20 AM

To be on the safer side before running registry fixes I would suggest you to


Can you boot into normal mode? If you can boot into normal mode, try this

Download

http://www.snapfiles.com/get/erunt.html

Install it and backup your registry to C:/Windows/erdnt

Now Download the registry files

http://www.mediafire.com/?317ea53a883288d

http://www.mediafire.com/?z6aw8j7997qa7j9

http://www.mediafire.com/?3g2d9ijwwe5aa75

Download three files

Launch them one by one, click YES when you get a prompt


Launch and import them to registry

If it opens as a notepad, right click on them

Click on OPEN WITH

Click on BROWSE

navigate to C:/WINDOWS and select REGEDIT and click ok

Now you should get a UAC prompt, click YES

Restart your PC

Now,open RUN and type

regedit and click ok

go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE

Right click on it-permissions

Click on ADD and type

Everyone and click ok

Now Click on Everyone

Below you have permission for users

Select full control and click ok

Now,open RUN and type

services.msc and click ok

Start the Base Filtering Engine service and then the Windows Firewall service

Good luck

Edited by narenxp, 19 January 2012 - 03:20 AM.
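
A read-only way to confirm what the FSS log reported and to review the permissions on the BFE key after the steps above; this is an added example, not part of the thread or of any tool used in it. The service names and the key path come from the thread; the `Parameters\ServiceDll` location and the list of broad SIDs are assumptions of the example, and it is meant to be run from an elevated PowerShell prompt.

```powershell
# Added example: read-only checks, nothing is modified.
# Service names and the BFE key path come from the thread; the SID list is an assumption.
$root     = 'HKLM:\SYSTEM\CurrentControlSet\services'
$services = 'MpsSvc', 'BFE', 'wscsvc'          # keys the FSS log reported as missing
$startMap = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

foreach ($name in $services) {
    $key = Join-Path $root $name
    if (-not (Test-Path $key)) {
        "{0,-7} service key does not exist" -f $name
        continue
    }
    $props = Get-ItemProperty -Path $key
    $dll   = $null
    $param = Join-Path $key 'Parameters'       # svchost-hosted services keep ServiceDll here
    if (Test-Path $param) { $dll = (Get-ItemProperty -Path $param).ServiceDll }

    $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'not registered' }
    $start = if ($startMap.ContainsKey([int]$props.Start)) { $startMap[[int]$props.Start] } else { $props.Start }

    "{0,-7} Start={1} Status={2}" -f $name, $start, $state
    "        ImagePath={0}"  -f $props.ImagePath
    "        ServiceDll={0}" -f $dll
}

# Review who holds FullControl on the BFE key (the key whose permissions are edited above).
$bfeKey = Join-Path $root 'BFE'
if (Test-Path $bfeKey) {
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, Users
    $full  = [System.Security.AccessControl.RegistryRights]::FullControl
    # Ask for SIDs instead of names so the comparison does not depend on the OS language.
    $rules = (Get-Acl -Path $bfeKey).GetAccessRules(
                 $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $isBroad = $broadSids -contains $rule.IdentityReference.Value
        $isFull  = ($rule.RegistryRights -band $full) -eq $full
        if ($rule.AccessControlType -eq 'Allow' -and $isBroad -and $isFull) {
            "BFE key: {0} has FullControl (inherited: {1})" -f $rule.IdentityReference.Value, $rule.IsInherited
        }
    }
}
```

Any line printed by the second part names a broad group that can rewrite the BFE service configuration, so it is worth reviewing once the Base Filtering Engine and Windows Firewall services start.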


#12 LA Juice

LA Juice
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 19 January 2012 - 12:02 PM

Ok- Im back and will follow your instructions and see what happens. Thanks!

#13 LA Juice

LA Juice
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 19 January 2012 - 12:32 PM

Ok, I am stalled at this point: "navigate to C:/WINDOWS and select REGEDIT and click ok"

I cannot find the REGEDIT file folder in C:/Windows. What am I missing/failing to understand? I did a Google search "find registry in windows 7", but everyone sends me to the start button, run method.

#14 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:02:13 PM

Posted 19 January 2012 - 03:32 PM

Let's try this

Rename the registry files from

bfe.reg.txt to bfe.reg
firewall.reg.txt to firewall.reg
wscsvc64.reg.txt to wscsvc64.reg

Try to launch it now, click YES when you get the UAC prompt

OR

click on start button and type

REGEDIT and press ENTER

Click on FILE-IMPORT

import all the three files and proceed with other instructions

Good luck

#15 LA Juice

LA Juice
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 19 January 2012 - 04:29 PM

OK, your process worked - THANK YOU! I got through the whole process, the control panel and McAfee show the firewall is on. I really hope that virus is gone for good. Of course after all the other threads I have read with this problem, I fear I will still have to remain vigilant.

Last questions: I have run Malwarebytes, TDSS, SuperAntiSpyware in both safe and normal modes in the last 24 hours, but do you think I should do it again? What about changing my system's clock to 6 days ahead and then running the virus scans - do you think there is any merit to taking these extra steps?



