Infected by program titled: Windows Critical Scanner


  • This topic is locked
15 replies to this topic

#1 BallyZACA

Posted 16 April 2012 - 10:53 AM

Attn: BleepingCom Tech:

Appreciate ANY help you guys can provide in ridding my computer of this program, don't know what to call it, but a scam to fleece individuals out of $19.95, by trespassing on my privacy. Please provide ANY information about how I may track-down these criminals, so as, my son and his law firm can bring them to justice via a class-action suit, even by those who PAID their ransoms and purchased this scam program titled: Windows Critical Scanner! Be advised I still have the e-mail with the hot-link I clicked-on and can provide "IF" it may help locate these bast**ds!

Also, please accept my apologies for including the hot-link in my initial contact, thinking it might help to solve the problem? Obviously, it was the wrong thing to do, but have NO previous experience with these issues.

Sincerely,
Curt Butler
XXXXXXXXXXXXXXXXX

BELOW THE REQUESTED .TXT (ITEMS 6-9) FROM THE PREPARATION GUIDE; ANY ADDITL. HELP REQUIRED, PLEASE ASK!


Edited by jgweed, 17 April 2012 - 07:01 AM.



#2 BallyZACA

Posted 16 April 2012 - 11:05 AM

appears the ark.txt file didn't attach to my previous e-mail? Will attach to this reply (below). Also, be advised the GMER file which you advised may take some time to complete, be advised it took hours to complete? And noticed nothing was added to the ark.txt list after the first minute (or, two)?? Also, noticed the program ran through many .temp files and believe even programs that have long since been deleted from my HDD?? Is this normal?? And, would like to remove ALL .temp files from my computer, any directions please provide, or where I might locate online??

Thanks,
Curt Butler
XXXXXXXXXXXXXXXXXXXX

-END-

[Moderator edit: E-mail address removed to prevent spambot harvesting. jgw]

Attached Files

  • Attached File  ark.txt   5.27KB   3 downloads

Edited by jgweed, 17 April 2012 - 07:00 AM.


#3 nasdaq

Posted 19 April 2012 - 10:40 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.
===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know what problem persists.

p.s. We have no way of knowing how you were infected with this FakeMalware.

#4 BallyZACA

Posted 19 April 2012 - 11:58 AM

... Attached is the checkup.txt file, however, didn't downld. and install the Malware Anti-Malware (Buy) file, as my HDD has existing software that works fine. This was a simple error on my behalf of "clicking without thinking"! Spybot has I believe removed the problem, however, I believe it still lies dormant. There is another Malware program called "Windows Crucial Scanner", which I believe is the forerunner of "Windows Critical Scanner"? Am a bit surprised that TDSSKiller didn't have a fix, but ran it after dwnld/install of Spybot; and, can't find anything within my Registry that relates to the HKEY files identified within the fix instructions for Windows Crucial Scanner? [Please Note: the difference between the two programs, i.e., the words "Crucial" and "Critical", and I'd been infected by the latter].

Thx. Curt


#5 nasdaq

Posted 19 April 2012 - 01:34 PM

There is no need for you to buy Malwarebytes. The paid version has more functions, that is all.

Security issue.

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall
===

Please post the ComboFix log for my review.

#6 BallyZACA

Posted 19 April 2012 - 07:38 PM

What a nightmare... dwnld/installed Adobe X... attempted to locate previous version (9.0+) and it wasn't there... assume version X (10.0+) overwrote or deleted it?

Next dwnld/installed... ComboFix... disabled everything except ZoneAlarm & Windows Security Essentials, the latter (WSE) can't determine "HOW" to shut it down?? Only right-click option offered is OPEN?

Also while ComboFix was running... ZoneAlarm continued to give me Yellow & Red Alerts caused by ComboFix, but continued to authorize (maybe 20+ times), finally got a warning message that related that ComboFix had issues with WSE, but continued until a final message - "continue at your own risk, you may damage your computer!" (something to that effect); and, of course, CXL the process clicking DENY to continuing alerts coming from ZoneAlarm (4-or-5 times).

That's where I left it and am gonna' hit the rack... it's 2:30am here; and, have had enuf' for the 4th day of doing nothing but fighting Malware and Trojans. Oh, by the way WSE did show a deleted program from recent reinstalled history, having deleted and reinstalled the program due to conflict with this damn "Windows Critical Scanner"! The deleted file was titled "Rogue:Win32/FakePAV" - Severe - Description: Dangerous, executes commands from an attacker.

Thanks for the help... "HELP"!! Need directions on "HOW" to disable WSE "IF" you want me to proceed with the ComboFix program??

Curt

-END-

#7 nasdaq

Posted 20 April 2012 - 08:09 AM

Before we go any further please download and run Malwarebytes.
GO to
http://www.malwarebytes.org/

Click the Download button and follow the instructions. It's free.

Please post the log for my review.

#8 BallyZACA

Posted 20 April 2012 - 01:10 PM

Dwnld. and installed Malwarebytes... ran program... saved the log.txt file... clicked and deleted some 609 objects identified (believe that was the figure), but after was unable to locate the log.txt file?? If I'd known it was going to be deleted on closing I would have copied it and pasted it into a new .txt file, especially since I had saved the log and it was lying on my desktop. Don't know what happened?? Could run the program again, but it will be missing the deleted files, which I assume you wanted to view??

Let me know what to do from here??

Curt

-END-

#9 nasdaq

Posted 20 April 2012 - 01:31 PM

Run ComboFix and post the log if you can.

If no joy then run this tool.

  • Download OTL to your Desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    explorer.exe
    svchost.exe
    userinit.exe
    qmgr.dll
    proquota.exe
    kernel32.dll
    ndis.sys
    autochk.exe
    spoolsv.exe
    xmlprov.dll
    ntmssvc.dll
    mswsock.dll
    Beep.SYS
    ntfs.sys
    termsrv.dll
    sfcfiles.dll
    st3shark.sys
    ahcix86.sys
    srsvc.dll
    /md5stop
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
===
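An added illustration, written for this page and not OTL's own code or anything posted in the thread, of what two of the custom-scan directives above ask for: hashing the listed system files wherever a copy appears (the /md5start ... /md5stop block) and listing drivers changed in the last 90 days (the "*.sys /90" line). It runs against a constructed fake %systemroot% in a temporary directory, so it works offline; the file names are a subset of the list in the post, and the file contents and timestamps are made up.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Constructed subset of the /md5start ... /md5stop list in the OTL custom scan above.
WATCHED = ["explorer.exe", "svchost.exe", "userinit.exe", "atapi.sys", "ntfs.sys"]

def md5_of(path):
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_watched(root, names=WATCHED):
    """Walk `root` and return {name: {md5: [paths]}} for every copy of each watched name.
    One name seen with two different hashes is what the md5 check is meant to surface:
    a patched driver sitting next to the original (or next to its backup copy)."""
    wanted = {n.lower(): n for n in names}
    found = {n: {} for n in names}
    for d, _sub, files in os.walk(root):
        for fn in files:
            name = wanted.get(fn.lower())
            if name:
                p = os.path.join(d, fn)
                found[name].setdefault(md5_of(p), []).append(p)
    return found

def inconsistent(found):
    """Watched names that occur with more than one distinct hash under the scanned root."""
    return sorted(n for n, by_hash in found.items() if len(by_hash) > 1)

def recent_drivers(driver_dir, days=90, now=None):
    """Mirror the '*.sys /90' directive: .sys files in driver_dir modified in the last N days."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    return sorted(p.name for p in Path(driver_dir).glob("*.sys") if p.stat().st_mtime >= cutoff)

def run_demo():
    """Scan a constructed fake %systemroot% (a temp directory, not a real Windows tree)."""
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp, "system32", "drivers")
        drivers.mkdir(parents=True)
        (drivers / "atapi.sys").write_bytes(b"clean atapi")
        (Path(tmp) / "atapi.sys").write_bytes(b"patched atapi")  # stray copy, different hash
        (drivers / "ntfs.sys").write_bytes(b"ntfs")
        old = time.time() - 400 * 86400
        os.utime(drivers / "ntfs.sys", (old, old))  # untouched for over a year: not "recent"
        found = hash_watched(tmp)
        return {"inconsistent": inconsistent(found), "recent": recent_drivers(drivers),
                "copies": {n: sum(len(v) for v in h.values()) for n, h in found.items()}}
```

A real baseline comparison would add a dictionary of known-good hashes per Windows build and flag any copy whose hash is absent from it; the duplicate-hash check above needs no such baseline.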

#10 BallyZACA

Posted 20 April 2012 - 07:05 PM

OK deleted MSE from the HDD, so as, to avoid another conflict with ComboFix, and disabled ZoneAlarm... then I ran ComboFix... at the point it asked to update MS Console I clicked YES, and lost my internet connection (possibly before?), however, encountered this yesterday at the same point; however, the AutoScan appears to continue to run and am hopeful, there will be files to transfer to your attention in the morning, as it appears this is going to be more than a 10-minute solution, or even double the time, but more like hours!

Thx! Back at ya' in the AM... Curt

-END-

#11 BallyZACA

Posted 21 April 2012 - 04:00 AM

Awakened this morning to find ComboFix had completed the log file, however, the MS Console option to add files never popped-up again. Believe that can be updated/set outside of ComboFix, as I came across it somewhere in the tools drop-down window (I believe?). Anyway, attached is C:\ComboFix.txt.

Curt

-END-


#12 nasdaq

Posted 21 April 2012 - 10:15 AM

The log is clean.

Any remaining issues?

#13 BallyZACA

Posted 21 April 2012 - 10:43 AM

Am I to understand... that's it, problem solved??

Thanks for the program "Malwarebytes Anti-Malware", it's the first time I've seen a company offer their program on a trial basis, which gives the user the FULL use of the program to perform ALL functions of the program during the evaluation period. Because of this never-seen-before option I will be a buyer of the program; and, furthermore, it works better than ANY of many similar Virus/Trojan/Malware removal and tune-up programs offered. Thx!

Curt (aka, Cyber-Vigilante)

-END-

#14 nasdaq

Posted 21 April 2012 - 01:03 PM

Glad we could help.

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#15 BallyZACA

Posted 22 April 2012 - 04:52 PM

Thanks for ALL your help and ANYONE who aided me in solving the "Windows Critical Scanner" issue... you guys/gals at BleepingCom are the best. Thx Again!

Curt

-END-
