
Unable to remove Win 7 antispyware pro 2013


  • This topic is locked
5 replies to this topic

#1 Kikyo.enn

Kikyo.enn

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:18 AM

Posted 10 December 2012 - 02:12 AM

Hello!
I have tried to follow bleepingcomputer's guide (http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-pro-2013) but I'm still unable to remove the Win 7 antispyware pro 2013 virus! I am unable to proceed to step 4.
I am using an HP laptop with Windows 7. I connect to the Internet using mobile broadband.
I started my laptop in Safe Mode with Networking, but I couldn't open Internet Explorer; it would always be closed by the virus even if I left the virus window open. I am also unable to connect to the Internet.

PLEASE HELP!!! It's really inconvenient and I'm really worried.



#2 Kikyo.enn

Kikyo.enn
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:18 AM

Posted 10 December 2012 - 07:07 AM

Please help!!!

#3 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:18 PM

Posted 10 December 2012 - 10:11 AM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#4 Kikyo.enn

Kikyo.enn
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:18 AM

Posted 10 December 2012 - 10:43 AM

Hello, sorry for troubling you~
I have managed to complete all the steps on bleepingcomputer's guide and I think my computer is free of the virus now.
However I did not use "Safe mode with networking" as I could not connect to the internet this way.
I started my computer the usual way and followed all the steps. Will there be any problems this way? :(
Can you please help me check if the virus is completely removed?
Thank you soooooo much!!


Here are my logs from Malwarebytes Anti-Malware:

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.10.04

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
user :: USER-HP [administrator]

Protection: Disabled

10/12/2012 9:10:55 PM
mbam-log-2012-12-10 (21-10-55).txt

Scan type: Full scan (C:\|D:\|Q:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 547065
Time elapsed: 2 hour(s), 5 minute(s), 51 second(s)

Memory Processes Detected: 1
c:\windows\installer\{c9c44f43-d661-47f8-47d9-b72e26b2d36d}\syshost.exe (Trojan.Agent) -> 3020 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSHOST32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SYSTEM\CurrentControlSet\Services\syshost32|ImagePath (Trojan.Agent) -> Data: "C:\Windows\Installer\{C9C44F43-D661-47F8-47D9-B72E26B2D36D}\syshost.exe" /service -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\user\AppData\Local\bky.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 10
C:\Users\user\AppData\Local\bky.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JU8ADKUR\data[1].exe (Trojan.Lameshield) -> Quarantined and deleted successfully.
C:\Users\user\Downloads\SoftonicDownloader_for_adobe-photoshop.exe (PUP.OfferBundler.ST) -> Quarantined and deleted successfully.
C:\Users\user\Videos\SoftonicDownloader_for_photo-editor.exe (PUP.OfferBundler.ST) -> Quarantined and deleted successfully.
c:\windows\syshost.exe (Trojan.Downloader) -> Delete on reboot.
c:\users\user\appdata\local\temp\syshost.exe (Spyware.Agent) -> Delete on reboot.
c:\windows\serviceprofiles\localservice\appdata\local\temp\syshost.exe (Spyware.Agent) -> Delete on reboot.
c:\windows\serviceprofiles\networkservice\appdata\local\temp\syshost.exe (Spyware.Agent) -> Delete on reboot.
c:\windows\temp\syshost.exe (Spyware.Agent) -> Delete on reboot.
c:\windows\installer\{c9c44f43-d661-47f8-47d9-b72e26b2d36d}\syshost.exe (Trojan.Agent) -> Delete on reboot.

(end)
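The Malwarebytes log above shows two persistence points worth re-checking after cleanup: the IEXPLORE.EXE StartMenuInternet hijack (a wrapper launching the browser as an argument) and the syshost32 service running from C:\Windows\Installer\{GUID}\. The following PowerShell script is an added example, not something posted in this thread or shipped with Malwarebytes; it only reads the registry keys quoted in the log and reports anything matching those two patterns.

```powershell
# Added example (not from the thread): flag the two persistence points seen in
# the Malwarebytes log - a browser-launch hijack under StartMenuInternet and a
# service whose ImagePath lives in Windows\Installer\{GUID}\ or a Temp folder.
# Run from an elevated PowerShell prompt; the keys are the ones quoted in the log.

$findings = @()

# 1. StartMenuInternet: the (default) value of shell\open\command should be the
#    browser itself, not a wrapper that starts the browser as an argument.
Get-ChildItem 'HKLM:\SOFTWARE\Clients\StartMenuInternet' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $browser = $_.PSChildName                       # e.g. IEXPLORE.EXE
    $cmdKey  = Join-Path $_.PSPath 'shell\open\command'
    $cmd     = (Get-ItemProperty $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($cmd) {
      # Collect every .exe token in the command; a clean entry has exactly one,
      # and its file name is the browser key name.
      $exes = @([regex]::Matches($cmd, '(?i)[^"\s]+\.exe') | ForEach-Object { $_.Value })
      $launcher = Split-Path $exes[0] -Leaf
      if ($exes.Count -gt 1 -or $launcher -ne $browser) {
        $findings += "StartMenuInternet hijack: $browser is launched via '$cmd'"
      }
    }
  }

# 2. Services: an ImagePath under Windows\Installer\{GUID}\ or any \Temp\ folder
#    is the pattern the log shows for the syshost32 service.
$suspicious = '(?i)\\Windows\\Installer\\\{[0-9a-f\-]+\}\\|\\Temp\\'
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
  $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
  if ($img -and $img -match $suspicious) {
    $findings += "Service $($_.PSChildName) runs from '$img'"
  }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No StartMenuInternet hijack or Installer/Temp-folder service found.' }
```

On the "Bad:" value from the log the command contains two .exe tokens (bky.exe and iexplore.exe), so it is reported; the "Good:" value iexplore.exe contains one and matches the key name, so it is not.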

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:18 PM

Posted 10 December 2012 - 01:15 PM

please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:18 PM

Posted 17 December 2012 - 09:41 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




