firewall & anti-virus blocker adds shield to icons


This topic is locked
21 replies to this topic

#1 garyjs (Members)

Posted 28 February 2013 - 06:28 PM

This virus or malware prevents access to your firewall and anti-virus apps and shuts off internet access. I had to manually remove it from my desktop a few years ago, but now it's back on a friend's laptop, and I cannot recall how I removed it the last time. The only indicator of its presence is the small shields it adds to the icons for anti-virus and firewall apps. It also installs those shields internally on Windows interface utilities in the Control Panel and will not allow the user to make any changes to the system to remove it.

 
I need help, and thank you in advance!


#2 garyjs (Topic Starter)

Posted 01 March 2013 - 11:32 AM

This morning I tried to use the system restore to get around the presence of the virus/malware infection. I first disabled the anti-virus/malware apps (ZoneAlarm & Advanced System Care 6) and attempted to restore to a point several days previous to the time the virus made itself known by the appearance of the shields on the icons on the desktop. No joy. I attempted about an even dozen times to restore to several different dates/times but every attempt met the same end: the system could not complete the restore, perhaps due to the presence of an anti-virus program active in the system. There was NO anti-virus app active.

 

I am well and truly stumped.



#3 nasdaq (Malware Response Team)

Posted 02 March 2013 - 10:04 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
IMPORTANT !!! Save ComboFix.exe to your Desktop
 
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this is fixed.
 
How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html
 
Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall.
 
Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
 
Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===
 
Third-party programs, if not up to date, can be the cause of an infection.
 
Please run this security check for my review.
 
Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===
 
Search for and delete the adware and PUPs (Potentially Unwanted Programs) installed on your computer.
 
Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Delete tab and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
Please post the logs and let me know if the problem persists.


#4 garyjs (Topic Starter)

Posted 02 March 2013 - 12:27 PM

Attached Files: AdwCleanerS1.txt (12.11KB), checkup.txt (990bytes), combofix.txt (24.29KB)

Okey-dokey, nasdaq. Thanks for your help. I DL'd the apps to my laptop, copied them onto a flash drive and then copied them onto the desktop of the infected laptop. I then ran them in the order you provided and saved the log files to the desktop. Then I copied the logs to the flash drive, back to my laptop, and am now posting them here for you. The AdWare app did delete many Registry entries but I do not think it managed to destroy the malware infecting the laptop.



#5 garyjs (Topic Starter)

Posted 02 March 2013 - 12:34 PM

Attached File: AdwCleanerR1.txt (11.94KB)

There is a 2nd AdWare log file. I am attaching it here for you:

 



#6 nasdaq (Malware Response Team)

Posted 02 March 2013 - 01:51 PM

That was a good cleanup.
 
Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.


#7 garyjs (Topic Starter)

Posted 02 March 2013 - 02:50 PM

Attached File: FSS.txt (2.23KB)

The FSS.txt is attached....



#8 nasdaq (Malware Response Team)

Posted 03 March 2013 - 08:45 AM


Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is offline
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Attempt to access Yahoo.com returned error: Other errors

Is this error relevant?
Can you connect to the internet?
===

Please download RogueKiller by Tigzy from one of the links below and save it to your desktop.

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7, right-click on the program, select Run as Administrator to start, and when prompted allow it to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report, which should be located on your desktop.
====


#9 garyjs (Topic Starter)

Posted 03 March 2013 - 11:48 AM

Hi, Nasdaq:

I really did not expect a response from you on Sunday, though I am quite happy you did. My roommate is suffering terrible withdrawals without her laptop up and running....

We have a wi-fi hotspot in the house and her laptop has been working just fine with it until this virus/malware struck. So no, her infected machine has lost the connection (though it does 'see' the connection, it cannot send or receive data). I DL'd your apps to a flash drive and move them between my laptop and hers. Here is the log file you requested.



#10 nasdaq (Malware Response Team)

Posted 04 March 2013 - 09:25 AM

     
Run RogueKiller again and click Scan.
When the scan completes > click on the Registry tab.
Put a check next to all of these items below and uncheck the rest (if found):

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND

Now click Delete on the right hand column under Options.

Post back the report, which should be located on your desktop.
===

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List installed programs

Click Go and copy/paste the log (Result.txt) into your next post.
Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.
===

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

p.s.
Can she start in Safe Mode with Internet connectivity?


#11 garyjs (Topic Starter)

Posted 04 March 2013 - 10:37 AM

Attached Files: FSS04Feb.txt (2.23KB), MTBResult.txt (21.67KB), RKreport3_D_03042013_02d1016.txt (2.44KB)

Hi, nasdaq: Here are the 3 log files you requested. In addition, you asked if the affected laptop could access the internet. The answer is that it used to be able to, but has lost that ability due to this critter we are trying to kill.



#12 nasdaq (Malware Response Team)

Posted 04 March 2013 - 01:32 PM

1. Click on the Start button.
2. Type Cmd in the Start Search text box.
3. Press the Ctrl-Shift-Enter keyboard shortcut to run Command Prompt as Administrator. Allow the elevation request.
4. Type netsh int ip reset in the Command Prompt shell, and then press the Enter key.
5. Restart the computer.

The command will remove all user-configured settings and return TCP/IP to its original default state by rewriting the pertinent registry keys used by the Internet Protocol (TCP/IP) stack, achieving the same result as removing and reinstalling the protocol.
===

If that fails, try this.

Clear the ARP cache

Instructions under this heading:
How to Clear the ARP Cache in Windows 7
===

Keep me posted.
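The items nasdaq asks for in posts #10 and #12 (the DisableRegistryTools policy values, the IE proxy settings, the hosts file, the Winsock catalog and basic reachability) can be collected read-only with the PowerShell script below. It is an added example, not one of the thread's tools or logs; it assumes the `[...]` in RogueKiller's `HKLM\[...]\System` lines stands for the standard `Policies\System` key (where Windows reads that policy) and that the machine runs Windows 7 or later with PowerShell 2.0 or later.

```powershell
# Added read-only triage script (not from the thread). It reports the settings the
# helper inspects with RogueKiller and MiniToolBox and changes nothing.
# Assumption: RogueKiller's "HKLM\[...]\System" is the standard Policies\System key.

function Get-PolicyLockouts {
    # DisableRegistryTools = 1 blocks regedit; malware sets it to resist cleanup.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
            if ($null -ne $p.$name) {
                New-Object PSObject -Property @{ Key = $k; Value = $name; Data = $p.$name }
            }
        }
    }
}

function Get-ProxyState {
    # A hijacked proxy or PAC URL gives exactly "sees the network but moves no data".
    $is = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    New-Object PSObject -Property @{
        ProxyEnable   = $is.ProxyEnable
        ProxyServer   = $is.ProxyServer
        AutoConfigURL = $is.AutoConfigURL
    }
}

function Get-ActiveHostsEntries {
    # A stock hosts file has only comments; any active line deserves a look.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object { $_ -match '^\s*[^#\s]' }
}

'== Policy lockouts (a clean machine lists none) =='
Get-PolicyLockouts | Format-Table Key, Value, Data -AutoSize
'== Proxy settings (expect ProxyEnable 0 and no ProxyServer/AutoConfigURL) =='
Get-ProxyState | Format-List ProxyEnable, ProxyServer, AutoConfigURL
'== Active hosts entries =='
Get-ActiveHostsEntries
'== Winsock catalog providers (look for unfamiliar LSPs) =='
netsh winsock show catalog | Select-String 'Description'
'== Reachability, the same check FSS.txt reports =='
Test-Connection -ComputerName www.google.com -Count 1 -Quiet
```

Run it from an elevated PowerShell prompt on the affected machine and compare the output against the RogueKiller and MiniToolBox logs; it only reads, so the cleanup itself is still done with the tools the helper names.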


#13 garyjs (Topic Starter)

Posted 04 March 2013 - 03:32 PM

I ran the command line as you stated. The reset was successful, but while the system 'sees' the wi-fi connection as it should, there is no 'connection' to it.



#14 nasdaq (Malware Response Team)

Posted 05 March 2013 - 08:59 AM

Create a new User account and give it Administrator rights.

How to:
http://www.howtogeek.com/howto/5261/beginner-geek-add-a-new-user-account-in-windows-7/

Can you now connect with this new user?



#15 garyjs (Topic Starter)

Posted 05 March 2013 - 10:02 AM

Hi, nasdaq:

I set up a new user - TestAdmin - and gave it Admin rights. After logging in as TestAdmin and having the OS set up the new desktop, I found there was NO internet access, and the virus/malware has spread throughout the new login. I have done 3 screen caps (BMPs) to give you some idea of how invasive this critter is, but they are all too large for your upload utility to accept. Sorry 'bout that. But if you could see them, you would note the presence of the blue & yellow shields throughout the desktop and the Control Panel windows. This thing is all over the OS, nasdaq...





