Help with Vista Antivirus 2010

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sharpies, Mar 6, 2010.

  1. sharpies

    sharpies Private E-2

    Hi, yesterday I discovered my computer to be infected with the Vista Antivirus 2010 virus. I've gotten many pop-ups, programs blocked, and troubles when I try to turn on my computer. I've downloaded rkill.exe and ran it (trying to follow the advice of another thread I found on this forum), and scanned my computer with Malwarebytes (my computer would not let me update it - perhaps the virus blocking it?). The first two times I scanned it without running rkill, it said my computer was clean - though my computer is clearly not.

    Sorry that was so long winded! I'm extremely stressed because of this virus - thank you so much in advance! :)
     
  2. evilfantasy

    evilfantasy Malware Fighter

    Welcome to MajorGeeks!

    If any of the scans will not run or download, move on to the next one and let me know what happened, e.g. whether there were any errors or whether they just wouldn't download or run.

    Try not to restart the computer until one of the tools we use does it for you or tells you to.

    If one of the tools will not run just go on to the next one. Save the logs to post in your next reply.

    1) Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the next one.

    Vista and Windows 7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * When finished it will create a log.
    * Please post the rkill.log in the next reply.

    * If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.


    Once you've gotten one of them to run then try to immediately run the following.


    2) Download and run exeHelper

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Add the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).



    If you already have them installed, be sure to update Malwarebytes and SUPERAntiSpyware before the scan!

    Now run this: Using Malwarebytes Anti-Malware

    Now run this: SUPERAntiSpyware - running & getting a log

    Now run this: Using MGtools

    Logs needed:


    • Rkill
    • exeHelper
    • Malwarebytes
    • SUPERAntiSpyware
    • MGlogs
     
  3. sharpies

    sharpies Private E-2

    Thank you so, so much for the reply, evilfantasy!
    Before I follow your instructions, I want to let you know that yesterday, before you posted, I used this guide: http://www.bleepingcomputer.com/virus-removal/remove-internet-security-2010
    After completing it, I thought that the virus had disappeared. Then when I tried to turn my computer off, it would not (it would not "log off"), and after I manually turned my computer off (using the power button), I had many problems trying to turn on my computer (it would almost start up, then the screen would remain blank). After multiple attempts, my computer finally turned on, but my CPU was high and again programs were blocked. I think there is still something wrong with my computer, even though I don't get multiple pop-ups from Vista Antivirus 2010 anymore, as turning on/off my computer are giving me such problems. Additionally, programs I open (internet, itunes, etc) are more frequently not responding/not opening at all.

    Should I still follow your post, or does anything change?
    Thank you so much, again.
     
    Last edited: Mar 7, 2010
  4. evilfantasy

    evilfantasy Malware Fighter

    Try following the instructions. It might work. If the OS is too damaged you might be looking at reinstalling it.
     
  5. sharpies

    sharpies Private E-2

    Thank you. Attached are the logs you requested :) I'll upload the final log, the MGtools one, in a new post.
     


  6. sharpies

    sharpies Private E-2

    I'm not sure if MGtools is working; it has been "running analyse.exe" for a while now. I've followed all the directions. It says "the user name could not be found."
     
  7. evilfantasy

    evilfantasy Malware Fighter

    Restart the computer and try it again.

    Try running ComboFix first before MGtools.

    If you already have ComboFix be sure to delete it and download a new copy.

    Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note: It is important that it is saved directly to your Desktop

    Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double click combofix.exe & follow the prompts.
    Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
    When finished ComboFix will produce a log for you.
    Post the ComboFix log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    If you have problems with ComboFix usage, see How to use ComboFix
     
  8. sharpies

    sharpies Private E-2

    It worked!
     


  9. evilfantasy

    evilfantasy Malware Fighter

    Okay try ComboFix now.
     
  10. sharpies

    sharpies Private E-2

    Attached is my ComboFix log
     


  11. evilfantasy

    evilfantasy Malware Fighter

    Go to Add or Remove Programs and uninstall:

    • Browser Address Error Redirector
    • Java(TM) 6 Update 10
    • Java(TM) 6 Update 7

    Now install the new version of Java. Updating Sun Java


    Next run CCleaner.

    Now run OTC.

    Clean out your temporary internet files and temp files.

    Download TFC by OldTimer to your desktop.

    Double-click TFC.exe to run it.

    Note: If you are running on Vista, right-click on the file and choose Run As Administrator

    TFC will close all programs when run, so make sure you have saved all your work before you begin.

    * Click the Start button to begin the cleaning process.
    * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
    * Please let TFC run uninterrupted until it is finished.

    Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.


    After the computer has restarted let me know how it's running now.
     
  12. sharpies

    sharpies Private E-2

    I ran everything & cleared out my temporary files.

    Earlier in the day, for a couple of hours when I was running all the scans you gave me, my computer was working like it was before - it turned on/off fine and CPU was low.

    However, now it seems like my computer went back to malfunctioning: CPU has stayed consistently in the 30-60% range, and I again cannot seem to turn it off successfully (it will not stop "logging off"). Additionally, when I tried multiple times to open the task manager to better look at what was taking up so much CPU, it would not open. I'm not really quite sure what's going on here. :(
     
  13. evilfantasy

    evilfantasy Malware Fighter

    Attach a new MGtools log and also run the below. Using MGtools


    Download the latest version of Kaspersky GetSystemInfo (GSI) and save it to your desktop.

    * Close all other applications running on your system.
    * Double click GetSystemInfo.exe to open it.
    * Click the Settings button.
    * Set it to Maximum
    * IMPORTANT! Click Customize - choose Driver / Ports tab and
    * Uncheck Scan Ports.
    * Click Create Report to run it.
    * It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your desktop.

    * Upload the zip folder to the Kaspersky GSI Parser and click the Submit button.

    Copy and paste the URL (link in the address bar) of the GSI Parser report (not the log) in your next reply.
     
  14. sharpies

    sharpies Private E-2

    Thank you. I ran everything - GetSystem was difficult, I had to restart my computer many times before it would let me "run as administrator", otherwise it wouldn't let me adjust my settings. Still, my computer is acting very strangely - either it works fine or terribly (i.e., maintaining high CPU, impossible to turn on/off, blocked programs, etc).

    http://www.getsysteminfo.com/read.php?file=1c4a46af97fd9735c7102cfbaca393fc
     


  15. evilfantasy

    evilfantasy Malware Fighter

    Please go to Jotti's malware scan
    (If more than one file needs to be scanned, they must be done separately and logs posted for each one)

    * Copy the file path in the below Code box:
    Code:
    C:\Windows\System32\wininet.dll
    * At the upload site, click once inside the window next to Browse.
    * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    * Next click Submit file
    * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    * This will perform a scan across multiple different virus scanning engines.
    * Important: Wait for all of the scanning engines to complete.
    * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
     
  16. sharpies

    sharpies Private E-2

  17. evilfantasy

    evilfantasy Malware Fighter

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    Folder::
    C:\Users\Z\AppData\Local\4O12713318kj
    
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
     
  18. sharpies

    sharpies Private E-2

    It's attached : )
     


  19. evilfantasy

    evilfantasy Malware Fighter

    I'm really not seeing anything to indicate that the computer is infected. The only thing I can think of is maybe updating to SP2 through Windows Updates might help the stability issues.

    First it would be best to clean up the mess we have made doing this cleaning.
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. Go to Microsoft Windows Update and get all critical security updates including SP2.
    11. After doing the above, you should work through the below link:
     
  20. sharpies

    sharpies Private E-2

    I want to thank you so much for helping me! I'm very relieved that there is no indication of a virus! :) I will try updating my system as you suggested; hopefully it will become more stable.

    However, I do have a question - I can't seem to type in the "%userprofile%\Desktop\combofix" /uninstall into ComboFix. I had originally downloaded directly to my desktop, then accidentally moved it into a folder on my desktop. Is this the reason why I can't uninstall it? Are there other ways to? I tried to reinstall it onto my desktop again, but it wouldn't allow me to type in anything either.

    Thank you so much again :)
     
    Last edited: Mar 10, 2010
  21. evilfantasy

    evilfantasy Malware Fighter

    You can just continue on. Running the MGclean.bat should remove it also.

    You can check to make sure the folders are gone and delete them manually if needed. If still present delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt
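    As an added example (not part of the thread or of MGtools), the manual check described above can be done in one pass from an elevated PowerShell prompt. It assumes ComboFix.exe was saved to the current user's Desktop as requested earlier in the thread; run it with -WhatIf first to see what would be removed without deleting anything.

```powershell
# Added example: check for the ComboFix leftovers named in the post and
# remove any that are still present. Run from an elevated PowerShell prompt.
function Remove-ComboFixLeftovers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Paths taken from the post; the Desktop location of ComboFix.exe is an
    # assumption based on where the thread asked for it to be saved.
    $leftovers = @(
        "$env:USERPROFILE\Desktop\ComboFix.exe",
        'C:\ComboFix',
        'C:\QooBox',
        'C:\WINDOWS\nircmd.exe',
        'C:\combofix.txt',
        'C:\ComboFix-quarantined-files.txt'
    )

    foreach ($path in $leftovers) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Host "Already gone: $path"
            continue
        }
        # -WhatIf on the function call propagates here, so nothing is deleted
        # until the caller is satisfied with the list of hits.
        if ($PSCmdlet.ShouldProcess($path, 'Remove')) {
            Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
            Write-Host "Removed: $path"
        }
    }
}

# Preview only; drop -WhatIf to actually delete the leftovers.
Remove-ComboFixLeftovers -WhatIf
```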
     
  22. sharpies

    sharpies Private E-2

    Thank you, thank you so much for spending your time to help me. :) :) I really appreciate it!
     
  23. evilfantasy

    evilfantasy Malware Fighter

    You're welcome.

    Safe surfing.
     
