Removal of fake antispyware/virus programs

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Jordan Rivers, Sep 21, 2010.

  1. Jordan Rivers

    Jordan Rivers Private E-2

    What to say? I appreciate your taking time to look at my wife's logs. I tried to take care of it by myself, but it seems to be more than I can handle. In a month and a half, she has somehow managed to have 4 fake antivirus/spyware programs infect her computer over that time. We have owned this one since new/it is E-machines 5212/P4-sp3/IE-8/1224 ram. It seems as I thought I was able to do some fixing following MG directions, and thought I had taken care of business in the first couple of infections, but evidently not. Every week and a half or so, the infections return, even though Malwarebytes updated/Spywareblaster updated/spybot s&d updated/Avast updated (I had to change from Avast to Microsoft Security Essentials, as the infection had rendered Avast inoperative)/SuperAntispyware updated, and I even had set her up to use VM at boot (which I thought would take care of infection from the net). The first three times I removed the infections, it seemed like all went well, but evidently it didn't. This last time, I booted the computer, the screen went black, and the lingo advised me that Windows had to reinstall orphaned files. Never had that happen to this computer. I had to let it do it, it wouldn't stop (also, the files had something about $130 in their description). After that, Windows advised me it had to do a check disk, and it did it, I had no choice; after that, Windows booted, and after the boot Avast was turned off and Malwarebytes was inoperative, so I knew the computer was infected again. Infected 4 times in a month and a half, all infections are rogues which always return, if not with that name, with another, even while running a virtual machine. My logs are included, they don't show much, a rogue antivirus/spyware infection, supposedly fixed by ComboFix, and Microsoft Security Essentials. There has to be more to fix than that, it keeps coming back (I wish I knew how to read a HijackThis log).
     

  2. Jordan Rivers

    Jordan Rivers Private E-2

    My additional logs:
     

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have 1024 MB of RAM, not 1224 ;)

    The free Malwarebytes provides no protection. It is just an after-the-fact scanner. Spybot without TeaTimer also provides no active protection. SpywareBlaster also has no active protection. Yes, Spybot's Immunization and SpywareBlaster's features do provide some ActiveX and bad download site protection, but this is not active malware protection. Yes, we do recommend using them, but they are not enough.

    If you keep getting infected, it is because of where people are surfing and what is being downloaded/run. Also you do not have a good firewall installed. You are using the less than adequate Windows firewall. Have you read this >>> How to Protect yourself from malware!

    I have no idea what you are referring to.


    Just because they keep coming back, it does not mean that you were still infected. Most of the time it is a new infection. Downloading stuff like the below is a frequent source of these rogue antispyware tool infections:
    Code:
    2010-09-07 17:29 . 2010-06-14 15:13  c:\program files\Free Video Joiner
    NOTE: You should not be making changes to your system after obtaining and attaching logs. Example, you just said you uninstalled Avast but your ComboFix log showed Avast installed. Basically your logs are now giving us incorrect status on your system.

    I strongly recommend that you cleanup your C drive root folder. You are saving things here and you should not be doing that on a long term basis. It slows your PC down, provides an easy hiding place for malware, and some scanners will delete executables found in the root folder since it is not a safe or recommended place to store them.

    I also recommend you remove most of those C:\WINDOWS\system32\drivers\etc\hosts file backups. You don't need them. Just keep the most recent backup. Spybot will make another on the next update too.

    Your logs are basically clean, but we have a few things to fix, including leftovers from McAfee and possible cleanup from you having uninstalled Avast, which frequently leaves things behind, so we will remove them just in case.

    Uninstall the below software:
    Viewpoint Media Player <-- should have been uninstalled in step 5 of the READ ME


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
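Two of the housekeeping points in the post above, the hosts file and its pile of backups, lend themselves to a quick audit script. The following is an added example written for this thread, not chaslang's code or a MajorGeeks tool: it parses a hosts file, flags entries that touch the update sites of the tools named in the thread (rogues commonly block or redirect those) or that map a name to a non-loopback address, and lists hosts-file backups newest first so only the most recent is kept. The watch list, the sample hosts content and the backup file names are constructed for the example; the script reports and never deletes.

```python
import os
import tempfile
import time
from pathlib import Path

# Constructed watch list: update/download sites of the tools used in this thread,
# plus Windows Update. A hosts entry for any of these deserves a look, whether it
# points at loopback (silently blocks updates) or at some other address (redirects).
WATCHED_DOMAINS = (
    "malwarebytes.org", "avast.com", "superantispyware.com",
    "safer-networking.org", "javacoolsoftware.com",
    "windowsupdate.microsoft.com", "update.microsoft.com", "majorgeeks.com",
)
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments and blanks are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            pairs.append((fields[0], name.lower()))
    return pairs


def audit_hosts(text):
    """Classify hosts entries. Immunization-style entries (bad site -> loopback) are
    normal; a watched domain or a non-loopback target is returned for review."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS):
            findings.append(("security-site", ip, name))
        elif ip not in LOOPBACK:
            findings.append(("redirect", ip, name))
    return findings


def hosts_backups(etc_dir, keep=1):
    """List hosts-file backups in etc_dir (anything named hosts* except hosts itself),
    newest first by mtime, split into the ones to keep and the ones that can go.
    Backup naming is an assumption; ordering relies on mtime only. Nothing is deleted."""
    etc = Path(etc_dir)
    backups = [p for p in etc.iterdir()
               if p.is_file() and p.name.lower().startswith("hosts")
               and p.name.lower() != "hosts"]
    backups.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    return [p.name for p in backups[:keep]], [p.name for p in backups[keep:]]


# Constructed sample hosts file: one immunization entry, one blocked vendor site,
# one redirected vendor site, one plain redirect to a documentation address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       some-bad-download-site.example   # Spybot-style immunization entry
127.0.0.1       www.malwarebytes.org
203.0.113.9     download.avast.com
203.0.113.9     www.example.com
"""


def demo():
    """Write the sample hosts file plus three constructed backups into a temp dir,
    audit the live file and rank the backups."""
    tmp = tempfile.mkdtemp()
    Path(tmp, "hosts").write_text(SAMPLE_HOSTS)
    now = time.time()
    names = ("hosts.20100801.bak", "hosts.20100815.bak", "hosts.20100907.bak")
    for i, name in enumerate(names):          # oldest first, one day apart
        p = Path(tmp, name)
        p.write_text(SAMPLE_HOSTS)
        stamp = now - (3 - i) * 86400
        os.utime(p, (stamp, stamp))
    findings = audit_hosts(Path(tmp, "hosts").read_text())
    keep, remove = hosts_backups(tmp, keep=1)
    return findings, keep, remove


if __name__ == "__main__":
    found, keep, remove = demo()
    for kind, ip, name in found:
        print(f"{kind:14} {ip:15} {name}")
    print("keep:", keep, "remove:", remove)
```

On a real XP machine the directory to pass to `hosts_backups` is `C:\WINDOWS\system32\drivers\etc`; the audit deliberately leaves Spybot immunization lines alone, since a bad site pointed at 127.0.0.1 is exactly what immunization produces, and only raises the two patterns a rogue uses.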
  4. Jordan Rivers

    Jordan Rivers Private E-2

    chaslang, thanks for taking the time to review my problem, and to take a look at my logs. So far I have, per your instructions: cleaned up the hosts file backups, as well as the C:\ drive root folder. I have uninstalled Viewpoint Media Player as well as the leftovers from Free Video Joiner. I have also picked up the latest version of Comodo Firewall.
    The problem I am having now is that Comodo is having a fit when I try to run ComboFix with the attachments you provided installed on ComboFix. Comodo wants acceptance for dozens of items that I have no idea if I should accept or not. I accepted a few, and then I thought, heck, I have no idea if what I am accepting is connected to ComboFix or not, and whether I should be accepting it or not. I will await your instructions before I do anything else.
    I didn't want to continue until I heard back from you as to how to continue.

    Thanks
    Jordan
     
  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please note the instructions that chaslang gave you:

     
  6. Jordan Rivers

    Jordan Rivers Private E-2

    Well, this is what I had a little concern about, and it happened. All I was trying to do was turn off Comodo: I tried right-clicking on the tray icon and chose disable, and in the main Comodo Summary window I chose stop all activities. I then tried to run ComboFix. Well, Comodo continued to run and froze ComboFix and my computer. The computer wouldn't turn off normally, so I had to push the start/stop button for 5 seconds to get the computer to shut off. When I turned it back on, guess what? "NO INTERNET". I turned the computer back off, then back on; a Comodo window came up stating I was joining a new network #2, and I thought that was what I needed to do to restart my internet, so I clicked OK. I at the present time have no internet, just great. In the process of trying to fix my computer, I end up with more problems, you gotta love it. What to do?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall Comodo and then make sure you have completed my last fix. That last fix tried to address a possible problem with your internet connection which was trying to use a proxy server which you most likely do not use.
     
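The proxy setting chaslang refers to lives in the WinINET registry key that Internet Explorer (and anything using its stack) reads, and a rogue that sets it to a server the user never configured is one way the "no internet" symptom appears. The following is an added example written for this thread, not chaslang's fix or a MajorGeeks tool: it parses a `.reg` export of that key (the text `reg export` or Registry Editor produces) and reports a proxy or auto-configuration script that is not on the expected list. The key path and the `ProxyEnable`, `ProxyServer` and `AutoConfigURL` value names are the real ones; the sample export and its proxy address are constructed for the example.

```python
import re

# Real WinINET key consulted by Internet Explorer for per-user proxy settings.
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def parse_reg_export(text):
    """Parse a Windows .reg export into {key_path: {value_name: value}}.
    Handles REG_SZ ("name"="text") and REG_DWORD ("name"=dword:hex); other types are skipped."""
    data, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            data.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith("dword:"):
            data[current][name] = int(val[len("dword:"):], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            # .reg escapes backslashes and quotes inside strings
            data[current][name] = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return data


def proxy_findings(reg, expected_proxies=()):
    """Return (kind, value) findings for a proxy or PAC script the user did not set up.
    With an empty expected_proxies, any enabled proxy is reported (the situation in this thread)."""
    settings = reg.get(INET_KEY, {})
    findings = []
    if settings.get("ProxyEnable", 0) == 1:
        server = settings.get("ProxyServer", "")
        if server not in expected_proxies:
            findings.append(("unexpected-proxy", server))
    pac = settings.get("AutoConfigURL")
    if pac:
        findings.append(("auto-config-script", pac))
    return findings


# Constructed sample export: proxy enabled and pointed at a local port nobody set up.
SAMPLE_REG_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"="<local>"
"""

# Constructed sample export after the proxy has been switched off.
SAMPLE_REG_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"ProxyServer"="http=127.0.0.1:5555"
"""


def check_export(text, expected_proxies=()):
    """Convenience wrapper: parse an export and evaluate the proxy settings in it."""
    return proxy_findings(parse_reg_export(text), expected_proxies)


if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_REG_INFECTED), ("clean", SAMPLE_REG_CLEAN)):
        print(label, check_export(sample) or "no findings")
```

Note that the "clean" sample still carries a stale `ProxyServer` string; the check keys on `ProxyEnable`, which is what actually switches the proxy on, so leftover text after a fix does not produce a false alarm, while a `ProxyServer` that matches a corporate proxy passed in `expected_proxies` is accepted.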
  8. Jordan Rivers

    Jordan Rivers Private E-2

    I did some research, and got myself back online, and took care of the proxy server. Thanks for taking the time to school me in some things I was lacking in knowledge on. I appreciate the time, and effort you put into helping me.

    Regards
    Jordan
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. You need to attach the follow up logs I requested so that we can continue and possibly finish up if everything is working okay.
     
