Another Antivirus Pro infestation.

Stu_Pidasso · Aug 28, 2009

First I want to apologize, i dont know alot about these sort of things. I've been infected with Antivirus pro, among other things. I've tried many of the things i found around the net, nothing works, including the guide i found here. I'm dealing with things like braviax.exe, and cru629.dat. And seeing programs like antivirus pro and total security pop up. I've tried running all the normal scans like malewarebytes, spybot s&d, and avg. Either it closes the scan as soon as it starts, or it gives me the msg, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." the only one that worked was Ad-aware, and it found one called Win32.Trojan.Crypt.

If someone could please lay out a step by step plan and explain each step so that i could understand that would rock. i think i've gotten rid of a few of the problems, like braviax and cru629, as i no longer see them.

again, thank u in advance.

TimW · Aug 31, 2009

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Pleases follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide

and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****

Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.

If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.

To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:

Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.

Stu_Pidasso · Aug 31, 2009

Thank you for your response. Here is what I am able, and unable to do:

I only have AVG installed at the moment. I dont know if your guide is referring to spyware and maleware scanners also, but avg is the only "antivirus" installed at the moment.

Did not see any Viewpoint applications to remove.

Uninstalled all Java programs that I saw, however, was unable to install the new one, I got a msg that said the administrator had set policies to prevent such actions.

I searched for the quarantine folders but was unable to find them. I am also unable to load up avg when I normally log on to do it from within the program.

used ccleaner on main account and admin account

right-clicked start menu, selected explore, selected tools, but no folder options. only Map Network Drive, Disconnect Network Drive, and Synchronize...

opened msconfig, startup mode already set to normal.

I went through my add/remove programs list, and saw no suspicious programs that is on that list. At least any that I saw.

Tried running SUPERAnti Spyware, scan closed itself after a few seconds. Tried to reopen, get a msg that says. "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
Tried running Maleware bytes, it too closes itself, this time instantly. Attempt to reopen, same msg.
I'm pretty sure that i have have a 64x pc so I didnt wanna chance it. I however downloaded rootkit and combo fix in case u guys need me to run it.

Ran mgtools and enclosed the log.

I realize there wasnt much I could do, and it might not be much help. But I hope the log I attached is enough to get us started. Thanks again.

TimW · Sep 4, 2009

Ok, lets see if we cant clean this up a bit.

You appear to have Avenger installed, so we will use it.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=-
"Windows System Recover!"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Irateh"=-
"13819844"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"

[HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\sharedtaskscheduler]
"{BF56A325-23F2-42AD-F4E4-00AAC39CAA53}"=-

Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Files to delete:
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\{200E0CA1-C1B5-490D-AC6E-5C59341257C3}
C:\Documents and Settings\All Users\Application Data\13819844
C:\WINDOWS\sorry.exe
C:\Documents and Settings\All Users\Application Data\13819844\13819844.exe
C:\WINDOWS\okacelote.dll
C:\osps.exe
C:\pvewnn.exe
C:\WINDOWS\ppp3.dat
C:\WINDOWS\ppp4.dat
C:\WINDOWS\svchast.exe
C:\WINDOWS\system32\AVR09.exe
C:\WINDOWS\system32\dddesot.dll
C:\WINDOWS\system32\onhelp.htm
C:\WINDOWS\system32\sonhelp.htm
C:\WINDOWS\system32\sysnet.dat
C:\WINDOWS\system32\tajf83ikdmf.dll
C:\WINDOWS\system32\winhelper.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wisdstr.exe
C:\WINDOWS\Temp\cab124647DFW2S39JD.tmp
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\cab124647DFW2S39JD.tmp
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job

Folders to delete:
C:\Documents and Settings\All Users\Application Data\13819844
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\{200E0CA1-C1B5-490D-AC6E-5C59341257C3}

Programs to launch on reboot:
C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
-
Now run Ccleaner to clean out only temp files and nothing else!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
* C:\Avenger.txt
* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

chaslang · Sep 4, 2009

Stu_Pidasso,

I see you logged in. If it is not already to late. DO NOT appy the fixME.reg patch from the last fix. If you have already applied it and see this message before rebooting then do not reboot and do not run the Avenger fix which will force a reboot.

TimW · Sep 4, 2009

@stu....I have edited the fixme.reg patch that was missing a comma. The fix will be ok to run now, if you havent already. If you have, and have not rebooted...then apply the reg patch again with the edited comma included.

Then you can run the Avenger fix.

Stu_Pidasso · Sep 4, 2009

ok so...

i disabled all my antivirus and antispyware the best i knew how.

copied txt, and saved it fixME.reg, i got the "successfully entered" msg when i double clicked it.

opened avenger, copied and entered that txt into the input field, hit execute and it told me to reboot... so i did. it rebooted and nothing from avenger opened up. I also cannot find the avenger log in C:\, also, combofix did not seem to run.

ran ccleaner and cleaned temp files only. Something like 90mbs were deleted.

tried to run the mglogs getlogs.bat but it flashed up and gave me some msg about how the ability to edit the registry had been disabled by an admin. I tried it again, this time is just flashed the black screen. However, no logs were left.

soo... I have no logs to provide to you. I'm not sure why mgtools didn't wanna run this time. but hopefully you do. i hppe to hear from you soon so we can give it another shot and get this under control. If I luck out and get mgtools to run, i'll post the log. Thanks.

Stu_Pidasso · Sep 4, 2009

uh o.... i just saw your two previous post...

Stu_Pidasso · Sep 4, 2009

as u probably guessed. I applied all those edits, and I rebooted several times... Sorry, I was at work for a couple hours and came back for my lunch break and applied the fix's without paying attention to the posts

Stu_Pidasso · Sep 4, 2009

can i still use the new fix after i have rebooted?

TimW · Sep 4, 2009

If you are able to boot up to your user account, then yes. You can re-apply the new modified fixme.reg patch. Make sure you recreate it so that you have the correct settings.

Avenger should be where I indicated it would be.

Open task manager, new process and put in MGTools.exe....see if it will run and give you a log.

If it will not, then download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one. Run the exe and tell me what happens. Attach the log if it runs to completion.

Stu_Pidasso · Sep 5, 2009

i applied the new regedit, but i am still not able to get avenger to make a log. I assume its not even running. I set it up to run, and reboot when it ask. But it just boots and loads like normal. I checked the root folder but did not see avenger.txt. I also cannot get mgtools to give me another log sometimes it tells me i dont have the access to edit registry, or it just flashes a black screen. It makes a log zip, but it doesnt have all the logs in it. just the getunkey one. I'm lost here, not sure what to do. I hope you have more ideas, or something else to try... Is it possible for me to go threw and manually do the avenger steps... like deleting the files manually? Sigh. Anyways, I'd like to thank you for your time, and I hope we can get this worked out.

Stu_Pidasso · Sep 7, 2009

So... Am I beyond help? I hope not. I would really hate to have to reformat at this time. I was hopin u guys could help.

TimW · Sep 11, 2009

Of course you can try deleting those files and folders manually. We can also have you try doing an online scan:
Using BitDefender Online Scan.

Lets first do this>

Please boot with your xp disc in the drive, and go to the recovery console.
At the command prompt type in ( assuming your disc drive is e, change it if it isn't):
copy e:\i386\\eventlog.dll C:\WINDOWS\system32\eventlog.dll
hit enter .....then type in exit.
Then reboot.

Now:

You MUST follow these steps exactly and they MUST be performed in the order written.

Download The Avenger by Swandog46, and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your desktop but DO NOT RUN IT.

Now download and save the below two files to the root folder of your Windows boot drive. Normally this would be drive C. If you do this correctly, you will then see C:\MGtools.exe and FixAVP.exe

MGtools

FixAVP

Now run MGtools.exe by following the instructions given here Using MGtools which will help your understand how to run it and what will happen. You don't need to worry about attaching the MGlogs.zip file that it mentions yet because we have more to do and new log will be obtained later.

Now run the FixAVP.exe file by double clicking on it. This will attempt to automatically run Avenger (which you downloaded above) and it should also try to reboot your PC so don't be alarmed when this happens.

After Reboot, and if all goes well, a new scan by MGtools should automatically take place because Avenger will try to run C:\MGtools\GetLogs.bat which will begin all the scans again.

When GetLogs.bat finishes running, there will be a new C:\MGlogs.zip file and now it will be time to attach it to your next message. Make sure that you allow GetLogs.bat to finish running. It will tell you when it is finished. Do not close the command prompt window on your own until it is finished.

Click to expand...

NOTE: Obviously you do not need to download Avenger since you already have it installed, but you should download the latest version of MGTools as it has been changed to support this fix.

Log in or Sign up

Another Antivirus Pro infestation.

Stu_Pidasso Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Stu_Pidasso Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Stu_Pidasso Private E-2

Stu_Pidasso Private E-2

Stu_Pidasso Private E-2

Stu_Pidasso Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Stu_Pidasso Private E-2

Stu_Pidasso Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member