AntivirusIS on only one user profile?

Discussion in 'Malware Help (A Specialist Will Reply)' started by scoop113, Oct 1, 2010.

  1. scoop113

    scoop113 Private E-2

    Greetings folks,

    Thanks in advance for any help.

    I'm running Windows XP Pro SP3 on a Dell Dimension E521. We have it set up with two user profiles, one for me and one for my wife.

    It appears my wife picked up some malware called AntivirusIS. It's scareware that only affected her user profile. Mine operates fine.

    The infection initially prevented any Web surfing and opened porn sites when trying. It also prevents access to the Program Files folder and would not allow me to run any type of anti-virus or anti-malware programs under her profile.

    So I ran through the Read Me process under my user profile. The exception was Root Repeal, which opened but would not run. SuperAntiSpyware found and fixed one infection.

    That returned Web surfing functionality, but I believe we're still infected because access to the Program Files folder is still denied.

    I now seem to have the ability to run anti-virus under her profile. Should I go back through the entire process under her profile now?

    Logs are attached for all but Root Repeal.

    I look forward to your kind assistance.

    Regards,
    Mike
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, please run the entire process under her user account and attach the logs. ;)
     
  3. scoop113

    scoop113 Private E-2

    Here are the new logs, except for Root Repeal. That still won't run. While installing, I get an "invalid PE image" error. Then when I start a scan, it stops at "initializing" and completely locks the computer, requiring a hard reset.

    Internet is running well, but I'm still locked out of the Program Files folder. That's the only symptom of infection I've encountered, but I haven't used the computer for anything other than attempts at disinfection.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sorry for the delay, I was out of town yesterday. I am not seeing any malware in those logs. I suggest that you post in the software forum for your issue with the Program folder.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan. We recommend them for doing backup scans when you suspect a malware infection.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:




     
  5. scoop113

    scoop113 Private E-2

    Thanks Tim.

    One possible hitch: While I was turning my security software back on, I realized that the firewall had been running when I ran the scans on my wife's user profile. Would that cause false results in the logs?

    Also, I've since found that I'm not able to run AVG or Spybot S&D from her profile, but they run fine on mine. :(
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your firewall should not have been a problem. Have you uninstalled each of them and after running CCleaner, tried re-installing them?
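The pattern in this thread (scareware that blocks scanners and hides Program Files for one profile while the other profile is clean) is what you get when the hijack lives in that user's own hive rather than in HKLM. HKCU\Software\Classes is merged over HKLM\Software\Classes to form HKCR, so a per-user exefile override, together with per-user Explorer and System policy values, affects only the profile that carries them. Below is an added example, not code from the thread or from any MajorGeeks tool, that audits an exported HKCU hive for exactly those locations. It assumes you exported the affected profile's hive to a .reg file (for instance with `reg export HKCU hkcu.reg` from a command prompt in that profile, or from a loaded NTUSER.DAT) and that the sample .reg text embedded in the block is a constructed illustration; the key names are standard Windows locations, but the values it flags are this audit's own heuristics, not findings from the thread's logs.

```python
"""Audit an exported HKCU hive (.reg text) for the per-user hijacks that
XP-era rogue antivirus families used to block scanners under one profile.

Added example, not code from the thread.  Assumption: the hive was exported
with  reg export HKCU hkcu.reg  (reg.exe writes UTF-16LE with a BOM; regedit
may write ANSI).  The key names are ordinary Windows locations; the values
flagged are what this audit treats as suspicious, not anything the thread
itself identified.
"""
import re
import sys
from collections import defaultdict

# HKCU\Software\Classes is merged over HKLM\Software\Classes to form HKCR, so a
# per-user exefile override shadows the machine-wide one for that user only.
EXEFILE_CMD = r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command"
DOT_EXE = r"HKEY_CURRENT_USER\Software\Classes\.exe"
POL_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POL_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Policy DWORDs that restrict the user when non-zero.
RESTRICTIVE_DWORDS = {
    POL_EXPLORER: {"DisallowRun", "NoViewOnDrive", "NoDrives", "NoFolderOptions", "NoRun"},
    POL_SYSTEM: {"DisableTaskMgr", "DisableRegistryTools"},
}

# Constructed sample: a per-user .exe hijack plus Explorer policies.  Not a real
# capture; "user2" and "rogue.exe" are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="exefile"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user2\\Local Settings\\Application Data\\rogue.exe\" /START \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewOnDrive"=dword:00000004
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="mbam.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"rogue"="C:\\Documents and Settings\\user2\\Local Settings\\Application Data\\rogue.exe"
'''

def load_reg_text(raw: bytes) -> str:
    """Decode a .reg export: UTF-16LE with BOM (reg.exe) or ANSI (regedit)."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")

def _unescape(s: str) -> str:
    # .reg strings double backslashes and escape embedded quotes.
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_reg(text: str) -> dict:
    """Parse [key] / "name"="value" / "name"=dword:... lines.

    Returns {key_path: {value_name: value}} with "@" as the (Default) value.
    Multi-line hex: values are skipped; this audit only needs REG_SZ/REG_DWORD.
    """
    hive = defaultdict(dict)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(-?)(.+)\]$", line)
        if m:
            current = None if m.group(1) else m.group(2)  # "[-key]" is a deletion
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        val = m.group(3)
        if val.startswith('"') and val.endswith('"'):
            val = _unescape(val[1:-1])
        elif val.startswith("dword:"):
            val = int(val[6:], 16)
        hive[current][name] = val
    return dict(hive)

def audit(hive: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    cmd = hive.get(EXEFILE_CMD, {}).get("@")
    if cmd is not None and cmd.strip() != '"%1" %*':
        findings.append(f"exefile open command hijacked for this user: {cmd}")
    dotexe = hive.get(DOT_EXE, {}).get("@")
    if dotexe is not None and dotexe.lower() != "exefile":
        findings.append(f".exe remapped for this user to ProgID: {dotexe}")
    for key, names in RESTRICTIVE_DWORDS.items():
        for name, val in hive.get(key, {}).items():
            if name in names and val not in (0, None):
                findings.append(f"restrictive policy {name}={val!r} under {key}")
    for _, val in hive.get(POL_EXPLORER + r"\DisallowRun", {}).items():
        findings.append(f"DisallowRun blocks: {val}")
    for name, val in hive.get(RUN_KEY, {}).items():
        findings.append(f"per-user autorun {name!r} -> {val}")
    return findings

def audit_sample() -> list:
    """Run the audit over the constructed sample above."""
    return audit(parse_reg(SAMPLE_REG))

def audit_file(path: str) -> list:
    with open(path, "rb") as fh:
        return audit(parse_reg(load_reg_text(fh.read())))

if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_sample()
    print("\n".join(results) if results else "nothing flagged")
```

Run it against the export (`python audit_hkcu.py hkcu.reg`) from the clean profile or another machine. A hijacked exefile command explains scanners "not running" under one profile only: every .exe launch is routed through the rogue binary first, and deleting that per-user key makes HKCR fall back to the HKLM default. NoViewOnDrive/NoDrives bitmasks (bit 2 = C:) and a DisallowRun list are the usual reasons a folder or a named scanner is blocked for that user; these are all placed under HKCU, which is why the other profile is unaffected.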
     
