Antivirus.NET
Pandut 05 Feb 2011
Yep.
I did some research and found out that Antivirus.NET is a rogue program bent on making my PC's life hell. It started by blocking my internet access, but I managed to fix that with the help of some friends, but the problem still remains.
Avast isn't doing squat. Boot-time scans, full scans and what have you aren't picking up anything. I tried out a new program called Vipre that was said to be able to remove Antivirus.NET but hasn't found anything either, which is starting to irritate me.
Here's a HijackThis! log.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:29:49 AM, on 2/5/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ybwderkk] C:\DOCUME~1\Pandut\LOCALS~1\Temp\vgrhrdlxj\icgbdpisjmo.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: VIPRE Antivirus (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe

--
End of file - 3804 bytes
Every solution I look for online usually requires me to buy a $50 program, which to be frank there's no way in hell I'm doing that.
EDIT: Also, I get redirected to spam sites every time I search for alternate anti-virus programs.
Edited by Sobek, 05 February 2011 - 07:35.
Dauth 05 Feb 2011
Right, looks like a few issues in this. Though you may have to try to find a dedicated removal program.
Remove the following lines:
Quote
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [ybwderkk] C:\DOCUME~1\Pandut\LOCALS~1\Temp\vgrhrdlxj\icgbdpisjmo.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
The last two just mean you'll boot better.
Here is a set of instructions to remove it.
http://www.bleepingcomputer.com/virus-remo...-antivirus-.net
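The two entries Dauth singled out are the classic tells in a HijackThis log: an O4 autorun whose executable lives in a user Temp directory under a machine-generated name, and an O2 BHO whose DLL no longer exists. The following Python script is an added example, not code from the thread or from HijackThis itself; it parses lines in that log format and scores them with exactly those two checks. The sample lines are copied from the log above (plus one benign O4 entry for contrast), the regular expressions and the "looks_random" vowel-ratio heuristic are this example's own assumptions about what a triage tool would do, and a "suspicious" verdict is a prompt for a human to look, not proof of infection.

```python
"""Triage of HijackThis-style log lines (added example, not part of the thread).

Flags two kinds of entries:
  * O4 autorun entries whose executable sits in a Temp directory, optionally
    with a value name that looks machine-generated
  * O2 BHO entries registered against a DLL that is missing ("(no file)"),
    i.e. an orphaned hook that can simply be unregistered
Every other recognised O2/O4 line is reported as "info" so it is still visible.
"""
import re

# Constructed sample: four lines taken from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ybwderkk] C:\DOCUME~1\Pandut\LOCALS~1\Temp\vgrhrdlxj\icgbdpisjmo.exe
"""

# Temp locations that a legitimate autostart entry has no business pointing into
# (short 8.3 form, long XP form, Vista+ form, and the system Temp directory).
TEMP_DIR_RE = re.compile(
    r"\\(LOCALS~1|Local Settings)\\Temp\\|\\AppData\\Local\\Temp\\|\\WINDOWS\\Temp\\",
    re.IGNORECASE,
)
# O4 - HKCU\..\Run: [name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2 - BHO: name - {CLSID} - path
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")

VOWELS = set("aeiou")


def first_token(cmd):
    """Return the executable part of an autorun command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def looks_random(name):
    """Heuristic (an assumption of this example): long, all-lowercase, vowel-poor
    value names such as 'ybwderkk' are typical of generated dropper names."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return vowel_ratio < 0.3


def triage(log_text):
    """Return a list of (severity, line, reason) tuples for every O2/O4 line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            exe = first_token(m.group("cmd"))
            reasons = []
            if TEMP_DIR_RE.search(exe):
                reasons.append("autorun executable lives in a Temp directory")
            if looks_random(m.group("name")):
                reasons.append("autorun value name looks machine-generated")
            severity = "suspicious" if reasons else "info"
            findings.append((severity, line, "; ".join(reasons) or "autorun entry"))
            continue
        m = O2_RE.match(line)
        if m:
            if m.group("path").strip().lower() == "(no file)":
                findings.append(("orphaned", line, "BHO registered but its DLL is missing"))
            else:
                findings.append(("info", line, "BHO entry"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:10}] {reason}\n             {line}")
```

Run it as-is to see the verdict for each sample line; to use it on a real log, pass the file's contents to triage(). The Temp-directory check is the one that carries weight: the name heuristic only adds a second reason, and by itself it would never flag a line.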
Pandut 05 Feb 2011
Dauth, on 5 Feb 2011, 1:38, said:
Right, looks like a few issues in this. Though you may have to try to find a dedicated removal program.
Remove the following lines:
Quote
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [ybwderkk] C:\DOCUME~1\Pandut\LOCALS~1\Temp\vgrhrdlxj\icgbdpisjmo.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
The last two just mean you'll boot better.
Here is a set of instructions to remove it.
http://www.bleepingcomputer.com/virus-remo...-antivirus-.net
I axed those four lines. But those instructions on how to get rid of the virus aren't helping. RKill or whatever it's called only found 2 corrupted files and deleted those, and Malware Bytes isn't picking up anything. To make matters worse, my PC is now running incredibly slow and I am getting redirected to spam sites whenever I search for something on Google.
Dauth 06 Feb 2011
Then get a live CD of Ubuntu and put that in. Copy anything you want to save while in Ubuntu and then wipe and re-install. Tbh, every computer should be wiped once a year anyway.
Raven 06 Feb 2011
Why not try the Kaspersky Internet Security 2010 trial version and run a scan? So far it hasn't failed me.
Pandut 06 Feb 2011
Dauth, on 6 Feb 2011, 8:43, said:
Then get a live CD of Ubuntu and put that in. Copy anything you want to save while in Ubuntu and then wipe and re-install. Tbh, every computer should be wiped once a year anyway.
Tbh, that's going to be a last resort. I've made a small bit of progress and my PC isn't running as slow as it was before. I switched back to Avast and right at the moment I'm just getting redirected to spam sites whenever I go online. That along with pop-up ads so I'm pretty sure this is just internet related. I'm still trying to purge the virus, or at least what's left of it as I'm pretty sure I nabbed a part of it. The Antivirus.NET thing isn't bugging me anymore which is a good sign I think.
Golan 06 Feb 2011
I'd highly suggest not assuming malware of this kind has been purged unless you have replaced all executables on your computer, i.e. a full reinstall. Scareware has a tendency of infecting every type of executable, including proper AV programs as well as system-critical resources. Every program on your HDD is potentially corrupted, so any removal action or report of success is unreliable.
The only reliable way of fixing such a corruption is running scans and removal programs from external storage (boot disk etc.) before booting your OS, which still leaves a slight possibility of malware hibernating in important files. It can oftentimes break your OS, however, as such scareware has a tendency of infecting system executables (Windows Explorer etc.) or DLLs that cannot be fixed or replaced without reinstalling the OS from scratch.
If you have any important data on your computer, try accessing it by forcing the virus into hibernation, accessing it from a well-protected networked computer or running an unrelated OS, such as Ubuntu as Dauth mentioned, then save any non-executable data to external storage and wipe the system clean.
Pandut 06 Feb 2011
Ugh. I have a few more things I can try, but if none of them actually work then I'll consider a full-system wipe. And to be honest, I would prefer not doing it. All that's really happening right now, since yesterday, is site redirecting and an occasional pop-up ad. I'm trying the Kaspersky 2011 trial, and it keeps picking up a file labeled "MEM:RootKit.Win32.TDSS.fa" even though it's been deleted/disinfected/repaired/quarantined who knows how many times. Did a bit of research: this type of file is responsible for installing fake AV programs on PCs, and Kaspersky is in fact the best way to get rid of it.
Wanderer 06 Feb 2011
The problem is that it's hiding in system files and every time you get rid of it, it just reappears from there. The AV program can't access it unless you can run the AV before Windows is fully on.
CJ 06 Feb 2011
It could actually even be hiding in your MBR, which would simply prevent any AV from removing it since it gets unleashed as soon as you boot your PC... (That kind of virus requires you to use the fixmbr command of the Win 7 installation DVD, or something similar to it.)
Wanderer 07 Feb 2011
Some AV programs can be set to run before Windows boots up so you can clean the comp.
Check out a program called malwarebytes. It's really effective but you need to be a bit careful with it.
Edited by Wanderer, 07 February 2011 - 00:23.
Pandut 07 Feb 2011
Wanderer, on 6 Feb 2011, 17:17, said:
Some AV programs can be set to run before Windows boots up so you can clean the comp.
Check out a program called malwarebytes. It's really effective but you need to be a bit careful with it.
I already have Malware Bytes.
Some good news: after doing a 5 hour scan with Kaspersky 2011 and its respective Virus Removal Tool, it has detected and removed a crap-load of files accused of being infected. After a re-boot everything seems to be running fine now. No redirects, no pop-ups. I'm still being a little over-cautious and running additional scans with Malware Bytes and Spybot Search & Destroy.