Fallout Studios Forums

Antivirus.NET

Pandut 05 Feb 2011

Yep.

I did some research and found out that Antivirus.NET is a rogue program bent on making my PC's life hell. It started by blocking my internet access, but I managed to fix that with the help of some friends; the problem still remains, though.

Avast isn't doing squat. Boot-time scans, full scans and what have you aren't picking up anything. I tried out a new program called Vipre that was said to be able to remove Antivirus.NET but hasn't found anything either which is starting to irritate me.

Here's a HijackThis! log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:29:49 AM, on 2/5/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ybwderkk] C:\DOCUME~1\Pandut\LOCALS~1\Temp\vgrhrdlxj\icgbdpisjmo.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: VIPRE Antivirus (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: SB Recovery Service (SBPIMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe

--
End of file - 3804 bytes


Every solution I look for online usually requires me to buy a $50 program, which, to be frank, there's no way in hell I'm doing.

EDIT: Also, I get redirected to spam sites every time I search for alternate anti-virus programs.
Edited by Sobek, 05 February 2011 - 07:35.

Dauth 05 Feb 2011

Right, looks like a few issues in this. Though you may have to try to find a dedicated removal program.

Remove the following lines

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [ybwderkk] C:\DOCUME~1\Pandut\LOCALS~1\Temp\vgrhrdlxj\icgbdpisjmo.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


The last two just mean you'll boot better.

Here is a set of instructions to remove it.

http://www.bleepingcomputer.com/virus-remo...-antivirus-.net
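Added example, not from Dauth's post or anyone in this thread: the triage Dauth did by eye on the HijackThis log, written as a small Python script. It reads the O2/O4/O23 lines, flags autoruns that start from a temp or profile directory or carry random-looking names (the [ybwderkk] entry pointing into \Temp\vgrhrdlxj\ trips both), marks BHOs registered with no file on disk as orphans to clean up, and lists services with no publisher for manual verification. The log excerpt is embedded so the script runs offline; the vowel-ratio test for random names is a heuristic of my own, not anything HijackThis itself does.

```python
import os
import re
import sys
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis log posted above,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ybwderkk] C:\DOCUME~1\Pandut\LOCALS~1\Temp\vgrhrdlxj\icgbdpisjmo.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Legitimate autoruns live under Program Files or the Windows directory;
# something dropped by a drive-by download usually runs from the user's temp
# or profile directories (8.3 short names such as LOCALS~1 included).
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                "\\application data\\", "\\appdata\\")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    reason: str
    line: str


def exe_path(command: str) -> str:
    """Return the executable path from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def looks_random(name: str) -> bool:
    """Heuristic (mine, not HijackThis'): a long all-lowercase token with
    almost no vowels, e.g. 'ybwderkk'. Product names like uTorrent pass."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6 or name != name.lower():
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def triage_o4(hive: str, key: str, value_name: str, command: str, line: str):
    path = exe_path(command)
    posix = path.replace("\\", "/")                      # so os.path works on any host
    parent = os.path.basename(os.path.dirname(posix))
    stem = os.path.splitext(os.path.basename(posix))[0]
    reasons = []
    if any(m in path.lower() for m in TEMP_MARKERS):
        reasons.append("runs from a temp/profile directory")
    if looks_random(value_name):
        reasons.append(f"random-looking value name '{value_name}'")
    if looks_random(parent) or looks_random(stem):
        reasons.append("random-looking path component")
    if not reasons:
        return None
    return Finding("high" if len(reasons) >= 2 else "medium", "; ".join(reasons), line)


def triage(log_text: str) -> list:
    """Walk a HijackThis log and return the entries worth acting on."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            f = triage_o4(*m.groups(), line)
            if f:
                findings.append(f)
        elif m := O2_RE.match(line):
            _name, clsid, target = m.groups()
            if target == "(no file)":
                findings.append(Finding("low", f"orphaned BHO {clsid}: registered but DLL missing; safe to remove", line))
        elif m := O23_RE.match(line):
            name, owner, _path = m.groups()
            if owner == "Unknown owner":
                findings.append(Finding("low", f"service '{name}' has no publisher; verify the binary's signature or hash by hand", line))
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it with a saved log on stdin (`python hjt_triage.py < hijackthis.log`) or with no input to see it work on the excerpt above. Everything it prints is a lead for a human, not a verdict: a clean HKLM autorun such as RTHDCPL has no vowels either, which is why the name test alone only rates "medium" and the location check has to agree before anything is rated "high".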

Pandut 05 Feb 2011

Dauth, on 5 Feb 2011, 1:38, said:

Right, looks like a few issues in this. Though you may have to try to find a dedicated removal program.

Remove the following lines

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [ybwderkk] C:\DOCUME~1\Pandut\LOCALS~1\Temp\vgrhrdlxj\icgbdpisjmo.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


The last two just mean you'll boot better.

Here is a set of instructions to remove it.

http://www.bleepingcomputer.com/virus-remo...-antivirus-.net

I axed those four lines. But those instructions on how to get rid of the virus aren't helping. RKill or whatever it's called only found 2 corrupted files and deleted those, and Malware Bytes isn't picking up anything. To make matters worse, my PC is now running incredibly slow and I am getting redirected to spam sites whenever I search for something on Google.

Dauth 06 Feb 2011

Then get a live CD of Ubuntu and put that in. Copy anything you want to save while in Ubuntu and then wipe and re-install. Tbh, every computer should be wiped once a year anyway.

Raven 06 Feb 2011

Why not try the Kaspersky Internet Security 2010 trial version and run a scan? So far it hasn't failed me.

Pandut 06 Feb 2011

Dauth, on 6 Feb 2011, 8:43, said:

Then get a live CD of Ubuntu and put that in. Copy anything you want to save while in Ubuntu and then wipe and re-install. Tbh, every computer should be wiped once a year anyway.

Tbh, that's going to be a last resort. I've made a small bit of progress and my PC isn't running as slow as it was before. I switched back to Avast and right at the moment I'm just getting redirected to spam sites whenever I go online. That along with pop-up ads so I'm pretty sure this is just internet related. I'm still trying to purge the virus, or at least what's left of it as I'm pretty sure I nabbed a part of it. The Antivirus.NET thing isn't bugging me anymore which is a good sign I think.

Golan 06 Feb 2011

I'd highly suggest not assuming malware of this kind has been purged unless you have replaced all executables on your computer, i.e. done a full reinstall. Scareware has a tendency to infect every type of executable, including proper AV programs as well as system-critical resources. Every program on your HDD is potentially corrupted, so any removal action or report of success is unreliable.
The only reliable way of fixing such a corruption is running scans and removal programs from external storage (boot disk etc.) before booting your OS, which still leaves a slight possibility of malware hibernating in important files. It can often break your OS, however, as such scareware has a tendency to infect system executables (Windows Explorer etc.) or DLLs that cannot be fixed or replaced without reinstalling the OS from scratch.

If you have any important data on your computer, try accessing it by forcing the virus into hibernation, accessing it from a well-protected networked computer or running an unrelated OS, such as Ubuntu as Dauth mentioned, then save any non-executable data to external storage and wipe the system clean.

Pandut 06 Feb 2011

Ugh. I have a few more things I can try, but if none of them actually work then I'll consider a full-system wipe. And to be honest, I would prefer not doing it. All that's really happening right now, since yesterday, is site redirecting and an occasional pop-up ad. I'm trying the Kaspersky 2011 trial, and it keeps picking up a file labeled "MEM:RootKit.Win32.TDSS.fa" even though it's been deleted/disinfected/repaired/quarantined who knows how many times. Did a bit of research: this type of file is responsible for installing fake AV programs on PCs, and Kaspersky is in fact the best way to get rid of it.

Wanderer 06 Feb 2011

The problem is that it's hiding in system files and every time you get rid of it, it just reappears from there. The AV program can't access it unless you can run the AV before Windows is fully on.

CJ 06 Feb 2011

It could actually even be hiding in your MBR, which would simply prevent any AV from removing it since it gets unleashed as soon as you boot your PC... (That kind of virus requires you to use the fixmbr command of the Win 7 installation DVD, or something similar to it.)
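Added example, not from CJ's post or anyone in this thread: a Python script showing what "hiding in the MBR" means in bytes and how you would check for it. It parses a 512-byte master boot record (boot code, disk signature, the four partition entries, the 0x55AA signature) and compares a SHA-256 of the 440 bytes of boot code against a hash taken when the machine was known clean; this is the same known-good-baseline idea Golan applied to executables, applied to the sector that runs before Windows does. The two MBRs it checks are constructed here, with made-up boot code and one made-up partition; nothing in the block is real Windows boot code or real TDSS code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0..439: the code the BIOS jumps to (what a bootkit overwrites)
DISK_SIG_OFF = 440        # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446      # 4 x 16-byte partition entries
SIG_OFF = 510             # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed 512-byte MBR for the demo.
    partitions: iterable of (bootable, type_byte, lba_start, sector_count)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    sector += struct.pack("<I", 0x1A2B3C4D) + b"\x00\x00"   # constructed disk signature
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0",
                    ptype, b"\0\0\0", start, count)
        for bootable, ptype, start, count in partitions)
    sector += table.ljust(64, b"\x00") + b"\x55\xAA"
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and pull out the fields worth comparing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIG_OFF:SIG_OFF + 2] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:   # type 0 means an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> dict:
    """Compare the boot code against a hash captured while the machine was
    known clean. A bootkit has to change the boot code to run before the OS,
    but it leaves the partition table alone so Windows still boots normally."""
    info = parse_mbr(sector)
    info["boot_code_modified"] = info["boot_code_sha256"] != baseline_boot_code_sha256
    return info


# Constructed stand-ins; neither is real Windows boot code nor real malware.
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 40   # cli; xor ax,ax; mov ss,ax; mov sp,7C00h; nops
BOOTKIT_BOOT_CODE = b"\xEB\x20" + b"\x90" * 30 + CLEAN_BOOT_CODE[2:]     # a short jump patched over the first bytes
PARTITIONS = [(True, 0x07, 63, 41_943_040)]   # one bootable NTFS partition, ~20 GiB (constructed)


def demo():
    """Return (clean_result, infected_result) for the two constructed MBRs."""
    clean = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
    baseline = parse_mbr(clean)["boot_code_sha256"]      # captured on the known-clean system
    infected = build_mbr(BOOTKIT_BOOT_CODE, PARTITIONS)
    return check_mbr(clean, baseline), check_mbr(infected, baseline)


if __name__ == "__main__":
    clean_result, infected_result = demo()
    print("clean    boot code modified:", clean_result["boot_code_modified"])
    print("infected boot code modified:", infected_result["boot_code_modified"])
    print("partition tables identical: ", clean_result["partitions"] == infected_result["partitions"])
```

To use it on a real disk, take the sector from outside the suspect OS, e.g. from the Ubuntu live CD Dauth suggested with `dd if=/dev/sda of=mbr.bin bs=512 count=1`, and pass `open("mbr.bin", "rb").read()` to `check_mbr` with a baseline hash from a clean install or a known-good image of the same Windows version. Reading the sector from inside the infected Windows proves little, since a rootkit that owns the boot path can also filter what the disk driver returns. `fixmbr` (or `bootrec /fixmbr` on Vista/7 media) rewrites only the boot-code part of this sector and leaves the partition table in place, which is why it removes an MBR bootkit without destroying the install.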

Wanderer 07 Feb 2011

Some AV programs can be set to run before Windows boots up so you can clean the comp.

Check out a program called Malwarebytes. It's really effective but you need to be a bit careful with it :/
Edited by Wanderer, 07 February 2011 - 00:23.

Pandut 07 Feb 2011

Wanderer, on 6 Feb 2011, 17:17, said:

Some AV programs can be set to run before Windows boots up so you can clean the comp.

Check out a program called Malwarebytes. It's really effective but you need to be a bit careful with it :/

I already have Malware Bytes :D.

Some good news: After doing a 5-hour scan with Kaspersky 2011 and its respective Virus Removal Tool, it has detected and removed a crap-load of files accused of being infected. After a re-boot everything seems to be running fine now. No redirects, no pop-ups. I'm still being a little over-cautious and running additional scans with Malware Bytes and Spybot Search & Destroy.

Hobbesy 07 Feb 2011

Why don't you try running a boot scan with Avast?

Wizard 07 Feb 2011

Hobbesy, on 7 Feb 2011, 12:49, said:

Why don't you try running a boot scan with Avast?

Sobek, on 5 Feb 2011, 7:31, said:

Avast isn't doing squat. Boot-time scans, full scans and what have you aren't picking up anything.