
Computer infected?

derrick
derrick Posts: 7,424 Forumite
Part of the Furniture 1,000 Posts Name Dropper
I did a Malwarebytes scan earlier and it was clear, but am now getting pop ups informing me that my computer is infected and not allowing me into programmes, and when clicking on the pop up it requires me to purchase "Antispyware soft".

I have tried to activate Malwarebytes and get the pop up "Windows Security Alert. Application cannot be executed. The file mbam.exe is infected. Do you want to activate your antivirus software now?"

AVG Free 9.0 has the pop up "Windows Security Alert. Application cannot be executed. The file avgui.exe is infected. Do you want to activate your antivirus software now?"

Spybot S&D has the pop up "Windows Security Alert. Application cannot be executed. The file spybotsd.exe is infected. Do you want to activate your antivirus software now?"

Hijackthis has the pop up "Windows Security Alert. Application cannot be executed. The file hijackthis.exe is infected. Do you want to activate your antivirus software now?"

Word has the pop up "Windows Security Alert. Application cannot be executed. The file winword.exe is infected. Do you want to activate your antivirus software now?"

Open Office has the pop up "Windows Security Alert. Application cannot be executed. The file soffice.exe is infected. Do you want to activate your antivirus software now?"

How do I overcome this without purchasing something?
Don`t steal - the Government doesn`t like the competition



Comments

  • Donnie
    Donnie Posts: 9,862 Forumite
    Vista or XP?
  • Browntoa
    Browntoa Posts: 49,602 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    follow this

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    and post the log file

    you may need to rename the combofix file to something else to get it to run
    Ex forum ambassador

    Long term forum member
  • derrick
    derrick Posts: 7,424 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Donnie wrote: »
    Vista or XP?

    XP. Firefox browser
    Browntoa wrote: »
    follow this

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    and post the log file

    you may need to rename the combofix file to something else to get it to run


    Sorry have not been back on, but I tried shutting down and rebooting, but then could not get onto the web, (would not even let me in via Safe Mode). I have been told by someone who knows computers and my ISP, (Virgin.net), that I have the “ANTIVIRUS 2010 bug” that is a pain to remove. OS is Windows XP Home Edition, with Firefox as my default browser.

    I have now managed to get in via Safe Mode and have done scans, (whilst disconnected from the web), with AVG FREE 9.0, Spybot S&D, and Malwarebytes

    AVG is showing a lot of files as “Locked file. Not tested.” and “LOG Locked files. Not tested.”; some examples of these are:
    \UserClass.dat
    ce\CardSpaceSP2.db.shadow
    C:\Documents and Settings/NetworkService/ntuser.dat.
    ce\CardSpaceSP2.db
    C:System Volume Information\

    AVG stopped or finished whilst I was away from the computer and there is no record of its scan! Although when I went back to AVG, (still in Safe Mode), it had ticked “clean automatically” from the window “Command Line Composer”.

    Malwarebytes scan log; -
    ww.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    23/05/2010 14:16:02
    mbam-log-2010-05-23 (14-16-02).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 184903
    Time elapsed: 1 hour(s), 23 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxdbmskq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxdbmskq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\user\Local Settings\Application Data\otfyntans\kdhtggbtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.


    Spybot S&D found the following which I have deleted;-
    1 – Double Click Tracking Cookie

    1 – Fraud.sysguard Malware

    1 – Spywareinfo. trafficZ


    I have just reconnected to the web, and there is nothing at the moment popping up informing me I have a problem, so maybe it is fixed?

    Combofix seems drastic?



    .
    Don`t steal - the Government doesn`t like the competition


  • Browntoa
    Browntoa Posts: 49,602 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    not drastic, you have a "rogue antivirus" infection, combofix will remove bits that malwarebytes does not. I've never had a problem running combofix on PCs
    Ex forum ambassador

    Long term forum member
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    You never updated malwarebytes before running it. I'd recommend updating and running another full scan then run combofix (I'm 90% sure you're still infected)
    :idea:
  • derrick
    derrick Posts: 7,424 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Browntoa wrote: »
    not drastic, you have a "rogue antivirus" infection, combofix will remove bits that malwarebytes does not. I've never had a problem running combofix on PCs


    Might try later! Not too sure, is it just a case of running a scan similar to Malwarebytes?

    aliEnRIK wrote: »
    You never updated malwarebytes before running it. I'd recommend updating and running another full scan then run combofix (I'm 90% sure you're still infected)

    It would not allow me to in safe mode, but will do so now then run a new scan.
    Don`t steal - the Government doesn`t like the competition


  • Browntoa
    Browntoa Posts: 49,602 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    combofix combines a lot of individual tools to remove rootkits, smitfraud infections (like yours) etc. It sets a restore point and then does its thing step by step; at the end it may reboot or not, but either way you need to wait until the log file pops up on your screen

    make sure you click on the update tab on malwarebytes and update the program before scanning
    Ex forum ambassador

    Long term forum member
  • derrick
    derrick Posts: 7,424 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Browntoa wrote: »
    combofix combines a lot of individual tools to remove rootkits, smitfraud infections (like yours) etc. It sets a restore point and then does its thing step by step; at the end it may reboot or not, but either way you need to wait until the log file pops up on your screen

    make sure you click on the update tab on malwarebytes and update the program before scanning


    Did so, scan is running now, will do the Combofix tomorrow.
    Don`t steal - the Government doesn`t like the competition


  • derrick
    derrick Posts: 7,424 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Malwarebytes scan finished, 1 infected file, (deleted), logfile;-

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4132

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    23/05/2010 18:34:04
    mbam-log-2010-05-23 (18-34-04).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 190962
    Time elapsed: 2 hour(s), 17 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{E808AF18-CA43-4F60-B644-CBD80FB747BD}\RP541\A0146862.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.


    Do I still need to do the Combofix?

    .
    Don`t steal - the Government doesn`t like the competition
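
Added example, not part of any poster's message: a small Python triage of the Malwarebytes log format shown in the two logs above, separating autostart (Run key) values and System Restore copies from other detections. The function names `parse_mbam_log`, `triage` and `summarize` are hypothetical; the sample lines are copied, abridged, from the logs in this thread.

```python
import re

# Lines copied (abridged) from the two Malwarebytes logs posted in this thread.
SAMPLE_LOG = r"""
Memory Processes Infected: 0
Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxdbmskq (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\user\Local Settings\Application Data\otfyntans\kdhtggbtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{E808AF18-CA43-4F60-B644-CBD80FB747BD}\RP541\A0146862.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
"""

# A section header ends at the colon; the summary lines carry a count after it.
SECTION = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# Detection line: <path> (<detection name>) -> <action>.
ENTRY = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with its log section."""
    detections, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            section = header.group("section")
            continue
        entry = ENTRY.match(line) if section else None
        if entry:
            detections.append({"section": section, **entry.groupdict()})
    return detections

def triage(det):
    """Classify a detection by where it lives on the system."""
    path = det["path"].lower()
    if r"\currentversion\run" in path:
        return "autostart"       # Run-key value: launched at every logon
    if "_restore{" in path:
        return "restore-point"   # copy stored inside an XP System Restore point
    return "file" if det["section"] == "Files" else "registry"

def summarize(text):
    """Count detections per triage class for a whole log."""
    counts = {}
    for det in parse_mbam_log(text):
        counts[triage(det)] = counts.get(triage(det), 0) + 1
    return counts
```
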


  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    Yes, I certainly think you should
    :idea:
This discussion has been closed.