My (other) laptop has been hit with this AntiVira AV virus, and I am having a heck of a time removing it. Here is what I've tried:
1) Run McAfee (both in Normal mode and in Safe mode) -- did not detect the virus
2) Downloaded and ran PC Tools Spyware Doctor (in Safe mode) -- detected several hundred "tracking cookies," all of which were labeled as a "low threat." Could not delete them without purchasing the full version of Spyware Doctor, and I'm trying as many free solutions first.
3) Followed these instructions to the T (Safe mode, run RKill, run Malwarebytes Anti-Malware) -- detected two trojan viruses and deleted them. Yay! The log report is attached to this post
But...when I re-started my computer after this, the AntiVira AV is still there, and still as aggressive as before.
Can anybody help me get rid of this thing? Thank you in advance!
Hi Edik415,
Can you please post the log, instead of attaching it?
Thanks.
What is the new way to post the log?
Hi,
Copy and paste.
Here it is! (In fact, I was an idiot and attached the wrong file anyway...)
---
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5783
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19019
2/17/2011 8:56:13 AM
mbam-log-2011-02-17 (08-56-13).txt
Scan type: Full scan (C:\|)
Objects scanned: 366746
Time elapsed: 1 hour(s), 10 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\g043oqxanu (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Windows\Temp\tmp00000001eb6fb4d9eef4b7b8 (Trojan.Dropper) -> Quarantined and deleted successfully.
Hi,
Please do the following:
Start > Run > Msconfig.
Please tell me if you see anything suspicious there, before we can continue.
Thanks.
Sorry it took so long for me to check this -- had a late dinner!
I'm not sure if this is everything, but one of the items listed under "Startup" (in System Configuration) is "fbveaibb" from an unknown manufacturer. The command listed is "C:\Users\Edik\AppData\Local\Temp\dddplahjy\uvyirivsikk.exe"
That one looks pretty suspicious. It has a check mark next to it, to run at startup. Should I uncheck this?
Ok! I unchecked that goofy-looking file, so that it would not boot up on startup (operating under the assumption that, if it screws up something important, I can always go back in and re-check it).
Good news -- the AntiVira AV program does NOT boot up when I restart the machine. I do get a weird error that says "Windows has blocked some startup programs," which refers to MalwareBytes. Not sure why that was blocked (or what blocked it), but AntiVira AV does not run.
Less good news -- I haven't actually REMOVED that file, just kept it from booting when the machine starts up. I don't know if I can just go to that temporary directory, delete the file, and be back in business or not. It seems like it should be more complicated than that...
Any thoughts?
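The post above shows the triage by hand: an msconfig Startup entry with a random-letter name, an unknown manufacturer, and an executable under %TEMP%. As an added example (not from this thread, McAfee, or Malwarebytes), the Python below applies the same three checks to a list of startup entries. The entries are constructed for the example; the first is the one quoted in the post, the others are illustrative names and paths and not claims about any real product. The "random-looking name" rule is an assumption of this example (few common English letter pairs), not a documented malware signature; the location rule is the decisive one, since legitimate software does not autostart from a Temp folder.

```python
import re

# Common English letter pairs. A pseudo-random name like "uvyirivsikk"
# shares very few of these. (Heuristic chosen for this example.)
COMMON_BIGRAMS = set("""
th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng se
ha as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si om ur
""".split())

# Path segments legitimate software does not autostart from.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def executable_from_command(command):
    """Return the .exe path from a startup command line, quoted or not."""
    m = re.match(r'^"?(.+?\.exe)"?(?=\s|$)', command.strip(), re.IGNORECASE)
    return m.group(1) if m else command.strip()


def looks_random(stem):
    """Heuristic: 8+ lowercase letters, under 30% common English bigrams."""
    stem = stem.lower()
    if not re.fullmatch(r"[a-z]{8,}", stem):
        return False
    pairs = [stem[i:i + 2] for i in range(len(stem) - 1)]
    common = sum(p in COMMON_BIGRAMS for p in pairs)
    return common / len(pairs) < 0.3


def score_entry(name, manufacturer, command):
    """Return (exe path, list of reasons the entry is suspicious)."""
    exe = executable_from_command(command)
    folder, _, filename = exe.lower().rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    reasons = []
    if any(marker in folder + "\\" for marker in TEMP_MARKERS):
        reasons.append("runs from a Temp folder")
    if looks_random(stem):
        reasons.append("random-looking filename")
    if looks_random(name):
        reasons.append("random-looking entry name")
    if manufacturer.strip().lower() in ("", "unknown"):
        reasons.append("no manufacturer")
    return exe, reasons


def triage(entries):
    """Flag anything running from Temp, or carrying two other signals."""
    flagged = []
    for name, manufacturer, command in entries:
        exe, reasons = score_entry(name, manufacturer, command)
        if "runs from a Temp folder" in reasons or len(reasons) >= 2:
            flagged.append((name, exe, reasons))
    return flagged


# Constructed msconfig-style entries: (name, manufacturer, command).
# The first is the entry quoted in the thread; the rest are illustrative.
SAMPLE_ENTRIES = [
    ("fbveaibb", "Unknown",
     r"C:\Users\Edik\AppData\Local\Temp\dddplahjy\uvyirivsikk.exe"),
    ("Windows Defender", "Microsoft Corporation",
     r"%ProgramFiles%\Windows Defender\MSASCui.exe -hide"),
    ("Malwarebytes Anti-Malware", "Malwarebytes Corporation",
     r'"C:\Program Files\Malwarebytes Anti-Malware\mbamgui.exe" /starttray'),
    ("ctfmon", "Unknown", r"C:\Windows\System32\ctfmon.exe"),
    # A familiar filename does not help if it runs from Temp.
    ("update", "Unknown", r"C:\Windows\Temp\svchost.exe"),
]

if __name__ == "__main__":
    for name, exe, reasons in triage(SAMPLE_ENTRIES):
        print(f"{name}: {exe}")
        for reason in reasons:
            print(f"    - {reason}")
```

Unchecking an entry in msconfig only stops it launching at logon; the executable stays on disk, so a flagged file still has to be removed (or quarantined by a scanner) afterwards. A single weak signal such as a missing manufacturer is not enough on its own, which is why the script requires either the Temp location or two indicators before flagging.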
I think I might have done it!
Once I disabled that [random letters].exe file from startup, I updated my MalwareBytes, ran it again, and it located THAT .exe file as a Trojan of sorts, along with two others (this is in addition to the two that I deleted earlier). I had MWB delete those, and it APPEARS to be gone.
I'm holding off on a major celebration, just in case it re-appears. But I've restarted several times now since then, and it seems ok. Going to run another full McAfee scan to be sure...
Does it sound like I'm in the clear?
Thanks for your help!!
You may be okay now. I tried earlier to post to say that Malwarebytes should be run in normal mode rather than in Safe Mode, but got caught by the System Outage.
AntiVira AV is a rogue program, so if you delete the executable most of the problem goes away. What's left is a mess of registry changes and temp files, which a program like CCleaner will be able to deal with. One thing to be wary of is that these programs are getting more sophisticated, so the just-delete-the-program approach may not work forever. But for now, you should be okay (let's hope so).
To be on the safe side you might want to run a second anti-malware program, such as SuperAntiSpyware or Microsoft's Windows Defender. Both of these are compatible with McAfee (the paid-for version of Malwarebytes isn't, since the two programs will conflict).