Author Topic: Personal Antivirus Infection  (Read 1483 times)

Offline Mar

  • Gold Member
  • *****
  • Posts: 2203
Personal Antivirus Infection
« on: July 11, 2009, 05:26:02 PM »
I just started the computer up and I get a window that looks like this:



I immediately know something's wrong. I've never even heard of Personal Antivirus, let alone downloaded it. I bring up task manager, I see 2 processes I've never seen before: pav.exe and NetFilter.exe. I immediately terminate the programs and then run a search for them. I find NETFILTER.EXE-04869CD2.pf and PAV.EXE-0C17BFE5.pf in C:\WINDOWS\Prefetch. I also find NetFilter in the system32 folder. I try to open IE to get info on these but IE keeps crashing. Luckily I have firefox, and it has no problems running. I find out that it's a highly complex and intelligent Trojan.

Uh-oh.

Well, I search the web on how to remove it and proceed to do so manually. However, I don't seem to have acquired the full blast of this thing because: (1) there was only one file in the folder "Personal Antivirus" in Program Files, which was pav.exe, (2) I didn't find any of the registry entries that I was told to remove, and (3) there weren't any of the indicated processes running in the background other than pav.exe. Looks like I got pretty lucky this time, but of course not everything is what it looks like.

I deleted all of the files I found, but IE still won't run. I'm going to play it safe and try a system restore, and hope that the restore hasn't been infected as well.


If anyone has recommendations or more info on this Trojan please let me know. This is my first serious infection and I'm not going to take it lightly.
𝒻𝓇𝑜𝓂 𝓉𝒽𝑒 𝓈𝒽𝒶𝒹𝑜𝓌𝓈 𝑜𝒻 𝓌𝒶𝓇'𝓈 𝓅𝒶𝓈𝓉 𝒶 𝒹𝑒𝓂𝑜𝓃 𝑜𝒻 𝓉𝒽𝑒 𝒶𝒾𝓇 𝓇𝒾𝓈𝑒𝓈 𝒻𝓇𝑜𝓂 𝓉𝒽𝑒 𝑔𝓇𝒶𝓋𝑒

  "Onward to the land of kings—via the sky of aces!"
  Oh, and zack1234 rules. :old:
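The two .pf files found above are the kind of artifact a responder reads before trusting any tool's verdict: an XP prefetch file records the executable name, last run time and run count, and it survives deletion of the binary itself. The following is an added example, not code from the thread, assuming the Windows XP / Server 2003 (format version 17) header layout and a constructed sample header rather than a real capture:

```python
import struct
from datetime import datetime, timedelta, timezone
# Header layout of Windows XP / Server 2003 prefetch files (format version 17).
PF_VERSION_XP = 17
OFF_SIGNATURE = 0x04   # b"SCCA"
OFF_EXE_NAME = 0x10    # UTF-16LE executable name, NUL-terminated, 60 bytes
OFF_LAST_RUN = 0x78    # FILETIME: 100 ns ticks since 1601-01-01 UTC
OFF_RUN_COUNT = 0x90   # uint32
HEADER_SIZE = 0x98
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def split_prefetch_name(filename):
    """'NETFILTER.EXE-04869CD2.pf' -> ('NETFILTER.EXE', '04869CD2'); the hash covers the full path."""
    stem = filename[:-3] if filename.lower().endswith(".pf") else filename
    exe, _, path_hash = stem.rpartition("-")
    if not exe or len(path_hash) != 8:
        raise ValueError(f"not a prefetch file name: {filename}")
    return exe, path_hash.upper()

def parse_xp_prefetch(data):
    """Executable name, last run time and run count from a version-17 header."""
    if len(data) < HEADER_SIZE or data[OFF_SIGNATURE:OFF_SIGNATURE + 4] != b"SCCA":
        raise ValueError("not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version != PF_VERSION_XP:
        raise ValueError(f"unsupported prefetch version {version}")
    name = data[OFF_EXE_NAME:OFF_EXE_NAME + 60].decode("utf-16-le").split("\x00", 1)[0]
    ticks = struct.unpack_from("<Q", data, OFF_LAST_RUN)[0]
    run_count = struct.unpack_from("<I", data, OFF_RUN_COUNT)[0]
    return {"exe": name, "run_count": run_count,
            "last_run": FILETIME_EPOCH + timedelta(microseconds=ticks // 10)}

def build_sample_prefetch(exe, last_run, run_count):
    """Constructed version-17 header for offline testing; not a real capture."""
    buf = bytearray(HEADER_SIZE)
    struct.pack_into("<I", buf, 0, PF_VERSION_XP)
    buf[OFF_SIGNATURE:OFF_SIGNATURE + 4] = b"SCCA"
    buf[OFF_EXE_NAME:OFF_EXE_NAME + 60] = exe.encode("utf-16-le").ljust(60, b"\x00")
    delta = last_run - FILETIME_EPOCH   # integer arithmetic keeps the FILETIME exact
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    struct.pack_into("<Q", buf, OFF_LAST_RUN, ticks)
    struct.pack_into("<I", buf, OFF_RUN_COUNT, run_count)
    return bytes(buf)

def sample_report():
    # Constructed sample: pav.exe last run 2009-07-11 17:00 UTC, three runs.
    blob = build_sample_prefetch("PAV.EXE", datetime(2009, 7, 11, 17, 0, tzinfo=timezone.utc), 3)
    info = parse_xp_prefetch(blob)
    info["exe_from_name"], info["path_hash"] = split_prefetch_name("PAV.EXE-0C17BFE5.pf")
    return info
```

A run count far above what the user remembers launching, or a last run time after the binary was "deleted", is the signal worth pulling the drive image for.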

Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: Personal Antivirus Infection
« Reply #1 on: July 11, 2009, 07:07:35 PM »
I've found that infections like these somehow always start with a rootkit.

Download, Install, and Run the following utilities to see if they remove this malicious software:

AVG Anti-Rootkit Free

Spybot Search & Destroy
Get your Daily Dose of Flame!
FlameThink.com
No. 603 Squadron... Visit us on the web, if you dare.

Drug addicts are always disappointed after eating Pot Pies.

Offline Tigger29

  • Gold Member
  • *****
  • Posts: 2568
Re: Personal Antivirus Infection
« Reply #2 on: July 11, 2009, 09:01:46 PM »
One of these two completely removed it for me.. I forget which:

http://www.superantispyware.com/

http://www.malwarebytes.org/

Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: Personal Antivirus Infection
« Reply #3 on: July 11, 2009, 09:25:20 PM »
Malwarebytes, that's the one I was forgetting! Thanks Tigger.

Offline Ghosth

  • AH Training Corps (retired)
  • Plutonium Member
  • *******
  • Posts: 8497
      • http://332nd.org
Re: Personal Antivirus Infection
« Reply #4 on: July 12, 2009, 06:57:44 AM »
Malwarebytes will get rid of it.

Threatfire stops most rootkits from ever happening.

Offline Mar

  • Gold Member
  • *****
  • Posts: 2203
Re: Personal Antivirus Infection
« Reply #5 on: July 17, 2009, 05:54:37 PM »
Anyone for a plate of screwed?

When I said that not everything is what it looks like, I was right on. Just a few days ago I got hit, hard.

I gotta admit, this is nuts, even by my standards. I've been going bonkers trying to get AVG and Malwarebytes to clean up this mess. AVG has never been able to finish a full scan, the computer just shuts off when it gets near the end. At first I thought it was because the computer is overheating, but one time the computer just tried to restart itself and failed. I did a full scan with Malwarebytes (which was able to finish) and found and removed an even 200 threats, then I restarted the computer normally (forgot to mention all my scans took place in safe mode) and AVG starts spewing out warnings of trojans as soon as I connect to the internet. So I go back into safe mode and have AVG run another scan which finds at least 30 more trojans before the computer shuts off (again). So much crap going on I can't remember it all. Today I decided to check out ThreatFire and I have it running right now. The thing is, now AVG is going absolutely insane. It is constantly detecting anything that opens as a trojan, including itself. All I have to do is open Notepad and I immediately get threat warnings, first only identifying Notepad as a trojan, then saying that avgcsrvx.exe is a trojan. I myself have never heard of an anti-virus identifying itself as a virus.

So far ThreatFire hasn't detected anything. I'm going to try re-installing AVG and see what happens.

This has been the craziest time I've ever had on this thing.


What do you guys think about this? Think I got singled out by an expert hacker or something? Why didn't malwarebytes get it clean, and why is AVG going nuts? And do you think ThreatFire can keep this crap from happening again? Important questions that require informed answers.

Offline Tigger29

  • Gold Member
  • *****
  • Posts: 2568
Re: Personal Antivirus Infection
« Reply #6 on: July 17, 2009, 07:04:10 PM »
You need to back up any data you want to save onto a SEPARATE drive... then reinstall windows... then SCAN the backup drive for viruses, etc.. then copy your backed up data back...

At this point a repartition/format/reinstall is all you can do for a reliable fix.

Offline Fulmar

  • Gold Member
  • *****
  • Posts: 3936
      • Aces High Movie Database
Re: Personal Antivirus Infection
« Reply #7 on: July 17, 2009, 07:36:35 PM »
You need to back up any data you want to save onto a SEPARATE drive... then reinstall windows... then SCAN the backup drive for viruses, etc.. then copy your backed up data back...

At this point a repartition/format/reinstall is all you can do for a reliable fix.
+1
For serious infections, the amount of time that you back up your data (which is ALWAYS good to do periodically), reformat, install Windows, and copy the data back is generally a time saver. Plus you don't have the headache of trying to find that one program that gets rid of that one spyware/virus and then there's the concern "is it really gone?"
In game callsign: not currently flying
Flying off and on since Warbirds
Aces High Movies available at www.derstuhl.net/ahmd2 - no longer aceshighmovies.com - not updated either

Offline Masherbrum

  • Radioactive Member
  • *******
  • Posts: 22408
Re: Personal Antivirus Infection
« Reply #8 on: July 17, 2009, 11:12:45 PM »
AVG sucks and I used it only once. I consider AVG Free itself a virus, as remnants of it were still on my old PC after a proper uninstall.

Get ESET NOD32. Don't screw around this time.
-=Most Wanted=-

FSO Squad 412th FNVG
http://worldfamousfridaynighters.com/
Co-Founder of DFC

Offline Delirium

  • Platinum Member
  • ******
  • Posts: 7276
Re: Personal Antivirus Infection
« Reply #9 on: July 18, 2009, 12:38:04 AM »
Agreed on Nod32... the nice thing about it is it seems to put a much smaller load on the computer than most anti-virus programs do. Heck, I leave it running when I'm on AH.
Delirium
80th "Headhunters"
Retired AH Trainer (but still teach the P38 selectively)

I found an air leak in my inflatable sheep and plugged the hole! Honest!

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: Personal Antivirus Infection
« Reply #10 on: July 18, 2009, 02:28:29 AM »
Try the NOD32 online scan first, www.eset.com/onlinescan

But you really SHOULD format and reinstall. There's no guarantee any AV will be able to clean your computer.

If you're on a laptop, create a 20 GB partition for the OS and programs, and leave the rest for data. If you're using a desktop, get a new hard drive for the new OS installation; they're dirt cheap.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline cattb

  • Silver Member
  • ****
  • Posts: 1163
Re: Personal Antivirus Infection
« Reply #11 on: July 18, 2009, 03:49:56 AM »
Just a suggestion if you're going to reinstall your OS: if you don't have mirror imaging software, like Ghost, Acronis, and others on the market, get it, and do backups at intervals, preferably to a second hard drive. If this were to happen again or your hard drive goes bad you have a backup image to fall back on. Then you don't end up reinstalling everything again. You can erase your hard drive or use a new hard drive, use the recovery disc (Ghost has one), boot up your PC, load the backup image, and you're ready to roll.
cattb/timo
:Salute Easy8 EEK GUS Betty

Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: Personal Antivirus Infection
« Reply #12 on: July 18, 2009, 11:08:17 AM »
What do you guys think about this? Think I got singled out by an expert hacker or something? Why didn't malwarebytes get it clean, and why is AVG going nuts? And do you think ThreatFire can keep this crap from happening again? Important questions that require informed answers.

As others have said, download and install NOD32 onto that system. Combined with the tools mentioned above it should get rid of the infections. Once again, scan using AVG Anti-Rootkit Free (unplug the Internet cord while you're scanning). It should pick up the original infections.

Offline Anodizer

  • Silver Member
  • ****
  • Posts: 1940
Re: Personal Antivirus Infection
« Reply #13 on: July 18, 2009, 03:34:08 PM »
1. Back up all your data. Once that's done, scan it on another machine that you know is clean.
2. Do a low-level format of your hard drive. This is the only absolute way to fully format and "zero" out every sector of the drive. Reformatting with Windows never formats the boot sector (where viruses can reside).
3. Reinstall your OS and be sure to get all the updates.

As others have said here, AVG is junk and is inherently known for lots of false positives and truly fails to remove or block anything. If you are looking for something free, Antivir http://www.free-av.com/en/trialpay_download/1/avira_antivir_personal__free_antivirus.html is absolutely the best thing you can get that doesn't expire after 30 days. It's made in Germany. Germans make good stuff. I've been using it for years and have never ever once got an infection ever. This uses very little resources and runs quietly in the background, not inhibiting performance one bit. The only issue is that every time it updates, it'll give you a little advertisement to buy the registered version. However, I disable auto update while playing AH and this neutralizes the issue.

After installing your antivirus software, you'll want to download and install SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html. This will actually prevent malware from being installed on your machine. It's not a scanner and it only needs to be run to update (about every 2 weeks). It makes changes to your registry that block any malware from installing itself on your machine. I consider this a very important part of my defense.

Next, you'll want to install a software firewall such as Sunbelt http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/. Again this is free to use. They give you 30 days of the Professional Version which downgrades to the free version after that. But the free version works great! The Professional Version has features you'll probably never use. Anyhow, this is another good one that uses very little resources.

Lastly, you need to be behind a router with a firewall. Absolutely. Even if you just connect 1 computer to it. The hardware firewall in a router is detrimental to your PC's security as well as any others that are on your network. Be sure that the wireless security and router login setup is taken care of as well.

AMENDMENT!!
Don't low-level format your drive if you are going to use a restore partition such as the one included with Dell, HP, etc. That is, unless you have a physical copy of the restore disks.
« Last Edit: July 18, 2009, 04:26:11 PM by Anodizer »
I like classy, beautiful, intelligent woman that say the "F" word a lot....

80th FS "Headhunters"

Offline Mar

  • Gold Member
  • *****
  • Posts: 2203
Re: Personal Antivirus Infection
« Reply #14 on: July 18, 2009, 04:23:25 PM »
Hmm...

First: Would a Trojan or virus be able to get into a locked .rar file?

Second: I can tell now that AVG is junk, but does anyone know what can possibly make it go crazy like this?

If worst comes to worst I can use the HP Recovery drive to restore Windows to its original state without losing any data currently here. That means that the viruses can still be there, but not active, since the registry and settings are restored to what they were out of the box. However, I would really rather not go through that hassle as it takes about 2 days for the process to complete and once it does I will have to re-install all the programs I have and bring my settings back the way I like them, which can also take another 2 days.

Aside from that, ThreatFire seems to be doing a good job on its own, and unless there are virus programs that can conceal themselves from Task Manager there shouldn't be anything that can get past me. I ask if a virus can get into a password-locked .rar file because the only information that can be used to steal my identity on this computer is in such a file. I should be fairly safe right now if there isn't.