Author Topic: antivirus 2010  (Read 2360 times)

Offline DREDIOCK

  • Plutonium Member
  • *******
  • Posts: 17775
Re: antivirus 2010
« Reply #45 on: January 19, 2010, 06:51:17 AM »
Update.

Don't count on ESET to stop it. My daughter walked into the room last night.

"Daddy. I think mommy's computer has a virus...."

Sure enough, "Antivirus 2010" is running, asking for updates, warning that the computer is infected, popup after popup coming up.

Malwarebytes' Anti-Malware got rid of it easily enough. But ESET Smart Security did NOT stop it.

Interestingly enough, it was listed in the quarantine (along with 20 other things it did stop or prevent in the last couple of weeks), even though it didn't stop Antivirus 2010 from running or installing itself.
Death is no easy answer
For those who wish to know
Ask those who have been before you
What fate the future holds
It ain't pretty

Offline DREDIOCK

Re: antivirus 2010
« Reply #46 on: January 19, 2010, 06:56:13 AM »
STAY AWAY FROM TEH PRON!!1!1!

Actually, most of the dangers these days seem to be from sites kids tend to visit rather than the adult-oriented sites.
Not saying porn sites don't sometimes have viruses. But most of the viruses/trojans/malware I've come across have been from kids' sites my daughter or her friends have visited, and not mine or their parents'.

Offline CAP1

  • Radioactive Member
  • *******
  • Posts: 22287
      • The Axis Vs Allies Arena
Re: antivirus 2010
« Reply #47 on: January 19, 2010, 07:55:11 AM »
Quote from: DREDIOCK
Update.

Don't count on ESET to stop it. My daughter walked into the room last night.

"Daddy. I think mommy's computer has a virus...."

Sure enough, "Antivirus 2010" is running, asking for updates, warning that the computer is infected, popup after popup coming up.

Malwarebytes' Anti-Malware got rid of it easily enough. But ESET Smart Security did NOT stop it.

Interestingly enough, it was listed in the quarantine (along with 20 other things it did stop or prevent in the last couple of weeks), even though it didn't stop Antivirus 2010 from running or installing itself.

Run SUPERAntiSpyware and Spybot Search & Destroy too. They both found things that Malwarebytes didn't... just like Malwarebytes found things the others didn't.

Below is the log from Malwarebytes...

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

1/16/2010 1:53:14 PM
mbam-log-2010-01-16 (13-53-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 226609
Time elapsed: 38 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


This was the first pass with Malwarebytes... after SUPERAntiSpyware said it was clean.
ingame 1LTCAP
80th FS "Headhunters"
S.A.P.P.- Secret Association Of P-38 Pilots (Lightning in a Bottle)
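An added example (not code from the post above and not from Malwarebytes) that turns an MBAM 1.x text log like the one posted into structured findings and pulls out the two items a responder would act on: the second executable appended to the Winlogon\Userinit value (Winlogon launches every comma-separated entry there at each interactive logon, so an extra path is a persistence hook, not cosmetic damage) and the Policies\* values set to 1 that disabled Task Manager and desktop changes. The section names and the "path (Detection) -> action" line shape follow the log on the page; SAMPLE_LOG is a constructed excerpt of that log with the same entries, trimmed.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings
and reduce it to the items that matter for triage.

Added example, not code from the forum post or from Malwarebytes.
SAMPLE_LOG is a constructed excerpt of the log posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2

Registry Keys Infected: 2
Registry Data Items Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\)"                 # path (Detection)
    r"(?: -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\))?"   # data items only
    r" -> (?P<action>.+)$"                                      # what MBAM did
)


@dataclass
class Finding:
    section: str
    path: str
    detection: str
    action: str
    bad: str | None = None   # value MBAM found (data items only)
    good: str | None = None  # value it restored


def parse_log(text: str) -> list[Finding]:
    """Walk the log line by line, tracking which 'X Infected:' section we are in."""
    findings: list[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        # Header block, summary counts and "(No malicious items detected)" carry no entry.
        if section is None or line.startswith("("):
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings.append(Finding(section, m.group("path"), m.group("detection"),
                                    m.group("action"), m.group("bad"), m.group("good")))
    return findings


def userinit_extras(value: str, windir: str = r"C:\WINDOWS") -> list[str]:
    """Entries in a Winlogon\\Userinit value other than the stock userinit.exe."""
    stock = {"userinit.exe", (windir + r"\system32\userinit.exe").lower()}
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and entry.lower() not in stock:
            extras.append(entry)
    return extras


def triage(text: str) -> dict:
    """Reduce a log to what is worth acting on after the scan."""
    findings = parse_log(text)
    report = {
        "detections": sorted({f.detection for f in findings}),
        "userinit_extras": [],   # extra executables launched at every logon
        "policy_lockouts": [],   # Policies\* values set to 1 to hide the infection
        "files": [],             # dropped binaries, for hashing and timeline work
    }
    for f in findings:
        lower = f.path.lower()
        if lower.endswith(r"\winlogon\userinit") and f.bad:
            report["userinit_extras"].extend(userinit_extras(f.bad))
        elif "\\policies\\" in lower and f.bad == "1":
            report["policy_lockouts"].append(f.path.rsplit("\\", 1)[-1])
        elif f.section == "Files":
            report["files"].append(f.path)
    return report


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

The point of `userinit_extras` is that MBAM reports the whole Userinit string as one "bad" value; splitting it out gives you the exact binary to hash, hunt for on other machines, and check is really gone after the reboot, which is more useful than the detection name alone.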

Offline CAP1

Re: antivirus 2010
« Reply #48 on: January 19, 2010, 07:57:20 AM »
Quote from: MORAY37
Don't you know, my girlfriend's laptop got gobbled today by this "Windows 2010" rootkit? Probably the same one that got you.

Combofix killed it within 5 mins of the first sign of infection... of course this was done through window after window of ungrammatical "your computer is infected..." windows. It actually forced an image onto her background (same horrible grammar lol)... dunno if I've seen that before. It also wouldn't let any of her spyware or malware scanners finish their scans, which I found interesting as well.

There's nothing important on her computer (just lesson plans; she's a teacher), so I made her change any passwords for external stuff. I don't think a full wipe is in order, in this case.

Anyway, Combofix killed it. Just FYI.

You wouldn't have a link to Combofix, would you?

I googled it yesterday, and there are about 10 pages of results...

Offline Denholm

  • Plutonium Member
  • *******
  • Posts: 9667
      • No. 603 Squadron
Re: antivirus 2010
« Reply #49 on: January 19, 2010, 08:57:27 AM »
Quote from: DREDIOCK
Update.

Don't count on ESET to stop it. My daughter walked into the room last night.

"Daddy. I think mommy's computer has a virus...."

Sure enough, "Antivirus 2010" is running, asking for updates, warning that the computer is infected, popup after popup coming up.

Malwarebytes' Anti-Malware got rid of it easily enough. But ESET Smart Security did NOT stop it.

Interestingly enough, it was listed in the quarantine (along with 20 other things it did stop or prevent in the last couple of weeks), even though it didn't stop Antivirus 2010 from running or installing itself.

TilDeath put it in simple terms for me, I'll share the same information with you...

ESET products are better at preventing the initial infection than removing the infection itself. If you download the virus and open it, it's too late.
Get your Daily Dose of Flame!
FlameThink.com
No. 603 Squadron... Visit us on the web, if you dare.

Drug addicts are always disappointed after eating Pot Pies.

Offline CAP1

Re: antivirus 2010
« Reply #50 on: January 19, 2010, 09:03:53 AM »
Quote from: Denholm
TilDeath put it in simple terms for me, I'll share the same information with you...

ESET products are better at preventing the initial infection than removing the infection itself. If you download the virus and open it, it's too late.

Den... the problem... I didn't download anything. The window popped up in the middle of my screen. I clicked nothing, just hit the reset button... but that fast it was in my machine.

Offline Denholm

Re: antivirus 2010
« Reply #51 on: January 19, 2010, 09:25:06 AM »
You don't have to these days. With ActiveX and Java around, all you have to do is look at a picture.

Offline CAP1

Re: antivirus 2010
« Reply #52 on: January 19, 2010, 09:50:00 AM »
Quote from: Denholm
You don't have to these days. With ActiveX and Java around, all you have to do is look at a picture.

Hmm... is it possible that some of the pictures I loaded onto Photobucket could've gotten infected?

Offline MORAY37

  • Gold Member
  • *****
  • Posts: 2318
Re: antivirus 2010
« Reply #53 on: January 19, 2010, 10:57:54 AM »
Quote from: CAP1
You wouldn't have a link to Combofix, would you?

I googled it yesterday, and there are about 10 pages of results...

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The download site is "bleepingcomputer.com", which is kind of hidden.  There is a warning about how powerful it is, etc.  When you use it, if you don't have the Windows Recovery Console installed, make sure you let it put it on.

Do not download it from any site that asks for money.

If you decide to use it... have patience.... it will take about 25 minutes to a half hour with this "Windows 2010" rootkit. (At least that's how long it took for my GF's computer)  It found it within the first 2 minutes of scan and determined it was a rootkit, which required a clean reboot, which it will do itself.  

The only time you should have to touch it is after any reboot, as you may have to select your user in the windows startup ("Welcome") screen again.  There are long pauses in activity, just let it go.  It is especially long when you are waiting for the log,( although my GF's computer was heavily fragmented).  

As well, please speak with someone who knows how powerful this program is.  It seems that all the tech forums like it for exactly this infection, though.

Good luck.  (All of what I said is on the first page of the link I provided as well.)
« Last Edit: January 19, 2010, 11:56:44 AM by MORAY37 »
"Ocean: A body of water occupying 2/3 of a world made for man...who has no gills."
-Ambrose Bierce

Offline MORAY37

Re: antivirus 2010
« Reply #54 on: January 19, 2010, 11:24:38 AM »
Quote from: CAP1
Run SUPERAntiSpyware and Spybot Search & Destroy too. They both found things that Malwarebytes didn't... just like Malwarebytes found things the others didn't.

Below is the log from Malwarebytes...

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

1/16/2010 1:53:14 PM
mbam-log-2010-01-16 (13-53-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 226609
Time elapsed: 38 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


This was the first pass with Malwarebytes... after SUPERAntiSpyware said it was clean.

Honestly, I'm worried that Malwarebytes got the symptoms here and not the sickness.  It seems to have found all the things the root was doing..... but not the "windows 2010" virus.

Offline CAP1

Re: antivirus 2010
« Reply #55 on: January 19, 2010, 12:10:59 PM »
Quote from: MORAY37
Honestly, I'm worried that Malwarebytes got the symptoms here and not the sickness.  It seems to have found all the things the root was doing..... but not the "windows 2010" virus.

That scan was the third thing I ran. I ran Symantec first, along with SUPERAntiSpyware. Symantec found antivirus2009.rogue (I think) in 2 places.
SUPERAntiSpyware found something like 70 things... about 20 were just cookies, the rest were trojans, antivirus2010.rogue, trojan.fake, and some others...

I've been running SUPERAntiSpyware and Malwarebytes every day now... till my computer guy comes to get this machine.

Offline MORAY37

  • Gold Member
  • *****
  • Posts: 2318
Re: antivirus 2010
« Reply #56 on: January 19, 2010, 12:48:42 PM »
Quote from: CAP1
That scan was the third thing I ran. I ran Symantec first, along with SUPERAntiSpyware. Symantec found antivirus2009.rogue (I think) in 2 places.
SUPERAntiSpyware found something like 70 things... about 20 were just cookies, the rest were trojans, antivirus2010.rogue, trojan.fake, and some others...

I've been running SUPERAntiSpyware and Malwarebytes every day now... till my computer guy comes to get this machine.

Like I said, try Combofix after you back everything up.  It really is a last ditch attempt prior to a full wipe.

I wish I could show you the report from her computer last night, but I deleted it accidentally while cleaning the C: drive.  

It had all the things you posted, plus another whole file that said "Windows Antivirus 2010" or something like that.

Quote
Repair Tool of the Week: Combofix

Combofix is a freeware, portable application designed to scan a computer for known malware and, if found, attempt to remove it. I personally use this application very frequently in conjunction with SmitFraudFix to remove Win Antivirus 2008 and its variants. In addition to removing many different rogueware products, it also shows you a log of files that were created or modified in the last month to help you locate potential malware it didn't detect. For example, if there is a randomly named .dll file in the system32 folder that was created on the day of the infection but all other files are dated years ago when Windows was installed, it's probably something to do with the virus.

from
http://www.technibble.com/repair-tool-of-the-week-combofix/
« Last Edit: January 19, 2010, 12:51:55 PM by MORAY37 »
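The "files created or modified in the last month" check from the quoted write-up, as an added example that is neither ComboFix's code nor part of the post: list the binaries in a directory whose modification time falls within the last N days, so that a fresh two-character .exe (like the 41.exe in the log above) stands out next to OS files dated at install time. It builds a constructed stand-in for system32 in a temp folder so it runs offline; the file names and ages in it are made up for the demonstration, and `recent_binaries` can be pointed at a real directory instead.

```python
"""Timeline triage of a system directory: which binaries were written in
the last N days?

Added example, not ComboFix's code and not from the forum post.
build_sample_dir() creates a constructed directory for the demonstration.
"""
from __future__ import annotations

import os
import tempfile
import time
from pathlib import Path

BINARY_EXT = {".exe", ".dll", ".sys", ".scr", ".ocx"}
DAY = 86400.0


def recent_binaries(directory: str, days: float = 30,
                    now: float | None = None) -> list[tuple[str, float]]:
    """Return (name, age_in_days) for binaries modified within `days`, newest first.

    st_mtime is used because every tool shows it; it is also trivially forged
    (timestomping), so an empty result is evidence, not a clean bill.
    """
    now = time.time() if now is None else now
    cutoff = now - days * DAY
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        if Path(entry.name).suffix.lower() not in BINARY_EXT:
            continue
        mtime = entry.stat(follow_symlinks=False).st_mtime
        if mtime >= cutoff:
            hits.append((entry.name, round((now - mtime) / DAY, 1)))
    hits.sort(key=lambda h: h[1])
    return hits


def build_sample_dir() -> str:
    """Constructed directory: three 'OS' files 900 days old plus two fresh files."""
    root = tempfile.mkdtemp(prefix="sys32_")
    now = time.time()
    ages = {
        "kernel32.dll": 900, "userinit.exe": 900, "ntoskrnl.exe": 900,
        "41.exe": 0.5,      # written half a day ago; a meaningless name is itself a tell
        "readme.txt": 0.5,  # fresh but not a binary, so ignored
    }
    for name, age in ages.items():
        p = Path(root, name)
        p.write_bytes(b"MZ")          # placeholder content; only the timestamps matter
        ts = now - age * DAY
        os.utime(p, (ts, ts))
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    for name, age in recent_binaries(root, days=30):
        print(f"{age:>6} days  {name}")
```

On a real NTFS volume, go one step further than mtime: compare the $STANDARD_INFORMATION timestamps (what this script and Explorer show, and what SetFileTime can rewrite) against the $FILE_NAME timestamps in the MFT record, which ordinary user-mode timestomping does not touch; a mismatch on an otherwise "old" file is worth a look.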

Offline Denholm

Re: antivirus 2010
« Reply #57 on: January 19, 2010, 01:29:41 PM »
AVG Anti-Rootkit Free will probably pick up the initial infection (rootkit). That's why I recommended using it if the infections came back. In regards to your photos on Photobucket... I doubt they were infected. However, I know some of the advertisements on MediaFire have attempted to wedge a port open on my system. Therefore it's completely logical to assume other websites also have such advertisements (whether they know it or not) infecting computers.

Additionally, Flash and ActiveScript are a great combination when it comes to delivering spyware, malware, and even viruses.

Offline Mano

  • Gold Member
  • *****
  • Posts: 2201
Re: antivirus 2010
« Reply #58 on: January 19, 2010, 02:10:08 PM »
My mom's computer got that one. I booted to Safe Mode (WinXP) and did the Restore to a previous date... 3 days ago. Then did a virus scan in Safe Mode. It found 3 viruses, but not the Antivirus 2010. I also did a boot scan and an
extensive scan. I suspect I will eventually have to format the hard drive and reinstall everything... I hope not. Before running the Windows Restore I could not access any Windows programs other than Control Panel. None of the programs in Control Panel would boot up. Good luck out there!

<S>
Mano
Everything is funny as long as it is happening to somebody else.
- Will Rogers (1879 - 1935)

Offline Denholm

Re: antivirus 2010
« Reply #59 on: January 19, 2010, 02:13:57 PM »
Give AVG Anti-Rootkit Free a go. See if it resolves any of your troubles.