Aces High Bulletin Board
General Forums => Hardware and Software => Topic started by: Mar on July 11, 2009, 05:26:02 PM
-
I just started the computer up and I get a window that looks like this:
(http://www.removal-instructions.com/spyware_images/personalantivirus_pic1.png)
I immediately know something's wrong. I've never even heard of Personal Antivirus, let alone downloaded it. I bring up task manager, I see 2 processes I've never seen before: pav.exe and NetFilter.exe. I immediately terminate the programs and then run a search for them. I find NETFILTER.EXE-04869CD2.pf and PAV.EXE-0C17BFE5.pf in C:\WINDOWS\Prefetch. I also find NetFilter in the system32 folder. I try to open IE to get info on these but IE keeps crashing. Luckily I have firefox, and it has no problems running. I find out that it's a highly complex and intelligent Trojan.
Uh-oh.
Well, I search the web on how to remove it and proceed to do so manually. However, I don't seem to have acquired the full blast of this thing because: (1) there was only one file in the folder "Personal Antivirus" in Program Files, which was pav.exe, (2) I didn't find any of the registry entries that I was told to remove, and (3) there weren't any of the indicated processes running in the background other than pav.exe. Looks like I got pretty lucky this time, but of course not everything is what it looks like.
I deleted all of the files I found, but IE still won't run. I'm going to play it safe and try a system restore, and hope that the restore hasn't been infected as well.
If anyone has recommendations or more info on this Trojan please let me know. This is my first serious infection and I'm not going to take it lightly.
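A quick triage the poster above did by hand (eyeballing Task Manager and the Prefetch folder) can be scripted. The following PowerShell is an added example, not code from this thread or from any of the tools named in it; it assumes a Windows machine with PowerShell 5.1 or later, run from an elevated prompt so that every process's image path is readable. It lists running processes with their executable path and Authenticode signature status, shows the unsigned ones running outside the Windows directory (the usual place a rogue binary like the pav.exe mentioned above turns up), and then lists the most recently written Prefetch entries, which record what has executed on the box.

```powershell
# Added triage example (not from the thread). Assumes PowerShell 5.1+ on Windows,
# run elevated so Win32_Process exposes ExecutablePath for every process.

# Build one record per process: name, PID, image path, signature status and signer.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name   = $_.Name
            PID    = $_.ProcessId
            Path   = $_.ExecutablePath
            Signed = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# First thing to look at: binaries with no valid signature living outside %windir%.
# A legitimate vendor product is normally signed; a fake AV dropped into Program Files usually is not.
Write-Host "Unsigned / unverifiable processes outside $env:windir:"
$procs |
    Where-Object { $_.Signed -ne 'Valid' -and $_.Path -notlike "$env:windir\*" } |
    Sort-Object Path |
    Format-Table Name, PID, Path, Signed -AutoSize

# Prefetch (.pf) files are created the first time an executable runs and updated on later runs,
# so the newest entries show what has executed recently, even if the process has since exited.
Write-Host "Most recently written Prefetch entries:"
Get-ChildItem "$env:windir\Prefetch\*.pf" -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 Name, LastWriteTime |
    Format-Table -AutoSize
```

The output is a starting point for investigation, not a verdict: an unsigned process is worth identifying, not automatically malicious, and a valid signature only tells you who signed the file. As several replies in this thread point out, once a box has had something like this on it, the reliable fix is a backup, wipe and reinstall rather than trusting what a listing on the infected system shows.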
-
I've found that infections like these somehow always start with a rootkit.
Download, Install, and Run the following utilities to see if they remove this malicious software:
AVG Anti-Rootkit Free (http://www.softpedia.com/get/Antivirus/AVG-Anti-Rootkit.shtml)
Spybot Search & Destroy (http://download.cnet.com/Spybot-Search-amp-Destroy/3000-8022_4-10122137.html?tag=mncol)
-
One of these two completely removed it for me.. I forget which:
http://www.superantispyware.com/ (http://www.superantispyware.com/)
http://www.malwarebytes.org/ (http://www.malwarebytes.org/)
-
Malwarebytes, that's the one I was forgetting! Thanks Tigger.
-
Malwarebytes will get rid of it.
Threatfire stops most rootkits from ever happening.
-
Anyone for a plate of screwed?
When I said that not everything is what it looks like, I was right on. Just a few days ago I got hit, hard.
I gotta admit, this is nuts, even by my standards. I've been going bonkers trying to get AVG and malwarebytes to clean up this mess. AVG has never been able to finish a full scan, the computer just shuts off when it gets near the end. At first I thought it was because the computer is overheating, but one time the computer just tried to restart itself and failed. I did a full scan with malwarebytes (which was able to finish) and found and removed an even 200 threats, then I restarted the computer normally (forgot to mention all my scans took place in safe mode) and AVG starts spewing out warnings of trojans as soon as I connect to the internet. So I go back into safe mode and have AVG run another scan which finds at least 30 more trojans before the computer shuts off (again). So much crap going on I can't remember it all. Today I decided to check out threatfire and I have it running right now. The thing is, now AVG is going absolutely insane. It is constantly detecting anything that opens as a trojan, including itself. All I have to do is open notepad and I immediately get threat warnings, first only identifying notepad as a trojan, then saying that avgcsrvx.exe is a trojan. I myself have never heard of an anti-virus identifying itself as a virus.
So far ThreatFire hasn't detected anything. I'm going to try re-installing AVG and see what happens.
This has been the craziest time I've ever had on this thing.
What do you guys think about this? Think I got singled out by an expert hacker or something? Why didn't malwarebytes get it clean, and why is AVG going nuts? And do you think ThreatFire can keep this crap from happening again? Important questions that require informed answers.
-
You need to back up any data you want to save onto a SEPARATE drive... then reinstall windows... then SCAN the backup drive for viruses, etc.. then copy your backed up data back...
At this point a repartition/format/reinstall is all you can do for a reliable fix.
-
You need to back up any data you want to save onto a SEPARATE drive... then reinstall windows... then SCAN the backup drive for viruses, etc.. then copy your backed up data back...
At this point a repartition/format/reinstall is all you can do for a reliable fix.
+1
For serious infections, the amount of time that you back up your data (which is ALWAYS good to do periodically), reformat, install windows, and copy the data back is generally a time saver. Plus you don't have the headache of trying to find that one program that gets rid of that one spyware/virus and then there's the concern "is it really gone?"
-
AVG sucks and I used it only once. I consider AVG Free itself a virus, as remnants of it were still on my old PC after a proper uninstall.
Get ESET NOD 32. Don't screw around this time.
-
Agreed on Nod32... the nice thing about it is it seems to put a much smaller load on the computer than most anti-virus programs do. Heck, I leave it running when I'm on AH.
-
Try the NOD32 online scan first, www.eset.com/onlinescan
But you really SHOULD format and reinstall. There's no guarantee any AV will be able to clean your computer.
If you're on a laptop, create a 20gb partition for the OS and programs. Rest for data. If you're using a desktop, get a new hard drive for a new OS installation, they're dirt cheap.
-
Just a suggestion if you're going to reinstall your OS: if you don't have mirror imaging software, like Ghost, Acronis, and others on the market, get it, and do backups at intervals, preferably to a second hard drive. If this were to happen again or your hard drive goes bad you have a backup image to fall back on. Then you don't end up reinstalling everything again. You can erase your hard drive or use a new hard drive, use the recovery disc (Ghost has one), boot up your PC, load the backup image, and you're ready to roll.
cattb/timo
-
What do you guys think about this? Think I got singled out by an expert hacker or something? Why didn't malwarebytes get it clean, and why is AVG going nuts? And do you think ThreatFire can keep this crap from happening again? Important questions that require informed answers.
As others have said, download and install NOD32 onto that system. Combined with the tools mentioned above it should get rid of the infections. Once again, scan using AVG Anti-Rootkit Free (unplug the Internet cord while you're scanning). It should pick up the original infections.
-
1. Back up all your data.... Once that's done, scan it on another machine that you know is clean....
2. Do a low level format of your hard drive.. This is the only absolute way to fully format and "zero" out every sector of the drive.. Reformatting with windows never formats the boot sector (where viruses can reside)..
3. Reinstall your OS and be sure to get all the updates..
As others have said here, AVG is junk and is inherently known for lots of false positives and truly fails to remove or block anything.. If you are looking for something free, Antivir http://www.free-av.com/en/trialpay_download/1/avira_antivir_personal__free_antivirus.html (http://www.free-av.com/en/trialpay_download/1/avira_antivir_personal__free_antivirus.html) is absolutely the best thing you can get that doesn't expire after 30 days.. It's made in Germany.. Germans make good stuff.. I've been using it for years and have never ever once got an infection ever.. This uses very little resources and runs quietly in the background, not inhibiting performance one bit. The only issue is that every time it updates, it'll give you a little advertisement to buy the registered version.. However, I disable auto update while playing AH and this neutralizes this issue..
After installing your antivirus software, you'll want to download and install SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html (http://www.javacoolsoftware.com/spywareblaster.html).
This will actually prevent malware from being installed on your machine.. It's not a scanner and it only needs to be run to update (about every 2 weeks)..
It makes changes to your registry that block any malware from installing itself on your machine.. I consider this a very important part of my defense..
Next, you'll want to install a software firewall such as Sunbelt http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/ (http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/).. Again this is free to use.. They give you 30 days of the Professional Version which downgrades to the free version after that.. But the free version works great!
The Professional Version has features you'll probably never use.. Anyhow, this is another good one that uses very little resources..
Lastly, you need to be behind a router with a firewall....Absolutely.. Even if you just connect 1 computer to it.. The hardware firewall in a router is detrimental to your PC's security as well as any others that are on your network.. Be sure that the wireless security and router login setup is taken care of as well..
AMENDMENT!!
Don't low level format your drive if you are going to use a restore partition such as included with Dell, HP, etc..
That is unless you have a physical copy of the restore disks..
-
Hmm...
First: Would a Trojan or virus be able to get into a locked .rar file?
Second: I can tell now that AVG is junk, but does anyone know what can possibly make it go crazy like this?
If worst comes to worst I can use the HP Recovery drive to restore windows to its original state without losing any data currently here. That means that the viruses can still be there, but not active, since the registry and settings are restored to what they were out of the box. However, I would really rather not go through that hassle as it takes about 2 days for the process to complete and once it does I will have to re-install all the programs I have and bring my settings back the way I like them, which can also take another 2 days.
Aside from that, ThreatFire seems to be doing a good job on its own, and unless there are virus programs that can conceal themselves from Task Manager there shouldn't be anything that can get past me. I ask if a virus can get into a password-locked .rar file because the only information that can be used to steal my identity on this computer is in such a file. I should be fairly safe right now if there isn't.
-
I believe that's exactly what a rootkit is; something that integrates itself directly into the Windows kernel, making it undetectable without certain tools.
I also suggest using something more professional if you're going to encrypt things, like TrueCrypt. WinRAR is the secondary haven (next to ActiveX and IFrames) for viruses on their way to delivery.
-
Hmm...
First: Would a Trojan or virus be able to get into a locked .rar file?
Second: I can tell now that AVG is junk, but does anyone know what can possibly make it go crazy like this?
If worst comes to worst I can use the HP Recovery drive to restore windows to its original state without losing any data currently here. That means that the viruses can still be there, but not active, since the registry and settings are restored to what they were out of the box. However, I would really rather not go through that hassle as it takes about 2 days for the process to complete and once it does I will have to re-install all the programs I have and bring my settings back the way I like them, which can also take another 2 days.
Aside from that, ThreatFire seems to be doing a good job on its own, and unless there are virus programs that can conceal themselves from Task Manager there shouldn't be anything that can get past me. I ask if a virus can get into a password-locked .rar file because the only information that can be used to steal my identity on this computer is in such a file. I should be fairly safe right now if there isn't.
At this point doing anything but a full format means risking your personal information, internet banking credentials etc. Would be fun to know how you got it, clicked a hack.rar or freepr0n.rar open?
-
It shouldn't be able to get the information out of such a file, no, esp. not if it's password protected.
And that's something you can do with most any software. Winzip, winrar should all be able to password protect a compressed file.
The other way to go that I haven't seen mentioned is to make either a dos level virus scanner CD and then tell the computer to boot from the cd/dvd, or to use a Linux distro that can boot off a CD/DVD without actually installing to your hard drive. Many of them will have a good antivirus as part of the package. Ubuntu, Mepis, are just a couple of the possibilities. Since you're not in windows, none of the files will be protected or hidden.
(Same basic idea as the dos level scanner) Hit them from behind where they have no cover.
Here they do it with a flash drive.
http://askthegeek.kennyhart.com/2005/12/how-to-make-bootable-thumb-drive-virus.html (http://askthegeek.kennyhart.com/2005/12/how-to-make-bootable-thumb-drive-virus.html)
-
At this point doing anything but a full format means risking your personal information, internet banking credentials etc. Would be fun to know how you got it, clicked a hack.rar or freepr0n.rar open?
Firstly, I'm not into this "pr0n" stuff.
Secondly, I most likely got this mess via my brother constantly downloading and installing freeware games, which I've now forbidden him to do.
Thirdly, I'm saying it's not my fault (no offence). I'm the one here that's been keeping the viruses out in the first place.
So now that the source of the viruses has been taken care of and the fact is known that the existing viruses on here (if there are any left) cannot get into the locked file (as Ghosth pointed out), there should be no problem. The only exception would be if a program can view my screen or log keystrokes without being detected by ThreatFire or Task Manager. So far every time something happened there was a program on task manager that I did not recognize, and the something that was happening stopped when I terminated the program. In other words, nothing currently on this machine can escape detection of Task Manager as far as I've seen.
Now that flash drive is a good idea, I'll have to get one and try it out.
-
Firstly, I'm not into this "pr0n" stuff.
Secondly, I most likely got this mess via my brother constantly downloading and installing freeware games, which I've now forbidden him to do.
Thirdly, I'm saying it's not my fault (no offence). I'm the one here that's been keeping the viruses out in the first place.
So now that the source of the viruses has been taken care of and the fact is known that the existing viruses on here (if there are any left) cannot get into the locked file (as Ghosth pointed out), there should be no problem. The only exception would be if a program can view my screen or log keystrokes without being detected by ThreatFire or Task Manager. So far every time something happened there was a program on task manager that I did not recognize, and the something that was happening stopped when I terminated the program. In other words, nothing currently on this machine can escape detection of Task Manager as far as I've seen.
Now that flash drive is a good idea, I'll have to get one and try it out.
You cannot be sure you're clean without a format after an infection of this kind. I wouldn't use the box for any banking etc. without full format and reinstall.
-
I just responded to my daughter's request for help with that darned Personal AV yesterday. It creates a folder for itself in C:\program files and in C:\program files\common files\. Actually I even saw an uninstall for it under C:\program files\common files folder but I elected to nuke em all personally and then ran CCleaner to get rid of the left behind trash and she's been good to go.
All the Best...
Jay
awDoc1
-
Be careful with that. I used a similar method to get rid of a very similar bug. However, I went ahead and ran some scans after I thought I removed it. 45 infections and two days later the bug was finally gone.
Just because it doesn't show, doesn't mean it isn't there.
-
Personally I don't understand the point of trying to clean a system when far more certain and faster way is to either load a fresh image or just reinstall. Peace of mind and a fresh system.
-
For me, the majority of what I learned about computers was gained when I took control of an infected system then cleaned it out. While I understand that reformatting is the easier and safer means of destroying an infection, I would have never been at my level of knowledge about the internal workings of a computer today unless I tried repairing it myself. Plus there's always the part of some people not having a Windows Installer, not having a backup of personal files, not having a recovery disk/partition. There are multiple reasons why people don't reformat. Mine is for knowledge.
-
For me, the majority of what I learned about computers was gained when I took control of an infected system then cleaned it out. While I understand that reformatting is the easier and safer means of destroying an infection, I would have never been at my level of knowledge about the internal workings of a computer today unless I tried repairing it myself. Plus there's always the part of some people not having a Windows Installer, not having a backup of personal files, not having a recovery disk/partition. There are multiple reasons why people don't reformat. Mine is for knowledge.
Except that when you're dealing with a rootkit or advanced viruses the maker has infinitely higher knowledge on how to hide the bad code from you. That's the problem.
-
Except that when you're dealing with a rootkit or advanced viruses the maker has infinitely higher knowledge on how to hide the bad code from you. That's the problem.
Absolutely.
-
Yes, that was quite evident since the computer was infected without the knowledge of the user. That's also why I use a wide variety of scanners along with basic knowledge to weed out and destroy the infections.
I'm not disagreeing that the infection might not be completely removed. I'm simply saying that by attempting to remove the infection I have gained more knowledge about computers. That's my only reason for fighting as opposed to wiping.
-
Anyone for a plate of screwed?
When I said that not everything is what it looks like, I was right on. Just a few days ago I got hit, hard.
I gotta admit, this is nuts, even by my standards. I've been going bonkers trying to get AVG and malwarebytes to clean up this mess. AVG has never been able to finish a full scan, the computer just shuts off when it gets near the end. At first I thought it was because the computer is overheating, but one time the computer just tried to restart itself and failed. I did a full scan with malwarebytes (which was able to finish) and found and removed an even 200 threats, then I restarted the computer normally (forgot to mention all my scans took place in safe mode) and AVG starts spewing out warnings of trojans as soon as I connect to the internet. So I go back into safe mode and have AVG run another scan which finds at least 30 more trojans before the computer shuts off (again). So much crap going on I can't remember it all. Today I decided to check out threatfire and I have it running right now. The thing is, now AVG is going absolutely insane. It is constantly detecting anything that opens as a trojan, including itself. All I have to do is open notepad and I immediately get threat warnings, first only identifying notepad as a trojan, then saying that avgcsrvx.exe is a trojan. I myself have never heard of an anti-virus identifying itself as a virus.
So far ThreatFire hasn't detected anything. I'm going to try re-installing AVG and see what happens.
This has been the craziest time I've ever had on this thing.
What do you guys think about this? Think I got singled out by an expert hacker or something? Why didn't malwarebytes get it clean, and why is AVG going nuts? And do you think ThreatFire can keep this crap from happening again? Important questions that require informed answers.
huh, I'm running the free version just fine. I usually download it every couple of months, then delete it. If I get another virus, re-download the latest free version.
-
In the past 2 weeks our store has gotten like 100 of those machines infected with Personal AV.. malwarebytes has taken care of 99% of the issues. For 24/7 protection you can get a lifetime license for 24.99 for personal computers (which we sell to the customers infected to prevent it happening again).
-
Personally I don't understand the point of trying to clean a system when far more certain and faster way is to either load a fresh image or just reinstall. Peace of mind and a fresh system.
+1
If you're going to use a cloner, take the image directly after installing the OS and all your software, and before connecting to your network or adding your data. Don't clone your data; restore data from a current backup.
The hardware firewall in a router is detrimental to your PC's security as well as the any others that are on your network.
:huh
-
:huh
Not sure English is his native language. I think he might have meant something along the lines of "determinate." In any case, he meant a hardware firewall is important. :D
-
ok that makes sense :aok
-
I had to clean this fake AV up before, Mar; it took quite a long time, I had to do a lot of google searching :lol
It would have been better and faster to just do a fresh install, which is what you should probably do mate.
-
If I get another virus
Sounds to me like you mean "When".
IMO, these 3 things are axiomatic:
1) free AV is worth about what you pay for it.
2) And even the best commercial AV doesn't stand a chance if you browse stupidly.
3) But even without ANY AV, a fully patched system can stay clean for a LOOOOONG time if not used for social networking sites, pr0n, or P2P.
Hence, the large discrepancy between users and their rate of success with / evaluations of various A/V packages.
<S>
-
Plus there's always the part of some people not having a Windows Installer, not having a backup of personal files, not having a recovery disk/partition. There are multiple reasons why people don't reformat. Mine is for knowledge.
I'm one of those people. I do have a recovery disk, but as I said I'd rather use that as a last resort.
Anyway, so far no problems. I think "browsing stupidly" was the source of these viruses, but as I said I've now fixed that problem, so there shouldn't be any more problems with viruses.
Thank you all for your help.