
Anti Virus Pro 2009 (Malware) Grrrrrrr!

Discussion in 'Tech Talk' started by Chad Landry, Nov 11, 2008.

  1. Chad Landry

    Chad Landry Cajunator® CLM

    Joined:
    Jun 18, 2005
    Messages:
    38,164
    Likes Received:
    21
    Location:
    Corpus Christi, TX
    Well, my wife done clicked the wrong popup again. This time none of the anti-malware programs will run, and it has my "System Restore" disabled.

    Any time I try to run any of the programs, "Malwarebytes", "Superantispyware", "HiJackThis", or "ComboFix", none will run except for "HiJackThis", and it comes back showing that everything is fine.

    I even deleted McAfee (again), because it was running in safe mode.

    This crap did something to my registry to where I can't even run any of these programs in safe mode.

    I'm about to reformat and reinstall Windows (again). Sigh.

    I told my wife that this is the last time, and that next time she can learn this stuff for herself.

    I download these programs on my laptop, then transfer them via memory stick to the desktop PC, and they won't run on it.

    She's pretty sure she clicked "OK" on a popup that asked if she wanted to fix her spyware problem.
     
  2. Blitzer

    Blitzer Cool Cat

    Joined:
    Jan 15, 2004
    Messages:
    12,111
    Likes Received:
    0
    Location:
    The communist's play ground of OHIO
    NOD32 will kill the critters, I am slowly moving every PC from Zone Alarm Internet suite to NOD32. It works on a Pent 2 laptop with 128MB of RAM! Mighty tough software too.
     

  3. B. Somm

    B. Somm Lady B/Team OAF Millennium Member CLM

    Joined:
    Sep 17, 1999
    Messages:
    1,472
    Likes Received:
    8
    Location:
    Northern Mexico...AKA: Arizona
    One of those damn things got me the other day! :steamed:

    I had to restart my computer several times before I could get my Spyware stuff up & running.

    When I got the popup, I clicked cancel as I didn't recognize the "program" that was informing me that my computer was infected with spyware. It started downloading its "fix" anyway. Locked up my computer.

    Things seem to be running ok now. The only sites that I had gone to were my AOL mail, GT in the Outpost Forum and Photobucket. There was also a Flash Player update that kept coming up when I got my computer back up. Pissed me off royally!

    B. :sigh:
     
  4. Chad Landry

    Chad Landry Cajunator® CLM

    Joined:
    Jun 18, 2005
    Messages:
    38,164
    Likes Received:
    21
    Location:
    Corpus Christi, TX
    Downloading NOD32 now, Blitzer. I'll try anything to keep from having to do another reformat on that machine.
     
  5. srhoades

    srhoades

    Joined:
    Jul 14, 2000
    Messages:
    2,806
    Likes Received:
    15
    It's pretty easy to disable in the registry:
    HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run
    and the same path under HKEY_CURRENT_USER.

    Once you remove those entries, restart and go into safe mode with networking (so Malwarebytes can update if needed). Malwarebytes should remove it. I should know, I just removed it about 2 hours ago from a customer's computer.

    If your wife is prone to this behaviour you can purchase the paid version of Malwarebytes; it then runs as active protection and catches it in the act.
     
  6. Chad Landry

    Chad Landry Cajunator® CLM

    Joined:
    Jun 18, 2005
    Messages:
    38,164
    Likes Received:
    21
    Location:
    Corpus Christi, TX
    I found several different lists of registry values to delete on different sites, and couldn't find any of the listed values in the registry.

    Once I've done running Blitzer's recommendation, I'll try it again.

    So far the NOD32 has found zero threats although the malware popups keep popping up.
     
  7. srhoades

    srhoades

    Joined:
    Jul 14, 2000
    Messages:
    2,806
    Likes Received:
    15
    I would give combofix a whirl too. It's pretty effective.

    Also, if you have a linux live cd you can just delete the program in the program files entry. It's usually called AV09 or XPAV09 or even all spelled out.
     
  8. ppcrusa

    ppcrusa

    Joined:
    Dec 13, 2002
    Messages:
    496
    Likes Received:
    0
    Location:
    ...
    It doesn't matter if she clicked OK, cancel, or even the red X at the top of the popup. At that point it was infected anyway. That Antivirus 2009 crap has caused me more heartache and pain than any other infection I've run across at work. It all boils down to going to shady sites and hunting down that next "Freebie" or discount. I feel for ya.
     
  9. Chad Landry

    Chad Landry Cajunator® CLM

    Joined:
    Jun 18, 2005
    Messages:
    38,164
    Likes Received:
    21
    Location:
    Corpus Christi, TX
    I have on "Local Machine".../run/optional components/ (then 4 sub folders)

    /imail

    /mapi

    and

    /msfs

    Under current user, I have "run" with six items under it.

    Do I just delete the entire "run" folder?
     
  10. ppcrusa

    ppcrusa

    Joined:
    Dec 13, 2002
    Messages:
    496
    Likes Received:
    0
    Location:
    ...
    Yeah but the newest variant of that scum sucking malware also downloads friends to come and play too. Usually in the form of trojans. They immediately load up into processes and download yet more. It is like a giant snowball effect, except in this case it is brown and it stinks.
     
  11. srhoades

    srhoades

    Joined:
    Jul 14, 2000
    Messages:
    2,806
    Likes Received:
    15

    No, don't delete any of those. If you just click run, the entries will be on the right. Look for one that is starting the offending program.
     
  12. Chad Landry

    Chad Landry Cajunator® CLM

    Joined:
    Jun 18, 2005
    Messages:
    38,164
    Likes Received:
    21
    Location:
    Corpus Christi, TX
    I have no way of knowing which one is starting the offending program, as they are not named anything near av2009, or any variant thereof.
     
  13. tantrix

    tantrix J'aimeLouisiane

    Joined:
    Dec 27, 2003
    Messages:
    6,289
    Likes Received:
    0
    Location:
    Louisiana, CSA
    .....
     
    Last edited: Nov 11, 2008
  14. Chad Landry

    Chad Landry Cajunator® CLM

    Joined:
    Jun 18, 2005
    Messages:
    38,164
    Likes Received:
    21
    Location:
    Corpus Christi, TX
    NOD32 went through the entire scan and found nothing.

    I'm gonna uninstall it and then run Avast. That's what I have on my personal machine.
     
  15. James Markov

    James Markov

    Joined:
    Mar 2, 2006
    Messages:
    828
    Likes Received:
    1
    Location:
    Converse, Texas
    Same thing happened here. Spybot, AVG, and finally Comodo firewall helped. Also CCleaner is nice...
     
  16. Chad Landry

    Chad Landry Cajunator® CLM

    Joined:
    Jun 18, 2005
    Messages:
    38,164
    Likes Received:
    21
    Location:
    Corpus Christi, TX
    srhoades, I have under "Current User/..../run/" four items:

    Default        REG_SZ  (value not set)
    brastk         REG_SZ  c:windows/system32/brastk.exe
    ctfmon.exe     REG_SZ  c:windows/system32/ctfmon.exe
    svchost.exe    REG_SZ  c:windows/system32/drivers/svchost.exe
     
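    As an added example, not posted by anyone in this thread, here is a small Python triage script for the kind of Run-key values listed above: it flags an entry that borrows a Windows system binary's name (svchost.exe, ctfmon.exe) but launches from anywhere other than System32, which is exactly what srhoades' advice depends on spotting. The sample values are constructed from the post; the list of system binaries and trusted directories is an assumption, not something from the thread.

```python
import ntpath
import re

# Assumption: these Windows binaries normally live only in System32/SysWOW64.
# A Run value using one of these names from any other directory is a
# classic disguise used by rogue "antivirus" installers and their droppers.
SYSTEM_BINARIES = {"svchost.exe", "ctfmon.exe", "lsass.exe", "winlogon.exe"}
TRUSTED_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def normalize_path(value):
    """Turn a loosely typed path (forward slashes, missing '\\' after the
    drive letter, surrounding quotes) into a lowercase backslash path."""
    v = value.strip().strip('"').replace("/", "\\").lower()
    v = re.sub(r"^([a-z]):(?!\\)", r"\1:\\", v)  # c:windows -> c:\windows
    return v


def classify_run_entry(name, value):
    """Return (verdict, reason) for a single value under a Run key."""
    if not value or value == "(value not set)":
        return ("ok", "default value, not an autorun entry")
    path = normalize_path(value)
    exe = ntpath.basename(path)
    directory = ntpath.dirname(path)
    if exe in SYSTEM_BINARIES:
        if directory in TRUSTED_SYSTEM_DIRS:
            return ("ok", f"{exe} launched from its expected directory")
        return ("suspicious", f"{exe} launched from unexpected directory {directory}")
    return ("unknown", f"{exe} is not a known system binary; verify publisher and hash")


def triage_run_key(entries):
    """Classify every (name, value) pair exported from a Run key."""
    return {name: classify_run_entry(name, value) for name, value in entries}


# Constructed sample: the four HKCU\...\Run values quoted in the thread.
SAMPLE_RUN_VALUES = [
    ("(Default)", "(value not set)"),
    ("brastk", "c:windows/system32/brastk.exe"),
    ("ctfmon.exe", "c:windows/system32/ctfmon.exe"),
    ("svchost.exe", "c:windows/system32/drivers/svchost.exe"),
]

if __name__ == "__main__":
    for name, (verdict, reason) in triage_run_key(SAMPLE_RUN_VALUES).items():
        print(f"{verdict:10} {name:12} {reason}")
```

    The real svchost.exe never runs from the drivers directory, so that entry is the one to investigate first; the "unknown" verdict for brastk only means it is not a recognised system binary, not that it is malicious.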
  17. tantrix

    tantrix J'aimeLouisiane

    Joined:
    Dec 27, 2003
    Messages:
    6,289
    Likes Received:
    0
    Location:
    Louisiana, CSA
    Here ya go cj...try it.

    1) Go to Start>Run and type in "msconfig".
    2) Go over to the tab named "Startup" and click disable all. Reboot.
    3) Download Avast Home, Spybot, and Adaware. Install and update all 3.
    4) Reboot and hit F8 during startup. Select "start computer in safe mode" and hit enter.
    5) Do a thorough scan with all 3 of the programs above...Avast 1st, Spybot 2nd, and Adaware 3rd.
    6) Report back. :supergrin:
     
  18. Chad Landry

    Chad Landry Cajunator® CLM

    Joined:
    Jun 18, 2005
    Messages:
    38,164
    Likes Received:
    21
    Location:
    Corpus Christi, TX
    NOD32 found nothing, but now I notice that the malware prevents NOD32 from downloading updates.
     
  19. Chad Landry

    Chad Landry Cajunator® CLM

    Joined:
    Jun 18, 2005
    Messages:
    38,164
    Likes Received:
    21
    Location:
    Corpus Christi, TX
    <---- slaps head

    I forgot about msconfig.

    I just ran it like that and used system restore. Rebooting now. Next I'll see what happens with Malwarebytes.

    Of course, there were so many programs in startup that were hiding from me in other places.

    Thanks for that advice, Tantrix. I think this may get it!
     
  20. BAILIFF

    BAILIFF Piece Officer

    Joined:
    Oct 14, 2006
    Messages:
    5,578
    Likes Received:
    11
    Location:
    I'm over here now.