Fake Windows Security Virus

May 10, 2011 at 16:43:46
Specs: Windows XP

I got this virus somehow on my computer. I downloaded and used Malwarebytes' Anti-Malware under one of the other users on the system and several files were removed. However, now when I go into my user, none of the programs are there. It shows on the main login screen that there are several emails but my email program is gone and there is NOTHING in my Start menu. I tried to Restore to an earlier point but it will not take. Help please!




#1
May 10, 2011 at 20:32:13
cdruet,

Can you do the following to see if we can get some needed information:

Highlight and Copy all of the following text (in italics):

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /s >look.txt
start notepad look.txt
exit
cls

Click Start > Run, and, in the Open area, type: cmd
Press: Enter to open a command window.
Right-click by the blinking cursor in the command window and select: Paste

The command window will close and a log opens on your Desktop.
Please post the contents of the look.txt in your reply.

If going to Start > Run does not work to get to the command prompt, open Task Manager by pressing Ctrl Shift Esc simultaneously

In Task Manager, select: New Task (Run)

In the Open area, type: cmd



#2
May 11, 2011 at 04:45:35
OK thank you very much. This is what comes up:


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools REG_DWORD 0x0
DisableTaskMgr REG_DWORD 0x1


Also if I try to go into Task Manager it says it has been disabled by my administrator.



#3
May 11, 2011 at 05:04:58
Go to Start > Run once again

Highlight and copy each of the following (one at a time), and place in the Open area.
Then, Click: Enter/OK


reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Restart the computer

If it is a no-go from Start > Run, go back to using the command prompt as you did before, and enter each command, one at a time.

When done, type exit to go out of the command prompt.

Can you use Task Manager?



#4
May 11, 2011 at 07:47:01
OK I did the above and can now run Task Manager - I couldn't before. However my programs are still not there - they are in the Control Panel where all the list shows up though


#5
May 11, 2011 at 08:17:45
Is this the virus: http://www.spywarehelpcenter.com/wi... ?

Visit my website www.spywarehelpcenter.com for more virus and spyware help.



#6
May 11, 2011 at 08:38:12
cdruet,

Give this program a whirl:

Download Unhide.exe to the Desktop:

http://download.bleepingcomputer.co...

Double-click Unhide.exe icon on your Desktop
Allow the program to run.

This program removes the hidden attribute from all the files on your hard drives.

Let us know how it goes.

If the program does not download, place the following address in your browser, but, without the quotes:

"http://download.bleepingcomputer.com/grinler/unhide.exe"



#7

#8
May 11, 2011 at 15:50:22
I did this and a notepad screen is just sitting there Processing c:\ blinking and the message
Please be patient while your files are made visible again.

Is this what it is supposed to be doing?

Also Xpuser4real - I read the Combofix page and am kind of leery of trying it - I am scared of doing something I can't undo - is it as involved as it sounds?

Thank you very much guys - I did what rsavage suggested and downloaded his program and it did come up with several files in the scan but when I went to click on Fix - I had to pay $20 to have it fixed and I don't have a credit card - I actually thought it would work too and was very disappointed



#9
May 11, 2011 at 16:08:56
OK - many of my files came back but not my desktop and I keep getting the message "An error has occurred on the script on this page. Do you want to continue running scripts on this page?"

Also - while my start menu populates and the programs appear to be there, the actual programs aren't - I can see Microsoft Office but not Word, Outlook, etc - Would the Combofix fix that?



#10
May 11, 2011 at 16:46:37
The original poster said
"I did what rsavage suggested and downloaded his program and it did come up with several files in the scan but when I went to click on Fix - I had to pay $20 to have it fixed"

It's funny, response #5 is trying to push Stopzilla on his website when that is one of the WORST anti-spyware paid progs

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#11
May 11, 2011 at 20:16:16
cdruet,

For using ComboFix, it is in your best interest to go to the following Forum:
http://www.techsupportforum.com/for...

Follow these instructions before asking for help:
http://www.techsupportforum.com/for...


ComboFix is a very powerful tool, and not for the untrained User. The creator of ComboFix is based at that forum, and you will get in-depth help from the experts who work there.



#12
May 11, 2011 at 22:37:29
If you opt to continue here, let’s open the Registry Editor to view the Registry.

Click: Start > Run
Once Run is open, type in regedit
Click OK

Once you have regedit open, you see the "folders" HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, and HKEY_CURRENT_CONFIG

We need to go here:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

To get there, click on the [+] next to HKEY_LOCAL_MACHINE
Next, click the [+] next to the following, in sequence:
Software
Microsoft
Windows NT
CurrentVersion
Winlogon

Right click Winlogon, and select: Export

In the Export Registry File prompt, Save in: Desktop
File name: regexp1
Click: Save

The info will be on the Desktop as regexp1.reg


Follow the same procedure for:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

When you get to: Image File Execution Options
Right click, and select Export.

In the Export Registry File prompt, Save in: Desktop
File name: regexp2
Click: Save

The info will be on the Desktop as regexp2.reg

Now, go to regexp1 on the Desktop, right click the reg file, and select:
Open with > Notepad
Notepad contains the info we need.

Do the same with regexp2


Please post the Notepad info from regexp1 and regexp2 in your reply.

>>Please do not do anything else with these files.<<



#13
May 11, 2011 at 23:31:13
'For using ComboFix, it is in your best interest to go to the following Forum:
http://www.techsupportforum.com/for...'

I disagree. The link I gave in response #7 is the one you should use for combofix...I have been repairing PCs for over 10 yrs now and that is the most informative site to use.


#14
May 12, 2011 at 14:38:45
cdruet,

Let’s see if this brings back your Desktop:

Press CTRL ALT Delete (simultaneously)
In the Windows Task Manager prompt, press: New Task…
In Create New Task, Open area, type in exactly the following: Explorer.exe
Click: OK

Any luck?



#15
May 12, 2011 at 14:52:25
I have a lot of the desktop back but still have the following problems:

When I go into the C: most of the files are blue with the extension sqm - when I go into My Computer, all drives, etc except C are black. C is blue and has files sqmdata00.sqm to sqmdata19.sqm and sqmnoopt00.sqm to 19

Also - I have tried to post the reg files you asked for twice but they are not showing up here on the site



#16
May 12, 2011 at 15:13:10
cdruet,

Check your private messages.



#17
May 12, 2011 at 16:11:16
Those are MSN Live Messenger sqmdata files.

To get rid of them:

Launch Notepad, (Start > Programs > Accessories > Notepad)
Copy/paste all the text below to Notepad:

@Echo off
attrib -H c:\*.sqm
del c:\*.sqm /Q
Exit

In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: sqm.bat
Save as Type: All files
Click: Save
Exit out of Notepad.

Next, on the Desktop, double click on sqm.bat

Restart the computer



#18
May 12, 2011 at 16:21:31
There are only a few extra files in C other than these. Did you receive the other reg files?


#19
May 12, 2011 at 18:19:49
Go back to post #6.

Use Unhide.exe, and make sure you select your C: drive


Haven't checked email yet, but will shortly.

Let us know what happens after you use Unhide.exe



#20
May 12, 2011 at 19:00:41
cdruet,

Got your reg file exports. At first glance they look OK, however, want to compare them with another XP machine. Will probably not do that until tomorrow.

Any progress with Unhide.exe?

Are the .sqm files gone?

The situation now is that there are only a few files in your C: drive? Is this correct?



#21
May 12, 2011 at 21:01:09
Looked at the reg file exports.

Please do the following:

Open Notepad: Start > All Programs > Accessories > Notepad

Copy and paste ALL the Registry code that appears below into Notepad, including the REGEDIT4 portion

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

In Notepad go to File and select: Save as
Save as: shellfix.reg
Save to the Desktop

Now, go to the Desktop
Double click on the shellfix.reg file
When prompted, say yes to merge into Registry

Any improvement?



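An added example, not part of any post in this thread: a Python sketch that reads a .reg export such as the regexp1.reg and regexp2.reg files requested in #12 and flags the values this thread repairs (a per-user or non-Explorer Winlogon Shell as reset in #21, Debugger values under Image File Execution Options, and the DisableTaskMgr policy from #2 and #3). The sample export, the function names and the placeholder file names are constructed for illustration, and the skipped IFEO subkey is assumed to be the stock Windows XP placeholder entry.

```python
import re

# Constructed sample in .reg export format; values are illustrative, not from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\All Users\\Application Data\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
"Debugger"="constructed-placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"Debugger"="ntsd -d"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
IFEO = r'\windows nt\currentversion\image file execution options' + '\\'
WINLOGON = r'\windows nt\currentversion\winlogon'
POLICY = r'\windows\currentversion\policies\system'
XP_PLACEHOLDER = 'your image file name here without a path'  # assumed stock XP entry

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg strings escape \ and " with a backslash

def parse_reg(text):
    """Return {key_path: {value_name: data}}; str for strings, int for dwords."""
    keys, current = {}, None
    for line in text.lstrip('\ufeff').splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:  # "[-key]" deletes a key, so nothing under it is collected
            current = None if m.group(1) else keys.setdefault(m.group(2), {})
            continue
        m = VAL_RE.match(line)
        if m is None or current is None:
            continue
        name = '' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = unescape(data[1:-1])
        elif data.lower().startswith('dword:'):
            current[name] = int(data[6:], 16)
        # "name"=- (delete) and hex(...) data are not needed here and are skipped
    return keys

def audit(keys):
    """Return (check, subject, data) tuples for values the thread treats as tampered."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        vals = {n.lower(): v for n, v in values.items()}
        if IFEO in low:
            exe = low.rsplit('\\', 1)[1]
            if 'debugger' in vals and exe != XP_PLACEHOLDER:
                findings.append(('ifeo-debugger', exe, vals['debugger']))
        elif low.endswith(WINLOGON) and 'shell' in vals:
            # Clean state per post #21: no HKCU Shell value, HKLM Shell is Explorer.exe
            per_user = low.startswith('hkey_current_user')
            if per_user or str(vals['shell']).lower() != 'explorer.exe':
                findings.append(('winlogon-shell', path.split('\\')[0], vals['shell']))
        elif low.endswith(POLICY):
            for name in ('disabletaskmgr', 'disableregistrytools'):
                if vals.get(name):
                    findings.append(('policy', name, vals[name]))
    return findings

if __name__ == '__main__':
    print(*audit(parse_reg(SAMPLE_REG)), sep='\n')
```

A Debugger value can be legitimate on a developer machine, so each finding is a prompt to compare against a known-clean system, as post #20 does by hand.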
#22
May 12, 2011 at 21:34:32
Looks like a lot of registry editing, why not just try Trojan Remover and Hitman Pro?
Also, nothing was said about TDSS killer? These are all good utilities for removing problems like you have without messing with the registry. Just a thought


#23
May 13, 2011 at 06:12:55
I did Unhide again and rebooted then the Registry one but there is no change at all


#24
May 13, 2011 at 06:25:48
Are the .sqm files gone?

Is the situation now, that there are only a few files in your C: drive? Is this correct?

If not, please refresh my mind.

Thanks



#25
May 13, 2011 at 09:15:03
Sqm files are gone
Yes - there are only a few files on my c drive.
When we log on, everything is in the Control Panel but I can't access most of them - very little shows under My Computer on the C drive and half of it is blue, half black - I am sure that was not the case before. Also when you look at My Computer, A Drive, D drive, E, Documents are all black but C Drive is blue.

Thanks again for all your help.



#26
May 13, 2011 at 11:20:42
Check to see if the viewing of Hidden Files and Folders is enabled:
At your Desktop, go to Start > My Computer
Select the Tools menu and then Folder Options

After the new window appears select the View tab
In the list of options, select: Display the contents of system folders
Under the Hidden files and folders section select: Show hidden files and folders
Remove the checkmark from: Hide file extensions for known file types
Remove the checkmark from: Hide protected operating system files (Recommended)
Press the Apply button
Click OK

Can you see the files/folders in C:? Is their color normal?

When you initially used Malwarebytes, you mentioned it removed some files, etc. maybe in another User. Do you still have MBAM so that you can obtain its log and post it here? The logs are automatically saved and can be viewed by clicking the Logs tab.

Also, can you run Malwarebytes on your User account (I am presuming your account has Computer Administrator rights. You can check by going to Control Panel, double-click User Accounts, and it should show the accounts on the computer.):

Before running MBAM, download iExplore.exe or eXplorer.exe, which are renamed copies of rKill:
http://www.bleepingcomputer.com/dow...

Save the file to the Desktop, and double-click on it.

Ignore any messages, and allow the file to run until the command window closes.

Without a reboot, download Malwarebytes’ Anti-Malware (black button with green and white icon) Save to the Desktop:
http://download.cnet.com/Malwarebyt...

Double-click mbam-setup.exe and follow the prompts to install the program.


Run Malwarebytes’ Anti-Malware and update the program.
Once updated, select Perform Full Scan and click the scan button.

When the scan finishes, click OK in the message box, and you will see the results of the scan.

Click the Remove Selected button to get rid of the malware.

When Malwarebytes finishes, you may be prompted to reboot. If so, reboot.


Please post the Malwarebytes log in your reply.



#27
May 14, 2011 at 07:24:09
I downloaded and ran Rkill and got the following message: The system cannot find the path specified.

Then I downloaded MBAM again and for some reason right after the update finished my system rebooted. I ran rkill again and updated mbam and ran a full scan but it is saying nothing found. However, I did not realize it kept track of the logs and there is one in the folder from March 23 which is the first time I got this virus. I thought it had been completely removed - not sure. This is the log from then (March 23)

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6146

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/23/2011 8:44:20 PM
mbam-log-2011-03-23 (20-44-20).txt

Scan type: Quick scan
Objects scanned: 185405
Time elapsed: 17 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 7
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A84E835E-1B9C-4FC0-980F-4B2DA3C6A2A7} (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{35B7E48B-9D81-4C6C-9578-5FD4F620D886} (Spyware.MarketScore) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2E4A92AB-F2C0-456A-9935-B715439790D7} (Spyware.MarketScore) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen) -> Value: Shell -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger (Security.Hijack) -> Value: Debugger -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\all users\application data\starware337 (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\starware337\simpleupdate (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\david & cindy\application data\errorsmart\Log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
c:\documents and settings\david & cindy\application data\errorsmart (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
c:\documents and settings\david & cindy\application data\errorsmart\registry backups (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
c:\documents and settings\david & cindy\start menu\Programs\freehdplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\program files\freehdplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\all users\application data\starware337\simpleupdate\timermanagerconfig.xml (Adware.Starware) -> Quarantined and deleted successfully.
c:\documents and settings\david & cindy\application data\errorsmart\registry backups\2008-09-09_15-03-20.reg (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
c:\documents and settings\david & cindy\application data\errorsmart\Log\2008 sep 12 - 09_09_19 pm_187.log (Rogue.ErrorSmart) -> Quarantined and deleted successfully.
c:\program files\freehdplay\uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\documents and settings\david & cindy\start menu\Programs\freehdplay\uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.


I am going to go to the other Administrator account and see if the log there from the other day is any different and, if so will post it. Other than that nothing has changed. My C: has very few of the programs and in My Computer it is blue while all the rest are black. Thanks.



#28
May 14, 2011 at 07:37:39
This is the log from Malwarebytes when I ran it under the other administrator May 10th at shortly after 5 pm; I ran another shortly after 6 and it also had issues so I will post it following this one:

5pm May 10, 2011

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6548

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/10/2011 5:54:14 PM
mbam-log-2011-05-10 (17-54-14).txt

Scan type: Quick scan
Objects scanned: 42924
Time elapsed: 7 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1962c5bc-e475-465b-823b-133e711bceb9} (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\19193636.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\xoenotqskssth.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\david & cindy\local settings\Temp\ms0cfg32.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.


6pm May 10, 2011:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6548

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/10/2011 6:57:33 PM
mbam-log-2011-05-10 (18-57-33).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 241371
Time elapsed: 53 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Starware343 (Adware.Starware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyToolBar (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\{A0EF888D-0AF0-1033-0907-041025200001} (Trojan.Agent) -> Value: {A0EF888D-0AF0-1033-0907-041025200001} -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\{A0EF888D-0AEF-1033-0907-041025200001} (Trojan.Agent) -> Value: {A0EF888D-0AEF-1033-0907-041025200001} -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\david & cindy\start menu\Programs\windows recovery (Trojan.FakeAV) -> Quarantined and deleted successfully.

Files Infected:
c:\mytaxexpress\2008\bin\helpdesk2008.exe (PUP.Radmin) -> Not selected for removal.
c:\system volume information\_restore{abf1ee36-d9d5-4be8-a617-fb925754295a}\RP1637\A0156693.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{abf1ee36-d9d5-4be8-a617-fb925754295a}\RP1637\A0156694.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{abf1ee36-d9d5-4be8-a617-fb925754295a}\RP1694\A0160406.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{abf1ee36-d9d5-4be8-a617-fb925754295a}\RP1694\A0160407.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\david & cindy\desktop\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\david & cindy\start menu\Programs\windows recovery\uninstall windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\documents and settings\david & cindy\start menu\Programs\windows recovery\windows recovery.lnk (Trojan.FakeAV) -> Quarantined and deleted successfully.


Thanks again



#29
May 14, 2011 at 08:24:32
Fake antivirus is something like adware (trojan), which is always renewed by the maker. It's because all antivirus software can ONLY detect the malware (adware/trojan) IF they have added the malware ID (could be CRC or MD5, etc.) to their signature database. Advanced heuristics or depth scan do not always solve this problem.
So, if I get trouble like this, I always use Hiren's BootCD (version 10.0.0 is my favourite one) to delete it and remove it from the startup menu. I use AUTORUNS.EXE (included on the CD) to detect it, and it ALWAYS succeeds.
Sometimes I use Mini XP to run checkdisk or FORCE delete a file.
I downloaded Hiren's BootCD from http://go-thip.com/2011/04/29/eset-...
But this is different from a "real virus", because a real virus ALWAYS infects/injects/embeds into a target file (*.exe or *.html etc.), and it can only be cleaned with an antivirus with DISINFECTION ability (not by deleting the file).


#30
May 14, 2011 at 09:26:07
cdruet,

It looks as if MBAM took out some entries, and we took action to replace some Registry values, etc.

However, I am at a loss for ideas when it comes to those black and blue folders. You just can’t keep beating them up!!! :-) (Just some humor.)

Some in-depth diagnostic programs need to be run, but their report volume may exceed the capacity of what we can post here.

Please check your personal messages one more time...



#31
May 14, 2011 at 09:58:02
Go back to response #22 and run those free utilities. You will be surprised what they will find...like I said earlier, the registry is nowhere to be fooling with at the best of times.
I have been repairing PCs for 10 yrs now and a fake AV is not hard to remove, providing you use the right tools.
