Antivirus Plus



#1
goodhikers

    New Member

  • Members
  • 15 posts
[Note: I apologize if another post I sent today about this topic should materialize...I sent it right before I left for work early this morning, but in my search for it on the forum this afternoon, I don't see it.]

My problem is with malware which identifies itself as Antivirus Plus. My wife mistakenly clicked on a button warning of infection, which subsequently loaded the program onto our computer. She thought it was a warning from McAfee, which was our antivirus protection program (was...it did nothing to protect our computer from this threat).

This malware appears to behave in similar fashion to Antivirus XP, Antivirus 2008, Antivirus 2009, etc. That is, numerous pop-up warning screens that are very similar in look and feel to those other malware screens. It has also blocked both Internet Explorer and Firefox from accessing searches which contain "Hijackthis!", nor will it allow hijackthis to run (usual behavior noted here -- quick ht! screen flash, but not enough time to access the site). It also disabled my Windows Explorer search capabilities.

What I've done so far:
- Loaded Malwarebytes' Anti-Malware software, which found several pieces of malware: Trojan.BHO, Adware.MyWebSearch, Trojan.FakeAlert, Rogue.AntivirusPlus, Trojan.Agent (have the full logs).
- Replaced infected rundll.exe with rundll.exe from i386 folder.
- Subsequently loaded Spyware Doctor 6.0 (have full logs)
- Subsequently loaded Norton 360 (note: would not load prior to Malwarebytes' fix). Not a great fan of Norton, but have lots of backup files which use Norton format.
- Restored WinExplorer search functions using instructions from MS

Current problems:
- Still cannot search in either IE or Firefox anything with the words "hijackthis"...both programs close down immediately
- Still cannot launch hijackthis!


Bottom line: some elements of the infection are still there, even though Malwarebytes' Anti-Malware reports a clean system (as does Spyware Doctor).

What's the next step to completely rid my system of all remnants of this malware?

Thanks,
Ed G
goodhikers

#2
nosirrah

    Forum Deity

  • Administrators
  • 5,158 posts
  • Location:Northampton, MA USA
Please rename HJT and run it again, this should work.

If not it is likely that you have the new notify loaded security app blocker, there are ways to capture that as well.
Bruce Harrison
Vice President of Research


#3
goodhikers


nosirrah, on Dec 1 2008, 05:45 PM, said:

Please rename HJT and run it again, this should work.

If not it is likely that you have the new notify loaded security app blocker, there are ways to capture that as well.

Thanks much!

I just got an email about my morning post...which was already reviewed by your colleagues. Don't know why I could not find it earlier.

Anyway, that post is entitled: Antivirus Plus Infection - cannot completely clean, Used Malwarebytes anti-malware but still have symptoms. Since they've already added several other comments and I don't want to monopolize your resources--I imagine we should consolidate into that string and close this one.

By the way, renaming HJT didn't work. Your colleagues requested a runscanner log, which I have just posted there.

Once again, thanks for your help. Sorry I split my single problem into two posts--unintentional.

--Ed G

#4
nosirrah

If it is the notify loaded security block then RunScanner will indeed work, it was one of only a very few that did last night when I hit it for the first time.

Make sure that you get the dll that is causing this to us.

#5
Jaxryley

    Forum Deity

  • Malware Hunters
  • 6,718 posts
  • Gender:Male
  • Location:West Aussie
  • Interests:Gardening and computers.
A tip that may work for HJT if it won't run.

If you are able to open a cmd window then drag and drop Hijackthis.exe into it and hit enter.

This way it may run as a .com instead of an .exe and generate a log that way?

#6
goodhikers


nosirrah, on Dec 1 2008, 06:29 PM, said:

If it is the notify loaded security block then RunScanner will indeed work, it was one of only a very few that did last night when I hit it for the first time.

Make sure that you get the dll that is causing this to us.

Will do.

Note: I have posted my runscanner log to my original post and its subsequent replies in the "General Malwarebytes' Anti-Malware Forum" (again, sorry that I posted the same problem twice--my computer problems are causing me to use three separate computers and I lost track).

Should I repost it here as well?

Thanks,
Ed

#7
nosirrah


Jaxryley, on Dec 1 2008, 06:45 PM, said:

A tip that may work for HJT if it won't run.

If you are able to open a cmd window then drag and drop Hijackthis.exe into it and hit enter.

This way it may run as a .com instead of an .exe and generate a log that way?


Nope, it's blocked by window title in this case, hexing the exe is the only way to bypass.

#8
nosirrah


goodhikers, on Dec 1 2008, 06:50 PM, said:

Will do.

Note: I have posted my runscanner log to my original post and its subsequent replies in the "General Malwarebytes' Anti-Malware Forum" (again, sorry that I posted the same problem twice--my computer problems are causing me to use three separate computers and I lost track).

Should I repost it here as well?

Thanks,
Ed


Nope, what you have done should be fine.