HELP! Windows says I'm infected, Avast says I'm clean

[tmcevil]

Two days ago, out of the blue, my desktop system started displaying all kinds of security alerts from the Windows Antivirus Center:
- It's not displaying now, but there was a list of (I think) a couple hundred or more "infected" files.
- A Firewall Alert that said "your computer is being attacked from a remote machine", and it gives an Attacker IP address and an Attack Type of "RCPT exploit".
- Something called "Windows Defender" said that it has detected spyware.  Also saw a msg. that an IE Monster process is found, and that it would send passwords from IE to other websites!
- Periodically, it opens an Antivirus Center Firewall Alert window, which says that "it has prevented a program from accessing the Internet", "iexplore.exe is infected with a Trojan worm which has tried to use it to connect to a remote host and send your credit card information".  Then, it asks if "I want to activate the Antivirus Center and remove all the threats" (for a mere $79.95!), or to "continue unprotected".  This window can not even be closed - I either have to select one of the 2 mentioned options, or shut down my computer to make it go away!
   After seeing the list of "infected" files, I opened my Avast free antivirus software and ran a "full scan".  It ran for over 50 minutes, tested 68.7 GB (over 235K files), and reported "No threat found"!  I have Avast antivirus, program version 5.0.677, virus definitions version 110505-1.
   Does anyone know why I might be getting this conflicting info. from Windows vs. Avast, and how I resolve it?  One of the stranger things is that I have "Windows Security Center" turned "OFF", so where does Microsoft get the nerve to be scanning my files without my permission?

Tim McEvilly

[Pondus]

you are infected with a Fake security program

Read all before you start...

Remove Antivirus Center (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-center

I have Avast antivirus, program version 5.0.677

Latest version is 6.0.1091

[pcclean3453]

Try a boot-time scan and see what the log says. Search the internet for rogue AVs and search your computer for them in Windows Explorer. Post back and attach the avast! log with it. (Additional Options-Attach-Browse).




                                        Good Luck!





                       

[SofiaBrown]

run avast's virus cleaner application hope this helps you.

[SafeSurf]

Only the reply in Post #1 will work for Fake security program.

[iknoebl]

I'm having the same problem with a fake XP anti-virus. This is the second time in three days. I'll follow the advice in the first post and see what happens.

Any other suggestions?

Thanks

[essexboy]

Hi, you probably have some elements left that are respawning 

Download RogueKiller to your desktop
 

• Quit all running programs
• For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
• When prompted, type 1 and validate
• The RKreport.txt shall be generated next to the executable.
• If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe 

Please post the contents of the RKreport.txt in your next Reply.

THEN

Download aswMBR.exe ( 511KB ) to your desktop.
 
Double click the aswMBR.exe to run it
 
Click the "Scan" button to start scan

 
On completion of the scan click save log, save it to your desktop and post in your next reply


AND FINALLY

Download OTS to your Desktop and double-click on it to run it

• Make sure you close all other programs and don't use the PC while the scan runs.
  
• Select All Users
  
• Under additional scans select the following

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

• Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  
• When the scan is complete Notepad will open with the report file loaded in it.
• Please attach the log in your next post.

[iknoebl]

I followed the instructions on the site that Pondus posted in the first response post and it worked! Thanks. I used a second computer to open the instruction file and open the links and then typed in the addresses on the infected computer. So far, so good.

[linux731]

Two days ago, out of the blue, my desktop system started displaying all kinds of security alerts from the Windows Antivirus Center:
- It's not displaying now, but there was a list of (I think) a couple hundred or more "infected" files.
- A Firewall Alert that said "your computer is being attacked from a remote machine", and it gives an Attacker IP address and an Attack Type of "RCPT exploit".
- Something called "Windows Defender" said that it has detected spyware.  Also saw a msg. that an IE Monster process is found, and that it would send passwords from IE to other websites!
- Periodically, it opens an Antivirus Center Firewall Alert window, which says that "it has prevented a program from accessing the Internet", "iexplore.exe is infected with a Trojan worm which has tried to use it to connect to a remote host and send your credit card information".  Then, it asks if "I want to activate the Antivirus Center and remove all the threats" (for a mere $79.95!), or to "continue unprotected".  This window can not even be closed - I either have to select one of the 2 mentioned options, or shut down my computer to make it go away!
   After seeing the list of "infected" files, I opened my Avast free antivirus software and ran a "full scan".  It ran for over 50 minutes, tested 68.7 GB (over 235K files), and reported "No threat found"!  I have Avast antivirus, program version 5.0.677, virus definitions version 110505-1.
   Does anyone know why I might be getting this conflicting info. from Windows vs. Avast, and how I resolve it?  One of the stranger things is that I have "Windows Security Center" turned "OFF", so where does Microsoft get the nerve to be scanning my files without my permission?

Tim McEvilly

It is a virus. Follow the instructions above.

[SafeSurf]

Essexboy is a Certified Malware Removal Expert.  Please follow his instructions and he will guide you through the malware removal process.  Thank you.