Avast WEBforum

Other => Viruses and worms => Topic started by: blankenstein on April 27, 2010, 02:46:50 AM

Title: ICPP trojan
Post by: blankenstein on April 27, 2010, 02:46:50 AM
let me preface this by saying that i am to computers what Corky from Life Goes On is to Mensa. so please bear with me as i have a very limited knowledge of computers. my machine is running windows xp.

so i have had the awesome luck of contracting the icpp-online trojan scam. from what i've seen so far, people aren't having a terribly hard time getting rid of it, but my experience with it so far is a little different from everyone else's. i managed to get it last night while i was stumbling around the internet. i clicked on a link to open up a video and suddenly firefox crashed and asks if i want to send an error report, which i subsequently refuse. just after that, a fake anti-virus program pops multiple windows and tells me i'm infected. two icons appeared on the desktop that i know i didn't put there. closing out the fake program was useless as more windows popped up, so i attempted to restart the machine. after rebooting and logging in, just after the blue "Welcome" screen, the icpp warning pops up. behind this dialogue window the screen is black. i can't see my desktop. trying to close the fake warning is met with another pop up that tells me to choose one of the options on the previous window. opening the task manager to close it THAT way doesn't work either, as the trojan has apparently hijacked and changed my administration details and took the option to open task manager away.

so, i'm at a standstill. i can't go in and use my anti virus software since i can't even access my desktop, which obviously means i can't download another one either. a friend of mine suggested downloading an AVG program that is bootable from a USB drive. i tried that and apparently the virus is too new and wasn't detected. does anyone have any suggestions as to how to get rid of this thing? i've exhausted all the options i can think of (which, granted, isn't much) and i'd like to not have to format and reinstall everything if i don't have to. if anyone can help me out here, i would be eternally grateful. thanks in advance.
Title: Re: ICPP trojan
Post by: g1184 on April 27, 2010, 06:17:27 AM
I have the same problem, and got it the same way.
here's some additional stuff:
going into regular safe-mode doesn't help, it's there too.
going into safe mode with prompt works - I get command prompt, so that's good. you can run programs from a jump drive that way.
I've run malwarebytes and ad-aware to no avail.

currently going to try this: http://www.p2pfreak.com/forum/bar/4011-iccp-foundation-mal-ware-removal.html
Title: Re: ICPP trojan
Post by: blankenstein on April 27, 2010, 08:17:45 AM
let me know how that works for you... i've been driving myself friggin crazy trying to find a solution to this. not sure if that method will work for me, since i can't access task manager. =\
Title: Re: ICPP trojan
Post by: mkis on April 27, 2010, 08:52:02 AM
You haven't provided much information that will help us identify what kind of Fake AV.
If it is a virus not on record, reports should be coming soon.

what is this message exactly (if you can) -  'the icpp warning pops up'

we have this outline - icpp malware removal
http://www.p2pfreak.com/forum/bar/4011-iccp-foundation-mal-ware-removal.html

and this report - http://www.threatexpert.com/report.aspx?md5=d4b12487470460653459a54769e974e2

can you go into Start -> regedit - the registry editor opens, so be very careful and follow directions -
- go to Edit in the toolbar menu across the top of the page, click and select Find from the dropdown menu
- type in 'iqmanager' without the quotations and press Find next - see what comes up from the search
- press F3 every time you want to Find the next instance of iqmanager

refer to above link to see how yr system compares
http://www.threatexpert.com/report.aspx?md5=d4b12487470460653459a54769e974e2

Don't change anything in registry, instead reply post here so we know what we are dealing with
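Added example, not part of the original thread: a read-only way to run the 'iqmanager' search described in the post above, over a registry export (regedit File -> Export) instead of the live registry, so nothing in the registry can be changed by accident. The sample export, its key paths and the function names are constructed for illustration; the search also decodes string values that regedit exports as hex(2)/hex(7) bytes, which a plain text search of the export file would miss.

```python
import re

# Constructed sample in regedit's export format; every key path and value is
# made up for illustration. A real export is UTF-16: open(path, encoding="utf-16")
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\IQManager]
"InstallDir"="C:\\Example\\app"

[HKEY_CURRENT_USER\Software\ExampleVendor\Startup]
"updater"="C:\\Example\\iqmanager.exe"
"helper"=hex(2):69,00,71,00,6d,00,61,00,6e,00,\
  61,00,67,00,65,00,72,00,00,00
'''

VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

def decode_data(raw):
    """Turn exported value data into text that can be searched."""
    m = re.match(r'hex\((?:1|2|7)\):(.*)$', raw)
    if m:  # string types exported as UTF-16LE bytes (e.g. REG_EXPAND_SZ)
        data = bytes(int(b, 16) for b in m.group(1).split(',') if b.strip())
        return data.decode('utf-16-le', 'replace').replace('\x00', ' ').strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':  # REG_SZ with escapes
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw  # dword: and binary hex: are left as written

def find_in_export(text, term):
    """List (key, value name, data, where) hits; where is key, name or data.
    Case-insensitive like regedit's Find, and it never writes anything."""
    term = term.lower()
    text = re.sub(r'\\\r?\n[ \t]*', '', text)  # join hex continuation lines
    hits, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            if term in key.lower():
                hits.append((key, None, None, 'key'))
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
        data = decode_data(m.group(2))
        for where, field in (('name', name), ('data', data)):
            if term in field.lower():
                hits.append((key, name, data, where))
    return hits
```

Calling find_in_export(SAMPLE_EXPORT, 'iqmanager') returns a list that can be pasted into a reply post as it is.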
Title: Re: ICPP trojan
Post by: Pondus on April 27, 2010, 10:09:29 AM
Here is a new tool you can try. Can be run from USB. Instructions on website

VIPRE Rescue Program
http://live.sunbeltsoftware.com/


There is also
SUPERAntiSpyware Portable Scanner http://www.superantispyware.com/portablescanner.html

Dr.Web® LiveCD http://www.freedrweb.com/livecd/
How does it work? http://www.freedrweb.com/livecd/how_it_works/

Title: Re: ICPP trojan
Post by: mkis on April 27, 2010, 10:18:54 AM
Thanks Pondus.
Okay Blankenstein, you don't have to go to Registry if you don't want ( - is dangerous in there)

Here's a bit more on this nasty

http://www.f-secure.com/weblog/archives/00001931.html
Title: Re: ICPP trojan
Post by: blankenstein on April 27, 2010, 06:50:45 PM
thanks for the advice. sorry i wasn't more clear on what i was dealing with. like i said in my first post, i'm not much of a tech person and trying to get rid of this thing on my own has been hell. i'm hoping i can do it so i don't have to call up one of my computer savvy friends and bug him to deal with it for me, so thanks for the help! i'll try these methods out today and see if they work. i'll let you guys know. thanks again!

Title: Re: ICPP trojan
Post by: polonus on April 27, 2010, 09:29:02 PM
Hallo blankenstein,

You can also set to a previous System Restore point, if you know exactly when this rogue program infection occurred.
How to: http://support.microsoft.com/kb/306084

groetjes,

polonus
Title: Re: ICPP trojan
Post by: blankenstein on April 27, 2010, 11:47:29 PM
unfortunately, i was a doofus and never made a restore point in the first place. i tried restarting from a restore point, hoping that i had forgotten that i made one, but nope.
Title: Re: ICPP trojan
Post by: blankenstein on April 28, 2010, 01:53:07 AM
well... good news is that the viprerescue program managed to quarantine the trojan and i was able to get rid of the infection with malwarebytes, but the bad news is literally every single program won't work. if i try to run any program at all, the "Open with" window comes up. closing that window prompts me to either "run" or "save" whatever program i attempted to open. neither running nor saving the program works. so now i've got my computer back, but it's just as useless as if i had just left it infected...

i really, really hate computers right now. *sigh*
Title: Re: ICPP trojan
Post by: mkis on April 28, 2010, 02:29:17 AM
oh let's not panic here

1. Can you open the computer in Safe Mode?
When you turn computer on, start tapping F8 key until screen opens up with options, one of which is Safe Mode.
Let us know if you can open Safe Mode - be patient, takes a while, a few steps, for it to open up

2. Do you have yr Windows installation CD that you got with the computer?

And some more info please - system specifications - like I have below in my system profile
Title: Re: ICPP trojan
Post by: mkis on April 28, 2010, 02:54:34 AM
Also
3. can you go to Control Panel and open up Add/Remove Programs (XP) or Uninstall program (Vista / Win7)
Do you have IQ Manager or something like that in there

4. What about Task Manager - still won't open?

What has most likely happened here is that complete removal had not been done prior to yr reboot.
When you rebooted, the virus - let us say IQ manager - most likely re-formed itself with the start process.
Title: Re: ICPP trojan
Post by: g1184 on April 28, 2010, 04:40:48 AM
Quote from: blankenstein on April 28, 2010, 01:53:07 AM
> well... good news is that the viprerescue program managed to quarantine the trojan and i was able to get rid of the infection with malwarebytes, but the bad news is literally every single program won't work. if i try to run any program at all, the "Open with" window comes up.

it's a little funny how we're almost on the same timeline. I just got to this part. One thing that's working for me when trying to run a program is choosing the same program from the 'open with' menu.

so if i'm trying to run avast and the 'open with' window comes up, i choose avast again from 'other programs' and it'll come up. I'm currently updating my virus definition database with avast and I'll run a scan - i'll let you know what happens.

other news:
after the ICPP copyright portion, there's a 'antimalware doctor' portion. I haven't been able to defeat this guy yet.
Title: Re: ICPP trojan
Post by: mkis on April 28, 2010, 05:06:16 AM
hi g1184

do you still have an IQ manager in your Add/Remove Programs in Control Panel or in Processes in Task Manager?

there are chances you can break the back of this Fake AV if you can uninstall or at least stop the nasty from running while you rid yr system of it. Services is another place to look. Start -> right-click (My) Computer-> choose Manage-> click through Services and Applications to get Services window to open, and check for IQ Manager.
Title: Re: ICPP trojan
Post by: Jtaylor83 on April 28, 2010, 05:21:18 AM
Try Hitman Pro - Second Opinion Malware Scanner (http://www.surfright.nl/en/hitmanpro).

How To Start Hitman Pro in Force Breach Mode (http://hitmanpro.wordpress.com/2010/03/16/hitman-pro-in-force-breach-mode/).
Title: Re: ICPP trojan
Post by: g1184 on April 28, 2010, 07:17:18 AM
Quote from: mkis on April 28, 2010, 05:06:16 AM
> hi g1184
>
> do you still have an IQ manager in your Add/Remove Programs in Control Panel or in Processes in Task Manager?
>
> there are chances you can break the back of this Fake AV if you can uninstall or at least stop the nasty from running while you rid yr system of it. Services is another place to look. Start -> right-click (My) Computer-> choose Manage-> click through Services and Applications to get Services window to open, and check for IQ Manager.

the updated avast virus database got antimalware doctor to stop loading on startup, so that's one step forward. Both Antimalware Doctor and Digital Protection are still "installed" on my computer, though they're not running anymore. I now have rundll32 problems when i try to open add/remove programs though.

The services idea is good, i'll check there too. thanks!
Title: Re: ICPP trojan
Post by: g1184 on April 28, 2010, 08:04:21 AM
after an updated Malwarebytes scan, i'm almost 100% in the clear.  :D
Title: Re: ICPP trojan
Post by: mkis on April 28, 2010, 08:22:53 AM
Sounds good. I think the antivirus people will soon be well onto the makeup of this Fake AV.