Author Topic: MicroAv.exe  (Read 22803 times)


torchta

  • Guest
MicroAv.exe
« on: September 10, 2008, 07:53:56 PM »
MicroAv.exe does not show up as a virus and it is. It takes total control of the PC until you decide to purchase it (Micro Antivirus 2009). How do I send the file so it can get added? It came from a webpage and installed on a user's PC without admin privileges.

sanctuaryforever

  • Guest
Re: MicroAv.exe
« Reply #1 on: September 10, 2008, 08:23:32 PM »
Send it to the following e-mail address with a description of what you believe it to be:

virus@avast.com

It may be safer to place it in a compressed folder with a password; include the password in the e-mail itself.

PS: if you can manually add it to the virus chest, you can submit it from there.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: MicroAv.exe
« Reply #2 on: September 10, 2008, 09:31:19 PM »
Sounds like a different name for a familiar problem: fake alerts/fraudulent AV, antivirus 2009, etc.

Download and run these, report the findings:
MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later.

Also try this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php, perhaps worth running this one first.

Also if you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
SUPERantispyware On-Demand only in free version.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

kazzl

  • Guest
Re: MicroAv.exe
« Reply #3 on: September 17, 2008, 09:18:56 PM »
I am having a similar problem. This is a nasty one. I contracted schmitfraud (sp?) almost a year ago, and cleaned that with no problem. This one is much more intelligent. It's also mean! It puts a bunch of porn icons on the desktop, and it changes as you try to fix the problem. It starts out with the original schmitfraud red screen, then goes to porn icons, then to just the bogus app icons.

I can get to certain websites on that computer, but not to this forum, nor other sites with malware removal software. It won't allow me to see my flash drive, even if I type in the drive letter manually where I have removal software. It hides my c:\ drive, but I can get to it manually. I found a file *setup*.exe that I was able to erase. It is obvious that it's a malware file, but I neglected to write the whole name down. I can't get anything to it to fix it other than doing this. I know that microav.exe is on my computer because it tries to keep from shutting down when I kill the computer, but I can't find it anywhere manually or by searching. If I try to use regedit or regedt32, I get this "Registry editing has been disabled by your administrator."  aarggh!

I'm in safe mode with networking. This is the only way I can do anything on that computer. From there I replaced my root files with my latest backup files, and also deleted a file named empa.exe that was created today after that, then I rebooted immediately (hard reboot).

I think I got this because I was trying to download a torrent file for Roxio. I'd already paid for Nero 8, which wouldn't install. I only want to get my pic files off of that computer, so I thought I'd just burn a cd and then wipe the whole drive because I was already in the process of backing up my other files. Gosh, I thought I was saving time...

I haven't seen one this nasty in years. It's a good thing I'll never know this jerk, because he/she/it would be punched and bleeding now if I did.  ::)  ;D

Can someone help? I can do all the hijack this and other stuff if you can tell me how to get there from here...
« Last Edit: September 17, 2008, 09:44:19 PM by kazzl »

Offline DavidR

Re: MicroAv.exe
« Reply #4 on: September 17, 2008, 09:25:43 PM »
Check out your HOSTS file; that is commonly used to stop you getting to help, e.g. anti-virus sites or forums.

HOSTS file redirect - 127.0.0.1: check your HOSTS file using Notepad or a text editor of your choice, C:\WINDOWS\system32\drivers\etc\hosts, or do a search for HOSTS to find it if not there. http://en.wikipedia.org/wiki/Hosts_file

Then hopefully you should be able to get a) this forum and b) download the above programs.

You could also try connecting to http://75.125.29.226/index.php, that is this forum but using the IP address and not avast.com, which would be being redirected to your local computer (and obviously not able to display anything).
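
The HOSTS file check described in the reply above, as an added example (not part of the thread and not an Avast tool). The watch list is an assumption built from the domains named in this thread, and the sample file contents are constructed.

```python
import ipaddress

# Assumption: watch list built from the domains named in this thread.
WATCHED = ("avast.com", "malwarebytes.org", "bleepingcomputer.com", "opendns.com")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample, not taken from any poster's machine.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
127.0.0.1    www.avast.com avast.com
192.0.2.10   forum.avast.com   # documentation-range address
10.0.0.5     fileserver
::1          localhost
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so not a usable mapping
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text):
    """Return (line_no, ip, hostname, reason) for each entry worth a look."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES and ip.is_loopback:
            continue  # the stock localhost entries
        watched = any(name == d or name.endswith("." + d) for d in WATCHED)
        if watched and (ip.is_loopback or ip.is_unspecified):
            reason = "security site pointed at the local machine"
        elif watched:
            reason = "security site redirected elsewhere"
        else:
            reason = "non-default entry, confirm it is expected"
        findings.append((line_no, str(ip), name, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s %s (%s)" % finding)
```

To audit a real machine, pass the text of C:\WINDOWS\system32\drivers\etc\hosts to audit_hosts() instead of the sample.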

kazzl

  • Guest
Re: MicroAv.exe
« Reply #5 on: September 17, 2008, 09:34:44 PM »
Ok, that helped a bit. Thanks! Gosh, going to the hosts file takes me back a few years. I can get to the forum now, and all the way to the download link for the cleaner, but then I get a "failed to connect" message. I checked the hosts file again, and it seemed fine. Just in case I cleared a page return out of it, but still get the same result.

Btw, I was only able to get there in the first place with the IP. If I search Google and try any other way or location, I get redirected to a variety of differently named sites for bogus AV software, such as "cyber defender" and other pay-per-click links.

Checked root again and deleted a file that's just named "x" that was created today, and rebooted again.

You are sooo nice to help me. Thanks so much.
« Last Edit: September 17, 2008, 09:54:36 PM by kazzl »

Offline DavidR

Re: MicroAv.exe
« Reply #6 on: September 17, 2008, 10:24:58 PM »
Does your firewall have a DNS cache?
You could also be being hit by a DNS infector; try setting your internet connection (set in IE) to the OpenDNS servers, http://www.opendns.com or by IP http://208.67.219.101

Try http://209.62.68.168/superantispywarefreevspro.html for the free version of superantispyware.

kazzl

  • Guest
Re: MicroAv.exe
« Reply #7 on: September 18, 2008, 05:45:35 AM »
 ???  :-\

Well, no luck so far...the opendns site is down today I think, so I can't get anything downloaded to help me out.

Here is what I can do manually, and I've made a teeny bit of progress in at least I'm getting to know how weird and evil these people are to try to get $20 bucks out of a person. Geez, I've paid for av software already! I'd gladly pay this and be done with this, but I can't even get the system to that point. I have 10 years of photos on that drive that I've been reorganizing and cleaning up. They are the only thing I have left on there, and of course they are the most important, so I was backing up the rest of the system without as much concern. Dang, I get down to the most important (to me) part and they slaughter me.  :-X

This is just what I've learned today from you, and mostly trial and error. Thanks again. Hope it will help someone else avoid the hassle I've gone through.

1) Run Windows XP in Safe Mode with cmd line

2) Nav to documents and settings\userdir\local settings\temp
    a. Delete everything here. Use params if necessary to kill subdirs.
    b. Nav to your documents and settings\userdir\desktop. Delete any files that match *.url or *.lnk. The names will be obvious.

3) May not be necessary here, but the wscui.cpl file was killing me on mine, so I marked it as suspect:
    a. Go to c:\windows\system32 and rename suspect .cpl files to something like wscui.cpl.suspect (or hacked or something)
    b. Check the hosts file for any hacking. Mine should've been blank, but had a 192 address hacked in there.
        c:\windows\system32\drivers\etc is where mine is.

4) If you have a temp folder in your root drive, delete everything in it, again using params and/or rd to kill all subdirs.

5) Mine was infected with several diff binaries in the root. I deleted autorun.exe and a companion autorun.inf, a bogus one that even had a dog on the icon and I think he was peeing, and a few others.

6) Remove any dirs and/or files in your Program Files dir named MicroAV, microantivirus, or something similar. (check the web to be sure you don't kill a good dir.)

7) Restart Windows in safe mode w/networking support

8) Fix browser default pages and set network connection to go through opendns (see David's thread above).

9) That's where I am for today... :o



Offline DavidR

Re: MicroAv.exe
« Reply #8 on: September 18, 2008, 03:08:43 PM »
I suspect the not getting to the opendns site may be related to your other problem; did you try the IP address link I gave for it?

There is nothing to download there, just that you change your DNS checks to their server and that should hopefully resolve DNS redirect.

I strongly doubt paying $20 would be the end of it as anyone that uses these tactics would be back for more or total control of your system.

Item 3. wscui.cpl is the Windows security user interface (control panel) file, and if it is the genuine file, renaming it may mean you get an error either on boot or if you try to access the Security Center from the Control Panel.

kazzl

  • Guest
Re: MicroAv.exe
« Reply #9 on: September 19, 2008, 01:32:27 AM »
On OpenDNS, I didn't try to download, I just changed the proxy settings. However, when I did this I was endlessly looping through a message from that site that they were upgrading, so I assumed it was down. I've changed wscui.cpl back to its regular name.

kazzl

  • Guest
Re: MicroAv.exe
« Reply #10 on: September 19, 2008, 04:18:49 AM »
Breakthrough I think! I toggled my flash drive around with my mouse a few times and my pc was able to detect it. Now I'm running SuperAntiSpyware Pro. Hope prevails!

It detected:
6 of Adware.Vunco/Variant-SixA,
2 of Trojan.Vundo-Variant/Small-GEN,
2 of Adware.Vundo Variant/Resident,
4 of Adware.Vundo Variant,
10 of Trojan.Vundo-Variant/NextGen,
17 of Traojan.Net-MSV/VPS-Variant,
34 of Adware.AdSponsor/ISM,
18 of Trojan.Unclassified/FQBEWLNA,
4 of Adware.Tracking Cookie,
15 of Trojan.Media-Codec,
3 of Trojan.DNSChanger-Codec,
13 of Desktop Hijacker.AboutYourPrivacy,
3 of Trojan.Net-MU/Gen,
1 of Rogue.AntiVirus 2008,
5 of Adware.Vundo Variant/Rel
2 of Adware.Vundo-Variant/J
2 of Trojan.Unknown Origina,
1 of Trojan.Vundo-Variant/Small
with
3  memory items
98 registry items
66 files
and a total of
168 threats detected.
This took 35 minutes.

On reboot, I got this error from Windows IE: cannot find file:///c:/windows/privacy_danger/index.htm.

My background was white. Back in business...
« Last Edit: September 19, 2008, 05:34:19 AM by kazzl »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: MicroAv.exe
« Reply #11 on: September 19, 2008, 04:10:43 PM »
You're damned infected... I suggest:

1. Clean your temporary files.
2. Use (if possible in Windows Me) SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
3. Test your machine with (if possible in Windows Me) anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
4. Make a HijackThis log to post here or, better, submit the RunScanner log to online analysis.
The best things in life are free.

scorenix

  • Guest
Re: MicroAv.exe
« Reply #12 on: September 20, 2008, 11:10:44 AM »
Jesus! I've been infected twice in three days. Each time I had to reinstall the system 'cause I've got an important exam only several days ahead, thus no time to struggle with this damn thing... I couldn't see my C and D hard drives (could get to them manually), only E left.
My anti-virus software is Kingsoft, but it could even start to scan the PC. My PC ran really really slow and something was trying to connect to the internet backstage again and again.
Anyway, it isn't that annoyed. I'll get to it after the exam...

Offline Lisandro

Re: MicroAv.exe
« Reply #13 on: September 20, 2008, 02:20:27 PM »
Quote from scorenix: "Jesus! I've been infected twice in three days. My anti-virus software is Kingsoft."
Why don't you uninstall it and install avast? ;)

elont

  • Guest
Re: MicroAv.exe
« Reply #14 on: September 22, 2008, 11:57:52 AM »
OK, I've got the same virus, and it's tough as hell. It's driving me nuts, especially because it's on my brother's PC and I (his older brother) have to fix it.

So I removed the Micro AV folder and everything in it, I ran CCleaner and cleaned the registry, and deleted the PChealth folder. I made sure in msconfig there are no YUR*.exe files started when I start up the PC. So now when I scan with SUPERantispyware or a program like that, it won't find any trace of Micro AV, but still... I get those pop-ups about my PC being infected, and these porn icons on my desktop. With Ctrl+Alt+Delete I can stop the pop-ups, but the porn icons stay. And if I can even start the PC, it will just freeze in about 3 minutes... most of the time it will freeze in the screen where you can choose the user. The only way to use it is safe mode.

I also have show hidden folders in folder options

(using vista)
 
please help.. because it's driving me nuts...