Vista Antivirus 2010 - Help to remove please

[micky77]

what is the likelihood of the trojan attaching itself to my memory sticks

Looking through the file this creates, I don't think it would. Hopefully Essexboys method will see you right.
I have just been reading about this malware on MBAM forum. Apparently renaming the set up file and the main exe file to com has had some success.Also as this is new MBAM would need to be recently updated.
http://forums.malwarebytes.org/index.php?s=61e6a3c671ab6b34e097b479f698224b&showtopic=38047&view=findpost&p=190712

[Pondus]

what is the likelihood of the trojan attaching itself to my memory sticks

Looking through the file this creates, I don't think it would. Hopefully Essexboys method will see you right.
I have just been reading about this malware on MBAM forum. Apparently renaming the set up file and the main exe file to com has had some success.Also as this is new MBAM would need to be recently updated.
http://forums.malwarebytes.org/index.php?s=61e6a3c671ab6b34e097b479f698224b&showtopic=38047&view=findpost&p=190712

Don`t know if this will have any effect on this bug, but there will be a new MBAM 1.45 release soon
http://forums.malwarebytes.org/index.php?showtopic=38860

[elton]

what is the likelihood of the trojan attaching itself to my memory sticks

Looking through the file this creates, I don't think it would. Hopefully Essexboys method will see you right.
I have just been reading about this malware on MBAM forum. Apparently renaming the set up file and the main exe file to com has had some success. Also as this is new MBAM would need to be recently updated.
http://forums.malwarebytes.org/index.php?s=61e6a3c671ab6b34e097b479f698224b&showtopic=38047&view=findpost&p=190712

Hi, just tried renaming as MBAM forum but no joy. Darn Trojan starts up each time. Tried renaming it because it was a quick go. Will try essexboys system later but need a new memory stick to transfer. Still have a reluctance to use those that I aleady have.

Thanks for your help.


The new version of MBAM looks good. Hope it's released sooner rather than later.

[essexboy]

Have you tried MBAM in safe mode ?

[elton]

I hadn't but will now.

Thanks

[elton]

Started in Safe Mode and the Trojan kicked in and wouldn't allow MBAM.

Used FixExe first and then allowed MBAM to install. It updated from version 3510 to 3702 and is currently scanning - this is as per the MBAM forum.

If this doesn't work, I have already prepared Erunt SysRestorepoint and OTL to a RW/CD [as per essexboy] and will try this.

Fingers crossed.



MBAM just finished 2 entries found

Rogue.multipleAV
ROGUE.Win7Antispyware2010

Both quarantined and deleted.

Lets see what heppens next.

[essexboy]

You might be able to run OTS in safe mode (in conjunction with fixexe) which will enable me to kill the services and winlogon keys.  I will add the destructions here

 To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS  to your Desktop

• Close ALL OTHER PROGRAMS.
  
• Double-click on OTS.exe to start the program.
  
• Check the box that says Scan All Users
  
• Under Additional Scans check the following:
• Reg - Shell Spawning
• File - Lop Check
• File - Purity Scan
• Evnt - EvtViewer (last 10)

• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles

• Now click the Run Scan button on the toolbar.
  
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
  
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  

Please attach the log in your next post.

[elton]

All done and file attached. Thanks essexboy.

[essexboy]

Looks like MBAM got it all - what problems are you having at the moment

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Registry - Safe List]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{b0cfdaad-a124-11de-a561-00188b5f233e} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b0cfdaad-a124-11de-a561-00188b5f233e}\shell\AutoRun\command ->
YY -> \{b0cfdaad-a124-11de-a561-00188b5f233e}\shell\AutoRun\command\\"" -> O:\RunMe.exe [O:\RunMe.exe]
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

[elton]

After running MBAM and posting the results from the OTS scan, I shut the PC down awaiting further info in this forum from the report log that I attached. So the PC has not been started since. Regrettably, I am currently in work and will be unable to start and try PC until later this evening.

I hope that MBAM got it all as you suggest and if so I am very grateful for your perseverance with me and for sharing your tools and knowledge. I will reply later with an update.

Thanks again essexboy if I wasn't in Carmarthenshire I'd be around to buy you a drink.

[computerfreaker]

Unfortunately on my one I can't even get her to run notepad, it is getting stopped in its tracks

I'm not completely familiar with this rogue AV, but if it's working from a blacklist-based list of programs to block you might find success with an alternative text editor, such as Notepad++ or PSPad.

[elton]

Came home early just to try my 'precious' and to my delight it appears all good and is working as I'd expect it. I only hope that it's not a false promise like I started with.

Ran OTS again as you requested and have attached the resultant file. I had to reboot to remove some files but when it restarted the results file was displayed.

Many thanks indeed essexboy [and others for offering me help at my desperate hour] I'll pour - and consume - a drink for each of you tonight and hope than no others get this nasty trojan.  

[essexboy]

Glad to be of help - if you run OTS and hit the clean up button it will remove itself

[elton]

That is so cool. Thanks again. 

[essexboy]

No problemo