
Antivirus Suite Removal


Originally posted on August 23 at 11:01 am. I posted in the general forum by mistake, and I'm putting it where it should be. I'm still dead in the water.

Any help is appreciated. Thanks in advance.

Hi Folks,

First and foremost, thank you for this forum. I'm accessing you from my wifi connected laptop. Without that, I'd be in worse shape than I currently am.

I've put about sixty hours into trying to remove the malware Antivirus Suite and apparently the Koobface virus. I did manage to run a boot of Windows Malware Removal tool that identified the Koobface virus. I got the virus somehow last week and I've been working the issue ever since. I have read through your forum and numerous postings on the net and tried the usual fixes to no avail. The infection is on the home desktop, which is shared by family. My children both have Facebook accounts, although in fairness, I'm not sure if that was the infection portal.

Nevertheless, I started getting the AV Suite pop ups. I tried to get to Task Manager to stop the process but could not. I could not run any programs from that point on. I booted via F8, and one time only, could get to safe mode, but could not activate any antivirus software that I use. After that, the only option that I could load was the "Repair your computer" line, and then get to a command prompt. If I try anything else, the system tries to repair, fails at a repair, and cannot restart. My only option is to shut down, reboot, and F8 it again.

I tried to load your program, but always get an error stating that the msvbvm60.dll file is missing. I have gotten into the registry and the file is in fact there, despite the warning otherwise. I have tried to install Hijack This, but get a warning that the oledlg.dll file is missing, but that too, is in the registry. I have renamed the mbam file in an effort to spoof the malware, to no avail. I downloaded the tdsskiller program, but see nothing that looks funny. I cannot load rootrepeal, because it's an rar file. (I don't know how to do that) I am downloading programs via a flash drive and moving to the desktop to load from there.

I have spoken with some IT friends who are suggesting a reinstall of Windows 7, but I'm reluctant to do that because I have numerous programs that would be burdensome to reinstall. I do use Carbonite for cloud backup of data. I'm convinced by reading your forum that the malware can be removed. I presume it's just a matter of the correct order of fix.

Please let me know if you have any questions. Thank you again for your insight.

Lastly, I'm patient enough to see this through; it's a matter of pride at this point. I'll fall on my sword before they win. Thankfully, the laptop is at hand.


Hi,

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Hi Gammo,

Thanks for the reply.

I downloaded combofix to a flash drive. I can only get to a command prompt. The flash is designated K:. I try to load there via the combofix.exe command. The program starts to load and I get a warning message that says, "Not Admin." I am the admin, of course. A pop up window behind that asks if I want to restart the computer. The only two options to log on at the restart for "Repair your Computer," is Keith (which is me) and Me. I've tried both to load the combofix. Neither works.

I'm stymied.

Thanks for your help.

Keith


Hi,

So you can't boot Windows normally? We can work outside Windows:

Follow these first steps on another PC:

First, copy this scan.txt to a USB drive.

Please print these instruction out so that you know what you are doing.

OTLPEStd.exe

Size: 97,697,047 bytes / 93.1 MB

MD5: E29EEBA00CCA665A2F04B8695469D986

  1. Download OTLPEStd.exe to your desktop.
  2. Ensure that you have a blank CD in the drive.
  3. Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD.
  4. Reboot the infected system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here.
  5. As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads. :)
  6. Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy.
  7. Double-click on the OTLPE icon.
  8. Select the Windows folder of the infected drive if it asks for a location.
  9. When asked "Do you wish to load the remote registry", select Yes.
  10. When asked "Do you wish to load remote user profile(s) for scanning", select Yes.
  11. Ensure the box "Automatically Load All Remaining Users" is checked and press OK.
  12. OTL should now start.
  13. Double-click on the Custom Scans/Fixes box and a message box will popup asking if you want to load a custom scan from a file.
    Select Scan.txt on your USB drive.
  14. Press Run Scan to start the scan.
  15. When finished, the file will be saved in drive C:\OTL.txt.
  16. Copy this file to your USB drive if you do not have internet connection on this system.
  17. Right click the file and select "Send to", then select the USB drive.
  18. Confirm that it has copied to the USB drive by selecting it.
  19. You can back up any files that you wish from this OS.
  20. Please post the contents of the C:\OTL.txt file in your reply.

scan.txt

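Because the post above gives the size and MD5 of OTLPEStd.exe, a download that stops extracting partway can be distinguished from an interfering infection by checking the file on the clean laptop first. The script below is an added example and is not part of the original thread or of the OTLPE tool; the file path is a placeholder to be pointed at the downloaded installer.

```python
import hashlib
import sys

# Size and MD5 as posted in the thread for OTLPEStd.exe
EXPECTED_SIZE = 97_697_047
EXPECTED_MD5 = "E29EEBA00CCA665A2F04B8695469D986"


def digest_and_size(chunks):
    """Return (md5 hex digest, byte count) over an iterable of byte chunks."""
    h = hashlib.md5()
    size = 0
    for chunk in chunks:
        h.update(chunk)
        size += len(chunk)
    return h.hexdigest(), size


def check_integrity(chunks, expected_size, expected_md5):
    """Compare streamed content against the expected size and MD5."""
    # Forums often post hashes in upper case while hashlib emits lower case,
    # so compare case-insensitively.
    md5, size = digest_and_size(chunks)
    size_ok = size == expected_size
    md5_ok = md5.lower() == expected_md5.lower()
    return {"size": size, "md5": md5, "size_ok": size_ok,
            "md5_ok": md5_ok, "ok": size_ok and md5_ok}


def verify_file(path, expected_size=EXPECTED_SIZE, expected_md5=EXPECTED_MD5):
    """Stream a file from disk in 1 MiB chunks and check it."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(1024 * 1024)
                if not block:
                    return
                yield block
    return check_integrity(chunks(), expected_size, expected_md5)


if __name__ == "__main__":
    # Placeholder path: pass the real location of the downloaded installer.
    target = sys.argv[1] if len(sys.argv) > 1 else "OTLPEStd.exe"
    result = verify_file(target)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

A size or MD5 mismatch means the file should be downloaded again before burning; a match means the extraction failure lies with the machine it is run on, not the download.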

Hi Gammo.

I downloaded the scan.txt to a usb drive.

I then burned the OTLPEStd.exe file to my desktop. I sent to my E: drive and burned to a dvd. I loaded that into the infected computer and ran the .exe file from the cd drive.

I can see the new file on the infected computer. When I give the command to execute the OTLPEStd.exe file, it asks me if I want to burn to a CD. I reply Yes, and the process starts. A pop up window indicates that files are extracting, and when it goes to about the 15% mark, the program stops and no more downloads occur. If I look to the E: dir, there is nothing there except the original .exe file.

It's a tenacious little bugger, this virus.


You have to download OTLPE to a normal harddrive.

Put a blank CD in your computer.

Run OTLPE in order to burn it to the blank CD.

NOTE: Don't copy anything (including the OTLPE .exe file) to the CD yourself. By running the .exe file from the Desktop OTLPE copies itself to the CD.


Gammo,

Please walk me through this.

My infected computer has only the command prompt at this point.

I'm accessing the malwarebytes forum via my wifi laptop.

I downloaded the exe file to my laptop, saved to my desktop there, then burned it to dvd, and then installed that dvd in the cd rom drive of the infected computer. Once there, and from the command prompt, I ran the exe file.

Am I doing the process incorrectly? I'm not sure how to load the exe file on the infected computer, if that is the case.

Thanks.


Gammo,

alright, I understand.

I did do that.

I have checked the BIOS and it is set to boot the CD drive first.

When the system reboots, I can see a flash of light in the CD drive, but then the system defaults to a "Repair the computer" popup, wherein the popup says that the system is trying to repair itself. It then fails to repair, and asks if I want to send a message to Mother Microsoft. I press NO, and then the only option the first popup gives me is to finish or restart. If I finish, it's a complete shutdown of the system. If I restart, we're back to the trying to repair the computer popup.

Hope this helps.


Ya know, my friend Dirk from Amsterdam says the same damn thing :)

Ok, I'll try to make this as clear as I can. Please let me know if I'm not clear.

I have two computers.

The Infected Computer, my desktop, only allows me to get to a command prompt. No matter what I do to change the boot order in the BIOS, I cannot get the OTLPEStd.exe (hereinafter called the OT disc) to boot. I have tried all the settings in case my drive allocations got spoofed or changed in the BIOS. I'm not sure that can happen, but I've tried from the CD-ROM, the hard drive, floppy, and Ethernet. Nothing works to boot the OT disc. The light flashes briefly in the drive, but that's it. See more below for running the program from a command prompt.

My other NonInfected Computer is a laptop that is connected to you via a wifi ethernet connection.

You thought maybe the OT disc had not burned correctly. I inserted it in the laptop, and double clicked on the OT disc exe command. It loaded, and completely extracted the information to the 100% mark. I then got a pop up window which I believe said ISO Burn on it. It showed "parameters" of the disc and start options. I closed it down as you suggested.

I take it that the disc is okay and that the program is complete on there since it worked on my laptop. As far as the Infected Computer goes, if I try to have the disc autoboot, it will not happen. If I go to a command prompt and enter otlpestd.exe, it starts to load, extracts approximately 16% of the data, and then stops. I've tried it a number of times and the result is always the same. In short, no matter what exe file I try to load from the command prompt, I get some sort of error. I'm no brain at this, but I presume there's something resident that is stopping the loading of most of the fixit programs.

I hope I'm clear. Thanks, and I'm still stumped.


I'll try to explain this to you. otlpestd.exe is NOT OTL PE. It contains an ISO of OTLPE and a burning program.

You have to doubleclick otlpestd.exe on your non-infected computer.

This will extract the OTLPE ISO and start the burning program, so that you can burn the extracted ISO to a blank CD.

otlpestd.exe itself will not be burned to the CD. Only the content of the ISO file will be burned to the CD.

I think you have somehow burned otlpestd.exe to the CD? :)

I closed it down as you suggested.

The burning program? I didn't tell you to close anything. You'll have to use the burning program to burn OTLPE to the blank CD.


Gammo,

I am at the reatogo screen. I doubleclicked on the OTLPE icon. When asked for a drive, the only one that was highlighted (like a hyperlink) was the C drive. When I clicked on it, I got a pop up message that said "Target is not Windows 2000 or later" I tried all the drives and folders that showed up and the result was the same. I'm still at the reatogo-x-pe homepage.

Some good progress, my friend. I'm stuck and need your advice.

As an aside, I'm out for an hour to see my son's high school marching band, and I'll be back after that.

Thank you for your help, and see you shortly.

Keith


Gammo,

Good morning for me and good afternoon to you.

The program successfully loaded. As you advised, I went to c:\windows and it worked. I am now at an OTL PE Version window which allows options for scanning, etc.

When I double click on the Custom Scans and Fixes bar, a window opens defaulting to My Documents (with subfolders of Music, etc.). The file scan.txt defaults in the file name window, but when I try to navigate to the USB drive, either by the moving up icon or the drop down menu, I get the following popup warning: Access violation at address 7CA0C936 in module "shell32.dll". Read of Address 000000006.

If I go to My Computer from the desktop in Reatogo, the USB drive is not recognized.

Thanks.


When the scan is completed, a log file will be saved as C:\OTL.txt.

You have to post the contents of this file in your next reply. If you have internet connection in OTLPE, then you can just use the web browser to post it.

Copy this file to your USB drive, if you do not have internet connection on this system.

  • Right click the file and select "Send to", then select the USB drive.
  • Confirm that it has copied to the USB drive by selecting it.
  • Put the USB stick in your clean computer.
  • Then use your web browser to post the contents of the C:\OTL.txt file in your reply.
