fake AV - can't run anything (literally)


I am sending this from another computer (which has SpybotS+D, MBAM and SpywareBlaster all up to date, and recently scanned, so is presumably uninfected).

I cannot run much of anything on the infected computer. It is running Windows Vista (SP1). The symptom is a bunch of warnings from a fake antivirus called "Security Tool". When I try to run a program, I get a warning that the program is infected, and it won't let me run it.

I can copy a file from the uninfected computer to the infected one via a flash drive (though I know I will have to be careful to scan it when I try to use it again). So, prior to making this post, I had downloaded the MBAM installer onto the good computer, copied it to the flash drive, and copied it from the flash drive to the desktop of the bad computer. Double-clicking it won't run it; renaming it to other things (like "explorer.exe" or "winlogon.exe") also has not worked.

I am assuming there is still something I can do to retake command of the infected computer - to the point where I can at least get MBAM to install - and eventually to run it and do a scan.

I am awaiting your assistance.


Thanks - that seems to have gotten rid of the fake warnings.

I couldn't run any of the exehelper programs but I was eventually able to install and run MBAM, which removed a total of 54 threats.

Not all fixed yet though. I still need to post from the clean computer, because none of my web browsers can access any website (yet I know I have internet access because MBAM downloaded a chunk of updates, and I can navigate on our home network).

I got the HJT installer via the good computer and installed it via flash drive. Ran HJT (as admin) and got the attached log:

What can I do about the web browsers - is it the "redirection problem" mentioned in some of the postings?

---

Welcome to the forum.

See if following this guide works.

Make sure you run both rkill and exehelper.

Most important....update MBAM before you run it.

Post the logs back here, Good Luck....MrC

hijackthisreport.txt


You want to run HJT and fix these:

Close all programs, leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O4 - HKCU\..\Run: [rmnzhp] RUNDLL32.EXE C:\Users\admin\AppData\Local\Temp\mswyxtnd.dll,w

Click on Fix Checked when finished and exit HijackThis.

Reboot and see if you can get on the net now.

---------------------------

What can I do about the web browsers - is it the "redirection problem" mentioned in some of the postings?

No, redirects would be if you used a search engine and you got redirected from there.

I would double check these settings and also compare them to one of the other computers settings.

You said you were on a home network right?

Are all the computers able to "talk" to each other?

Open up Internet Explorer, and when the program is open, click on the Tools menu and then select Internet Options.

Another way to get to your Internet Properties:

Go to your Start Button > Run > copy and paste this in: inetcpl.cpl > Click OK

Now click on the Connections tab, then click on LAN Settings.

Under the Proxy Server section, please uncheck the checkbox labeled Use a proxy server for your LAN.

Then press the OK button to close this screen.

Then press the OK button to close the Internet Options screen.

Now that you have disabled the proxy server you will be able to browse the web again with Internet Explorer.

Let me know, MrC

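The four HJT entries MrC lists above, and the loopback proxy that kept the browsers off the web, can be triaged mechanically rather than by eye. The script below is an added example written for this page; it is not part of the thread, of HijackThis or of Malwarebytes. It parses HJT-style R0/R1, O2 and O4 lines and flags the three patterns that were removed here: a ProxyServer value pointing at 127.0.0.1 (the fake AV's local proxy, which is also why the inetcpl.cpl "Use a proxy server" box had to be unchecked), a BHO with no backing file, and a Run entry that uses rundll32 to load a DLL from a Temp directory. The sample log reuses the four lines from the post plus two constructed benign lines (a hypothetical product name and the null GUID) so the rules have something to leave alone; the `Finding` type and rule names are the example's own.

```python
"""Triage HijackThis (HJT) log lines for the patterns removed in this thread.

Added example for this page; not part of the thread, of HijackThis or of
Malwarebytes.  The sample log reuses the four entries posted above plus two
constructed benign lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the four entries from the post, then two benign lines
# (hypothetical product, null GUID) that the rules must leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [rmnzhp] RUNDLL32.EXE C:\Users\admin\AppData\Local\Temp\mswyxtnd.dll,w
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

# Line shapes as HJT prints them (R0/R1 registry values, O2 BHOs, O4 autoruns).
R_LINE = re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# One proxy entry (optionally scheme-prefixed) that points back at this host.
LOOPBACK = re.compile(
    r"^(?:(?:http|https|ftp|socks)=)?(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost|\[?::1\]?)(?::\d+)?$",
    re.I,
)
TEMP_DIR = re.compile(r"\\(?:Temp|Local Settings\\Temp)\\", re.I)
RUNDLL = re.compile(r"\brundll32(?:\.exe)?\b", re.I)


@dataclass(frozen=True)
class Finding:
    line: str
    severity: str   # "high", "medium" or "info"
    reason: str


def loopback_proxy(data: str) -> bool:
    """True if any entry of an IE ProxyServer value routes through this machine."""
    entries = [e.strip() for e in data.split(";") if e.strip()]
    return any(LOOPBACK.match(e) for e in entries)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line, in log order; clean lines yield nothing."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := R_LINE.match(line):
            value, data = m["value"].strip(), m["data"].strip()
            if value.lower() == "proxyserver" and loopback_proxy(data):
                findings.append(Finding(line, "high",
                    f"browser proxy routed through this host ({data}); a local process is intercepting web traffic"))
            elif value.lower() == "proxyserver" and data:
                findings.append(Finding(line, "medium", f"proxy configured ({data}); confirm it is expected"))
            elif not data:
                findings.append(Finding(line, "info", f"empty {value} value; harmless, fixed for tidiness"))
        elif m := O2_LINE.match(line):
            if m["file"].strip().lower() == "(no file)":
                findings.append(Finding(line, "medium", f"BHO {m['clsid']} registered but its DLL is gone (orphaned entry)"))
            elif TEMP_DIR.search(m["file"]):
                findings.append(Finding(line, "high", f"BHO {m['clsid']} loads from a temp directory"))
        elif m := O4_LINE.match(line):
            cmd = m["cmd"]
            if RUNDLL.search(cmd) and TEMP_DIR.search(cmd):
                findings.append(Finding(line, "high",
                    f"{m['hive']} {m['key']} entry [{m['name']}] uses rundll32 to load a DLL from a temp directory"))
            elif TEMP_DIR.search(cmd):
                findings.append(Finding(line, "high", f"autorun entry [{m['name']}] executes from a temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it as-is to see the four findings from the sample; for a real log use `triage(open("hijackthis.log").read())`. The rules are deliberately narrow: a proxy that points at some other host only rates "medium" (it may be a legitimate corporate proxy), and an O4 entry under Program Files is not reported at all, because the point of an HJT review is to fix the flagged lines and "not any others by mistake".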

Thanks MrCharlie - all is working clean and perky now.

