I was recently attacked by this rogue anti-virus program called Antivirus 2010 Security Center. I tried using Malwarebytes and other software which could help me counter this problem, but the rogue somehow disabled them. As a last resort I tried removing the program by uninstalling it through the Control Panel. It did work: the mad popups stopped and the blocks were finished, but my anti-virus programs kept on getting disabled. I don't know what is going on.
I currently use Windows 7. My anti-virus software is avast! free version, Malwarebytes, SUPERAntiSpyware, Spybot Search & Destroy and Spyware Doctor with Antivirus; all of them except Spyware Doctor keep on getting disabled.
Try running Hitman Pro first and then Malwarebytes, and update MBAM before you run it.
Hitman Pro 3 - Second Opinion Malware Scanner http://www.surfright.nl/en/hitmanpro
Hitman Pro in Force Breach Mode http://hitmanpro.wordpress.com/2010/03/16/hitman-pro-in-force-breach-mode/
How to remove Antivirus 2010 (Uninstall Instructions)
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010
Quote: malwarebytes, super anti spyware, spybot search and destroy and spyware doctor with antivirus all of them except spyware doctor
Remove Spyware Doctor + AV, as you already have avast! antivirus. Running two AVs can/will cause mysterious Windows errors and false positive detections, and you don't need it when you have Malwarebytes. I would also remove Spybot S&D as it is no good.
I tried Hitman Pro but it didn't work; after some time (5 mins or so) it also got disabled.
By disabled I mean that when I run it, it says:
Cannot find the specified device, file or path. You may not have the appropriate permission to access the item.
Avast and Malwarebytes also don't run anymore, so I had to get other alternatives.
Quote: How to remove Antivirus 2010 (Uninstall Instructions) http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010
Tried it, it didn't work.
Can you do this?
Follow this guide from Essexboy and post the logs:
http://forum.avast.com/index.php?topic=53253.0
To avoid using 20 posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTL.Txt and Extras.Txt).
Since you are running Windows 7, try this. It worked for me.
- Reboot the computer.
- When the Windows splash screen comes up, push and hold the power button until the computer shuts off.
- Turn the computer back on. When the option appears to “repair” select it and let it run.
- When the computer reboots after the repair, MBAM should then function normally. Avast may need to be repaired by “Fix it Now”
- Start MBAM, perform a manual update, run a quick scan and quarantine what it finds.
- Get Avast running and run a quick scan and send whatever it finds to the chest.
- Reboot and you should be good to go.
I can only vouch for this process on Windows 7 with its magical self healing properties.
Here you go.
Tried it, it didn't work.
But I will try the "Fix it now" part.
OK, super. I will PM Essexboy; he usually enters the forum late UK time, so in about 2-4 hours maybe.
Avast says that the system is unsecured. I press Fix Now but nothing happens.
There is some cloaked malware there.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
:OTL
SRV - [2010/07/20 18:29:13 | 000,028,762 | ---- | M] (MyWebSearch.com) [Auto | Running] -- C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE -- (MyWebSearchService)
DRV - [2010/03/24 09:37:04 | 000,018,432 | ---- | M] () [Kernel | System | Running] -- C:\Windows\system32\synigaac.dll -- (synigaac.dll)
IE - HKCU\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
FF - HKLM\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\1.bin [2010/09/22 14:09:17 | 000,000,000 | ---D | M]
O2 - BHO: (MyWebSearch Search Assistant BHO) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL (MyWebSearch.com)
O2 - BHO: (mwsBar BHO) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
O3 - HKLM\..\Toolbar: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
O3 - HKLM\..\Toolbar: (no name) - {381FFDE8-2394-4F90-B10D-FC6124A40F8C} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (My Web Search) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (MyWebSearch.com)
O4 - HKLM..\Run: [My Web Search Bar Search Scope Monitor] C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE (MyWebSearch.com)
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe File not found
O4 - HKCU..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe File not found
O4 - HKCU..\Run: [Steam] c:\program files\steamy\steam.exe File not found
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
- Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
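The OTL fix above removes entries from a fixed set of persistence points: Run keys (the O4 lines), Browser Helper Objects, IE toolbars and URLSearchHooks (the O2/O3/IE lines), a service and a kernel driver (the SRV/DRV lines), and the hosts file ([resethosts]). The following read-only audit of those same locations is an added example for this page; it is not part of OTL or of any post in the thread. It assumes an elevated PowerShell 2.0 or later prompt on Windows 7, and the helper names Get-TargetPath and Test-Target are my own. It flags every entry whose target file is missing (the "File not found" orphans OTL reports), is unsigned, or has no CLSID server registered (the "No CLSID value found" toolbar case), plus any non-default hosts line.

```powershell
# Added example, not from the thread or from OTL: a read-only audit of the autostart and
# browser-hook locations that the OTL fix touched. Nothing is modified.
# Assumes an elevated PowerShell 2.0+ prompt on Windows 7 or later.

# Pull a file path out of a Run value or a service/driver ImagePath, handling quotes,
# environment variables and the kernel-style prefixes drivers use (\??\, \SystemRoot\).
function Get-TargetPath {
    param([string]$Command)
    if ([string]::IsNullOrEmpty($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $c = $c -replace '^\\\?\?\\', ''
    $c = $c -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($c -match '^\\?system32\\') { $c = $env:SystemRoot + '\' + ($c -replace '^\\', '') }
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    # Unquoted command line: stop at the first .exe/.dll/.sys/.cmd/.bat token.
    $m = [regex]::Match($c, '^(.+?\.(exe|dll|sys|cmd|bat))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

# Classify one entry: no target, missing file (an orphan), unsigned, or signed and by whom.
function Test-Target {
    param([string]$Source, [string]$Name, [string]$Command)
    $path = Get-TargetPath $Command
    if (-not $path) { $status = 'EMPTY' }
    elseif (-not (Test-Path -LiteralPath $path)) { $status = 'FILE NOT FOUND' }
    else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -eq 'Valid') { $status = 'signed: ' + $sig.SignerCertificate.Subject }
        else { $status = 'UNSIGNED (' + $sig.Status + ')' }
    }
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Path = $path; Status = $status }
}

$results = @()
$psNoise = '^PS(Path|ParentPath|ChildName|Drive|Provider)$'   # provider metadata, not registry values

# 1. Run keys (the OTL "O4" lines), machine-wide and for the current user.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = $hive + ':\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($p.Name -match $psNoise) { continue }
        $results += Test-Target ($hive + ' Run') $p.Name $p.Value
    }
}

# 2. BHOs, IE toolbars and URLSearchHooks (the OTL "O2"/"O3"/"IE" lines). Each entry is a
#    CLSID; the DLL implementing it is the default value of CLSID\{guid}\InprocServer32.
$clsidLists = @{
    'BHO'           = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'IE Toolbar'    = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'
    'URLSearchHook' = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
}
foreach ($kind in $clsidLists.Keys) {
    $key = $clsidLists[$kind]
    if (-not (Test-Path $key)) { continue }
    $guids = @(Get-ChildItem $key | ForEach-Object { $_.PSChildName }) +
             @((Get-ItemProperty $key).PSObject.Properties | ForEach-Object { $_.Name })
    foreach ($guid in ($guids | Where-Object { $_ -match '^\{[0-9A-F-]+\}$' } | Sort-Object -Unique)) {
        $dll = $null
        foreach ($root in 'HKLM', 'HKCU') {
            $server = $root + ':\Software\Classes\CLSID\' + $guid + '\InprocServer32'
            if (Test-Path $server) { $dll = (Get-ItemProperty $server).'(default)'; break }
        }
        $results += Test-Target $kind $guid $dll    # no server key at all shows up as EMPTY
    }
}

# 3. Running services and kernel drivers (the OTL "SRV"/"DRV" lines).
foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
    foreach ($svc in (Get-WmiObject -Class $class | Where-Object { $_.State -eq 'Running' })) {
        $results += Test-Target $class $svc.Name $svc.PathName
    }
}

# 4. Hosts file (the OTL [resethosts] step): anything beyond comments and the stock localhost lines.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in @(Get-Content $hostsFile -ErrorAction SilentlyContinue)) {
    if ($line -match '^\s*#' -or $line -match '^\s*$') { continue }
    if ($line -match '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$') { continue }
    $results += New-Object PSObject -Property @{ Source = 'hosts'; Name = $line.Trim(); Path = $hostsFile; Status = 'NON-DEFAULT ENTRY' }
}

# Show only what deserves a second look; drop the Where-Object to list every entry.
$results | Where-Object { $_.Status -notlike 'signed:*' } |
    Select-Object Source, Name, Path, Status | Format-Table -AutoSize -Wrap
```

Run it before and after a fix like the one above: the "FILE NOT FOUND" rows are the orphaned Run and service entries a fix script needs to delete, and a toolbar GUID with an EMPTY status is the "No CLSID value found" case. An unsigned entry is not proof of malware (plenty of legitimate software ships unsigned), so treat that column as a triage hint, not a verdict.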
Here is the Log
All processes killed
========== OTL ==========
Service MyWebSearchService stopped successfully!
Service MyWebSearchService deleted successfully!
C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE moved successfully.
Service synigaac.dll stopped successfully!
Service synigaac.dll deleted successfully!
C:\Windows\System32\synigaac.dll moved successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{00A6FAF6-072E-44cf-8957-5838F569A31D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}\ deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL moved successfully.
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\chrome folder moved successfully.
C:\Program Files\MyWebSearch\bar\1.bin folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D}\ deleted successfully.
File C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\ deleted successfully.
File C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{07B18EA9-A523-4961-B6BB-170DE4475CCA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\ deleted successfully.
File C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{381FFDE8-2394-4F90-B10D-FC6124A40F8C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{381FFDE8-2394-4F90-B10D-FC6124A40F8C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{07B18EA9-A523-4961-B6BB-170DE4475CCA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\ not found.
File C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\My Web Search Bar Search Scope Monitor deleted successfully.
File C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\MyWebSearch Email Plugin deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\MyWebSearch Email Plugin deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Steam deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
D:\Downloads\cmd.bat deleted successfully.
D:\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Happymate
->Temp folder emptied: 864695 bytes
->Temporary Internet Files folder emptied: 77576453 bytes
->Java cache emptied: 830875 bytes
->Google Chrome cache emptied: 96262318 bytes
->Flash cache emptied: 28425 bytes
User: Public
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1051104 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 168.00 mb
[EMPTYFLASH]
User: All Users
User: Default
User: Default User
User: Happymate
->Flash cache emptied: 0 bytes
User: Public
Total Flash Files Cleaned = 0.00 mb
OTL by OldTimer - Version 3.2.14.1 log created on 09222010_220310
Files\Folders moved on Reboot...
C:\Windows\temp\TMP00000017CF8A5E1AE806EF63 moved successfully.
C:\Windows\temp\TMP00000019ABA7DAC705289E44 moved successfully.
Registry entries deleted on Reboot...
I am now using ComboFix.
Er, ComboFix is taking a lot of time.
It can take anywhere up to 20 minutes or so, dependent on the infections it finds.
This is the ComboFix log.
What problems are you experiencing now?
Malwarebytes is working perfectly again and I am reinstalling avast! antivirus.
MBAM found some infected items.
Thank you, essexboy.
The MBAM Log
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) → Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3popularscreensavers (Adware.MyWebSearch) → Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Nice - they were registry orphans from mywebsearch ;D
Let's clear my bits and bobs now.
Looking at that I am a happy bunny
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Run OTL and hit the Cleanup button. It will remove all the programmes we have used, plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.
We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that.
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View tab.
- Under the Hidden files and folders heading, select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
SPRING CLEAN
Download and run Puran Disc Defragmenter
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
- SpywareBlaster to help prevent spyware from installing in the first place.
- Malwarebytes. Run weekly to keep your system clean.
It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated.
To keep your operating system up to date, visit
- Microsoft Windows Update
To learn more about how to protect yourself while on the internet, read our little guide: How did I get infected in the first place?
Keep safe
Did as you said, thx