Antivirus Security Pro Pop-ups Virus

Currently, I have a virus; I am not able to go to websites without being intercepted. Also, I can’t bring up taskmgr. Every time that I try, I get: “Warning! Infected file detected”. Then, it prompts me to either “buy Full Edition” or Continue. For the information, it states: “Suspicious activity detected in the application taskmgr.exe similar to the behavior of the virus Win32/Conficker.X. To restore the application’s full operation, you must use the full edition of Antivirus Security Pro.” When I attempt to go to a website, it’s intercepted and states: “Activate Antivirus Security Pro, and enable safe web surfing (recommended)”. And, it states: “Ignore warnings and visit that site in the current state (not recommended)”. I cannot get very far. So, now I am on another computer opening up this topic.

Can someone please help guide me through this?

Thank you,

I’ve run several utilities. Attached are the logs; however, Extras.txt did not pop up when OTL was executed.

We need the following logs please: AdwCleaner / Malwarebytes / OTL / aswMBR

http://forum.avast.com/index.php?topic=53253.0 If you have trouble running any tool, try from safe mode.

You may download the tools on another computer and move them over with a USB stick.

Malware removers are notified; it may take some hours before they arrive.

Hi,

I just uploaded a file with the AdwCleaner, Malwarebytes and OTL logs. I will need to download aswMBR and run that. I will attach it after I shift everything around…THX

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-10-21 01:04:40

01:04:40.119 OS Version: Windows x64 6.1.7601 Service Pack 1
01:04:40.119 Number of processors: 2 586 0x2A07
01:04:40.120 ComputerName: VTMCKOY-PC UserName: vtmckoy
01:04:42.359 Initialize success
01:04:42.601 AVAST engine defs: 13102000
01:04:58.386 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
01:04:58.392 Disk 0 Vendor: WDC_WD50 02.0 Size: 476940MB BusType: 3
01:04:58.545 Disk 0 MBR read successfully
01:04:58.547 Disk 0 MBR scan
01:04:58.551 Disk 0 Windows 7 default MBR code
01:04:58.558 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 200 MB offset 2048
01:04:58.574 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 431938 MB offset 411648
01:04:58.577 Disk 0 Partition - 00 0F Extended LBA 29692 MB offset 885020672
01:04:58.606 Disk 0 Partition 3 00 12 Compaq diag NTFS 15109 MB offset 945829888
01:04:58.638 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 29691 MB offset 885022720
01:04:58.693 Disk 0 scanning C:\windows\system32\drivers
01:05:08.280 Service scanning
01:05:28.106 Modules scanning
01:05:28.125 Disk 0 trace - called modules:
01:05:28.143 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
01:05:28.155 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa80064ee360]
01:05:28.164 3 CLASSPNP.SYS[fffff88001b3d43f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa80046fe050]
01:05:29.053 AVAST engine scan C:\windows
01:05:32.188 AVAST engine scan C:\windows\system32
01:07:47.274 AVAST engine scan C:\windows\system32\drivers
01:07:59.104 AVAST engine scan C:\Users\vtmckoy
01:13:25.726 AVAST engine scan C:\ProgramData
01:16:12.418 Scan finished successfully
01:17:00.987 Disk 0 MBR has been saved successfully to “C:\Users\vtmckoy\Desktop\Threat102013\ASWmbr\MBR.dat”
01:17:00.993 The log file has been saved successfully to “C:\Users\vtmckoy\Desktop\Threat102013\ASWmbr\aswMBR.txt”
01:17:49.283 Disk 0 MBR has been saved successfully to “E:\PCIssues102013\AntiVirusSoftware\ASWmbr\MBR.dat”
01:17:49.298 The log file has been saved successfully to “E:\PCIssues102013\AntiVirusSoftware\ASWmbr\aswMBR.txt”

Hi vtmckoy, OTL does not see Conficker.

Please download DDS and save it to your Desktop from here:
http://www.bleepingcomputer.com/download/dds/dl/104/

Double click to run the tool, click the Start button.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

Save both reports to your desktop and attach DDS.txt and Attach.txt back to the topic.

Next

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Hi,

After I ran the initial scans, the initial state of my computer improved. So, OTL probably fixed Conficker. Attached are the requested files. Also, I am not getting millions of pop-ups like I used to; but, when I try to view a website in Firefox, I am getting: “The proxy server is refusing connections”. In IE, I am redirected to an AOL page and it says that IE cannot display this page.

Thx…

So, OTL probably fixed Conficker.
Nope... OTL has not done anything yet; it just made a diagnostic log. ;)

OK… it wasn’t OTL; but it was probably MBAM. I know in one of them I selected everything and clicked remove. After I rebooted, my laptop was in a much better state than previously–even though right now I am not able to get online. At least, I wasn’t getting all of the Antivirus Security Pro pop-ups asking me to buy products–along with other pop-ups.

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

  • Double-click MCShield-Setup to install the application.
  • Wait a few seconds for MCShield to finish its initial scan.
    Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
  • Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has created.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Next

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/?mtmhp=hyplogusaolp00000023&.....729F4D220B
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL =
SearchScopes: HKCU - {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = http://slirsredirect.search.aol.com/redirector/sredir?sredir=843&q={SearchTerms}&s_it=adknowledgeaol-ie&tb_uuid=CBA2355C0C3D4DF2A52A94729F4D220B&tb_oid=21-10-2013&tb_mrud=21-10-2013
CHR Plugin: (Best Buy pc app Detector) - C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll No File
C:\ProgramData\Best Buy pc app 
2013-10-20 21:43 - 2013-10-21 01:28 - 00000000 ____D C:\Users\vtmckoy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro
2013-10-20 21:42 - 2013-10-21 00:36 - 00000000 ____D C:\ProgramData\ig37Uavn
2013-10-21 01:28 - 2013-10-20 21:43 - 00000000 ____D C:\Users\vtmckoy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Antivirus Security Pro
C:\Users\vtmckoy\AppData\Local\Temp\aol_trio.exe
2013-10-21 00:10 - 2013-10-21 00:10 - 00003866 _____ C:\windows\System32\Tasks\BrowserSafeguard Update Task
MountPoints2: {2e4a5984-10a8-11e1-82c5-f0def159d4b6} - E:\DigitalPhotoViewer.exe
MountPoints2: {7f5a2ccd-33db-11e1-bfd9-f0def159d4b6} - E:\VZAccess_Manager.exe /z detect
Task: {2FA6ABCB-88E0-463D-ACEC-8500DF2E7FA6} - System32\Tasks\BrowserSafeguard Update Task => C:\Program Files (x86)\Browsersafeguard\uninstall.browsersafeguard.exe
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

Hi,

Attached are the requested logs…thx

Any problems?

Same problems. I have not been able to get online. When I click on a website, it states: “The proxy server is refusing connections” in Firefox. In IE, it states: “Internet Explorer cannot display the webpage”. In Chrome, it says: “Unable to connect to the proxy server”. In Firefox, I did restore defaults and I can get my home page of Google. However, I can’t go any further. I keep getting the proxy message.

Initially, I was getting all of the pop-ups and could not run any executables. After I ran the initial scans and MBAM with fixes, there were very few pop-ups and I was able to run executables again. At first, I couldn’t bring up taskmgr or anything. But, now, I cannot pull up any websites due to the proxy message.

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm the “End User Licence Agreement” and “KSN Statement” dialog boxes by clicking on the Accept button.

  • Press Start Scan.
  • If a Suspicious object is detected, the default action will be Skip; click on Continue.
  • If Malicious objects are found, select Cure.

Once complete, a log will be produced in the root of the system drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

Rerun FRST

Attached are the requested files. You stated to rerun FRST; however, I’m not sure what options you wanted me to select. I checked “List BCD” and “Driver MD5”. I did not check “Addition txt”; then, I clicked “Scan”. Let me know if you want me to rerun it with different options. Thx…

In Firefox, I went to Options/Network/Settings; the “Use system proxy settings” button was checked. I unchecked it and checked the “Auto-detect proxy settings for this network” and now I am able to view websites. In IE8, Tools/Internet Options/Connections/LAN Settings under Proxy Server, the “Use a proxy server for your LAN” was checked. I unchecked it and now I am able to view websites. I am not sure what they are really supposed to be; but, now I am able to get on the internet.
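The proxy setting the post above found ticked, together with the start page, search scopes, MountPoints2 autorun commands and scheduled task that the earlier fixlist targeted, can all be read back from the registry before anything is changed. The following PowerShell script is an added example and is not from the thread, the helper, or any of the tools named in it. It assumes Windows 7 or later with PowerShell 2.0+, run as the affected user, with an English locale (the schtasks column names are localized); all function names are the example's own and it modifies nothing.

```powershell
# Added example (not from the thread): read-only audit of the registry
# locations behind a hijacked proxy, start page, search scope, per-volume
# autorun and scheduled task. Assumes Windows 7+, PowerShell 2.0+, English
# locale. Nothing is changed; the output is for comparison with the FRST log.

function Get-WinInetProxy {
    # WinINET settings used by IE and by Firefox when "Use system proxy
    # settings" is selected. ProxyEnable=1 with a ProxyServer nobody
    # configured matches "The proxy server is refusing connections".
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
        AutoConfigURL = $p.AutoConfigURL   # PAC script URL, another hijack point
    }
}

function Get-IEStartAndSearchScopes {
    # Start page plus every search scope URL in both hives and each DefaultScope.
    $main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{ Hive = 'HKCU'; Name = 'Start Page'; Value = $main.'Start Page' }
    foreach ($hive in 'HKCU', 'HKLM') {
        $scopes = "${hive}:\Software\Microsoft\Internet Explorer\SearchScopes"
        if (-not (Test-Path $scopes)) { continue }
        $def = (Get-ItemProperty $scopes -ErrorAction SilentlyContinue).DefaultScope
        New-Object PSObject -Property @{ Hive = $hive; Name = 'DefaultScope'; Value = $def }
        foreach ($sub in Get-ChildItem $scopes -ErrorAction SilentlyContinue) {
            $url = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).URL
            New-Object PSObject -Property @{ Hive = $hive; Name = $sub.PSChildName; Value = $url }
        }
    }
}

function Get-MountPoints2Autoruns {
    # Autorun commands Explorer remembered for removable volumes (the FRST
    # "MountPoints2:" lines). A command pointing at an .exe on a USB drive
    # letter should be compared with what is actually on that drive.
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (-not (Test-Path $root)) { return }
    foreach ($vol in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $cmdKey = $vol.PSPath + '\Shell\AutoRun\command'
        if (Test-Path $cmdKey) {
            $cmd = (Get-ItemProperty $cmdKey -ErrorAction SilentlyContinue).'(default)'
            New-Object PSObject -Property @{ Volume = $vol.PSChildName; Command = $cmd }
        }
    }
}

function Get-ScheduledTaskCommands {
    # Every scheduled task and the command it launches (the FRST "Task:" lines).
    # schtasks is used because Get-ScheduledTask does not exist on Windows 7.
    # /V output repeats the header row per task folder, so those rows are dropped.
    schtasks /Query /FO CSV /V 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' } |
        Select-Object TaskName, 'Task To Run'
}

'=== WinINET proxy (IE / Firefox "Use system proxy settings") ==='
Get-WinInetProxy | Format-List
'=== IE start page and search scopes ==='
Get-IEStartAndSearchScopes | Format-Table Hive, Name, Value -AutoSize
'=== MountPoints2 autorun commands ==='
Get-MountPoints2Autoruns | Format-Table Volume, Command -AutoSize
'=== Scheduled tasks ==='
Get-ScheduledTaskCommands | Format-Table -AutoSize
```

Unticking “Use a proxy server for your LAN” in IE corresponds to ProxyEnable going to 0; if the script still shows a ProxyServer or AutoConfigURL the user never set, that is the value to show the helper rather than clear by hand, since the fixlist is the channel the thread is using for removals.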

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press “Scan”.
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log into your reply.

Attached are the requested file. Thank you…

Scan with Combofix:

  • Please download ComboFix by sUBs and save it to your Desktop.
    You may read how Combofix works here.
  • Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.
  • Run ComboFix. Click on I Agree! & follow the prompts.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
  • When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) back to the topic.
    (typical log location: C:\ComboFix.txt )

Attached is the requested file. Thx…

It is necessary to uninstall ComboFix:

  • Click Start (or http://amf.mycity.rs/pg/images/VistaStartButton.png ) then Run.
    On Windows 7 or Vista you may use the Start Search field if Run is not available.
  • In the line of text type in (copy) the following:

ComboFix /Uninstall

    Note that there is a space between “ComboFix” and “/Uninstall”.
  • Then click OK (or press Enter).

Wait until the uninstall process is complete.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


U3 BcmSqlStartupSvc;
U2 CLKMSVC10_3A60B698;
U2 CLKMSVC10_C3B3B687;
U2 DriverService;
U2 IAStorDataMgrSvc;
U2 iATAgentService;
U2 idealife Update Service;
U3 IGRS;
U2 IviRegMgr;
S4 LMIRfsClientNP; No ImagePath
U2 nvUpdatusService;
U2 Oasis2Service;
U2 PCCarerService;
U2 ReadyComm.DirectRouter;
U2 RichVideo;
U2 RtLedService;
U2 SeaPort;
U2 SoftwareService;
U3 SQLWriter;
U2 Stereo Service; 

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
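The service list in the fixlist above includes an entry flagged “No ImagePath”; that condition, and the related case where ImagePath points at a file that is no longer on disk, can be enumerated directly from the Services registry key. The following PowerShell script is an added example, not code from the thread, the helper or FRST; it assumes Windows 7 or later with PowerShell 2.0+ run from an elevated prompt for full read access, and its function name and path-parsing rules are the example's own. It reports only and removes nothing.

```powershell
# Added example (not from the thread): list services and drivers whose
# registry entry has no ImagePath, or whose ImagePath points at a missing
# file. Assumes Windows 7+, PowerShell 2.0+, elevated. Read-only.

function Get-OrphanedServices {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
        # Only real service/driver entries carry a Type value; skip parameter subkeys
        if ($p -eq $null -or $p.Type -eq $null) { continue }
        # Registry Start values: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
        $image = $p.ImagePath
        if (-not $image) {
            New-Object PSObject -Property @{ Name = $svc.PSChildName; Start = $p.Start; Problem = 'No ImagePath' }
            continue
        }
        # Reduce ImagePath to the executable: expand %SystemRoot%, strip quotes
        # and trailing " -arg"/" /arg", then resolve the kernel-style prefixes
        # drivers use (\SystemRoot\..., \??\C:\...) and bare system32-relative paths.
        $exe = [Environment]::ExpandEnvironmentVariables($image.Trim())
        if ($exe.StartsWith('"')) { $exe = $exe.Substring(1).Split('"')[0] }
        else { $exe = ($exe -split ' (?=[-/])')[0] }
        if ($exe -match '^\\SystemRoot\\') { $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot }
        elseif ($exe -match '^\\\?\?\\') { $exe = $exe.Substring(4) }
        elseif (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
        if (-not (Test-Path -LiteralPath $exe)) {
            New-Object PSObject -Property @{ Name = $svc.PSChildName; Start = $p.Start; Problem = "Missing file: $exe" }
        }
    }
}

Get-OrphanedServices | Sort-Object Name | Format-Table Name, Start, Problem -AutoSize
```

An entry with no ImagePath or a missing file is not automatically malicious (leftover uninstallers produce the same state), so the list is best handed to the helper alongside the FRST log rather than acted on directly.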

Any problems?