Fake AV:Defense Center

It appears to be a rootkit, as an Avast! Bootscan detected 2 files, and they were just PuPs, not the fake AV.
And, I need to remove it from my Grandma’s computer. Any help is appreciated, I can’t get to IE/FF with the infected computer, nor can Avast seem to detect it. Help me!

Try free Mbam…!
http://www.malwarebytes.org/mbam.php
asyn

I have no way to put it on the infected computer… :cry: otherwise I would have, as my normal computer has SAS and MBAM on it… It’s just my brother’s ridiculous websurfing habits, he always seems to get viruses (he looks at failblog ALOT…)

Try Hitman Pro.

How to Start Hitman Pro in Force Breach Mode

I CANNOT DOWNLOAD ANYTHING… I have no way to get it on the infected computer, because the IE is hijacked, and she doesn’t have FF.

Download it to your machine, save it to an usb stick and use it there…!
asyn

I would have done that earlier, but I don’t have one.

Do you have a another computer that is not infected? If so, we are going to try OTLPE.

First

Download ISOBurner which will allow you to burn OTLPE.iso image to CD.

Next

  • Download the OTLPE.iso to your computer and burn it to the CD using ISOBurner. Information on how to burn an ISO image using ISOBurner can be found here.

NOTE: This file is 292Mb in size so it may take some time to download.

  • When the file has finished downloading, double-click on it and ISOBurner will automatically open and prompt you to burn the ISO image to a CD.

Save the following text to your USB stick (if you have one) as scan.txt. It must be named this, or the automated scan won’t work.

  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy) (Without copying the word “Code”):
/md5start
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
Si3112r.sys
/md5stop
  • Reboot your system using the boot CD you just created.

Note:If you do not know how to set your computer to boot from CD, please follow the steps here.

  • When the CD has finished booting your computer, you should now see a REATOGO-X-PE desktop.

  • Double-click on the OTLPE icon that is on the desktop.

  • When asked Do you wish to load the remote registry, select Yes.

  • When asked Do you wish to load remote user profile(s) for scanning, select Yes.

  • Ensure the box Automatically Load All Remaining Users is checked and press OK.

  • OTL should now start. Change the following settings list:

  • Change Drivers to Use SafeList

  • Double click in the custom scan area

  • You should be presented with a message Do you wish to load a custom scan from a file? Click Yes.

  • Browse to the scan.txt file on your USB stick, and click Open. The custom scan will then appear in the Custom Scans/Fixes window.

  • Press the Run Scan button to start the scan.

  • When finished, the OTL.txt log file will be saved in the folder C:.

  • If you do not have an Internet connection to the post the contents of the OTL.txt file, then copy this file to a USB drive.

  • Then post the contents of the OTL.txt file in your next reply.

You could either buy one (they’re rather cheap) or borrow one from a friend.
asyn

bran,

A quick suggestion…

trying safe mode with networking, as you didnt state youve tried it yet. If you dont know how to get to safe mode. power down the puter, then power up, while imediately start tapping the F8 key. A new menu will come up, chose safe mode networking. Then try to connect to Internet Explorer, If IE doenst connect go to Tools>internet options>connections>lan settings. Make sure the proxy is unchecked.

once IE works, download malwarebtyes from the link previously posted, update and run, while still in safe mode.

Hopefully this will work for you.

http://www.bleepingcomputer.com/virus-removal/remove-defense-center
http://forums.malwarebytes.org/index.php?showtopic=54634

Sat

Hi Sat,
depends on the infection his grandma got, but it’s sure worth a try…!
asyn

I’ve disabled the process for the fake AV, but now I cannot get on the internet. I suspect DNS server problems, because skype works fine, but I still can’t use IE, it doesn’t see the connection. The problem being is that every time I try to change the settings explorer locks up (because it’s a 4 year old prebuilt piece of crap, most likely…)

I also don’t have any CDs handy… (or a cd burner, for that matter.) Plus, that link is broken or something.

Try OTLPE (as written in my previous post) and essexboy will look at your log.

But I don’t have a way to get it to the infected computer.

I have no way to put it on the infected computer... Cry otherwise I would have, as my normal computer has SAS and MBAM on it.. It's just my brother's ridiculous websurfing habits, he always seems to get viruses (he looks at failblog ALOT...)
I CANNOT DOWNLOAD ANYTHING... I have no way to get it on the infected computer, because the IE is hijacked, and she doesn't have FF.

Also, I found the files and moved them to chest and sent them to Avast! Hopefully it will detect it in the future…

Now the ONLY problem it’s having now, because the virus seems to be somewhat/mostly gone, and hasn’t come back after a few restarts,
is that I cannot connect to the internet using IE, and I may need to reinstall or something like that, but as I’ve said four times now, I have no way to get it to the infected computer.

Signing out, should be back sometime tomorrow.

Then take it to a computer repair shop. They’ll probably may have to reformat and re-install your OS or may suggest that you have to buy a new computer, probably a Vista or Windows 7. You will, however, may have to backup your personal files. If you aren’t able to back up personal files onto a CD, then you will have to start over.

avast! may be able to detect it using heuristics, so you could create a custom scan and turn up the heuristics…

It may be that a proxy has been set in IE…

Try opening internet explorer -->tools -->internet options → ‘connections’ tab → ‘LAN settings’ button → UNcheck ‘Use a proxy server for your LAN’