Virus acting as a virus scan, run scan but it does not remove.

I have had to deal with this in the past but I do not remember how I got it off before. It's my daughter's laptop that's infected now. If someone can give some advice I would appreciate it.

I am unable to do much of anything. If I click fast enough I can run a malwarebytes scan; it detects some stuff and quarantines it, but the problem is still there after reboot.

hey nicole,

what is the name of this virus?

please post your malwarebytes log

Saty

Not sure of the name, cannot post the log because I'm working from my laptop. The one that is infected is totally useless. It looks like a windows scan window. “windows security alert”, that's what pops up. Hope this helps.

There should be a name on the fake scanner; all rogues have this, so trying to pinpoint which one is difficult with just this information.

You can try running an avast bootscan.

You can try running malwarebytes in safe mode.

You can also try this other on-demand free scanner.

http://www.superantispyware.com/

Be sure you update both malwarebytes and superantispyware before running the scan. Sometimes the rogue virus will block this from happening; if this doesn't happen, you'll need to go to safe mode with networking and try to get the updates.

when you get a chance please post the logs.

Saty

How do I run it in “safe mode”?

I misunderstood you,

windows security alert,

I'm thinking malwarebytes and/or superantispyware should get rid of this; if not, post the logs and someone will offer more assistance if needed

Saty

Safe mode,

power off, and power back on while tapping the F8 key,

Saty

thank you

NAME is TROJAN Fraudpack

you're welcome,

If none of that works, here's something for you to review.

I think this is the rogue you have. The steps shown are very similar with getting rid of rogues.

http://www.bleepingcomputer.com/virus-removal/remove-security-central

let us know how things go and if you have any questions

good luck

Saty

here's the log
Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

4/30/2010 5:05:02 PM
mbam-log-2010-04-30 (17-05-02).txt

Scan type: Quick scan
Objects scanned: 128656
Time elapsed: 10 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twsuhcxp (Rogue.AntivirusSuite) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Suhail Ferrer\Local Settings\Application Data\owevtwhjm\towqtkwtssd.exe (Rogue.AntivirusSuite) → Quarantined and deleted successfully.
C:\Documents and Settings\Suhail Ferrer\Desktop\o.dat (Rogue.AntivirusSuite) → Quarantined and deleted successfully.
C:\Documents and Settings\Suhail Ferrer\Local Settings\Temp\BAHD.exe (Rogue.AntivirusSuite) → Quarantined and deleted successfully.
C:\Documents and Settings\Suhail Ferrer\Local Settings\Application Data\asam.exe (Trojan.Agent) → Quarantined and deleted successfully.
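
Both registry values in this log sit under the Run key, which Windows processes at every logon, so they are the kind of entry that relaunches a rogue after a reboot. As an added example (not part of the original thread), the Python below pulls those autostart values out of a Malwarebytes log and pairs each with a detected file of the same name; the sample lines follow the log above with the user name replaced by a placeholder, and the function names are illustrative.

```python
import re

# Sample built from the log above; the profile name in the file path is a placeholder.
LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twsuhcxp (Rogue.AntivirusSuite) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\Local Settings\Application Data\asam.exe (Trojan.Agent) → Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^(.+) Infected:\s*$")  # header lines, not the "...: 0" counters
ITEM = re.compile(r"^(?P<path>.+) \((?P<name>[\w.]+)\) (?:→|->) (?P<action>.+)$")
RUN_KEY = r"\currentversion\run" + "\\"       # lower-cased Run key path fragment

def parse_detections(text):
    """Return [(section, path, detection_name, action), ...] from a log."""
    section, found = None, []
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            section = m.group(1)
        elif section and (m := ITEM.match(line)):
            found.append((section, m["path"], m["name"], m["action"]))
    return found

def autostart_values(detections):
    """Registry values under a Run key, i.e. programs started at each logon."""
    return [(path.rsplit("\\", 1)[1], name)
            for section, path, name, _ in detections
            if section == "Registry Values" and RUN_KEY in path.lower()]

def matching_files(detections):
    """Map each Run value name to a detected file with the same base name."""
    files = {p.rsplit("\\", 1)[1].rsplit(".", 1)[0].lower(): p
             for s, p, _, _ in detections if s == "Files"}
    return {value: files.get(value.lower())
            for value, _ in autostart_values(detections)}
```

A Run value with no matching file in the same log (here `twsuhcxp`) is worth a second look in a follow-up scan, since the value name need not match the executable it launches.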

nicole,

looks good, I'd suggest downloading, updating and running that superantispyware that I mentioned earlier just to get a second opinion.

how's your computer acting? better? no problems?

just a side note, I see you're still running IE7, you may wish to upgrade to IE8. IE 8 is more secure than IE7.

Saty

Yeah it's working better, I can't get on the internet though unless I'm in safe mode??? Any tips?

hmm, in normal mode you can't get the browser to open? But you can in safe mode networking?

your proxy setting might have been changed in normal mode. I don't know if you were using them before… you can go to tools, internet options, lan settings and see if they are different than what you had.

I suggest you download, update and scan with superantispyware to double check things.

Sat

see if steps 4 to 7 here will help you get back online

Remove Antivirus Suite (Uninstall Guide)
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-suite

Probably needs a final manual clean

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Under the Custom Scan box paste this in


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

got it thanks!!

got what?.. you have internet back?