Last night whilst I thought I was just doing some innocent browsing I received 2 malware alerts simultaneously.
Unfortunately I didn’t get the full details of the URLs but they included hxxp://searchant.org and hxxp://searchate.org. and were located in My Documents.
I tried to get rid of these but to no avail.
The first thing I noticed was that my Task Manager had been disabled. After this all my programs disappeared.
I fixed the Task Manager and then tried to run a boot scan which eventually ran and loaded Windows but I kept receiving the malware alerts.
Also, a Windows Recovery popup kept appearing asking me to fix some critical errors. Needless to say they wanted me to purchase an advanced version to fix the errors. Thankfully I didn’t do this as I now realise it was probably fake AV.
At this point I was unable to load anything and received Error 500 messages when trying to connect to the internet.
Not knowing what else to do, and as pretty much everything of value is backed up elsewhere, I did a factory setting restore.
I then reloaded the free avast software, performed a scan and pc analysis, and it now says I am fully protected.
This episode was obviously very worrying and now I’m worried that what I have done may not have cured the issue as I read on one of the threads that if doing a factory restore it should only be done after the malware has been cleansed.
I would be grateful for any help and advice anyone may have.
Hello.
Which rogue(fake av) infected you?Could you give me the name?
Please download and install Malwarebytes from here → www.malwarebytes.org
Donwload
Install
Update
Do not forget to update please.
Scan your computer for viruses
Post the log
Windows XP recovery is a fake defraggler.How did you manage to remove it?Is it still there?If so enter this serial → 8475082234984902023718742058948 to active the fake program and it will let you run malwarebytes.If you don’t enter the serial the program may block malwarebytes as well as other programs and you won’t be able to remove it.
Regards
You have malware and before you sign off your machine and stay off of it, please read the following:
I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.
Please do not make any further changes to your machine after you have provided the logs.
IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy instructs you do to malware removal instructions; use a different machine to check email, sync your phone, etc. if possible.
Good. Have the alternate machine available for reading the forum instructions and have the infected one nearby if possible so you can follow his instructions. But disconnect if on a network. He usually comes on the forum around 6 - 7 PM your time.
This from an old Yahoo answer on a google search, does it ring any bells (excuse the terrible pun), e.g. are or were you on dial-up and did you have this software ?
Netwaiting is software installed with some dial-up modems, it "provides a mechanism to suspend a dialup internet connection on the modem line while the user uses the line for a voice communication." Basically it's so you can be online then, if someone actually tries to phone you, the modem will automatically disconnect so the phone rings and you can talk to whomever's calling you. This is only for dial-up though, if you're on broadband then Netwaiting is completely unnecessary.
Check and see if there is an add remove programs entry for it ?
In the first instance I would use msconfig (from the windows run command), startup tab and uncheck it to stop it running on boot.
Second, find the file and right click and select properties and see what information pertaining to company, etc. that is in it and report.
Whilst it is possibly this isn’t an issue or avast’s file system would have alerted instead of handing it off to the autosandbox. But it certainly needs checking out and we can do some things whilst waiting for essexboy to check out the OTS log.
Edit: I notice that netwaiting.exe is listed in the OTS log Processes Safe list.
Sorry David, in my eagerness to remove it, once I had stopped it running I got rid of it via the add/remove programs screen and forgot to find the file.
Not a great deal showing there - what are your current problems ?
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_USERS\S-1-5-21-2014454177-495743003-224157759-1005\] > -> HKEY_USERS\S-1-5-21-2014454177-495743003-224157759-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "ModemOnHold" -> C:\Program Files\NetWaiting\netwaiting.exe [C:\Program Files\NetWaiting\netWaiting.exe]
< Run [HKEY_USERS\S-1-5-21-2014454177-495743003-224157759-1006\] > -> HKEY_USERS\S-1-5-21-2014454177-495743003-224157759-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "ModemOnHold" -> C:\Program Files\NetWaiting\netwaiting.exe [C:\Program Files\NetWaiting\netWaiting.exe]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\AVG\AVG10\avgmfapx.exe" -> [C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer]
[Files/Folders - Created Within 30 Days]
NY -> AVG -> C:\Documents and Settings\Alan\Application Data\AVG
NY -> AVG PC Tuneup 2011 -> C:\Documents and Settings\All Users\Start Menu\Programs\AVG PC Tuneup 2011
NY -> AVG10 -> C:\Documents and Settings\Alan\Application Data\AVG10
NY -> AVG10 -> C:\Documents and Settings\All Users\Application Data\AVG10
NY -> AVG -> C:\Program Files\AVG
[File - Lop Check]
NY -> AVG -> C:\Documents and Settings\Alan\Application Data\AVG
NY -> AVG10 -> C:\Documents and Settings\Alan\Application Data\AVG10
NY -> AVG10 -> C:\Documents and Settings\All Users\Application Data\AVG10
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here
I will review the information when it comes back in.