
Fake Virus Scanner hijacking thingy



#1
snurg


    Member

  • 10 posts
Hi guys.

Long time since I've been on this great site & am pleased to see you guys are still about. It's been about 6 years, I think, since I last used your much appreciated expertise.

Anyhow, I have some type of hijacked malware problem on one of my computers, which runs XP. It's a fake virus scanner thing that has hijacked the PC & it won't allow any program to operate at all until you opt into their constantly popped-up pretend scanner box, and then it asks you to click the box to purchase a copy of their [bleep] software product. If you click 'no thanks' it just sits there anyway & doesn't allow anything to run properly. Even the good old 'control-alt-delete' function is affected. AVG is currently the loaded virus protector on the PC.

I've already scanned twice using all of these - AVG, Trend online, Spybot Search&Destroy - & also run CCleaner, with no success. I can't even identify the name of the thing, whatever it is, so I can't even follow directions via your comprehensive removal guides.

Your help is requested.

EDIT: I managed to photograph the screen of the affected PC. Note that I was unable to start my screen capture program.

3718.jpg
3719.jpg

Edited by snurg, 05 January 2011 - 02:24 AM.


#2
michaelg9


    Trusted Helper

  • Malware Removal
  • 2,949 posts
Hi ;)
My name is Michael and I am here to help you fix your computer. ;)
If you have already received help elsewhere please inform me so that this topic can be closed.
If you haven't, please keep reading:
Note: Before we start the process you should:
  • POST your logs, don't attach them, as it makes it harder to read.
  • Save or print these instructions as a part of the fix will be in safe mode where you will not be able to access the internet.
  • Disable ANY programs that offer real-time protection features while executing my instructions. That includes your antivirus, antispyware, Windows Defender or any other program that offers protection. When you're clean or waiting for my next set of instructions, re-enable them. If you need any help disabling them, ask.
  • Each time I instruct you to download a file to use it, please do it even if I have told you before to download it again. This is because these tools are frequently updated to detect newer infections.
  • Last, as most of the tools we use here need administrative rights in order to function properly, I expect that you will be running them from an administrator account.


Sorry for the late reply.


Hi, let's try this first; if it fails, go to Plan B.

Notes:
  • If using Firefox right-click on any download links and choose Save As
  • If you don't have internet access from the infected computer, then download these tools from a clean computer to your USB Stick, and from there transfer them to your infected computer's desktop.

Please download OTH to your desktop
Please download OTL to your desktop
Please download Scan.txt to your desktop

Double click the OTH file to run it and click Kill All Processes, your desktop will go blank.


Then select Start OTL. OTL will now run
  • Double-click on the Custom Scans box and a message box will popup asking if you want to load a custom scan from a file
    Select Scan.txt that you downloaded
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Click the Internet Explorer button, post these logs in your Virus Removal topic.



Plan B

Download Rkill from here: there are several flavours to choose from; if one does not work, then try the next

*rkill.com
*rkill.scr
*rkill.pif


Once it is downloaded, double-click on rkill in order to automatically attempt to stop any processes associated with Security Central and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Security Central when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Security Central. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of my instructions.

Do not reboot your computer after running rkill as the malware programs will start again.

Then run OTL as above

#3
snurg


    Member

  • Topic Starter
  • 10 posts
hi michaelg9

thanks for responding but....

given most of you guys took so long to respond to my post for help (michael excepted) i took the initiative to fix it myself. All i did was go through all the old current fix solutions on the forums thus listed here, until one of them cracked it...basically good old trial & error.

the affected PC seems to be all clear for the moment. I even taught myself how to evaluate the OTL report (not a pro geek but i do know how to code stuff) and gosh be darned if it isn't an easy process once you know how to read it. Even ran a version of NOD32 just to check it for goodness. seems the virus is all gone.

i think most of these hijackers are generic programs & replicated by the a-holes just to divert traffic on their website so i figured a process which worked before for someone else had to work. i guess genius does come through perseverance & a shitload of boring hours of reading & tasking at the keyboard.

live & learn brothers & sisters

but i will let you know if things aren't what they seem as golden.

thanks anyways

#4
michaelg9


    Trusted Helper

  • Malware Removal
  • 2,949 posts
Hey,

Ok then. First be careful when doing things on your own, as things aren't always that good.
If you want to make sure that you're clean, you can post a log here to confirm, or if you want I can leave this topic open for some days for you to see if everything is OK and then highlight you some stuff to stay clear.
Your choice :D