Antivirus 2009

Sounds like I have the same problem as many of the other posters.

This is a client's computer that I am working on; she also installed Antivirus 2009. Good thing she didn't pay for it as it suggested to her.

Other people have attempted to remove it and failed; that's why she called me. On arriving at her house, Googling one thing and clicking on the Google result, I noticed it was not opening the page that I clicked; it was opening another window that had ads on it. So I figured maybe IE got infected.

So I typed in firefox.com and downloaded that, but same thing: when I went to one of the results pages it gave me a "page could not be found" error, and it would do it on almost every site I went to.

So I pinged Google and got the right IP back; then I pinged bleepingcomputer.com and noticed the IP was 127.0.0.1.

I brought the computer back to my house for diagnostics, and so I could look up how to remove it.

I was wondering if anyone could assist me with other errors and removing anything else.
I ran Malwarebytes and clicked Remove Selected.
Attached HijackThis log
Attached Malwarebytes log


Thanks for all the great help
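The poster's diagnostic (pinging a security site and getting 127.0.0.1 back) can be checked systematically rather than one domain at a time. The following is an added example, not code from any poster in this thread: it parses a Windows-style hosts file and flags entries that send security-vendor domains to loopback or 0.0.0.0, and offers a live resolver check that mirrors the ping test. The hosts content, the domain list and the attribution of the symptom to a modified hosts file are all assumptions made for the example; the thread itself only reports the symptom.

```python
"""Flag hosts-file entries that point security-vendor sites at loopback.

Added example, not code from this thread. Assumption: the symptom reported
(a security site resolving to 127.0.0.1) comes from a modified hosts file.
SAMPLE_HOSTS below is constructed sample data.
"""
import ipaddress
import socket
from typing import Dict, List, Tuple

# Domains chosen for the example; extend for your own vendors.
WATCHED_DOMAINS = (
    "bleepingcomputer.com",
    "malwarebytes.org",
    "techspot.com",
    "sourceforge.net",
    "symantec.com",
    "mcafee.com",
)

# Constructed sample hosts file: two hijacked lines, one legitimate LAN entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   www.bleepingcomputer.com bleepingcomputer.com
127.0.0.1 malwarebytes.org # fake-AV style block
::1   localhost
192.168.1.10    fileserver.local
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lowercased) to the address on its hosts-file line."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # skip malformed lines rather than crash
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def is_watched(hostname: str) -> bool:
    """True if hostname is, or is a subdomain of, a watched domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacked(mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (hostname, address) for watched domains sent to loopback or 0.0.0.0."""
    hits = []
    for name, addr in mapping.items():
        ip = ipaddress.ip_address(addr)
        if is_watched(name) and (ip.is_loopback or ip.is_unspecified):
            hits.append((name, addr))
    return sorted(hits)


def live_check(domains=WATCHED_DOMAINS) -> Dict[str, str]:
    """Resolve each domain with the system resolver (the poster's ping test).

    Needs network access; a hijacked machine shows 127.0.0.1 here.
    """
    out = {}
    for d in domains:
        try:
            out[d] = socket.gethostbyname(d)
        except socket.gaierror:
            out[d] = "unresolved"
    return out


if __name__ == "__main__":
    # On a real Windows machine read C:\Windows\System32\drivers\etc\hosts instead.
    for name, addr in find_hijacked(parse_hosts(SAMPLE_HOSTS)):
        print(f"HIJACKED: {name} -> {addr}")
```

Entries for `localhost` are ignored because only the watched domains matter; a legitimate hosts file never needs to point a security vendor at loopback, so any hit is worth investigating before running removal tools that have to download updates.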
 
-> No action taken on MBAM scan for found issues
Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected. <========= Not Done

Please re-run Malwarebytes
Confirm updated (third tab)
Then do the above quoted message, but this time "Remove all found issues"

By the way, you will need to then restart, and run (and attach) a new HJT log

Always best to check the logs in these issues ;)

Edit:

Have a look at:

UPDATED 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

Also, can I ask why you are in Safe Mode on HJT? Does the computer boot to normal mode at all?

Info on Combofix
Lots of info on its use here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Direct download here: https://www.techspot.com/downloads/5587-combofix.html

Save it to a location that you can easily find later (in Safe Mode), i.e. directly to the C drive

Restart your computer to Safe Mode (by repeatedly pressing F8 on your keyboard before Windows starts)
Log into your Administrator account
Locate the previously downloaded Combofix
Double click on it to run, answering any prompts along the way
Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)

Once Combofix has finished, save the log file to be attached to a new reply
Restart back to Normal mode, and attach the Combofix log
 
Sorry, those are the logs from before.

Here are the logs after running all the removal software. Looks as clean as you can get it.
 
Malwarebytes' Anti-Malware updated
But you performed a quick (4-minute) scan

Please restart it, update it (just in case of new updates)
And do a full scan
 
This is a variation of the Smitfraud virus. It is a fake antivirus application that requires you to purchase the software to remove it. Download the latest Smitfraud repair tool. You can also try sourceforge.net and download ClamWin antivirus; running this will remove the parts of the infection that keep your computer from connecting to antivirus sites. I've tried this and found it worked because... the Smitfraud does not know ClamWin IS an antivirus program. As near as I can figure. It is also probably a variation of the Vundo (Vundu?) virus, which is sometimes bundled along with Smitfraud.
This virus disables existing antivirus software and anti-spy/malware software and it is one SOB to get rid of. Knowing that it is a Smitfraud variation is half the battle.
 
Run Smitfraudfix
  • Download Smitfraudfix by S!ri from HERE
  • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry? Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file? Answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
 