Bogus antispyware

Status
Not open for further replies.
I still see some remnants of zlob.downloader. We already removed some of this, but just to be sure:

Avenger by Swandog

  • Download Avenger by Swandog and unzip it to your Desktop.

    Note: This program must be run from an account with Administrator privileges.

  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and Paste it into the Input script here: box.
Code:
Files to delete:
C:\WINDOWS\fmsxwqs.exe
C:\WINDOWS\altvxvm.dll
C:\WINDOWS\bokpkov.dll
C:\WINDOWS\drnpfdxxsn.dll
C:\WINDOWS\etlrlws.dll
C:\WINDOWS\Installer\WinRom.dll
C:\WINDOWS\Installer\zip.dll
C:\WINDOWS\System32\msram.dll
C:\Program Files\antiviirus.exe
C:\Program Files\tmp0.exe

Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antiviirus

  • Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.
  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one reboot); when finished it will produce a log file.
  • Attach the log back here please. (it can also be found at C:\avenger.txt)
------------------------------------------------------------------------------------------------------

Download to your Desktop this self-extracting ZIP archive FixPolicies.exe

• Double-click FixPolicies.exe
• Click the Install button on the bottom toolbar of the box that will open.
• The program will create a new Folder called FixPolicies
• Double-click to Open the new Folder, and then double-click the file named Fix_Policies.cmd
• A black box will briefly appear and then close. This will enable your Control Panel, Task Manager and stop any Administrative warnings.

The instructions given in this thread are for the use of pbjam only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi, I copy/pasted the text in the box but got an error when I hit Execute. It says "invalid script, a valid script must begin with a command directive, aborting execution." I apologize for my non-technical abilities.
 
Let's try this: make sure the word 'Registry' is on the first line with no spaces in front of it.

Code:
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antiviirus

Files to delete:
C:\WINDOWS\fmsxwqs.exe
C:\WINDOWS\altvxvm.dll
C:\WINDOWS\bokpkov.dll
C:\WINDOWS\drnpfdxxsn.dll
C:\WINDOWS\etlrlws.dll
C:\WINDOWS\Installer\WinRom.dll
C:\WINDOWS\Installer\zip.dll
C:\WINDOWS\System32\msram.dll
C:\Program Files\antiviirus.exe
C:\Program Files\tmp0.exe

 
Hi, sorry, no go, same error. I made sure there was no space. When I paste it, it puts everything on one line, as opposed to listed like in your post.
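The two problems in this exchange (Avenger refuses a script whose first line is not a command directive, and the paste collapsed the whole script onto one line) can be checked before pressing Execute. The Python checker below is an added example, not Avenger's own code; the directive names come from the scripts posted in this thread, and the assumption that every entry starts with a directive, a drive-letter path or an HKEY_ hive is mine.

```python
import re

# Directives used in this thread. Avenger accepts others; this checker only knows
# these two (an assumption: the directive list is limited to what the thread shows).
DIRECTIVES = ("Files to delete:", "Registry keys to delete:")

# A script pasted as one line runs its entries together. Every entry begins with
# a directive, a drive-letter path or a registry hive, so split just before those.
_ENTRY_START = re.compile(
    r"(?=" + "|".join(re.escape(d) for d in DIRECTIVES) + r"|[A-Za-z]:\\|HKEY_)"
)


def resplit(text):
    """Rebuild the line structure of a script that was flattened onto one line."""
    if "\n" in text.strip():
        return text  # already has line breaks; leave it alone
    parts = [p.strip() for p in _ENTRY_START.split(text) if p.strip()]
    return "\n".join(parts)


def validate(script):
    """Return a list of problems; [] means the script should not trip Avenger's
    'a valid script must begin with a command directive' check."""
    problems = []
    non_blank = [ln for ln in script.splitlines() if ln.strip()]
    if not non_blank:
        return ["script is empty"]
    first = non_blank[0]
    if first != first.lstrip():
        problems.append("first line has spaces in front of it")
    if first.strip() not in DIRECTIVES:
        problems.append("first line is not a command directive: %r" % first.strip())
    current = None
    for ln in non_blank:
        entry = ln.strip()
        if entry in DIRECTIVES:
            current = entry
            continue
        if current is None:
            problems.append("entry appears before any directive: %r" % entry)
        elif current == "Files to delete:" and not re.match(r"[A-Za-z]:\\", entry):
            problems.append("not a full path: %r" % entry)
        elif current == "Registry keys to delete:" and not entry.startswith("HKEY_"):
            problems.append("not a registry key: %r" % entry)
    return problems
```

Running `validate(resplit(pasted_text))` on the flattened paste from this thread restores the five lines and reports no problems, while the flattened text on its own is reported as not starting with a directive.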
 
No problem,

CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\fmsxwqs.exe
C:\WINDOWS\altvxvm.dll
C:\WINDOWS\bokpkov.dll
C:\WINDOWS\drnpfdxxsn.dll
C:\WINDOWS\etlrlws.dll
C:\WINDOWS\Installer\WinRom.dll
C:\WINDOWS\Installer\zip.dll
C:\WINDOWS\System32\msram.dll
C:\Program Files\antiviirus.exe
C:\Program Files\tmp0.exe

Registry::
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antiviirus

*Remove the space in the last word "antiviirus"

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
 
Any more problems? The bad entry is finally removed.

Run housecall and kaspersky again and see if they find anything. If not:

Go to start -> Run -> type in combofix /u
*note the space between
*This uninstalls combofix
*removes vundofix backups
*removes quarantine files
*creates a fresh clean restore point

Remove Hijackthis from Start-> control panel -> add/remove programs
Remove the 3 tools from step 10 (smitfraud, vundofix, virtumondobegone) by dragging them to the recycle bin

I recommend you keep
1 anti virus program (AVG not anti spyware)
1 firewall
Spybot S&D, Adaware 2007, AVG Anti Spyware if you want, but the version we downloaded is a 30-day trial

keep them updated.

You can also turn on tea timer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer, you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

:Set correct settings for files:
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

:clear system restore points:

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
 
OK, it's all good. Running smooth, no popups, no mysterious files, all the clean-up stuff is gone. One last thing: the Norton subscription has run out; should I uninstall and use the internet stuff? Thanks again.

OK, I think I'm good. Thanks for the help.