TechSpot

Rogueware/Fake Antivirus

By keemco5
Feb 2, 2010
  1. I have been hit with one of the fake antivirus programs that prompt you to buy their crappy program. I tried to do the eight steps this morning but am unable to run any program. All I get are popup windows that tell me whatever program I am trying to use is infected. My question is, how do I complete the 8 steps if I can't run anything?
     
  2. raybay

    raybay TS Evangelist Posts: 10,716   +6

    You clean them from your system using the same methods as removing the real stuff... Avira or Avast, MalwareBytes, SuperAntiSpyware, SpySweeper, Spyware Doctor, Windows Defender, Microsoft Security Essentials... Kaspersky, Nod32, etc.
    But NOT Adaware or Spybot. Not Symantec or Norton. Not McAfee. Not Computer Associates.
     
  3. keemco5

    keemco5 TS Rookie Topic Starter Posts: 19

    Thank you for the prompt reply, but I think you missed my point. I am not able to run ANY program. I tried using safe mode but AVG doesn't run normally in safe mode.
     
  4. keemco5

    keemco5 TS Rookie Topic Starter Posts: 19

  5. keemco5

    keemco5 TS Rookie Topic Starter Posts: 19

    Bobbye, can you review my logs or let me know if there is something else I should do?
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Just did it.

    Main problem:
    PowerReg Scheduler: A registration scheduler. Periodically attempts to connect to the Internet. Gathers unknown information.

    It can be called Foistware and/or Adware because it isn't a virus or malware, but it is installed with other unrelated programs without your knowledge or permission. If you've found Stop Sign or topMoxie or other applications you don't remember installing, look in Start > Programs > StartUp. If Powerup Scheduler is there, that's likely the source of your aggravation.

    To remove:
    Please reopen HijackThis to 'do system scan only'. Check the following entry if present: (Optional removal is in green)
    O4 - Startup: PowerReg Scheduler.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe
    >> See Optional 1

    Optional 1: Foistware
    Wild Tangent: Although it's not technically considered spyware, it does have built-in components to update itself and gather information about the computer system.

    Close all Windows except HijackThis and click on "Fix Checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Go to the Control Panel> Add/Remove Programs and uninstall any of the following:
    eAcceleration
    Stop-Sign
    Power Scheduler
    Wild Tangent
    >> also follow the onscreen prompts to remove the WT Driver.

    Click on Start> Run> type in services.msc> double click on GameConsoleService> change Startup type to Disabled> Stop the Service.

    Use Windows Explorer: Windows key+E> My Computer> Double click on Local Drive (C)> Programs> find each of the following and right click> Delete the folder:
    eAcceleration
    Stop-Sign
    Power Schedule
    GameConsoleService and/or Wild Tangent


    Reboot the computer into Normal Mode.
    Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
    Follow with rescan in HJT. Attach both logs to next reply.
     
  7. keemco5

    keemco5 TS Rookie Topic Starter Posts: 19

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry, I'm running behind.

    Please do the following online scan and attach the log to next reply. Also give me current problems on system:

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
     
  9. keemco5

    keemco5 TS Rookie Topic Starter Posts: 19

  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'd like you to check for this before we go any further:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe


    The combination of the entries in the Eset scan indicates a possible Virut infection.

    Since this has gone on so long, please also rescan with HijackThis and attach new log.

    You will need to uninstall this pirated program if you want continued support:
    N:\Office2003\Extras\MathType 5.1\mtype_v5_1_keygen.exe
     
  11. keemco5

    keemco5 TS Rookie Topic Starter Posts: 19

    VirSCAN.org Scanned Report :
    Scanned time : 2010/02/20 21:45:29 (EST)
    Scanner results: Scanners did not find malware!
    File Name : userinit.exe
    File Size : 26112 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : a93aee1928a9d7ce3e16d24ec7380f89
    SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
    Online report : http://virscan.org/report/3856cb8e4f21c2e4705c5368a473fb86.html

    VirSCAN.org Scanned Report :
    Scanned time : 2010/02/20 21:49:19 (EST)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 14336 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
    SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
    Online report : http://virscan.org/report/348c687419a23efa6b5ad51cc01e4829.html

    VirSCAN.org Scanned Report :
    Scanned time : 2010/02/20 21:54:53 (EST)
    Scanner results: Scanners did not find malware!
    File Name : explorer.exe
    File Size : 1033728 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 12896823fb95bfb3dc9b46bcaedc9923
    SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
    Online report : http://virscan.org/report/6e075ab2cdd95511ab1a5cbe0e0d32fa.html


    View attachment hijackthis022010.log

    I also uninstalled the entire folder which contained the keygen in it. I didn't even know that was there.
    Thanks for your help.
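Bobbye's reason for these scans is that a file infector such as Virut patches core executables in place, so a changed size or hash on userinit.exe, svchost.exe or explorer.exe is the tell. The following is an added example (not code from the thread or from VirSCAN.org) that parses report headers in the format keemco5 pasted and compares a local file's size, MD5 and SHA1 against them; the sample report text is constructed from the userinit.exe values on the page, and `self_check` builds a throwaway file to show that a right-sized but different file still fails.

```python
# Added example: check local files against the size/MD5/SHA1 in VirSCAN.org report headers.
import hashlib, os, re, tempfile
from collections import namedtuple

SAMPLE_REPORT = """\
VirSCAN.org Scanned Report :
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 26112 byte
MD5 : a93aee1928a9d7ce3e16d24ec7380f89
SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
"""

Report = namedtuple("Report", "name size md5 sha1 clean")
FIELD = re.compile(r"^(File Name|File Size|MD5|SHA1|Scanner results)\s*:\s*(.+?)\s*$", re.M)

def parse_reports(text):
    """One Report per 'VirSCAN.org Scanned Report' block in the pasted text."""
    out = []
    for block in re.split(r"VirSCAN\.org Scanned Report\s*:", text)[1:]:
        f = dict(FIELD.findall(block))
        out.append(Report(f["File Name"], int(f["File Size"].split()[0]),
                          f["MD5"].lower(), f["SHA1"].lower(), "did not find" in f["Scanner results"]))
    return out

def hash_file(path):
    """Size, MD5 and SHA1 of a file, read in chunks so large binaries are fine."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return os.path.getsize(path), md5.hexdigest(), sha1.hexdigest()

def check_file(path, baseline):
    """'match' if size, MD5 and SHA1 all equal the report for this file name; 'modified' otherwise; 'unknown' if no report covers the name."""
    rep = next((r for r in baseline if r.name.lower() == os.path.basename(path).lower()), None)
    if rep is None:
        return "unknown"
    return "match" if hash_file(path) == (rep.size, rep.md5, rep.sha1) else "modified"

def self_check():
    """Constructed demo: a zero-filled file of the right name and size is still 'modified'."""
    baseline = parse_reports(SAMPLE_REPORT)
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "userinit.exe")
        with open(p, "wb") as fh: fh.write(b"\0" * baseline[0].size)
        size, md5, sha1 = hash_file(p)
        return check_file(p, baseline), check_file(p, [Report("userinit.exe", size, md5, sha1, True)])
```

Pointing `check_file` at the real `C:\WINDOWS\system32\userinit.exe` with the parsed reports as baseline reproduces the comparison the thread does by hand.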
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files
      C:\Program Files\HJT\ComboFix.exe
      C:\Program Files\MSConfig CleanUp\MSConfigCleanUp.exe
      N:\Office2003\Extras\MathType 5.1\mtype_v5_1_keygen.exe
      L:\Program Files\BearShare Test\BearShare.exe
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    Please, let me know what the system status is at this point. Have the original malware problems been resolved? Are there any other related problems?
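A dry-run reader for the section/command script format in the post above, added here as an example (it is neither OTMoveIt's own code nor from the thread): it parses the `:Section` headers and `[command]` entries, rejects sections or commands it does not know, and lists what the script asks the tool to do before anything is clicked. The sample script is constructed from the one Bobbye posted, and the command descriptions in `COMMANDS` are assumptions inferred from the command names and the surrounding instructions.

```python
# Added example: parse an OTMoveIt-style script into a plan and describe it.
import ntpath
import re

SAMPLE_SCRIPT = """\
:Processes
:Services
:Reg
:Files
C:\\Program Files\\HJT\\ComboFix.exe
C:\\Program Files\\MSConfig CleanUp\\MSConfigCleanUp.exe
N:\\Office2003\\Extras\\MathType 5.1\\mtype_v5_1_keygen.exe
L:\\Program Files\\BearShare Test\\BearShare.exe
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
"""

SECTIONS = ("Processes", "Services", "Reg", "Files", "Commands")
# Assumed meanings, inferred from the names; the post itself does not define them.
COMMANDS = {"purity": "OTMoveIt housekeeping command (not described in the post)",
            "emptytemp": "empty temporary folders",
            "start explorer": "restart the Explorer shell",
            "reboot": "reboot the machine"}
ABS_WIN_PATH = re.compile(r"^[A-Za-z]:\\")

def parse_script(text):
    """Return {section: [entries]}; raise ValueError on unknown sections or commands."""
    plan, current = {s: [] for s in SECTIONS}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:]
            if current not in plan:
                raise ValueError(f"unknown section {line}")
        elif current == "Commands":
            cmd = line.strip("[]").lower()
            if cmd not in COMMANDS:
                raise ValueError(f"unknown command {line}")
            plan[current].append(cmd)
        else:
            plan[current].append(line)
    return plan

def describe(plan):
    """Human-readable dry run: files are listed as moved (the post says a log of moved files is kept), not deleted."""
    steps = []
    for path in plan["Files"]:
        tag = "" if ABS_WIN_PATH.match(path) else " (not an absolute drive path!)"
        steps.append(f"move {ntpath.basename(path)} from {ntpath.dirname(path)}{tag}")
    return steps + [f"then: {COMMANDS[c]}" for c in plan["Commands"]]
```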
     
  13. keemco5

    keemco5 TS Rookie Topic Starter Posts: 19

    I'll post the moveit results shortly. I just wanted to answer the question about the status of my pc. It seems to be running fine with no more symptoms of the fake antivirus program. I think the fake may have inadvertently been uploaded from Facebook. AVG caught something the other night when my daughter was on Facebook. Thankfully she came and got me to see what was happening.

    Moveit results coming right up.

    View attachment 02232010_220251.log

    Could you explain exactly what the moveit program does? I think I know but I'd like to be sure.
     
  14. keemco5

    keemco5 TS Rookie Topic Starter Posts: 19

    I think the delay on the windows closing is gone after the moveit step was run. Thanks.
     