Inactive Vista Anti-Spyware 2011 can't install malware bytes

[KingFresca]

I don't know how I ended up with this virus on my laptop, but I cannot do anything with my computer now because of it. I'm currently in safemode trying to install malware bytes but the installer won't come up, I'm quite certain the virus is blocking it. Any help would be amazing. Please help!

 

[Bobbye]

Welcome to TechSpot! I can help with the malware, but will need more information:

1. How did you know you had this malware on the system?
2. Do you have a flash drive? You can download the programs to the flash drive, then install and run on the problem computer.
3. Explain this please: "I cannot do anything with my computer now."
4. The installer doesn't work in Safe Mode.
5. What happens when you try to boot in to Normal Mode?

I can help you run the scans but I need for you to give me something to work with.
========================================
This is what we start with: Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

 

[KingFresca]

Hey thanks so much for the help.

1. I just saw Vista Anti-Spyware and had never seen it before, so I hopped on my desktop computer and looked it up.
2. I have an external harddrive.
3. It won't let me access the internet, or open up antivirus programs
4. Whoops...
5. It starts up as normal, but when I try to access the internet or anything like that it doesn't allow me to do so. I am also unable to start antivirus programs.

I am currently downloading programs from the 8 step process onto my external harddrive.

 

[KingFresca]

I am at step 3 of the 8 step process and the installer for malware bytes will not open on my laptop.

 

[Bobbye]

Okay, back at you:
1. Where or how did you 'see' Vista Antispyware 2011? Was there some kind if alert? Message? You can't run the antivirus, so you didn't find it there. Did you get a popup saying you have this?
5.

when I try to access the internet or anything like that it doesn't allow me to do so.

You probably think this tells me a lot> it doesn't:
We have to be very specific in this forum> knowing what happens when you try to do something within the system can give us an idea of how to proceed:

1. So how does "it" not "allow" internet access?
2. What happens when you try? When you launch the browser, what happens?
3. Does it say a. 'server not available' or b. 'connection broken by server' or c. does the hour glass just sit there?
4. What do you mean by "anything like that."?[/b]

You get the idea? Try to at least get the Malwarebytes scan done so I can see what we're working with.

 

[KingFresca]

1. Whenever I try to doubleclick google chrome, a pop-up comes up stating "Vista Anti-Spyware has blocked a program from accessing the internet. When I attempt to access my homepage (www.aol.com) it says Google Chrome Alert. Visiting this site may pose a threat to your system! What I mean by anything like that, would be anything that needs an internet connection seems to be locked out due to this virus.

I've attempted to run malware bytes but each time I try to run the program, it never opens up.

 

[Bobbye]

Thank you- that's what I needed to know.
About the rogue Vista AntiSpyware:
When installed, this rogue pretends to be an update for Windows installed via Automatic Updates. It will then install itself as a single executable called AV.exe that uses very aggressive techniques to make it so that you cannot remove it. Once started, the rogue itself, like all other rogues, will scan your computer and state that there are numerous infections on it.

This rogue is designed to scam you out of your money by hijacking your computer and trying to trick you into thinking you are infected. Please use a flash drive to download the following> you will not be able to download them with the infected computer:
1. Download Malwarebytes. to the flash drive.
2. Download FixExe.reg to the flash drive.
3. Connect the flash drive to the infected computer.
4. Make sure the rogue program is running on the infected computer If it is not, you can launch it by running any program on your computer as that will trigger the rogue program to run. Once running, do not close it during the entire length of this guide.
5. Open the drive that corresponds to the flash drive
6. Once open, double-click on the FixExe.reg file. Click on the Yes to allow the data.
7. Double click the mbam-setup.exe and follow any prompts to run.
8. Make sure you leave both Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
9. Select Perform Full Scan on the Scanner tab> Press Scan,
10. When the scan is finished, you will see this image:

11.Click OK. You will be returned to the main scanner screen
12.Click on the Show Results button.
13.Click on Remove Selected button to remove all the listed malware.
14.If message stating reboot is needed, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
15.When MBAM has finished removing the malware, the scan log will display in Notepad. Please check on Format and uncheck Word Wrap in Notepad.
16. Copy the log and paste it in your next reply
(Directions and image courtesy BleepingComputer)
================================
Once I check this log and make sure the removals were done, you should be able to go on to the next scans. Please note: there may be other entries needing removal, so this cleaning should be completed.

 

[KingFresca]

Was able to get Malaware Bytes installed on my laptop. Burned the exe to a disk on my working non-infected computer. Here is my log.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6481

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

4/30/2011 9:39:32 PM
mbam-log-2011-04-30 (21-39-32).txt

Scan type: Quick scan
Objects scanned: 157949
Time elapsed: 2 minute(s), 38 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\Users\Kathy\AppData\Local\gif.exe (Trojan.FakeMS) -> 2264 -> Unloaded process successfully.
c:\Users\Kathy\AppData\Local\gif.exe (Trojan.FakeMS) -> 2224 -> Unloaded process successfully.
c:\Users\Kathy\AppData\Local\gif.exe (Trojan.FakeMS) -> 4668 -> Unloaded process successfully.
c:\Users\Kathy\AppData\Local\gif.exe (Trojan.FakeMS) -> 3080 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Kathy\AppData\Local\gif.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Kathy\AppData\Local\gif.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Kathy\AppData\Local\gif.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("C:\Users\Kathy\AppData\Local\gif.exe" -a "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Kathy\AppData\Local\gif.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Users\Kathy\local settings\gif.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Users\Kathy\local settings\application data\gif.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

 

[KingFresca]

had not even seen this reply when I had got malaware bytes to load onto my computer. don't know if that affects anything.

 

[KingFresca]

So my internet is working again with only using Malaware Bytes... should I still use FixExe.reg?

 

[Bobbye]

That's a start! Hold off on FixExe.reg for now. Instead, let's get on track with these scans- getting the internet back doesn't mean all the malware entries are gone!

Please run DDS. You will find the link in the thread reference I left for you in Reply #2> "This is what we start with.." That will produce 2 logs: DDS.txt and Attach.txt Please leave both in your next reply. (Note: You do not need to zip the attach.txt log)
============================================
Follow with Please note: If you have Combofix on the desktop already, please uninstall it. The download the current version and do the scan:
Uninstall directions

Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop

• Double click combofix.exe & follow the prompts.
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
• .Click on Yes, to continue scanning for malware
• .If Combofix asks you to update the program, allow
• .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• .Close any open browsers.
• .Double click combofix.exe
  
  & follow the prompts to run.
• When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Leave the 2 DDS logs and Combofix log in next reply.

Keep Malwarebytes. I will have you run a Full Scan later.