PC virus has managed to get through ESET... any advice

Andy...step by step manual removal instructions HERE

Files associated with this crappy thing you've got:

Associated Antivir, Antivir 2010, and Antivir Antivirus Files:
c:\Documents and Settings\All Users\Start Menu\AV
c:\Documents and Settings\All Users\Start Menu\AV\Antivir.lnk
c:\Documents and Settings\All Users\Start Menu\AV\Uninstall.lnk
%UserProfile%\Desktop\Antivir.lnk
c:\Program Files\AV
c:\Program Files\AV\antivir.exe
c:\Program Files\Common Files\Uninstall
c:\Program Files\Common Files\Uninstall\AV
c:\Program Files\Common Files\Uninstall\AV\Uninstall.lnk
c:\Program Files\AntivirAV
c:\Program Files\AntivirAV\Antivir.exe
c:\Program Files\AntivirAV\unins000.dat
c:\Program Files\AntivirAV\unins000.exe
c:\WINDOWS\system32\UpdateCheck.dll
%UserProfile%\Desktop\Antivir.lnk
%UserProfile%\Start Menu\Programs\ANTIVIR Antivirus
%UserProfile%\Start Menu\Programs\ANTIVIR Antivirus\Antivir.lnk
%UserProfile%\Start Menu\Programs\ANTIVIR Antivirus\Uninstall ANTIVIR Antivirus.lnk
Associated Antivir, Antivir 2010, and Antivir Antivirus Windows Registry Information:
HKEY_CURRENT_USER\Software\EVAACD
HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AV"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\post platform "WinNT-EVI 25.11.2009"
HKEY_CURRENT_USER\Software\FNULL246
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6A23338A-C725-48D0-BA96-B12FDD22DD39}_is1
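The list above is only useful if you can check it quickly and without case or path-spelling mistakes (Start Menu paths differ per user, and registry hives get abbreviated as HKCU/HKLM in most tools). The following is an added example, not code from this thread, from ESET, or from the removal site linked earlier: a small Python matcher that takes the file and registry indicators from the post, normalises an inventory of what was actually seen on a machine, and reports the hits. The observed paths and registry snapshot in it are constructed to exercise the matcher, not data from Andy's PC; the "Andy" profile path is likewise assumed. It also reports the Internet Explorer LAN proxy value that later posts warn must be cleared before SASW or Microsoft Security Essentials can update; that value lives under the standard Internet Settings key, but that this particular sample sets it there is an assumption.

```python
"""Offline IOC triage for the rogue "Antivir" package listed in the post above.

Added example, not code from the forum or from any vendor. The indicators are
copied from the post; everything in OBSERVED_* is constructed sample data.
"""
import os
import re

# Indicators copied from the post (a representative subset; extend as needed).
FILE_IOCS = [
    r"c:\Documents and Settings\All Users\Start Menu\AV\Antivir.lnk",
    r"%UserProfile%\Desktop\Antivir.lnk",
    r"c:\Program Files\AV\antivir.exe",
    r"c:\Program Files\AntivirAV\Antivir.exe",
    r"c:\Program Files\AntivirAV\unins000.exe",
    r"c:\WINDOWS\system32\UpdateCheck.dll",
    r"%UserProfile%\Start Menu\Programs\ANTIVIR Antivirus\Antivir.lnk",
]
# (key, value name) - value name None means the key's presence is the indicator.
REG_IOCS = [
    (r"HKEY_CURRENT_USER\Software\EVAACD", None),
    (r"HKEY_CURRENT_USER\Software\FNULL246", None),
    (r"HKEY_CLASSES_ROOT\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
     r"\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}", None),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "AV"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
     r"\{6A23338A-C725-48D0-BA96-B12FDD22DD39}_is1", None),
]
# Standard location of the IE LAN proxy (ProxyEnable / ProxyServer). That the
# sample writes its proxy here is an assumption based on the thread's advice.
PROXY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

HIVE_ALIASES = {"hkcu": "hkey_current_user", "hklm": "hkey_local_machine",
                "hkcr": "hkey_classes_root", "hku": "hkey_users"}


def norm_path(path, user_profile):
    """Expand %UserProfile%, unify separators and case-fold, so that
    'C:/PROGRAM FILES/av/ANTIVIR.EXE' compares equal to the IOC spelling."""
    path = re.sub(r"%userprofile%", lambda m: user_profile, path, flags=re.I)
    return path.replace("/", "\\").rstrip("\\").lower()


def norm_key(key):
    """Case-fold and expand hive abbreviations (HKCU -> HKEY_CURRENT_USER)."""
    key = key.replace("/", "\\").rstrip("\\").lower()
    hive, _, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive, hive) + ("\\" + rest if rest else "")


def match_files(observed_paths, user_profile):
    """Return the IOC strings whose normalised form appears in observed_paths."""
    seen = {norm_path(p, user_profile) for p in observed_paths}
    return [ioc for ioc in FILE_IOCS if norm_path(ioc, user_profile) in seen]


def match_registry(snapshot):
    """snapshot: {key: {value_name: data}}. Key-only IOCs match on presence;
    (key, value) IOCs additionally need that value name under the key."""
    keys = {norm_key(k): {v.lower(): d for v, d in vals.items()}
            for k, vals in snapshot.items()}
    hits = []
    for key, value in REG_IOCS:
        vals = keys.get(norm_key(key))
        if vals is not None and (value is None or value.lower() in vals):
            hits.append((key, value))
    return hits


def proxy_setting(snapshot):
    """Return the ProxyServer string if ProxyEnable is 1, else None. A proxy
    you did not configure is what stops SASW/MSE updating after cleanup."""
    for k, vals in snapshot.items():
        if norm_key(k) == norm_key(PROXY_KEY):
            vals = {v.lower(): d for v, d in vals.items()}
            if vals.get("proxyenable") == 1:
                return vals.get("proxyserver", "")
    return None


def files_present_on_disk(user_profile):
    """Check the IOC paths on the live machine (returns [] on non-Windows)."""
    return [ioc for ioc in FILE_IOCS if os.path.exists(
        re.sub(r"%userprofile%", lambda m: user_profile, ioc, flags=re.I))]


def triage(observed_paths, snapshot, user_profile):
    return {"files": match_files(observed_paths, user_profile),
            "registry": match_registry(snapshot),
            "proxy": proxy_setting(snapshot)}


# Constructed sample inventory (not from the infected PC): mixed case, a
# forward-slash path, an HKCU alias and a benign Run entry alongside the bad one.
USER_PROFILE = r"C:\Documents and Settings\Andy"
OBSERVED_PATHS = [
    r"C:\PROGRAM FILES\av\ANTIVIR.EXE",
    "C:/Documents and Settings/Andy/Desktop/Antivir.lnk",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]
OBSERVED_REGISTRY = {
    r"HKCU\Software\EVAACD": {},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon.exe": "ctfmon.exe", "AV": r"C:\Program Files\AV\antivir.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings": {
        "ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:5555"},
}

if __name__ == "__main__":
    for section, hits in triage(OBSERVED_PATHS, OBSERVED_REGISTRY, USER_PROFILE).items():
        print(section, "->", hits)
```

In practice the snapshot dict would be built from the offline hives of a machine booted from a CD (the approach Wessie recommends later in the thread) or from `reg query` output, rather than from the running, infected Windows; files_present_on_disk() is the one function meant for the live box and does nothing on a non-Windows host.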
 
Andy, download and save the full version of SASW, install it whilst in safe mode and then restart and run it in normal mode. SASW will run; the malware won't stop it. Then run the Microsoft Security one, and don't forget the proxy server bit, because neither SASW nor MSS will be able to update until you take the check out of the box. Do that after running SASW. I'm on the mobile at the moment and the battery is about to go, so good luck.
 
Andy, I'm guessing that you can't even get into any useful function to work on your PC. I had this one some time ago and used these guys http://www.geekstogo.com/forum/topic/2852-malware-and-spyware-cleaning-guide/
I couldn't get the self-help to work so had to register for a response. The good thing is you can log into this from another PC and then carry out the actions on your infected one.
I've got no association with this site but all I can say is that it worked for me at no charge, although they do say you can make a donation if you want.

NB I've had no spam or anything since I registered.
 
Can you boot into safe mode again (F8), then login as administrator, then choose the Run box, type msconfig and you should get a box titled "System Configuration Utility".

Tick selective startup, then go to the "services" tab, tick the bottom box "hide all Microsoft services" and untick any remaining boxes (unless you are quite clear what they are and know that they are not part of the problem). Then go to the "startup" tab and untick any box that is not a piece of software you know that you installed. Anything in Fanum's list of stuff should be unticked in particular.

Tick on OK to restart the machine. When it starts, run your Superantispyware and Microsoft Essentials again. When that is done, go to options on your web browser, find the connection settings and make sure "no proxy" is ticked, otherwise you won't connect to the internet. When you can get onto the internet, check updates for Superantispyware and Microsoft Essentials, then run them again.

I suspect that when a solution to antivir appears on the web somewhere, the writers of the virus produce an update which makes those methods not work. Same with the tools perhaps?
 
Can you boot into safe mode again (F8), then login as administrator, then choose the Run box, type msconfig and you should get a box titled "System Configuration Utility".
Did this no problem :thumb2

Tick selective startup, then go to the "services" tab, tick the bottom box "hide all Microsoft services" and untick any remaining boxes (unless you are quite clear what they are and know that they are not part of the problem). Then go to the "startup" tab and untick any box that is not a piece of software you know that you installed. Anything in Fanum's list of stuff should be unticked in particular.
Also did this no problem - I unticked all the boxes.

Tick on OK to restart the machine.
Did this in normal mode, not safe mode.

When it starts run your Superantispyware and Microsoft essentials again.
I can't run the antispyware as the virus won't let me unless it's in Safe mode :(

:(

Should I have restarted in safe mode to run the antivirus, or just let it restart in normal mode!!

Many thanks again

AndyT:thumb2
 
Hi Bill - this is the actual virus I seem to have, "AntiSpycraft.com", which is listed on the site you gave me...... http://www.spywareremove.com/removeAntispycraftcom.html
However, the directions to remove it I can't use, as step 1 is to open Task Manager but this thing immediately shuts it down within half a second.
I tried running their spyware program but the PC won't connect to any site on the internet apart from their bogus antivirus site, and the malware program needs access to the net to run....aaarrrggghhhhh

Looks like I'm stuffed on this one. Just going to try and download the full version of Superantispyware that Dickieboy suggested and give that a go. If that fails I don't know what I can do :(:(:(:(:(
 
You need to boot the machine from a CD so that nothing is loaded from the corrupted hard drive. I'd boot the machine to a DOS prompt and then manually delete the files and edit the registry. You could do similar with a linux variant.

If you are not confident with this then get a man in or just nuke the drive and reinstall windows from scratch. Of course you have a back-up of all your data...
 
I think you're right Wessie (I mean get someone in who understands these things). I downloaded the SASW professional and tried running that, but it couldn't run in normal mode and found nothing in safe mode......

Not sure what to do now, so off to my bed :(
 
Andy, if it's stopped SASW running in normal mode that is a tuffy, because when that program is installed it has a default setting which is supposed to stop malware from preventing it from running.

Another way I've defeated it, though, is to install the free version of AVAST antivirus in safe mode. On completion of the installation you are asked if you want to run a boot scan; obviously in this case you select yes and restart.
That way is a lot simpler than having to download and burn a boot disc but achieves the same end.
The boot scan can take anything from 30 mins to a couple of hours.
When avast comes across the malware file it stops and gives you 10 options, of which you select option 2, 'delete all files'. Don't worry, because the 'all files' refers to the malware; avast will then continue scanning and, if it finds anything else, will give you the same options.
If you do this and it's successful, don't forget the LAN settings.
 
Restart in normal mode, if possible; the antivirus software can't work in safe mode.
 
Another more worrying thing has happened in the last 5 minutes: I got a cold call from someone saying that they wanted to speak to me as they see I am having issues with my PC and wanted me to let them have control of it............
I asked how he knew I was having problems and how he got my tel number!! He replied that he got the info from when I bought the PC (which was about 2 years ago) and was working on behalf of Microsoft..... It all sounded very suspicious. I asked him for his number so I could check him out and call him back. He was very pushy but finally agreed to give me his number, which is a Manchester number.

Has anyone heard of anything similar before, where Microsoft would just call out of the blue to help you out like this....
 
Scary stuff....................... remote access stalking :eek:
 
Yep - there are a lot of these scams around. I had a call like that yesterday, the second one I've had this year. They are quite convincing if you are not familiar with computers, and some good friends of mine were taken in for a while and it ended up getting quite nasty.

But listen carefully to what they say and you can spot the BS ("Microsoft only sell hardware not software" was one classic said to me).

Best advice is to ring off pronto. More fun advice is to tell them exactly what they can do with themselves, cast doubt on their origins and then ring off.
 
No, that's a new one on me. The idea of Microsoft ringing someone to offer help is more than unusual. My first conclusion is that it is a scam.

Presumably this virus has trawled information from your PC and sent it somewhere. I suggest you keep it disconnected from the network until it is sorted out.
 
Never heard of that; sounds exceptionally dodgy to me :eek:

Do you have a windows install disc Andy?

I'm thinking the best and fastest way out of this is to bung that in and reload Windows from scratch... as part of the process you'll be able to reformat the drive.

Hopefully, this thing you have won't have infected the boot sector as well.... but don't worry about that at the moment.... none of the info I've seen on it mentions that possibility.

There are many step-by-step guides to reinstalling, and we can talk you through it here if necessary.... I'm happy to sit on the phone with you later if you need a bit of virtual hand-holding, but have a read of this first... it's not difficult to do :)
 
It's the latest of scams and not based on any previous attacks on your PC.

It's usually an area thing, and near me in Chislehurst there has been lots of it; profiling areas with lots of older but potentially wealthy people makes good prey.

They say they're from any number of companies: Microsoft, Google, anti-virus companies etc.

They spout bullshit, usually about already having access to your PC and being able to see problems but needing your assistance to help them resolve issues - that's because they don't have access to your machine YET, but they can fairly quickly if you allow them.
 
I thought as much - the swines. Well, the number on the phone said the call was from "out of area"... the number he gave me was 0161 408 2896, which is probably some poor old lady's house...

I've got all the discs and original MS software, so looks like it's a reinstall job.... something for a rainy day, of which we have been having a lot recently.

Many thanks everyone for all your help. No doubt I'll have more questions when reloading everything:D

thanks again
Andy
 
Andy, just before you dump everything off the computer, you HAVE rung Nod,
I take it! They are very helpful and took control of my machine some time ago
and cleaned it up. I got 2 years free because the virus got through the system :D

ESET UK
Tel : 0845 838 0832
Fax : 0845 838 0834

Cheers. Lyn.
 
What a good idea:blast
 
Success........

Well, I was away all day yesterday picking up another bike, so today I called ESET and within 10 mins my PC was cleaned, and I also saw he removed over 2GB of spam jpegs which had been left on there by this bug...

Thanks everyone for all the help:beerjug:

For info, he said ESET NOD32 is antivirus and doesn't tackle malware, so he suggested running Malwarebytes on a regular basis, similar to NOD32 :thumb2
 