Author Topic: [InActive K] win7 spyware tool virus  (Read 1599 times)

Offline sps2112

  • Bronze Member
  • Posts: 7
[InActive K] win7 spyware tool virus
« on: January 02, 2012, 07:24:56 am »
Please help!!!
Can someone tell me how to remove the 'Win 7 Antispyware 2012' virus from my Dell Studio laptop!!!
I cannot access the internet from that computer.
« Last Edit: January 10, 2012, 03:14:31 am by kevinf80 »



Offline kevinf80

  • Malware Removal Staff
  • Diamond Member
  • Posts: 7363
Re: [InActive K] win7 spyware tool virus
« Reply #1 on: January 02, 2012, 09:06:54 am »
Hello sps2112 and welcome to SpywareHammer,

I'm kevinf80 and I will be helping with any malware issues you may have with your system.
  • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
  • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
  • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
  • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
  • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.
  • If you have any P2P applications installed such as BitTorrent, uTorrent, Limewire etc etc, please uninstall them before we begin.
  • If you are using Cracked or Illegal software your thread will be locked and all help will cease.

We usually ask to see a HJT log before we will offer any assistance, in your case I think we can make an exception. OK do the following, these two tools will have to be d/l and transferred to the infected PC Desktop:

Step 1

Download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate by tapping Enter
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.

Step 2

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    Let me see the two logs from those scans in your reply....

    Kevin

    Offline sps2112

    • Bronze Member
    • Posts: 7
    Re: [InActive K] win7 spyware tool virus
    « Reply #2 on: January 02, 2012, 10:09:03 am »
    Hi Kevin,
    Thank you for helping me.
    Forgive my ignorance here but I want to make sure you understand that I cannot access the internet on the laptop with the virus. I have tried several times to get on via IE and Firefox. The virus seems to block the IE and my Bitdefender internet security is blocking the Firefox...(side note...the Bitdefender security suite I have on both of my computers had just expired and my wife started browsing on our laptop before I renewed it...and whamo, here I am). I have renewed my license with Bitdefender, and was able to get the new license key on the laptop with the virus. So I do have Bitdefender running on the laptop but the virus seems to block any attempt at a scan.

    1 When you say to download the RK - you mean on my other computer (from which I am working on right now) that is fine?

    2 The Farbar service scanner - is that another download or part of the RK program?

    When you reply...please respond with understanding I have basic computer knowledge. You may need to spell things out a little more plainly to me. I apologize in advance if that is frustrating for you.

    Offline kevinf80

    • Malware Removal Staff
    • Diamond Member
    • Posts: 7363
    Re: [InActive K] win7 spyware tool virus
    « Reply #3 on: January 02, 2012, 10:13:00 am »
    Yep I did realize you had no connection, and yes I mean for you to d/l the two separate tools on your other computer and transfer to the infected PC Desktop.....

    Offline sps2112

    • Bronze Member
    • Posts: 7
    Re: [InActive K] win7 spyware tool virus
    « Reply #4 on: January 02, 2012, 10:56:25 am »
    Hi Kevin,
    I have downloaded the two programs onto my desktop, copied them to a CD, then ran them on the infected computer. The Rogue Killer program seemed to work..I hope I did it correctly. It did generate a txt document after I ran it. Here is what I got.....

    RogueKiller V6.2.1 [12/28/2011] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User: Home1 [Admin rights]
    Mode: Scan -- Date : 01/02/2012 11:33:02

    Bad processes: 1
    [WINDOW : Win 7 Antispyware 2012] bvq.exe -- C:\Users\Home1\AppData\Local\bvq.exe -> KILLED [TermProc]

    Registry Entries: 12
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "%1" %*) -> FOUND
    [FILEASSO] HKCR\[...].exe\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "%1" %*) -> FOUND
    [FILEASSO] HKCR\.exe :  (wm6) -> FOUND
    [FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe") -> FOUND
    [FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) -> FOUND
    [FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") -> FOUND

    Particular Files / Folders:

    Driver: [NOT LOADED]

    Infection : Rogue.AntiSpy-AH

    HOSTS File:
    [...]


    MBR Check:

    +++++ PhysicalDrive0: +++++
    --- User ---
    [MBR] e7268e99c666489b19e0c68890f2a2db
    [BSP] 7604063f9306d4c3c722bddd444a7bf4 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
    1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 15728 Mo
    2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 30800325 | Size: 304302 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt

    I now have two things on my desktop from this:
    1. The RK text document
    2. RK Quarantine folder


    I tried to run the Farbar program but I was not able to get this to work. When I tried to run the program (as admin was the only way it would allow me)...it kept bringing up a notepad box that says "Cannot find the fss.txt file" Do you want to create a new file? I click on Yes - and it goes to an untitled notepad and then nothing happens. Not sure what to do from here.

    Offline kevinf80

    • Malware Removal Staff
    • Diamond Member
    • Posts: 7363
    Re: [InActive K] win7 spyware tool virus
    « Reply #5 on: January 02, 2012, 02:18:00 pm »
    OK, if you do not understand anything or need instructions clarifying just ask. We'll do this any way you want. If you do not understand anything or are unsure just post back and ask.
    I'm about here almost every day, it will take as long as it takes. Don't worry we'll work through this and get you back to normal...

    Quit all running programs and run RogueKiller once again.

    • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
    • When prompted, type 2 and validate by tapping Enter
    • The RKreport.txt shall be generated next to the executable.
    • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

    Please post the contents of the RKreport.txt in your next Reply.

    Next,

    Try Farbar Services Scanner again with "Internet Services" selected (ticked)..

    Post log from RogueKiller and FSS in reply..

    Kevin
    « Last Edit: January 02, 2012, 06:17:05 pm by kevinf80 »

    Offline sps2112

    • Bronze Member
    • Posts: 7
    Re: [InActive K] win7 spyware tool virus
    « Reply #6 on: January 02, 2012, 05:57:19 pm »
    Hi Kevin - Here is the Farbar text......



    Farbar Service Scanner
    Ran by Home1 (administrator) on 02-01-2012 at 18:47:58
    Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Attempt to access Google IP returned error: Google IP is offline
    Attempt to access Yahoo IP returend error: Yahoo IP is offline


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****


    Hi Kevin - Here is the Rogue Killer text.....



    RogueKiller V6.2.1 [12/28/2011] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User: Home1 [Admin rights]
    Mode: Scan -- Date : 01/02/2012 18:49:30

    Bad processes: 1
    [WINDOW : Win 7 Antispyware 2012] bvq.exe -- C:\Users\Home1\AppData\Local\bvq.exe -> KILLED [TermProc]

    Registry Entries: 12
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "%1" %*) -> FOUND
    [FILEASSO] HKCR\[...].exe\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "%1" %*) -> FOUND
    [FILEASSO] HKCR\.exe :  (l7s) -> FOUND
    [FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe") -> FOUND
    [FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) -> FOUND
    [FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") -> FOUND

    Particular Files / Folders:

    Driver: [NOT LOADED]

    Infection : Rogue.AntiSpy-AH

    HOSTS File:
    [...]


    MBR Check:

    +++++ PhysicalDrive0: +++++
    --- User ---
    [MBR] e7268e99c666489b19e0c68890f2a2db
    [BSP] 7604063f9306d4c3c722bddd444a7bf4 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
    1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 15728 Mo
    2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 30800325 | Size: 304302 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: +++++
    --- User ---
    [MBR] 3f35ef15d899e7d2ba7b99202119f352
    [BSP] 3cb5995104823a911ed30282ae7ea67a : MBR Code unknown
    Partition table:
    0 - [ACTIVE] FAT16 [VISIBLE] Offset (sectors): 32 | Size: 65 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[1].txt >>
    RKreport[1].txt






    Offline kevinf80

    • Malware Removal Staff
    • Diamond Member
    • Posts: 7363
    Re: [InActive K] win7 spyware tool virus
    « Reply #7 on: January 02, 2012, 06:22:43 pm »
    Quit all running programs and run RogueKiller once again.

    • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
    • When prompted, type 2 and validate by tapping Enter
    • The RKreport.txt shall be generated next to the executable.
    • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

    Please post the contents of the RKreport.txt in your next Reply.

    Next,

    Quit all running programs and run RogueKiller once again.

    • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
    • When prompted, type 3 and validate by tapping Enter
    • The RKreport.txt shall be generated next to the executable.
    • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

    Please post the contents of the RKreport.txt in your next Reply.

    Let me see those two logs, FSS does not indicate any issues with your connection settings. Do you have a connection?

    Kevin




    Offline sps2112

    • Bronze Member
    • Posts: 7
    Re: [InActive K] win7 spyware tool virus
    « Reply #8 on: January 02, 2012, 06:52:16 pm »
    Hi Kevin,
    There are no running programs in the infected laptop. I believe there is an internet connection. Although when I try to get on the internet, the Bit Defender internet security is blocking this from happening. I do not know if that is because of the virus. If I am supposed to disable Bit Defender, I am not sure how to do that.

    Anyway, I ran the two RK as you said to do...here they are

    Selected # 2....

    RogueKiller V6.2.1 [12/28/2011] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User: Home1 [Admin rights]
    Mode: Remove -- Date : 01/02/2012 19:43:00

    Bad processes: 1
    [WINDOW : Win 7 Antispyware 2012] bvq.exe -- C:\Users\Home1\AppData\Local\bvq.exe -> KILLED [TermProc]

    Registry Entries: 11
    [HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
    [HJ] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
    [FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "%1" %*) -> REPLACED ("%1" %*)
    [FILEASSO] HKCR\[...].exe :  (Lu6) -> REPLACED (exefile)
    [FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe") -> REPLACED ("C:\Program Files (x86)\mozilla firefox\firefox.exe")
    [FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) -> REPLACED ("C:\Program Files (x86)\mozilla firefox\firefox.exe" -safe-mode)
    [FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") -> REPLACED ("C:\Program Files (x86)\internet explorer\iexplore.exe")

    Particular Files / Folders:

    Driver: [NOT LOADED]

    Infection : Rogue.AntiSpy-AH

    HOSTS File:
    [...]


    MBR Check:

    +++++ PhysicalDrive0: +++++
    --- User ---
    [MBR] e7268e99c666489b19e0c68890f2a2db
    [BSP] 7604063f9306d4c3c722bddd444a7bf4 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 41 Mo
    1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 80325 | Size: 15728 Mo
    2 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 30800325 | Size: 304302 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: +++++
    --- User ---
    [MBR] 3f35ef15d899e7d2ba7b99202119f352
    [BSP] 3cb5995104823a911ed30282ae7ea67a : MBR Code unknown
    Partition table:
    0 - [ACTIVE] FAT16 [VISIBLE] Offset (sectors): 32 | Size: 65 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt



    Here is # 3.....



    RogueKiller V6.2.1 [12/28/2011] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User: Home1 [Admin rights]
    Mode: HOSTSFix --  Date : 01/02/2012 19:43:29

    Bad processes: 0

    Driver: [NOT LOADED]

    HOSTS File:
    [...]


    Resetted HOSTS:
    127.0.0.1   localhost

    Finished : << RKreport[3].txt >>
    RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt



     

    Offline kevinf80

    • Malware Removal Staff
    • Diamond Member
    • Posts: 7363
    Re: [InActive K] win7 spyware tool virus
    « Reply #9 on: January 02, 2012, 07:08:40 pm »
    What do you mean by this: "there are no running programs in the infected laptop"?

    Is BitDefender your security system? What makes you believe it is blocking your connection?

    Offline sps2112

    • Bronze Member
    • Posts: 7
    Re: [InActive K] win7 spyware tool virus
    « Reply #10 on: January 02, 2012, 07:39:19 pm »
    What I meant was that before I ran the RK program..you always say "quit all running programs". I only meant to say that there were no programs open when I ran the RK.
    Yes, Bit Defender is the internet security suite installed on the laptop. When the virus was constantly popping up - if I tried Internet Explorer or Firefox to get on the internet, a Bit Defender message would come up to say that it stopped that process. That is not exactly what it said, but it was a message from Bit Defender.

    NOW - I do not know what happened since I ran those last 2 Rogue Killer tasks you asked me to do, but I shut down the computer afterward and since I have started it back up...I HAVE NOT SEEN THE VIRUS POP UP! I am able to get on the internet, and it seems to be gone.

    Would running those last two RK tasks have gotten rid of the virus??? It seems unlikely, but I have to say...I don't see it popping up anymore.

    Not sure if I should be worried or happy


    Offline kevinf80

    • Malware Removal Staff
    • Diamond Member
    • Posts: 7363
    Re: [InActive K] win7 spyware tool virus
    « Reply #11 on: January 03, 2012, 03:09:47 am »
    Yes RogueKiller has done a very good job for us, it has removed the rogue hijacker and reset the necessary associations back to their correct defaults.

    To be thorough I'd like you to run an online AV scan to ensure there are no remnants of the infection remaining:

    Run ESET Online Scan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
    • Click the button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
    • Check
    • Click the button.
    • Accept any security warnings from your browser.
    • Check
    • Leave the tick out of remove found threats
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push
    • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the button.
    • Push
    You can refer to this animation by neomage if needed.
    Frequently asked questions available Here  Please read them before running the scan.

    Also be aware this scan can take several hours to complete depending on the size of your system.

    ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

    Next,

    Run the following so we can see an overview of your security, the status of Java and Adobe etc...

    Download Security Check by screen317 from HERE or HERE.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Let me see those two logs, also give an update on how your system is responding and if you have any remaining issues or concerns....

    Kevin :t
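
An added example, not part of the original posts and not RogueKiller's own code: it parses the [FILEASSO] lines of an RKreport and flags handlers that differ from the defaults the Remove report in this thread restored ("%1" %*, exefile, and a browser launcher that starts its own executable). The function names are illustrative and the line format is inferred from the logs posted above.

```python
import re
from ntpath import basename  # parses Windows paths on any host OS

# Sample input: lines as posted in this thread's RKreport logs
# (the first four from the scan report, the last from the Remove report).
SAMPLE_REPORT = r'''
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[FILEASSO] HKCU\[...]Software\Classes\.exe\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "%1" %*) -> FOUND
[FILEASSO] HKCR\.exe :  (wm6) -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe") -> FOUND
[FILEASSO] HKLM\[...]Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command :  ("C:\Users\Home1\AppData\Local\bvq.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") -> REPLACED ("C:\Program Files (x86)\internet explorer\iexplore.exe")
'''

# Assumed line shape: [FILEASSO] <key> : (<value>) -> <STATUS> [(<new value>)]
LINE_RE = re.compile(
    r'^\[FILEASSO\]\s+(?P<key>\S.*?)\s+:\s+\((?P<old>.*)\)\s+->\s+'
    r'(?P<status>[A-Z]+)(?:\s+\((?P<new>.*)\))?\s*$'
)


def parse_fileasso(report):
    """Return one dict per [FILEASSO] line; 'value' is what the key holds now."""
    entries = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # [HJ] lines, headers, blank lines
        # After a REPLACED action the key holds the new value, not the old one.
        value = m.group('new') if m.group('status') == 'REPLACED' else m.group('old')
        entries.append({'key': m.group('key'), 'value': value,
                        'status': m.group('status')})
    return entries


def first_executable(command):
    """First token of a command line, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ''


def assess(entry):
    """Return a reason string if the handler is not the expected one, else None."""
    key, value = entry['key'], entry['value'].strip()
    browser = re.search(r'StartMenuInternet\\([^\\]+)\\shell\\', key, re.I)
    if browser:
        # A browser client key should launch the executable it is named after.
        exe = basename(first_executable(value))
        if exe.lower() != browser.group(1).lower():
            return f'{browser.group(1)} launcher starts {exe} first'
    elif key.lower().endswith('.exe\\shell\\open\\command'):
        # Default taken from the Remove report: REPLACED ("%1" %*)
        if value != '"%1" %*':
            return f'.exe open command starts {basename(first_executable(value))} first'
    elif key.lower().endswith('.exe'):
        # Default taken from the Remove report: REPLACED (exefile)
        if value.lower() != 'exefile':
            return f'.exe is mapped to class {value!r} instead of exefile'
    return None


def hijacked_entries(report):
    """List (key, reason) for every file association that is still redirected."""
    hits = []
    for entry in parse_fileasso(report):
        reason = assess(entry)
        if reason:
            hits.append((entry['key'], reason))
    return hits


if __name__ == '__main__':
    for key, reason in hijacked_entries(SAMPLE_REPORT):
        print(f'{reason}\n    {key}')
```

The IEXPLORE.EXE line is not flagged because its status is REPLACED and the restored command starts iexplore.exe itself.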

    Offline sps2112

    • Bronze Member
    • Posts: 7
    Re: [InActive K] win7 spyware tool virus
    « Reply #12 on: January 03, 2012, 07:44:18 pm »
    Hi Kevin,
    Thank you for all your help.
    I will run the scans as you suggest...I might have to read it a few (more) times to understand all that you wrote there. I will get it though.
    Back to work today so please give me a few to get this done. I will try to do it tonight but it might have to be tomorrow.
    thanks again!

    ....on the surface I guess...seems to be workin fine!

    Offline kevinf80

    • Malware Removal Staff
    • Diamond Member
    • Posts: 7363
    Re: [InActive K] win7 spyware tool virus
    « Reply #13 on: January 04, 2012, 02:51:20 am »
    OK, thanks for the update, just post the logs when you're ready. Be aware the ESET scan can take several hours to complete, it is very thorough but well worth the effort...

    Kevin  :t

    Offline kevinf80

    • Malware Removal Staff
    • Diamond Member
    • Posts: 7363
    Re: [InActive K] win7 spyware tool virus
    « Reply #14 on: January 07, 2012, 05:05:16 pm »
    You still with us sps2112?