Windows Security Problem


monsieurhappy

Your PC is infected with malware that tries to trick you into installing a (probably rogue) antivirus software.

The windows show reports of alleged attacks that never took place. The dialogs are imitations of Windows security dialogs (style and icons), but not the real thing.

I see you have Avira Antivirus installed, it's a shame you got infected. Check that Avira is still working, run an update and do a full system scan. This might take 1-2 hours.

Download Malwarebytes' Anti-Malware (free edition). Disable Avira's 'Antivir Guard' (right click on the icon in the systray) before running the scan. On installation the program will automatically run an update and do a full system scan. Make sure the update completes (it might take several minutes to download). The scan might take up to 2 hours. Enable Avira's Guard after the scan has finished. Be sure to tell Malwarebytes to remove the found threats.

You could run Malwarebytes first, since Avira let it slip through. I am curious though whether Avira will pick it up on a full system scan.

Be careful not to download any unknown tool to remove this malware or any other virus. A typical Google search will bring up many hits in the search result that will be malicious programs themselves. I recommend downloading only from respectable sources such as download.com, softpedia.com, filehippo.com etc. These downloads are 100% malware/spyware free (and only very few might contain adware).

If you run into problems downloading updates for either Avira or Malwarebytes, the fake Antivir software might have messed around with some browser or system settings. Download from a different computer or, better, report back here.

welo


Thanks. As in my other post, after hitting the button to pay for removal program, problem instantly disappeared.

I will follow your advice though and download Malwarebytes and see what happens.

I did run Avira after I first noticed this problem but it didn't pick up anything.

I still think this has something to do with Microsoft as it went away so easily after hitting that button.

Sorry about the 2 threads, I was going crazy trying to get rid of the problem.

Edited by monsieurhappy

Here is an article on how to remove this or a similar trojan:

http://www.bleepingcomputer.com/virus-remo...t-security-2010

And here is more: http://answers.yahoo.com/question/index?qi...26083947AAE17Xl

This thing might be more tricky than expected. Malwarebytes will be the first choice. You might want to download it on a different computer, transfer it to a USB thumb drive, and then start your computer in safe mode to install and run it.

If you don't know what the heck I'm talking about report back to get more specific instructions. :)

welo


Thanks supernova for reporting the double post, didn't see it yet.

And Mr Happy, if you think that the problem is 'solved' now, after doing what this fake/malicious program wanted you to do, you are pretty naive. Never seen any of those crime movies where the blackmailers or kidnappers ask for more and more and more money? :)

Your PC is still infected, even if the program doesn't nag you anymore (for now?). Who knows what else it is doing in the background.

As long as you don't do internet banking, use your credit card, use your PC for any serious work or rely on it for any other reasons, then just keep going. Everything is OK, don't worry :D

welo

Edited by welo

I have now downloaded Malwarebytes from Welo's link. Updated it and ran it 2 times.

First run picked up quite a few problems that Avira missed.

Put them in quarantine, never sure about this, should I delete them?

2nd run was clear. (Not connected to the internet.)

Ran Avira again and found 4 problems not detected before.

When I try this link:

http://www.bleepingcomputer.com/virus-remo...t-security-2010

I get 404 Not Found

Is there still something stopping me from accessing site?

The other link:

http://answers.yahoo.com/question/index?qi...26083947AAE17Xl

Works OK

I've not had any more pop-ups from original problem.


Hopefully it's worked for me too!

I've never had these problems before until I started downloading torrents, serves me right you could say!

It is so annoying though when you search for a program to get rid of these parasites and find so many that offer a "Free scan" and then demand money for the program to get rid of the problems their scan has found!


Sorry, my bad. Here is the link.

http://www.bleepingcomputer.com/virus-remo...t-security-2010

You might wanna watch your computer closely for the next few weeks. Run full computer scans regularly (weekly) and keep the programs up to date. You might want to download yet another app to scan your PC, e.g. ESET NOD32 free online scanner (direct link to the installer, this one is safe, trust me :)), and SuperAntispyware (freeware edition).

What you have to understand is that trojans and malware often download updated versions of malicious software from the internet and try to install those on your system. Therefore it is possible that only those parts of the malicious programs were removed that the antivirus or anti-malware software already knows about.

Quarantine is fine. If you are sure the file is 'evil' you can delete it right away. But usually it is safe to keep files in the quarantine. If the scanner had a false positive (happens) you can easily get it back from there; if you delete files, the files are usually lost.

The files in the quarantine will be renamed and cannot be executed anymore. When running more than one anti-virus or -malware scanner then sometimes one program picks up files from the quarantine of the other program, but this is no problem.

Stay away from torrents that contain executable files (programs, keygens, etc). Movies and music are OK, as long as they are not fake and lure you into running an executable. Never download any missing 'CODEC' online. Get the K-Lite package if your PC cannot playback a movie or sound file.


I think I still have a problem because the links you've posted will not load.

http://www.bleepingcomputer.com/virus-remo...t-security-2010 404 Not Found

ESET NOD32 free online scanner 404 Not Found

SuperAntispyware Server not found

I have run Malwarebytes' Anti-Malware (free edition) again and it doesn't find anything.

All my programs seem to be working except 1. I'm not getting those annoying pop-ups I was yesterday.

The program that is not working properly is dvdFlick which I use to burn DVDs. I have been using this program for a few weeks without a hitch. It encodes movies etc. and then burns to DVD for use in any DVD player. It uses IMGburn which, with a tick in the box, burns to DVD after the encoding. Now it will not allow me to tick the box for the burn.

I have also noticed for a few days now that if I use Google to try to find a program, particularly antivirus or malware, it comes up with the 404 Not Found.

Any ideas?

Please!


There is malicious software that actually manipulates your browser or other network settings to make it difficult for you to download security related software.

But let's not jump to conclusions, it might as well just be a problem with your provider or something else.

Please answer the following questions carefully.

1. Do the following links work?

a. http://www.bleepingcomputer.com/virus-remo...t-security-2010

b. http://tiny.cc/Zw5gg

c. Copy and paste the following URL into your browser's address bar

www.bleepingcomputer.com/virus-removal/remove-internet-security-2010

d. http://www.bleepingcomputer.com

2. Can you give some of the other URLs that do not work?

3. Did you try reloading/refreshing the browser when a URL would not load correctly? Did the page then load or not?

4. Can you check your DNS settings? What is your current setting? 'Obtain a DNS server automatically' or 'Use the following DNS server addresses'?

Please write down any DNS server address that is configured.

You can follow this guide to check and also to change your DNS server settings to openDNS (which is basically a good thing to do with many Thai ISPs anyway): http://www.sevenforums.com/tutorials/15037...indows-7-a.html (if the URL is working for you LOL), you can also use this tiny url.

5. Start your computer in SAFE MODE (tutorial) and do a full computer scan with Malwarebytes again. Disconnect your PC from the internet during that operation.

welo

Edited by welo
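One way to carry out step 4 above on a Windows PC, as an added example that is not part of this thread and not code from any of the tools it names: a small Python script that parses the output of `ipconfig /all`, lists every DNS server each adapter is using, and flags any resolver that is neither one of the OpenDNS addresses (208.67.222.222 and 208.67.220.220 are OpenDNS's public resolvers; treat them as the trusted set you chose) nor on your local network, which is where a DNS-changing trojan's resolver would show up. The `ipconfig` output embedded in it is constructed for the demonstration, and the rogue resolver 203.0.113.5 is a reserved documentation address standing in for whatever such a trojan would leave behind, not a real indicator.

```python
import ipaddress
import re
import subprocess
import sys

# Resolvers you expect to see. The thread recommends OpenDNS; these are
# OpenDNS's public resolver addresses. Add your ISP's resolvers here if
# you use them on purpose.
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Ranges a home router normally hands out as its DNS address (RFC 1918
# plus link-local / site-local). A resolver outside these and outside the
# trusted set is what you would investigate.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/10", "fec0::/10")]

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")                      # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*)$")  # "Name . . . : value"
CONT_RE = re.compile(r"^\s{10,}(\S.*)$")                                 # value continued on next line

def parse_ipconfig(text):
    """Parse `ipconfig /all` output into {adapter: {"dhcp": bool|None, "dns": [...]}}."""
    adapters, current, last_field = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1).strip()
            adapters[current] = {"dhcp": None, "dns": []}
            last_field = None
            continue
        if current is None:            # global header before the first adapter
            continue
        m = FIELD_RE.match(line)
        if m:
            field, value = m.group(1).strip(), m.group(2).strip()
            last_field = field
            if field == "DHCP Enabled":
                adapters[current]["dhcp"] = value.lower().startswith("yes")
            elif field == "DNS Servers" and value:
                adapters[current]["dns"].append(value)
            continue
        m = CONT_RE.match(line)
        if m and last_field == "DNS Servers":   # second, third ... resolver
            adapters[current]["dns"].append(m.group(1).strip())
    return adapters

def classify_resolver(ip):
    """'trusted', 'local' (your router), 'unknown' (investigate) or 'unparsed'."""
    try:
        addr = ipaddress.ip_address(ip.split("%")[0])   # drop an IPv6 zone id like %1
    except ValueError:
        return "unparsed"
    if ip in TRUSTED_RESOLVERS:
        return "trusted"
    if any(addr in net for net in LOCAL_NETWORKS):
        return "local"
    return "unknown"

def audit_dns(adapters):
    """Return [(adapter, resolver, verdict), ...] for every configured resolver."""
    return [(name, ip, classify_resolver(ip))
            for name, info in adapters.items() for ip in info["dns"]]

def suspicious(findings):
    """Only the resolvers that are neither trusted nor on the local network."""
    return [(name, ip) for name, ip, verdict in findings if verdict == "unknown"]

# Constructed sample of `ipconfig /all` output. 203.0.113.5 is a reserved
# documentation address used here as a stand-in for a rogue resolver.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HAPPY-PC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Intel(R) WiFi Link
   DHCP Enabled. . . . . . . . . . . : Yes
"""

if __name__ == "__main__":
    if sys.platform.startswith("win"):   # real machine: read the live configuration
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:                                # no ipconfig here: show the constructed sample
        text = SAMPLE_IPCONFIG
    for adapter, ip, verdict in audit_dns(parse_ipconfig(text)):
        print(f"{adapter}: {ip} -> {verdict}")
```

On Windows, run it with no arguments and it reads the live configuration; elsewhere it just runs over the built-in sample. Anything reported as "unknown" is what you compare against the addresses your ISP or OpenDNS publishes before concluding that the DNS settings were tampered with; a "local" address is normally your router, which then forwards to whatever it has configured, so check the router's DNS setting as well.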

Sorry for the delay in replying but had to pop out.

After last post I was able to access ESET NOD32 manually at cnet.com

I downloaded it and ran it.

It found 4 or 5 problems that it got rid of, but 1:

Operating memory-Win32/Olmarik trojan -action selection postponed until scan completion

This wasn't dealt with as when I ran ESET NOD32 a 2nd time it was found straight away.

I have just got back in the house and I have tried the links you have posted.

a. http://www.bleepingcomputer.com/virus-remo...t-security-2010 This now works.

b. http://tiny.cc/Zw5gg This also works.

d. http://www.bleepingcomputer.com This also works.

Cannot Access Certain Websites - Conficker Virus: this link posted by Supernova also works.

I need a bit of time to check out the other things you have asked me to do so I'll get back as soon as possible.

BTW the 2nd time I ran ESET NOD 32 I was disconnected from internet.

I will get back soon.

Thanks for your perseverance.

Edited by monsieurhappy

If you're able to access *microsoft.com, anti-virus/malware sites, you should be in the clear. :D

I agree.

I would still check the DNS settings just to make sure.

However, if repeated scans bring up infections again and again there is the risk that you've got a nasty trojan hiding in your system that keeps re-infecting your PC with other trojans and viruses.

The question is whether you eventually find the evil mastermind :)

Of course there is always the hope that the one you just found was the last one. :D

You also have to distinguish between minor infections (cookies, infections in the browser's temporary files folder, etc) and the heavy stuff such as real trojans actually still running in the background. So if some minor infections show up again and again this is nothing to worry about.

Keep up the repeated scans, best to run them in safe mode. If you are eager to try new stuff you might even boot from a rescue CD, e.g. Kaspersky's rescue CD.

On the issue of your DVD writing software. Best to re-install those tools, maybe some of the program files were infected and have been removed. Maybe the issue is not related.

welo


Yes I was able to access the microsoft.com, anti-virus/malware sites.

I downloaded Microsoft Windows Malicious Software Removal Tool and ran it... Nothing found.

I have since run ESET NOD 32 again and it is still indicating this Olmarik trojan.

Looking this up on Google I found a site for the removal of this.

Please bear in mind I am NOT a computer expert!

I did the first test which required looking in the registry but could not find anything related to Olmarik.

I was a bit wary of trying the other tests! So left it at that.

I have also downloaded the software dvdflick again but the problem is still there.

I will try to access their forums to see if I can get help.

I do appreciate all your efforts, I am sitting with the windows open so that I don't break the glass when I chuck the computer out!!

Sorry! only joking!


Did a search on the Olmarik trojan and it actually confirms my assumptions:

  • What is named Win32/Olmarik.D trojan in the ESET database is known as DNSChanger.f.gen.a!e770f528fd79 at McAfee's virus info website (reference). Well, maybe it is not exactly the trojan variant that you've got (often there are many different variations), but it tells me that it might very well have changed your DNS server settings. This can cause 404 errors (and might as well be used for more serious things like redirecting you to a fake internet banking website and such).
  • The Olmarik trojan is one of the annoying kind and hard to get rid of. Just be prepared that you are only halfway through getting control back over your PC.

If you don't get rid of Olmarik, you'll be back where you've started from very soon. The trojan will download other trojans and cause more troubles. I recommend keeping your computer disconnected from the internet and only connect if you absolutely need it.

If you have a second computer this would be ideal. Read forums and download software there.

You might also consider:

  • asking a professional to clean the PC for you
  • reinstalling your OS from scratch, maybe you've been thinking about a 'fresh start' anyway. Maybe upgrade to Windows 7 :)
  • or you keep fighting and beat that bloody bastard yourself

Before you continue, another question: Did you run ESET in Safe Mode (F8)? If not, do so! It is very likely that it can remove the virus in Safe Mode! If yes, keep reading...

Just keep shooting at the bastard, but get some more guns...

Do all scans in Safe Mode (F8 on startup) AFTER you installed the program and used its update function.

1. RKill http://download.bleepingcomputer.com/grinler/rkill.com

Never used it before, but this tool makes very much sense to me. It will try to kill any malware processes, thus disabling any measures of self-defense the trojan might implement.

Tutorial here, scroll down until you find the section explaining RKill. Then continue with...

2. SuperAntiSpyware http://download.cnet.com/SuperAntiSpyware-...4-10523889.html

(Follow this guide to get detailed instructions.)

3. Kaspersky Removal Tool http://www.softpedia.com/get/Antivirus/Kas...oval-Tool.shtml

(This doesn't require an update and therefore no internet connection. Its virus database is limited but focuses on stubborn viruses/trojans.)

4. I can also recommend Kaspersky's rescue CD. You can download the ISO image here and burn it on a CD. Then boot it. The advantage is that since Windows is not running there is no way the virus can protect itself, because it is not active. This is even better than doing a scan in Safe Mode (F8).

Unfortunately you will need a cable (ethernet) connection to your router in order for the program to get the latest update, wireless is not supported. Both update (only the first time) and system scan will take quite some time.

Sure you won't be bored for the next hours or days :D

welo

Edited by welo

I went into "safe mode" but couldn't fathom how to run the program.

I told you I'm NOT an expert.

At one stage I tried running a CD and found it wasn't recognised so in the "device manager" I found a yellow mark next to dvd player. Doing some searching in forums, someone said "why don't you uninstall dvd player, then reboot and let Windows install it."

I hope that makes sense to you.

I did that and it worked so I reinstalled my dvdFlick program and the problem I was having with that had gone away.

I realise I may NOT yet be out of the woods but I've used so many anti virus/spyware programs today that the bugger should be worn out! I know I am!

I will be trying some more of your advice later but right now I need a rest! LOL

Thanks for your help.

