Win 7 Antivirus 2012 ~ Virus Removal Help

JennB213

Hello,

I've had this virus since the 30th. When it started it immediately produced all the pop-up warnings as described by everybody else.

I used Task Manager to escape touching the program (Win 7 Antivirus 2012) ..
then I rebooted in Safe Mode w/Networking and downloaded Malwarebytes and ran it.

It found several things ..

Malwarebytes Anti-Malware 1.60.0.1800
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: v2011.12.31.02

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7601.17514
Jennifer Burnette :: JENNIFERBURNETT [administrator]

Fri, 12/30/2011 11:30:29 PM
mbam-log-2011-12-30 (23-30-29).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P <----No Clue what that means
Objects scanned: 320495
Time elapsed: 39 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCR\.exe\shell\open\command| (Hijack.ExeFile)
-> Data: "C:\Users\Jennifer Burnette\AppData\Local\dwx.exe" -a "%1" %* -> Quarantined and deleted successfully.

Registry Data Items Detected: 4
HKCR\.exe| (Hijacked.exeFile) -> Bad: (pu4) Good: (exefile) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Jennifer Burnette\AppData\Local\dwx.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Jennifer Burnette\AppData\Local\dwx.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Jennifer Burnette\AppData\Local\dwx.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Jennifer Burnette\AppData\Local\dwx.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\Jennifer Burnette\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\f9046cc-5662e8c5 (Trojan.FakeAV) -> Quarantined and deleted successfully.

(end)
This shows I was using the free version, when I discovered the virus was continuing to come back I opted to do the Trial Version ... then ran just quick scan which showed RIGHT THEN I was okay.

Came back, it's like every time I re-boot it's re-inventing itself.

It almost looks like it's tied to my Firefox, I can see where Malwarebytes is removing it and although right now, no pop-ups, I'm not trusting it especially since finding the following in my Control Panel - Notifications Area ...
AV1.jpg


Every time I run Malwarebytes it adds to the total number of items removed but it's the same items, only changing maybe an .exe name.
AV2.jpg


I found Corinne's instruction for removal at another post .. Downloaded the TDSSkill and RKill, already had Malwarebytes so didn't have to do that.

I ran TDSSkill, no rootkits found ... Ran RKill, said processes were deleted while running ... Ran Malwarebytes again via Quick Scan and showed 0 ... thought great this may have got rid of it.

I rebooted the computer and decided to look at the Control Panel items again, imagine my surprise when I saw I now have a NEW file there for Win 7 Antivirus 2012. The OLD one was gud.exe and now this new one dwx.exe.

I've tried checking in Task Manager processes and start up ... NOTHING !!
I've also tried checking msconfig.exe, startup and services ... NOTHING !!

I totally have NO CLUE where or what to do next.

Is there ANYBODY that can help me .. I'd appreciate it so very much.

Thank you in advance for even reading this.

Jenn
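
As an added illustration (not part of the original thread and not Malwarebytes' own tooling), the Python sketch below parses the detection sections of the log posted above and groups the registry findings by what they changed. It shows that every rerouted command points at one launcher under the user's AppData folder, and that the affected keys are file-association and browser-launch commands rather than startup entries. The function, class and field names are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Detection sections copied from the Malwarebytes log posted above.
SAMPLE_LOG = r'''
Registry Values Detected: 1
HKCR\.exe\shell\open\command| (Hijack.ExeFile)
-> Data: "C:\Users\Jennifer Burnette\AppData\Local\dwx.exe" -a "%1" %* -> Quarantined and deleted successfully.

Registry Data Items Detected: 4
HKCR\.exe| (Hijacked.exeFile) -> Bad: (pu4) Good: (exefile) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Jennifer Burnette\AppData\Local\dwx.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Jennifer Burnette\AppData\Local\dwx.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Jennifer Burnette\AppData\Local\dwx.exe" -a "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Jennifer Burnette\AppData\Local\dwx.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\Jennifer Burnette\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\f9046cc-5662e8c5 (Trojan.FakeAV) -> Quarantined and deleted successfully.

(end)
'''

SECTION_RE = re.compile(r"^(.+?) Detected: (\d+)$")
ENTRY_RE = re.compile(
    r"^(?P<target>.+?)\|? \((?P<name>[A-Za-z][\w.]*)\)(?: -> (?P<detail>.*))?$")
BAD_GOOD_RE = re.compile(
    r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.*)$")
DATA_RE = re.compile(r"^Data: (?P<data>.*) -> (?P<action>.*)$")
# An .exe that lives under a user's AppData folder (user-writable location).
USER_EXE_RE = re.compile(r'[A-Za-z]:\\Users\\[^"]*?\\AppData\\[^"]*?\.exe', re.I)


@dataclass
class Finding:
    section: str      # e.g. "Registry Data Items", "Files"
    target: str       # registry key/value or file path
    name: str         # detection name, e.g. "Hijack.ExeFile"
    detail: str = ""  # everything after the first "->"


def parse_mbam_log(text):
    """Turn the detection sections of the log into Finding records."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious") or line == "(end)":
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if line.startswith("-> ") and findings:
            # The log wraps some entries; a leading "->" continues the last one.
            findings[-1].detail = (findings[-1].detail + " " + line[3:]).strip()
            continue
        entry = ENTRY_RE.match(line)
        if entry and section:
            findings.append(Finding(section, entry["target"], entry["name"],
                                    entry["detail"] or ""))
    return findings


def summarize(findings):
    """Group registry findings by the kind of change the log recorded."""
    launchers, rerouted, value_swaps = set(), [], []
    for f in findings:
        if not f.section.startswith("Registry"):
            continue
        m = BAD_GOOD_RE.match(f.detail) or DATA_RE.match(f.detail)
        if not m:
            continue
        fields = m.groupdict()
        value = fields.get("bad") or fields.get("data")
        exes = USER_EXE_RE.findall(value)
        if exes:
            # The command was rewritten to start an AppData executable first.
            launchers.update(exes)
            rerouted.append(f.target)
        else:
            # A plain value swap, such as the .exe type pointing at a new name.
            value_swaps.append((f.target, value, fields.get("good")))
    files = [f.target for f in findings if f.section == "Files"]
    return {"launchers": sorted(launchers), "rerouted_commands": rerouted,
            "value_swaps": value_swaps, "files": files}


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    for key, value in report.items():
        print(key, "=", value)
```

The rerouted keys are the `.exe` open command and the Start-menu browser launch commands; msconfig's Startup tab lists Run keys and Startup folders, so a launcher wired in this way does not appear there.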
 

Hi Jenn,

It sounds like you need something a bit more powerful to tackle this - this something should only be used under professional guidance so I'll message Corinne and Jacee and ask them to look at this for you.

Regards,
Golden

*EDIT : Have messaged them to ask them to look at this for you.
 

There's a few removal tools available like the VIPRE Rescue Program I've used to remove similar types of infections like I-Worm viruses disguised as spyware removal programs. One actually locked the owner out of his desktop by creating a new administrator account.

The VRP removed it on the spot once the system was booted in safe mode to create a desktop shortcut there for the stand alone tool. You simply download that to the drive or any folder and when you double click on it a new temp will be created where it will run from. No installation required.

For a detailed guide on removing this type of malware you can also look over Malware Removal Guide for Windows

The guide there not only points to different programs but has instructions for use with each one. Plus it has a followup with fixing post disinfection problems that can appear.
 

Hi Golden,

Thank YOU so much for passing along my message.

This is the weirdest thing ever, it really looks like this is re-inventing itself via FireFox ...
I hope I don't have to get rid of Firefox ...
I prefer it so much more than Internet Explorer.

Again, Thanks so much for helping me and for taking the time to read.

Regards, Jenn
 

Hi Night Hawk,

THANK YOU so much for your help.

Question ::
Are you telling me to download the tool (Like to the Desktop)
Then boot into Safe-Mode before I activate the Tool.
It's real late here in Tennessee so I'm going to go onto bed tonight then check back here in the morning plus go read the Malware Removal Guide.

If you can think of anything else that might help me I would appreciate it.

Thank you so much for taking the time to read my message and to give me the help and direction you've shared.

Regards, Jenn
 

If you can access the normal desktop despite the virus and double click on anything that will start the program itself. That can be the desktop or any folder of choice for keeping it on hand.

The first thing it will do is create its own folder you can remove later once everything is back to normal. As it runs you will see a command prompt type window appear and watch as it removes traces as well. Some confuse that for deleting other files off the drive without knowing it corrects any attempted recoding of mainly system files.

Note this only frees up Windows from a virus but doesn't scan the entire drive for bugs while the latest version has some options for scans. The instructions for use are seen on the download page itself.
 

Thank YOU Night Hawk for being patient with a Novice. Once at Vipre Rescue and after reading the entire article I do understand the procedure.

I won't have to boot into safe mode to run Vipre Rescue as currently even though I know the virus is still here I'm not having the pop-ups, browser redirects, or .exe issues.

I think my main issue now is just knowing it is still lurking in the background.

I'm currently running a thorough virus scan with Avast (my normal antivirus) and then will do the second one using Malwarebytes.

Avast IS currently updating virus definitions with no problems, as is Malwarebytes.

I know they say not to run two Antivirus's simultaneously but since trying to remove this Win 7 Antivirus 2012 and accepting the Trial of Malwarebytes I guess that's what I'm doing. Is Malwarebytes an AntiVirus program too or is it only actively scanning for Malware ?? Little confused on that.

I read your suggested article on Removal of Malware and it is VERY helpful and VERY easy for even a novice to understand. I bookmarked the page so I can get back to it quickly.

As I said, I'm currently running a thorough scan right now with Avast and then will let Malwarebytes run, depending on what they show I will know how to proceed.

However, when I see these items in Control Panel Notification Area it really scares me .. I'm afraid to use my online banking on this computer until I'm POSITIVE I have removed everything.
AV3.jpg


Right now I kinda feel like the computer is winning ... but I AM going to keep trying.

I want to Thank YOU for your help, will post back after SCANS are completed.

Jenn
 

I hate to say this because I love Windows but don't online bank with a Windows PC. Download a copy of Ubuntu and burn it to disc. Boot your PC with the DVD in your DVD player and select try without installing. Plug in internet directly and bank with it as a live DVD. Guaranteed safe.

Download Ubuntu | Ubuntu
 

Well WOW, Thank you so much BigCityCat, had no clue that could even be done. I certainly will check into that ..

I try and be real cautious about Online Banking changing the password frequently.

Just knowing these things were still showing on my computer was creeping me out,

I did feel better after the TDSSkill found NO Rootkits.

Everybody here has been so nice & helpful, it's totally appreciated.

Jenn
 

I tested both Malwarebytes and Avast against a few other programs and then was referred to another back in May 2010 which so far has proven itself over and over again for finding things you would never know were there!

At first it was AVG against Avast and AVG won out. Then it was a freeware called Spyware Terminator finding more than Malwarebytes. The big surprise however wraps antispyware, antiadware, antirootkit detection and removal into its antivirus and web security protections being the main VIPRE program.

The VIPRE Internet Security 2012 update went on over the VIPRE Home Premium av program and so far has found two old supposed XP utility files, one a zip file, stored on other drives as trojans in disguise.

I suggest dumping the two you have on now and giving the 30 day trial of VIPRE a good run. The initial scan can be set to go over every drive you have installed on the system as well as clean things up.

When the two license expires in May of this year I'll be going with their lifetime offer. This one apparently wraps up what would be 3 or 4 other programs and does run quietly in the background like no program was even installed. It has a light footprint on resources with updates going right on without the need to restart each time.

Hopefully the bug you have there hasn't already done its damage. I had to get VIPRE on two infected machines where the bogus software type I-Worm had already trashed the system registry forcing a full clean install on a Vista laptop and another older XP desktop. It was on the XP build where the new admin was created to lock the user out.

On both machines VIPRE cleaned the virus out but too late from the malware damage seen to save the Windows installation. Some of these newer bugs are designed to do just that trash the OS! And even if you are able to save your 7 install there the restore points will be no good! Make sure to turn off the System Restore feature long enough to see all present points deleted. You may want to manually create some after once you know the machine is totally free of anything leftover.
 

@ Night Hawk

Hi Night Hawk,

I am not really sure where I need to start up on the Malware Removal instructions.
It appears Win 7 Antivirus is only showing up now in my Control Panel Notification area.

I ran a Thorough Scan x 2 (Avast & Malwarebytes) per Malware Removal instructions.

First using Avast ... got 0 issues,
AvastScan.jpg




Next I ran Malwarebytes, came up again with 0
I also checked the Quarantined Tab, just to be sure, only the same 10 were there.

MalwarebytesScan.jpg




That made me feel better until I checked Control > Notifications Area Icons and saw that mess.

I'm still NOT having issues with pop ups, browser redirects, exe issues ..

Any suggestions on where I should begin to clear those items out of my Control Panel ...

I seriously hate knowing those three items are still showing ::
Proxycheck.exe > gud.exe > dwx.exe

AV3.jpg



I have also used CCleaner to clear out all the old temp files.


Do you think dumping my Restore points would help ???

I'm kind of at a loss now, don't know what to do to get rid of three things.

I already tried to find them via Task Manager > Processes & services ..
Also msconfig.exe > StartUp & Services .. NO LUCK with either of those.

Thank you so much for all the help and direction, hope you can figure this one out.

Jenn
 

@ BigCityCat (RE: Ubuntu)

Hi BigCityCat,

Mission accomplished .. I did it, I created the CD to use and my Laptop booted right to it with no issues.

Once on the Desktop I opened Firefox, connected with my Wireless then pulled up my banking site and managed to take care of business with no problem.

Then I decided to look/play around and see what I could understand.

Somehow that CD even had my D:\ drive storage items on it .. listed under a Data Icon. They were a mess, none alphabetical and I couldn't find a way to straighten them out but still when I opened the individual folders things were there and I understood the concept.

After playing around for awhile when I got ready to sign out of it I couldn't figure how in the world to stop the CD .... I looked everywhere under every Menu no buttons to do it by.

Finally went back to the Desktop and searched for HELP ..
Immediately the Log Out and Shut Down buttons became visible.
Boy was I LOST for a moment .. good learning experience.

Thank you so much for the input to help me with my online banking.

Have a Good Evening.

Huggs
Jenn
 

That shows it to be the same worm type virus I saw VIPRE clean right off. They like to trash Windows even once you have them off entirely when you later start running into various problems! :(

For the 30 day trial which will work you would first need to uninstall Avast being another av program. This type of virus generally doesn't try to recode files you have stored on the drive like other viruses but mainly targets the registry and some system files.

I would recommend backing things up just in case you end up needing to wipe the drive clean for a fresh install. Later once everything was back on creating a full system image to be stored on a separate drive would be the idea. The restoration of an image will wipe the drive for you during the process.
 

My Computers My Computers

System One System Two

  • Computer type
    PC/Desktop
    Computer Manufacturer/Model Number
    Custom builds = 2
    OS
    W7 Ultimate x64/W10 Pro x64/W11 Pro Triple Boot - Main PC W7 Remote PC Micro ATX W7 Pro x64/W11 Pro
    CPU
    AMD Phenom II X4 975 Deneb 3.6ghz - 965 2nd remote pc
    Motherboard
    Gigabyte GA-790XTA-UD4-Gigabyte GA-880GM-D2H remote pc
    Memory
    Kingston Hyper X DDR3 1600 1.5v 16gb - Hyper X Fury 8gb 2nd
    Graphics Card(s)
    MSI HD Radeon 5750 1gb - MSI HD Radeon 6450 on mini tower
    Sound Card
    Creative Labs X-Fi Xtreme Audio P - Realtek onooard 2nd case
    Monitor(s) Displays
    ASUS VW199T-P 19" HP 2082a Main-HP 2082a 20" remote pc
    Screen Resolution
    Asus 1440x900 - HP 1600x900
    Hard Drives
    WD Black 1TB HD per OS W7, W10, and pending W11 presently on 500gb OS Drive - Pending Triple 1TB HDs for Spanned Storage/backup volume
    Single 2TB external USB enclosure, single 1TB System 7 Host/Boot drive, Pending 8TB external HD for system image b
    PSU
    Corsair 750TX - primary / Corsair CX600 - second
    Case
    Antec 900-2 - SSD compatible / NZXT Vulcan mini tower
    Cooling
    Zalman CNPS9900A
    Keyboard
    AZIO L70 Backlit Letters Gaming - ONN Cordless/USB
    Mouse
    MSI DS200 Programmable, Logitech Cordless
    Internet Speed
    30mbps upgrade - primary hard wired - mini tower usb WiFi
    Antivirus
    GFI VIPRE Internet Security 2014 on W7 2016 beta on W10,
    Browser
    Cyberfox, WaterFox 64bit FF variants, FireFox x64, Pale Moon
    Other Info
    Accomdata fan cooled usb 2.0 PIDE/Sata II, III external enclosure.
    Sambient usb/eSata PATA/Sata II, III external enclosure.
  • Computer type
    PC/Desktop
    System Manufacturer/Model Number
    CUSTOM ASSEMBLY
    OS
    W7 Pro x64/W11 Pro
    CPU
    AMD Deneb 3.6ghz - 965
    Motherboard
    Gigabyte GA-880GM-D2H remote pc
    Memory
    Kingston Hyper X Fury 8gb
    Graphics Card(s)
    MSI HD Radeon 6450 DVI Output
    Sound Card
    Realtek onooard Creative or Other separate PENDING
    Monitor(s) Displays
    VIZIO 32" LCD TV Separate LCD Pending
    Screen Resolution
    1600x1080
    Hard Drives
    WD 500GB OS Host/Boot WD Green 1TB Storage/Backup
    PSU
    Corsair 600W - THERMALTAKE 600W spare case
    Case
    NZXT Vulcan mini tower
    Cooling
    Twin 120mm Top Fans - 240mm Side Cover
    Keyboard
    ONN Cordless/USB Logitech Cordless
    Mouse
    ONN USB/Cordless - Logitech Cordless
    Internet Speed
    DSL 5G
    Browser
    MS Edge, FireFox, WaterFox x64, FireFox Nightly
    Other Info
    OS Testing-Remote Access to Main TeamViewer
I hate to say this because I love Windows but don't online bank with a Windows pc. Download a copy of Ubuntu and burn it to disc. Boot your pc with the dvd in your dvd player and select try without installing. Plug in internet directly and bank with it as a live dvd. Guaranteed safe.

Download Ubuntu | Ubuntu

Hi BigCityCat,

Mission accomplished .. I did it, I created the CD to use and my Laptop booted right to it with no issues.

Once on the Desktop I opened Firefox, connected with my Wireless then pulled up my banking site and managed to take care of business with no problem.

Then I decided to look/play around and see what I could understand.

Somehow that CD even had my D:\ drive storage items on it .. listed under a Data Icon. They were a mess, none alphabetical and I couldn't find a way to straighten them out but still when I opened the individual folders things were there and I understood the concept.

After playing around for a while, when I got ready to sign out of it I couldn't figure how in the world to stop the CD .... I looked everywhere under every Menu, no buttons to do it by.

Finally went back to the Desktop and searched for HELP ..
Immediately the Log Out and Shut Down buttons became visible.
Boy was I LOST for a moment .. good learning experience.

Thank you so much for the input to help me with my online banking.

Have a Good Evening.

Huggs
Jenn

Happy to help. Glad it was a good experience.:D
 

My Computer My Computer

Computer Manufacturer/Model Number
Samsung rv520
OS
Windows Seven, Ubuntu
CPU
Intel
Graphics Card(s)
Intel

My Computer My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
HP Pavilion m7 Notebook PC
OS
Microsoft Windows 7 Home Premium, Service Pack 1 64-bit
CPU
Intel(R) Core(TM) CPU i7-3610QM CPU 2.30 GHz
Memory
8 GB Ram
Graphics Card(s)
Intel(R) HD Graphics 4000
Sound Card
IDT High Definition Audio CODEC
Hard Drives
Local Disk (C:) 697 GB Free of 909 GB
Recovery Disk (D:)
Antivirus
Webroot Secure/Anywhere 9.0.24.49
Browser
Firefox Quantum 65.0.2
That shows it to be the same worm type virus I saw VIPRE clean right off. They like to trash Windows even once you have them off entirely when you later start running into various problems! :(

For the 30 day trial which will work you would first need to uninstall Avast being another av program. This type of virus generally doesn't try to recode files you have stored on the drive like other viruses but mainly targets the registry and some system files.

I would recommend backing things up just in case you end up needing to wipe the drive clean for a fresh install. Later once everything was back on creating a full system image to be stored on a separate drive would be the idea. The restoration of an image will wipe the drive for you during the process.

Thank You so much Night Hawk,

Since I'm not having the pop-ups, re-direct issues or any other virus related problems right now I really don't want to have to reformat my computer.

Right now my scans are coming up clean and I can't find anything that the Fake Virus is doing except those 3 entries showing in the Notification Area Icons, which I would love to get rid of but not enough to reformat.

I read some articles today about understanding the Registry and finally felt comfortable enough to venture in and look around.

I found BOTH the gud.exe and the dwx.exe in the Registry under the Key HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache.

Being a novice I backed out of the Registry without doing anything but wondered what would have happened if I had deleted those two values.

Anyway I think I'll try to find a Registry program that will help me to delete those two items without fear ..

I never did find anything on the proxychecker.exe but I have found how to hide it within the Notification Area.

Again, Thank YOU so much, I appreciate the time you've devoted trying to help me.

Jenn
 

You're welcome! ;)

You would have been better dumping the entry for the gud.exe or rather that being the alias name used for the VC1.exe which is added into the registry as a start up item for trojan dropping and other things while remaining hidden. This isn't the only malware it's been seen with.

It's basically the same thing for the dwx.exe file being another trojan dropper added into the reg as a start up item. Those two will help auto load the main virus as the system starts up. They work much as backdoor trojans.

On each you first find the file location before removing the reg entry and then restart the system before attempting to manually delete the files from the drive. The restart will ensure the processes have ended once the reg entries are no longer there to start them up again.

When editing the registry I can understand your concerns. You have to treat everything like a separate file or folder where you want to be looking only one thing at a time and verify any changes you make are for that one thing only. But if your av or other security programs are not able to remove them for you you end up doing the manual walk and just have to confirm those two and those two only are deleted there.

As for the ProxyChecker.exe file that's not a malware. One report on it can be seen at ProxyChecker Antivirus Scan Results - ProxyChecker 100% Clean Program

ProxyChecker basically checks lists of proxies. This is mainly used as a network tool and not anything to be worried about according to that plus other information on it. The other two you have there however get the bad rep one first seen in 2009 and the other in 2010 the gud.exe being the older of the two and far more widespread with other fake programs.
 

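A read-only way to review the registry entries discussed in this thread before deleting anything, as an added example that is not part of any poster's reply: it parses a `.reg` export and sorts entries into a redirected `.exe` class, a hijacked open command, a `Run` autostart from the user profile, and a `MuiCache` record, which only shows that a program was run and does not launch it. The sample export, the `user` profile name and the `Run` values are constructed for illustration.

```python
import re

# Constructed .reg export modelled on values quoted in this thread (Run entries made up).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="pu4"
[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\dwx.exe\" -a \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\user\\AppData\\Local\\gud.exe"
"Audio"="C:\\Program Files\\Vendor\\audio.exe"
[HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\\Users\\user\\AppData\\Local\\dwx.exe"="dwx"
'''
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)   # \\ -> \ and \" -> "

def parse(text):
    """Yield (key, value_name, data); '' names the key's default value."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            name = '' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def audit(text):
    """Return (category, key, evidence) tuples for entries worth reviewing."""
    findings = []
    for key, name, data in parse(text):
        k = key.lower()
        in_profile = '\\appdata\\' in (name + data).lower()
        is_exe_class = k.split('\\')[1:2] in (['.exe'], ['exefile'])
        if k == 'hkey_classes_root\\.exe' and name == '' and data != 'exefile':
            findings.append(('class-redirect', key, data))
        elif (k.endswith('\\shell\\open\\command') and is_exe_class
              and name == '' and data != '"%1" %*'):
            findings.append(('handler-hijack', key, data))
        elif k.endswith('\\currentversion\\run') and in_profile:
            findings.append(('autostart', key, data))        # starts at every logon
        elif k.endswith('\\muicache') and in_profile:
            findings.append(('execution-trace', key, name))  # record that it ran
    return findings

if __name__ == '__main__': print(*audit(SAMPLE), sep='\n')
```

The expected values (`exefile` for the `.exe` class and `"%1" %*` for the open command) match the "Good" data shown in the Malwarebytes log at the top of the thread.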
@ Night Hawk

NightHawk,

I wanted you to know I haven't bailed on you.
My daughter's little dog was run over & killed today by her roommate.
We are all really big dog lovers and I've been with her.
I'm so tore up, don't feel like I can handle computer today.

I will write back to you tomorrow.
I am going to take your suggestion and delete those two values,
but probably not a good idea for me right now, brain too scattered.

Talk to you tomorrow.

Thank YOU for all your input and help.

Jenn
 
