ZomgGuitarz1234
2010-07-25, 02:26
This thing just won't die! I mean I tried removing it with Spybot and Malwarebytes but it keeps coming back :sad:
It's also attacking my drivers. I know this because it ruined my sound driver and internet driver (I was lucky because I keep a copy of my driver installer on my flash drives in case of crap like this), and it's bringing its little friend, this fake anti-virus program called 'Antivirus Doctor'.
I'd like to post that one log you guys always ask for, BUT IT SCREWS WITH MY DOWNLOADS! Basically what it does is, the download cancels the first time, so then I try to download it again and it only downloads part of the file, so it doesn't work.
IDK how long I've got before it decides to screw with my startup stuff so I can't even turn my computer on (happened to me before, spookily similar scenario).
Updated Malwarebytes and it picked up a ****ton of viruses I didn't see before.
Here's the log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3944
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
4/1/2010 11:44:11 AM
mbam-log-2010-04-01 (11-44-11).txt
Scan type: Quick scan
Objects scanned: 103850
Time elapsed: 12 minute(s), 34 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
C:\Documents and Settings\Steve\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Steve\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Steve\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Steve\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Steve\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
--
Alright, I've found the file, which is
C:\Documents and Settings\<name>\Application data\ogix.exe
and the registry value, which is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\TaskMan
HOWEVER
I can't delete either, because THEY KEEP COMING BACK (I can only see ogix.exe through Malwarebytes; if I look in the folder itself with hidden folders enabled, I can't see it).
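An audit script for the persistence and hijack points this post names, added here as an example and not part of the poster's message or of Malwarebytes. It checks the registry values the MBAM log flagged (the .exe association and the rogue 'secfile' ProgID, the StartMenuInternet browser commands, the three Security Center DisableNotify values), the Winlogon\TaskMan value the poster found, and lists hidden executables in the two per-user data folders where ave.exe and ogix.exe lived. It assumes PowerShell 2.0 or later on XP SP3, run from an elevated session; the "expected" stock values (HKCR\.exe = exefile, exefile's open command = "%1" %*, no TaskMan value, DisableNotify = 0) are assumptions from a clean XP install, not values taken from the log.

```powershell
# Added audit example (not from the forum post). Reports what is still off
# at the persistence points named in the thread. Assumes PowerShell 2.0+ on
# Windows XP SP3, elevated. Stock values below are assumed clean-install defaults.

$findings = @()

function Get-Default($key) {
    # (default) value of a registry key, or $null if the key or value is absent
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p -eq $null) { return $null }
    return $p.'(default)'
}

# 1. .exe association (Hijack.ExeFile). A clean box has HKCR\.exe = "exefile",
#    no shell\open\command directly under .exe, and exefile's command = "%1" %*.
#    Note: HKCU\Software\Classes overrides HKCR for the current user, so check it too.
foreach ($root in 'Registry::HKEY_CLASSES_ROOT', 'HKCU:\Software\Classes') {
    $k = "$root\.exe\shell\open\command"
    if (Test-Path $k) { $findings += "$k exists (Hijack.ExeFile): " + (Get-Default $k) }
    $d = Get-Default "$root\.exe"
    if ($d -ne $null -and $d -ne 'exefile') { $findings += "$root\.exe default is '$d', expected 'exefile'" }
}
$want = '"%1" %*'
$d = Get-Default 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($d -ne $want) { $findings += "HKCR\exefile open command is '$d', expected '$want'" }

# 2. ProgID the rogue created (Rogue.MultipleAV)
if (Test-Path 'Registry::HKEY_CLASSES_ROOT\secfile') { $findings += 'HKCR\secfile still present' }

# 3. Winlogon\TaskMan: not present on a stock install; whatever is here is
#    launched in place of Task Manager, so the rogue survives "kill it from taskmgr".
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$tm = (Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue).TaskMan
if ($tm) { $findings += "Winlogon\TaskMan is set to: $tm" }

# 4. StartMenuInternet (Hijack.StartMenuInternet): the browser's open / safemode
#    command must not route through an executable in the user's profile data dirs.
Get-ChildItem 'HKLM:\SOFTWARE\Clients\StartMenuInternet' -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($verb in 'open', 'safemode') {
        $cmd = Get-Default ('Registry::' + $_.Name + "\shell\$verb\command")
        if ($cmd -and $cmd -match 'Documents and Settings\\[^\\]+\\(Local Settings\\)?Application Data') {
            $findings += "$($_.PSChildName) shell\$verb command hijacked: $cmd"
        }
    }
}

# 5. Security Center notifications (Disabled.SecurityCenter): all three should be 0
$sc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($v in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    if ($sc.$v -eq 1) { $findings += "Security Center\$v = 1" }
}

# 6. Executables in the two per-user data folders (ave.exe and ogix.exe lived here).
#    -Force lists Hidden and System files; Explorer keeps hiding System+Hidden files
#    even with "show hidden files" on unless "hide protected OS files" is also off,
#    which is the likely reason ogix.exe was invisible in the folder view.
foreach ($dir in "$env:APPDATA", "$env:USERPROFILE\Local Settings\Application Data") {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -ieq '.exe' } |
        ForEach-Object { $findings += "executable in profile data dir: $($_.FullName) [$($_.Attributes)]" }
}

if ($findings.Count -eq 0) { 'no findings' } else { $findings }
```

Run it once before and once after a cleanup pass; anything that reappears between runs is being re-created by a process that is still live, which is what the "they keep coming back" symptom points at, so the value to chase is whatever is still executing (step 3 and step 6 usually name it), not the registry entries themselves.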