Fortress Forever

Old 07-26-2011, 02:28 AM   #1
oaties
 
Join Date: Nov 2010
Gametype: Capture the Flag
Posts Rated Helpful 38 Times
Help me remove this virus Vista

I'm not sure it is a virus, but, yesterday my younger brother accidentally installed one of those fake antivirus programs (Vista Internet Security 2012) that spams you with fake virus alerts and tries to force you to upgrade it.

Anyways, it ran every time an exe file was run, so I changed in the registry to allow exe files and I managed to run Malware Bytes and Spybot S&D to remove it. All was fine, and fun in FF/TFC was had.

Now tomorrow, I wake up and try to launch steam, and I get the error: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

This happened with all of my exe's, including MalwareBytes and SpybotS&D, so basically I can't run them. I am able to re-install the programs, but shortly into a scan they crash and attempting to open them again gives me the same error;
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

It also re-directs my search results, for example if I select a result on google after searching it will re-direct me to advertisement sites instead of the site I was intending to go to through google.

This is really pissing me off now, I've been trying to fix it for hours with no success. Does anyone have any idea?
oaties is offline   Reply With Quote


Old 07-26-2011, 02:54 AM   #2
Hammock
D&A Member
 
Join Date: Sep 2007
Posts Rated Helpful 13 Times
Format C:\

But seriously though, can you boot into safe mode? If so, can you run things normally?

That fake antivirus shit is annoying, sometimes it's tricky sometimes it's super easy to get rid of.

Try doing a system restore from a few days previous, that would be the first thing I'd try.
Hammock is offline   Reply With Quote


Old 07-26-2011, 03:48 AM   #3
oaties
 
Join Date: Nov 2010
Gametype: Capture the Flag
Posts Rated Helpful 38 Times
Quote:
Originally Posted by Hammock View Post
Format C:\

But seriously though, can you boot into safe mode? If so, can you run things normally?

That fake antivirus shit is annoying, sometimes it's tricky sometimes it's super easy to get rid of.

Try doing a system restore from a few days previous, that would be the first thing I'd try.
Yes. I can run in safe mode. The thing is, regardless of how I'm running it, all anti malware processes get killed by this virus when I run them.

I think I disabled system restore quite some time ago.

Last edited by oaties; 07-26-2011 at 03:49 AM.
oaties is offline   Reply With Quote


Old 07-26-2011, 05:28 AM   #4
rodox
dunkaroos
 
Join Date: Apr 2008
Location: Michigan
Class/Position: Railgun
Posts Rated Helpful 2 Times
Download rkill. Download the one that is named iexplore.exe so the malware doesn't try to kill it. Run it and let it kill the malware processes. Download either Malwarebytes or Superantispyware. I prefer Superantispyware. Update either before scanning. Remove what it finds. Optionally use Combofix to clean some things up after removing the malware. Do all of this in normal mode and not safe mode. That should get rid of it, if not check out that Bleepingcomputer site for a specific tutorial.
rodox is offline   Reply With Quote


Old 07-26-2011, 01:19 PM   #5
SomeOldGuy
older than dirt
 
Join Date: Mar 2007
Location: just east of the jug handle
Posts Rated Helpful 9 Times
First, temporarily disable system restore.
If you need it, instructions are here:
http://support.microsoft.com/kb/310405

I've had some success before by renaming the Malwarebytes mbam.exe to something else, then just running the renamed mbam.exe in safe mode.

For running superantispyware, here are the various how-to options:
http://www.superantispyware.com/supp...ay.html?faq=71


Then I'd do as rodox said and after the renamed Malwarebytes run do Superantispyware followed by combofix to do a more thorough cleaning.

Google for the particular fake a/v that was downloaded to see if there are specific instructions on how to get rid of it.

Once clean, then re-enable system restore.

But I have to say that in the long run regardless of what you do you may have to do a clean install of Windows to get rid of it.
SomeOldGuy is offline   Reply With Quote


Old 07-26-2011, 03:16 PM   #6
Deadly Furby
Elder Scroll
 
Join Date: Mar 2007
Location: Cell Block 17
Posts Rated Helpful 13 Times
Here are instructions for manual removal that you can find at the 2-spyware site: http://www.2-spyware.com/remove-vist...rity-2012.html

Remove Vista Internet Security 2012


Delete registry values:
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'


Delete files:
%AllUsersProfile%\U3F7PNVFNCSJK2E86ABFBJ5H
%LocalAppData%\ppn.exe
%Temp%\U3F7PNVFNCSJK2E86ABFBJ5H
%LocalAppData%\U3F7PNVFNCSJK2E86ABFBJ5H
%AppData%\TEMPLATES\U3F7PNVFNCSJK2E86ABFBJ5H
Deadly Furby is offline   Reply With Quote
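
Added example (not part of the original post or the linked removal instructions): a Python check that scans the text of a `reg export` dump for the kind of entries listed above, namely an .exe/exefile open command that differs from the stock `"%1" %*`, any shell command launched from a per-user directory, and the Security Center override flags. The sample export is constructed, and the function and rule names are illustrative; it assumes values exported as plain REG_SZ text already decoded to a Python string.

```python
import re

EXPECTED = '"%1" %*'  # stock Windows value for the exefile open command
USER_WRITABLE = ("%localappdata%", "%appdata%", "%temp%")
EXE_KEY = re.compile(
    r'(^hkey_classes_root|\\classes)\\(\.exe|exefile)\\shell\\open\\command$')
OVERRIDES = ('"antivirusoverride"', '"firewalloverride"')

# Constructed sample in `reg export` text format (not from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"%LocalAppData%\\kdn.exe\" -a \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"%LocalAppData%\\kdn.exe\" -a \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
'''

def unescape(s):
    """Undo .reg string escaping (only backslash and double quote are escaped)."""
    return re.sub(r'\\(["\\])', r'\1', s)

def audit(reg_text):
    """Return (rule, key, value) findings for hijacked shell handlers."""
    findings, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # start of a new registry key section
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or key is None:
            continue
        name, raw, low = m.group(1), m.group(2), key.lower()
        if name == "@" and low.endswith("\\command") and raw[:1] == raw[-1:] == '"':
            cmd = unescape(raw[1:-1])  # the (Default) value of a command key
            if EXE_KEY.search(low) and cmd != EXPECTED:
                findings.append(("exe-handler-hijack", key, cmd))
            elif any(p in cmd.lower() for p in USER_WRITABLE):
                findings.append(("handler-in-user-writable-path", key, cmd))
        elif (low.endswith("\\microsoft\\security center")
              and name.lower() in OVERRIDES and raw == "dword:00000001"):
            findings.append(("security-center-override", key, name.strip('"')))
    return findings

if __name__ == "__main__":
    for rule, key, value in audit(SAMPLE_EXPORT):
        print(f"{rule}: {key} -> {value}")
```
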


Old 07-26-2011, 08:11 PM   #7
Icculus
D&A Member
 
Join Date: Mar 2007
Location: New Hampshire
Posts Rated Helpful 0 Times
Quote:
Originally Posted by rodox View Post
Download rkill. Download the one that is named iexplore.exe so the malware doesn't try to kill it. Run it and let it kill the malware processes. Download either Malwarebytes or Superantispyware. I prefer Superantispyware. Update either before scanning. Remove what it finds. Optionally use Combofix to clean some things up after removing the malware. Do all of this in normal mode and not safe mode. That should get rid of it, if not check out that Bleepingcomputer site for a specific tutorial.
^^ This.

We run into that virus at work a lot and the stuff Rodox listed works great to clean it out. We use MBAM though. I haven't tried Superantispyware.

-Icculus
Icculus is offline   Reply With Quote


Old 07-29-2011, 08:16 PM   #8
zE
Pew pew ze beams
 
Join Date: Jan 2008
Gametype: Gathers
Affiliations: pew pew
Posts Rated Helpful 11 Times
I had one of those viruses that blocked all my antivirus and spyware programs, and renaming the Malwarebytes did work for me D :
zE is offline   Reply With Quote

