Getting Vista Antispyware 2012 popups


biomedgator
01-12-2012, 01:31 AM
Getting these pop-ups saying my computer is infected and asking me to purchase the full version. Looking on the Internet, this seems like a scam. What is the best way for a novice to get rid of it? I unplugged my external drives and unplugged the network. It says my personal info is at risk of being stolen, so buy the software to remove it.

Is it too late? Should I take some corrective action for personal data?

Thanks in advance.

rtango54
01-12-2012, 01:44 AM
It's malware. If you have access to another PC (with up-to-date antivirus software), take your infected drive out, hook it up to the good PC and run a virus scan (with current virus definitions). This should remove the infected file. If this is not a possibility, try to install antivirus software on your infected PC.

rtango54
01-12-2012, 01:46 AM
There are many free antivirus programs, but IMO it's worth the cost to have good protection.

orangeblueorangeblue
01-12-2012, 07:33 AM
Simple to fix.

First, on another computer, download RKill (http://www.bleepingcomputer.com/download/anti-virus/rkill) and put it on a thumb drive (keep that thumb drive for possible future use). You need RKill because this will be loaded as a service even if you start in safe mode.

Now that you have that, restart the infected computer in safe mode by tapping F8 through the reboot process. Do Safe Mode with Networking.

Once this loads up, you may see the Antispyware trojan making some noise. Put in the thumb drive, open it and run RKill. This may take a few minutes, but it will open up Notepad when it's done.

Next, open your browser and go to: http://www.malwarebytes.org/

Download the free version and run it. If you get any errors about being unable to connect to the Internet, let me know what browser you're using and we'll talk through disabling the proxy server.

Let this thing run, doing a full scan. It will likely find 4-6 pieces of malware over the course of an hour or an hour and a half. When it's done, remove the malware if prompted and reboot.

Once your computer has rebooted again, run RKill again (just for fun) and do another complete scan with Malwarebytes. It should be fixed now.

There is a remnant in some variants that is not in the MWB library but *is* in MSSE, so you can substitute Malwarebytes for MS Security Essentials if you prefer.

Incidentally, the cause of this (and many other forms of) virus is an exploit in Flash. So make absolutely sure you have Flash and Java updated. If you ever get prompted for updates to Flash or Java, do not ignore them. Most people ignore them as a nuisance, but they're actually the biggest hole for non-open-port infections.

If you use a good browser, have one AV app running and keep both updated, you will generally be very safe.

orangeblueorangeblue
01-12-2012, 07:33 AM
Incidentally, I don't ever recommend removing a drive and bringing it to another computer. That's just overkill.

biomedgator
01-12-2012, 08:47 AM
Thanks orangeblue, I will try it when I get home. I knew it was a scam right away, but it was doing it under the ruse of Microsoft security.

HALLGATOR
01-12-2012, 10:20 AM
You want to be aware that some people have lost internet connections after cleaning up this type of infection. If this happens, there are fixes for it, so don't panic.

gatorfansrule
01-12-2012, 12:33 PM
> There are many free antivirus programs, but IMO it's worth the cost to have good protection.

I don't agree with this. There are free programs that are just as good as the paid programs at protecting you from malicious software and most of them are not as resource intensive as the paid ones.

biomedgator
01-12-2012, 04:51 PM
I was using Windows security and updating frequently. Any other good paid or free ones out there? Most people overlook this stuff and say it will never happen to them, until it actually happens to them.

gatorfansrule
01-12-2012, 04:55 PM
Microsoft Security Essentials, AVG, & Avast are all good free ones I have used in the past.

asmsdn
01-12-2012, 05:01 PM
Good luck in getting it off. I've had that before and it really does infect a lot of stuff. Basically I had to wipe out my hard drive and start over.

HALLGATOR
01-12-2012, 05:29 PM
> I was using Windows security and updating frequently. Any other good paid or free ones out there? Most people overlook this stuff and say it will never happen to them, until it actually happens to them.

Right off the bat I am not sure I know what you are referring to when you say "windows security." Do you mean Microsoft Security Essentials or something else?

vaxcardinal
01-12-2012, 05:55 PM
I would also run ESET (free online scanner)

biomedgator
01-12-2012, 06:03 PM
Yes, Windows Security Essentials.

I tried to download that RKill file and when I went to open it in safe mode it said it was not a Win32 application. Is there something I am doing wrong?

biomedgator
01-12-2012, 08:11 PM
Saw my own error: what looked like a Download Now button was a banner for something else. Got it now, will try again.

orangeblueorangeblue
01-12-2012, 09:50 PM
Make sure it's a .com file.

td21
01-12-2012, 09:58 PM
You have what is called the Fake AV virus. Easy to clean; there is a removal tool on majorgeeks.com. Look under spyware/malware. We clean many a day at my shop.

HALLGATOR
01-12-2012, 10:23 PM
Why don't we try to stick with one thing at a time so as not to confuse him. What OBOB posted is a good start. Let him do that and then see if we need to go any further.

biomedgator
01-12-2012, 10:59 PM
> Make sure it's a .com file.

I used the .exe file. Is that bad? Everything you said happened. The Malwarebytes program locked up after about an hour, so I killed it and ran it again.

biomedgator
01-12-2012, 11:00 PM
> Why don't we try to stick with one thing at a time so as not to confuse him. What OBOB posted is a good start. Let him do that and then see if we need to go any further.

Thanks

HALLGATOR
01-12-2012, 11:40 PM
> I used the .exe file. Is that bad? Everything you said happened. The Malwarebytes program locked up after about an hour, so I killed it and ran it again.

No, that was OK as long as you got it from the link that OBOB provided. As the site says, the reason there are different downloads is to try to get around infections blocking the use of the program. Where one might not download and work, another might.

biomedgator
01-14-2012, 11:35 AM
OK, it took over 5 hours for Malwarebytes to run. It found 8 objects and I cleaned them off. I have the log file I can copy and paste to see what it cleaned. Well, I am running it again just to see if it comes up zero.

After I do the second run I will make sure Microsoft Security Essentials is turned on again. Is there anything else I should check or do to make sure I am clean? Thanks for all the advice.

HALLGATOR
01-14-2012, 12:05 PM
Why don't you go ahead and post the log from MalwareBytes so we can take a look at it. Then I would run a scan with your Security Essentials to see if it found anything.

biomedgator
01-14-2012, 03:10 PM
Hopefully there is no personal information in the logs. After the second run of Malwarebytes it found zero objects. Rebooted and made sure Microsoft Security Essentials was up to date and running. Is there anything else I can do to make sure there is not something lurking?

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.13.05

Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Duane :: DUANE-PC [administrator]

1/13/2012 7:40:01 PM
mbam-log-2012-01-13 (19-40-01).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 1066835
Time elapsed: 5 hour(s), 20 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\CouponAlert_2pInstaller.Start (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CouponAlert_2pInstaller.Start.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 3
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Duane\AppData\Local\tvj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Duane\AppData\Local\tvj.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\Duane\AppData\Local\tvj.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Duane\AppData\Local\tvj.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
C:\Users\Duane\AppData\Local\Temp\oiu0.5674160981381792.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Angeline\AppData\Local\Temp\kolf0.43029417643250156.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.

(end)

HALLGATOR
01-14-2012, 04:53 PM
I like to run eset online scanner after any infection. It's not absolutely necessary but it sure won't hurt anything. Link is below.

http://www.eset.com/us/online-scanner/

No worry about the log you posted; it doesn't show any info that could be used against you. As you see from the log, you had the Fake Alert Trojan and MBAM took care of it.

For the future, make sure you keep all of your programs as up to date as possible. As OBOB said earlier, Java and Flash are often exploited due to people not updating them. Also use caution with what you click on. If it is the least bit suspicious, my suggestion is to not open it. Good common sense approaches to surfing and opening emails will go a long way to help with avoiding infections in the future.

By the way, if you use the ESET scanner, let it clean anything it finds. If you have any more questions, just ask.

biomedgator
01-15-2012, 12:01 AM
Microsoft Security Essentials found 12 items.

Some may have been old. This computer is about 5-6 years old.

HALLGATOR
01-15-2012, 12:18 AM
What did it find? Might want to run another Quick Scan with MalwareBytes. It shouldn't take very long this time.

HALLGATOR
01-15-2012, 12:19 AM
By the way if you didn't update the definitions in MalwareBytes make sure to do that before running it again.

biomedgator
01-15-2012, 09:14 PM
Ran the www.eset.com scan and it found one file, but it was a file that Microsoft Security Essentials found several months ago.

Ran Malwarebytes again and it did not find anything. Definitions were up to date.

HALLGATOR
01-15-2012, 10:29 PM
That sounds good. Looks like you are OK now.

biomedgator
03-22-2012, 12:56 AM
You guys were a lot of help before. Malwarebytes keeps finding this trojan.agent.gen; I deleted it and it came back. Is there something I can do to get rid of it permanently?

orangeblueorangeblue
03-22-2012, 07:25 AM
I assume you're booting in safe mode before running this?

biomedgator
03-22-2012, 05:34 PM
Yes, I followed the same steps above.

When I run ESET, should it be in safe mode? It found three files in websearch.

biomedgator
03-23-2012, 11:19 AM
Both Microsoft Security Essentials and ESET catch nothing in safe mode. And yes, Microsoft Security Essentials is up to date.

HALLGATOR
03-24-2012, 12:36 AM
Don't boot into safe mode; run MalwareBytes in normal mode instead. Then post the log it produces. Make sure you update MalwareBytes before doing so.

biomedgator
03-26-2012, 07:53 AM
Did not find anything in non-safe mode.

3/26/2012 12:10:48 AM
mbam-log-2012-03-26 (00-10-48).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 759928
Time elapsed: 4 hour(s), 42 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

HALLGATOR
03-26-2012, 09:33 AM
Run it in normal startup mode and see what it finds.

biomedgator
03-26-2012, 01:19 PM
Yeah the log above was in normal startup mode. I'll run again in safe mode to see if it catches anything.

HALLGATOR
03-26-2012, 04:37 PM
Are you having some kind of symptoms now that are affecting your computer?

biomedgator
03-26-2012, 06:54 PM
Well, I have not really been using it since the reinfection. But it did seem slow before, like taking a long time for programs to load, and not so much now. Also not getting those "you've been affected" pop-ups since the first time I ran Malwarebytes. I think I might have gotten rid of it but am just being cautious.

HALLGATOR
03-26-2012, 07:36 PM
Since you ran MBAM a few times in both normal and safe mode, coupled with neither ESET nor Security Essentials finding anything, it appears you are OK. If you start having any more bad symptoms then it might require further examination, but as it is I don't believe you have anything to worry about.

biomedgator
03-26-2012, 08:59 PM
Here is the log I get from MalwareBytes when I run it in Safe Mode. It catches that one file, but it only catches it in Safe Mode, and both virus scanners catch nothing.

3/26/2012 4:53:55 PM
mbam-log-2012-03-26 (16-53-55).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 757811
Time elapsed: 2 hour(s), 53 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|GrpConv (Trojan.Agent.Gen) -> Data: grpconv -o -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

HALLGATOR
03-26-2012, 09:51 PM
Try running ESET in normal startup mode and see if it catches anything else.

biomedgator
03-26-2012, 10:16 PM
I have already, and it caught one thing initially, but after that nothing. The only thing that catches anything between ESET, Microsoft Security Essentials, or Malwarebytes in normal startup or safe mode is Malwarebytes in safe mode.

Also, when I run RKill in safe mode after the first time, it shuts down nothing.

The first time I ran RKill it stopped stuff, Malwarebytes found something and ESET found something.

HALLGATOR
03-26-2012, 10:54 PM
It's not surprising RKill is not shutting things down. If it doesn't find processes that would stop MBAM or other anti-malware programs, then it won't shut anything down. What we are seeing in the MBAM report is a registry entry. However, there is no associated file showing up, which is good. Without a file to call up, the registry entry really is no threat, but I don't know why it keeps coming back.

One question: have you rebooted your computer since you ran MBAM? If you haven't, do that before doing anything else.

And just for the heck of it, do a search for the following file:

grpconv.exe
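The two registry spots the MBAM logs in this thread flagged (the StartMenuInternet launch commands hijacked to tvj.exe in the first log, and the RunOnce GrpConv value in the later one) can be audited from PowerShell. This is an added example, not code from anyone in the thread; it assumes PowerShell 2.0 or later on the affected Windows machine, run from an elevated prompt, and it only reports, changing nothing.

```powershell
# Added example, not from the thread. Read-only audit of the two persistence spots the MBAM logs
# above flagged: StartMenuInternet launch commands (hijacked to tvj.exe) and Run/RunOnce values (GrpConv).
function Get-CommandExecutable {
    param([string]$Command)
    # First token of the command line: a quoted path, or the text up to the first space
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}
function Test-SuspiciousExecutable {
    param([string]$Path)
    # Flag .exe files sitting directly in a user's AppData\Local or AppData\Local\Temp, where the
    # log's tvj.exe and droppers lived. Deeper paths (e.g. Chrome's AppData\Local\Google\...) are not matched.
    return ($Path -match '\\AppData\\Local\\(Temp\\)?[^\\]+\.exe$')
}
function Get-AutostartFindings {
    $findings = @()
    # 1. Browser launch commands under StartMenuInternet (native and 32-bit views)
    $roots = 'HKLM:\SOFTWARE\Clients\StartMenuInternet', 'HKLM:\SOFTWARE\WOW6432Node\Clients\StartMenuInternet'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($browser in Get-ChildItem $root) {
            foreach ($sub in 'shell\open\command', 'shell\safemode\command') {
                $key = "$($browser.PSPath)\$sub"
                if (-not (Test-Path $key)) { continue }
                $cmd = [string](Get-ItemProperty -Path $key).'(default)'
                if (Test-SuspiciousExecutable (Get-CommandExecutable $cmd)) {
                    $findings += New-Object PSObject -Property @{ Location = "$($browser.PSChildName)\$sub"; Command = $cmd; Reason = 'AppData executable' }
                }
            }
        }
    }
    # 2. Run / RunOnce values for the machine and the current user
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $exe = Get-CommandExecutable ([string]$p.Value)
            if (Test-SuspiciousExecutable $exe) { $reason = 'AppData executable' }
            elseif ($exe -and -not [IO.Path]::IsPathRooted($exe) -and -not (Get-Command $exe -ErrorAction SilentlyContinue)) {
                $reason = 'executable not found on PATH'   # the bare "grpconv" case: worth a manual search
            } else { continue }
            $findings += New-Object PSObject -Property @{ Location = "$key\$($p.Name)"; Command = $p.Value; Reason = $reason }
        }
    }
    return $findings
}
Get-AutostartFindings | Format-Table Location, Command, Reason -AutoSize
```

An empty table means neither location currently points at an AppData executable or an unresolvable command; a hit is something to look up before deleting, since the check is a heuristic, not a verdict.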

biomedgator
03-28-2012, 12:05 AM
Yes, I usually reboot after a scan. Also, I could not find that file grpconv.exe or grpconv.

Any recommendations on other spyware scanners I could run?

HALLGATOR
03-28-2012, 08:14 PM
You could download and run SuperAntiSpyware remover. Like MBAM, it is user friendly and could possibly have some definitions that MBAM doesn't have. There are more powerful tools to use, but at this point I wouldn't suggest them since you are not having any symptoms and all I have seen is one registry entry. Here is a link to SuperAntiSpyware if you want to use it. I had SAS on my computer for a long time but took it off since it seemed to cause a few performance problems. You can always install it, run it, and then remove it if you want to.

http://superantispyware.com/