
in dire need of help

Raziel99

Pulsar
Joined Jan 15, 2009
Right now, I need help from the more technical of those here at BM. I'm fighting a virus on my laptop, and it has stalled or stopped me almost every time. I will go into detail on it if I can get back online with it, but right now I can't even get to login. After it boots up, the screen goes dark, shows the mouse pointer, but stays there. How can I at least fix that before I go on to fight this virus/malware?
 
What I have done so far was to run a few different diagnostics, checked if I could turn off the infected program before startup, and I have even tried to load up a previous state, all to no avail. Safe modes load up with the same black screen problem.
 
I was gonna say, if you could get into Safe Mode (I used Safe Mode with Networking when I had the rogue antivirus program), use Firefox to get on the internet. For whatever reason FF is unaffected by viruses... which is weird but cool. Get the usual anti-malware programs, and set them to seek and destroy the virus. I went a little further and used ComboFix to clean up after everything and set it all straight. Though ComboFix only works with XP and earlier so... yeah. But other than that I wouldn't know what else to do. Well, if you can get to the normal desktop and get the Task Bar at the bottom of the screen to show, before ANYTHING starts to load, right click it, bring up the Task Manager, go to Processes and find the process(es) for the virus and deactivate them before they start up. I'd have to guess by the way you describe the computer it sounds like a worm virus.
 
It's the Vista Antivirus Pro malware. It has taken over my Windows Defender, sadly. And I have a program to get rid of it, but I need to be able to get to my desktop, which I can't, which is the bigger problem. Once I can get on safe mode with networking, I should be OK, but before I can even login, the screen goes black/dark gray. That is the biggest issue.
 
Yep, I had the same virus. Use Malwarebytes, and either Avira Antivirus or Avast to keep it out. I went to safe mode and killed it. It started up with everything but the program itself, which magically installed itself onto my computer telling me everything is infected. Except FF. Again, that was weird but convenient. If you can't do that, try the task bar thing, THEN the Malwarebytes and shit. Also, if you're having trouble getting to the login screen, when the blue screen comes up keep hitting Escape and it will bring up a boot menu. You want to select the C drive to load first; it will take you directly to the login screen and load only the C drive. Which is what you want, really. Then it will load everything else rather slowly. Which is a good thing. So if you can do that, then do the whole right click task bar and end the processes and shit.
 
Thanks for the help, I'll check that when I get home. The funny thing is that it said Firefox was infected with a trojan and hassled me every time I tried to open it, so it's getting smarter. But I think the program I have is what you suggested. So here's to crossing my fingers. And if all else fails, destructive restore. But with everything on my laptop, I hope it doesn't come to that.
 
If you have Vista, then you should be fine with a complete format. Vista likes to put EVERYTHING as a backup on the D drive. So a complete format of the C drive should be fine. Just hope Vista didn't royally fuck itself and put the virus on the D drive too.
 
Nothing has helped yet. I haven't been given a menu option for what drivers to have on, what drives to have on, etc. Add that debugging makes you have to do the login, where it does the black screen and does nothing, and most of those options do that too! I'm doing memory diagnostics right now just so I don't rip my hair out.
 
http://www.bleepingcomputer.com/virus-r ... vista-2010
http://getridof-virus-infected-for-free.blogspot.com/
http://www.spywareremove.com/removeVist ... o2010.html
http://www.xp-vista.com/spyware-removal ... ivirus-pro

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "av.exe" /START "firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "av.exe" /START "firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "av.exe" /START "iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"

%Documents and Settings%\[UserName]\Application Data\av.exe
%Documents and Settings%\[UserName]\Application Data\WRblt8464P

All of those have suggestions of programs to use, solutions to rid your computer of it, and how to manually get into your system and eradicate it. If you can get Task Manager open through alternative means, go to Processes and look for "av.exe"; that's the Antivirus Pro malware. End it before anything can load and start up. You have to be quick about it. Till then it's one of those "I'd have to see it to fix it" things. This is also why I love XP. So simple to navigate through, hehehe. Out of date maybe, but still very simple :) And those above are the registry keys it creates to override your shit and hijack it. If you can open the registry, search for those by following the string, and then delete them one by one. Specifically the last two.

Also, a biiiig note for those who don't know and are using Windows 7, which was originally thought immune to the Antivirus Pro virus.

http://www.pandasecurity.com/homeusers/ ... antivirus/

It's evolved by adding the name "Panda" to it and is now compatible with Windows 7. Stay away from it. Seriously.
 
I know what the main piece of the malware is. I guess the ultimate question that will help me here is this: how do I open Task Manager without booting up or logging in?
 
Hmmm, I would think your best bet is to hit F1 during the blue screen and open the Supervisor screen. I wouldn't set a password just yet to protect the supervisor, since the virus might change it on you. There might be a task manager option in there. As far as I know that's what I use when I want to get around shit without going through the main page of things. The virus blocking Safe Mode means whoever made it evolved it. There's no case of it blocking Safe Mode, except one, and that guy just trashed his computer and got a new one. But seeing as you have everything on this laptop, I don't think you want to do that.
 
If it only stopped safe mode, it wouldn't be a problem. But it's stopping everything! I can't even get on normally now.
 
Ooh, the maker of this is smart. I forced it to shut down so I could try to repair startup, but the bugger has stopped the Startup Repair option. When it is chosen, it refreshes the options until you pick Start Normally. Then the usual black screen.
 
Shit. The next best thing I can think of is professional help. Like maybe Vek or something. It's acting totally differently from when I got it.
 
I have no idea how I'll get in contact with him. Thank god that I have the installation disks. I'll try using them before I strangle myself.
 
Wait! I can get rid of the fucker! I can get into Command Prompt! Please, I need the commands to delete this thing, since it's not active because I'm currently loaded from a disk. I don't know the commands. I run Vista, if that helps.

Also, if it helps, the prompt it opens to is X:\Sources>

If I could have someone walk me through this, I would be eternally grateful.
 
Uhh... I unfortunately just ended up wiping my computer completely when this happened. Dx No one else could fix it... so I wiped it and upgraded to Windows 7 >.<
 
I'm not giving up unless this doesn't work. If I can't delete it or stop it from this part, I'll have no choice. But it's in my sight; I just need the commands to kill it with the command prompt start that I posted earlier.
 
You can open the command prompt? Awesome! Type notepad and press Enter.
Notepad opens. Copy all the text below into Notepad.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

Save this as fix.reg to your Desktop (remember to select "Save as type: All Files" in Notepad).
Double-click fix.reg and click YES to confirm.
Reboot your computer.

Then run Malwarebytes etc. You get the idea. Another thing to do is give the command "SFC /scannow" and hit Enter from the CMD prompt. It will scan through all Microsoft-protected files and replace the corrupted ones with original Microsoft ones. That will give a little leeway to remove the virus, which again might also allow the use of an anti-malware program.
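To make clear what the fix.reg above actually undoes, here is a small model of the registry keys named earlier in the thread (the av.exe shell\open\command hijack and the Security Center overrides) with the .reg fix applied to it. This is an added Python example, not code from the thread or from any of the posters. The registry snapshot is constructed from the keys the thread lists, not taken from a real machine; the parser handles only the string-value subset of the "Windows Registry Editor Version 5.00" syntax that the fix uses; and resolve_exe_command is a simplified version of how Windows picks the command for an .exe, not the real Explorer logic.

```python
import copy
import re

# The .reg fix posted above, reproduced verbatim so the model can apply it.
FIX_REG = r'''Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
'''

# Constructed snapshot of the hijacked keys listed earlier in the thread (not a real export).
# Layout: {key_path: {value_name: data}}; value name "" is the (Default) value.
AV_CMD = '"av.exe" /START "%1" %*'
CLEAN_CMD = '"%1" %*'
HIJACKED = {
    r"HKEY_CURRENT_USER\Software\Classes\.exe": {"": "secfile"},
    r"HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command": {"": AV_CMD},
    r"HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command": {"": AV_CMD},
    r"HKEY_CLASSES_ROOT\.exe": {"": "exefile", "Content Type": "application/x-msdownload"},
    r"HKEY_CLASSES_ROOT\.exe\shell\open\command": {"": AV_CMD},
    r"HKEY_CLASSES_ROOT\secfile\shell\open\command": {"": AV_CMD},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"": CLEAN_CMD},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center": {
        "AntiVirusOverride": "1", "FirewallOverride": "1"},
}

# Matches @="data" or "Name"="data"; .reg escapes \ and " inside strings with a backslash.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r'\\(["\\])', r'\1', s)

def apply_reg(registry, text):
    """Apply a .reg script to the registry dict in place: [KEY] selects/creates a key,
    [-KEY] deletes it with all subkeys, @="..." sets (Default), "Name"="..." sets a value."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[-") and line.endswith("]"):
            victim = line[2:-1]
            for key in [k for k in registry if k == victim or k.startswith(victim + "\\")]:
                del registry[key]
            current = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            registry.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("unsupported .reg line: " + raw)
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        registry[current][name] = _unescape(m.group(3))
    return registry

_CLASS_ROOTS = (r"HKEY_CURRENT_USER\Software\Classes", "HKEY_CLASSES_ROOT")

def _lookup(registry, suffix, name=""):
    # Per-user classes shadow the machine-wide ones, so HKCU\Software\Classes is checked first.
    for root in _CLASS_ROOTS:
        data = registry.get(root + "\\" + suffix, {}).get(name)
        if data:
            return data
    return None

def resolve_exe_command(registry):
    # Simplified shell lookup: a shell\open\command directly under the .exe extension key
    # wins; otherwise .exe's (Default) names a ProgID (exefile when clean) whose command is used.
    direct = _lookup(registry, r".exe\shell\open\command")
    if direct:
        return direct
    progid = _lookup(registry, ".exe")
    return _lookup(registry, progid + r"\shell\open\command") if progid else None

def security_center_overrides(registry):
    """Names of Security Center *Override values still set to "1" (the malware's setting)."""
    sc = registry.get(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", {})
    return sorted(n for n, v in sc.items() if n.endswith("Override") and v == "1")

def run_demo():
    """Return (exe command before the fix, command after it, overrides the fix leaves set)."""
    reg = copy.deepcopy(HIJACKED)
    before = resolve_exe_command(reg)
    apply_reg(reg, FIX_REG)
    return before, resolve_exe_command(reg), security_center_overrides(reg)
```

run_demo() returns "av.exe" /START "%1" %* as the command before the fix and "%1" %* after it: the four [-KEY] lines remove the hijacked per-user .exe and secfile classes (which would otherwise shadow HKEY_CLASSES_ROOT) and the command placed directly under HKCR\.exe, and the two [KEY] sections point .exe back at exefile with a normal command. The third value it returns shows that AntiVirusOverride and FirewallOverride from the earlier list are left untouched, so this fix.reg restores launching of .exe files but does not undo that part of the hijack.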
 
Damn, lost my message. Let's try again.

In Command Prompt through the OS disk that came with the laptop. The file couldn't be saved to the desktop, so I put it in C:. I need the command prompt line to activate it from here, because from what I know, I can't get to the desktop yet. And the other prompt that I was given didn't work.

Near the end, I think. Thank you, King.
 
Strike that, I opened the file and it saved to the registry. I don't know if that changed the disk or the computer, but I hope it did the latter. Either way, I still can't get into login. Is there a way to get the malware to download and scan while I'm here? It didn't finish when I tried to earlier before these problems... wait. I think I have an idea.
 
I can get into my C: drive, so if I can be told where the files are, I can delete them.
 
They will be all over the C: drive, in the registry and everything, so manually killing it will take some time.

To get into the registry, click Start and then Run, and in the Open field type REGEDIT and hit Enter. This gets into the system registry. Altering the registry can damage Windows. But try looking for the following registry entries and delete them.

HKEY_CURRENT_USER\Software\AvScan

HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system tool"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Extensions
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SQM\PIDs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\[ORIGINAL FILE NAME]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010

These are the DLLs of the virus:

AVEngn.dll htmlayout.dll pthreadVC2.dll msvcm80.dll msvcp80.dll msvcr80.dll

The files. Generally you will find these in C:/Program Files/AV (or Antivirus Pro or whatever), or C:/WINDOWS/System32/<insert whatever name here>, and so on and so forth.

AntivirusPro_2010.lnk
bojag.dl
aqepe.dat
nyxuj.com
Uninstall.lnk
ebapepyno.db
emuziwe.pif
ugozuf._sy
uxitavo.dl
carugy.com
yquxihet.exe
ojupegos.pif
qanof.bin
yrihoka.lib
zecorykyp.lib
AntivirusPro_2010.cfg
AntivirusPro_2010.exe
AVEngn.dll
daily.cvd
htmlayout.dll
Microsoft.VC80.CRT.manifest
msvcm80.dll
msvcp80.dll
msvcr80.dll
pthreadVC2.dll
Uninstall.exe
wscui.cpl
medoqokeqo.exe
ycevykazu.vbs
yhabozix.vbs
_scui.cpl
azasal.bin
dinubem.dl
exifoton.dll
mifiryvele.exe
ralun.sys

This is the directory of the virus. This will lead to the rest of it, most likely.

c:\Program Files\AntivirusPro_2010
 
You'll have to read them from left to right like a book; each word is the name of the folder you're looking for. It's literally a string of instructions to find the file, program, driver, etc. Just follow the bread crumbs, so to speak.
 