
MS AntiVirus 2009 Removal Help


This topic is locked
5 replies to this topic

#1 mikep77
  • Members
  • 13 posts

Posted 17 February 2009 - 06:34 AM

I've cleaned out hundreds of various forms of spyware/malware, but I'm stuck on this one. I'm trying to clean out a computer that's infected with MS AntiVirus 2009. I have been working on this machine for hours and I just can't get the rest of it out.

I have the rogue screens gone, but every time I plug in to the internet, msas2009.exe appears in the Task Manager. Also, under c:\documents and settings\all users\application data, a folder called Crucial Soft with the MS AntiSpyware 2009 folder appears with an alert about a file called _ad6.exe not being able to run in 16 bit mode. Sometimes the file is _ad5.exe.

I have run MalwareBytes in both quick and full mode. It does find the registry entries and folder, but like I said they come back as soon as I plug into the internet.

Here's a HJT log, along with a ComboFix log.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:30:23, on 2/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4801 bytes


COMBOFIX:


ComboFix 09-02-15.01 - angelica 2009-02-17 4:43:45.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.250 [GMT -5:00]
Running from: c:\documents and settings\angelica\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.

2009-02-17 04:11 . 2008-04-14 05:42 1,306,624 --------- c:\windows\system32\msxml6.dll
2009-02-17 04:11 . 2008-04-14 05:42 1,306,624 -----c--- c:\windows\system32\dllcache\msxml6.dll
2009-02-17 04:11 . 2008-04-14 05:41 136,192 --------- c:\windows\system32\aaclient.dll
2009-02-17 04:11 . 2008-04-13 22:57 79,872 --------- c:\windows\system32\msxml6r.dll
2009-02-17 04:11 . 2008-04-13 22:57 79,872 -----c--- c:\windows\system32\dllcache\msxml6r.dll
2009-02-17 04:11 . 2008-04-14 05:42 10,752 --------- c:\windows\system32\smtpapi.dll
2009-02-17 04:11 . 2008-04-14 05:42 9,728 --------- c:\windows\system32\rwnh.dll
2009-02-17 04:09 . 2009-02-17 04:09 <DIR> d-------- c:\windows\system32\scripting
2009-02-17 04:09 . 2008-04-14 05:42 712,704 --------- c:\windows\system32\windowscodecs.dll
2009-02-17 04:09 . 2008-04-14 05:42 346,112 --------- c:\windows\system32\windowscodecsext.dll
2009-02-17 04:09 . 2008-04-14 05:42 276,992 --------- c:\windows\system32\wmphoto.dll
2009-02-17 04:09 . 2008-04-14 05:42 69,120 --------- c:\windows\system32\wlanapi.dll
2009-02-17 04:09 . 2008-04-14 05:42 53,248 --------- c:\windows\system32\tsgqec.dll
2009-02-17 04:09 . 2008-04-14 05:42 50,688 --------- c:\windows\system32\tspkg.dll
2009-02-17 04:08 . 2009-02-17 04:08 <DIR> d-------- c:\windows\system32\en
2009-02-17 04:08 . 2009-02-17 04:08 <DIR> d-------- c:\windows\l2schemas
2009-02-17 02:58 . 2008-04-13 22:06 144,384 --------- c:\windows\system32\drivers\hdaudbus.sys
2009-02-17 02:58 . 2008-04-14 00:10 10,240 --------- c:\windows\system32\drivers\sffp_mmc.sys
2009-02-17 02:56 . 2006-12-29 00:31 19,569 --a------ c:\windows\006439_.tmp
2009-02-17 02:42 . 2009-02-17 04:18 <DIR> d-------- C:\caec1c51d5a00e56156114
2009-02-17 02:03 . 2009-02-17 02:03 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-17 01:16 . 2009-02-17 04:48 <DIR> d-------- c:\windows\system32\CatRoot2
2009-02-17 01:11 . 2009-02-17 01:11 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 04:21 . 2009-02-17 00:04 <DIR> d-------- c:\windows\system32\inf
2009-02-16 03:29 . 2009-02-16 03:29 <DIR> d-------- c:\program files\Windows Resource Kits

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-17 07:03 --------- d-----w c:\program files\Java
2009-02-16 09:20 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-02-11 15:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 15:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-04 05:58 --------- d-----w c:\program files\Apple Software Update
2009-01-04 04:11 --------- d-----w c:\program files\LimeWire
2005-11-19 00:45 4,755,456 ----a-w c:\documents and settings\Family Photos\AbsolutePoker5_7_10.exe
2005-01-16 03:13 534,104 ----a-w c:\documents and settings\Family Photos\psa2011_ytb01_DLM_enu_full.exe
.

------- Sigcheck -------

2004-08-04 02:56 31744 f70974432450a4947e1f457f41f4dc03 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-14 05:42 31744 c935c4d776bcda2760fdb83090e6515c c:\windows\ServicePackFiles\i386\svchost.exe
2004-08-04 02:56 31744 5051282a74254d0f5a47a99823ec09dc c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\svchost.exe
2008-04-14 05:42 31744 ab630897c73d2f96fab92433699ed50c c:\windows\system32\svchost.exe

2008-04-14 05:42 1051136 804edc4c9c52543e88367eb8509c4a97 c:\windows\explorer.exe
2007-06-13 06:26 1050624 b8016e906ae316d18f0e299006002c3d c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 05:23 1050624 2a8df3b003478f82f6268dcaaf20be24 c:\windows\$NtServicePackUninstall$\explorer.exe
2004-08-04 02:56 1049600 290f1079ce77925db0a7c71d0a954dfc c:\windows\$NtUninstallKB938828$\explorer.exe
2008-04-14 05:42 1051136 a9402be9516c7e5ccaf5c8e27909dc70 c:\windows\ServicePackFiles\i386\explorer.exe

2004-08-04 02:56 125440 f320362bf1212d0630f9bab995f647b9 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-14 05:42 125952 fbbe8557467739e483ea2004851c0bb2 c:\windows\ServicePackFiles\i386\services.exe
2004-08-04 02:56 125440 1e27e998c9dcf38fe984d106ce430edf c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\backup\services.exe
2008-04-14 05:42 125952 081248dcd840b84813db14fe8b970ecb c:\windows\system32\services.exe

2004-08-04 02:56 32768 4afbf6cdb6dba7a83bbd23de8f91bde3 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 05:42 32768 4e0700f5fcf07a323f727f14e272a4b6 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 05:42 32768 b92468a571b919aae838fb4536a04096 c:\windows\system32\ctfmon.exe

2005-06-10 18:53 75264 d04ef7b51f26941e22e2f5e703e050f0 c:\windows\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
2005-06-10 19:17 75264 67c713d8f1c9958022f2a1d236f076ff c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 18:53 75264 51d44d36178f92040c08866a682b242b c:\windows\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 02:56 75264 a5eea3ae40ce0caa5aa51200b0b15a62 c:\windows\$NtUninstallKB896423$\spoolsv.exe
2003-07-16 11:40 68608 cb615883b82f939cb2e8dd0d7995af7f c:\windows\$NtUninstallKB896423_0$\spoolsv.exe
2008-04-14 05:42 75264 a54dc8fd40a6f40a081ea2519e7f4f1e c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 05:42 75264 8b42818907a6d7b22a640d11d1f9e593 c:\windows\system32\spoolsv.exe

2004-08-04 02:56 41984 3b1c8888431757db2f4c679a8c77dd3d c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 05:42 43520 7e4c6662b00531812f7ea005660cc09a c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 05:42 43520 ba012600f29839f81d873c4b8e35301f c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-06 176128]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-06 135168]
"Dell AIO Printer A960"="c:\program files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-09-21 290816]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-17 136600]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-01-15 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-23 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\matrix31290.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpa.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpb.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\~tmpc.exe]
"Debugger"=c:\windows\system32\alg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A Verizon App]
--a------ 2005-05-23 12:20 50744 c:\progra~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a------ 2005-04-13 18:51 405504 c:\progra~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 05:42 1712640 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2005-06-14 09:05 6877184 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 176128 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 405504 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 18:42 53248 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"spkrmon"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-07-24 45132]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d2c61be-da2a-11dd-86c4-000bdb8b6f3e}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-MS AntiSpyware 2009 - c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe


.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-17 04:51:42
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-57989841-73586283-839522115-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(232)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-02-17 4:56:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-17 09:56:32

Pre-Run: 806,686,720 bytes free
Post-Run: 777,035,776 bytes free
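As an added example (not from this thread and not part of ComboFix, HijackThis or any BleepingComputer tool), here is a small Python triage script for the ComboFix output above. It flags the three persistence indicators that log contains: the Image File Execution Options "Debugger" redirection of a.exe to alg.exe, the MountPoints2 autorun handler pointing at E:\Start.exe, and Sigcheck entries where the live system binary's MD5 differs from the same-timestamp, same-size ServicePackFiles copy (ordinarily byte-identical, so a mismatch is consistent with the file infector Kaspersky reported). The embedded sample is a constructed excerpt of that log and the function names are my own.

```python
"""Triage a ComboFix log for the persistence indicators seen in this thread (added example)."""
import re
# Constructed excerpt of the ComboFix log posted above (paths and hashes as on the page).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\a.exe]
"Debugger"=c:\windows\system32\alg.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d2c61be-da2a-11dd-86c4-000bdb8b6f3e}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

2008-04-14 05:42 1051136 804edc4c9c52543e88367eb8509c4a97 c:\windows\explorer.exe
2008-04-14 05:42 1051136 a9402be9516c7e5ccaf5c8e27909dc70 c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-14 05:42 43520 7e4c6662b00531812f7ea005660cc09a c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 05:42 43520 ba012600f29839f81d873c4b8e35301f c:\windows\system32\userinit.exe
"""

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
SIG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) (\d+) ([0-9a-f]{32}) (.+)$")

def reg_values(text):
    """Yield (key, value_line) from REGEDIT4-style blocks; a blank line ends a block."""
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
        elif not line:
            key = None
        elif key:
            yield key, line

def find_ifeo_hijacks(text):
    """Map each IFEO target (a.exe, ...) to the 'Debugger' path Windows launches in its place."""
    hits = {}
    for key, line in reg_values(text):
        m = re.match(r'"Debugger"=(.+)', line)
        if m and "\\image file execution options\\" in key.lower():
            hits[key.rsplit("\\", 1)[1]] = m.group(1)
    return hits

def find_mountpoint_autoruns(text):
    """Commands registered as Shell\\Auto / AutoRun handlers under MountPoints2 (run on volume open)."""
    return [line.split(" - ", 1)[1] for key, line in reg_values(text)
            if "mountpoints2" in key.lower() and "\\command - " in line]

def find_sigcheck_mismatches(text):
    """Live system binaries whose MD5 differs from a same-timestamp, same-size ServicePackFiles copy."""
    ref, live = {}, {}
    for line in text.splitlines():
        m = SIG_RE.match(line.strip())
        if not m:
            continue
        stamp, size, md5, path = m.groups()
        name, low = path.rsplit("\\", 1)[1].lower(), path.lower()
        if "\\servicepackfiles\\" in low:
            ref[name] = (stamp, size, md5)
        elif low.startswith("c:\\windows\\system32\\") or low == "c:\\windows\\" + name:
            live[name] = (stamp, size, md5)
    return sorted(n for n in live if n in ref
                  and live[n][:2] == ref[n][:2] and live[n][2] != ref[n][2])

if __name__ == "__main__":
    for check in (find_ifeo_hijacks, find_mountpoint_autoruns, find_sigcheck_mismatches):
        print(check.__name__, check(SAMPLE_LOG))
```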


#2 mikep77
  • Topic Starter
  • Members
  • 13 posts

Posted 17 February 2009 - 12:18 PM

I made a typo, it is MS AntiSpyware 2009.

Also, I ran a Kaspersky Online Scan - it found over 3000 infected files, most of them are .exe's infected with Virus.Win32.Virut.ce

Are these real or false positives? It's basically all the .exe's on this computer, ranging from Program Files to Windows system exe's.

Help!

#3 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 February 2009 - 01:17 PM

Hello mikep77,

Are these real or false positives? It's basically all the .exe's on this computer, ranging from Program Files to Windows system exe's.

I'm sorry to say that's how a file infector works. It will take over every file on the system. You obviously have a lot more going on than just one rogue program. My best and safest advice would be to start over with a clean reformat and reinstall.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#4 mikep77
  • Topic Starter
  • Members
  • 13 posts

Posted 17 February 2009 - 01:29 PM

MalwareBytes is not picking up ANY of these .exe's. Who should I trust?

#5 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 February 2009 - 01:43 PM

Try this then:

Please download and run Bit Defender 8 online scanner
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.
Thanks,
tea

#6 teacup61
    Bleepin' Texan!
  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 01 March 2009 - 05:45 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic