antivirus2009


19 replies to this topic

#1 tex
  • Members
  • 13 posts

Posted 23 February 2009 - 02:09 AM

This keeps popping up and I cannot get it off. I have tried using avast, spybot, registry mechanic, malwarebytes (which I got from this site and like), I've tried adaware and revo, plus going into the holding folder on my C drive and deleting the folder for antivirus 2009. I'm at my wits' end on what to do, can anyone help?


#2 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 23 February 2009 - 08:07 PM

MBAM should have been able to remove it. Let's try it again.

Make sure you update it first and then run a full scan.

Post the log once it's done and I will take a look at it.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 tex
  • Topic Starter
  • Members
  • 13 posts

Posted 25 February 2009 - 11:43 AM

Oh thank god lol, I'm about to go out of my mind. Now it has even hidden my toolbar and icons, although Task Manager still works so I will access programs through it.

#4 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 51,394 posts
  • Location:Virginia, USA

Posted 25 February 2009 - 01:23 PM

Launch Task Manager, click the Applications Tab and select "New Task" at the bottom. Browse to the location of mbam.exe (default location is C:\Program Files\Malwarebytes Anti-Malware), double-click on it and then press "Ok" to launch the program.

Perform a scan as instructed by extremeboy and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply for his review.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 tex
  • Topic Starter
  • Members
  • 13 posts

Posted 25 February 2009 - 01:27 PM

Here it is, updated and run in full scan.


Malwarebytes' Anti-Malware 1.34
Database version: 1801
Windows 5.1.2600 Service Pack 3

2/25/2009 12:18:38 PM
mbam-log-2009-02-25 (12-18-38).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 189023
Time elapsed: 1 hour(s), 9 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
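
The two Registry Data Items MBAM quarantined in the log above live under the Winlogon key. Userinit is the comma-separated list of programs Windows runs at every logon before the desktop appears (the stock Windows XP value is "C:\WINDOWS\system32\userinit.exe," with the trailing comma), and the neighbouring Shell value names the program that gives you a taskbar and icons at all (Explorer.exe). Both are favourite persistence points for rogue software, which is why a scanner watches them. The script below is an added example, not part of this thread and not Malwarebytes' own code: it checks a snapshot of those two values against the stock settings and lists anything extra. The %SystemRoot% expansion to C:\WINDOWS and every sample path are assumptions made for illustration.

```python
"""Audit the Winlogon values that decide what runs at logon (added example).

At logon Windows runs each program listed in the Winlogon Userinit value
(comma-separated, in order) and then starts the program named in Shell. On a
stock Windows XP install those are "C:\\WINDOWS\\system32\\userinit.exe,"
(the trailing comma is part of the default) and "Explorer.exe". Anything
appended to Userinit runs in the user's session at every logon; a Shell that
is not Explorer.exe means no taskbar and no desktop icons.
"""
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Spellings of the stock userinit.exe a scanner may report (the MBAM log above
# shows both the full and the relative form). %SystemRoot% is ASSUMED to be
# C:\WINDOWS for this example.
STOCK_USERINIT = {r"c:\windows\system32\userinit.exe", r"system32\userinit.exe"}
STOCK_SHELL = "explorer.exe"


def _normalize(entry: str) -> str:
    """Lower-case, drop quotes and expand %SystemRoot% so spellings compare equal."""
    e = entry.strip().strip('"').lower()
    return e.replace("%systemroot%", r"c:\windows")


def check_winlogon(values: dict) -> list:
    """Return human-readable findings for a {value name: data} snapshot of the key.

    An empty list means Userinit and Shell match the stock configuration.
    """
    findings = []

    userinit = values.get("Userinit")
    if userinit is None:
        findings.append("Userinit value missing; logon will not run userinit.exe")
    else:
        entries = [p for p in userinit.split(",") if p.strip()]
        if not entries or _normalize(entries[0]) not in STOCK_USERINIT:
            findings.append(f"Userinit first entry is not the stock userinit.exe: {userinit!r}")
        # Every further entry is an extra program started at each logon.
        for extra in entries[1:]:
            findings.append(f"Userinit runs an additional program at logon: {extra.strip()!r}")

    shell = values.get("Shell")
    if shell is not None and _normalize(shell) != STOCK_SHELL:
        findings.append(f"Shell is not Explorer.exe: {shell!r}")

    return findings


def read_live_winlogon() -> dict:
    """Read Userinit and Shell from HKLM on Windows; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in ("Userinit", "Shell"):
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass
    return out


# Constructed samples for the example (not taken from the thread's logs); the
# extra paths are hypothetical.
SAMPLES = {
    "stock": {"Userinit": r"C:\WINDOWS\system32\userinit.exe,", "Shell": "Explorer.exe"},
    "appended": {
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,"
                    r"C:\Documents and Settings\All Users\Application Data\hypothetical\loader.exe",
        "Shell": "Explorer.exe",
    },
    "shell_replaced": {"Userinit": r"C:\WINDOWS\system32\userinit.exe,", "Shell": r"C:\hypothetical\fakeshell.exe"},
    # A userinit.exe sitting outside system32 is not the stock one.
    "lookalike": {"Userinit": r"C:\WINDOWS\userinit.exe,", "Shell": "Explorer.exe"},
}

if __name__ == "__main__":
    live = read_live_winlogon()
    cases = list(SAMPLES.items()) + ([("live", live)] if live else [])
    for label, vals in cases:
        print(label, "->", check_winlogon(vals) or "OK")
```

Run it on the machine under repair and the "live" line shows the current values; on any other system only the constructed samples are evaluated. Comparing against a fixed stock value (rather than just looking for "suspicious" names) is what catches a look-alike such as a second userinit.exe dropped outside system32.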

#6 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 25 February 2009 - 04:25 PM

Hello again.

The MBAM scan did not find any infection relating to "antivirus2009". Where do you still see signs of this infection on your computer?

Please perform a GMER scan after answering that question.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
  • After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode, try running it in Safe Mode.

Important!: Please do not select the Show all checkbox during the scan.

With Regards,
Extremeboy

#7 tex
  • Topic Starter
  • Members
  • 13 posts

Posted 25 February 2009 - 08:26 PM

The antivirus 2009 classic windows keep popping up, "You have been infected", Scan Recommended etc., plus the background is all I see when the computer is running, even after several hours.

#8 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 25 February 2009 - 08:56 PM

Hello.

Is this when you go on a particular site or something that you get this warning, or is it what you have on your background?

If it's the background where you get that warning, show me a screenshot so I know what you are talking about exactly.

It's getting late here, I need to go soon.

With Regards,
Extremeboy

#9 tex
  • Topic Starter
  • Members
  • 13 posts

Posted 25 February 2009 - 09:53 PM

I'm not sure how to show you the screenshots, plus wouldn't a folder contain a virus?

The toolbar sometimes shows and sometimes doesn't.

#10 tex
  • Topic Starter
  • Members
  • 13 posts

Posted 25 February 2009 - 10:16 PM

Oh, and it's a constant thing, the popups come from the point of starting up.

Here's the notes from the scan.


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-25 21:15:32
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEFF556B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEFF55574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEFF55A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEFF5514C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEFF5564E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEFF5508C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEFF550F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEFF5576E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEFF5572E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEFF558AE]

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[608] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005C0002
IAT C:\WINDOWS\system32\services.exe[608] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005C0000
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 013CBCA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 013CBC50
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 013C7EA0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 013C9100
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 013CAA10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 013C9370
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 013C9180
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 013CA010
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 013CB950
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 013CB990
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 013CBD30
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 013CB810
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 013CA970
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 013C9930
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 013C92E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 013C9660
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 013CC2B0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 013CA360
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 013CA7D0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 013CAE90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 013CAC20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 013CAE10
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 013CB2F0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 013CB000
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 013C9250
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 013C97E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 013CBA70
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 013CAD60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 013CA910
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 013CA790
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 013CAB20
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 013CBD50
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 013CAB60
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 013CBFF0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 013CBF90
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 013CC1E0
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 013CC280
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 013CC0B0

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.14 ----
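
The GMER procedure in extremeboy's earlier post and the log just posted come down to one question for the reviewer: which module owns each SSDT, IAT and device hook, and is that owner a vendor the user knowingly installed? In this log the kernel hooks and filter drivers all name avast (ALWIL Software), the RegMech.exe IAT entries belong to Registry Mechanic's own process, and the two services.exe IAT entries point at bare addresses that GMER did not tie to a named module; the helper read the whole thing as clean. The script below is an added example, not GMER's code and not something the thread's participants ran: it parses the three line formats seen above and groups hooks by owner and vendor so that anything without a known owner stands out. The sample log is excerpted from the post above, except for the hypothetical.sys line, which is constructed to show how an unidentified driver surfaces.

```python
"""Triage a GMER text log: who hooks what, and is the owner known? (added example)

GMER prints one line per hook. The kinds present in the log posted above:
  SSDT <driver> (<description>/<vendor>) <ZwFunction> [0xADDR]
  IAT <process>[<pid>] @ <module> [<dll>!<import>] <ADDR>
  AttachedDevice <driver object> <device> <filter.sys> (<description>/<vendor>)
The summary answers "what is hooking what, and which vendor owns it". It does
not declare a system clean or infected by itself; that stays with the analyst.
"""
import re
from collections import Counter

# The "(description/vendor)" block is treated as optional: the format is taken
# from the lines in the log above, and its absence is how an unidentified
# module shows up. Any trailing text after an IAT address is assumed to be a
# resolved module description, if GMER printed one.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<driver>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]"
)
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>\S+)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<import>\w+)\]\s+(?P<addr>[0-9A-Fa-f]{8})(?:\s+(?P<resolved>.+))?$"
)
DEV_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<filter>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
)


def _vendor(desc):
    """'avast! self protection module/ALWIL Software' -> 'ALWIL Software'."""
    if not desc:
        return "unknown"
    return desc.rpartition("/")[2].strip() or "unknown"


def parse_gmer(text):
    """Return a list of hook records; section headers and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            records.append({"kind": "SSDT", "owner": m["driver"].rsplit("\\", 1)[-1],
                            "vendor": _vendor(m["desc"]), "target": m["func"]})
        elif m := IAT_RE.match(line):
            proc = m["proc"].rsplit("\\", 1)[-1]
            resolved = m["resolved"]
            vendor = _vendor(resolved.partition("(")[2].rstrip(")")) if resolved else "unresolved"
            records.append({"kind": "IAT", "owner": f"{proc}[{m['pid']}]", "vendor": vendor,
                            "target": f"{m['dll']}!{m['import']} -> 0x{m['addr']}"})
        elif m := DEV_RE.match(line):
            records.append({"kind": "AttachedDevice", "owner": m["filter"],
                            "vendor": _vendor(m["desc"]), "target": m["device"]})
    return records


def summarize(records):
    """Count hooks per (kind, owner, vendor) and list those with no known owner."""
    by_owner = Counter((r["kind"], r["owner"], r["vendor"]) for r in records)
    needs_attribution = [r for r in records if r["vendor"] in ("unknown", "unresolved")]
    vendors = sorted({r["vendor"] for r in records})
    return {"by_owner": by_owner, "needs_attribution": needs_attribution, "vendors": vendors}


# Excerpt of the log posted in this thread, plus one CONSTRUCTED SSDT line
# (hypothetical.sys) to show how an unidentified driver surfaces.
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEFF556B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEFF5508C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEFF558AE]
SSDT \??\C:\WINDOWS\system32\drivers\hypothetical.sys ZwOpenProcess [0xF7A1B2C4]

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[608] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005C0002
IAT C:\WINDOWS\system32\services.exe[608] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005C0000
IAT C:\Program Files\Registry Mechanic\RegMech.exe[3796] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 013C9100

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
"""

if __name__ == "__main__":
    s = summarize(parse_gmer(SAMPLE_LOG))
    for (kind, owner, vendor), n in sorted(s["by_owner"].items()):
        print(f"{kind:15} {owner:25} {vendor:15} {n} hook(s)")
    for r in s["needs_attribution"]:
        print("attribute:", r["kind"], r["owner"], r["target"])
```

Point it at a saved gmer.txt with `parse_gmer(open("gmer.txt").read())`. The "attribute" lines are the analyst's worklist: a kernel hook with no vendor string, or a user-mode hook that lands at an address no loaded module claims, is exactly what a security tool's own hooks look like when the tool is legitimate and what a rootkit looks like when it is not, so the owner has to be established before the log can be called clean.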

#11 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 26 February 2009 - 04:33 PM

Hello.

The GMER log looks clean.

Tutorials on how to take a screenshot: http://www.wikihow.com/Take-a-Screenshot-i...crosoft-Windows
http://www.microsoft.com/windowsxp/using/s...screenshot.mspx

With Regards,
Extremeboy

#12 tex
  • Topic Starter
  • Members
  • 13 posts

Posted 26 February 2009 - 04:37 PM

I have the screenshots, I'm just not sure how to attach them to this site.

#13 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 26 February 2009 - 05:19 PM

Hello.

Please upload it to Media Fire instead then.

Upload File to MediaFire
Please upload the picture using MediaFire.
  • Go to Media Fire
  • Click the Large Green button that says UPLOAD FILE TO MEDIAFIRE
  • When asked do you have a MediaFire account please select: I want to upload without an account
  • A Browser window shall then appear
  • Navigate to the picture you want to send to me and click on the file to highlight it.
  • Then select Open
  • Another page shall appear; after it finishes loading please select the big green button that says: START UPLOAD
  • Follow any prompts after that to finish the upload process
  • When the Upload is complete, under the Sharing URL: please copy and paste that link in your next reply so I can download and see it.
Tell me how it goes and post the sharing URL and answers to my question.

With Regards,
Extremeboy

#14 tex
  • Topic Starter
  • Members
  • 13 posts

Posted 26 February 2009 - 06:51 PM

Here are my screenshots, I hope they show what you need to see.


http://www.mediafire.com/?tjygxcrztaj

http://www.mediafire.com/?zxqn9pecsq5

http://www.mediafire.com/?mkh4jlj59au

http://www.mediafire.com/?sa0m5mbrfwo

#15 extremeboy
  • Malware Response Team
  • 12,975 posts

Posted 26 February 2009 - 09:48 PM

Hello.

Seems it's still there. Please run SUPERAntiSpyware and see if it can detect it and remove any remaining parts. Do you still have "AntiVirus 2009" in your Add/Remove panel?

Download and Run SUPERAntiSpyware
We will run a scan with SuperAntiSpyware.
  • Download SUPERAntiSpyware to your desktop.
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation. Delete the installer after use.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates".
    If you encounter any problems while downloading the updates, manually download and unzip them from here.
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive (or whatever drive your system is installed on).
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
  • Make sure everything has a checkmark next to it and click Next.
  • A notification will appear saying that "Quarantine and Removal is Complete". Click OK and then click the Finish button to return to the main menu.
  • If asked if you want to reboot, click Yes.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
With Regards,
Extremeboy



