Vista Antivirus Pro 2010 - Unable to Remove


This topic is locked
4 replies to this topic

#1 eabb

  • Members
  • 2 posts

Posted 15 March 2010 - 05:34 AM

My laptop has been taken over by the Vista Antivirus Pro 2010 virus. This started approximately 24 hours ago. My first step was to use a restore point, but no restore point was available (that was unusual). My regular anti-virus software (Norton) did not detect nor remove the virus, and I downloaded Microsoft's security program (and during that process had to uninstall Norton) and that did not work either. Initially it was nuisance value only (pop-ups), then it started preventing me from using Internet Explorer, now my computer only starts perhaps once out of every 6 times. I have managed to back-up the majority of my important files.

I then followed to the letter your "Automated Removal Instructions for Antivirus Pro 2010 using Malwarebytes' Anti-Malware"; however, this did not fix the problem.

Then, as I was still having problems after completing the above instructions, I followed the steps outlined in the topic linked, "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".

All of your suggestions and downloads I am following using a desktop computer then transferring data to and from my laptop using a flash drive stick.

I have been unable to create a GMER Log. I downloaded GMER, extracted it and ran it, it runs just fine, but at the end when I can see items listed under "Type, Name, Value" etc I click on Save and then the program freezes. I have rebooted the computer and retried running this 7 times, but so far with no success. I am running it again now, I clicked on Save and named the file before I clicked on Start but it is taking literally hours so if it works I'll update my post, if not, would you please have any suggestions for me? With warm regards and thanks in advance, Erin.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 7:53:34.90 on Mon 15/03/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.61.1033.18.2549.1515 [GMT 11:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Users\Owner\AppData\Local\av.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\System32\alg.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\WINDOWS\System32\SupportAppXL\AutoDect.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_au&c=81&bd=Presario&pf=laptop
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: RefresherBand Class: {b24ba06e-fb7b-4757-95c2-dc01125f750e} - c:\progra~1\yrefresher\YRefresher.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [OnlineTextBuddy]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" update "software\cyberlink\youcam\1.0"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [autodetect] c:\windows\system32\supportappxl\AutoDect.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRunOnce: [<NO NAME>]
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-8-24 21504]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 42368]
S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-10-17 7168]

=============== Created Last 30 ================

2010-03-14 12:16:28 0 d-----w- c:\users\owner\appdata\roaming\Malwarebytes
2010-03-14 12:16:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-14 12:16:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-14 12:16:20 0 d-----w- c:\programdata\Malwarebytes
2010-03-14 12:16:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 10:13:13 0 d-----w- c:\program files\Microsoft Security Essentials
2010-03-03 11:47:09 0 d-----w- c:\programdata\GameHouse
2010-03-03 11:42:33 0 d-----w- c:\windows\TextTwist 2
2010-03-03 11:42:33 0 d-----w- c:\program files\TextTwist 2
2010-03-01 22:23:16 0 d-----w- c:\users\owner\appdata\roaming\Axialis
2010-03-01 22:23:15 0 d-----w- c:\program files\IconWorkshop
2010-02-24 04:09:52 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 04:09:52 511488 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 04:09:52 472576 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 04:09:52 472064 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 04:09:52 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 04:09:52 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 04:09:51 329216 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 04:09:51 151040 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 04:09:51 151040 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 03:03:33 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-21 12:08:51 0 d-----w- c:\users\owner\appdata\roaming\FrostWire
2010-02-21 12:07:08 0 d-----w- c:\program files\Ask.com
2010-02-21 12:06:35 0 d-----w- c:\program files\FrostWire
2010-02-20 06:12:53 8704 ----a-w- c:\windows\system32\SpOrder.dll
2010-02-18 04:25:03 0 d-----w- c:\program files\iPod

==================== Find3M ====================

2010-03-14 10:03:18 86016 ----a-w- c:\windows\inf\infstor.dat
2010-03-14 10:03:18 51200 ----a-w- c:\windows\inf\infpub.dat
2010-03-14 10:03:18 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-03-01 09:02:38 109152 ----a-w- c:\users\owner\appdata\roaming\GDIPFONTCACHEV1.DAT
2010-02-23 22:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-08 10:51:48 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-01-08 10:51:48 249856 ----a-w- c:\windows\system32\pdfmona.dll
2009-12-28 12:35:50 11776 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-28 12:35:00 1314816 ----a-w- c:\windows\system32\quartz.dll
2009-12-28 12:32:34 22528 ----a-w- c:\windows\system32\msyuv.dll
2009-12-28 12:32:32 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-28 12:32:32 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-12-28 12:32:25 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-28 12:31:22 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-28 12:31:01 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-28 12:28:43 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-12-28 12:28:43 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-12-20 11:17:19 18432 ----a-w- c:\windows\ss3unstl.exe
2009-12-20 09:32:09 763376 ----a-w- c:\windows\system32\Robert Pattinson.scr
2009-12-18 13:05:50 833024 ----a-w- c:\windows\system32\wininet.dll
2009-12-18 13:01:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-18 10:14:30 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-26 23:54:42 174 --sha-w- c:\program files\desktop.ini
2009-08-26 23:40:06 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:39:34 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:39:34 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-09-02 00:45:22 88 --sha-r- c:\windows\system32\0DA1C4C3FC.sys
2009-09-02 00:45:28 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-26 21:46:22 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 7:53:49.86 ===============
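As an added example (not part of the thread, and not code from DDS or BleepingComputer), the script below parses the section layout of a DDS log like the one posted above and pulls out the three things a helper reads for first: a process image running from a user-writable path (the av.exe under AppData\Local), BHO/toolbar entries whose DLL resolves to "No File", and autorun entries with no image behind them. The excerpt is constructed from lines of the log above, and the section titles and line formats are assumed from it.

```python
import re

# Constructed excerpt modelled on the DDS log posted above (same section headers and line formats).
DDS_EXCERPT = r"""
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Users\Owner\AppData\Local\av.exe
C:\Program Files\Java\jre6\bin\jusched.exe
============== Pseudo HJT Report ===============
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [OnlineTextBuddy]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
dRunOnce: [<NO NAME>]
============= SERVICES / DRIVERS ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "====== Title ======" delimits a section
IMAGE_RE = re.compile(r"(.+?\.(?:exe|scr))", re.I)      # image path; command-line args follow it
EMPTY_RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[[^\]]*\]$")  # autorun value with no target path
# Path fragments that place a file where a standard user account can write.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\documents and settings\\")


def split_sections(text):
    """Return {section title: [non-empty stripped lines]} for a DDS-style log."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def is_user_writable(path):
    """True when the image sits under a user-writable directory instead of Windows or Program Files."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def triage(text):
    """Pull out the three findings a helper checks first in a DDS log."""
    sections = split_sections(text)
    findings = {"user_path_processes": [], "orphaned_entries": [], "empty_autoruns": []}
    for line in sections.get("Running Processes", []):
        image = IMAGE_RE.match(line)
        if image and is_user_writable(image.group(1)):
            findings["user_path_processes"].append(image.group(1))
    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith("- No File"):   # BHO/toolbar CLSID whose DLL is gone: orphan to clean up
            findings["orphaned_entries"].append(line)
        elif EMPTY_RUN_RE.match(line):   # autorun entry with no image: leftover or blanked value
            findings["empty_autoruns"].append(line)
    return findings


if __name__ == "__main__":
    for name, items in triage(DDS_EXCERPT).items():
        print(f"{name}: {items}")
```

Running it against the full log posted above would also list dds.scr on the Desktop, since the DDS tool itself runs from the user profile; that is the one user-path hit that is expected.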

#2 thewall

  • Malware Response Team
  • 6,425 posts

Posted 17 March 2010 - 08:14 PM

Hello eabb. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.

I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Please keep in mind that we have a large backlog of users just like yourself waiting to be helped, so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.

After 5 days, if a topic is not replied to, we assume it has been abandoned and it is closed.

I would like to get a GMER log if at all possible. Try disabling your Windows Defender along with any other Antivirus or AntiSpyware program you may have and run it once again. Instructions can be found Here. If it still does not seem to want to run, uncheck the following and try again:

  • Registry
  • Files

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 eabb
  • Topic Starter

  • Members
  • 2 posts

Posted 18 March 2010 - 01:08 AM

ASSISTANCE NO LONGER REQUIRED

Thank you so much for your reply. Unfortunately I had some dreadful work deadlines to meet and I had to take the laptop into a computer repair shop yesterday. Prior to this I ran the computer in safe mode and removed (backed up) all of my personal data. He immediately took out my hard drive and attached it to another computer, then ran Microsoft Security Essentials over it and ended up fixing it. It took around 4 hours (not sure how much of that time he was actually doing anything with the computer) and cost me $50 Australian, which was worth it from the point of view of allowing me to get work done. I would have liked to get more information from him so I could potentially help others or myself again should it happen but unfortunately when I went to collect it he was flat out and I couldn't ask more questions.

I have now decided to use the above program to try and prevent this from happening again, but I must say it was one of the most stressful experiences of my life, and I really appreciate your website and your personal assistance, even though in this case I no longer require help.

Thank you once again for your assistance. Regards, Erin.
#4 thewall

  • Malware Response Team
  • 6,425 posts

Posted 18 March 2010 - 10:22 AM

I totally understand and appreciate you letting me know. The main thing is you got it fixed.

When he reloaded the programs, did he update your Java? It was out of date, and you had another leftover version still on the machine, which is an area of malware exploitation.

#5 thewall

  • Malware Response Team
  • 6,425 posts

Posted 21 March 2010 - 07:53 PM

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.