
[Inactive] Antivirus Live - please help me remove

Discussion in 'Malware and Virus Removal Archive' started by work4crown, 2009/12/07.

  1. 2009/12/07
    work4crown (Thread Starter)

    My Dad has an Acer Netbook with 32 bit Windows XP on it. It is infected with the 'Antivirus Live' virus.

    Dad says he sees lots of new icons showing up in the task bar. He can't access the internet or anything through the control panel. Many things are blocked by this virus. He can't access things in 'My Documents'. There are many pop-up windows that say he is infected. There is an offer to clean his computer if he will give them money.

    I found a thread on your website where someone had a similar problem so I was hoping you could help us too.
    http://www.windowsbbs.com/malware-virus-removal/89164-resolved-antivirus-live-removal.html

    I am using 'Remote Assistance' to access his computer in 'Safe mode with networking' since Dad and I live in different states. I have made the log files from DDS as the post instructions said to.

    Let me know and thanks! :D

    DDS

    DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
    Run by Administrator at 19:19:15.07 on Mon 12/07/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.687 [GMT -5:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\RDSHOST.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRunOnce: [AcerScrSav] c:\windows\acer\run_NB.exe
    mRun: [LaunchApp] Alaunch
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [PLFSetL] c:\windows\PLFSetL.exe
    mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [Conime] %windir%\system32\conime.exe
    mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\npjpi160_07.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-25 108552]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-25 335240]
    S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-25 27784]
    S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-25 908056]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-25 297752]
    S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKDiscovery.exe [2009-1-19 279960]
    S2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\aio\center\KodakSvc.exe [2009-1-19 38296]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-3-25 30192]
    S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-3-25 96856]

    =============== Created Last 30 ================

    2009-12-08 00:02:46 0 d-sha-r- C:\cmdcons
    2009-12-08 00:01:25 98816 ----a-w- c:\windows\sed.exe
    2009-12-08 00:01:25 77312 ----a-w- c:\windows\MBR.exe
    2009-12-08 00:01:25 260608 ----a-w- c:\windows\PEV.exe
    2009-12-08 00:01:25 161792 ----a-w- c:\windows\SWREG.exe
    2009-12-07 15:21:34 0 d-sh--w- c:\documents and settings\administrator\IECompatCache
    2009-12-07 05:07:00 0 d-----w- c:\docume~1\admini~1\applic~1\OpenOffice.org
    2009-12-05 21:05:08 90112 --sha-r- c:\windows\system32\ddemll.dll
    2009-12-05 21:05:08 0 d-----w- c:\program files\DivXCodecs
    2009-12-02 18:01:26 0 d-----w- c:\program files\Windows Media Connect 2
    2009-12-02 17:59:18 0 d-----w- C:\a380bd3ed8fd1936a34fa851
    2009-12-02 17:59:13 0 d-----w- c:\windows\system32\LogFiles
    2009-12-02 17:58:26 0 d-----w- C:\a71146b67068d1d5e7f23e531395aad2
    2009-12-02 17:30:56 0 d-----w- c:\windows\system32\wbem\Repository
    2009-11-25 23:46:58 0 d-----w- c:\program files\Edmark
    2009-11-25 23:12:13 0 d-----w- C:\BRLLIANT
    2009-11-15 19:27:55 0 d-sh--w- c:\documents and settings\administrator\PrivacIE
    2009-11-15 19:15:12 0 d-sh--w- c:\documents and settings\administrator\IETldCache
    2009-11-15 19:13:36 0 d-----w- c:\docume~1\admini~1\applic~1\SiteAdvisor
    2009-11-15 00:04:44 0 d-----w- c:\docume~1\alluse~1\applic~1\16297025
    2009-11-15 00:04:39 0 d-----w- c:\docume~1\alluse~1\applic~1\53359025
    2009-11-15 00:04:28 0 d-----w- c:\docume~1\alluse~1\applic~1\34424219
    2009-11-11 16:41:15 274288 ----a-w- c:\windows\system32\mucltui.dll
    2009-11-11 16:41:15 215920 ----a-w- c:\windows\system32\muweb.dll
    2009-11-11 16:41:15 16736 ----a-w- c:\windows\system32\mucltui.dll.mui

    ==================== Find3M ====================

    2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2008-08-15 17:51:40 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat
    2009-03-25 18:42:39 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009032520090326\index.dat

    ============= FINISH: 19:19:28.96 ===============


    Todd
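The "Created Last 30" section of the DDS log above is what a helper reads first. As an added example (not from this thread or from the DDS tool), this Python triage script parses lines in that format and flags two patterns for manual review: hidden+system files newly created in system32, and purely numeric directory names under Application Data. The sample lines are constructed to match the shape of the log above; the heuristics are review aids, not malware verdicts.

```python
import re

# Constructed sample in the shape of a DDS "Created Last 30" section.
SAMPLE_DDS = """\
2009-12-05 21:05:08 90112 --sha-r- c:\\windows\\system32\\ddemll.dll
2009-12-05 21:05:08 0 d-----w- c:\\program files\\DivXCodecs
2009-11-15 00:04:44 0 d-----w- c:\\docume~1\\alluse~1\\applic~1\\16297025
2009-11-11 16:41:15 274288 ----a-w- c:\\windows\\system32\\mucltui.dll
2009-12-08 00:02:46 0 d-sha-r- C:\\cmdcons
"""

# date time size attrs path; attrs is an 8-char field such as d-sha-r- or ----a-w-
# (position 0 = directory, 's' = system, 'h' = hidden, 'a' = archive).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[\w-]{8}) (?P<path>.+)$"
)


def parse_dds_created(text):
    """Parse 'Created Last 30' lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def flag_for_review(rows):
    """Return (path, reason) pairs an analyst would look at first.

    Assumed heuristics, not verdicts: a legitimate installer can produce either pattern.
    """
    flagged = []
    for r in rows:
        attrs, path = r["attrs"], r["path"].lower()
        is_dir = attrs[0] == "d"
        hidden_system = "s" in attrs and "h" in attrs
        leaf = path.rsplit("\\", 1)[-1]
        in_appdata = "applic~1" in path or "application data" in path
        if not is_dir and hidden_system and "\\system32\\" in path:
            flagged.append((r["path"], "hidden+system file created in system32"))
        elif is_dir and leaf.isdigit() and in_appdata:
            flagged.append((r["path"], "numeric-named directory under Application Data"))
    return flagged


if __name__ == "__main__":
    for path, reason in flag_for_review(parse_dds_created(SAMPLE_DDS)):
        print(f"{reason}: {path}")
```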
     
  2. 2009/12/07
    broni (Moderator, Malware Analyst)
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE. If Combofix asks you to install Recovery Console, please allow it.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
     


  3. 2009/12/08
    work4crown (Thread Starter)
    Thank you

    Hi Broni, it looks like we won't need to work through a debug after all. My dad backed up his data and ran the Acer erecovery program which restored his computer to factory default. Sorry to waste your time - thanks for the great info and great website!!!

    Todd
     
  4. 2009/12/08
    broni (Moderator, Malware Analyst)
    Not a problem :)
     
