Help removing AntiVirGear unable to run Malwarebytes


Recommended Posts

Hello everyone,

I appreciate any help you can give me. I think I have

My desktop is blue, and in the center of the screen there is a box that states

"Your Computer has been Infected!

System has been stopped due to a serious malfunction.

Spyware activity has been detected.

It is recommenced to use spyware removal tool to prevent data loss.

Do not use the computer before all spyware removed."

There is also a constant "Advanced Virus Remover" pop-up indicator from my taskbar. When I close it, it just comes right back up.

My PC is now running extremely slow. I've attempted to run Malwarebytes, however the scan stops after a few seconds, telling me I have a runtime error '5'.

I'm also unable to boot into safe mode. Please help!!

Thanks, Maria

I ran Hijackthis and here is my log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:09:34 PM, on 8/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\svchost.exe

C:\NOKIAMGR\System32\GCSServer.exe

C:\NOKIAMGR\System32\gcssync.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\McAfee.com\VSO\mcvsshld.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\McAfee.com\VSO\oasclnt.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Clearwire.exe

C:\Program Files\Apoint\Apntex.exe

C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Documents and Settings\mark\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

c:\program files\mcafee.com\agent\mcupdate.exe

C:\Documents and Settings\mark\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - URLSearchHook: Yahoo!


Welcome to Malwarebytes!!!! ;)

We need to see some additional information about what is happening in your machine.

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.

After downloading the tool, disconnect from the internet and disable all antivirus protection.

Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


sjpritch25,

Thank you so much for your help! The forum will not allow me to post the logs. It is telling me that the post is too long and that I need to reduce the message. Would you mind if I just send you the logs through PM?


Please download the OTM.exe by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :processes
    explorer.exe
    :files
    c:\windows\system32\sdra64.exe
    c:\windows\system32\winupdate.exe
    c:\windows\system32\logon.exe
    c:\windows\system32\AVR09.exe
    c:\windows\system32\winhelper.dll
    c:\windows\system32\critical_warning.html
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell"="Explorer.exe"
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "winupdate.exe"=-
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"=dword:00000000
    "NoActiveDesktopChanges"=dword:00000000
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoActiveDesktopChanges"=dword:00000000
    "NoSetActiveDesktop"=dword:00000000
    :commands
    [start explorer]
    [emptytemp]


  • Return to OTMoveIt3, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Click Ok to allow OTM to reboot your machine.
  • After reboot, a log file will appear. Copy the contents to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
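As an added example (not from this thread, and not part of OTM), a small defender-side checker for the persistence points the script above resets: it parses a .reg-style export and flags a Winlogon Shell or Userinit that differs from the Windows XP defaults, the Task Manager and Active Desktop lockdown policies set to 1, and Run entries named after the dropped files. The XP default values and the sample export are assumptions constructed for the example.

```python
import re

# Windows XP defaults for the two Winlogon values the OTM script restores (assumed).
WINLOGON_DEFAULTS = {"shell": "explorer.exe", "userinit": r"c:\windows\system32\userinit.exe,"}
# Policies the script resets (1 = Task Manager / Active Desktop locked) and Run-key
# names matching the files it deletes.
LOCKDOWN_POLICIES = {"disabletaskmgr", "nosetactivedesktop", "noactivedesktopchanges"}
SUSPECT_RUN_NAMES = {"winupdate.exe", "avr09.exe", "logon.exe", "sdra64.exe"}

def parse_reg(text):
    """Parse .reg-style text into {key_lower: {name_lower: value}}; dwords become ints."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith("dword:"):
            value = int(value[6:], 16)
        elif value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
        keys.setdefault(current, {})[name] = value
    return keys

def find_indicators(reg_text):
    """Return findings for the persistence tricks the fix script above targets."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.endswith(r"\winlogon"):
            for name, expected in WINLOGON_DEFAULTS.items():
                actual = values.get(name)
                if actual is not None and str(actual).lower() != expected:
                    findings.append(f"Winlogon {name} changed to {actual!r}")
        elif key.endswith(r"\policies\system") or key.endswith(r"\policies\explorer"):
            findings += [f"{n}=1 in {key}" for n, v in values.items() if n in LOCKDOWN_POLICIES and v == 1]
        elif key.endswith(r"\currentversion\run"):
            findings += [f"Run entry {n} -> {v}" for n, v in values.items() if n in SUSPECT_RUN_NAMES]
    return findings

# Constructed sample export (not the thread's log) showing the hijacked state.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winupdate.exe"="C:\\WINDOWS\\system32\\winupdate.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001'''
```

Running `find_indicators(SAMPLE)` on the constructed export reports the appended Userinit entry, the winupdate.exe Run value, and DisableTaskMgr=1; a machine whose export matches the defaults returns an empty list.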


Hope you don't mind me posting in your thread, Bastos : )

I'm in the exact same boat you are. My friend's computer has the same thing you do. I've booted into safe mode / networking. Ran Malwarebytes, AVG 8.5, Spybot, and then eventually ran SpyDoctor. All of these seemed to remove everything. I reboot. Everything seems clean, and not 5 minutes later every bit of it is back at full force. I've tried manually going in and deleting everything, including in the registry. The virus tends to stop a lot of programs from running; even in safe mode the AVR will pop up.

Very interested in seeing how to resolve this issue : )


  • 2 weeks later...

Little update. I went ahead and backed up what music was on the machine, with a few Word documents. This was all backed up onto an external hard drive. I used a flash drive to store the drivers till I was done reformatting the machine and had Windows loaded. After Windows was installed and up, I plugged the flash drive in and installed the Internet driver. Not half a second later the virus came back. After 3 installs of Windows I finally figured out that the virus had infected my flash drive and the external HDD, and it took a long format just to make sure the virus was gone. Installed AVG 8.5 and Malwarebytes. Ran both before installing the Internet driver to scan all my devices. It killed everything and I finally was able to get the machine running again. Short of just scanning the machine with the virus on there, even with the "fixes" out there, none of them seem to have worked.
