XP Internet Security 2010 virus + residual viruses after removal.


LOGS Below "history"

----------- history---------

Note: the XP Internet Security 2010/Ave.exe virus appears removed. However, there seem to be residual viruses that MB and other AV software are either not detecting or not cleaning. The residual viruses may have been from another undetected infection, but only showed after the XPinternetsecurity2010/ave.exe infection and cleaning.

I was 1st infected with the XP Internet Security virus on Sun, Apr 4.

I was 2nd infected this past Sunday, 4/11.

In both cases I used Malwarebytes to detect and clean.

In both cases a residual virus is left, and none of the virus detectors can find it.

(see symptoms below)

History

System is an XP Home Media,

For Anti Virus I run for resident protection Avast Free, Superantispyware Pro, and Malwarebytes has been used when either of the other two can't detect or clean a virus.

Per the symptoms, when the virus first executes it locks up all exe, including the AV programs.

I rebooted to Windows Safe Mode and found I still couldn't run any AV software; I didn't read the thing about changing the malwarebytes.exe to .com until a few days ago. So I restored the system to 5 days earlier, and thus was able to run AV. From safe mode I first uninstalled and then reinstalled Malwarebytes, and MB found the offending files and did a clean. I then reinstalled all AV and scanned with all; each found something.

However, there was a residual virus still in place (symptoms below).

Both infections were started when my son visited each Sunday and got on the computer, and the XP Internet Security screens started appearing.

2nd infestation: I again rebooted to Safe Mode, this time uninstalled Malwarebytes and then used MB clean to clean up the install. Next I installed a latest copy + rules, still couldn't run, so changed the malwarebytes exe to .com. Ran Malwarebytes; it found the infestation Ave.exe and 10 other infections. Did the clean, and again have residual virus issues.

The residual virus is first detected by Avast:

AVAST Logs

12.04.2010 14:41:33 Network Shield: blocked access to malicious site [ C:\WINDOWS\system32\svchost.exe ( 1240 ) ]

12.04.2010 14:54:14 Network Shield: blocked access to malicious site [ C:\WINDOWS\system32\svchost.exe ( 1240 ) ]

13.04.2010 01:41:28 Network Shield: blocked access to malicious site [ C:\WINDOWS\system32\svchost.exe ( 1260 ) ]

13.04.2010 05:47:18 Network Shield: blocked access to malicious site [ C:\WINDOWS\system32\svchost.exe ( 1244 ) ]

13.04.2010 15:56:02 Network Shield: blocked access to malicious site [ C:\WINDOWS\system32\svchost.exe ( 1244 ) ]

4/13/2010 3:56:01 PM C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\13NM0E38\in[1].htm [L] HTML:RedirME-inf [Trj] (0)

File was successfully moved to chest...

4/13/2010 9:17:16 PM C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\7LFRMI05\data[1].htm [L] JS:Prontexi-AO [Trj] (0)

While moving file to chest, error occurred: The process cannot access the file because it is being used by another process

During the file delete, error occurred: The process cannot access the file because it is being used by another process

During the file delete, error occurred: The process cannot access the file because it is being used by another process

While moving file to chest, error occurred: The process cannot access the file because it is being used by another process

While moving file to chest, error occurred: The process cannot access the file because it is being used by another process

*


Unfortunately I don't know what is triggering the svchost.exe or what site is trying to be accessed.

I have no clue what is triggering this, it happens at various times of day. If I do a boot scan with Avast it has found a few infections but not every time, after the above residual runs. Further I have scanned multiple times with Malwarebytes and SAS, with no results.

I need help to clean the remaining virus off my system.

--------- end history-

Attach.zip

MBam_Logs.zip
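As an added example (not part of the original posts), the Avast entries quoted in the first post can be put on one timeline so that Network Shield blocks and file detections can be compared. The function names and the 5-second correlation window are assumptions of this example; the log lines are copied from the post with duplicates dropped.

```python
import re
from datetime import datetime, timedelta

# Entries copied from the Avast log in the post above (duplicates dropped).
LOG = r"""
12.04.2010 14:41:33 Network Shield: blocked access to malicious site [ C:\WINDOWS\system32\svchost.exe ( 1240 ) ]
12.04.2010 14:54:14 Network Shield: blocked access to malicious site [ C:\WINDOWS\system32\svchost.exe ( 1240 ) ]
13.04.2010 01:41:28 Network Shield: blocked access to malicious site [ C:\WINDOWS\system32\svchost.exe ( 1260 ) ]
13.04.2010 05:47:18 Network Shield: blocked access to malicious site [ C:\WINDOWS\system32\svchost.exe ( 1244 ) ]
13.04.2010 15:56:02 Network Shield: blocked access to malicious site [ C:\WINDOWS\system32\svchost.exe ( 1244 ) ]
4/13/2010 3:56:01 PM C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\13NM0E38\in[1].htm [L] HTML:RedirME-inf [Trj] (0)
4/13/2010 9:17:16 PM C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\7LFRMI05\data[1].htm [L] JS:Prontexi-AO [Trj] (0)
"""

# The two log sources use different timestamp styles (dd.mm.yyyy 24h vs m/d/yyyy 12h).
BLOCK = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) Network Shield: "
                   r".*\[ (.+?) \( (\d+) \) \]$")
DETECT = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
                    r"(.+?) \[L\] (\S+) \[\w+\]")
PROFILE = re.compile(r"\\Documents and Settings\\([^\\]+)\\", re.I)

def parse(text):
    """Return (blocks, detections) with timestamps normalised to datetime."""
    blocks, detections = [], []
    for line in map(str.strip, text.splitlines()):
        if m := BLOCK.match(line):
            when = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
            blocks.append({"time": when, "image": m.group(2), "pid": int(m.group(3))})
        elif m := DETECT.match(line):
            when = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            owner = PROFILE.search(m.group(2))  # profile the cached file sits under
            detections.append({"time": when, "path": m.group(2), "name": m.group(3),
                               "account": owner.group(1) if owner else None})
    return blocks, detections

def correlate(blocks, detections, window=timedelta(seconds=5)):
    """Pair each Network Shield block with file detections logged within `window`."""
    return [(b, d) for b in blocks for d in detections
            if abs(b["time"] - d["time"]) <= window]

if __name__ == "__main__":
    blocks, detections = parse(LOG)
    print("svchost PIDs seen:", sorted({b["pid"] for b in blocks}))
    for b, d in correlate(blocks, detections):
        print(b["time"], "PID", b["pid"], "<->", d["name"], "cached under", d["account"])
```

On these entries the only pairing is the 15:56:02 block from svchost.exe PID 1244 with the in[1].htm detection logged one second earlier under the NetworkService profile.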


Hello and welcome to Malwarebytes

We apologize for the delay in responding to your request for help. Please note that your topic was not intentionally overlooked.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

  1. Please download OTL from one of the following mirrors:

  2. Save it to your desktop.

  3. Double click on the OTL icon on your desktop.

  4. Click the "Scan All Users" checkbox.

  5. In the custom scan box paste the following:

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%\*. /mp /s

  6. Push the Run Scan button.

  7. Two reports will open, copy and paste them in a reply here:

  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
