Spyware, Viruses, & Security forum

General discussion

Serious Advanced Virus Removal Infection - HELP!

by ryank79 / August 15, 2009 11:55 PM PDT

My computer has been hit by the Advanced Virus Removal and everything I try to do to get rid of it doesn't work.

I started by downloading Malwarebytes and running it. As soon as it starts to scan it disappears. I then renamed the .exe file when installing with the same result. After that I tried right-clicking on the shortcut, hitting properties, and then find target to get into malware.exe folder from there - no luck.

I then went to my program files; C:\Program Files\Malwarebytes' Anti-Malware, hoping it would be there - nothing.

After that I read that a system restore can help, but when I go to restore my computer through help and support it says the application is infected and won't open it.

I've also tried other spyware/malware removal software such as SuperAntiSpyware, Avira, and SpyTools with the same results.

I'm using a Dell XPS 410 and it runs on Windows XP. Everything I've tried to do has been while the computer is in "safe mode with networking."

I'm losing my mind. Any help and suggestions are much appreciated. Thanks.

Re: advanced virus remover
by Kees Bakker / August 16, 2009 12:01 AM PDT

advanced virus remover
by ryank79 / August 16, 2009 12:18 AM PDT

thanks kees. i'm actually going to try spyhunter first, before removing it manually.

Manual Removal for AV2009
by ryank79 / August 16, 2009 12:31 AM PDT

I tried removing it manually. I got through the first step - removing it in the program files, but when I tried to get into windows task manager, by hitting "start" and then "run" and then typing either tskmgr or cmd I got:

Application can not be executed. File infected. Please update your antivirus software.

same thing happens when i hit ctrl+alt+del or ctrl+shift+esc

Advice?

An alternative for task manager:
by Kees Bakker / August 16, 2009 12:39 AM PDT

itty bitty process manager
by ryank79 / August 16, 2009 12:47 AM PDT

i can't download it. says "unknown error" in my browser. i'm using safari (explorer and chrome won't even open)

Try this link
by roddy32 / August 16, 2009 1:03 AM PDT

more itty bitty
by ryank79 / August 16, 2009 1:20 AM PDT
In reply to: Try this link

ok, downloaded and ran it from the .zip file.

here is where i'm at:
Process list saved on 11:16:30 AM, on 8/16/2009
Platform: WinNT 5.01.2600 SP3

[pid] [full path to filename] [file version] [company name]
856 C:\WINDOWS\System32\smss.exe 5.1.2600.5512 Microsoft Corporation
908 C:\WINDOWS\system32\csrss.exe 5.1.2600.5512 Microsoft Corporation
932 C:\WINDOWS\system32\winlogon.exe 5.1.2600.5512 Microsoft Corporation
976 C:\WINDOWS\system32\services.exe 5.1.2600.5755 Microsoft Corporation
988 C:\WINDOWS\system32\lsass.exe 5.1.2600.5512 Microsoft Corporation
1156 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1284 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1460 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1556 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1716 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
2040 C:\WINDOWS\Explorer.exe 6.0.2900.5512 Microsoft Corporation
716 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1228 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.5512 Microsoft Corporation
1380 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1396 C:\Program Files\Safari\Safari.exe 4.530.19.1 Apple Inc.
1124 C:\WINDOWS\system32\winupdate.exe 4.4.0.3385 Microsoft Corporation
568 C:\WINDOWS\msf.exe
624 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.5512 Microsoft Corporation
1564 C:\Documents and Settings\Ryan\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe 1.0.0.0 Google
876 C:\DOCUME~1\Ryan\LOCALS~1\Temp\q.exe
1916 C:\DOCUME~1\Ryan\LOCALS~1\Temp\Temporary Directory 1 for ibprocman.zip\IBProcMan.exe 1.4.0.0 Soeperman Enterprises Ltd.

It gives me the option to Kill Processes (as well as Run and Refresh.) I'm not sure which processes to kill. I don't want to crash my computer by choosing the wrong one, and I don't see the processes listed here http://www.spywareremove.com/removeAdvancedVirusRemover.html

Very confused now.

I don't see anything obvious there but
by roddy32 / August 16, 2009 2:25 AM PDT
In reply to: more itty bitty

sometimes these things hide in legit places.


Bleeping Computer, which I much prefer over SpywareRemove, also has removal instructions, but if you scroll down past the ads on the page, you will see that it involves MBAM, which you are having problems with.
http://www.bleepingcomputer.com/virus-removal/remove-advanced-virus-remover

Perhaps the best thing for you to do would be to post a HJT log at ONE of the forums below.

CNET does not analyze HJT logs but below is a list of some of the forums that do. You will have to join to post as you did at CNET.


Download HijackThis from http://www.trendsecure.com/portal/en-US/_download/HiJackThis.exe
Save it to your desktop. Double-click HijackThis.exe.
Click Scan and save log.

Please post a log at ONE of the below forums. Please be patient with them; they are busy.

1. http://www.lognrock.com/forum/index.php?showforum=5
2. http://forum.securitycadets.com/index.php?showforum=2
3. http://www.temerc.com/forums/viewforum.php?f=12
4. http://www.malwarebytes.org/forums/index.php?showforum=7
5. http://www.bleepingcomputer.com/forums/forum22.html

Good luck and please let us know how you are doing.

bad news
by ryank79 / August 16, 2009 2:52 AM PDT

I downloaded HijackThis and scanned and saved. However, when I went to look at it it had disappeared. I went to do the scan again and got this message:

"Windows can not access the specified device, path, or file. You may not have the appropriate permissions to access the item."

I have no idea what to do now. I did read in the forums that downloading malwarebytes to flashdrive and running it from there might help. Thoughts?

I would post your
by roddy32 / August 16, 2009 2:58 AM PDT
In reply to: bad news

problem in ONE of the HJT forums I listed in my previous post. Just explain exactly what is going on. They are trained for malware removal and would be able to help you more than we can here.

Thanks
by ryank79 / August 16, 2009 3:15 AM PDT
In reply to: I would post your

I will try that.

do you think downloading malwarebytes onto a flashdrive from another computer might help, or are we past that?

I would do whatever the expert says
by roddy32 / August 16, 2009 3:20 AM PDT
In reply to: Thanks

at the HJT forum.

Good, I see you posted at one of
by roddy32 / August 16, 2009 3:10 AM PDT
In reply to: bad news

the forums. Please be patient with them because they are busy.

876 C:\DOCUME~1\Ryan\LOCALS~1\Temp\q.exe
by R. Proffitt Forum moderator / August 16, 2009 2:39 AM PDT
In reply to: more itty bitty

What is that?

q.exe
by ryank79 / August 16, 2009 2:53 AM PDT

no idea.

(NT) Kill it and see what happens, it is a temp file anyway
by roddy32 / August 16, 2009 2:59 AM PDT
In reply to: q.exe

I'd kill that.
by R. Proffitt Forum moderator / August 16, 2009 3:41 AM PDT
In reply to: q.exe

A q.exe running from temp? Not a good thing.
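
The check the replies above apply by eye to the process list, as an added example (not part of any post in this thread): it parses rows in the IBProcMan format quoted earlier and flags executables that run from a temp directory or carry no version/company fields. The two rules and the function names are assumptions made for illustration; the rows are a subset of the listing posted above.

```python
import re

# Subset of the IBProcMan listing quoted in the thread above.
LISTING = r"""
[pid] [full path to filename] [file version] [company name]
988 C:\WINDOWS\system32\lsass.exe 5.1.2600.5512 Microsoft Corporation
1156 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1396 C:\Program Files\Safari\Safari.exe 4.530.19.1 Apple Inc.
1124 C:\WINDOWS\system32\winupdate.exe 4.4.0.3385 Microsoft Corporation
568 C:\WINDOWS\msf.exe
876 C:\DOCUME~1\Ryan\LOCALS~1\Temp\q.exe
1916 C:\DOCUME~1\Ryan\LOCALS~1\Temp\Temporary Directory 1 for ibprocman.zip\IBProcMan.exe 1.4.0.0 Soeperman Enterprises Ltd.
"""

# pid, path up to the first ".exe", then an optional "version company" tail.
ROW = re.compile(r"^(\d+)\s+(.+?\.exe)(?:\s+(\d+(?:\.\d+)+)\s+(.+))?$", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)


def parse(listing):
    """Yield one dict per process row; header and blank lines are skipped."""
    for line in listing.splitlines():
        m = ROW.match(line.strip())
        if m:
            pid, path, version, company = m.groups()
            yield {"pid": int(pid), "path": path,
                   "version": version, "company": company}


def triage(listing):
    """Return {pid: [reasons]} for rows that deserve a closer look."""
    flagged = {}
    for proc in parse(listing):
        reasons = []
        if TEMP_DIR.search(proc["path"]):
            reasons.append("runs from a temp directory")
        if proc["version"] is None:
            reasons.append("no version or company metadata")
        if reasons:
            flagged[proc["pid"]] = reasons
    return flagged


if __name__ == "__main__":
    paths = {p["pid"]: p["path"] for p in parse(LISTING)}
    for pid, reasons in triage(LISTING).items():
        print(pid, paths[pid], "->", "; ".join(reasons))
```

PID 1916 is the process viewer itself, started from the unpacked .zip, so a flag here is a lead to investigate rather than a verdict. A row that shows a version and a company name is not cleared by that alone, since those fields are read from the file itself.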

q.exe
by ryank79 / August 16, 2009 3:50 AM PDT
In reply to: I'd kill that.

i killed it.

This One Can Be Nasty
by Bugbatter / August 16, 2009 8:59 AM PDT
In reply to: q.exe

Unless you have an older version, this is not going to be a one-shot fix. The newest variant of this is nastier than the older one, in that if you initially delete its files, they will break things. It's like saying, "Buy my product, or I'll break your computer."
For that reason, there is a procedure to follow for cleaning.
Following Roddy's suggestion to post in a malware removal forum is the way to go with this -- if it is not too late.

You need a bootable CD
by johnccholmes / August 16, 2009 1:10 PM PDT

If you cannot run MBAM, you probably want to stop wasting your time and just download Avira's free rescue CD. You are going to need a clean computer to do this, with a CD burner and a blank CD. The link for the downloadable image is here:

http://free-av.com/en/tools/12/avira_antivir_rescue_system.html

Just follow the directions, burn the disk, and boot off the disk on the infected system. Make sure that any files you want to delete are not critical system files. If you need to do research on the internet on that 2nd clean PC before deleting files, then I would do that. This approach will probably save you time in the end.

After running a scan from a bootable CD, you then should be able to run MBAM, SAS, and AVP.

Kaspersky Labs makes a free virus tool, based off their KAV 7 engine, with full virus definitions, updated several times a day. The AVP tool is available here:

http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/

It is digitally signed by Kaspersky Labs.
