Log'N'Rock: manual advanced virus removal [INACTIVE] - Log'N'Rock


#1 ryank79

Posted 16 August 2009 - 05:01 PM

Hello.

I'm in a jam. I've been trying to manually remove the advanced virus removal virus from my computer and have run up against some problems. This is after trying to run several spyware programs; every time I would run, for example, Malwarebytes, it would disappear.

I ran an itty bitty process manager and came up with this:
Process list saved on 12:58:44 PM, on 8/16/2009
Platform: WinNT 5.01.2600 SP3

[pid] [full path to filename] [file version] [company name]
856 C:\WINDOWS\System32\smss.exe 5.1.2600.5512 Microsoft Corporation
908 C:\WINDOWS\system32\csrss.exe 5.1.2600.5512 Microsoft Corporation
932 C:\WINDOWS\system32\winlogon.exe 5.1.2600.5512 Microsoft Corporation
976 C:\WINDOWS\system32\services.exe 5.1.2600.5755 Microsoft Corporation
988 C:\WINDOWS\system32\lsass.exe 5.1.2600.5512 Microsoft Corporation
1156 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1284 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1460 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1556 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1716 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
2040 C:\WINDOWS\Explorer.exe 6.0.2900.5512 Microsoft Corporation
716 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1228 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.5512 Microsoft Corporation
1380 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation
1396 C:\Program Files\Safari\Safari.exe 4.530.19.1 Apple Inc.
1124 C:\WINDOWS\system32\winupdate.exe 4.4.0.3385 Microsoft Corporation
568 C:\WINDOWS\msf.exe
624 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.5512 Microsoft Corporation
1564 C:\Documents and Settings\Ryan\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe 1.0.0.0 Google
1848 C:\DOCUME~1\Ryan\LOCALS~1\Temp\q.exe
2016 C:\DOCUME~1\Ryan\LOCALS~1\Temp\Temporary Directory 2 for ibprocman.zip\IBProcMan.exe 1.4.0.0 Soeperman Enterprises Ltd.

Another forum pointed out this as being questionable: 1848 C:\DOCUME~1\Ryan\LOCALS~1\Temp\q.exe

I also tried HijackThis, but the virus won't let me access it, so I can't run a scan. Any advice would be VERY appreciated. I feel like I've tried everything. Very confused.

I also read that downloading Malwarebytes on a flash drive and running it from there might work. Any advice there?

Thanks.

This post has been edited by ryank79: 16 August 2009 - 05:11 PM
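
Added example (not part of the original posts): a small triage pass over a process list in the format posted above, flagging entries that carry no version/company metadata or that run from a Temp directory. The two heuristics and the names `parse` and `triage` are assumptions chosen for illustration; the sample lines are an excerpt of the list in the post.

```python
import re

# Line format from the post: [pid] [full path] [file version] [company name].
# Version and company are absent when the file has no version resource.
LINE = re.compile(
    r"^(\d+)\s+(.+?\.exe)(?:\s+(\d+(?:\.\d+){3})\s+(.+))?$", re.IGNORECASE
)

# Excerpt of the process list posted above.
SAMPLE = r"""
976 C:\WINDOWS\system32\services.exe 5.1.2600.5755 Microsoft Corporation
1396 C:\Program Files\Safari\Safari.exe 4.530.19.1 Apple Inc.
568 C:\WINDOWS\msf.exe
1848 C:\DOCUME~1\Ryan\LOCALS~1\Temp\q.exe
2016 C:\DOCUME~1\Ryan\LOCALS~1\Temp\Temporary Directory 2 for ibprocman.zip\IBProcMan.exe 1.4.0.0 Soeperman Enterprises Ltd.
"""

def parse(listing):
    """Turn the saved listing into dicts; header and blank lines are skipped."""
    rows = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if m:
            pid, path, version, company = m.groups()
            rows.append({"pid": int(pid), "path": path,
                         "version": version, "company": company})
    return rows

def triage(rows):
    """Return {pid: [reasons]} for entries worth a closer look (leads, not verdicts)."""
    flagged = {}
    for r in rows:
        reasons = []
        # Heuristic 1 (assumption): a running image with no version resource.
        if r["version"] is None:
            reasons.append("no version/company metadata")
        # Heuristic 2 (assumption): image path inside a Temp directory.
        if "\\temp\\" in r["path"].lower():
            reasons.append("runs from a Temp directory")
        if reasons:
            flagged[r["pid"]] = reasons
    return flagged

if __name__ == "__main__":
    for pid, reasons in triage(parse(SAMPLE)).items():
        print(pid, "; ".join(reasons))
```

The process manager itself (pid 2016) is flagged because it was launched from a Temp extraction folder, which shows why each flag is a lead to check by hand rather than a verdict.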

#2 Fred Flintstone

Posted 16 August 2009 - 05:28 PM

Hi ryank79..

Let's see if ComboFix will run here (the renaming part is important).

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

NOTE: When saving the file, rename it to Combo-Fix.exe << note the added hyphen..

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Thanks

Fred..

#3 ryank79

Posted 16 August 2009 - 06:04 PM

ComboFix, once installed, disappeared. I renamed and disabled all anti-virus/spyware software. It started to load and then vanished.

#4 Fred Flintstone

Posted 16 August 2009 - 06:52 PM

Hi again..

Please copy/paste the following code box into a new notepad (not wordpad) document.

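@ECHO OFF
REM List every copy of scecli.dll under C:\WINDOWS (all attributes, all subfolders) into Log.txt
DIR /a/s C:\WINDOWS\scecli.dll >Log.txt
REM Open the log in the default text viewer (normally Notepad)
START Log.txt
REM Delete this batch file once it has run
DEL %0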

Save it to your Desktop as look.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: look.bat

Locate look.bat on your Desktop and double-click it. When notepad opens, copy/paste the content in your next reply.

Then:
  • Download avz4en.zip here
  • Unzip it to a folder on your desktop
  • Double click on AVZ.exe
  • Click on the webupdate icon
  • Click on the start button.
  • Wait for the update to finish
  • You will get a message that says "Automatic update completed successfully. Update has been successfully downloaded and installed"
  • Click OK
  • Under the search parameter tab, change the heuristic analysis mode to "Maximum heuristics level" and tick the box next to "Extended analysis"
  • Make sure that the following options are selected
    • Detect API hooks and rootkits
    • Check SPI / LSP settings
    • Search for keyloggers
    • Search for TCP/UDP ports used by trojan horses

  • Make sure the following options are not selected
    • Block user-mode rootkits
    • Block kernel-mode rootkits
    • Automatically correct SPI/LSP errors
    • Perform healing

  • Under the file types tab select all files
  • Under the search range tab, select the following options
    • Check running processes
    • Heuristic system check

  • Make sure that all the Disks listed are selected
  • Click start and wait for the scan to finish
  • When the scan has finished click on the save icon
  • Leave the default name of avz_log and save it to your desktop
  • This will put the file avz_log.txt on your desktop, please post the contents of that file also..


Thanks

Fred..

This post has been edited by Fred Flintstone: 16 August 2009 - 07:31 PM

#5 Fred Flintstone

Posted 27 August 2009 - 11:39 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.