Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Antivirus System Pro [Solved]

Started by goostar , Nov 08 2009 10:12 PM

This topic is locked

#1
goostar

Posted 08 November 2009 - 10:12 PM

Member

Member
79 posts

I'm back to my favorite spyware fix forum!

I've got an HP Pavillion 8710 laptop running XP. I got hit with Antivirus System Pro this evening and this little bugger has me stumped. I can't find it with aVast antivirus. AVG doesn't do anything. I've tried downloading other fixes I've read about in this forum and they are quickly disabled followed by an alert that says that file is infected. I do a HiJackThis scan and it disables notepad from saving a logfile. It keeps taking me to porn and viagra sites and keeps asking me if i want to activate my antivirus software.

HELP!!!!!

#2
hammerman

Posted 09 November 2009 - 07:21 AM

Member 4k

Member
4,183 posts

Hello goostar and welcome to GeeksToGo

I'm hammerman and I'm going to help you fix your problem.

Before we begin, here are some guidelines which will help us both in fixing your problem.

I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.
Please do no attach logs or post them in Quote/Code boxes unless requested.
When posting logs, please ensure Word Wrap is turned off in Notepad. Open Notepad, select Format on the menu bar and make sure that Word Wrap is unchecked.
Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
If in doubt about anything, please ask.

Please follow these steps.

-- Step 1 --

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

-- Step 2 --

To ensure that I get all the information, this log will need to be attached (instructions at the end).

Download OTS to your Desktop

Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program.
Check the box that says Scan All Users
Under Additional Scans check the following:
- Reg - Approved Shell Extensions
- Reg - Desktop Components
- Reg - Disabled MS Config Items
- Reg - Drivers32
- Reg - File Associations
- Reg - NetSvcs
- Reg - SafeBoot Minimal
- Reg - SafeBoot Network
- Reg - Shell Spawning
- Reg - Uninstall List
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
Under the Custom Scans box at the bottom left paste the following in

%ALLUSERSPROFILE%\Application Data\*.
%ALLUSERSPROFILE%\Application Data\*.exe /s
%APPDATA%\*.
%APPDATA%\*.exe /s
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

-- Step 3 --

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google....rotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

Click on the Log tab.
In the Write to log box select all items.
Click on the Create Log button on the bottom right.
After a few seconds a new Window should appear.
Make sure Scan all drives is selected and click on the Start button.
When it is complete a new Window will appear to indicate that the scan is finished.
The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

#3
goostar

Posted 09 November 2009 - 07:52 AM

Member

Topic Starter
Member
79 posts

Thanks for the quick reply.
I downloaded exeHelper.exe but each time I tried to run it, the black box would disappear and a message that says "exehelper.exe is infected" appears. I've tried several times to run it but it gets disabled each time.

#4
hammerman

Posted 09 November 2009 - 07:57 AM

Member 4k

Member
4,183 posts

Hi,

Can you try the next 2 steps.

#5
goostar

Posted 09 November 2009 - 08:18 AM

Member

Topic Starter
Member
79 posts

I couldn't do the OTS.exe step because it kept disabling the program.
I was able to download the SysProt.exe program and run a scan. The text file was saved to the folder but it won't let me open the file without disabling it quickly. And of course, it tells me that the file is infected.

#6
hammerman

Posted 09 November 2009 - 08:26 AM

Member 4k

Member
4,183 posts

Hi,

Download avz4.zip from here

Unzip it to your desktop to a folder named avz4
Double click on AVZ.exe to run it.
Run an update by clicking the Auto Update button on the Right of the Log window:
Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

Start AVZ.
Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Analysis" check box.
Click on the “Execute selected scripts”.
Automatic scanning, healing and system check will be executed.
A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
All applications will work properly after the system restart.

When restarted

Start AVZ.
Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis" check box.
Click on the "Execute selected scripts".
A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

#7
goostar

Posted 09 November 2009 - 08:48 AM

Member

Topic Starter
Member
79 posts

I downloaded the file and unzipped it. When I doubleclick on AVZ.exe, I get the same "file is infected" alert and it won't open.
I'm sorry this is such a pain. This seems to be a tough little critter.

#8
hammerman

Posted 09 November 2009 - 08:50 AM

Member 4k

Member
4,183 posts

Try running AVZ from Safe mode.

#9
goostar

Posted 09 November 2009 - 09:05 AM

Member

Topic Starter
Member
79 posts

I tried to boot into safe mode, but after i select safe mode and the OS, it goes to a blank blue screen and won't boot up.

#10
hammerman

Posted 09 November 2009 - 09:12 AM

Member 4k

Member
4,183 posts

Hi,

Please download SafeBoot Repair here by sUBs
Close all windows and programs.
Double click the SafeBootKeyRepair.exe and allow it to run.

Then try and enter Safe mode again and run AVZ.

#11
goostar

Posted 09 November 2009 - 09:24 AM

Member

Topic Starter
Member
79 posts

Guess what? I downloaded the safebootkeyrepair file and it keeps getting blocked from opening.

AUGH!!!!

#12
hammerman

Posted 09 November 2009 - 10:10 AM

Member 4k

Member
4,183 posts

Hi,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
During the download, rename Combofix to svchost.com as follows:
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on svchost.com & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#13
goostar

Posted 09 November 2009 - 11:08 AM

Member

Topic Starter
Member
79 posts

I downloaded and renamed the file but it gets shut down when i try to open it. the status bar appears like it's trying to open but gets shut down followed by numerous messages that it's infected.

#14
hammerman

Posted 09 November 2009 - 11:23 AM

Member 4k

Member
4,183 posts

Hi,

Please follow these steps.

-- Step 1 --

Click on start then Run...
In the Open: window, type msconfig and OK
Select Startup tab and click on Disable All
Select Services tab and check Hide All Microsoft Services. Then click on Disable All. Ensure Microsoft services are NOT disabled.
Click on OK and restart your computer

-- Step 2 --

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

#15
goostar

Posted 09 November 2009 - 12:00 PM

Member

Topic Starter
Member
79 posts

AHA! That worked!
Here's the log from exeHelper:

exeHelper by Raktor
Build 20091021
Run at 11:57:54 on 11/09/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--