how to remove antivirus doctor 2009 [Solved]


  • This topic is locked

#1
rotation5

  • Member
  • 10 posts
So recently I've noticed that every time I do a scan with Norton Internet Security, Antivirus Doctor 2009 shows up, and I literally mean every time, and every time it says it's fixed but it just shows up again. I currently have 8 Antivirus Doctor 2009 in quarantine. I've run MBAM and it doesn't even show up on the scan. Also, I looked up Antivirus Doctor 2009 and people say that it gives you a bunch of pop-ups and other stuff, but I haven't seen anything other than its name when it shows up in the scan. Another thing is that in the details from the Norton scan it lists two files:
1. c:\documents and settings\AVP 2009\1.dat
2. c:\documents and settings\AVP
But I use Windows 7, which to my knowledge doesn't even have a Documents and Settings folder, so I'm a bit confused and I could really use some help.
  • 0


#2
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please download The Comedian.exe by Rorschach112 to your desktop
  • Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
  • Double click the program to run it. It will only take around several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished
STOP! if you can't complete this step.. Tell me more about it..




NEXT


Please download OTS by OldTimer and unzip it to your Desktop..

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • At the top, tick on Scan All Users section
  • At File Age set it to 90 Days
  • In the Processes, Modules, Services, Drivers and Registry section, please set on Safe List.
  • In the Files Created Within and Files Modified Within section, set it to File Age
  • At the bottom, tick on all Safe List and Use Company Name WhiteList option
  • Under Additional Scans, tick on the "Extras" button and then click the checkboxes in front of the following items to select them:
    • Reg - Disabled MS Config Items
    • Reg - Drivers32
    • Reg - Ext
    • Reg - IE Explorer Bar
    • Reg - NetSvcs
    • Reg - Safeboot Minimal
    • Reg - Safeboot Network
    • File - Lop Check
    • File - Purity Scan
  • Please copy/paste the script below into the Custom Scans box:
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
  • Do NOT change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Attach the log in your next replies.. Don't post it.. It will be too large to fit into a single post..




NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
Please rename the random filename or GMER into GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.

IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results




ATTACH these logs in your next reply

1. OTS
2. GMER
  • 0

#3
rotation5

  • Topic Starter
  • Member
  • 10 posts
Here's the OTS log

Attached Files


  • 0

#4
rotation5

  • Topic Starter
  • Member
  • 10 posts
When I run GMER it says "C:\windows\system32\config\system: the system cannot find the file specified." and when I click Scan it says "C:\windows\system32\config\system: this process cannot access the file because it is being used by another process." Then it continues with the scan and says that there's nothing wrong.

Edited by rotation5, 04 March 2010 - 07:10 PM.

  • 0

#5
fenzodahl512

  • Malware Removal
  • 9,863 posts
Ok, just run GMER and post the log here.. If GMER cannot finish, just tell me where it gets stuck :)
  • 0

#6
rotation5

  • Topic Starter
  • Member
  • 10 posts

Ok, just run GMER and post the log here.. If GMER cannot finish, just tell me where it gets stuck :)

It doesn't give me a log, it just says GMER hasn't found any system modification. Oh, and it won't let me check all the boxes; I only have Services, Files, Registry and ADS checked.

Edited by rotation5, 04 March 2010 - 09:24 PM.

  • 0

#7
fenzodahl512

  • Malware Removal
  • 9,863 posts
Hi, do you still have any problem with the computer? As far as I can tell, there's nothing wrong with the OTS log..

c:\documents and settings\AVP 2009
c:\documents and settings\AVP

Can you tell me more about those folders? And can you tell me more about what's inside the C:\Documents and Settings?
  • 0

#8
rotation5

  • Topic Starter
  • Member
  • 10 posts
The thing is I haven't had any problem at all, no pop-ups or anything. I was just worried cause it keeps showing up in the Norton scan. I'm not even sure how I got it cause I never downloaded it or anything. About the Documents and Settings file, I haven't been able to find them cause I'm using Windows 7, which uses a different file as a substitute. I've looked at hidden folders etc. with no luck. So I'm kinda lost, and I'm wondering why it keeps coming back if Norton says it's been removed, or why I'm not seeing any symptoms.

Edited by rotation5, 04 March 2010 - 10:24 PM.

  • 0

#9
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please post me a screenshot of what Norton found :)
  • 0

#10
rotation5

  • Topic Starter
  • Member
  • 10 posts
ok here they are

Attached Thumbnails

  • Capture.PNG
  • Capture1.PNG

  • 0


#11
fenzodahl512

  • Malware Removal
  • 9,863 posts
Please download the OTM by OldTimer
  • Save it to your Desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :files
    C:\Documents and Settings\All Users\AVP 2009
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • 0

#12
rotation5

  • Topic Starter
  • Member
  • 10 posts
here you go




All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\Documents and Settings\All Users\AVP 2009 folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: AppData

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33234 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Josh
->Temp folder emptied: 156920 bytes
->Temporary Internet Files folder emptied: 5652528 bytes
->Java cache emptied: 1647500 bytes
->FireFox cache emptied: 83308127 bytes
->Google Chrome cache emptied: 856432 bytes
->Flash cache emptied: 52244 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1216 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67627 bytes
RecycleBin emptied: 794112 bytes

Total Files Cleaned = 88.00 mb


OTM by OldTimer - Version 3.1.10.0 log created on 03052010_022521

Files moved on Reboot...
C:\Users\Josh\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Josh\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4NHYAAAU\download[1].aspx moved successfully.
File C:\Windows\temp\JET2F88.tmp not found!

Registry entries deleted on Reboot...
  • 0
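
Added example, not part of the original thread or of any tool used in it: Windows 7 keeps `C:\Documents and Settings` and `All Users` as hidden compatibility links, which is why a scanner or OTM can report a path under a folder the user cannot find. The sketch below resolves such legacy paths against a constructed subset of the default Windows 7 link table; the table and the function names are assumptions for illustration.

```python
from pathlib import PureWindowsPath

# Constructed subset of the default Windows 7 compatibility links
# (legacy name -> real location). Keys are lower-cased because NTFS
# name lookups are case-insensitive.
SYSTEM_LINKS = {
    r"c:\documents and settings": r"C:\Users",
    r"c:\users\all users": r"C:\ProgramData",
    r"c:\users\default user": r"C:\Users\Default",
    r"c:\programdata\application data": r"C:\ProgramData",
    r"c:\programdata\desktop": r"C:\Users\Public\Desktop",
    r"c:\programdata\documents": r"C:\Users\Public\Documents",
}
# Links present inside each user profile, relative to C:\Users\<name>.
PROFILE_LINKS = {
    "application data": r"AppData\Roaming",
    "local settings": r"AppData\Local",
    "my documents": "Documents",
}

def _link_target(path):
    """Return the target if `path` itself is a known link, else None."""
    key = str(path).lower()
    if key in SYSTEM_LINKS:
        return PureWindowsPath(SYSTEM_LINKS[key])
    parts = path.parts
    # Shape C:\Users\<name>\<legacy folder>
    if (len(parts) == 4 and parts[1].lower() == "users"
            and parts[3].lower() in PROFILE_LINKS):
        return path.parent / PROFILE_LINKS[parts[3].lower()]
    return None

def resolve_legacy_path(raw):
    """Walk the path one component at a time, following links in order."""
    parts = PureWindowsPath(raw).parts
    if not parts:
        return raw
    current = PureWindowsPath(parts[0])
    for part in parts[1:]:
        current = current / part
        for _ in range(8):  # follow chained links; bounded to avoid loops
            target = _link_target(current)
            if target is None:
                break
            current = target
    return str(current)
```

On a live Windows 7 system, `dir /AL C:\` lists these links together with their targets.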

#13
fenzodahl512

  • Malware Removal
  • 9,863 posts
Ok, scan again with Norton.. Do you still receive the same error? :)
  • 0

#14
rotation5

  • Topic Starter
  • Member
  • 10 posts
No it doesn't, thanks a lot. Can I delete the moved folder now??
  • 0

#15
fenzodahl512

  • Malware Removal
  • 9,863 posts

No it doesn't, thanks a lot. Can I delete the moved folder now??


Err.. which folder?
  • 0





