How do I delete Anti-virus-1 from my computer?

grampi

Member
Someone please help!!!!!!!!!!!

Somehow the initial part of the Anti-virus-1 software got onto my computer, now it constantly keeps messing with my computer's operation with popups and the "blue screen of death" trying to get me to pay for the software. I tried looking it up in "Add or Remove Programs" in my control panel, but it doesn't show up in there. It did show up when I did a search for files and programs and I selected to delete them, but it still keeps coming up. It's telling me I have spyware program Win32.Monster.fx on my computer that's trying to attack my computer. I ran my Malwarebytes scan and deleted all the infections it found, so wouldn't it have found this spyware and deleted it? If so, is the anti-virus-1 program just generating these messages to get me to buy their product? How do I get rid of it?
 

grampi

Member
Here's the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:41 PM, on 2/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\AV1.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.imesh.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: UrlHelper Class - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshIEHelper.dll
O2 - BHO: QWProtectBHO - {70FEAD04-A7FD-4B89-B814-8A8251C90EF7} - C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\QWProtect.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Monitor calibration] C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\AV1i.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio2/downloads/msxml4.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7619 bytes

I'm running the Malwarebytes scan again right now to get its log. I'll post that when it's done.
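Two things in a HijackThis log like the one above deserve to be pulled out mechanically: the O1 lines, where many review-site hostnames are all sent to the same outside address, and the O2/O4 entries whose binaries live under Application Data rather than Program Files or Windows. The script below is an added example for this thread, not code from HijackThis or from anyone posting here. Its sample lines are copied from the log above, except for one constructed loopback line that exercises the filter; the function names (`hosts_redirects`, `suspicious_autostarts`, `triage`) and the "expected roots" heuristic are the example's own choices.

```python
"""Triage a HijackThis log: hosts-file redirections and autostarts from
unusual locations.  Added example; sample lines come from the posted log."""
import re
from collections import defaultdict

# Constructed sample: a subset of the posted HijackThis log, plus one
# loopback Hosts line (constructed; HijackThis hides the default localhost
# entry) so the loopback filter is exercised.
SAMPLE_LOG = """\
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: QWProtectBHO - {70FEAD04-A7FD-4B89-B814-8A8251C90EF7} - C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\AV1\\QWProtect.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre6\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [Monitor calibration] C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\AV1\\AV1i.exe
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

HOSTS_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# First drive-letter path ending in .exe/.dll on a line; surrounding quotes
# and trailing command-line arguments are left out of the match.
BINARY_PATH = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll)', re.IGNORECASE)

# Hosts entries pointing here block a name rather than redirect it.
LOOPBACK = ("127.", "0.0.0.0", "::1")
# Where installed software normally lives on Windows XP.  A binary anywhere
# else (user profiles, Application Data, Temp) is worth a closer look; this
# is a heuristic, not proof of malice.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


def hosts_redirects(log_text):
    """Map each non-loopback target IP in O1 lines to the hostnames sent to it."""
    targets = defaultdict(list)
    for line in log_text.splitlines():
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, hostname = m.groups()
        if ip.startswith(LOOPBACK):
            continue
        targets[ip].append(hostname)
    return dict(targets)


def suspicious_autostarts(log_text):
    """Return (section, path) for O2/O3/O4 binaries outside EXPECTED_ROOTS."""
    flagged = []
    for line in log_text.splitlines():
        if not line.startswith(("O2 -", "O3 -", "O4 -")):
            continue
        m = BINARY_PATH.search(line)
        if not m:
            continue  # e.g. "O4 - Global Startup: foo.lnk = ?" has no path
        path = m.group(0)
        if not path.lower().startswith(EXPECTED_ROOTS):
            flagged.append((line[:2], path))
    return flagged


def triage(log_text, min_hosts=3):
    """Summarise the two findings: mass hosts redirection and odd autostarts."""
    redirects = hosts_redirects(log_text)
    mass = {ip: names for ip, names in redirects.items() if len(names) >= min_hosts}
    return {"hosts_redirects": mass,
            "suspicious_autostarts": suspicious_autostarts(log_text)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, names in result["hosts_redirects"].items():
        print(f"{len(names)} hostnames sent to {ip}: {', '.join(names)}")
    for section, path in result["suspicious_autostarts"]:
        print(f"{section} autostart outside expected roots: {path}")
```

Run against the full log above, the hosts check groups all twenty review-site names under 217.20.175.74 (which is why software-review pages would not load normally on this machine), and the autostart check flags exactly the two AV1 entries while leaving the Java, Yahoo! and HP entries alone.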
 

grampi

Member
Here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.31
Database version: 1551
Windows 5.1.2600 Service Pack 2

2/22/2009 12:59:14 PM
mbam-log-2009-02-22 (12-59-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 195702
Time elapsed: 2 hour(s), 24 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshMediaBar.dll (Adware.SoftMate) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\imeshmediabar.stockbar (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{6c380604-92b2-4633-becb-bde03fa45980} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4481c34a-10df-4c96-92a6-0ef31b6b95d6} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f9c23cd1-6da9-4e0b-8367-c6f9f1f78baf} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\imeshmediabar.stockbar.1 (Adware.SoftMate) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshMediaBar.dll (Adware.SoftMate) -> Quarantined and deleted successfully.
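Read as a whole, the log above already says a lot: every detection is Adware.SoftMate (the iMesh toolbar), nothing under the AV1 folder was detected at all, and the one in-memory module is marked "Delete on reboot", meaning it was still loaded when the scan finished. The parser below is an added example, not Malwarebytes' code or part of this thread; its sample is a shortened copy of the log above (two registry keys instead of seven, with the header count adjusted to match), and `parse_mbam_log`, `reconcile`, `pending_reboot` and `threat_families` are the example's own names.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and answer three questions:
do the header counts match the itemised entries, what is still pending a
reboot, and which threat families were actually found.  Added example."""
import re
from collections import Counter

# Constructed sample: the posted log, shortened to two registry keys with
# the "Registry Keys Infected" count adjusted to match.
SAMPLE_MBAM_LOG = """\
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\\Program Files\\iMesh Applications\\iMesh MediaBar\\iMeshMediaBar.dll (Adware.SoftMate) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\\imeshmediabar.stockbar (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\\CLSID\\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar\\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\\Program Files\\iMesh Applications\\iMesh MediaBar\\iMeshMediaBar.dll (Adware.SoftMate) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # header count line
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # detail section header
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")     # object (family) -> action


def parse_mbam_log(text):
    """Return (summary counts, {section: [items]}); items are dicts."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            sections[current].append(
                {"object": m.group(1), "threat": m.group(2), "action": m.group(3)})
    return summary, sections


def reconcile(summary, sections):
    """Sections whose header count differs from the items listed (a sign the
    log was truncated or edited when pasted).  Empty dict means consistent."""
    return {name: (count, len(sections.get(name, [])))
            for name, count in summary.items()
            if count != len(sections.get(name, []))}


def pending_reboot(sections):
    """Objects still loaded at scan time: not removed until the machine restarts."""
    return [item["object"] for items in sections.values() for item in items
            if item["action"].startswith("Delete on reboot")]


def threat_families(sections):
    """How many items each detection family accounts for."""
    return Counter(item["threat"] for items in sections.values() for item in items)


if __name__ == "__main__":
    summary, sections = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("count mismatches:", reconcile(summary, sections) or "none")
    print("pending reboot:", pending_reboot(sections))
    print("families:", dict(threat_families(sections)))
```

On the posted log this yields no count mismatches, one module pending reboot, and a single family, Adware.SoftMate, across all twelve items. Neither AV1.exe nor QWProtect.dll appears in it, so a clean Malwarebytes result for the toolbar says nothing about whether the rogue "Anti-virus-1" is gone.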
 

grampi

Member
My computer keeps showing these popup messages and they come up in a window from the computer's security center. It has the four colored shield in the corner (just like the security icon located in the control panel). It keeps saying my computer has 41 infections and that I need to complete my registration (meaning they want me to buy their software) before their system can remove the infections. The reason I question this is because I ran the Malwarebytes scan and it removed the infections it found, so why would there still be infections on my computer AFTER I ran this scan? Popup windows are constantly coming up from the little icons down on the bottom of my screen, and I'm constantly getting the narrow band of info that's located just underneath the box that runs across the top of my screen that contains the address bar and all the little icons (sorry, I don't know what that area is called). That message reads: "Internet Explorer has found an unregistered version of Anti-virus-1. To protect your computer, please register your Anti-virus-1." This message begins with a red shield with an "X" in it. I don't know how this Anti-virus-1 thing got on my computer, but now it won't leave me alone. It's constantly, AND I MEAN CONSTANTLY, popping up windows while I'm on the computer. I have to keep closing the windows and sometimes this results in the "blue screen of death." WILL SOMEONE PLEASE HELP ME FIGURE OUT HOW TO GET RID OF THIS PROBLEM?????????
 

spearlymatt

New Member
I feel bad for you man, I'm not entirely sure what you're talking about, but I'm guessing it's a fake virus scan thing.


I had the same thing happen to a good laptop of mine.

Had to wipe everything and reinstall windows.
 

mcutra

New Member
re

MAN you should save your data fast and FORMAT your drive before that virus makes a big mess, ok......... Trust me, I've had a lot of them........:(:(
 

grampi

Member
I feel bad for you man, I'm not entirely sure what you're talking about, but I'm guessing it's a fake virus scan thing.


I had the same thing happen to a good laptop of mine.

Had to wipe everything and reinstall windows.

Yeah, I was hoping to be able to avoid that, but it ain't looking good.
 

grampi

Member
MAN you should save your data fast and FORMAT your drive before that virus makes a big mess, ok......... Trust me, I've had a lot of them........:(:(

I don't have anything on my computer that needs saving. Worst comes to worst I'll just reinstall Windows.
 

mcutra

New Member
Re

And do it fast... before it damages something like your HDD (I've heard they could be very dangerous) :D
 

Respital

Active Member
Hello:

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
If that happened we want to know, and also what process you had to end.

In your next reply I will need:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 

grampi

Member
I couldn't get ComboFix to finish downloading. I keep getting an error message that says "You cannot rename combofix as combofix(1)." I click "OK" and nothing else happens. It gives me no other options. I tried downloading it several times to no avail.
 

Respital

Active Member
I couldn't get ComboFix to finish downloading. I keep getting an error message that says "You cannot rename combofix as combofix(1)." I click "OK" and nothing else happens. It gives me no other options. I tried downloading it several times to no avail.

Try saving it to a different location.
 

grampi

Member
Okay, I was able to get ComboFix to work. Here's its log:

ComboFix 09-02-21.01 - Owner 2009-02-22 22:59:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.57 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
.

2009-02-22 21:30 . 2004-08-20 15:50 159,744 --a------ c:\windows\system32\igfxres.dll
2009-02-22 21:29 . 2009-02-22 21:29 13,646 --a------ c:\windows\system32\wpa.bak
2009-02-22 21:23 . 2004-08-04 05:00 1,875,968 --a--c--- c:\windows\system32\dllcache\msir3jp.lex
2009-02-22 21:22 . 2004-08-04 05:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-02-22 21:21 . 2004-08-04 05:00 1,677,824 --a--c--- c:\windows\system32\dllcache\chsbrkr.dll
2009-02-22 21:20 . 2009-02-22 21:20 <DIR> d-------- c:\windows\LastGood.Tmp
2009-02-22 21:18 . 2009-02-22 21:18 749 -rah----- c:\windows\WindowsShell.Manifest
2009-02-22 21:18 . 2009-02-22 21:18 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest
2009-02-22 21:18 . 2009-02-22 21:18 749 -rah----- c:\windows\system32\sapi.cpl.manifest
2009-02-22 21:18 . 2009-02-22 21:18 749 -rah----- c:\windows\system32\ncpa.cpl.manifest
2009-02-22 21:18 . 2009-02-22 21:18 488 -rah----- c:\windows\system32\logonui.exe.manifest
2009-02-22 17:37 . 2009-02-22 17:37 <DIR> d-------- c:\program files\Trend Micro
2009-02-22 10:07 . 2009-02-22 10:07 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\AV1
2009-02-20 23:16 . 2009-02-20 23:16 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\338A
2009-02-16 11:45 . 2009-02-16 11:45 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\1EA
2009-02-16 09:13 . 2009-02-16 09:13 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\19FA
2009-02-15 23:48 . 2009-02-15 23:48 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\F38A
2009-02-15 22:18 . 2009-02-15 22:18 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\33DA
2009-02-15 22:12 . 2009-02-15 22:12 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-02-15 22:12 . 2004-08-04 05:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-02-15 22:08 . 2009-02-15 22:10 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-02-15 22:08 . 2009-02-16 23:15 1,374 --a------ c:\windows\imsins.BAK
2009-02-15 22:01 . 2009-02-15 22:01 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\B4E
2009-02-15 21:59 . 2009-02-15 22:00 <DIR> d-------- c:\program files\iMesh Applications
2009-02-15 21:59 . 2008-09-25 08:20 483,328 --a------ c:\windows\system32\actskn45.ocx
2009-02-15 21:39 . 2009-02-22 13:01 36,357 --a------ c:\windows\setupapi.old
2009-02-15 21:30 . 2009-02-15 21:30 <DIR> d-------- c:\documents and settings\Owner\WINDOWS
2009-02-15 21:30 . 1997-01-22 15:23 299,520 --a------ c:\windows\uninst.exe
2009-02-12 10:34 . 2009-02-22 23:15 <DIR> d-------- c:\documents and settings\Owner\Application Data\LimeWire
2009-02-09 16:35 . 2009-02-09 16:35 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-09 16:35 . 2009-02-09 16:35 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-25 21:53 . 2009-01-25 21:53 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-01-23 22:39 . 2009-01-23 22:39 <DIR> d-------- c:\program files\Belkin
2009-01-23 22:39 . 2003-10-13 15:30 94,208 --a------ c:\windows\system32\GTW32N50.dll
2009-01-23 22:39 . 2004-04-30 15:12 40,960 --a------ c:\windows\system32\B11gUSB.dll
2009-01-23 22:39 . 2003-09-25 23:28 31,930 --a------ c:\windows\system32\GTNDIS3.VXD
2009-01-23 22:39 . 2003-09-25 22:15 15,872 --a------ c:\windows\system32\GTNDIS5.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 21:36 --------- d-----w c:\program files\LimeWire
2009-02-09 21:35 --------- d-----w c:\program files\Java
2009-02-07 15:50 --------- d-----w c:\program files\Defraggler
2009-01-26 02:52 --------- d-----w c:\program files\Common Files\Adobe
2009-01-25 14:34 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-27 14:27 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-12-27 13:42 --------- d-----w c:\program files\CCleaner
2008-12-27 13:42 --------- d-----w c:\documents and settings\Owner\Application Data\Yahoo!
2008-12-26 19:58 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-26 19:58 --------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-26 19:58 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-17 00:49 6,239 ----a-w c:\documents and settings\Owner\bQE1kvp.exe
2008-12-16 20:13 6,239 ----a-w c:\documents and settings\Hoon\C31efp3.exe
2008-12-05 20:14 6,239 ----a-w c:\documents and settings\Owner\ksdKHsÿ.exe
2008-11-28 19:11 6,239 ----a-w c:\documents and settings\Owner\NndKT77.exe
2008-11-28 17:36 6,239 ----a-w c:\documents and settings\Owner\r23wn22.exe
2008-11-19 20:28 6,239 ----a-w c:\documents and settings\Owner\kp3w68N.exe
2008-11-06 22:57 6,239 ----a-w c:\documents and settings\Owner\jjjJI72.exe
2008-11-06 00:06 6,239 ----a-w c:\documents and settings\Owner\tjv6x6U.exe
2008-11-02 02:56 6,239 ----a-w c:\documents and settings\Owner\RxGlGf7.exe
2008-10-24 00:29 6,239 ----a-w c:\documents and settings\Owner\Gj508ÿO.exe
2008-10-14 12:32 6,239 ----a-w c:\documents and settings\Owner\uedtd3i.exe
2008-10-13 21:44 6,239 ----a-w c:\documents and settings\Owner\nf527Jm.exe
2008-10-13 14:14 6,239 ----a-w c:\documents and settings\Owner\fT1N43V.exe
2008-10-11 14:39 6,239 ----a-w c:\documents and settings\Owner\p4mIlpS.exe
2008-10-11 14:24 6,239 ----a-w c:\documents and settings\Owner\Jr4voQ3.exe
2008-10-04 17:43 6,239 ----a-w c:\documents and settings\Owner\F2k5IGA.exe
2008-10-03 01:51 6,239 ----a-w c:\documents and settings\Owner\NbcU468.exe
2008-09-22 00:40 6,239 ----a-w c:\documents and settings\Hoon\W5mF5xa.exe
2008-09-22 00:12 6,239 ----a-w c:\documents and settings\Owner\xGs0Ju1.exe
2008-09-09 20:51 6,239 ----a-w c:\documents and settings\Owner\lv6KOUg.exe
2008-09-08 17:11 6,239 ----a-w c:\documents and settings\Owner\fw4uddu.exe
2008-09-06 19:01 6,239 ----a-w c:\documents and settings\Hoon\hXUVd2j.exe
2008-09-06 18:54 6,239 ----a-w c:\documents and settings\Hoon\n0fqUiÿ.exe
2008-09-05 00:19 6,239 ----a-w c:\documents and settings\Hoon\deJMv7J.exe
2008-09-02 01:51 6,239 ----a-w c:\documents and settings\Hoon\Nmhk803.exe
2008-09-01 21:00 6,239 ----a-w c:\documents and settings\Owner\PPjQOLÿ.exe
2007-03-14 21:22 48,768 ----a-w c:\documents and settings\jim\Application Data\GDIPFONTCACHEV1.DAT
2007-03-12 14:25 48,768 ----a-w c:\documents and settings\Jim & Brenda\Application Data\GDIPFONTCACHEV1.DAT
2007-06-01 03:40 61,038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-06-01 03:40 49,256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-01 03:40 166,000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{474597C5-AB09-49d6-A4D5-2E8D7341384E}]
2008-09-02 09:04 398768 --a------ c:\program files\iMesh Applications\iMesh MediaBar\iMeshIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70FEAD04-A7FD-4B89-B814-8A8251C90EF7}]
2009-02-22 10:07 113664 --a------ c:\documents and settings\All Users.WINDOWS\Application Data\AV1\QWProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-09 136600]
"Monitor calibration"="c:\documents and settings\All Users.WINDOWS\Application Data\AV1\AV1i.exe" [2009-02-22 151040]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-01-29 139776]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 24633]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=

R3 BELKIN;Belkin Wireless G USB Network Adapter; [x]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - PCIIDE
*NewlyCreated* - RASMAN
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - Belkin Wireless USB Network Adapter Service
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - COMSysApp
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - ImapiService
*Deregistered* - iPod Service
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - MSDTC
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-09 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1220313829.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2007-02-16 21:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.imesh.com/
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 23:13:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-22 23:19:39
ComboFix-quarantined-files.txt 2009-02-23 04:19:32

Pre-Run: 57,222,971,392 bytes free
Post-Run: 59,003,944,960 bytes free

218 --- E O F --- 2009-02-17 04:15:43

Here's the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:32 PM, on 2/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\AV1.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.imesh.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: UrlHelper Class - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshIEHelper.dll
O2 - BHO: QWProtectBHO - {70FEAD04-A7FD-4B89-B814-8A8251C90EF7} - C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\QWProtect.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Monitor calibration] C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\AV1i.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio2/downloads/msxml4.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7673 bytes

As for what else I did with the computer, I completely reinstalled Windows and that stupid Anti-virus-1 was still present, and it was still claiming I had 41 infections on my computer, even though I also ran a complete Malwarebytes scan and it found 0 infections.
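As an added example (not from the thread or any of the tools mentioned in it), the following script parses the two HijackThis patterns that stand out in the log above: `O1 - Hosts:` entries that send many different hostnames to one remote IP, and `O2`/`O4`/`O23` autostart entries whose binary lives under an `Application Data` folder rather than Program Files or the Windows directory. The sample lines are copied from the log; the folder heuristic and the 3-hostname threshold are my assumptions.

```python
import re
from collections import defaultdict

# Constructed input: a handful of lines copied from the HijackThis log quoted
# in this thread, plus ordinary entries so the filter has something to pass.
SAMPLE_LOG = r"""
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O2 - BHO: QWProtectBHO - {70FEAD04-A7FD-4B89-B814-8A8251C90EF7} - C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\QWProtect.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [Monitor calibration] C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\AV1i.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# First Windows path ending in .exe/.dll on an autostart line (quotes excluded).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll))', re.IGNORECASE)
AUTOSTART_PREFIXES = ("O2 - BHO:", "O3 - Toolbar:", "O4 - ", "O23 - Service:")
LOOPBACK = {"127.0.0.1", "0.0.0.0"}


def is_data_dir_autostart(path):
    """Heuristic (assumption): autostart code under a profile or data folder
    instead of Program Files / %WINDIR% is a common rogue-AV tell (the AV1 folder)."""
    low = path.lower()
    return "\\application data\\" in low or "\\local settings\\" in low


def analyze(log_text, min_hosts=3):
    """Return hosts-file redirections to a single remote IP and autostart
    entries whose binary lives in a data directory."""
    hosts_by_ip = defaultdict(list)
    data_dir_autostarts = []
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # Legitimate ad-blocking hosts files point at loopback; a rogue AV
            # points review/security sites at a server it controls instead.
            if ip not in LOOPBACK:
                hosts_by_ip[ip].append(host)
        elif line.startswith(AUTOSTART_PREFIXES):
            pm = PATH_RE.search(line)
            if pm and is_data_dir_autostart(pm.group(1)):
                data_dir_autostarts.append(pm.group(1))
    sinkholes = {ip: h for ip, h in hosts_by_ip.items() if len(h) >= min_hosts}
    return {"hosts_redirects": sinkholes, "data_dir_autostarts": data_dir_autostarts}
```

Run against the full log, it reports the whole block of review sites mapped to 217.20.175.74 and the two AV1 entries; the same hosts entries explain why the user could not reach reviews of the "product" in a browser.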

grampi

Member
There are many aspects of this issue I don't understand, but the one that's most puzzling is that Anti-virus-1 keeps popping up messages that say I have 41 infections on my computer when the Malwarebytes scans turned up nothing. I find it very difficult, if not impossible, to believe that if I actually have 41 infections on my computer Malwarebytes wouldn't detect them. This is why I think this Anti-virus-1 thing that's on my computer is some kind of spyware or malware disguised as a Windows security program so it isn't being detected as an infection, and it's just trying to get me to subscribe to an expensive security service I don't want or need, and it's just going to keep pestering the chit out of me until I cave in and purchase it. Well, I'm not going to, but I definitely need to figure out how to get this thing off of my computer. Reinstalling Windows had no effect on it whatsoever. What can I do to get rid of this annoying thing?

ceewi1

VIP Member
You are running an older version of Malwarebytes. Update it to the latest version by clicking on the Update tab and then clicking Check for Updates. Once done, run it again - with the latest updates it should be capable of removing this infection. If not, I'll go through your ComboFix and give you manual removal instructions.

You mention that you've reinstalled Windows, have you done this since you posted the ComboFix log? If so, please post a new one.

grampi

Member
My job keeps me away from home during the week and I only go home every other weekend, so I won't have access to the computer again until next weekend.

I downloaded Spyware Doctor, ran the entire scan (it found 8 threats and 74 infections) and when I selected to remove the items, the program went into this payment thing where it wouldn't remove the infected items unless I paid.

I'm very curious as to why Malwarebytes (even the older version) didn't pick up any of these infections.

I will update Malwarebytes next weekend when I'm home and run another scan.