clean or no???

Discussion in 'Malware Help (A Specialist Will Reply)' started by GRWDAD, May 3, 2008.

  1. GRWDAD

    GRWDAD Private First Class

    So my free AVG was locking up on the same file every scan, c:\system volume information\*.*. Googled it and it came up with a generic trojan something. Anyway ran scan, SuperAntiSpyware would not finish. It kept repeat scanning the c:\windows directories?? So I'm attaching the other logs. Thanks for any help.
     


  2. abri

    abri MajorGeek

    Hi GRWDAD,
    Welcome to the Malware Forum!


    Do you know when you first noticed this starting? Did it start happening after Activision Value came onto your computer on the 29th of April? Or DVDFab ? Or did it start before that?

    Have you tried going back to an earlier restore point? If not, please try to set it back to just before you noticed this with AVG freezing. If you've never done this before, Go to Start / All Programs / Accessories / System Tools / System Restore
    check the box to Restore my computer to an earlier time and click on Next. You'll see a calendar with highlighted dates. Choose one of the dates just preceding these problems and allow your system to return to that date. See if the problem goes away.

    Setting your computer back to an earlier date may remove the malware entry found by MalwareBytes, or alternatively, it may reactivate it. After you finish the above, if you decide to stay at the restore point rather than undoing the change, then you should reinstall Malware Bytes and allow it to run again.

    Let me know how this goes?

    abri
     
  3. GRWDAD

    GRWDAD Private First Class

    Well, see I crashed my machine a few weeks ago. I had to restore from an image, the image was from 2006! So I had to do all these updates and stuff including AVG. I still cannot get Adaware 2007 to install and am having trouble reinstalling Visio. Since I got this machine from DELL I have had registry issues. So anyway, I did a lot of updating in a short amount of time and my restores probably will not apply since they were so old anyway. Just wondering if anything showed up in the scans. AVG did pop up and saw there was a virus and let me move it to the vault. I haven't scanned since but will soon. Thanks for the help.
     
  4. abri

    abri MajorGeek

    Hi GRWDAD,

    Sorry, I got distracted! Please do the following:

    1) Go to add/remove programs and uninstall the below:

    - Viewpoint Media Player

    2) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After you click fix, just close hijackthis.

    4) Now run CCleaner at the default setting with the Windows tab as the top one.

    5) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

    Let me know how things are running now?

    abri
     
  5. GRWDAD

    GRWDAD Private First Class

    Things seem to be running fine, but AVG still locks up on that one file. The "threat" popped up and I selected to move it to the vault. I was concerned why I couldn't get rid of that file. And what about Super Antispyware continuously scanning that loop?? Anyway, here is the log and thanks so much for the help.
     


  6. abri

    abri MajorGeek

    Hi GRWDAD,

    The file you mentioned in your first post that had been found by AVG and that you looked up in Google was c:\system volume information\*.*
    How did you look up this file *.* ?


    I checked your logs and none of the things I asked you to have HijackThis fix were fixed and the Windows Messenger wasn't removed. Usually when this happens, it's either because the instructions were not done in the order given and the log was produced before the removal instructions were run, or because there was a block from a piece of security software. If you did the instructions in the order I gave them to you, then I would like for you to go back and run the same instructions again, only this time, print them out and then physically disconnect your computer from the internet. Disable ALL your security software including any antispyware, antivirus and firewall you have running. Most can be disabled by right-clicking on the icon in the taskbar and looking for the option to disable them. For a few, you have to open the program and look for the disable setting.

    Then starting with Step 2 do all the instructions again except for Step 1 which did get done.

    After you've completed the instructions, be sure to RE-ENABLE all your security software BEFORE you reconnect to the internet.

    Attach the logs here and let me know how this went!

    Thanks.
    abri
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It only appears this way because the HijackThis log is not a new log. See the date of the HijackThis log in the ZIP file. It is not the same as the other logs. This is still the old HijackThis log which means that the GetLogs.bat file did not run all the way thru. GetLogs.bat needs to be run again and you have to make sure that it is allowed to run all the way thru to the end.
     
  8. GRWDAD

    GRWDAD Private First Class

    I searched Google for C:\system volume information\*.* and the information I read mentioned it being a virus. Plus AVG would stop scanning at this file every time.


    Sorry for the mix up with the file I sent. I did all you asked and GetLogs.bat seemed to run all the way through. I'll try it again. I did select the things you said in HijackThis and removed them.
     
  9. GRWDAD

    GRWDAD Private First Class

    Turned off ZoneAlarm and AVG. I don't know if anything else is running. I see no others in the right side taskbar.

    Clicked the uninstall box in the messenger removal stuff, hit enter, it said successfully removed.

    Ran HijackThis as you requested and the only entry I saw from before was the O9 extra button one. Selected it, clicked fix, and closed.

    Ran CCleaner.

    Deleted C:\MGlogs.zip, ran GetLogs.bat. It appeared to run fine. Now I am posting the file MGlogs.zip, which is the only one I have.

    Was wondering, in the HijackThis, can I remove the Yahoo stuff and any other leftover things I see there?? Thanks Again.
     


  10. abri

    abri MajorGeek

    Hi GRWDAD,

    Please do the following:

    1) To remove the Yahoo! toolbar, please see this article:

    How to Uninstall or Turn Off the Yahoo! Companion Toolbar

    2) Reboot before continuing.

    3) Now run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    Did you set the following? If not, please fix it as well.

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


    Optionally, you can consider fixing the following. The O4 items are startup items and you can look through those to see if the following or any others do not need to load at startup. The Yahoo! entries should not show up if you uninstalled it. If they are there and you completed the above removal, you can fix them.


    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"


    After you click fix, just close hijackthis.


    4) After you complete the above, I would like to ask you to make a folder in C:\Program Files called HijackThis and move your analyse.exe program from the MGTools folder to the HijackThis folder. Additionally, go to the MGTools folder and open the folder called backups. Inside pull across the most recent backups file to the HijackThis folder you just created under C:\Program Files. HijackThis keeps a backup of items you restored, so if you find you want something of the above back, you can still find it this way.

    5) Finally, after you've finished with the above, I would like for you to run an online scan from BitDefender that will look only at your System Volume Information folder which is where your restore points are stored. I would like to see if this scan also hangs up on the same set of files as your AVG. The BitDefender online scan has to be run with Internet Explorer and ActiveX has to be enabled. After you click on I agree and the ActiveX update has been installed, you will come to a screen with the button Start Scan. Do not click on this until you go to the box just above this button where you'll see two small bold red links. The upper link will allow you to select which part of your computer is to be scanned. See if you can set it to scan only the System Volume Information folder. The link to the instructions for running the scan and producing a log which is usable for us afterwards can be found here: Running BitDefender Online Scan

    6) Now run CCleaner at the default setting with the Windows tab as the top one.


    Let me know how this goes?


    abri
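As an added example that is not part of this thread and not HijackThis's own code, a small Python triage of the HijackThis lines quoted in posts 4 and 10 above: it parses the section code (`R1`, `O2`, `O4`, `O6`, `O9`) and any CLSID from each line and flags the kinds of entries abri asked to have fixed, such as `(no file)` orphans and IE search settings pointing at a third-party host. The sample lines are copied from this thread; the flagging rules are my own heuristics, not HijackThis's.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the HijackThis lines quoted in this thread (posts 4 and 10).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
"""

# Every HijackThis line starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_line(line):
    """Split one log line into section code, body and any CLSID; None if not a HJT line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    clsid = CLSID_RE.search(m.group("body"))
    return {"code": m.group("code"), "body": m.group("body"), "clsid": clsid.group(0) if clsid else None}

def triage(entry):
    """Heuristic reasons (my own, not HijackThis's) why an entry deserves a look."""
    code, body = entry["code"], entry["body"]
    reasons = []
    if body.endswith("(no file)"):
        reasons.append("orphaned: registry points at a file that no longer exists")
    if code == "R1" and "=" in body:
        host = urlparse(body.split("=", 1)[1].strip()).hostname
        reasons.append(f"IE search setting redirected to {host}")
    if code == "O6":
        reasons.append("IE Restrictions policy set: confirm an admin did this")
    if code == "O4":
        reasons.append("autostart entry: confirm it is wanted")
    return reasons

def triage_log(text):
    """Return [(code, clsid, reasons)] for every parseable line, in log order."""
    out = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            out.append((e["code"], e["clsid"], triage(e)))
    return out
```

Entries that come back with an empty reason list (like the Yahoo! BHO with a real file path) are the "optional" items in abri's post: present and loading, but not orphaned or redirecting anything.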
     
  11. GRWDAD

    GRWDAD Private First Class

    Went through it the first time, while I was cooking supper. I was checking on it and the last I remember it was about 80% complete. The next time I came over, it was gone, no dialog box or anything. My children said they did nothing to it??? So I started it again, it looked different this time, the window, just the way it looked when it started. Anyway, it completed after about 1.5 hours and found nothing. Oh, one thing I remember from the first one was it had the older MGtools/backup files tagged as an infection. And said repair failed, file deleted. Anyway, what do you think? Thanks for the help again!
     
  12. abri

    abri MajorGeek

    Hi GRWDAD,

    I wanted to see if BitDefender picked up any infected restore points, which it didn't. Now I would like for you to go through the final cleanup instructions in the box below, which includes clearing all your previous restore points and setting a new one. After you do that, I would like for you to run the AVG scan again and see if you're still running into the same problem with the AVG scan.
    abri
     
