# How do I delete anit-virus-1 from my computer?



## grampi (Feb 22, 2009)

*Someone please help!!!!!!!!!!!*

Somehow the initial part of the Anti-virus-1 software got onto my computer, now it constantly keeps messing with my computer's operation with popups and the "blue screen of death" trying to get me to pay for the software. I tried looking it up in "Add or Remove Programs" in my control panel, but it doesn't show up in there. It did show up when I did a search for files and programs and I selected to delete them, but it still keeps coming up. It's telling me I have spyware program Win32.Monster.fx on my computer that's trying to attack my computer. I ran my Malwarebytes scan and deleted all the infections it found, so wouldn't it have found this spyware and deleted it? If so, is the anti-virus-1 program just generating these messages to get me to buy their product? How do I get rid of it?


----------



## grampi (Feb 22, 2009)

Please someone help me with this, this thing is driving me nuts!!!!!!


----------



## Respital (Feb 22, 2009)

Get Malwarebytes and hijackthis from this thread, follow the instructions.


----------



## grampi (Feb 22, 2009)

Here's the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:41 PM, on 2/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\AV1.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.imesh.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: UrlHelper Class - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshIEHelper.dll
O2 - BHO: QWProtectBHO - {70FEAD04-A7FD-4B89-B814-8A8251C90EF7} - C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\QWProtect.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Monitor calibration] C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\AV1i.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio2/downloads/msxml4.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7619 bytes

I'm running the Malwarebytes scan again right now to get it's log. I'll post that when it's done.


----------



## grampi (Feb 22, 2009)

Here's the Malwarebytes log:

Malwarebytes' Anti-Malware 1.31
Database version: 1551
Windows 5.1.2600 Service Pack 2

2/22/2009 12:59:14 PM
mbam-log-2009-02-22 (12-59-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 195702
Time elapsed: 2 hour(s), 24 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshMediaBar.dll (Adware.SoftMate) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\imeshmediabar.stockbar (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{6c380604-92b2-4633-becb-bde03fa45980} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4481c34a-10df-4c96-92a6-0ef31b6b95d6} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f9c23cd1-6da9-4e0b-8367-c6f9f1f78baf} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\imeshmediabar.stockbar.1 (Adware.SoftMate) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.SoftMate) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshMediaBar.dll (Adware.SoftMate) -> Quarantined and deleted successfully.


----------



## grampi (Feb 22, 2009)

My computer keeps showing these popup messages and they come up in a window from the computer's security center. It has the four colored shield in the corner (just like the security icon located in the control panel). It keeps saying my computer has 41 infections and that I need to complete my registration (meaning they want me to buy their software) before their system can remove the infectionss. The reason I question this is because I ran the Malwarebytes scan and it removed the infections it found, so why would there still be infections on my computer AFTER I ran this scan? Popup windows are constantly coming up from the little icons down on the bottom of my screen, and I'm constantly getting the narrow band of info that's located just underneath the box that runs across the top of my screen that contains the address bar and all the little icons (sorry, I don't know what that area is called). That message reads; "Internet Explorer has found an unregistered version of Anti-virus-1. To protect your computer, please register your Anti-virus-1." This message begins with a red shield with and "X" in it. I don't know how this Anti-virus-1 thing got on my computer, but now it won't leave me alone. It's constantly, AND I MEAN CONSTANTLY popping up windows while I'm on the computer. I have to keep closing the windows and sometimes this results in the "blue screen of death." WILL SOMEONE PLEASE HELP ME FIGURE OUT HOW TO GET RID OF THIS PROBLEM?????????


----------



## spearlymatt (Feb 22, 2009)

I feel bad for you man, I'm not entirely sure what your talking about, but I'm guessing it's a fake virus scan thing.


I had the same thing happen to a good laptop of mine.

Had to wipe everything and reinstall windows.


----------



## mcutra (Feb 22, 2009)

*re*

MAN  u should save ur data fast and FORMAT youre drive before that virus makes a big mess ok ......... Trust me i've had a lot of them........


----------



## grampi (Feb 22, 2009)

spearlymatt said:


> I feel bad for you man, I'm not entirely sure what your talking about, but I'm guessing it's a fake virus scan thing.
> 
> 
> I had the same thing happen to a good laptop of mine.
> ...



Yeah, I was hoping to be able to avoid that, but it ain't looking good.


----------



## grampi (Feb 22, 2009)

mcutra said:


> MAN  u should save ur data fast and FORMAT youre drive before that virus makes a big mess ok ......... Trust me i've had a lot of them........



I don't have anything on my computer that needs saving. Worst comes to worst I'll just reinstall Windows.


----------



## mcutra (Feb 22, 2009)

*Re*

And do it fast ...before its damages something like ur HDD (i've heard they could be very dangerous)


----------



## Respital (Feb 23, 2009)

Hello:

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply i will need:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## grampi (Feb 23, 2009)

I couldn't get combofix to finish downloading. I keep getting an error message that says "You cannot rename combofix as combofix(1). I click "OK" and nothing else happens. It gives me no other options. I tried downloading it several times to no avail.


----------



## Respital (Feb 23, 2009)

grampi said:


> I couldn't get combofix to finish downloading. I keep getting an error message that says "You cannot rename combofix as combofix(1). I click "OK" and nothing else happens. It gives me no other options. I tried downloading it several times to no avail.



Try saving it to a different location.


----------



## grampi (Feb 23, 2009)

Okay, I was able to get combofix to work. Here's it's log:

ComboFix 09-02-21.01 - Owner 2009-02-22 22:59:28.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.254.57 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2009-01-23 to 2009-02-23  )))))))))))))))))))))))))))))))
.

2009-02-22 21:30 . 2004-08-20 15:50	159,744	--a------	c:\windows\system32\igfxres.dll
2009-02-22 21:29 . 2009-02-22 21:29	13,646	--a------	c:\windows\system32\wpa.bak
2009-02-22 21:23 . 2004-08-04 05:00	1,875,968	--a--c---	c:\windows\system32\dllcache\msir3jp.lex
2009-02-22 21:22 . 2004-08-04 05:00	13,463,552	--a--c---	c:\windows\system32\dllcache\hwxjpn.dll
2009-02-22 21:21 . 2004-08-04 05:00	1,677,824	--a--c---	c:\windows\system32\dllcache\chsbrkr.dll
2009-02-22 21:20 . 2009-02-22 21:20	<DIR>	d--------	c:\windows\LastGood.Tmp
2009-02-22 21:18 . 2009-02-22 21:18	749	-rah-----	c:\windows\WindowsShell.Manifest
2009-02-22 21:18 . 2009-02-22 21:18	749	-rah-----	c:\windows\system32\wuaucpl.cpl.manifest
2009-02-22 21:18 . 2009-02-22 21:18	749	-rah-----	c:\windows\system32\sapi.cpl.manifest
2009-02-22 21:18 . 2009-02-22 21:18	749	-rah-----	c:\windows\system32\ncpa.cpl.manifest
2009-02-22 21:18 . 2009-02-22 21:18	488	-rah-----	c:\windows\system32\logonui.exe.manifest
2009-02-22 17:37 . 2009-02-22 17:37	<DIR>	d--------	c:\program files\Trend Micro
2009-02-22 10:07 . 2009-02-22 10:07	<DIR>	d--------	c:\documents and settings\All Users.WINDOWS\Application Data\AV1
2009-02-20 23:16 . 2009-02-20 23:16	<DIR>	d--------	c:\documents and settings\All Users.WINDOWS\Application Data\338A
2009-02-16 11:45 . 2009-02-16 11:45	<DIR>	d--------	c:\documents and settings\All Users.WINDOWS\Application Data\1EA
2009-02-16 09:13 . 2009-02-16 09:13	<DIR>	d--------	c:\documents and settings\All Users.WINDOWS\Application Data\19FA
2009-02-15 23:48 . 2009-02-15 23:48	<DIR>	d--------	c:\documents and settings\All Users.WINDOWS\Application Data\F38A
2009-02-15 22:18 . 2009-02-15 22:18	<DIR>	d--------	c:\documents and settings\All Users.WINDOWS\Application Data\33DA
2009-02-15 22:12 . 2009-02-15 22:12	<DIR>	d--------	c:\program files\Windows Media Connect 2
2009-02-15 22:12 . 2004-08-04 05:00	221,184	--a------	c:\windows\system32\wmpns.dll
2009-02-15 22:08 . 2009-02-15 22:10	<DIR>	d--------	c:\windows\system32\drivers\UMDF
2009-02-15 22:08 . 2009-02-16 23:15	1,374	--a------	c:\windows\imsins.BAK
2009-02-15 22:01 . 2009-02-15 22:01	<DIR>	d--------	c:\documents and settings\All Users.WINDOWS\Application Data\B4E
2009-02-15 21:59 . 2009-02-15 22:00	<DIR>	d--------	c:\program files\iMesh Applications
2009-02-15 21:59 . 2008-09-25 08:20	483,328	--a------	c:\windows\system32\actskn45.ocx
2009-02-15 21:39 . 2009-02-22 13:01	36,357	--a------	c:\windows\setupapi.old
2009-02-15 21:30 . 2009-02-15 21:30	<DIR>	d--------	c:\documents and settings\Owner\WINDOWS
2009-02-15 21:30 . 1997-01-22 15:23	299,520	--a------	c:\windows\uninst.exe
2009-02-12 10:34 . 2009-02-22 23:15	<DIR>	d--------	c:\documents and settings\Owner\Application Data\LimeWire
2009-02-09 16:35 . 2009-02-09 16:35	410,984	--a------	c:\windows\system32\deploytk.dll
2009-02-09 16:35 . 2009-02-09 16:35	73,728	--a------	c:\windows\system32\javacpl.cpl
2009-01-25 21:53 . 2009-01-25 21:53	<DIR>	d--------	c:\program files\Common Files\Adobe AIR
2009-01-23 22:39 . 2009-01-23 22:39	<DIR>	d--------	c:\program files\Belkin
2009-01-23 22:39 . 2003-10-13 15:30	94,208	--a------	c:\windows\system32\GTW32N50.dll
2009-01-23 22:39 . 2004-04-30 15:12	40,960	--a------	c:\windows\system32\B11gUSB.dll
2009-01-23 22:39 . 2003-09-25 23:28	31,930	--a------	c:\windows\system32\GTNDIS3.VXD
2009-01-23 22:39 . 2003-09-25 22:15	15,872	--a------	c:\windows\system32\GTNDIS5.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 21:36	---------	d-----w	c:\program files\LimeWire
2009-02-09 21:35	---------	d-----w	c:\program files\Java
2009-02-07 15:50	---------	d-----w	c:\program files\Defraggler
2009-01-26 02:52	---------	d-----w	c:\program files\Common Files\Adobe
2009-01-25 14:34	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-12-27 14:27	---------	d-----w	c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-12-27 13:42	---------	d-----w	c:\program files\CCleaner
2008-12-27 13:42	---------	d-----w	c:\documents and settings\Owner\Application Data\Yahoo!
2008-12-26 19:58	---------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2008-12-26 19:58	---------	d-----w	c:\documents and settings\Owner\Application Data\Malwarebytes
2008-12-26 19:58	---------	d-----w	c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-17 00:49	6,239	----a-w	c:\documents and settings\Owner\bQE1kvp.exe
2008-12-16 20:13	6,239	----a-w	c:\documents and settings\Hoon\C31efp3.exe
2008-12-05 20:14	6,239	----a-w	c:\documents and settings\Owner\ksdKHsÿ.exe
2008-11-28 19:11	6,239	----a-w	c:\documents and settings\Owner\NndKT77.exe
2008-11-28 17:36	6,239	----a-w	c:\documents and settings\Owner\r23wn22.exe
2008-11-19 20:28	6,239	----a-w	c:\documents and settings\Owner\kp3w68N.exe
2008-11-06 22:57	6,239	----a-w	c:\documents and settings\Owner\jjjJI72.exe
2008-11-06 00:06	6,239	----a-w	c:\documents and settings\Owner\tjv6x6U.exe
2008-11-02 02:56	6,239	----a-w	c:\documents and settings\Owner\RxGlGf7.exe
2008-10-24 00:29	6,239	----a-w	c:\documents and settings\Owner\Gj508ÿO.exe
2008-10-14 12:32	6,239	----a-w	c:\documents and settings\Owner\uedtd3i.exe
2008-10-13 21:44	6,239	----a-w	c:\documents and settings\Owner\nf527Jm.exe
2008-10-13 14:14	6,239	----a-w	c:\documents and settings\Owner\fT1N43V.exe
2008-10-11 14:39	6,239	----a-w	c:\documents and settings\Owner\p4mIlpS.exe
2008-10-11 14:24	6,239	----a-w	c:\documents and settings\Owner\Jr4voQ3.exe
2008-10-04 17:43	6,239	----a-w	c:\documents and settings\Owner\F2k5IGA.exe
2008-10-03 01:51	6,239	----a-w	c:\documents and settings\Owner\NbcU468.exe
2008-09-22 00:40	6,239	----a-w	c:\documents and settings\Hoon\W5mF5xa.exe
2008-09-22 00:12	6,239	----a-w	c:\documents and settings\Owner\xGs0Ju1.exe
2008-09-09 20:51	6,239	----a-w	c:\documents and settings\Owner\lv6KOUg.exe
2008-09-08 17:11	6,239	----a-w	c:\documents and settings\Owner\fw4uddu.exe
2008-09-06 19:01	6,239	----a-w	c:\documents and settings\Hoon\hXUVd2j.exe
2008-09-06 18:54	6,239	----a-w	c:\documents and settings\Hoon\n0fqUiÿ.exe
2008-09-05 00:19	6,239	----a-w	c:\documents and settings\Hoon\deJMv7J.exe
2008-09-02 01:51	6,239	----a-w	c:\documents and settings\Hoon\Nmhk803.exe
2008-09-01 21:00	6,239	----a-w	c:\documents and settings\Owner\PPjQOLÿ.exe
2007-03-14 21:22	48,768	----a-w	c:\documents and settings\jim\Application Data\GDIPFONTCACHEV1.DAT
2007-03-12 14:25	48,768	----a-w	c:\documents and settings\Jim & Brenda\Application Data\GDIPFONTCACHEV1.DAT
2007-06-01 03:40	61,038	----a-w	c:\program files\mozilla firefox\components\jar50.dll
2007-06-01 03:40	49,256	----a-w	c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-01 03:40	166,000	----a-w	c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{474597C5-AB09-49d6-A4D5-2E8D7341384E}]
2008-09-02 09:04	398768	--a------	c:\program files\iMesh Applications\iMesh MediaBar\iMeshIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70FEAD04-A7FD-4B89-B814-8A8251C90EF7}]
2009-02-22 10:07	113664	--a------	c:\documents and settings\All Users.WINDOWS\Application Data\AV1\QWProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-09 136600]
"Monitor calibration"="c:\documents and settings\All Users.WINDOWS\Application Data\AV1\AV1i.exe" [2009-02-22 151040]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-01-29 139776]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 24633]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=

R3 BELKIN;Belkin Wireless G USB Network Adapter; [x]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - PCIIDE
*NewlyCreated* - RASMAN
*Deregistered* - ALG
*Deregistered* - Apple Mobile Device
*Deregistered* - AudioSrv
*Deregistered* - Belkin Wireless USB Network Adapter Service
*Deregistered* - Bonjour Service
*Deregistered* - Browser
*Deregistered* - COMSysApp
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - helpsvc
*Deregistered* - ImapiService
*Deregistered* - iPod Service
*Deregistered* - JavaQuickStarterService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - MDM
*Deregistered* - MSDTC
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Pml Driver HPZ12
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-09 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1220313829.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2007-02-16 21:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.imesh.com/
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 23:13:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-22 23:19:39
ComboFix-quarantined-files.txt  2009-02-23 04:19:32

Pre-Run: 57,222,971,392 bytes free
Post-Run: 59,003,944,960 bytes free

218	--- E O F ---	2009-02-17 04:15:43

Here's the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:32 PM, on 2/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\AV1.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.imesh.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: UrlHelper Class - {474597C5-AB09-49d6-A4D5-2E8D7341384E} - C:\Program Files\iMesh Applications\iMesh MediaBar\iMeshIEHelper.dll
O2 - BHO: QWProtectBHO - {70FEAD04-A7FD-4B89-B814-8A8251C90EF7} - C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\QWProtect.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Monitor calibration] C:\Documents and Settings\All Users.WINDOWS\Application Data\AV1\AV1i.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio2/downloads/msxml4.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7673 bytes

As for what else I did with the computer, I completely reinstalled Windows and that stupid Anti-virus-1 was still present, and it was still claiming I had 41 infections on my computer, even though I also ran a complete Malwarebytes scan and it found 0 infections.


----------



## grampi (Feb 23, 2009)

There are many aspects of this issue I don't understand, but the one that's most puzzling is that Anti-virus-1 keeps popping up messages that say I have 41 infections on my computer when the Malwarebytes scans turned up nothing. I find it very difficult, if not impossible to believe if I actually have 41infections on my computer that Malwarebytes wouldn't detect them. This is why I think this Anti-virus-1 thing that's on my computer is some kind of spyware or malware disguised as a windows security program so it isn't being detected as an infection and it's just trying to get me to subscribe to an expensive security service I don't want or need, and it's just going to keep pestering the chit out of me until I cave in and purchase it. Well, I'm not going to, but I definitely need to figure out how to get this thing off of my computer. Reinstalling windows had no affect on it whatsoever. What can I do to get rid of this annoying thing?


----------



## grampi (Feb 23, 2009)

Respital

Have you had a chance to review my log files yet? Thanks.


----------



## ignys (Feb 23, 2009)

*Anti-Virus-1*

i suggest you to download Spyware Doctor and read this article about Anti-Virus-1 removal: http://www.2-spyware.com/remove-anti-virus-1.html


----------



## ceewi1 (Feb 24, 2009)

You are running an older version of Malwarebytes.  Update it to the latest version by clicking on the Update tab and then clicking *Check for Updates*.  Once done, run it again - with the latest updates it should be capable of removing this infection.  If not, I'll go through your ComboFix and give you manual removal instructions.

You mention that you've reinstalled Windows, have you done this since you posted the ComboFix log?  If so, please post a new one.


----------



## grampi (Feb 24, 2009)

My job keeps me away from home during the week and I only go home every other weekend, so I won't have access to the computer again until next weekend. 

I downloaded Spyware Doctor, ran the entire scan (it found 8 threats and 74 infections) and when I selected to remove the items, the program went into this payment thing where it wouldn't remove the infected items unless I paid. 

I'm very curious as to why Malwarebytes (even the older version) didn't pick up any of these infections. 

I will update Malwarebytes next weekend when I'm home and run another scan.


----------



## ceewi1 (Feb 25, 2009)

grampi said:


> I'm very curious as to why Malwarebytes (even the older version) didn't pick up any of these infections.


The infections themselves are updated very frequently.  If Malwarebytes' doesn't have the updated version in its database, it will most likely be unable to detect it.


----------



## grampi (Mar 7, 2009)

I believe anti-virus-1 is preventing my computer from being able to allow Malwarebytes to download updates. When I select "Check for updates" it just sits there showing no progress whatsoever. Now what do I do?


----------



## johnb35 (Mar 7, 2009)

My only advice to you would be to take the hard drive out and slave it to another system and run a full virus scan on it using AVG or one of the other free ones.  I've had to in the past do this exact same procedure to kill things that won't allow combofix, malwarebytes, and superantispyware to run.  Once AVG had quarantined the bad infections, I then put the drive back in the original machine and was able to use the other programs to update and then scan the drive.


----------



## grampi (Mar 7, 2009)

I completely reformatted my hard drive and reinstalled the operating system. That finally got rid of anti-virus-1. FWIW, Malwarebytes will not detect this virus. Anti-virus-1 was not allowing my computer to download an update of Malwarebytes, so I downloaded the updated version on my daughter's computer, burned it into a CD, then ran the scan on this computer from the CD. Once again it ran through the entire scan without finding a single infection. anti-vitus-1 must be invisable to Malwarebytes. If you're unfortunate enough to end up with this awful virus on your computer, don't waste your time trying to get rid of it with Malwarebytes cause it won't do the trick. You'll have to use other methods to get rid of it.


----------



## johnb35 (Mar 7, 2009)

One scanner will not catch everything, thats why you use multiple scanners which include Malwarebytes, Superantispyware, Combofix, an antivirus program, an online scanner, etc...  The 3 that usually work for me is AVG, Malwarebytes, and Combofix.

BUT, according to this page, Malwarebytes does remove this infection.

I noticed in your hijackthis log, that you had some host files that were infected. 

O1 - Hosts: 217.20.175.74 www.review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 review.2009softwarereviews.com
O1 - Hosts: 217.20.175.74 a1.review.zdnet.com
O1 - Hosts: 217.20.175.74 www.d1.reviews.cnet.com
O1 - Hosts: 217.20.175.74 www.reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 reviews.toptenreviews.com
O1 - Hosts: 217.20.175.74 www.reviews.download.com
O1 - Hosts: 217.20.175.74 reviews.download.com
O1 - Hosts: 217.20.175.74 www.reviews.pcadvisor.c.uk
O1 - Hosts: 217.20.175.74 reviews.pcadvisor.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.pcmag.com
O1 - Hosts: 217.20.175.74 reviews.pcmag.com
O1 - Hosts: 217.20.175.74 www.reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 reviews.pcpro.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.reevoo.com
O1 - Hosts: 217.20.175.74 reviews.reevoo.com
O1 - Hosts: 217.20.175.74 www.reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 reviews.riverstreams.co.uk
O1 - Hosts: 217.20.175.74 www.reviews.techradar.com
O1 - Hosts: 217.20.175.74 reviews.techradar.com




Also your combofix log showed a lot of infections still present especially here....

2008-12-17 00:49 6,239 ----a-w c:\documents and settings\Owner\bQE1kvp.exe
2008-12-16 20:13 6,239 ----a-w c:\documents and settings\Hoon\C31efp3.exe
2008-12-05 20:14 6,239 ----a-w c:\documents and settings\Owner\ksdKHsÿ.exe
2008-11-28 19:11 6,239 ----a-w c:\documents and settings\Owner\NndKT77.exe
2008-11-28 17:36 6,239 ----a-w c:\documents and settings\Owner\r23wn22.exe
2008-11-19 20:28 6,239 ----a-w c:\documents and settings\Owner\kp3w68N.exe
2008-11-06 22:57 6,239 ----a-w c:\documents and settings\Owner\jjjJI72.exe
2008-11-06 00:06 6,239 ----a-w c:\documents and settings\Owner\tjv6x6U.exe
2008-11-02 02:56 6,239 ----a-w c:\documents and settings\Owner\RxGlGf7.exe
2008-10-24 00:29 6,239 ----a-w c:\documents and settings\Owner\Gj508ÿO.exe
2008-10-14 12:32 6,239 ----a-w c:\documents and settings\Owner\uedtd3i.exe
2008-10-13 21:44 6,239 ----a-w c:\documents and settings\Owner\nf527Jm.exe
2008-10-13 14:14 6,239 ----a-w c:\documents and settings\Owner\fT1N43V.exe
2008-10-11 14:39 6,239 ----a-w c:\documents and settings\Owner\p4mIlpS.exe
2008-10-11 14:24 6,239 ----a-w c:\documents and settings\Owner\Jr4voQ3.exe
2008-10-04 17:43 6,239 ----a-w c:\documents and settings\Owner\F2k5IGA.exe
2008-10-03 01:51 6,239 ----a-w c:\documents and settings\Owner\NbcU468.exe
2008-09-22 00:40 6,239 ----a-w c:\documents and settings\Hoon\W5mF5xa.exe
2008-09-22 00:12 6,239 ----a-w c:\documents and settings\Owner\xGs0Ju1.exe
2008-09-09 20:51 6,239 ----a-w c:\documents and settings\Owner\lv6KOUg.exe
2008-09-08 17:11 6,239 ----a-w c:\documents and settings\Owner\fw4uddu.exe
2008-09-06 19:01 6,239 ----a-w c:\documents and settings\Hoon\hXUVd2j.exe
2008-09-06 18:54 6,239 ----a-w c:\documents and settings\Hoon\n0fqUiÿ.exe
2008-09-05 00:19 6,239 ----a-w c:\documents and settings\Hoon\deJMv7J.exe
2008-09-02 01:51 6,239 ----a-w c:\documents and settings\Hoon\Nmhk803.exe
2008-09-01 21:00 6,239 ----a-w c:\documents and settings\Owner\PPjQOLÿ.exe


----------



## olzenkhaw (Mar 8, 2009)

Download the Anti-virus-1 removal tool at Softpedia:
http://www.softpedia.com/get/Antivirus/Remove-Anti-Virus-1.shtml or refer the removal guide at http://freeofvirus.blogspot.com/2009/03/anti-virus-1-removal-tool.html


----------

