need help wnpc antivirus


need help wnpc antivirus

Post by shannonmac8 on Mon Jun 01, 2009 6:00 am

My mom's computer has got wnpc antivirus on it, which is a virus that I can't get off. This virus won't let me download any antivirus because (HTTP: Successfully connected to [You must be registered and logged in to see this link.]
warn FTP (Passive): Error 12029 connecting to [You must be registered and logged in to see this link.] A connection with the server could not be established
info HTTPS: Successfully connected to [You must be registered and logged in to see this link.]
error Could not make an FTP connection) somehow it has taken over the internet where the antivirus site can't connect to the server. I can get online but every few minutes it takes me to a site that says insecure internet activity threat of virus. There are two links which you can choose one to get full protection (which takes you to buy wnpc antivirus) or continue to website unprotected. Please help, I have deleted the wnpc.exe but I need to get rid of the rest of the virus. Thank you!!

shannonmac8
Intermediate
Posts : 76
Joined : 2009-06-01
OS : xp
Points : 28392
Likes : 0


Re: need help wnpc antivirus

Post by Belahzur on Mon Jun 01, 2009 2:14 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
Likes : 1


Re: need help wnpc antivirus

Post by shannonmac8 on Mon Jun 01, 2009 4:49 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:27 PM, on 6/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: (no name) - {03FA024D-93E0-40B0-A695-58FC7EF4CA21} - C:\WINDOWS\system32\loyfsgde.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
O2 - BHO: (no name) - {3BAA766C-D267-4AEA-B75D-87857A73B74B} - c:\windows\system32\mejxbkg.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O3 - Toolbar: Defender Pro Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1238302172\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: cqbzpxkq - C:\WINDOWS\SYSTEM32\mejxbkg.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. [You must be registered and logged in to see this link.] - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\eMachines Games\eMachines Game Console\GameConsoleService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 9727 bytes


Re: need help wnpc antivirus

Post by Belahzur on Mon Jun 01, 2009 4:58 pm

Hello.
Before dealing with the malware, we need to remove a few other things first.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.





Re: need help wnpc antivirus

Post by shannonmac8 on Mon Jun 01, 2009 6:26 pm

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Abexo Free Registry Cleaner
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Agere Systems PCI-SV92EX Soft Modem
AOL Uninstaller (Choose which Products to Remove)
AppCore
Backup
ccCommon
Compatibility Pack for the 2007 Office system
CyberLink DVD Suite
CyberLink DVD Suite
CyberLink Power2Go
CyberLink Power2Go
CyberLink PowerDVD
Defender Pro 5-in-1
eMachines Games
GearDrvs
GearDrvs
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Java(TM) 6 Update 13
Java(TM) 6 Update 5
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Norton 360
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
NTI Backup Now 5
NTI Media Maker 8
NVIDIA Drivers
Realtek High Definition Audio Driver
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SPBBC 32bit
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
Update for 2007 Microsoft Office System (KB967642)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Windows Internet Explorer 7


Re: need help wnpc antivirus

Post by Belahzur on Mon Jun 01, 2009 7:09 pm

Hello.

You are running two antivirus programs. I see from the uninstall list you have Norton/Symantec installed, along with BitDefender. This is a bad idea as they can conflict and cause more problems. I would recommend that you remove Norton/Symantec to avoid conflict and other future problems.

Completely Uninstall Norton software using:

Instructions

  1. Please download and save SymNRT.exe to your desktop.
  2. Close all programs and double click on the tool.
  3. Follow the on-screen instructions.
  4. Restart the computer if asked.
  5. Then delete the SymNRT.exe tool from your desktop.
  6. Open the Program Files folder on your local disk ( normally C: )
  7. Find and delete the following folders (if present):
     • Norton AntiVirus
     • Norton Internet Security
     • Norton SystemWorks
     • Norton Personal Firewall

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

    Adobe Reader 8.1.2
    Java(TM) 6 Update 13
    Java(TM) 6 Update 5
    Norton 360
    Norton 360
    Norton 360 (Symantec Corporation)
    Norton 360 HTMLHelp
    Norton Confidential Core
    Symantec Real Time Storage Protection Component
    Symantec Technical Support Controls
    Viewpoint Media Player

Next,

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {03FA024D-93E0-40B0-A695-58FC7EF4CA21} - C:\WINDOWS\system32\loyfsgde.dll
    O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
    O2 - BHO: (no name) - {3BAA766C-D267-4AEA-B75D-87857A73B74B} - c:\windows\system32\mejxbkg.dll
    O20 - Winlogon Notify: cqbzpxkq - C:\WINDOWS\SYSTEM32\mejxbkg.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.




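Added example, not part of this thread and not code from HijackThis or Trend Micro: a small Python reader for HijackThis logs that applies the same judgement used above when the four lines to fix were picked out. It looks at O2/O3/O20 entries for a BHO registered with "(no name)", a DLL whose base name is a random-looking run of lowercase letters, a Winlogon Notify subkey with such a name, and a DLL sitting directly in C:\WINDOWS rather than in a product folder. The sample lines are copied from the log posted earlier in the thread (it is not the full log); the random-name heuristic with its 30% vowel threshold, and the function names `parse`, `assess` and `suspicious_lines`, are my own assumptions.

```python
import ntpath
import re

# Constructed sample: HijackThis entries in the same format as the log posted
# above (paths and CLSIDs copied from that log; this is not the full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {03FA024D-93E0-40B0-A695-58FC7EF4CA21} - C:\WINDOWS\system32\loyfsgde.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll
O2 - BHO: (no name) - {3BAA766C-D267-4AEA-B75D-87857A73B74B} - c:\windows\system32\mejxbkg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Defender Pro Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [ccApp] -
O20 - Winlogon Notify: cqbzpxkq - C:\WINDOWS\SYSTEM32\mejxbkg.dll
"""

# O2/O3 entries carry a CLSID between the name and the path; O20 entries do not.
ENTRY_RE = re.compile(
    r"^(?P<kind>O\d+) - (?P<label>[^:]+): (?P<name>.*?)"
    r"(?: - (?P<clsid>\{[0-9A-Fa-f-]+\}))? - (?P<path>.+)$"
)

RANDOM_RE = re.compile(r"^[a-z]{6,}$")


def looks_random(token):
    """Heuristic (my assumption): an all-lowercase alphabetic token of six or
    more letters with fewer than 30% vowels, e.g. loyfsgde or mejxbkg."""
    if not RANDOM_RE.match(token):
        return False
    return sum(c in "aeiou" for c in token) / len(token) < 0.3


def parse(log_text):
    """Parse the O2/O3/O20 lines of a HijackThis log into dicts."""
    entries = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group("kind") in ("O2", "O3", "O20"):
            entries.append({**m.groupdict(), "line": line})
    return entries


def assess(entry):
    """Return the reasons an entry deserves a second look (empty if none)."""
    reasons = []
    path = entry["path"]
    folder = ntpath.dirname(path).lower()
    stem = ntpath.splitext(ntpath.basename(path))[0]
    if entry["kind"] == "O2" and entry["name"] == "(no name)":
        reasons.append("BHO registered without a name")
    if entry["kind"] == "O20" and looks_random(entry["name"]):
        reasons.append("Winlogon Notify subkey with a random-looking name")
    if looks_random(stem):
        reasons.append("random-looking DLL name: " + stem)
    if folder == r"c:\windows":
        reasons.append("DLL placed directly in the Windows folder")
    return reasons


def suspicious_lines(log_text):
    """Map each flagged original log line to its reasons, in log order."""
    flagged = {}
    for entry in parse(log_text):
        reasons = assess(entry)
        if reasons:
            flagged[entry["line"]] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in suspicious_lines(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run on the sample it prints exactly the four lines listed under "Check the boxes in front of these lines" above. A flag is a prompt to look at the file (publisher signature, creation time, whether any installed product owns it), not a verdict: some legitimate vendors also use short odd names, so a heuristic like this will produce false positives on other machines.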

Re: need help wnpc antivirus

Post by shannonmac8 on Mon Jun 01, 2009 9:17 pm

I can't remove Java(TM) 6 Update 13 because during the installation process it says it needs to close iexplorer.exe and jqs.exe, which are processes running automatically. Internet Explorer is not open. I click to close them and my computer goes blue and restarts by itself. When it restarts it says it suffered a fatal error. I then tried to download Malwarebytes; it gets to the end and says finishing installation but it never does, and also after a few minutes makes my screen blue and restarts by itself. When it came back on I tried to click the icon on my desktop of Malwarebytes that was there but it wouldn't open. Deleted and tried to install again but no luck, same thing, so I deleted it. What do I do now???


Re: need help wnpc antivirus

Post by shannonmac8 on Mon Jun 01, 2009 9:17 pm

I did remove the rest and did do the hijack fix.


Re: need help wnpc antivirus

Post by Belahzur on Mon Jun 01, 2009 9:27 pm


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:
       * Tools->Options->Main tab
       * Set to "Always ask me where to Save the files".
    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (BitDefender)
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Re: need help wnpc antivirus

Post by shannonmac8 on Mon Jun 01, 2009 10:09 pm

ComboFix 09-05-31.06 - Janet Duross 06/01/2009 17:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.656 [GMT -4:00]
Running from: c:\documents and settings\Janet Duross\My Documents\Combo-Fix.exe
AV: Defender Pro Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Defender Pro Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ieocx.dll
c:\windows\system32\drivers\ajhvbqgv.sys
c:\windows\system32\drivers\mwfmfibc.sys
c:\windows\system32\drivers\UACukvjnccvacnalkk.sys
c:\windows\system32\jvndqtk.dll
c:\windows\system32\loyfsgde.dll
c:\windows\system32\mejxbkg.dll
c:\windows\system32\rqchhxyh.dll
c:\windows\system32\UACalpvdxwqobwafpu.dll
c:\windows\system32\UACegwpeqfwwicxtcl.dll
c:\windows\system32\UACfoyamjbnmkfoxwy.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClbhwjvmdtrgmhfy.log
c:\windows\system32\UAClucklrptxxqucny.dll
c:\windows\system32\UACrmbwkswddsejmtw.log
c:\windows\system32\UACrohsrinydluegqq.dll
c:\windows\system32\UACvkalxcpgpgubfce.dat
c:\windows\system32\UACwdtyuvwvhnuelgk.log

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\sfcfiles.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_MWFMFIBC
-------\Legacy_SFC
-------\Legacy_UCISANKG
-------\Service_mwfmfibc
-------\Service_sfc
-------\Service_ucisankg


((((((((((((((((((((((((( Files Created from 2009-05-01 to 2009-06-01 )))))))))))))))))))))))))))))))
.

2009-06-01 21:00 . 2009-06-01 21:47 81984 ----a-w- c:\windows\system32\bdod.bin
2009-06-01 20:53 . 2009-06-01 20:53 -------- d-----w- c:\documents and settings\Janet Duross\Local Settings\Application Data\tgbqnoae
2009-06-01 20:53 . 2009-06-01 20:53 -------- d-----w- c:\documents and settings\Janet Duross\Application Data\tgbqnoae
2009-06-01 20:12 . 2009-06-01 20:12 -------- d-----w- c:\windows\system32\LogFiles
2009-06-01 18:05 . 2009-06-01 18:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\tgbqnoae
2009-06-01 18:05 . 2009-06-01 18:05 -------- d-----w- c:\documents and settings\NetworkService\Application Data\tgbqnoae
2009-06-01 16:48 . 2009-06-01 16:48 -------- d-----w- c:\program files\Trend Micro
2009-06-01 04:11 . 2009-06-01 21:48 -------- d-----w- c:\program files\Common Files\BitDefender
2009-05-31 23:59 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-05-31 23:59 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-05-31 21:11 . 2009-05-31 21:11 -------- d-----w- c:\documents and settings\Janet Duross\Application Data\Template
2009-05-31 20:59 . 2009-05-31 20:59 -------- d-----w- c:\documents and settings\Janet Duross\Local Settings\Application Data\Mozilla
2009-05-31 20:56 . 2009-05-31 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-05-31 19:21 . 2009-05-31 19:21 -------- d-----w- c:\program files\Common Files\PC Tools
2009-05-31 01:37 . 2004-12-07 14:11 258352 ----a-w- c:\windows\system32\unicows.dll
2009-05-31 01:37 . 2006-09-11 15:56 526184 ----a-w- c:\windows\system32\XceedCry.dll
2009-05-31 01:37 . 2006-12-21 19:18 497496 ----a-w- c:\windows\system32\XceedZip.dll
2009-05-31 01:37 . 2006-09-11 15:53 276352 ----a-w- c:\windows\system32\XceedSco.dll
2009-05-30 18:41 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 18:41 . 2009-05-30 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-30 18:41 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 17:35 . 2009-05-30 17:35 -------- d-----w- c:\documents and settings\Janet Duross\Option
2009-05-30 03:07 . 2009-05-30 03:07 193 ----a-w- c:\documents and settings\Janet Duross\Application Data\asd.bat
2009-05-23 04:13 . 2009-05-23 04:13 -------- d-----w- c:\documents and settings\Janet Duross\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 20:22 . 2008-10-29 01:22 -------- d-----w- c:\program files\Java
2009-06-01 20:06 . 2009-03-29 04:21 -------- d-----w- c:\documents and settings\Janet Duross\Application Data\Symantec
2009-06-01 20:06 . 2008-10-29 01:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-01 20:04 . 2008-10-29 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-01 19:47 . 2008-10-29 01:30 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-01 07:01 . 2008-10-29 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-31 21:11 . 2009-05-31 21:11 0 ----a-w- c:\documents and settings\Janet Duross\Application Data\wklnhst.dat
2009-05-31 21:05 . 2008-10-29 01:17 -------- d-----w- c:\program files\Microsoft.NET
2009-05-31 20:20 . 2008-10-29 01:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2009-03-30 23:35 . 2008-10-29 00:51 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-29 05:20 . 2009-03-29 05:20 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-29 04:47 . 2009-03-29 04:46 57261736 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4337.29.1\setup.exe
2009-03-29 04:46 . 2009-03-29 04:46 335 ----a-w- c:\windows\nsreg.dat
2009-03-29 04:22 . 2009-03-29 04:22 60664 ----a-w- c:\documents and settings\Janet Duross\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2008-04-14 22:00 284160 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-09-25 210216]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-07-10 421888]
"HostManager"="c:\program files\Common Files\AOL\1238302172\ee\AOLSoftware.exe" [2008-11-06 41264]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-02-25 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\Client\\Agentsvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\BackupSvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\SchedulerSvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1238302172\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 5:11 PM 16384]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/7/2008 2:42 AM 50424]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/4/2008 7:03 AM 131072]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MWFMFIBC
*Deregistered* - mwfmfibc
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{03FA024D-93E0-40B0-A695-58FC7EF4CA21} - c:\windows\system32\loyfsgde.dll
HKLM-Run-LaunchApp - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-01 18:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SNDSrvc]
"ImagePath"="-"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\savedump.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\aol\acs\AOLacsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-01 18:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-01 22:05

Pre-Run: 64,926,449,664 bytes free
Post-Run: 64,977,973,248 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

188 --- E O F --- 2009-06-01 07:01

shannonmac8

Re: need help wnpc antivirus

Post by Belahzur on Tue Jun 02, 2009 12:16 am

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
MWFMFIBC

Folder::
c:\documents and settings\Janet Duross\Local Settings\Application Data\tgbqnoae
c:\documents and settings\Janet Duross\Application Data\tgbqnoae
c:\documents and settings\NetworkService\Local Settings\Application Data\tgbqnoae
c:\documents and settings\NetworkService\Application Data\tgbqnoae

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.




Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
# Likes : 1
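The first ComboFix log above shows the Security Center keys a rogue "antivirus" typically edits so the machine stops warning that protection is off (`UpdatesDisableNotify=1` under `security center`, plus `DisableMonitoring=1` under the `Monitoring` subkeys), and the CFScript in the reply removes only `UpdatesDisableNotify`. The script below is an added example written for this thread, not ComboFix's own code: it parses the REGEDIT4-style "Reg Loading Points" section of a ComboFix log, flags Security Center values that suppress alerts, and diffs a before/after pair to confirm which ones a fix script actually cleared. The two sample dumps are constructed from the log lines posted in this thread, and the severity labels are this example's own convention: the `*DisableNotify` values are rated high because nothing legitimate needs them, while `DisableMonitoring` under `Monitoring\<vendor>` is rated info because a registered third-party suite writes it when it reports its own status.

```python
"""Flag Windows Security Center tampering in a ComboFix 'Reg Loading Points' dump.

Added example for this thread (not ComboFix's code). Sample dumps are constructed
from the registry lines posted in the thread, before and after CFScript.txt ran.
"""
import re

# Values a rogue AV sets so Security Center stays quiet; 1 means "suppressed".
# Severity is this example's own convention (see lead-in).
SEVERITY = {
    "UpdatesDisableNotify": "high",
    "AntiVirusDisableNotify": "high",
    "FirewallDisableNotify": "high",
    "DisableMonitoring": "info",   # often set legitimately by a registered AV suite
}
SECURITY_CENTER = r"\software\microsoft\security center"

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed from the first log in this thread (before the CFScript ran).
BEFORE_FIX = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
"""

# Constructed from the second log (after CFScript removed UpdatesDisableNotify).
AFTER_FIX = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
"""


def parse_regedit4(text):
    """Parse a REGEDIT4-style block into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def dword_value(raw):
    """Turn 'dword:00000001' into an int; None for anything that is not a DWORD."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    return int(m.group(1), 16) if m else None


def security_center_findings(text):
    """Sorted (key, value_name, severity) triples for suppressed Security Center alerts."""
    findings = []
    for key, values in parse_regedit4(text).items():
        if SECURITY_CENTER not in key.lower():
            continue
        for name, raw in values.items():
            if name in SEVERITY and dword_value(raw) == 1:
                findings.append((key, name, SEVERITY[name]))
    return sorted(findings)


def fixed_by_script(before_text, after_text):
    """Findings present in the pre-fix log that no longer appear in the post-fix log."""
    before = set(security_center_findings(before_text))
    after = set(security_center_findings(after_text))
    return sorted(before - after)


if __name__ == "__main__":
    for key, name, sev in security_center_findings(BEFORE_FIX):
        print(f"[{sev}] {key} -> {name}=1")
    print("cleared by fix script:", fixed_by_script(BEFORE_FIX, AFTER_FIX))
```

Run it as a script to print the pre-fix findings and the diff; on this thread's logs the only entry the CFScript clears is `UpdatesDisableNotify`, and the three `DisableMonitoring` values remain because they belong to the Symantec product's Security Center registration rather than to the rogue software.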

Re: need help wnpc antivirus

Post by shannonmac8 on Tue Jun 02, 2009 3:21 am

ComboFix 09-05-31.06 - Janet Duross 06/01/2009 23:14.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.565 [GMT -4:00]
Running from: c:\documents and settings\Janet Duross\My Documents\Combo-Fix.exe
Command switches used :: c:\documents and settings\Janet Duross\Desktop\CFScript.txt
AV: Defender Pro Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Defender Pro Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Janet Duross\Application Data\tgbqnoae
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\profiles.ini
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\cert8.db
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\compatibility.ini
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\compreg.dat
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\cookies.sqlite
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\formhistory.sqlite
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\key3.db
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\localstore.rdf
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\parent.lock
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\permissions.sqlite
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\places.sqlite-journal
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\places.sqlite-stmtjrnl
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\places.sqlite
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\pluginreg.dat
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\prefs.js
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\secmod.db
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\webappsstore.sqlite
c:\documents and settings\Janet Duross\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\xpti.dat
c:\documents and settings\Janet Duross\Local Settings\Application Data\tgbqnoae
c:\documents and settings\Janet Duross\Local Settings\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\urlclassifier3.sqlite
c:\documents and settings\Janet Duross\Local Settings\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\XPC.mfl
c:\documents and settings\NetworkService\Application Data\tgbqnoae
c:\documents and settings\NetworkService\Application Data\tgbqnoae\profiles.ini
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\cert8.db
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\key3.db
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\prefs.js
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\secmod.db
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\tgbqnoae
c:\documents and settings\NetworkService\Local Settings\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\tgbqnoae\Profiles\cp9z0zn4.default\XPC.mfl

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MWFMFIBC


((((((((((((((((((((((((( Files Created from 2009-05-02 to 2009-06-02 )))))))))))))))))))))))))))))))
.

2009-06-01 21:00 . 2009-06-01 21:47 81984 ----a-w- c:\windows\system32\bdod.bin
2009-06-01 20:12 . 2009-06-01 20:12 -------- d-----w- c:\windows\system32\LogFiles
2009-06-01 16:48 . 2009-06-01 16:48 -------- d-----w- c:\program files\Trend Micro
2009-06-01 04:11 . 2009-06-01 21:48 -------- d-----w- c:\program files\Common Files\BitDefender
2009-05-31 23:59 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-05-31 23:59 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-05-31 21:11 . 2009-05-31 21:11 -------- d-----w- c:\documents and settings\Janet Duross\Application Data\Template
2009-05-31 20:59 . 2009-05-31 20:59 -------- d-----w- c:\documents and settings\Janet Duross\Local Settings\Application Data\Mozilla
2009-05-31 20:56 . 2009-05-31 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-05-31 19:21 . 2009-05-31 19:21 -------- d-----w- c:\program files\Common Files\PC Tools
2009-05-31 01:37 . 2004-12-07 14:11 258352 ----a-w- c:\windows\system32\unicows.dll
2009-05-31 01:37 . 2006-09-11 15:56 526184 ----a-w- c:\windows\system32\XceedCry.dll
2009-05-31 01:37 . 2006-12-21 19:18 497496 ----a-w- c:\windows\system32\XceedZip.dll
2009-05-31 01:37 . 2006-09-11 15:53 276352 ----a-w- c:\windows\system32\XceedSco.dll
2009-05-30 18:41 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 18:41 . 2009-05-30 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-30 18:41 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 17:35 . 2009-05-30 17:35 -------- d-----w- c:\documents and settings\Janet Duross\Option
2009-05-30 03:07 . 2009-05-30 03:07 193 ----a-w- c:\documents and settings\Janet Duross\Application Data\asd.bat
2009-05-23 04:13 . 2009-05-23 04:13 -------- d-----w- c:\documents and settings\Janet Duross\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-01 20:22 . 2008-10-29 01:22 -------- d-----w- c:\program files\Java
2009-06-01 20:06 . 2009-03-29 04:21 -------- d-----w- c:\documents and settings\Janet Duross\Application Data\Symantec
2009-06-01 20:06 . 2008-10-29 01:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-01 20:04 . 2008-10-29 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-01 19:47 . 2008-10-29 01:30 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-01 07:01 . 2008-10-29 01:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-31 21:11 . 2009-05-31 21:11 0 ----a-w- c:\documents and settings\Janet Duross\Application Data\wklnhst.dat
2009-05-31 21:05 . 2008-10-29 01:17 -------- d-----w- c:\program files\Microsoft.NET
2009-05-31 20:20 . 2008-10-29 01:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2009-03-30 23:35 . 2008-10-29 00:51 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-29 05:20 . 2009-03-29 05:20 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-03-29 04:47 . 2009-03-29 04:46 57261736 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\waol\0.4337.29.1\setup.exe
2009-03-29 04:46 . 2009-03-29 04:46 335 ----a-w- c:\windows\nsreg.dat
2009-03-29 04:22 . 2009-03-29 04:22 60664 ----a-w- c:\documents and settings\Janet Duross\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:22 . 2008-04-14 22:00 284160 ----a-w- c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-02 03:17 . 2009-06-02 03:17 16384 c:\windows\temp\Perflib_Perfdata_70.dat
+ 2008-10-29 01:34 . 2009-06-01 22:07 63016 c:\windows\system32\perfc009.dat
- 2008-10-29 01:34 . 2009-06-01 21:14 63016 c:\windows\system32\perfc009.dat
+ 2008-10-29 01:34 . 2009-06-01 22:07 402406 c:\windows\system32\perfh009.dat
- 2008-10-29 01:34 . 2009-06-01 21:14 402406 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-02-25 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-02-25 81920]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-07 34040]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-09-25 210216]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-07-10 421888]
"HostManager"="c:\program files\Common Files\AOL\1238302172\ee\AOLSoftware.exe" [2008-11-06 41264]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-02-25 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-05-16 16862720]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\Client\\Agentsvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\BackupSvc.exe"=
"c:\\Program Files\\NewTech Infosystems\\NTI Backup Now 5\\SchedulerSvc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1238302172\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [3/3/2008 5:11 PM 16384]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [4/7/2008 2:42 AM 50424]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [4/4/2008 7:03 AM 131072]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - UBHELPER
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-01 23:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SNDSrvc]
"ImagePath"="-"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\aol\acs\AOLacsd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-02 23:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-02 03:19
ComboFix2.txt 2009-06-01 22:05

Pre-Run: 64,958,488,576 bytes free
Post-Run: 64,997,990,400 bytes free

192 --- E O F --- 2009-06-01 07:01

shannonmac8

Re: need help wnpc antivirus

Post by Origin on Tue Jun 02, 2009 3:22 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31473
# Likes : 0

Re: need help wnpc antivirus

Post by shannonmac8 on Tue Jun 02, 2009 3:24 am

It seems to be good so far. Thank you!!!

shannonmac8