"Personal AntiVirus"


Post by mariealabama on 4th June 2009, 9:25 pm

That statement is about as true as "my dad is computer literate." Also, after we remove this, can we please lock him out of downloading anything other than pictures and Word documents? I had to remove Antivirus 2008 last year, and this is just getting annoying...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:54 PM, on 6/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\PAV\pav.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix /autoclose
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 3240 bytes

mariealabama
Intermediate
Posts: 107
Joined: 2009-04-10
Gender: Female
OS: dual boot Win XP SP2 and Win 7 32 bit
Points: 28325
Likes: 0

Re: "Personal AntiVirus"

Post by Belahzur on 4th June 2009, 10:04 pm

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245101
Likes: 1

Re: "Personal AntiVirus"

Post by mariealabama on 4th June 2009, 10:13 pm

1) Spybot is blocked
2) I have Malwarebytes; it's blocked as well

I can't even open Spybot to close TeaTimer, so I'll just do it through Task Manager.


Re: "Personal AntiVirus"

Post by mariealabama on 4th June 2009, 10:15 pm

I know that I have partially confused the living daylights out of the virus... I disabled it from running on start-up, and I'm not getting annoying messages while I'm trying to type. This virus is REALLY annoying; it's one of those that blocks all kinds of anti-virus programs.


Re: "Personal AntiVirus"

Post by Belahzur on 4th June 2009, 10:28 pm

Mind if I ask why this machine doesn't have an AV installed on it?

In any case, let's use ComboFix.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow ComboFix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



Re: "Personal AntiVirus"

Post by mariealabama on 4th June 2009, 10:51 pm

Simple explanation for the lack of an AV program: this is my dad's computer. When it was last in my hands, it had AVG 8.5. He also PAID for AV 2008, the virus....

ComboFix 09-06-04.04 - Administrator 06/04/2009 17:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1470.1175 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Desktop\Personal Antivirus.lnk
c:\program files\PAV
c:\program files\PAV\pav.exe
c:\windows\system32\drivers\UACekixkflpujnucxl.sys
c:\windows\system32\msconfig.exe
c:\windows\system32\UACapjnrnkndlcsuwo.dll
c:\windows\system32\UACcupoigvaclhyony.dll
c:\windows\system32\UACdleauphwtjllwyq.dat
c:\windows\system32\UACgsobryiskfalaqw.log
c:\windows\system32\UACgsvrmkbgnahseca.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkdutyotdbglabme.dll
c:\windows\system32\UAClbrbialquqwudtx.log
c:\windows\system32\UACrpjjpjuouhultje.dll
c:\windows\system32\UACvtjbymlhyhwrajv.log
c:\windows\system32\winexplorer.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-05-20 02:34 . 2009-06-04 21:26 -------- d-----w- c:\program files\Common Files\Uninstall
2009-05-12 08:00 . 2009-05-12 08:00 -------- d-----w- c:\windows\system32\KB905474
2009-05-12 08:00 . 2009-03-11 03:26 1403264 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-12 08:00 . 2009-03-11 03:18 453512 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2009-05-07 20:21 . 2009-05-12 22:37 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-07 20:20 . 2009-05-07 20:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2009-05-07 20:19 . 2009-05-07 20:19 -------- d-----w- c:\program files\JRE
2009-05-07 20:18 . 2009-05-07 20:18 -------- d-----w- c:\program files\OpenOffice.org 3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 21:11 . 2008-12-23 07:13 -------- d-----w- c:\program files\RF Equilibrium
2009-06-04 21:11 . 2008-11-14 00:21 -------- d-----w- c:\program files\Ventrilo
2009-06-04 21:09 . 2008-06-07 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-13 08:01 . 2008-06-20 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-12 22:42 . 2006-03-18 14:46 74000 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-07 20:18 . 2008-12-22 08:25 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-04 16:18 . 2009-05-04 16:16 -------- d-----w- c:\program files\Windows Live Safety Center
2009-04-15 11:26 . 2009-02-14 04:53 -------- d-----w- c:\program files\Google
2009-04-15 11:26 . 2008-06-07 18:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-03-24 23:55 . 2007-05-01 00:35 338 ----a-w- c:\documents and settings\Administrator\Application Data\wklnhst.dat
2008-06-20 16:47 . 2008-06-20 16:47 1077632 ----a-w- c:\program files\RegCureSetup_1501_RW.exe
2007-06-03 17:57 . 2006-03-16 20:51 61038 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2007-06-03 17:57 . 2006-03-16 20:51 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-03 17:57 . 2006-03-16 20:51 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-01-15 2356088]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-07 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoInternetIcon"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

S3 PRISM;D-Link Air Wireless Prism3 Adapter Driver;c:\windows\system32\drivers\PRISMNDS.sys [3/17/2006 5:31 AM 652288]
.
Contents of the 'Scheduled Tasks' folder

2009-03-26 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-06-07 20:31]

2009-03-26 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2008-06-07 20:31]

2009-06-04 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tjp7wart.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-04 17:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-06-04 17:48
ComboFix-quarantined-files.txt 2009-06-04 22:48
ComboFix2.txt 2009-03-26 00:17
ComboFix3.txt 2008-07-15 02:30

Pre-Run: 67,700,076,544 bytes free
Post-Run: 67,689,287,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

134 --- E O F --- 2009-05-20 15:17


Re: "Personal AntiVirus"

Post by mariealabama on 4th June 2009, 10:54 pm

Everything seems to be working as well as it was, and Malwarebytes showed no infections. Now I am going to install AVG on here and hopefully no one at my dad's house will uninstall it this time!


Re: "Personal AntiVirus"

Post by Belahzur on 4th June 2009, 11:04 pm

Hello. A few leftovers to fix.
TeaTimer will open now, so make sure it's disabled before running this reg fix.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    [-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


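The ComboFix log posted earlier in the thread and the registry fix in this last post are the two places where a helper has to read the log by eye: spot the random-named UAC* driver and DLLs under "Other Deletions" (a naming pattern associated with the TDSS rootkit family), notice that a Microsoft binary such as msconfig.exe was among the deletions (so the copy on disk had been replaced), and then pick the Explorer policy values that hid Help, "Set Program Access and Defaults" and the Internet icon from the user. The script below is an added example, not code from the thread, from ComboFix or from Belahzur; it parses a constructed excerpt of the log above and does those three checks, then emits a .reg fragment. The section titles, the regexes, the SYSTEM_BINARIES and LOCKDOWN_VALUES lists and the `"name"=-` deletion syntax are this example's own assumptions.

```python
"""Triage a ComboFix log: rootkit droppings removed, Explorer lockdown policies left.

Added example, not from the thread or from ComboFix. The section names, regexes
and the SYSTEM_BINARIES / LOCKDOWN_VALUES lists are this example's own assumptions.
"""
import re

# Constructed excerpt of the ComboFix log posted above (trimmed to the sections
# this script reads; the paths are the ones that appear in the thread).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Desktop\Personal Antivirus.lnk
c:\program files\PAV\pav.exe
c:\windows\system32\drivers\UACekixkflpujnucxl.sys
c:\windows\system32\msconfig.exe
c:\windows\system32\UACapjnrnkndlcsuwo.dll
c:\windows\system32\UACdleauphwtjllwyq.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\winexplorer.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_UACd.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoInternetIcon"= 1 (0x1)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# "UAC" + a run of random letters + sys/dll/dat/log: the rootkit's dropped-file
# naming in the log above (uacinit.dll is deliberately not matched).
RANDOM_UAC_RE = re.compile(r"\\UAC[a-z]{8,}\.(?:sys|dll|dat|log)$", re.I)
SERVICE_RE = re.compile(r"^-+\\Service_(.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=')
# Microsoft binaries that should never be under "Other Deletions": if ComboFix
# removed one, the on-disk copy had been replaced or patched (assumed list).
SYSTEM_BINARIES = {"msconfig.exe", "userinit.exe", "winlogon.exe", "explorer.exe"}
# Policy values that hide tools from the user (assumed list; not from the thread).
LOCKDOWN_VALUES = {"NoSMHelp", "NoSMConfigurePrograms", "NoInternetIcon",
                   "NoRun", "NoControlPanel", "NoFolderOptions",
                   "DisableTaskMgr", "DisableRegistryTools"}


def parse_sections(log):
    """Map each ComboFix section title to its non-empty body lines."""
    sections, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections


def find_lockdown_policies(reg_lines):
    """Return (key, value name) pairs for lockdown values under any policies key."""
    found, key = [], None
    for line in reg_lines:
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key and "\\policies\\" in key.lower() and vm.group(1) in LOCKDOWN_VALUES:
            found.append((key, vm.group(1)))
    return found


def build_reg_fix(policies):
    """Emit a .reg fragment that deletes only the flagged values ("name"=-)."""
    by_key = {}
    for key, name in policies:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines += [f"[{key}]"] + [f'"{n}"=-' for n in names] + [""]
    return "\n".join(lines)


def triage(log):
    """Summarise what the log shows was removed and what still needs fixing."""
    s = parse_sections(log)
    deleted = s.get("Other Deletions", [])
    return {
        "random_named": [p for p in deleted if RANDOM_UAC_RE.search(p)],
        "system_binaries": [p for p in deleted
                            if p.rsplit("\\", 1)[-1].lower() in SYSTEM_BINARIES],
        "removed_services": [m.group(1) for m in map(SERVICE_RE.match,
                             s.get("Drivers/Services", [])) if m],
        "lockdown_policies": find_lockdown_policies(s.get("Reg Loading Points", [])),
    }
```

Run `triage(SAMPLE_LOG)` and feed the `lockdown_policies` entry to `build_reg_fix` to get the .reg text. The generated fragment removes only the named values; the fix in the post above deletes the whole `policies\explorer` keys instead, which also works but discards any legitimate policy the owner had set there. The `system_binaries` entry is the one to act on after the run: a deleted msconfig.exe means the machine now needs a clean copy restored from the Windows CD or service-pack cache.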
