Can't remove Antivirus Software Pro


Can't remove Antivirus Software Pro

Post by kill-em on 2nd July 2009, 7:25 pm

I successfully downloaded & used GP's Malwarebytes' Anti-Malware software 2 weeks ago to remove the blue-shielded "Antivirus Software Pro" virus that had infected my computer. Thank You!

Unfortunately, this same computer got infected again yesterday (sidenote: I think it's happening when my kids go to one or more online game sites, including playhub.com. Any comment / confirmation by GP on this website and/or other game sites to absolutely avoid?)

Back to the problem: I clicked the Malwarebytes icon on my desktop thinking it would quickly eradicate the 'Pro' virus again; however, nothing happened. I tried removing Malwarebytes (via Control Panel "Add or Remove Programs") and then downloaded the software again using the forum software link on your website. After a long time installing, it never launched automatically (as I remember it doing 2 weeks ago), and double-clicking the icon still produces nothing.

Looking for help! And, if/when it's removed again, seeking any add'l advice on how to prevent this insidious #$@% virus from getting me again. Thanks in advance!

kill-em (Novice)
Posts : 11
Joined : 2009-07-01
OS : XP Home Edition
Points : 27203
Likes : 0


Re: Can't remove Antivirus Software Pro

Post by Origin on 2nd July 2009, 7:35 pm

Hello Kill-em,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

  • If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP
  • If you have any cracked/pirated software in your computer delete them or we will not help you.
  • Only follow advice from Geek Police Staff and not a regular member.
  • Do NOT run any tool without Geek Police supervision as it could render your system useless.


I did visit the website where your kids play games and I did notice it had a lot of ads; these ads can contain malicious files that could infect your computer. While you can block the ads, I recommend you tell your children to use this website instead, as it is safer to be on: [You must be registered and logged in to see this link.]

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


Origin (Master)
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows XP SP3
Points : 31523
Likes : 0


Trying....

Post by kill-em on 2nd July 2009, 10:25 pm

Origin,

Thanks for getting back and the tips on my kids' game sites. To be sure, I'm running 100% legal software (OS, etc.)

I'm communicating with you via my home-office computer which sits next to my kids' / personal computer (the one that's infected.) It's so bad right now, I'm having a hard time even getting a browser window to open your forum (to click on the link you advised). By the time I login to your website and try to click on my posts, etc. this $%&# virus 'kills' the IE page & replaces it with a mock IE warning screen with "recommended" action link that takes you to purchase the hoax Antivirus System Pro software!

I'll keep trying to do as you've instructed on the infected computer; but is there another way to get this Hijack This software downloaded to the infected machine?

P.S. please forgive the paranoia, but your website says to only follow instructions of tech support staff...how can I verify you are who you say you are? -Thanks!


Re: Can't remove Antivirus Software Pro

Post by Belahzur on 2nd July 2009, 11:30 pm

Hello.
Please be assured, Origin is tech staff here. All members under tech staff have a green username and "Tech Staff" under their name. Whereas I am a general moderator of the entire forum, and I help here too. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator)
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1


Finally got Hijack this to run...

Post by kill-em on 2nd July 2009, 11:52 pm

Here's cc of the logfile: Please advise. Thank you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:25 PM, on 7/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\windows\ld11.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\sysguard.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O1 - Hosts: 209.44.111.62 [You must be registered and logged in to see this link.]
O2 - BHO: BHO - {029D18CB-8632-463c-93B7-C210AE50C722} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ShowDHLToolbar Class - {905BEDEF-14B4-4B49-A97A-875326A61911} - C:\Program Files\DHL\DHLToolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: DHL Toolbar - {82CC2983-CA87-4D46-B33B-D285BD667A56} - C:\Program Files\DHL\DHLToolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [cwcptray] C:\Program Files\ContentWatch\Internet Protection\cwtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld11.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LowRiskFileTypes] C:\WINDOWS\sysguard.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Show/Hide DHL Toolbar - {82CC2983-CA87-4D46-B33B-D285BD667A56} - C:\Program Files\DHL\DHLToolbar\DHL Worldwide Airwaybill Tracking Toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EAB100A-3509-4CE9-9179-A2FC9F6CC06C}: NameServer = 68.94.156.1,68.94.157.1
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 10643 bytes


Re: Can't remove Antivirus Software Pro

Post by Belahzur on 3rd July 2009, 12:22 am

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O1 - Hosts: 209.44.111.62 antispy.microsoft.com
    O1 - Hosts: 209.44.111.62 antiaware-pro.com
    O1 - Hosts: 209.44.111.62 [You must be registered and logged in to see this link.]
    O2 - BHO: BHO - {029D18CB-8632-463c-93B7-C210AE50C722} - C:\WINDOWS\system32\iehelper.dll
    O4 - HKLM\..\Run: [sysldtray] C:\windows\ld11.exe
    O4 - HKCU\..\Run: [LowRiskFileTypes] C:\WINDOWS\sysguard.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.




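The fix list above is built from three kinds of HijackThis lines: O1 hosts-file entries that point vendor names at a foreign IP, an unnamed O2 browser helper object loaded from the Windows directory, and O4 logon Run entries that launch executables sitting directly in C:\WINDOWS. The following Python script is an added example (mine, not part of this thread and not anything HijackThis, Malwarebytes or Geek Police ship) that applies that same reasoning mechanically so a helper can triage a pasted log before deciding what to check. The sample lines are constructed from entries in the log posted earlier; the regexes, the severity labels and the `triage`/`triage_line` names are my own assumptions.

```python
"""Triage helper for HijackThis-style log lines (O1 hosts, O2 BHO, O4 Run).

Added example: none of this is HijackThis code. It encodes the reasoning a
helper uses when reading a log: hosts-file redirects of vendor names, unnamed
browser helper objects in the Windows directory, and logon Run entries that
start a program straight from the Windows root.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, modelled on lines from the log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O2 - BHO: BHO - {029D18CB-8632-463c-93B7-C210AE50C722} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld11.exe
O4 - HKCU\..\Run: [LowRiskFileTypes] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


@dataclass
class Finding:
    severity: str  # "high" = almost certainly hostile, "review" = needs a human look
    reason: str
    line: str


HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO:\s+(.*?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(.+)$")
RUN_RE = re.compile(r"^O4 - \S+\\\.\.\\Run(?:Once)?:\s+\[[^\]]*\]\s+(.+)$")
# A PE file sitting directly in the Windows directory, not in a subfolder.
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(exe|dll|scr)$")
GENERIC_BHO_NAMES = {"bho", "(no name)", ""}


def _is_loopback(ip_text):
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def _command_target(command):
    """Return the executable path of a Run value, stripping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_line(line):
    """Classify one HijackThis line; returns a Finding or None."""
    line = line.strip()
    m = HOSTS_RE.match(line)
    if m:
        ip_text, hostname = m.groups()
        if hostname.lower() == "localhost":
            return None
        if not _is_loopback(ip_text):
            return Finding("high", f"hosts file redirects {hostname} to {ip_text}; "
                           "rogue AV commonly hijacks vendor sites this way", line)
        return Finding("review", f"hosts file blackholes {hostname} to loopback", line)
    m = BHO_RE.match(line)
    if m:
        name, dll_path = m.groups()
        if name.strip().lower() in GENERIC_BHO_NAMES and "\\windows\\" in dll_path.lower():
            return Finding("review", "unnamed browser helper object loaded from the Windows directory", line)
        return None
    m = RUN_RE.match(line)
    if m:
        target = _command_target(m.group(1)).lower()
        if WINROOT_RE.match(target):
            return Finding("review", f"logon Run entry launches {target} straight from the Windows root", line)
        return None
    return None


def triage(log_text):
    """Run triage_line over every line and return the findings in log order."""
    return [f for f in (triage_line(raw) for raw in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.severity:6}] {finding.reason}\n         {finding.line}")
```

The Run-key rule deliberately reports "review" rather than "high": the same log also shows `BCMSMMSG.exe` launched from C:\WINDOWS, which is a legitimate modem tray program, so an executable in the Windows root is a prompt to look, not a verdict. The hosts-file rule is the strong one: a public name such as antispy.microsoft.com resolving to a fixed non-loopback address is what stops the victim reaching vendor sites, which matches the browser-hijacking symptoms described in the thread.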

Malwarebytes' doesn't run?...

Post by kill-em on 3rd July 2009, 6:30 am

Good news (and bad?)...

I successfully followed Belahzur's instructions using HijackThis to checkmark and fix the processes indicated. It seems to have stopped the "Antivirus System Pro" dead in its tracks; and I seem to have control of my computer back. Thank you!!!!!!!!! Smile

I then downloaded and installed Malwarebytes' software from the link provided and made "sure a checkmark [was] placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click[ed] Finish."

However, nothing happens (i.e. no add'l dialog boxes or screen options appear allowing me to "select 'Perform Quick Scan, then click Scan", etc.) So I removed the Malwarebytes' software using Control Panel's Add or Remove Programs (incl. rebooting computer as prompted to complete the uninstall process.)

I then went and downloaded using same MBAM link on GP forum post; it seemed to install fine with minor exception of saying "Malware folder already exists, do you want to copy files to this folder" (I said 'yes'). It then continued installing, including user agreement and then the dialog box with 2 checkboxes for "update" and "launch" (both checked) but again nothing happened. Note: I've left 1 IE window opened (to your website) when installing / and attempting to run MBAM. Would that make a difference? (I'll try it once more with all windows closed, but not sure it will matter.)

Any other ideas?


Re: Can't remove Antivirus Software Pro

Post by Belahzur on 3rd July 2009, 3:44 pm

Hello.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Mcafee)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





Re: Can't remove Antivirus Software Pro

Post by kill-em on 4th July 2009, 6:20 am

Hello.

I did all as you instructed. Combofix.txt (found in Combo-fix folder) as follows:

ComboFix 09-07-03.03 - Rick Allred 07/03/2009 19:31:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.530 [GMT -7:00]
Running from: C:\Documents and Settings\Rick Allred\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

Is my computer clean? Should I try to run MBAM now?..


Re: Can't remove Antivirus Software Pro

Post by kill-em on 4th July 2009, 6:28 am

P.S. I forgot to mention that as ComboFix was installing the Windows Recovery Console it brought up a dialog box that said something about detecting the presence of "root" something (can't remember now) and said to take note / write down a listing of 7 files that might be needed upon restarting the computer. All were in folder C:\windows\system32\drivers\ and all began with "UAC" and had very long names (1 example: UACrumlkafkabenxfcmv.sys), etc.

When computer restarted I was never asked for the file names; and the computer seems to be running normally...


Re: Can't remove Antivirus Software Pro

Post by Belahzur on 4th July 2009, 2:05 pm

Hello.
Heh, just as I guessed, a rootkit was present.

The log wasn't full, either you didn't copy/paste it all, or Combofix didn't run fully correctly.

Please try running Combofix again.





Re-ran Combo-Fix

Post by kill-em on 8th July 2009, 5:42 pm

Thanks for your ongoing help. Smile I re-ran Combo-fix. Here's the resulting log. Please advise if any further action is needed to ensure my computer is 'clean'. Thanks.

ComboFix 09-07-07.A9 - Rick Allred 07/08/2009 10:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.458 [GMT -7:00]
Running from: c:\documents and settings\Rick Allred\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\010112010146118114.dat
c:\windows\freddy49.exe
c:\windows\Installer\e94aec9.msp
c:\windows\Installer\e94aed8.msp
c:\windows\Installer\e94aee7.msp
c:\windows\Installer\e94aef6.msp
c:\windows\ld11.exe
c:\windows\ld12.exe
c:\windows\strt_1246567643.exe
c:\windows\strt_1246579860.exe
c:\windows\sysguard.exe
c:\windows\system32\drivers\UACrvmlkafkabenxfcmu.sys
c:\windows\system32\UACdboljijfjobcqrsek.dll
c:\windows\system32\UACdinethnyxbcpthewr.log
c:\windows\system32\UACfedgrklvegmkajcvj.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAClynapjpxejepualso.dat
c:\windows\system32\UACpaeulvebutpvaoykx.dll
c:\windows\system32\UACxtfndpcoybirxjgwo.dll
c:\windows\system32\wbem\proquota.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_DRV
-------\Legacy_WKSPATCH
-------\Service_drv


((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-04 02:42 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-04 02:42 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-03 06:44 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-03 06:44 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 23:17 . 2009-07-02 23:17 -------- d-----w- c:\program files\Trend Micro
2009-07-02 21:12 . 2009-07-03 06:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 16:14 . 2009-07-04 02:44 -------- d-----w- c:\program files\drv
2009-06-24 05:04 . 2009-06-24 05:04 -------- d-----w- c:\documents and settings\Rick Allred\Application Data\Malwarebytes
2009-06-24 05:04 . 2009-06-24 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 19:44 . 2009-06-24 05:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-22 02:45 . 2009-06-24 06:01 -------- d-----w- c:\program files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-24 20:32 . 2007-12-24 06:20 -------- d-----w- c:\documents and settings\Rick Allred\Application Data\U3
2009-06-24 20:22 . 2009-06-24 20:22 0 ----a-w- C:\LOGE1.tmp
2009-06-23 18:54 . 2006-10-11 01:17 -------- d-----w- c:\program files\McAfee
2009-06-05 04:52 . 2009-03-08 15:19 -------- d-----w- c:\program files\StarSonata
2009-05-25 16:51 . 2009-05-23 15:34 -------- d-----w- c:\program files\Sony Online Entertainment
2009-05-24 02:21 . 2009-05-24 02:21 0 ----a-w- C:\LOG8FE.tmp
2009-05-18 22:08 . 2009-05-18 22:08 0 ----a-w- c:\windows\nsreg.dat
2009-05-17 17:21 . 2009-05-17 17:21 0 ----a-w- C:\LOG195.tmp
2009-05-17 14:50 . 2009-05-17 14:50 0 ----a-w- C:\LOG154.tmp
2009-05-07 15:32 . 2002-09-03 16:39 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-02-07 01:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-28 02:19 . 2008-02-02 06:04 34062 ----a-w- c:\documents and settings\Rick Allred\Application Data\Move Networks\ie_bin\Uninst.exe
2009-04-28 02:19 . 2009-04-28 02:19 1047072 ----a-w- c:\documents and settings\Rick Allred\Application Data\Move Networks\MoveMediaPlayer_071303000006.exe
2009-04-17 12:26 . 2002-09-03 17:11 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-05-05 15:36 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-07 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-14 4493312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"cwcptray"="c:\program files\ContentWatch\Internet Protection\cwtray.exe" [2007-05-30 396592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-13 180269]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-31 1836544]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2004-5-3 209016]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CwWLEvent]
2006-02-21 16:50 868352 ----a-w- c:\program files\ContentWatch\Internet Protection\common\cwplc001.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:drv

R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [7/1/2009 9:14 AM 9344]
R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [12/1/2007 7:05 AM 1217840]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 smp_lpt;smp_lpt;c:\windows\system32\drivers\smp_LPT.sys [12/30/2008 9:48 PM 37928]

--- Other Services/Drivers In Memory ---

*Deregistered* - dump_wmimmc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
.
Contents of the 'Scheduled Tasks' folder

2009-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2002-09-03 00:12]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-10-11 18:53]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\cwalsp.dll
TCP: {4EAB100A-3509-4CE9-9179-A2FC9F6CC06C} = 68.94.156.1,68.94.157.1
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Rick Allred\Application Data\Mozilla\Firefox\Profiles\53v7rhhp.default\
FF - plugin: c:\progra~1\SONYON~1\npsoe.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-08 10:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-813497703-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E5F952F5-FF1F-E43C-4BD3-0249710167B2}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oajibnhepeipoggaokgdihcdblmlfa"=hex:62,61,68,6b,00,b1
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(748)
c:\windows\system32\cwalsp.dll
c:\windows\system32\wxbase28u_vc_CW.dll
.
Completion time: 2009-07-08 10:38
ComboFix-quarantined-files.txt 2009-07-08 17:37

Pre-Run: 10,931,187,712 bytes free
Post-Run: 11,445,796,864 bytes free

191 --- E O F --- 2009-07-02 18:57

kill-em
Novice
Posts : 11
Joined : 2009-07-01
OS : XP Home Edition
Points : 27203
Likes : 0

Re: Can't remove Antivirus Software Pro

Post by Belahzur on 8th July 2009, 5:55 pm

Hello.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
drvdrv
npggsvc

File::
C:\LOGE1.tmp
C:\LOG8FE.tmp
C:\LOG195.tmp
C:\LOG154.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"drv"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]

RegNull::
[HKEY_USERS\S-1-5-21-1757981266-813497703-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E5F952F5-FF1F-E43C-4BD3-0249710167B2}*]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.




Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1
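The CFScript above targets four things that stand out in the ComboFix log posted earlier: a boot-start driver (drvdrv) whose .sys file lives under c:\program files, a service (npggsvc) whose image ComboFix could not verify, a firewall port opened globally for "drv", and a private svchost group named "drv". The following is an added triage example, not code from this thread, from Geek Police or from ComboFix: it reads lines in the layouts ComboFix prints and flags exactly those kinds of entries, so a reader can see how a helper picks them out of a long log. The line layouts, the allowlist of well-known svchost groups and the sample lines are my assumptions, constructed in the shape of the posted log rather than taken from a real capture.

```python
"""Triage helper for ComboFix-style log lines.

Added example, not code from the thread or from ComboFix. The line layouts
below are an assumption drawn from the shape of the posted log:
  R1 <name>;<display>;<image path> [<date> <size>]      (drivers/services)
  "<port>:<proto>"= <port>:<proto>:<label>               (GloballyOpenPorts)
  <group> REG_MULTI_SZ <members>                          (svchost groups)
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str      # which rule fired
    subject: str   # driver/service name, port, or svchost group
    detail: str    # the evidence taken from the log line


# Constructed sample in the shape of the log posted above (not a real capture).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:drv

R1 drvdrv;drvdrv;c:\program files\drv\drv.sys [7/1/2009 9:14 AM 9344]
R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [12/1/2007 7:05 AM 1217840]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 smp_lpt;smp_lpt;c:\windows\system32\drivers\smp_LPT.sys [12/30/2008 9:48 PM 37928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
drv REG_MULTI_SZ drv
netsvcs REG_MULTI_SZ AppMgmt Browser
"""

# Assumed allowlist of svchost groups that normally exist on Windows XP.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "localservice", "networkservice",
    "imgsvc", "termsvcs", "httpfilter",
}
# Kernel drivers are normally installed here; anything else is worth a look.
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>\S+)\s*$'
)
SVCHOST_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.+)$")


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious entry found in the log text."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = SERVICE_RE.match(line)
        if m:
            path = m["path"].lower()
            if m["meta"].strip() == "?":
                # ComboFix prints [?] when it could not verify the image file.
                findings.append(Finding("unverified_image", m["name"], m["path"]))
            elif path.endswith(".sys") and not path.startswith(DRIVER_DIR):
                # A kernel driver living outside system32\drivers is unusual.
                findings.append(Finding("driver_outside_drivers_dir", m["name"], m["path"]))
            continue

        m = PORT_RE.match(line)
        if m:
            # A port opened to all addresses deserves a look at who owns it.
            findings.append(Finding("globally_open_port",
                                    f"{m['port']}/{m['proto']}", m["label"]))
            continue

        m = SVCHOST_RE.match(line)
        if m and m["group"].lower() not in KNOWN_SVCHOST_GROUPS:
            # A private svchost group is a common way to host a hidden service.
            findings.append(Finding("unknown_svchost_group", m["group"], m["members"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.subject:12} {f.detail}")
```

Run against the sample it reports four findings, one for each entry the CFScript removes, and nothing for the ContentWatch service or the smp_lpt driver; the rules are deliberately narrow so that a hit means "look here", not "this is malware".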

Re: Can't remove Antivirus Software Pro

Post by kill-em on 8th July 2009, 8:12 pm

Did as you instructed. Here's the log file:

ComboFix 09-07-08.01 - Rick Allred 07/08/2009 12:31.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.472 [GMT -7:00]
Running from: c:\documents and settings\Rick Allred\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Rick Allred\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FILE ::
"C:\LOG154.tmp"
"C:\LOG195.tmp"
"C:\LOG8FE.tmp"
"C:\LOGE1.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG154.tmp
C:\LOG195.tmp
C:\LOG8FE.tmp
C:\LOGE1.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DRVDRV
-------\Service_drvdrv


((((((((((((((((((((((((( Files Created from 2009-06-08 to 2009-07-08 )))))))))))))))))))))))))))))))
.

2009-07-04 02:42 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-04 02:42 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-03 06:44 . 2009-06-17 18:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-03 06:44 . 2009-06-17 18:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-02 23:17 . 2009-07-02 23:17 -------- d-----w- c:\program files\Trend Micro
2009-07-02 21:12 . 2009-07-03 06:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-01 16:14 . 2009-07-04 02:44 -------- d-----w- c:\program files\drv
2009-06-24 05:04 . 2009-06-24 05:04 -------- d-----w- c:\documents and settings\Rick Allred\Application Data\Malwarebytes
2009-06-24 05:04 . 2009-06-24 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 19:44 . 2009-06-24 05:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-22 02:45 . 2009-06-24 06:01 -------- d-----w- c:\program files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 19:26 . 2004-07-06 14:35 105680 ----a-w- c:\documents and settings\Rick Allred\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-24 20:32 . 2007-12-24 06:20 -------- d-----w- c:\documents and settings\Rick Allred\Application Data\U3
2009-06-23 18:54 . 2006-10-11 01:17 -------- d-----w- c:\program files\McAfee
2009-06-05 04:52 . 2009-03-08 15:19 -------- d-----w- c:\program files\StarSonata
2009-05-25 16:51 . 2009-05-23 15:34 -------- d-----w- c:\program files\Sony Online Entertainment
2009-05-18 22:08 . 2009-05-18 22:08 0 ----a-w- c:\windows\nsreg.dat
2009-05-07 15:32 . 2002-09-03 16:39 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-02-07 01:05 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-28 02:19 . 2008-02-02 06:04 34062 ----a-w- c:\documents and settings\Rick Allred\Application Data\Move Networks\ie_bin\Uninst.exe
2009-04-28 02:19 . 2009-04-28 02:19 1047072 ----a-w- c:\documents and settings\Rick Allred\Application Data\Move Networks\MoveMediaPlayer_071303000006.exe
2009-04-17 12:26 . 2002-09-03 17:11 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-05-05 15:36 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-05-03 23:50 . 2009-07-08 19:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-05-03 23:50 . 2009-07-08 13:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-05-03 23:50 . 2009-07-08 19:28 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-05-03 23:50 . 2009-07-08 13:52 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-05-03 14:50 . 2009-07-08 19:39 342624 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-07 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-14 4493312]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"cwcptray"="c:\program files\ContentWatch\Internet Protection\cwtray.exe" [2007-05-30 396592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-06-13 180269]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-31 1836544]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-09 645328]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2004-5-3 209016]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-6 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CwWLEvent]
2006-02-21 16:50 868352 ----a-w- c:\program files\ContentWatch\Internet Protection\common\cwplc001.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:drv

R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [12/1/2007 7:05 AM 1217840]
S3 smp_lpt;smp_lpt;c:\windows\system32\drivers\smp_LPT.sys [12/30/2008 9:48 PM 37928]
.
Contents of the 'Scheduled Tasks' folder

2009-06-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2002-09-03 00:12]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2006-10-11 18:53]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: c:\windows\system32\cwalsp.dll
TCP: {4EAB100A-3509-4CE9-9179-A2FC9F6CC06C} = 68.94.156.1,68.94.157.1
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Rick Allred\Application Data\Mozilla\Firefox\Profiles\53v7rhhp.default\
FF - plugin: c:\progra~1\SONYON~1\npsoe.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-08 12:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(752)
c:\windows\system32\cwalsp.dll
c:\windows\system32\wxbase28u_vc_CW.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
.
**************************************************************************
.
Completion time: 2009-07-08 13:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-08 19:59
ComboFix2.txt 2009-07-08 17:38

Pre-Run: 11,451,568,128 bytes free
Post-Run: 11,439,595,520 bytes free

183 --- E O F --- 2009-07-02 18:57

kill-em
Novice
Posts : 11
Joined : 2009-07-01
OS : XP Home Edition
Points : 27203
Likes : 0

Re: Can't remove Antivirus Software Pro

Post by Origin on 8th July 2009, 8:14 pm

Can you run a malwarebytes quick scan for me and post the log back here?



Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31523
Likes : 0

Re: Can't remove Antivirus Software Pro

Post by kill-em on 8th July 2009, 10:17 pm

Ran MBAM. Resulting log looks positive (see below). Pls advise if add'l action is needed.

I very much appreciate GP's support through this issue. I'm also very disappointed that my antivirus software provider (McAfee) failed twice to prevent the Anti Virus Software Pro infection and I am looking for a new provider. I have a friend in IT who recommends "AVAST". Does GP have an opinion on the 'best' antivirus / malware software?

Thank You!

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/8/2009 3:09:09 PM
mbam-log-2009-07-08 (15-09-09).txt

Scan type: Quick Scan
Objects scanned: 94265
Time elapsed: 14 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

kill-em
Novice
Posts : 11
Joined : 2009-07-01
OS : XP Home Edition
Points : 27203
Likes : 0

Re: Can't remove Antivirus Software Pro

Post by Origin on 9th July 2009, 12:07 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31523
Likes : 0

Re: Can't remove Antivirus Software Pro

Post by kill-em on 9th July 2009, 4:07 am

Below is the result of the MBAM log. Pls advise if any action needed. Also, I'm very disappointed in my antivirus software (McAfee) as it has failed to prevent infections of the Antivirus Software Pro malware on two separate occasions. A friend of mine who works in IT recommended "AVAST". I also have Trend Micro PC-cillin on another machine. Does GP have any recommendation as to the best antivirus & malware software?

Thanks again for all your help!

kill-em
Novice
Posts : 11
Joined : 2009-07-01
OS : XP Home Edition
Points : 27203
Likes : 0

Re: Can't remove Antivirus Software Pro

Post by kill-em on 9th July 2009, 4:08 am

Oops. Forgot to post MBAM log:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

7/8/2009 3:09:09 PM
mbam-log-2009-07-08 (15-09-09).txt

Scan type: Quick Scan
Objects scanned: 94265
Time elapsed: 14 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

kill-em
Novice
Posts : 11
Joined : 2009-07-01
OS : XP Home Edition
Points : 27203
Likes : 0

Re: Can't remove Antivirus Software Pro

Post by Origin on 9th July 2009, 4:17 am

Everything looks clean.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31523
Likes : 0
