Personal Antivirus and Inactive search engines

Personal Antivirus and Inactive search engines

Post by sesshi317 on Wed Jul 22, 2009 9:26 pm

Recently got infected with Personal Antivirus and tried to manually delete it through Windows search, after numerous attempts to install Malwarebytes' Anti-Malware and SuperAntivirus to no avail. Also, all of my search toolbars don't work, even after going to the search engine website. Currently running Comodo Internet Security because Webroot Websweeper has recently been damaged and will not scan. Please help.

sesshi317
Novice
Posts : 9
Joined : 2009-07-22
OS : xp home

Re: Personal Antivirus and Inactive search engines

Post by sesshi317 on Wed Jul 22, 2009 9:31 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:16 PM, on 7/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe
C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Frank\Desktop\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: (no name) - 0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: HopSurf toolbar - {E9FAB13D-4600-49E1-90D1-EE961C859D39} - C:\Program Files\Comodo\HopSurfToolbar\HopSurfToolbar_IE.dll
O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\System32\igfxtray.exe"
O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\System32\hkcmd.exe"
O4 - HKLM\..\Run: [ISW.exe] "C:\Program Files\AT&T\Internet Security Wizard\ISW.exe" /AUTORUN
O4 - HKLM\..\Run: [HelpCenter4.1] "C:\Program Files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe" /P HelpCenter4.1
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: HopSurf - {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - C:\Program Files\Comodo\HopSurfToolbar\HopSurfToolbar_IE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - [You must be registered and logged in to see this link.]
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. ([You must be registered and logged in to see this link.] - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 7783 bytes


Last edited by sesshi317 on Thu Jul 23, 2009 5:34 pm; edited 1 time in total (Reason for editing : updated hijackthis after uninstalling antimalware and comodo)

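As an added example (not from the thread, and not code from HijackThis, ComboFix or any other tool named here), the following Python triage pass encodes two checks that the helpers in this thread applied by eye to the HijackThis log above: a process carrying the name of a core Windows binary but running from outside the Windows directory (the `winlogon.exe` on the user's Desktop, which Malwarebytes later quarantined), and R3/O2/O3 registry entries whose target file is gone ("(no file)" / "(file missing)"), which ComboFix later removed as orphans. The sample log lines are copied from the log above; the set of core system binary names and the `C:\WINDOWS` directory path are assumptions made for this example.

```python
"""Triage pass over HijackThis-style log lines (added example, not a thread tool)."""

# Assumption: core Windows binaries that should only run from under the Windows
# directory. A copy of one of these elsewhere (a user's Desktop, a temp folder)
# is worth a closer look regardless of what the file claims to be.
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe",
}

# Assumption: Windows directory of the XP machine in this thread (the log shows C:\WINDOWS).
WINDOWS_DIR = r"c:\windows"

# Markers HijackThis prints when a registered hook/BHO/toolbar DLL is missing on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def is_masquerading_process(path: str) -> bool:
    """True if the path ends in a core system binary name but is not under WINDOWS_DIR.

    Windows paths are case-insensitive, so comparison is done on the lower-cased
    path; odd casing alone (e.g. 'sySTEM32\\SvchoSt.ExE') is not treated as a hit.
    """
    normalized = path.strip().lower()
    name = normalized.rsplit("\\", 1)[-1]
    if name not in SYSTEM_BINARIES:
        return False
    return not normalized.startswith(WINDOWS_DIR + "\\")


def is_orphaned_entry(line: str) -> bool:
    """True for R3 (URLSearchHook), O2 (BHO) and O3 (Toolbar) lines whose file is missing."""
    if not line.startswith(("R3 -", "O2 -", "O3 -")):
        return False
    lowered = line.lower()
    return any(marker in lowered for marker in ORPHAN_MARKERS)


def triage(log_text: str) -> dict:
    """Walk a HijackThis log and collect the two kinds of findings above."""
    findings = {"masquerading_processes": [], "orphaned_entries": []}
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True          # the process list follows until a blank line
            continue
        if in_processes:
            if not line:
                in_processes = False     # blank line ends the process list
                continue
            if is_masquerading_process(line):
                findings["masquerading_processes"].append(line)
            continue
        if is_orphaned_entry(line):
            findings["orphaned_entries"].append(line)
    return findings


# Constructed sample: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Frank\Desktop\winlogon.exe

R3 - URLSearchHook: (no name) - 0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL (file missing)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
"""

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

Run against the sample, the only masquerading process is the Desktop copy of `winlogon.exe`; the `svchost.exe` with odd casing and `Explorer.EXE` directly under `C:\WINDOWS` are both inside the Windows directory and are not flagged. The three orphan hits correspond to the entries ComboFix lists under "ORPHANS REMOVED" and the missing AT&T toolbar DLL further down the thread.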

Ran ComboFix and there's the results

Post by sesshi317 on Thu Jul 23, 2009 6:09 pm

ComboFix 09-07-23.01 - Frank 07/23/2009 13:56.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.345 [GMT -4:00]
Running from: c:\documents and settings\Frank\My Documents\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr0.dat
c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\sFX
c:\program files\sFX\SfX.DlL
c:\program files\sFX\sfX.sYs
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\934fdfg34fgjf23
c:\windows\Installer\9902e64.msi
c:\windows\pp10.exe
c:\windows\system32\drivers\UACbwqvdltobl.sys
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjyirjlktli.dll
c:\windows\system32\UACkewmixmyxp.dll
c:\windows\system32\UACltqfworpib.dll
c:\windows\system32\UACmpqjnsdrpw.dat
c:\windows\system32\UACoduxfuyuvl.dll

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_SFX
-------\Legacy_SFXDRV
-------\Service_sfx
-------\Service_sFxdrv


((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))
.

2009-07-22 18:45 . 2009-07-22 18:55 1520 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-07-22 18:13 . 2009-07-22 18:13 -------- d-----w- c:\documents and settings\Frank\Application Data\Comodo
2009-07-22 18:11 . 2009-07-23 17:29 -------- d-----w- c:\program files\COMODO
2009-07-22 17:26 . 2009-07-22 20:28 -------- d-----w- c:\program files\VS Revo Group
2009-07-21 20:29 . 2009-07-22 20:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-21 20:06 . 2009-07-21 20:06 -------- d-----w- c:\documents and settings\Frank\Application Data\Auslogics
2009-07-21 20:06 . 2009-07-21 20:06 -------- d-----w- c:\program files\Auslogics
2009-07-19 01:37 . 2009-07-19 01:37 -------- d-----w- c:\program files\bfgclient
2009-07-19 01:36 . 2009-07-19 01:37 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\BigFishGamesCache
2009-07-19 01:32 . 2009-07-21 13:13 24 ----a-w- c:\windows\popcinfot.dat
2009-07-19 01:32 . 2009-07-19 01:32 -------- d-----w- c:\program files\PopCap Games
2009-07-19 01:32 . 2009-07-19 01:32 0 ----a-w- c:\windows\popcreg.dat
2009-07-18 15:21 . 2009-07-18 15:21 -------- d-----w- c:\documents and settings\Frank\Application Data\Malwarebytes
2009-07-18 15:20 . 2009-07-18 15:20 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-18 02:31 . 2009-06-22 14:58 24576 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2009-07-18 02:31 . 2009-05-14 09:58 61440 ----a-w- c:\windows\system32\ndisapi.dll
2009-07-18 02:27 . 2009-07-18 02:27 -------- d-----w- c:\program files\Common Files\Uninstall
2009-07-18 02:27 . 2009-07-21 18:25 -------- d-----w- c:\program files\PersonalAV
2009-07-17 22:01 . 2009-07-21 18:06 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Norton
2009-07-17 22:01 . 2009-07-17 22:01 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-07-17 22:00 . 2009-07-17 22:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\NortonInstaller
2009-06-30 03:49 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-06-30 03:49 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-06-30 03:49 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-06-30 03:49 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-06-23 23:50 . 2009-07-21 18:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-23 23:49 . 2009-07-21 18:06 -------- d-----w- c:\program files\Norton Security Scan
2009-06-23 22:40 . 2009-06-23 22:40 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\3DVIA
2009-06-23 22:39 . 2007-07-19 22:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-06-23 22:39 . 2006-09-28 20:05 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2009-06-23 22:38 . 2009-06-23 22:38 -------- d-----w- c:\windows\Logs
2009-06-23 22:38 . 2009-06-23 22:38 -------- d-----w- c:\program files\Virtools
2009-06-23 20:49 . 2009-06-23 20:56 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-22 19:46 . 2008-11-14 22:28 -------- d-----w- c:\program files\Common Files\Motive
2009-07-21 18:16 . 2009-05-23 00:37 -------- d-----w- c:\program files\EA GAMES
2009-07-21 17:53 . 2008-09-01 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\avg8
2009-07-18 14:58 . 2008-11-14 22:58 -------- d-----w- c:\program files\ATTToolbar
2009-06-26 03:17 . 2008-11-14 22:58 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\ATTToolbar
2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2003-05-30 13:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-31 01:57 . 2009-05-31 01:57 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak
2009-05-31 00:54 . 2009-05-31 00:54 -------- d-----w- c:\documents and settings\Frank\Application Data\Walgreens
2009-05-23 02:12 . 2009-05-23 02:12 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-05-14 21:55 . 2009-05-14 21:55 245408 ----a-w- c:\windows\system32\unicows.dll
2009-05-14 18:05 . 2009-03-31 22:23 530083 ----a-w- C:\HC4DecommissionScheduler.exe
2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2003-03-31 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2008-09-01 17:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2008-11-16 15:05 . 2008-11-16 15:05 1190421 -c--a-w- c:\program files\attachments_2008_11_16.zip
2008-11-15 07:37 . 2008-11-15 07:37 37017688 -c--a-w- c:\program files\SpySweeperRegSetup_EN.exe
2008-09-01 18:31 . 2008-09-01 18:31 7499056 -c--a-w- c:\program files\Firefox Setup 3[1].0.1.exe
2008-09-01 18:25 . 2008-09-01 18:24 48367896 -c--a-w- c:\program files\avg_free_stf_en_8_138a1332.exe
2008-09-01 18:14 . 2008-09-01 18:14 20659224 -c--a-w- c:\program files\dotnetredist.exe
2008-09-01 18:13 . 2008-09-01 18:13 354304 -c--a-w- c:\program files\GWAssistantSetup.msi
2009-07-22 03:53 . 2008-09-01 18:32 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-11-15 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-11-15 07:41 66912 ----a-w- c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2008-10-12 18:11 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_9.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-01-30 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-01-30 118784]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"HelpCenter4.1"="c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe" [2008-06-18 198184]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-01 77824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebrootSpySweeperService"=2 (0x2)
"sfx"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\att-nap\\McciBrowser.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:sfx

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [10/2/2008 5:15 AM 29808]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [11/15/2008 3:41 AM 1066360]
R3 DLKRTS;D-Link DFE-530TX+ PCI Adapter;c:\windows\system32\drivers\DLKRTS.SYS [9/1/2008 2:11 PM 45568]

--- Other Services/Drivers In Memory ---

*Deregistered* - NDISRD

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - {6BBCFF8E-D837-4DA4-9141-1F645B34A179} - c:\program files\Comodo\HopSurfToolbar\HopSurfToolbar_IE.dll
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\docume~1\Frank\APPLIC~1\Mozilla\Firefox\Profiles\lwz7mq47.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Comodo\HopSurfToolbar\hopsurfext_ff3\components\hopsurf.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-23 14:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2448)
c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_9.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-23 14:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-23 18:05

Pre-Run: 72,522,506,240 bytes free
Post-Run: 73,212,674,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

211 --- E O F --- 2009-07-15 07:08


Re: Personal Antivirus and Inactive search engines

Post by sesshi317 on Thu Jul 23, 2009 6:20 pm

Malwarebytes' Anti-Malware 1.39
Database version: 2488
Windows 5.1.2600 Service Pack 3

7/23/2009 2:19:08 PM
mbam-log-2009-07-23 (14-19-08).txt

Scan type: Quick Scan
Objects scanned: 82568
Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Environment\avapp (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Environment\avuninst (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Files Infected:
c:\program files\common files\uninstall\personalav\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Frank\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Re: Personal Antivirus and Inactive search engines

Post by sesshi317 on Thu Jul 23, 2009 6:20 pm

So am I good?


Re: Personal Antivirus and Inactive search engines

Post by Origin on Fri Jul 24, 2009 7:20 pm

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\program files\PersonalAV

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
"c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-

Driver::
ssfs0bbc



Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3

Re: Personal Antivirus and Inactive search engines

Post by sesshi317 on Sun Jul 26, 2009 5:52 am

I'm getting an error message saying windows can't access the file.


Re: Personal Antivirus and Inactive search engines

Post by Belahzur on Sun Jul 26, 2009 5:29 pm

Hello.
What file? See if you can run this script.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Ask Toolbar

Now open a new notepad file.
Input this into the notepad file:

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"sfx"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: Personal Antivirus and Inactive search engines

Post by sesshi317 on Mon Jul 27, 2009 4:54 am

Whenever I drag the notepad file into ComboFix, an error message pops up saying it can't access the file.


Re: Personal Antivirus and Inactive search engines

Post by Belahzur on Mon Jul 27, 2009 9:30 pm

Hello.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "sfx"=-
    [HKLM\System\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8085:TCP"=-


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Re: Personal Antivirus and Inactive search engines

Post by sesshi317 on Tue Jul 28, 2009 12:01 am

========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\sfx deleted successfully.
Registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List\\8085:TCP deleted successfully.

OTM by OldTimer - Version 3.0.0.5 log created on 07272009_195921


Re: Personal Antivirus and Inactive search engines

Post by Belahzur on Tue Jul 28, 2009 5:23 pm

Hello.
That should do it now, how is the machine running?


Re: Personal Antivirus and Inactive search engines

Post by sesshi317 on Thu Jul 30, 2009 6:09 pm

Everything works fine now, thanks. Sorry this all took so long; my cousin monopolizes the computer all the time so it's difficult to fix everything, lol. Oh, one thing though: the internet seems to stop working after I enable my Comodo firewall. It didn't happen before I got rid of everything.


Re: Personal Antivirus and Inactive search engines

Post by Belahzur on Thu Jul 30, 2009 6:41 pm

The firewall is probably set too strong in security. Uninstall Comodo if needed.
