Rapid Antivirus


Rapid Antivirus

Post by Seylan on 16th August 2009, 7:42 pm

I have been unable to completely remove Rapid Antivirus.

I have gotten rid of some of its components by starting in Safe Mode and manually deleting anything that had that name. However, it still shows up in my HijackThis log.

Moreover, ever since then I have been unable to browse the internet on any browser save Safari. I have tried uninstalling and re-installing all my other browsers to no avail.

I followed these instructions:
[You must be registered and logged in to see this link.]

And here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:18:37 PM, on 8/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\ARCHIV~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Archivos de programa\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Archivos de programa\Microsoft Office\Office\3082\OLFSNT40.EXE
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Archivos de programa\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\ARCHIV~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Archivos de programa\Safari\Safari.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - (no file)
O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Archivos de programa\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Archivos de programa\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Archivos de programa\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [gserve] C:\WINDOWS\system32\gserve.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [agent.exe] C:\Archivos de programa\PC\agent.exe
O4 - HKCU\..\Policies\Explorer\Run: [Msn] c:\FXdbe.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnHost] c:\FXdbe.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnLoad] c:\FXdbe.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnConvert] c:\FXdbe.exe
O4 - HKCU\..\Policies\Explorer\Run: [MsnMessendger] c:\FXdbe.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Rapid Antivirus.lnk = C:\Archivos de programa\Rapid Antivirus\Rapid Antivirus.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Archivos de programa\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Puerto Symantec Fax Starter Edition.lnk = C:\Archivos de programa\Microsoft Office\Office\3082\OLFSNT40.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Archivos de programa\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Archivos de programa\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - (no file)
O9 - Extra 'Tools' menuitem: GoGoData AdBuster - {7B6E4BB4-8464-47CF-9A5B-F82F6B408A6E} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Archivos de programa\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARCHIV~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\drivers\str\svchost.exe (file missing)

--
End of file - 9797 bytes

Seylan
Novice
Posts : 12
Joined : 2009-08-16
OS : XP
Points : 26744
Likes : 0

Re: Rapid Antivirus

Post by Seylan on 16th August 2009, 7:47 pm

I use AVG Anti-Virus Free Version.

Here is what it found on its last scan:

"C:\WINDOWS\system32\userinit.exe";"Trojan horse Generic14.MRJ";"Object is white-listed (critical/system file that should not be removed)"

I also use Malwarebytes' Anti-Malware.

Here is the log on the last scan:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

8/13/2009 4:15:19 PM
mbam-log-2009-08-13 (16-15-18).txt

Scan type: Quick Scan
Objects scanned: 71576
Time elapsed: 16 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d032570a-5f63-4812-a094-87d007c23012} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d032570a-5f63-4812-a094-87d007c23012} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d032570a-5f63-4812-a094-87d007c23012} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe italc.ifo before1main) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Rapid Antivirus

Post by Seylan on 16th August 2009, 7:55 pm

Also, I used HijackThis to remove the Rapid Anti-Virus entry it showed, but I still have the problem of not being able to use any browser but Safari.

The problem arose the day I got that virus.


Re: Rapid Antivirus

Post by Seylan on 16th August 2009, 8:48 pm

I have also tried using SystemLook to give you more details, but when I open the program the buttons don't do anything: clicking 'Look' prompts no action. The only button that works is the 'Exit' button.


Re: Rapid Antivirus

Post by Belahzur on 16th August 2009, 9:16 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,C:\WINDOWS\system32\twex.exe,
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - (no file)
    O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - (no file)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [gserve] C:\WINDOWS\system32\gserve.exe
    O4 - HKCU\..\Policies\Explorer\Run: [Msn] c:\FXdbe.exe
    O4 - HKCU\..\Policies\Explorer\Run: [MsnHost] c:\FXdbe.exe
    O4 - HKCU\..\Policies\Explorer\Run: [MsnLoad] c:\FXdbe.exe
    O4 - HKCU\..\Policies\Explorer\Run: [MsnConvert] c:\FXdbe.exe
    O4 - HKCU\..\Policies\Explorer\Run: [MsnMessendger] c:\FXdbe.exe
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\drivers\str\svchost.exe (file missing)


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1
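Added example, not code from the thread or from HijackThis: a small Python triage script that applies the same rules Belahzur used above to HijackThis log lines. It flags extra programs chained onto Winlogon's Userinit or Shell value, autoruns under the Policies\Explorer\Run key, orphaned "(no file)" / "(file missing)" entries, and a startup shortcut for the rogue product named in this thread. The sample log lines are constructed from entries quoted in the first post; the "good" Winlogon values and the rogue-name list are assumptions you should extend for your own environment.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed clean values: Winlogon should launch only userinit.exe and Explorer.exe.
GOOD_USERINIT = "userinit.exe"
GOOD_SHELL = "explorer.exe"
# Rogue product name taken from this thread; extend with your own list.
ROGUE_NAMES = {"rapid antivirus"}


@dataclass
class Finding:
    line: str
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of quotes and forward slashes."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_userinit(value: str) -> list:
    """Return every program chained onto the Userinit value besides userinit.exe."""
    return [p.strip() for p in value.split(",") if p.strip() and _basename(p) != GOOD_USERINIT]


def check_shell(value: str) -> list:
    """Return every token in the Shell value besides explorer.exe."""
    return [t for t in value.split() if _basename(t) != GOOD_SHELL]


def triage_line(line: str) -> Optional[Finding]:
    """Apply the triage rules to one log line; None means nothing to flag."""
    s = line.strip()
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", s, re.I)
    if m:
        extras = check_userinit(m.group(1))
        return Finding(s, "Userinit launches extra programs: " + ", ".join(extras)) if extras else None
    m = re.match(r"F2 - REG:system\.ini: Shell=(.*)$", s, re.I)
    if m:
        extras = check_shell(m.group(1))
        return Finding(s, "Shell launches more than Explorer: " + ", ".join(extras)) if extras else None
    # Group-policy Run key: rarely used by legitimate software on a home machine.
    if re.match(r"O4 - HK\w+\\\.\.\\Policies\\Explorer\\Run: \[([^\]]*)\] (.*)$", s, re.I):
        return Finding(s, "autorun under the Policies\\Explorer\\Run key")
    m = re.match(r"O4 - (Global )?Startup: (.*?)\.lnk = (.*)$", s, re.I)
    if m and any(name in m.group(2).lower() for name in ROGUE_NAMES):
        return Finding(s, "startup shortcut for a known rogue product")
    if s.startswith("O23 - Service:") and s.lower().endswith("(file missing)"):
        return Finding(s, "service registered for a file that no longer exists")
    if s.startswith(("O2 - BHO:", "R3 - URLSearchHook:")) and s.lower().endswith("(no file)"):
        return Finding(s, "orphaned browser extension entry")
    return None


def triage(log_text: str) -> list:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


# Constructed sample: a mix of clean and suspicious lines modelled on the thread's log.
SAMPLE_LOG = r"""
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARCHIV~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Policies\Explorer\Run: [Msn] c:\FXdbe.exe
O4 - Startup: Rapid Antivirus.lnk = C:\Archivos de programa\Rapid Antivirus\Rapid Antivirus.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\drivers\str\svchost.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}]\n    {f.line}")
```

The script only reports entries for review; deciding whether a flagged line is actually malicious still requires checking the file on disk, as the helper in this thread did.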

Re: Rapid Antivirus

Post by Seylan on 16th August 2009, 10:32 pm

I did as told with HijackThis and MBAM.

MBAM told me to reboot to finish the cleaning process, so I did that. I'm currently running another scan.

Browsers other than Safari still don't browse the internet for me.

Here is the log from the last MBAM scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2636
Windows 5.1.2600 Service Pack 3

8/16/2009 5:17:17 PM
mbam-log-2009-08-16 (17-17-17).txt

Scan type: Quick Scan
Objects scanned: 113934
Time elapsed: 24 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Privacy center (Rogue.PrivacyCenter) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Spyware.Zbot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Agent.exe (Trojan.Fraudtool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\w32id (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\XML2u (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (C:\Archivos de programa\PC\pc.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,C:\WINDOWS\system32\twex.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\twain32 (Backdoor.Bot) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain32\local.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain32\user.ds (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\twain32\user.ds.lll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrador\Configuración local\Temp\ie3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Propietario\Configuración local\Temp\ie3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACcikjonkd.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACgrrybtpl.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACdwklnnai.sys (Trojan.Agent) -> Quarantined and deleted successfully.


Last edited by Seylan on 16th August 2009, 10:35 pm; edited 1 time in total (Reason for editing : Being more specific about what I did)


Re: Rapid Antivirus

Post by Seylan on 16th August 2009, 10:57 pm

Doing another MBAM scan showed 2 infections. It says they were removed successfully, but I still can't browse with any browser other than Safari.

Here is the log for the last MBAM scan:

Malwarebytes' Anti-Malware 1.40
Database version: 2636
Windows 5.1.2600 Service Pack 3

8/16/2009 5:53:44 PM
mbam-log-2009-08-16 (17-53-44).txt

Scan type: Quick Scan
Objects scanned: 113774
Time elapsed: 21 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Rapid Antivirus

Post by Seylan on 16th August 2009, 11:05 pm

AVG Anti-Virus Resident Shield shows this threat:

Resident Shield detection

Trojan horse Generic14.MRJ
C:\WINDOWS\system32\userinit.exe
Object is white-listed (critical/system file that should not be removed)
8/16/2009, 5:52:21 PM
File C:\Archivos de programa\Malwarebytes' Anti-Malware\mbam.exe


Re: Rapid Antivirus

Post by Belahzur on 17th August 2009, 2:01 pm

Hello.
userinit is patched, so we'll fix that now.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.




Re: Rapid Antivirus

Post by Seylan on 17th August 2009, 9:41 pm

Done as instructed. Here are the results:

ComboFix 09-08-10.06 - Propietario 08/17/2009 16:19.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.3082.18.1022.535 [GMT -5:00]
Running from: c:\documents and settings\Propietario\Escritorio\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\PROPIE~1\CONFIG~1\Temp\IadHide5.dll
c:\documents and settings\All Users\Datos de programa\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Datos de programa\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Propietario\Configuración local\Temp\IadHide5.dll
c:\windows\Installer\2b133b90.msi
c:\windows\Installer\5f30a.msi
c:\windows\Installer\winamp.msi
c:\windows\system32\ak
c:\windows\system32\mdm.exe
c:\windows\system32\tb.dr

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_R_SERVER
-------\Legacy_TDSSSERV.SYS
-------\Legacy_UACd.sys
-------\Service_r_server
-------\Service_TDSSserv.sys
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-17 21:08 . 2009-08-17 21:14 -------- d-s---w- C:\ComboFix
2009-08-16 18:51 . 2009-08-16 18:51 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-16 18:38 . 2009-08-16 18:38 -------- d-----w- c:\archivos de programa\Trend Micro
2009-08-15 20:00 . 2009-08-15 20:00 3942047 ----a-w- c:\documents and settings\All Users\Datos de programa\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-12 14:16 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-06 08:06 . 2009-08-06 08:06 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-06 08:06 . 2009-08-06 08:06 -------- d-----w- c:\archivos de programa\MSBuild
2009-08-06 08:06 . 2009-08-06 08:06 -------- d-----w- c:\archivos de programa\Reference Assemblies
2009-08-06 08:05 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-06 08:05 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-06 08:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-06 08:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-06 08:05 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-06 08:05 . 2009-08-06 08:05 -------- d-----w- C:\4422e01d0b62eb1dcdcf4c5e9a
2009-08-06 08:05 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-06 08:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-05 09:00 . 2009-08-05 09:00 205312 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 19:14 . 2007-06-06 13:29 -------- d-----w- c:\archivos de programa\Archivos comunes\Adobe
2009-08-16 18:59 . 2007-09-01 21:30 -------- d-----w- c:\archivos de programa\Java
2009-08-15 20:02 . 2009-01-20 16:00 -------- d-----w- c:\archivos de programa\Malwarebytes' Anti-Malware
2009-08-15 20:02 . 2007-12-01 19:00 -------- d-----w- c:\archivos de programa\Spyware Terminator
2009-08-14 16:24 . 2008-08-14 08:47 -------- d-----w- c:\archivos de programa\Safari
2009-08-06 21:52 . 2008-08-14 08:54 42312 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-06 08:19 . 2009-01-20 19:24 -------- d-----w- c:\documents and settings\All Users\Datos de programa\avg8
2009-08-06 08:19 . 2009-03-15 19:09 -------- d-----w- c:\archivos de programa\Microsoft Silverlight
2009-08-06 08:11 . 2001-08-24 12:00 50938 ----a-w- c:\windows\system32\perfc00A.dat
2009-08-06 08:11 . 2001-08-24 12:00 361834 ----a-w- c:\windows\system32\perfh00A.dat
2009-08-05 09:00 . 2001-08-24 12:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 18:36 . 2009-01-20 16:00 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 18:36 . 2009-01-20 16:00 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-02 13:51 . 2009-05-15 01:34 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-17 19:03 . 2001-08-24 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-19 22:42 286208 ------w- c:\windows\system32\wmpdxm.dll
2009-07-13 14:37 . 2009-07-01 13:14 -------- d-----w- c:\documents and settings\All Users\Datos de programa\AVG Security Toolbar
2009-07-11 02:41 . 2008-02-25 06:03 1878984 ----a-w- c:\documents and settings\Propietario\Datos de programa\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-07-01 13:14 . 2009-07-01 13:14 -------- d-----w- c:\documents and settings\LocalService\Datos de programa\AVGTOOLBAR
2009-07-01 13:13 . 2009-05-15 01:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-01 13:13 . 2009-05-15 01:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-29 15:57 . 2001-08-24 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 15:57 . 2004-08-19 22:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 15:57 . 2001-08-24 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:26 . 2001-08-24 12:00 734720 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:26 . 2001-08-24 12:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:26 . 2001-08-24 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:26 . 2001-08-24 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:26 . 2001-08-24 12:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:26 . 2001-08-24 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 11:18 . 2001-08-24 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:39 . 2001-08-24 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:39 . 2001-08-24 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 10:44 . 2001-08-24 12:00 78336 ----a-w- c:\windows\system32\telnet.exe
2009-06-14 21:07 . 2009-07-13 14:37 1004800 ----a-w- c:\documents and settings\All Users\Datos de programa\AVG Security Toolbar\IEToolbar.dll
2009-06-10 14:21 . 2007-06-05 15:28 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:14 . 2001-08-24 12:00 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:15 . 2001-08-24 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:10 . 2001-08-24 12:00 1297408 ----a-w- c:\windows\system32\quartz.dll
2007-06-21 02:00 . 2007-06-21 02:00 702644 ----a-w- c:\archivos de programa\JUN2007_d3dx10_34_x64.cab
2007-06-21 02:00 . 2007-06-21 02:00 702072 ----a-w- c:\archivos de programa\JUN2007_d3dx10_34_x86.cab
2007-06-21 02:00 . 2007-06-21 02:00 1611374 ----a-w- c:\archivos de programa\JUN2007_d3dx9_34_x64.cab
2007-06-21 02:00 . 2007-06-21 02:00 200722 ----a-w- c:\archivos de programa\JUN2007_XACT_x64.cab
2007-06-21 02:00 . 2007-06-21 02:00 1610886 ----a-w- c:\archivos de programa\JUN2007_d3dx9_34_x86.cab
2007-06-21 02:00 . 2007-06-21 02:00 156509 ----a-w- c:\archivos de programa\JUN2007_XACT_x86.cab
2007-06-21 02:00 . 2007-06-21 02:00 45302 ----a-w- c:\archivos de programa\dxdllreg_x86.cab
2005-02-16 16:06 . 2007-12-01 17:51 218112 ----a-w- c:\archivos de programa\HijackThis.exe
1999-03-31 08:51 . 1999-03-31 08:51 99840 ----a-w- c:\archivos de programa\Archivos comunes\IRAABOUT.DLL
1998-12-09 00:53 . 1998-12-09 00:53 70144 ----a-w- c:\archivos de programa\Archivos comunes\IRAMDMTR.DLL
1998-12-09 00:53 . 1998-12-09 00:53 48640 ----a-w- c:\archivos de programa\Archivos comunes\IRALPTTR.DLL
1998-12-09 00:53 . 1998-12-09 00:53 31744 ----a-w- c:\archivos de programa\Archivos comunes\IRAWEBTR.DLL
1998-12-09 00:53 . 1998-12-09 00:53 186368 ----a-w- c:\archivos de programa\Archivos comunes\IRAREG.DLL
1998-12-09 00:53 . 1998-12-09 00:53 17920 ----a-w- c:\archivos de programa\Archivos comunes\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\archivos de programa\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\archivos de programa\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\archivos de programa\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"HP Software Update"="c:\archivos de programa\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"QuickTime Task"="c:\archivos de programa\QuickTime\qttask.exe" [2006-09-01 282624]
"AVG8_TRAY"="c:\archiv~1\AVG\AVG8\avgtray.exe" [2009-07-01 1948440]
"SunJavaUpdateSched"="c:\archivos de programa\Java\jre6\bin\jusched.exe" [2009-08-16 149280]
"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Men£ Inicio\Programas\Inicio\
Kodak EasyShare software.lnk - c:\archivos de programa\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-2-20 282624]
KODAK Software Updater.lnk - c:\archivos de programa\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
Microsoft Office.lnk - c:\archivos de programa\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Puerto Symantec Fax Starter Edition.lnk - c:\archivos de programa\Microsoft Office\Office\3082\OLFSNT40.EXE [1999-3-31 46077]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-01 13:13 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Archivos de programa\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Archivos de programa\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"c:\\Archivos de programa\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Archivos de programa\\Messenger\\msmsgs.exe"=
"c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=
"c:\\Archivos de programa\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Archivos de programa\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Archivos de programa\\Mozilla Firefox\\firefox.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Archivos de programa\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"24333:TCP"= 24333:TCP:BitComet 24333 TCP
"24333:UDP"= 24333:UDP:BitComet 24333 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2009 8:34 PM 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\archiv~1\AVG\AVG8\avgwdsvc.exe [5/14/2009 8:33 PM 298776]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/15/2009 2:08 PM 55152]
S3 fsssvc;Windows Live Family Safety;c:\archivos de programa\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\archivos de programa\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultUrl = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Propietario\Datos de programa\Mozilla\Firefox\Profiles\x19ech94.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 445
FF - prefs.js: network.proxy.type - 1
FF - component: c:\archivos de programa\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\archivos de programa\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\archivos de programa\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\archivos de programa\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\archivos de programa\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\archivos de programa\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\archivos de programa\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

Seylan
Novice
Posts: 12
Joined: 2009-08-16
OS: XP
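An added example, not part of this thread and not ComboFix's own code: a small Python checker that reads lines in the shape of the ComboFix log above and flags the settings a rogue-AV cleanup should revisit, namely Security Center alerts overridden or monitoring disabled, the standard-profile Windows Firewall switched off, and a Firefox manual proxy aimed at loopback (the log above shows 127.0.0.1:445). The handful of sample lines embedded in it are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the ComboFix log above (a few lines, not
# the full log) so the checker runs offline; used here only as test input.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 445
FF - prefs.js: network.proxy.type - 1
"""

REG_SECTION = re.compile(r"^\[(.+)\]$")
# Both value styles ComboFix prints: "Name"=dword:00000001 and "Name"= 0 (0x0)
REG_DWORD = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9a-fA-F]{1,8})|(\d+)\s*\(0x[0-9a-fA-F]+\))')
FF_PREF = re.compile(r"^FF - prefs\.js: (\S+) - (.+)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_combofix(text: str) -> Tuple[Dict[Tuple[str, str], int], Dict[str, str]]:
    """Collect (section, value-name) -> int for DWORD values, plus Firefox prefs."""
    section = ""
    reg: Dict[Tuple[str, str], int] = {}
    ff: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_SECTION.match(line)
        if m:
            section = m.group(1).lower()  # registry key names are case-insensitive
            continue
        m = REG_DWORD.match(line)
        if m:
            name, hexval, decval = m.groups()
            reg[(section, name)] = int(hexval, 16) if hexval is not None else int(decval)
            continue
        m = FF_PREF.match(line)
        if m:
            ff[m.group(1)] = m.group(2).strip()
    return reg, ff


def audit_combofix_log(text: str) -> List[str]:
    """Return readable findings for settings that weaken the host's defences."""
    reg, ff = parse_combofix(text)
    findings: List[str] = []
    for (section, name), value in reg.items():
        if "security center" in section and name == "AntiVirusOverride" and value == 1:
            findings.append("Security Center: antivirus status alerts overridden")
        elif "security center" in section and name == "DisableMonitoring" and value == 1:
            findings.append(f"Security Center: monitoring disabled under [{section}]")
        elif "firewallpolicy" in section and name == "EnableFirewall" and value == 0:
            findings.append(f"Windows Firewall: disabled under [{section}]")
    # A manual proxy (type 1) aimed at loopback routes browser traffic to a local
    # listener; with nothing legitimate listening there, browsing simply fails.
    if ff.get("network.proxy.type") == "1" and ff.get("network.proxy.http") in LOOPBACK:
        findings.append(
            f"Firefox: manual HTTP proxy pointed at loopback "
            f"{ff['network.proxy.http']}:{ff.get('network.proxy.http_port', '?')}"
        )
    return findings
```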

Re: Rapid Antivirus

Post by Seylan on 17th August 2009, 9:41 pm

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-17 16:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3996)
c:\windows\system32\WININET.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\archivos de programa\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\archivos de programa\AVG\AVG8\avgrsx.exe
c:\archivos de programa\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
**************************************************************************
.
Completion time: 2009-08-17 16:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-17 21:35

Pre-Run: 11,055,853,568 bytes libres
Post-Run: 13,004,988,416 bytes libres

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

242 --- E O F --- 2009-08-13 08:03


Re: Rapid Antivirus

Post by Seylan on 17th August 2009, 9:44 pm

Problem still persists.


Re: Rapid Antivirus

Post by Seylan on 18th August 2009, 6:40 pm

Seylan wrote: Problem still persists.

Update: After restarting the computer again, all of my browsers can surf the web normally, instead of just Safari. Am I now free of viruses/malware, or do you think the real problem goes deeper?


Re: Rapid Antivirus

Post by Belahzur on 18th August 2009, 8:39 pm

Hello.
The malware is gone, just one last thing I want to check.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64

Re: Rapid Antivirus

Post by Seylan on 19th August 2009, 3:05 pm

Alright. Some elements are in Spanish, so please let me know if you need anything translated. I should have offered to do this for you from the first post. Sorry.

Here is the log from the HijackThis Uninstall Manager:


Actualización crítica para el Reproductor de Windows Media 11 (KB959772)
Actualización de seguridad para el Reproductor de Windows Media (KB952069)
Actualización de seguridad para el Reproductor de Windows Media (KB973540)
Actualización de seguridad para el Reproductor de Windows Media 11 (KB936782)
Actualización de seguridad para el Reproductor de Windows Media 11 (KB954154)
Actualización de seguridad para el Reproductor de Windows Media 9 (KB917734)
Actualización de seguridad para Windows Internet Explorer 7 (KB938127-v2)
Actualización de seguridad para Windows Internet Explorer 7 (KB958215)
Actualización de seguridad para Windows Internet Explorer 7 (KB960714)
Actualización de seguridad para Windows Internet Explorer 7 (KB961260)
Actualización de seguridad para Windows Internet Explorer 7 (KB963027)
Actualización de seguridad para Windows Internet Explorer 7 (KB969897)
Actualización de seguridad para Windows Internet Explorer 7 (KB972260)
Actualización de seguridad para Windows XP (KB923561)
Actualización de seguridad para Windows XP (KB923789)
Actualización de seguridad para Windows XP (KB938464)
Actualización de seguridad para Windows XP (KB938464-v2)
Actualización de seguridad para Windows XP (KB941569)
Actualización de seguridad para Windows XP (KB946648)
Actualización de seguridad para Windows XP (KB950759)
Actualización de seguridad para Windows XP (KB950760)
Actualización de seguridad para Windows XP (KB950762)
Actualización de seguridad para Windows XP (KB950974)
Actualización de seguridad para Windows XP (KB951066)
Actualización de seguridad para Windows XP (KB951376)
Actualización de seguridad para Windows XP (KB951376-v2)
Actualización de seguridad para Windows XP (KB951698)
Actualización de seguridad para Windows XP (KB951748)
Actualización de seguridad para Windows XP (KB952004)
Actualización de seguridad para Windows XP (KB952954)
Actualización de seguridad para Windows XP (KB953838)
Actualización de seguridad para Windows XP (KB953839)
Actualización de seguridad para Windows XP (KB954211)
Actualización de seguridad para Windows XP (KB954459)
Actualización de seguridad para Windows XP (KB954600)
Actualización de seguridad para Windows XP (KB955069)
Actualización de seguridad para Windows XP (KB956390)
Actualización de seguridad para Windows XP (KB956391)
Actualización de seguridad para Windows XP (KB956572)
Actualización de seguridad para Windows XP (KB956744)
Actualización de seguridad para Windows XP (KB956802)
Actualización de seguridad para Windows XP (KB956803)
Actualización de seguridad para Windows XP (KB956841)
Actualización de seguridad para Windows XP (KB957095)
Actualización de seguridad para Windows XP (KB957097)
Actualización de seguridad para Windows XP (KB958644)
Actualización de seguridad para Windows XP (KB958687)
Actualización de seguridad para Windows XP (KB958690)
Actualización de seguridad para Windows XP (KB959426)
Actualización de seguridad para Windows XP (KB960225)
Actualización de seguridad para Windows XP (KB960715)
Actualización de seguridad para Windows XP (KB960803)
Actualización de seguridad para Windows XP (KB960859)
Actualización de seguridad para Windows XP (KB961371)
Actualización de seguridad para Windows XP (KB961373)
Actualización de seguridad para Windows XP (KB961501)
Actualización de seguridad para Windows XP (KB968537)
Actualización de seguridad para Windows XP (KB969898)
Actualización de seguridad para Windows XP (KB970238)
Actualización de seguridad para Windows XP (KB971557)
Actualización de seguridad para Windows XP (KB971633)
Actualización de seguridad para Windows XP (KB971657)
Actualización de seguridad para Windows XP (KB973346)
Actualización de seguridad para Windows XP (KB973354)
Actualización de seguridad para Windows XP (KB973507)
Actualización de seguridad para Windows XP (KB973869)
Actualización para Windows XP (KB951072-v2)
Actualización para Windows XP (KB951978)
Actualización para Windows XP (KB955839)
Actualización para Windows XP (KB961503)
Actualización para Windows XP (KB967715)
Actualización para Windows XP (KB968389)
Actualización para Windows XP (KB973815)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 9.1.3
Apple Software Update
AVG Free 8.5
CCScore
Choice Guard
Compatibility Pack for the 2007 Office system
Compresor WinRAR
CoreAAC Audio Decoder (remove only)
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
Google Toolbar for Internet Explorer
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Driver Diagnostics
HP PSC & OfficeJet 4.7
HP PSC & Officejet 5.3.B Corporate Edition
HP Software Update
Intel Application Accelerator
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
Java(TM) 6 Update 16
Junk Mail filter update
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disco 2
Microsoft Office 2000 Premium
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.10)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
netbrdg
Notifier
OfotoXMI
Opera 9.64
PCDADDIN
PCDHELP
Picasa 3
QuickTime
Reproductor de Windows Media 11
Revisión para el Reproductor de Windows Media 11 (KB939683)
Revisión para Windows XP (KB952287)
Revisión para Windows XP (KB961118)
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Segoe UI
SFR
SHASTA
SKIN0001
SKINXSDK
Skype™ 3.5
Smart Menus (Windows Live Toolbar)
staticcr
tooltips
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VPRINTOL
Windows Imaging Component
Windows Live Asistente para el inicio de sesión
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Family Safety
Windows Live Favorites for Windows Live Toolbar
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WIRELESS
Yahoo! Toolbar


Re: Rapid Antivirus

Post by Belahzur on 19th August 2009, 7:10 pm

Hello.
I do this every day; I can read any log in any language by now, mainly because everything stays the same. Just some folder names and minor things have changed, but I can guess what they are.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


