Antivirus System PRO has claimed another victim

View previous topic View next topic Go down

Solved Antivirus System PRO has claimed another victim

Post by ssaifull on Sun Sep 06, 2009 11:09 pm

Antivirus System PRO has seized my system. I have attempted to download Malwarebytes but was stopped cold by Antivirus System PRO, then tried to follow the steps in order to make GeekPolice's job easier, however I was unable to do any of the following due to Antivirus System PRO:

- Update JAVA to Java SE Runtime Environment (JRE) 6 Update 16.
- Install JavaRa
- Install AdobeReader 9.1

As for the Windows critical updates, I am pretty confident I was up to date on those as this is my work computer and it pushes those updates to our computers when required.

I was however able to install TrendMicro HijackThis (after a 4-5 tries, Antivirus System PRO did it's best to stop me from doing this as well) and run a system scan and posted it below. I really hope you guys can help me!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:52:25 PM, on 9/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\cvsnt\cvsservice.exe
C:\Program Files\cvsnt\cvslock.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\sygate\ssa\syg_hp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\oracle\product\10.2.0\client_1\bin\omtsreco.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\hcmnoe\noiesysguard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\saifulla\Local Settings\Temporary Internet Files\Content.IE5\UZUZQY4A\winlogon[2].scr
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.221 awareremover.microsoft.com
O1 - Hosts: 91.212.127.221 awareremover.com
O1 - Hosts: 91.212.127.221 [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program

Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SSA\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [COEMsgDisplay] C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [system tool] C:\Program Files\hcmnoe\noiesysguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [MS AntiSpyware 2009] "C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS

AntiSpyware 2009\msas2009.exe" /autorun
O4 - HKCU\..\Run: [system tool] C:\Program Files\hcmnoe\noiesysguard.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default

user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

ssaifull
Novice
Novice

Status :
Online
Offline

Posts : 33
Joined : 2009-09-06
OS : XP Professional

View user profile

Back to top Go down

Solved Re: Antivirus System PRO has claimed another victim

Post by ssaifull on Sun Sep 06, 2009 11:09 pm

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O15 - Trusted Zone: [You must be registered and logged in to see this link.] (HKLM)
O16 - DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms33 Class) -

[You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

[You must be registered and logged in to see this link.]
O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) -

[You must be registered and logged in to see this link.]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -

[You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

[You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

[You must be registered and logged in to see this link.]
O16 - DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} (HPPKI Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} (JNILoader Control) -

[You must be registered and logged in to see this link.]
O16 - DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} (Loader Class v3) - [You must be registered and logged in to see this link.]
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) -

[You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) -

[You must be registered and logged in to see this link.]
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) -

[You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =

americas.cpqcorp.net,americas.hpqcorp.net,cpqcorp.net,hpqcorp.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =

americas.cpqcorp.net,americas.hpqcorp.net,cpqcorp.net,hpqcorp.net
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
O23 - Service: ActivCard Gold Autoregister (acautoreg) - ActivCard S.A. - C:\Program Files\Common

Files\ActivCard\acautoreg.exe
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - SmithMicro Inc. - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - Unknown owner - C:\WINDOWS\system32\brsvc01a.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN

Client\cvpnd.exe
O23 - Service: CVSNT (CVS) - GNU - C:\Program Files\cvsnt\cvsservice.exe
O23 - Service: CVSNT Locking Service (CVSLock) - Unknown owner - C:\Program Files\cvsnt\cvslock.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec

AntiVirus\DefWatch.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program

Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google

Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Sygate Icon Control (HPSygControl) - Hewlett-Packard Company - C:\PROGRA~1\sygate\ssa\syg_hp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program

Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.2.0\client_1\bin\omtsreco.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV

CMS\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV

CMS\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV

CMS\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program

Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program

Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 17296 bytes

ssaifull
Novice
Novice

Status :
Online
Offline

Posts : 33
Joined : 2009-09-06
OS : XP Professional

View user profile

Back to top Go down

Solved Re: Antivirus System PRO has claimed another victim

Post by Belahzur on Mon Sep 07, 2009 8:52 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.127.221 awareremover.microsoft.com
    O1 - Hosts: 91.212.127.221 awareremover.com
    O1 - Hosts: 91.212.127.221 [You must be registered and logged in to see this link.]
    O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
    O4 - HKLM\..\Run: [system tool] C:\Program Files\hcmnoe\noiesysguard.exe
    O4 - HKCU\..\Run: [system tool] C:\Program Files\hcmnoe\noiesysguard.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Antivirus System PRO has claimed another victim

Post by ssaifull on Tue Sep 08, 2009 8:10 am

I followed the steps you outlined and now I am FREE of that malware. THANK YOU SO MUCH!!!!!

I have made a donation to show my appreciation!


Posting the MBAM log as requested:

Malwarebytes' Anti-Malware 1.40
Database version: 2756
Windows 5.1.2600 Service Pack 2

9/8/2009 2:21:12 AM
mbam-log-2009-09-08 (02-21-12).txt

Scan type: Quick Scan
Objects scanned: 117770
Time elapsed: 9 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 6
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\CrucialSoft Ltd (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MS AntiSpyware 2009 5.7 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms antispyware 2009 (Rogue.MSAntiSpyware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090107203948796.log (Rogue.Multiple) -> Quarantined and deleted successfully.

ssaifull
Novice
Novice

Status :
Online
Offline

Posts : 33
Joined : 2009-09-06
OS : XP Professional

View user profile

Back to top Go down

Solved Re: Antivirus System PRO has claimed another victim

Post by Belahzur on Tue Sep 08, 2009 2:10 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt just yet.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Antivirus System PRO has claimed another victim

Post by ssaifull on Wed Sep 09, 2009 12:55 am

DDS (Ver_09-07-30.01) - NTFSx86
Run by saifulla at 19:50:46.03 on Tue 09/08/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.1771 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Sygate Security Agent *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\acautoreg.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\cvsnt\cvsservice.exe
C:\Program Files\cvsnt\cvslock.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\sygate\ssa\syg_hp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\oracle\product\10.2.0\client_1\bin\omtsreco.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\saifulla\Local Settings\Temporary Internet Files\Content.IE5\HAI4MZ66\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uWindow Title = Microsoft Internet Explorer provided by Hewlett-Packard
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [QuickPassword] c:\program files\activcard\activcard gold\agquickp.exe
mRun: [SmcService] c:\progra~1\sygate\ssa\smc.exe -startgui
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [IDA] c:\program files\hewlett-packard\pc coe\IDA.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [COEMsgDisplay] c:\program files\hewlett-packard\pc coe\COEMsgDisplay.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: []
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

ssaifull
Novice
Novice

Status :
Online
Offline

Posts : 33
Joined : 2009-09-06
OS : XP Professional

View user profile

Back to top Go down

Solved Re: Antivirus System PRO has claimed another victim

Post by ssaifull on Wed Sep 09, 2009 12:55 am

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
mPolicies-system: DisableNT4Policy = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922}
LSP: bmnet.dll
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: hp.com
Trusted Zone: tandem.com\ie.config
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: tandem.com\ie.config
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - [You must be registered and logged in to see this link.]
DPF: {41564D57-9980-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {857ABA85-8AB2-4C9E-8FAA-D2A963739859} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - [You must be registered and logged in to see this link.]
DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} - [You must be registered and logged in to see this link.]
DPF: {B49C4597-8721-4789-9250-315DFBD9F525} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - [You must be registered and logged in to see this link.]
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: qrev - {9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} - c:\progra~1\quests~1\toadfo~2\RNetPin.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
AppInit_DLLs: APSHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Authentication Packages = msv1_0 setuid
LSA: Notification Packages = ASWLNPkg

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\saifulla\applic~1\mozilla\firefox\profiles\7fyi8myd.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\saifulla\application

data\mozilla\firefox\profiles\7fyi8myd.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\saifulla\application

data\mozilla\firefox\profiles\7fyi8myd.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - plugin: c:\documents and settings\saifulla\application data\mozilla\firefox\profiles\7fyi8myd.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\adobe\reader\browser\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 acautoreg;ActivCard Gold Autoregister;c:\program files\common files\activcard\acautoreg.exe [2003-10-29 53248]
R2 Accoca;ActivCard Gold service;c:\program files\common files\activcard\accoca.exe [2004-5-12 143360]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [1979-12-31 14336]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 CVS;CVSNT;c:\program files\cvsnt\cvsservice.exe [2004-8-19 35328]
R2 HPSygControl;HP Sygate Icon Control;c:\progra~1\sygate\ssa\syg_hp.exe [2006-10-4 40960]
R2 radexecd;Radia Notify Daemon;c:\program files\hewlett-packard\pc coe 3\ov cms\radexecd.exe [2005-5-4 217268]
R2 radsched;Radia Scheduler Daemon;c:\program files\hewlett-packard\pc coe 3\ov cms\radsched.exe [2004-8-25 245940]
R2 Radstgms;Radia MSI Redirector;c:\program files\hewlett-packard\pc coe 3\ov cms\Radstgms.exe [2004-10-22 327860]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-5-26 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-5-26 1799408]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-25 24652]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [2006-10-4 13567]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [2006-10-4 9537]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-1 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-10-11 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-10-11 36352]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090906.002\naveng.sys [2009-9-6 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090906.002\navex15.sys [2009-9-6 1323568]
R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [2004-9-10 21504]
R3 SmartUSB;SmartReader-USB;c:\windows\system32\drivers\smartusb.sys [2006-10-4 16566]
S0 zxcgrz;zxcgrz;c:\windows\system32\drivers\uutcg.sys --> c:\windows\system32\drivers\uutcg.sys [?]
S2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [1979-12-31 14336]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2008-11-20 113152]
S3 magaService;Lan Discover Agent;c:\program files\sygate\ssa\maga\Maga.exe [2005-8-5 323670]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2008-5-17 9472]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [2008-8-20 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [2008-8-20 142976]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2009-09-08 02:10 --d----- c:\docume~1\saifulla\applic~1\Malwarebytes
2009-09-08 02:10 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 02:09 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-08 02:09 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 02:09 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-05 19:28 --d----- c:\program files\hcmnoe
2009-08-28 16:53 --dsh--- c:\documents and settings\saifulla\IECompatCache
2009-08-26 03:24 --dsh--- c:\documents and settings\saifulla\PrivacIE
2009-08-26 03:22 --dsh--- c:\documents and settings\saifulla\IETldCache
2009-08-26 02:48 --d----- c:\windows\ie8updates
2009-08-26 02:44 -cd-h--- c:\windows\ie8
2009-08-26 02:39 100,352 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-08-22 14:22 --d----- c:\program files\iPod
2009-08-22 14:21 --d----- c:\program files\iTunes

==================== Find3M ====================

2009-07-14 17:25 9,016 a------- c:\windows\hh.dat
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll

============= FINISH: 19:52:33.64 ===============

ssaifull
Novice
Novice

Status :
Online
Offline

Posts : 33
Joined : 2009-09-06
OS : XP Professional

View user profile

Back to top Go down

Solved Re: Antivirus System PRO has claimed another victim

Post by Belahzur on Wed Sep 09, 2009 7:11 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Combo fix log

Post by ssaifull on Wed Sep 09, 2009 8:15 pm

ComboFix 09-09-09.01 - saifulla 09/09/2009 15:38.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2269 [GMT -4:00]
Running from: c:\documents and settings\saifulla\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Sygate Security Agent *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\hcmnoe
c:\program files\hcmnoe\noiesysguard.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((( Files Created from 2009-08-09 to 2009-09-09 )))))))))))))))))))))))))))))))
.

2009-09-08 06:10 . 2009-09-08 06:10 -------- d-----w- c:\documents and settings\saifulla\Application Data\Malwarebytes
2009-09-08 06:10 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-08 06:09 . 2009-09-08 06:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-08 06:09 . 2009-09-08 06:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 06:09 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-06 22:48 . 2009-09-06 22:48 -------- d-----w- c:\program files\NOS
2009-09-06 22:48 . 2009-09-06 22:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-28 20:53 . 2009-08-28 20:53 -------- d-sh--w- c:\documents and settings\saifulla\IECompatCache
2009-08-26 07:24 . 2009-08-26 07:24 -------- d-sh--w- c:\documents and settings\saifulla\PrivacIE
2009-08-26 07:22 . 2009-08-26 07:22 -------- d-sh--w- c:\documents and settings\saifulla\IETldCache
2009-08-26 07:22 . 2009-08-26 07:22 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-26 06:48 . 2009-08-26 06:49 -------- d-----w- c:\windows\ie8updates
2009-08-26 06:44 . 2009-08-26 06:46 -------- dc-h--w- c:\windows\ie8
2009-08-26 06:39 . 2009-08-07 08:48 100352 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-08-22 18:22 . 2009-08-22 18:22 -------- d-----w- c:\program files\iPod
2009-08-22 18:21 . 2009-08-22 18:22 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-09 20:03 . 2006-10-04 14:09 -------- d-----w- c:\program files\symantec antivirus
2009-09-09 20:01 . 2008-10-11 08:27 -------- d-----w- c:\documents and settings\saifulla\Application Data\DNA
2009-09-08 06:26 . 2008-10-11 08:27 -------- d-----w- c:\program files\DNA
2009-09-04 07:39 . 2009-07-07 20:14 -------- d-----w- c:\program files\RA2HP
2009-08-31 14:46 . 2007-04-10 19:16 75120 ----a-w- c:\documents and settings\saifulla\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-24 16:08 . 2006-10-04 14:51 -------- d-----w- c:\program files\Microsoft Works
2009-08-24 15:58 . 2007-07-18 22:41 -------- d-----w- c:\program files\Rational
2009-08-24 15:56 . 2007-06-25 19:26 -------- d-----w- c:\program files\IBM
2009-08-22 18:22 . 2008-09-28 04:25 -------- d-----w- c:\program files\Common Files\Apple
2009-08-20 17:10 . 2008-02-17 21:52 -------- d-----w- c:\program files\Where is M13
2009-07-29 18:19 . 2008-10-16 01:05 -------- d-----w- c:\documents and settings\saifulla\Application Data\Move Networks
2009-07-19 22:30 . 2007-09-05 19:37 -------- d-----w- c:\documents and settings\saifulla\Application Data\U3
2009-07-15 02:44 . 2008-03-11 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-14 21:25 . 2008-03-12 19:27 9016 ----a-w- c:\windows\hh.dat
2009-07-03 17:09 . 1980-01-01 00:00 915456 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-02-25 127037]
"QuickPassword"="c:\program files\ActivCard\ActivCard Gold\agquickp.exe" [2004-05-28 208896]
"SmcService"="c:\progra~1\Sygate\SSA\smc.exe" [2005-08-05 2582240]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 124656]
"IDA"="c:\program files\Hewlett-Packard\PC COE\IDA.EXE" [2007-07-11 176128]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2004-10-26 184320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-31 761946]
"COEMsgDisplay"="c:\program files\Hewlett-Packard\PC COE\COEMsgDisplay.exe" [2007-04-12 26624]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-12-12 88203]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader\reader_sl.exe [2005-9-23 29696]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-8-29 1459392]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-4-6 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
"DisableNT4Policy"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 06:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 setuid
Notification Packages REG_MULTI_SZ ASWLNPkg

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Altiris\\AClient\\AClntUsr.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radexecd.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\RADUISHELL.exe"=
"c:\\Program Files\\Hewlett-Packard\\PC COE 3\\OV CMS\\radtray.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 acautoreg;ActivCard Gold Autoregister;c:\program files\Common Files\ActivCard\acautoreg.exe [10/29/2003 8:27 AM 53248]
R2 Accoca;ActivCard Gold service;c:\program files\Common Files\ActivCard\accoca.exe [5/12/2004 7:51 PM 143360]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [12/31/1979 8:00 PM 14336]
R2 CVS;CVSNT;c:\program files\cvsnt\cvsservice.exe [8/19/2004 4:39 AM 35328]
R2 HPSygControl;HP Sygate Icon Control;c:\progra~1\sygate\ssa\syg_hp.exe [10/4/2006 9:18 AM 40960]
R2 radexecd;Radia Notify Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe [5/4/2005 10:35 AM 217268]
R2 radsched;Radia Scheduler Daemon;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe [8/25/2004 7:05 AM 245940]
R2 Radstgms;Radia MSI Redirector;c:\program files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe [10/22/2004 10:53 AM 327860]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [5/26/2006 9:01 PM 115952]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/25/2008 5:41 PM 24652]
R3 akbus;ActivCard Virtual Reader Enumerator;c:\windows\system32\drivers\akbus.sys [10/4/2006 9:15 AM 13567]
R3 akpcsc;ActivCard Virtual PC/SC Device Driver;c:\windows\system32\drivers\akpcsc.sys [10/4/2006 9:15 AM 9537]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/1/2009 2:01 PM 102448]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [10/11/2006 5:41 AM 88192]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/11/2006 5:41 AM 36352]
R3 RadiaMsi;RadiaMsi;c:\windows\system32\drivers\radiamsi.sys [9/10/2004 9:45 AM 21504]
S0 zxcgrz;zxcgrz;c:\windows\system32\drivers\uutcg.sys --> c:\windows\system32\drivers\uutcg.sys [?]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [12/31/1979 8:00 PM 14336]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [11/20/2008 11:07 PM 113152]
S3 magaService;Lan Discover Agent;c:\program files\sygate\ssa\Maga\Maga.exe [8/5/2005 12:18 PM 323670]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [5/17/2008 1:53 AM 9472]
S3 SmartUSB;SmartReader-USB;c:\windows\system32\drivers\smartusb.sys [10/4/2006 9:15 AM 16566]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [8/20/2008 2:35 PM 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [8/20/2008 2:36 PM 142976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-09 c:\windows\Tasks\IDA{5B940D5F-0A3F-11D2-95B5-080009DC8202}001.job
- c:\program files\Hewlett-Packard\PC COE\coetl32.exe [2007-06-24 04:27]

2009-09-09 c:\windows\Tasks\IDA{884F3959-E5F7-11D1-9B15-080009F878E4}000.job
- c:\progra~1\HEWLET~1\PCCOE~1\reltrksi.dll [2006-07-20 21:14]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
LSP: bmnet.dll
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: hp.com
Trusted Zone: tandem.com\ie.config
Trusted Zone: compaq.com\ie.config.asia
Trusted Zone: compaq.com\ie.config.eur
Trusted Zone: compaq.com\ie.config.im.hou
Trusted Zone: compaq.com\ie.config.jp
Trusted Zone: dec.com\ie.config.ecom
Trusted Zone: tandem.com\ie.config
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} - [You must be registered and logged in to see this link.]
DPF: {98C53984-8BF8-4D11-9B1C-C324FCA9CADE} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\saifulla\Application Data\Mozilla\Firefox\Profiles\7fyi8myd.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\saifulla\Application Data\Mozilla\Firefox\Profiles\7fyi8myd.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\saifulla\Application Data\Mozilla\Firefox\Profiles\7fyi8myd.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - plugin: c:\program files\Adobe\Reader\browser\nppdf32.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKCU-Run-Aim6 - (no file)
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
Notify-dimsntfy - (no file)
AddRemove-AR System User 5.1 - c:\windows\ISUNINST.EXE -fc:\program files\AR System\Uninstall\user51.isu
AddRemove-HijackThis - c:\documents and settings\saifulla\Local Settings\Temporary Internet Files\Content.IE5\UZUZQY4A\HijackThis.exe
AddRemove-PAL - c:\windows\IsUninst.exe -y -fc:\program files\PAL\Uninstl\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-09 16:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1332)
c:\program files\Hewlett-Packard\IAM\bin\ocgina.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\bin\ItTal.dll
c:\program files\Hewlett-Packard\IAM\bin\ItReports.DLL
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItDAC.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\Bin\STEngine.dll
c:\program files\Hewlett-Packard\IAM\Bin\BioAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASBIoAT.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItVCClient.dll
c:\program files\Hewlett-Packard\IAM\Bin\AuthWiz.dll
c:\program files\Hewlett-Packard\IAM\Bin\ItVCard.dll
c:\windows\system32\xenroll.dll
c:\windows\system32\WININET.dll
c:\program files\Hewlett-Packard\IAM\Bin\TokenAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\ittalsnap.DLL
c:\program files\Hewlett-Packard\IAM\Bin\TpmAuth.dll
c:\program files\Hewlett-Packard\IAM\Bin\NetAdmin.dll

- - - - - - - > 'lsass.exe'(1388)
c:\windows\system32\setuid.dll
c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\windows\system32\bmnet.dll

- - - - - - - > 'Explorer.exe'(5536)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\program files\Hewlett-Packard\IAM\bin\ItClient.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\cvsnt\cvslock.exe
c:\program files\symantec antivirus\DefWatch.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\oracle\product\10.2.0\client_1\BIN\omtsreco.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\symantec antivirus\Rtvscan.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Hewlett-Packard\IAM\Bin\asghost.exe
c:\program files\sygate\ssa\Smc.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-09 16:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-09 20:09

Pre-Run: 3,620,028,416 bytes free
Post-Run: 4,239,978,496 bytes free

302

ssaifull
Novice
Novice

Status :
Online
Offline

Posts : 33
Joined : 2009-09-06
OS : XP Professional

View user profile

Back to top Go down

Solved Re: Antivirus System PRO has claimed another victim

Post by Belahzur on Wed Sep 09, 2009 9:56 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

sc delete zxcgrz

Now do the same for this command.

Combofix /u



This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Solved Re: Antivirus System PRO has claimed another victim

Post by ssaifull on Wed Sep 09, 2009 10:02 pm

I did the above.

The system is running 100% A-OK thank you very much! Not only did you rid me of the malware but you also free up about half a gig of hard disk space in the process! Thanks!

Thank You!

ssaifull
Novice
Novice

Status :
Online
Offline

Posts : 33
Joined : 2009-09-06
OS : XP Professional

View user profile

Back to top Go down

Solved Re: Antivirus System PRO has claimed another victim

Post by Dr Jay on Wed Sep 16, 2009 8:55 pm

Since this issue appears to be solved, this topic is now closed and being marked solved.

If you need the topic reopened, PM an administrator, moderator, or staff.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Status :
Online
Offline

Posts : 13707
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum