Laptop infected with both antivirus pro 2010 and alpha antivirus help pls

Post by bellastorm on 11th October 2009, 3:56 am

I downloaded HijackThis and it opens and scans, and about a second after the scan finishes it closes on its own. I tried running a scan with Malwarebytes antivirus and it opens and closes as soon as I hit Quick Scan. Help me, please. I can't open any antivirus programs without them closing or saying I don't have permission to access; it keeps giving me different error messages. I also can't use System Restore; it says contact the administrator.

bellastorm
Beginner
Posts: 3
Joined: 2009-10-11
OS: Windows XP

Re: Laptop infected with both antivirus pro 2010 and alpha antivirus help pls

Post by Dr Jay on 11th October 2009, 8:45 am

Hi

Please download ComboFix by sUBs

Please save the file to your Desktop, but rename it first:

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.

After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results". Follow the linked guide if you don't know how.
  • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console.

  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.


Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system-important processes such as iexplore.exe, explorer.exe, and winlogon.exe.


Dr. Jay (DJ)



Dr Jay
Head Administrator
Posts: 14294
Joined: 2009-09-06
Gender: Male
OS: Windows 10 Home & Pro
Arch.: x64 (64-bit)
Protection: Bitdefender Total Security

Laptop infected with both antivirus pro 2010 and alpha antivirus help pls

Post by bellastorm on 11th October 2009, 2:44 pm


ComboFix 09-10-10.02 - Owner 10/11/2009 10:23.1.1 - NTFSx86
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\csrss.exe
c:\docume~1\Owner\LOCALS~1\Temp\services.exe
c:\docume~1\Owner\LOCALS~1\Temp\svchost.exe
c:\docume~1\Owner\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Application Data\ajovojyz.vbs
c:\documents and settings\All Users\Application Data\asofimi._dl
c:\documents and settings\All Users\Application Data\azypyh.exe
c:\documents and settings\All Users\Application Data\bidaleda._sy
c:\documents and settings\All Users\Application Data\cofedal.inf
c:\documents and settings\All Users\Application Data\dyteqovy.sys
c:\documents and settings\All Users\Application Data\eleh.inf
c:\documents and settings\All Users\Application Data\ibexisiqi.dll
c:\documents and settings\All Users\Application Data\iryxoletoh.bin
c:\documents and settings\All Users\Application Data\ojite.dll
c:\documents and settings\All Users\Application Data\ruselobaq.dl
c:\documents and settings\All Users\Application Data\vuha.com
c:\documents and settings\All Users\Application Data\ynyqadicog.ban
c:\documents and settings\All Users\Documents\bihyhyjuj.scr
c:\documents and settings\All Users\Documents\ubuxosi._dl
c:\documents and settings\All Users\Documents\vasuhevef.exe
c:\documents and settings\All Users\Documents\woguleno.exe
c:\documents and settings\All Users\Documents\xufinyt.bin
c:\documents and settings\All Users\Documents\zowevabipi.vbs
c:\documents and settings\Carmen\ntuser.dll
c:\documents and settings\Carmen\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Carmen\Start Menu\Programs\Startup\scandisk.lnk
c:\documents and settings\Owner\Application Data\gojuxitiso._sy
c:\documents and settings\Owner\Application Data\ihora.bat
c:\documents and settings\Owner\Application Data\iniasd.txt
c:\documents and settings\Owner\Application Data\juco.reg
c:\documents and settings\Owner\Application Data\lizkavd.exe
c:\documents and settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Owner\Application Data\nixevogy.pif
c:\documents and settings\Owner\Application Data\seres.exe
c:\documents and settings\Owner\Application Data\svcst.exe
c:\documents and settings\Owner\Application Data\wyrubyhol._sy
c:\documents and settings\Owner\Cookies\asipyny.vbs
c:\documents and settings\Owner\Cookies\fulydego.reg
c:\documents and settings\Owner\Cookies\ifupo.scr
c:\documents and settings\Owner\Cookies\kihovefy.dll
c:\documents and settings\Owner\Cookies\pefojupyqu.lib
c:\documents and settings\Owner\Cookies\ribomumur._dl
c:\documents and settings\Owner\Cookies\xizalicap.dll
c:\documents and settings\Owner\Cookies\yjufyzuw.com
c:\documents and settings\Owner\Desktop\AntivirusPro_2010.lnk
c:\documents and settings\Owner\Local Settings\Application Data\aqyfed.sys
c:\documents and settings\Owner\Local Settings\Application Data\bimujimibu.sys
c:\documents and settings\Owner\Local Settings\Application Data\botyhoton.exe
c:\documents and settings\Owner\Local Settings\Application Data\cabus.reg
c:\documents and settings\Owner\Local Settings\Application Data\ecat._sy
c:\documents and settings\Owner\Local Settings\Application Data\fycykadifa.bin
c:\documents and settings\Owner\Local Settings\Application Data\jukeqa.com
c:\documents and settings\Owner\Local Settings\Application Data\kakan.dl
c:\documents and settings\Owner\Local Settings\Application Data\orelu.ban
c:\documents and settings\Owner\Local Settings\Application Data\ozopeloges.bat
c:\documents and settings\Owner\Local Settings\Application Data\vedanypi.dll
c:\documents and settings\Owner\Local Settings\Application Data\vumibawile.inf
c:\documents and settings\Owner\Local Settings\Application Data\wuze.ban
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ejasukazy.db
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\enekipanyz.scr
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\exyvaroxaz.reg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\fywytite.bat
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\imirofutyx.pif
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\iwygobywe._dl
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\nizuco._sy
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\yrino.db
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\zexowy.dat
c:\documents and settings\Owner\ntuser.dll
c:\documents and settings\Owner\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Owner\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Owner\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\Common Files\akajenab.exe
c:\program files\Common Files\efiwylu.inf
c:\program files\Common Files\lejyqyhik.scr
c:\program files\Common Files\loseremule.bat
c:\program files\Common Files\lucycikipu._dl
c:\program files\Common Files\peluducod.exe
c:\program files\Common Files\pytury.pif
c:\program files\Common Files\rycu.dl
c:\program files\Common Files\zyri.scr
c:\windows\gadywi.dll
c:\windows\iryqi.bin
c:\windows\lapizusami.reg
c:\windows\lymati._sy
c:\windows\msa.exe
c:\windows\onitul.ban
c:\windows\qexasup.bin
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\calc.dll
c:\windows\system32\critical_warning.html
c:\windows\system32\dm35ztnz2v.dll
c:\windows\system32\drivers\gasfkyijylevov.sys
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\edymymaca.dll
c:\windows\system32\ehyhako.dll
c:\windows\system32\gasfkyeepabwwb.dat
c:\windows\system32\gasfkyehexjgvd.dll
c:\windows\system32\gasfkykwsflrpb.dll
c:\windows\system32\gasfkyltbqpauu.dll
c:\windows\system32\gasfkymtnbmusi.dll
c:\windows\system32\gasfkytiqobwuc.dll
c:\windows\system32\gasfkywilfwapq.dat
c:\windows\system32\gasfkyxxcqhupj.dll
c:\windows\system32\msxml71.dll
c:\windows\system32\ndisapi.dll
c:\windows\system32\ukeqymiku.dll
c:\windows\system32\vekuh.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wofuxyfy.reg
c:\windows\system32\ygaxuni.exe
c:\windows\system32\yrobij.sys
c:\windows\towonykyg.bat
c:\windows\umekuw.bin
c:\windows\wetoqas.inf
c:\windows\win32k.sys
c:\windows\wyrar.bat
c:\windows\yviniguce.dl
c:\windows\yzus.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gasfkyalkyxeol
-------\Legacy_NDISRD
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_gasfkyalkyxeol
-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-11 14:33 . 2009-10-11 14:33 -------- d-----w- c:\windows\system32\wbem\snmp
2009-10-11 14:33 . 2009-10-11 14:33 -------- d-----w- c:\windows\system32\xircom
2009-10-11 14:33 . 2009-10-11 14:33 -------- d-----w- c:\windows\system32\oobe
2009-10-11 14:33 . 2009-10-11 14:33 -------- d-----w- c:\windows\srchasst
2009-10-11 14:33 . 2009-10-11 14:33 -------- d-----w- c:\program files\microsoft frontpage
2009-10-11 03:06 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-11 03:06 . 2009-10-11 03:25 -------- d-----w- C:\Malwarebytes' Anti-Malware
2009-10-11 03:06 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-10 22:34 . 2009-10-10 22:34 13238 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\wixi.dat
2009-10-10 21:59 . 2009-10-10 21:59 13213 ----a-w- c:\program files\Common Files\tilesyho.dat
2009-10-10 21:59 . 2009-10-10 21:59 16268 ----a-w- c:\windows\system32\yvad.dat
2009-10-10 21:13 . 2009-10-10 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-10 21:06 . 2009-10-10 21:06 -------- d-----w- c:\program files\Common Files\iS3
2009-10-10 21:06 . 2009-10-10 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-10 20:41 . 2009-10-10 20:40 89552 --sh--w- c:\windows\system32\TerNa.exe
2009-10-10 20:40 . 2009-10-10 20:40 24576 ----a-w- C:\hgxs.exe
2009-10-05 23:41 . 2009-10-05 23:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-05 23:37 . 2009-10-05 23:37 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-05 23:34 . 2009-10-11 03:44 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2009-10-05 23:32 . 2009-10-06 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-27 19:34 . 2009-09-27 21:05 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment
2009-09-24 07:23 . 2009-09-24 07:23 -------- d-----w- c:\program files\Common Files\Uninstall
2009-09-22 20:41 . 2009-09-22 20:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-09-21 03:32 . 2009-09-25 22:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Paltalk
2009-09-20 15:09 . 2009-09-25 22:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!
2009-09-19 23:21 . 2009-09-19 23:21 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Unity
2009-09-19 23:18 . 2009-10-06 03:45 -------- d-----w- c:\program files\Unity
2009-09-18 03:14 . 2009-09-18 03:14 -------- d-----w- c:\program files\Microsoft Reader
2009-09-18 03:14 . 2003-06-05 21:15 57436 ----a-w- c:\windows\DASShp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 11:26 . 2009-10-11 11:26 15153 ----a-w- c:\program files\Common Files\qoqoloqa.db
2009-10-11 11:26 . 2009-10-11 11:26 10228 ----a-w- c:\documents and settings\All Users\Application Data\ziwiryh.dat
2009-10-11 02:06 . 2009-10-11 01:11 -------- d-----w- c:\documents and settings\Carmen\Application Data\Azureus
2009-10-11 01:52 . 2009-04-27 20:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-10-11 01:40 . 2009-07-28 19:20 -------- d-----w- c:\documents and settings\Owner\Application Data\EMBARQTOOLBAR
2009-10-11 01:16 . 2009-10-11 01:16 19676 ----a-w- c:\documents and settings\Owner\Application Data\bupukijo.dat
2009-10-11 01:16 . 2009-10-11 01:16 13467 ----a-w- c:\documents and settings\Owner\Application Data\rivovuqesy.dat
2009-10-11 01:11 . 2009-10-11 01:11 15368 ----a-w- c:\documents and settings\Carmen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 00:59 . 2009-10-11 00:59 -------- d-----w- c:\documents and settings\Carmen\Application Data\Malwarebytes
2009-10-10 21:59 . 2009-10-10 21:59 19096 ----a-w- c:\documents and settings\Owner\Application Data\juvob.dat
2009-10-10 21:59 . 2009-10-10 21:59 18645 ----a-w- c:\program files\Common Files\icih.db
2009-10-10 21:59 . 2009-10-10 21:59 14276 ----a-w- c:\program files\Common Files\orevy.lib
2009-10-10 21:16 . 2009-10-10 21:16 184 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-09 22:01 . 2009-04-16 23:13 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-06 03:40 . 2009-06-11 19:36 -------- d-----w- c:\program files\Common Files\Apple
2009-09-27 19:34 . 2009-04-27 20:46 15368 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-26 19:54 . 2009-09-07 23:40 45 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences2.dat
2009-09-26 19:54 . 2009-05-27 22:34 38 -c--a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-09-18 03:14 . 2009-05-02 02:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-14 05:44 . 2009-04-08 01:27 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2009-09-10 21:25 . 2009-09-10 08:03 -------- d-----w- c:\program files\ueejyp
2009-09-10 21:16 . 2009-09-10 21:16 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-10 21:16 . 2009-09-10 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-07 21:25 . 2009-06-24 23:27 -------- d-----w- c:\program files\emote
2009-08-30 00:30 . 2009-08-16 14:05 -------- d-----w- c:\program files\Google
2009-08-30 00:21 . 2009-08-16 14:07 -------- d-----w- c:\program files\Common Files\Real
2009-08-29 17:21 . 2009-05-12 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-08-25 19:56 . 2009-08-25 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-08-25 19:56 . 2009-08-23 20:37 -------- d-----w- c:\documents and settings\Owner\Application Data\PlayFirst
2009-08-18 07:30 . 2009-04-08 01:18 -------- d-----w- c:\program files\LimeWire
2009-08-16 15:12 . 2009-08-16 04:59 -------- d-----w- c:\program files\Nero
2009-08-16 15:05 . 2009-08-16 15:05 -------- d-----w- c:\program files\Instant CD & DVD Burner
2009-08-16 14:07 . 2009-04-08 00:43 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-16 14:07 . 2008-11-06 11:42 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-16 14:07 . 2009-08-16 14:07 -------- d-----w- c:\program files\Real
2009-08-12 16:42 . 2009-07-28 19:22 -------- d-----w- c:\program files\Virtual Assistant
2009-07-29 18:35 . 2009-07-29 18:35 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-28 21:33 . 2009-08-05 15:57 25088 ----a-w- c:\windows\system32\msxml3a.dll
.

------- Sigcheck -------


[-] 2007-05-03 . A11391BE25035570AE4B8970920F2C74 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys

[-] 2007-05-01 . BE795BAF50B026D0822F45E050C307D3 . 3789312 . . [7.00.6000.16414] . . c:\windows\system32\mshtml.dll

[-] 2007-05-02 . D66456C66D07A423F2E48C2526AE260C . 1422336 . . [6.00.2900.2180] . . c:\windows\explorer.exe


c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"U.S. Robotics Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Motive SmartBridge"="c:\progra~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 438359]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2007-05-03 124928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Xenocode\\ApplianceCaches\\KumaClient.exe_v402D65F8\\Native\\STUBEXE\\@PROGRAMFILES@\\Kuma Games\\Kuma.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Xenocode\\ApplianceCaches\\KumaClient.exe_v21EC7D1F\\Native\\STUBEXE\\@PROGRAMFILES@\\Kuma Games\\Kuma.exe"=

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-04-14 2784285]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-29 23:58]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2teftrqw.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AOL Dialer - c:\program files\Common Files\AOL\ACS\AOlDial.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-AlphaAV - c:\program files\AlphaAV\AlphaAV.exe
AddRemove-HijackThis - c:\documents and settings\Owner\My Documents\Downloads\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-11 10:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3716)
c:\windows\system32\SHDOCVW.dll
c:\progra~1\VIRTUA~1\SMARTB~1\SBHook.dll
c:\windows\system32\shimgvw.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\wltray.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
.
**************************************************************************
.
Completion time: 2009-10-11 10:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-11 14:38

Pre-Run: 1,341,018,112 bytes free
Post-Run: 1,371,791,360 bytes free

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
340

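Dr Jay's rename advice and the log posted above are two sides of one weakness. The rogue AV kills processes by image file name and spares a short list of Windows names, which is why renaming ComboFix to svchost.exe gets it running; the "Other Deletions" list shows the malware had itself parked csrss.exe, services.exe, svchost.exe and winlogon.exe in the user's Temp folder, hiding behind the same names. The directory, not the name, is what separates the two. The script below is an added example, not part of this thread, of ComboFix, or of any tool the helpers use: it parses the plain-text ComboFix report format and flags the patterns visible in the posted log (well-known binary names outside their home directory, random-looking drop names with odd extensions, prefix clusters like the gasfky* set, Startup-folder entries, and system files ComboFix reports as disinfected). EXPECTED_DIR, ODD_EXTENSIONS, the 6-character prefix length and the thresholds are my choices, and SAMPLE_REPORT is an excerpt trimmed from the report above.

```python
"""Triage a ComboFix report for the patterns discussed in this thread.

Added example; not part of the thread, of ComboFix, or of any tool used in it.
It parses the report's '(((( Section ))))' banners and flags masquerading
system-binary names, random drop names, prefix clusters, Startup entries and
disinfected system files.
"""
import re
from collections import defaultdict

# Where these names legitimately live on Windows XP (my table). The process names
# are the ones a rogue AV's name-based blocker lets run, which is why both the
# malware's %TEMP% droppers and a renamed ComboFix borrow them.
EXPECTED_DIR = {
    "csrss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "win32k.sys": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}
# Extensions the droppers in the posted log used for throwaway files (my pick).
ODD_EXTENSIONS = {".ban", "._sy", "._dl", ".dl", ".pif", ".scr", ".vbs",
                  ".bat", ".reg", ".bin", ".lib", ".com"}

def extract_section(report, title):
    """Paths listed under the '(((( title ))))' banner, up to the next banner."""
    paths, inside = [], False
    for line in report.splitlines():
        if line.startswith("(((("):
            if inside:
                break
            inside = title.lower() in line.lower()
            continue
        if inside and line.lower().startswith("c:\\"):
            paths.append(line.strip())
    return paths

def split_path(path):
    directory, _, name = path.lower().rpartition("\\")
    return directory, name

def masquerading(paths):
    """Well-known binary names sitting outside their expected directory."""
    hits = []
    for p in paths:
        directory, name = split_path(p)
        if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
            hits.append(p)
    return hits

def odd_droppers(paths):
    """Short all-lowercase stems paired with an extension from ODD_EXTENSIONS."""
    hits = []
    for p in paths:
        stem, dot, ext = split_path(p)[1].rpartition(".")
        if dot and "." + ext in ODD_EXTENSIONS and re.fullmatch(r"[a-z]{3,12}", stem):
            hits.append(p)
    return hits

def prefix_clusters(paths, prefix_len=6, min_size=3):
    """Files in one directory sharing their first prefix_len characters (gasfky*)."""
    groups = defaultdict(list)
    for p in paths:
        directory, name = split_path(p)
        groups[(directory, name[:prefix_len])].append(p)
    return {prefix: sorted(v) for (_, prefix), v in groups.items() if len(v) >= min_size}

def startup_items(paths):
    return [p for p in paths if "\\start menu\\programs\\startup\\" in p.lower()]

def patched_system_files(report):
    """Files ComboFix reports as 'Infected copy of X was found and disinfected'."""
    return re.findall(r"Infected copy of (.+?) was found", report)

def triage(report):
    deleted = extract_section(report, "Other Deletions")
    return {"masquerading": masquerading(deleted),
            "odd_droppers": odd_droppers(deleted),
            "prefix_clusters": prefix_clusters(deleted),
            "startup_items": startup_items(deleted),
            "patched_system_files": patched_system_files(report)}

# Excerpt of the report posted above, trimmed to a few lines per pattern.
SAMPLE_REPORT = r"""ComboFix 09-10-10.02 - Owner 10/11/2009 10:23.1.1 - NTFSx86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\docume~1\Owner\LOCALS~1\Temp\svchost.exe
c:\docume~1\Owner\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Application Data\ajovojyz.vbs
c:\documents and settings\All Users\Application Data\bidaleda._sy
c:\documents and settings\All Users\Application Data\ynyqadicog.ban
c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\system32\gasfkyeepabwwb.dat
c:\windows\system32\gasfkyehexjgvd.dll
c:\windows\system32\gasfkykwsflrpb.dll
c:\windows\win32k.sys
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_gasfkyalkyxeol
"""
```

Run `triage(SAMPLE_REPORT)` and the masquerading list comes back with the two Temp-folder process names plus c:\windows\win32k.sys (the real one lives in system32), the odd-extension list with the three random stems, and a single "gasfky" cluster. The same check applied the other way round explains the troubleshooting step: a cleaner renamed to svchost.exe and run from the Desktop is, by this heuristic, also a masquerade, so anyone reading the "Running from:" line of a ComboFix log should expect that and not treat it as a second infection.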

Re: Laptop infected with both antivirus pro 2010 and alpha antivirus help pls

Post by bellastorm on 11th October 2009, 3:19 pm

c:\documents and settings\Owner\ntuser.dll
c:\documents and settings\Owner\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Owner\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Owner\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Owner\Start Menu\Programs\Startup\scandisk.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\Common Files\akajenab.exe
c:\program files\Common Files\efiwylu.inf
c:\program files\Common Files\lejyqyhik.scr
c:\program files\Common Files\loseremule.bat
c:\program files\Common Files\lucycikipu._dl
c:\program files\Common Files\peluducod.exe
c:\program files\Common Files\pytury.pif
c:\program files\Common Files\rycu.dl
c:\program files\Common Files\zyri.scr
c:\windows\gadywi.dll
c:\windows\iryqi.bin
c:\windows\lapizusami.reg
c:\windows\lymati._sy
c:\windows\msa.exe
c:\windows\onitul.ban
c:\windows\qexasup.bin
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\calc.dll
c:\windows\system32\critical_warning.html
c:\windows\system32\dm35ztnz2v.dll
c:\windows\system32\drivers\gasfkyijylevov.sys
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\edymymaca.dll
c:\windows\system32\ehyhako.dll
c:\windows\system32\gasfkyeepabwwb.dat
c:\windows\system32\gasfkyehexjgvd.dll
c:\windows\system32\gasfkykwsflrpb.dll
c:\windows\system32\gasfkyltbqpauu.dll
c:\windows\system32\gasfkymtnbmusi.dll
c:\windows\system32\gasfkytiqobwuc.dll
c:\windows\system32\gasfkywilfwapq.dat
c:\windows\system32\gasfkyxxcqhupj.dll
c:\windows\system32\msxml71.dll
c:\windows\system32\ndisapi.dll
c:\windows\system32\ukeqymiku.dll
c:\windows\system32\vekuh.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wofuxyfy.reg
c:\windows\system32\ygaxuni.exe
c:\windows\system32\yrobij.sys
c:\windows\towonykyg.bat
c:\windows\umekuw.bin
c:\windows\wetoqas.inf
c:\windows\win32k.sys
c:\windows\wyrar.bat
c:\windows\yviniguce.dl
c:\windows\yzus.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gasfkyalkyxeol
-------\Legacy_NDISRD
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_gasfkyalkyxeol
-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))
.

2009-10-11 14:33 . 2009-10-11 14:33 -------- d-----w- c:\windows\system32\wbem\snmp
2009-10-11 14:33 . 2009-10-11 14:33 -------- d-----w- c:\windows\system32\xircom
2009-10-11 14:33 . 2009-10-11 14:33 -------- d-----w- c:\windows\system32\oobe
2009-10-11 14:33 . 2009-10-11 14:33 -------- d-----w- c:\windows\srchasst
2009-10-11 14:33 . 2009-10-11 14:33 -------- d-----w- c:\program files\microsoft frontpage
2009-10-11 03:06 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-11 03:06 . 2009-10-11 03:25 -------- d-----w- C:\Malwarebytes' Anti-Malware
2009-10-11 03:06 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-10 22:34 . 2009-10-10 22:34 13238 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\wixi.dat
2009-10-10 21:59 . 2009-10-10 21:59 13213 ----a-w- c:\program files\Common Files\tilesyho.dat
2009-10-10 21:59 . 2009-10-10 21:59 16268 ----a-w- c:\windows\system32\yvad.dat
2009-10-10 21:13 . 2009-10-10 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-10 21:06 . 2009-10-10 21:06 -------- d-----w- c:\program files\Common Files\iS3
2009-10-10 21:06 . 2009-10-10 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-10 20:41 . 2009-10-10 20:40 89552 --sh--w- c:\windows\system32\TerNa.exe
2009-10-10 20:40 . 2009-10-10 20:40 24576 ----a-w- C:\hgxs.exe
2009-10-05 23:41 . 2009-10-05 23:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-05 23:37 . 2009-10-05 23:37 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-10-05 23:34 . 2009-10-11 03:44 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Adobe
2009-10-05 23:32 . 2009-10-06 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-27 19:34 . 2009-09-27 21:05 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Deployment
2009-09-24 07:23 . 2009-09-24 07:23 -------- d-----w- c:\program files\Common Files\Uninstall
2009-09-22 20:41 . 2009-09-22 20:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-09-21 03:32 . 2009-09-25 22:12 -------- d-----w- c:\documents and settings\Owner\Application Data\Paltalk
2009-09-20 15:09 . 2009-09-25 22:12 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Yahoo!
2009-09-19 23:21 . 2009-09-19 23:21 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Unity
2009-09-19 23:18 . 2009-10-06 03:45 -------- d-----w- c:\program files\Unity
2009-09-18 03:14 . 2009-09-18 03:14 -------- d-----w- c:\program files\Microsoft Reader
2009-09-18 03:14 . 2003-06-05 21:15 57436 ----a-w- c:\windows\DASShp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-11 11:26 . 2009-10-11 11:26 15153 ----a-w- c:\program files\Common Files\qoqoloqa.db
2009-10-11 11:26 . 2009-10-11 11:26 10228 ----a-w- c:\documents and settings\All Users\Application Data\ziwiryh.dat
2009-10-11 02:06 . 2009-10-11 01:11 -------- d-----w- c:\documents and settings\Carmen\Application Data\Azureus
2009-10-11 01:52 . 2009-04-27 20:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-10-11 01:40 . 2009-07-28 19:20 -------- d-----w- c:\documents and settings\Owner\Application Data\EMBARQTOOLBAR
2009-10-11 01:16 . 2009-10-11 01:16 19676 ----a-w- c:\documents and settings\Owner\Application Data\bupukijo.dat
2009-10-11 01:16 . 2009-10-11 01:16 13467 ----a-w- c:\documents and settings\Owner\Application Data\rivovuqesy.dat
2009-10-11 01:11 . 2009-10-11 01:11 15368 ----a-w- c:\documents and settings\Carmen\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 00:59 . 2009-10-11 00:59 -------- d-----w- c:\documents and settings\Carmen\Application Data\Malwarebytes
2009-10-10 21:59 . 2009-10-10 21:59 19096 ----a-w- c:\documents and settings\Owner\Application Data\juvob.dat
2009-10-10 21:59 . 2009-10-10 21:59 18645 ----a-w- c:\program files\Common Files\icih.db
2009-10-10 21:59 . 2009-10-10 21:59 14276 ----a-w- c:\program files\Common Files\orevy.lib
2009-10-10 21:16 . 2009-10-10 21:16 184 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2009-10-09 22:01 . 2009-04-16 23:13 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-06 03:40 . 2009-06-11 19:36 -------- d-----w- c:\program files\Common Files\Apple
2009-09-27 19:34 . 2009-04-27 20:46 15368 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-26 19:54 . 2009-09-07 23:40 45 ----a-w- c:\documents and settings\Owner\jagex_runescape_preferences2.dat
2009-09-26 19:54 . 2009-05-27 22:34 38 -c--a-w- c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-09-18 03:14 . 2009-05-02 02:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-14 05:44 . 2009-04-08 01:27 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2009-09-10 21:25 . 2009-09-10 08:03 -------- d-----w- c:\program files\ueejyp
2009-09-10 21:16 . 2009-09-10 21:16 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-09-10 21:16 . 2009-09-10 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-07 21:25 . 2009-06-24 23:27 -------- d-----w- c:\program files\emote
2009-08-30 00:30 . 2009-08-16 14:05 -------- d-----w- c:\program files\Google
2009-08-30 00:21 . 2009-08-16 14:07 -------- d-----w- c:\program files\Common Files\Real
2009-08-29 17:21 . 2009-05-12 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\WildTangent
2009-08-25 19:56 . 2009-08-25 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-08-25 19:56 . 2009-08-23 20:37 -------- d-----w- c:\documents and settings\Owner\Application Data\PlayFirst
2009-08-18 07:30 . 2009-04-08 01:18 -------- d-----w- c:\program files\LimeWire
2009-08-16 15:12 . 2009-08-16 04:59 -------- d-----w- c:\program files\Nero
2009-08-16 15:05 . 2009-08-16 15:05 -------- d-----w- c:\program files\Instant CD & DVD Burner
2009-08-16 14:07 . 2009-04-08 00:43 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-16 14:07 . 2008-11-06 11:42 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-16 14:07 . 2009-08-16 14:07 -------- d-----w- c:\program files\Real
2009-08-12 16:42 . 2009-07-28 19:22 -------- d-----w- c:\program files\Virtual Assistant
2009-07-29 18:35 . 2009-07-29 18:35 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-28 21:33 . 2009-08-05 15:57 25088 ----a-w- c:\windows\system32\msxml3a.dll
.

------- Sigcheck -------


[-] 2007-05-03 . A11391BE25035570AE4B8970920F2C74 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys

[-] 2007-05-01 . BE795BAF50B026D0822F45E050C307D3 . 3789312 . . [7.00.6000.16414] . . c:\windows\system32\mshtml.dll

[-] 2007-05-02 . D66456C66D07A423F2E48C2526AE260C . 1422336 . . [6.00.2900.2180] . . c:\windows\explorer.exe


c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"U.S. Robotics Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Motive SmartBridge"="c:\progra~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2006-04-21 438359]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2007-05-03 124928]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Xenocode\\ApplianceCaches\\KumaClient.exe_v402D65F8\\Native\\STUBEXE\\@PROGRAMFILES@\\Kuma Games\\Kuma.exe"=
"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Xenocode\\ApplianceCaches\\KumaClient.exe_v21EC7D1F\\Native\\STUBEXE\\@PROGRAMFILES@\\Kuma Games\\Kuma.exe"=

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-04-14 2784285]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2009-07-29 23:58]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2teftrqw.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----

.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AOL Dialer - c:\program files\Common Files\AOL\ACS\AOlDial.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-AlphaAV - c:\program files\AlphaAV\AlphaAV.exe
AddRemove-HijackThis - c:\documents and settings\Owner\My Documents\Downloads\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-11 10:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet006\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3716)
c:\windows\system32\SHDOCVW.dll
c:\progra~1\VIRTUA~1\SMARTB~1\SBHook.dll
c:\windows\system32\shimgvw.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\wltray.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
.
**************************************************************************
.
Completion time: 2009-10-11 10:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-11 14:38

Pre-Run: 1,341,018,112 bytes free
Post-Run: 1,371,791,360 bytes free

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
340




I was able to run Malwarebytes now. Here is the log:

Malwarebytes' Anti-Malware 1.41
Database version: 2941
Windows 5.1.2600 Service Pack 2

10/11/2009 11:16:35 AM
mbam-log-2009-10-11 (11-16-35).txt

Scan type: Quick Scan
Objects scanned: 97482
Time elapsed: 6 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Common Files\Uninstall\AlphaAV (Rogue.AlphaAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\AlphaAV (Rogue.AlphaAV) -> Quarantined and deleted successfully.

Files Infected:
C:\hgxs.exe (Trojan.FakeInit) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Uninstall\AlphaAV\Uninstall.lnk (Rogue.AlphaAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\AlphaAV\Alpha Antivirus.lnk (Rogue.AlphaAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\AlphaAV\Uninstall.lnk (Rogue.AlphaAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\downloads\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

bellastorm
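A small triage helper for reports in the layout of the ComboFix log above, added here as an example; it is not part of this thread and not a ComboFix or Malwarebytes tool. It parses the "Files Created"/Find3M entry lines, the Sigcheck block and the "... is missing !!" lines, then lists what an analyst would check first: files whose names look machine-generated (the pure lowercase gibberish stems the log is full of), files carrying hidden/system attributes, system files whose Sigcheck line is marked [-], and missing system files. The sample report is constructed (a handful of lines are copied from the log above, the rest are placeholders in the same shape); the CODE_EXTS set, the KNOWN_STEMS allowlist and the meaning of the attribute columns are assumptions, and the name heuristic is a pointer for human review rather than a verdict.

```python
import re
from datetime import datetime

# Constructed sample in the ComboFix report layout. The Sigcheck line, the two
# "missing" lines and several paths are copied from the log posted above; the
# remaining lines are placeholders in the same shape.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-09-11 to 2009-10-11 )))))))))))))))))))))))))))))))

2009-10-11 14:33 . 2009-10-11 14:33 -------- d-----w- c:\windows\system32\oobe
2009-10-11 03:06 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-10 22:34 . 2009-10-10 22:34 13238 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\wixi.dat
2009-10-10 21:59 . 2009-10-10 21:59 13213 ----a-w- c:\program files\Common Files\tilesyho.dat
2009-10-10 20:41 . 2009-10-10 20:40 89552 --sh--w- c:\windows\system32\TerNa.exe
2009-09-18 03:14 . 2003-06-05 21:15 57436 ----a-w- c:\windows\DASShp.dll
2009-08-16 14:07 . 2009-04-08 00:43 348160 ----a-w- c:\windows\system32\msvcr71.dll

------- Sigcheck -------

[-] 2007-05-03 . A11391BE25035570AE4B8970920F2C74 . 360704 . . [5.1.2600.3002] . . c:\windows\system32\drivers\tcpip.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\wscntfy.exe ... is missing !!
"""

# One "Files Created" / "Find3M" entry: created . modified size attrs path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Sigcheck line: [flag] date . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]])\] (?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+) "
    r"\. \. \[(?P<version>[^\]]*)\] \. \. (?P<path>.+)$"
)
MISSING_RE = re.compile(r"^(?P<path>.+?) \.\.\. is missing !!$")

# Extensions worth a second look when the name looks generated (assumed list).
CODE_EXTS = {"exe", "dll", "sys", "scr", "bat", "vbs", "pif", "com", "cfg",
             "dat", "db", "lib", "inf", "bin", "reg"}
# Hypothetical analyst allowlist: lowercase-only stems already known to be benign.
KNOWN_STEMS = {"mbamswissarmy", "mbam"}


def parse_report(text):
    """Split a report into file entries, Sigcheck results and missing-file lines."""
    entries, sigcheck, missing = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            e = m.groupdict()
            e["created"] = datetime.strptime(e["created"], "%Y-%m-%d %H:%M")
            e["is_dir"] = e["attrs"][0] == "d"   # first attribute column: directory flag
            e["size"] = None if e["is_dir"] else int(e["size"])
            entries.append(e)
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            sigcheck.append(m.groupdict())
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m.group("path"))
    return entries, sigcheck, missing


def looks_generated(filename, known=KNOWN_STEMS):
    """Heuristic: vendor file names almost always carry digits, mixed case or
    separators; a stem of 4+ plain lowercase letters with a code-like extension
    matches the dropper naming seen in the log above. A hint, not a verdict."""
    stem, _, ext = filename.rpartition(".")
    if not stem or ext.lower() not in CODE_EXTS or stem in known:
        return False
    return stem.isalpha() and stem.islower() and len(stem) >= 4


def triage(text):
    """Return the items an analyst would check first in a report."""
    entries, sigcheck, missing = parse_report(text)
    suspicious = []
    for e in entries:
        if e["is_dir"]:
            continue
        name = e["path"].rsplit("\\", 1)[-1]
        reasons = []
        if looks_generated(name):
            reasons.append("generated-looking name")
        # Attribute columns assumed: 's' = system, 'h' = hidden (as in --sh--w-).
        if "s" in e["attrs"] or "h" in e["attrs"]:
            reasons.append("hidden/system attributes")
        if reasons:
            suspicious.append((e["path"], reasons))
    return {
        "suspicious_files": suspicious,
        "sigcheck_mismatch": [s["path"] for s in sigcheck if s["flag"] == "-"],
        "missing": missing,
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

On the sample, the two lowercase gibberish .dat files and the hidden+system TerNa.exe are reported, while mbamswissarmy.sys (allowlisted), DASShp.dll (mixed case) and msvcr71.dll (contains digits) are not; the Sigcheck [-] entry and the two missing files are listed separately because they point at patched or deleted system components rather than dropped files, which is exactly what the follow-up SystemLook file search is meant to confirm.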

Re: Laptop infected with both antivirus pro 2010 and alpha antivirus help pls

Post by Dr Jay on 11th October 2009, 7:59 pm

Hi

Whew...do not be discouraged. This may seem like a lot to do, but as long as we get done with this process, the malware should vanish. Most of the tools in this post should not take more than a few minutes. Except for ComboFix, of course. Smile

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\drivers\kgpcpy.cfg
    c:\documents and settings\Owner\Local Settings\Application Data\wixi.dat
    c:\program files\Common Files\tilesyho.dat
    c:\windows\system32\yvad.dat
    c:\windows\system32\TerNa.exe
    c:\program files\Common Files\qoqoloqa.db
    c:\documents and settings\All Users\Application Data\ziwiryh.dat
    c:\documents and settings\Owner\Application Data\bupukijo.dat
    c:\documents and settings\Owner\Application Data\rivovuqesy.dat
    c:\program files\Common Files\icih.db
    c:\program files\Common Files\orevy.lib

    Folder::
    c:\documents and settings\All Users\Application Data\SITEguard
    c:\program files\Common Files\iS3
    c:\documents and settings\All Users\Application Data\STOPzilla!
    c:\program files\ueejyp
    c:\program files\Viewpoint

    DDS::
    uStart Page = [You must be registered and logged in to see this link.]
    FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    winlogon.exe
    comres.dll
    crypt32.dll
    gpedit.dll
    rundll32.exe
    sfc.dll
    svchost.exe
    cngaudit.dll
    beep.sys
    wscntfy.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

==

Please download [You must be registered and logged in to see this link.] and save it to your Desktop.
  • Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
  • Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
  • Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.


==

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

==

In your next reply...please include the following logs:
-ComboFix log
-SystemLook log
-SpiderKill log
-Malwarebytes log

Also, please tell me how your computer is running.


Dr. Jay (DJ)



Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14294
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302921
# Likes # Likes : 10
