Assist with Antivirus System Pro


Assist with Antivirus System Pro

Post by Capntreee on Fri Oct 23, 2009 3:21 am

Discovered Antivirus System Pro this afternoon as it hijacked my browser and started playing ads and displaying random websites. Read through a bunch of other forum logs to learn what I could. Downloaded Malwarebytes as I'd seen it recommended by many others. This program will not run because it cannot locate mbam.exe despite being pointed to the correct folder. Extracted the zip files a second time to be sure. I could try HijackThis, but I'm not certain that is what you'd request. Thanks in advance for your assistance.

Capntreee
Novice


Posts : 6
Joined : 2009-10-23
OS : XP Pro SP2


Re: Assist with Antivirus System Pro

Post by Dr Jay on Sat Oct 24, 2009 1:05 am

Please download ComboFix from [You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to doing this can be found [You must be registered and logged in to see this link.]
  • Click Start > Run, then copy/paste the following command into the Run box and click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

I would also like to see a list of installed programs, so please do this:
Click Start > Run then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

In your next reply, please include the ComboFix log and the Add-Remove Programs log.


Dr. Jay (DJ)



Dr Jay
Head Administrator


Posts : 13708
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro


Re: Assist with Antivirus System Pro

Post by Capntreee on Mon Oct 26, 2009 4:25 pm

ComboFix 09-10-25.02 - Terry Hanrahan 10/26/2009 8:56.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.621 [GMT -7:00]
Running from: c:\documents and settings\Terry Hanrahan\desktop\commy.exe
Command switches used :: /stepdel
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\16440520
c:\windows\system32\bopetuza.exe
c:\windows\system32\figorana.exe
c:\windows\system32\kajoreji.exe
c:\windows\system32\losiyolu.exe
c:\windows\system32\rirozobi.exe
c:\windows\system32\sunemudu.exe
c:\windows\system32\vikatemo.exe
c:\docume~1\TERRYH~1\LOCALS~1\Temp\csrss.exe
c:\docume~1\TERRYH~1\LOCALS~1\Temp\lsass.exe
c:\docume~1\TERRYH~1\LOCALS~1\Temp\services.exe
c:\docume~1\TERRYH~1\LOCALS~1\Temp\svchost.exe
c:\docume~1\TERRYH~1\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\TERRYH~1\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Application Data\16440520\16440520.exe
c:\documents and settings\Terry Hanrahan\ntuser.dll
c:\documents and settings\Terry Hanrahan\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Terry Hanrahan\Start Menu\Programs\Startup\scandisk.lnk
C:\LOG1.tmp
c:\windows\alorazohit.dll
c:\windows\syssvc.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\~.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\calc.dll
c:\windows\system32\certstore.dat
c:\windows\system32\cz52cp7.dll
c:\windows\system32\FInstall.sys
c:\windows\system32\havomuzo.dll.tmp
c:\windows\system32\iehelper.dll
c:\windows\system32\Install.txt
c:\windows\system32\isapeep.sys
c:\windows\system32\midinuro.dll.tmp
c:\windows\system32\mulipiza.dll
c:\windows\system32\nutuhunu.dll.tmp
c:\windows\system32\sebimike.dll
c:\windows\system32\volosejo.dll
c:\windows\system32\yiwuyipa.dll
E:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\i386\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_6to4
-------\Legacy_isapeep
-------\Service_isapeep


((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.

2009-10-23 02:35 . 2009-10-23 02:35 -------- d-----w- c:\documents and settings\Terry Hanrahan\Application Data\Malwarebytes
2009-10-23 02:35 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-23 02:35 . 2009-10-23 02:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-23 02:35 . 2009-10-23 02:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-23 02:35 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-22 23:06 . 2009-10-26 14:24 0 ----a-r- c:\windows\Dlujuqole.bin
2009-10-22 23:06 . 2009-10-26 15:21 120 ----a-w- c:\windows\Eceqoboxebo.dat
2009-10-22 23:06 . 2009-10-22 23:06 -------- d-----w- c:\documents and settings\Terry Hanrahan\Local Settings\Application Data\{9168E96F-B4D7-47A2-B989-D8D5557CDCCC}
2009-10-22 23:00 . 2009-10-26 14:29 0 ----a-r- c:\windows\win32k.sys
2009-10-22 23:00 . 2009-10-22 23:00 52224 ----a-w- C:\ldvx.exe
2009-10-22 23:00 . 2009-10-22 23:00 50176 ----a-w- C:\qsdhs.exe
2009-10-22 23:00 . 2009-10-22 23:00 250368 ----a-w- C:\dtacmawh.exe
2009-10-22 18:34 . 2009-10-22 18:34 -------- d-----w- c:\documents and settings\Terry Hanrahan\Local Settings\Application Data\Temp
2009-09-28 15:56 . 2009-08-29 07:36 6067200 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-09-28 15:56 . 2009-08-29 07:36 52224 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-09-28 15:56 . 2009-08-29 07:36 459264 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-09-28 15:56 . 2009-08-29 07:36 268288 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-09-28 15:56 . 2009-08-29 07:36 63488 ------w- c:\windows\system32\dllcache\icardie.dll
2009-09-28 15:56 . 2009-08-29 07:36 380928 ------w- c:\windows\system32\dllcache\ieapfltr.dll
2009-09-28 15:56 . 2009-08-28 10:28 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-09-28 15:56 . 2009-06-29 08:33 2452872 ------w- c:\windows\system32\dllcache\ieapfltr.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 16:05 . 2007-10-09 15:47 -------- d-----w- c:\program files\Dl_cats
2009-10-23 21:35 . 2007-10-12 16:00 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2009-09-28 21:26 . 2007-05-18 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-11 14:03 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 16:39 . 2008-09-17 22:13 58472 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-08 14:08 . 2007-05-18 18:24 58472 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-04 20:45 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-11 22:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:16 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 02:24 . 2004-08-11 22:12 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 02:24 . 2004-08-11 22:12 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 02:24 . 2007-04-17 05:45 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 02:24 . 2004-08-11 22:12 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 02:24 . 2004-08-11 22:12 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 02:24 . 2004-08-11 22:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 02:23 . 2004-08-11 22:12 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 02:23 . 2004-08-11 22:12 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:11 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 12:51 . 2004-08-11 22:00 2185984 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 12:02 . 2004-08-04 03:59 2062976 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-10-23 19:31 . 2007-10-09 22:27 88 --sh--r- c:\windows\system32\D9F34FE0B0.sys
2009-07-23 23:07 . 2009-07-23 23:07 91648 --sha-w- c:\windows\system32\hesonida.dll
2009-07-22 23:06 . 2009-07-22 23:06 39424 --sha-w- c:\windows\system32\hofonike.dll
2009-07-23 11:07 . 2009-07-23 11:07 39424 --sha-w- c:\windows\system32\husiwolo.dll
2009-07-24 23:08 . 2009-07-24 23:08 39424 --sha-w- c:\windows\system32\jakokoba.dll
2009-07-26 15:09 . 2009-07-26 15:09 39424 --sha-w- c:\windows\system32\kufubabe.dll
2009-07-26 15:10 . 2009-07-26 15:10 53248 --sha-w- c:\windows\system32\lanimaye.dll
2009-07-23 11:07 . 2009-07-23 11:07 53760 --sha-w- c:\windows\system32\liroteyu.dll
2009-07-25 11:08 . 2009-07-25 11:08 39424 --sha-w- c:\windows\system32\mekerozu.dll
2009-07-25 23:08 . 2009-07-25 23:08 39424 --sha-w- c:\windows\system32\mimedefa.dll
2009-07-24 23:08 . 2009-07-24 23:08 91648 --sha-w- c:\windows\system32\ruwodote.dll
2009-07-24 11:07 . 2009-07-24 11:07 39424 --sha-w- c:\windows\system32\siyasago.dll
2009-07-23 23:07 . 2009-07-23 23:07 53760 --sha-w- c:\windows\system32\tofiraji.dll
2009-07-22 23:06 . 2009-07-22 23:06 1051170 --sha-w- c:\windows\system32\tolujuwi.exe
2009-07-24 11:07 . 2009-07-24 11:07 91648 --sha-w- c:\windows\system32\wuhetoso.dll
2009-07-26 15:09 . 2009-07-26 15:09 53248 --sha-w- c:\windows\system32\wutivoba.dll
2009-07-22 23:06 . 2009-07-22 23:06 91648 --sha-w- c:\windows\system32\yivivaso.dll
2009-07-23 23:07 . 2009-07-23 23:07 39424 --sha-w- c:\windows\system32\zewufodo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9da0b9bf-558b-4255-941b-aebc45e8d263}]
2009-07-26 15:10 53248 --sha-w- c:\windows\system32\lanimaye.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-19 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-05-18 169984]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-13 517768]
"dlcxmon.exe"="c:\program files\Dell Photo AIO Printer 926\dlcxmon.exe" [2007-01-12 292336]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 926\memcard.exe" [2006-11-04 304008]
"DLCXCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll" [2006-10-16 106496]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2007-08-13 9728]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2007-08-14 1351680]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-11 406016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-26 98304]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli lerpripn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlcxcoms.exe"=
"c:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R2 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [8/11/2004 3:00 PM 14336]
R2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
R2 fastnetsrv;fastnetsrv Service;c:\windows\system32\FastNetSrv.exe [8/4/2004 3:00 AM 47616]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 5:29 AM 29178224]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [10/12/2007 8:58 AM 65536]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - BTWSRV
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\cz52cp7.dll
BHO-{bdb69a0a-605f-2a61-34fe-0879f029086c} - c:\windows\alorazohit.dll
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-Jwawikoqatu - c:\windows\alorazohit.dll
HKLM-Run-16440520 - c:\docume~1\ALLUSE~1\APPLIC~1\16440520\16440520.exe
HKLM-Run-hofisonuz - c:\windows\system32\mulipiza.dll
HKLM-Run-zamuvayube - volosejo.dll
SharedTaskScheduler-{A2234B15-23F2-42AD-F4E4-00AAC39C0004} - c:\windows\system32\cz52cp7.dll
SharedTaskScheduler-{360bcfc7-1d3d-41f9-9b64-af527f962c6c} - c:\windows\system32\mulipiza.dll
SSODL-damasozun-{360bcfc7-1d3d-41f9-9b64-af527f962c6c} - c:\windows\system32\mulipiza.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-10-26 09:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCXCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\irc.txt 6 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(776)
c:\windows\lerpripn.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3588)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\lerpripn.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\windows\system32\dlcxcoms.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\common files\protexis\license service\psiservice_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wmdtc.exe
c:\windows\system32\wscntfy.exe
c:\commy\CF32395.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\lsm32.sys
c:\program files\Symantec\LiveUpdate\AUpdate.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\commy\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-26 9:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-26 16:08

Pre-Run: 39,674,515,456 bytes free
Post-Run: 40,190,828,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 176D1987F6466B7193A65970D879F715
ACT! by Sage Premium 2008 (10.0)
Adobe Acrobat 8 Standard
Adobe Acrobat 8.1.1 Standard
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.1
AutoUpdate
Corel Paint Shop Pro Photo XI
Dell CinePlayer
Dell Driver Reset Tool
Dell Photo AIO Printer 926
Dell Support 3.2.1
Dell System Restore
DiscAPI (Studio 10)
DivX
Google Desktop
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB921411)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Intel(R) Graphics Media Accelerator Driver
Intel(R) Matrix Storage Manager
Intel(R) PRO Network Connections
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 13
Java(TM) 6 Update 3
LiveUpdate 3.0 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Meeting 2005
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (ACT7)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Pinnacle Instant DVD Recorder
QuickTime
RAPID (Studio 10)
SearchAssist
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SmartSound Quicktracks Plugin
Sonic Activation Module
Symantec KB-DocID:2003093015493306
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781


Re: Assist with Antivirus System Pro

Post by Capntreee on Mon Oct 26, 2009 4:27 pm

Perhaps I'm wrong, but ComboFix didn't seem to work completely. I now see the 'Folder Options' entry under the Tools drop-down menu, but I still had some random audio track start playing even as I'm typing this reply.


Re: Assist with Antivirus System Pro

Post by Capntreee on Mon Oct 26, 2009 4:29 pm

A "How to invest in a bull market" advert started playing, but no window opened?!? Then it stopped. This is not making sense.


Re: Assist with Antivirus System Pro

Post by Belahzur on Mon Oct 26, 2009 6:04 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quote box below into it:

    File::
    c:\windows\Dlujuqole.bin
    c:\windows\Eceqoboxebo.dat
    c:\windows\win32k.sys
    C:\ldvx.exe
    C:\qsdhs.exe
    C:\dtacmawh.exe
    c:\windows\system32\hesonida.dll
    c:\windows\system32\hofonike.dll
    c:\windows\system32\husiwolo.dll
    c:\windows\system32\jakokoba.dll
    c:\windows\system32\kufubabe.dll
    c:\windows\system32\lanimaye.dll
    c:\windows\system32\liroteyu.dll
    c:\windows\system32\mekerozu.dll
    c:\windows\system32\mimedefa.dll
    c:\windows\system32\ruwodote.dll
    c:\windows\system32\siyasago.dll
    c:\windows\system32\tofiraji.dll
    c:\windows\system32\tolujuwi.exe
    c:\windows\system32\wuhetoso.dll
    c:\windows\system32\wutivoba.dll
    c:\windows\system32\yivivaso.dll
    c:\windows\system32\zewufodo.dll
    c:\windows\lerpripn.dll

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9da0b9bf-558b-4255-941b-aebc45e8d263}]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

    Driver::
    BtwSrv
    fastnetsrv

    NetSvc::
    BtwSrv

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

  [image: CFScript.txt being dragged onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
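The CFScript above is terse, and a practitioner should know what each line will do before dropping it onto ComboFix. The File:: block is a delete list (note that c:\windows\win32k.sys is a same-named file sitting beside the genuine kernel driver in system32, so only the copy in c:\windows is targeted); the Registry:: block deletes a Browser Helper Object key (ComboFix abbreviates the long Explorer subkey path as `~`, which the script keeps verbatim) and rewrites the LSA "Notification Packages" value. That value is a REG_MULTI_SZ listing DLLs lsass.exe loads at boot, and `hex(7):73,63,65,63,6c,69,00,00` decodes to the single default entry "scecli", which throws out any DLL the infection had appended. The following parser, written for this page by the editor and not part of the thread or of ComboFix, reads a shortened copy of the script, decodes that multi-string value, and flags look-alike file locations; the section semantics it assumes are the editor's reading of the CFScript format.

```python
"""Decode a ComboFix CFScript so its effect is legible before it is run.

Added example by the editor, not part of the thread and not ComboFix code.
The section meanings (File:: delete, Registry:: apply .reg-style lines,
Driver:: / NetSvc:: drop the named service entries) are the editor's
reading of the format. CFSCRIPT is a shortened copy of the script above.
"""
import ntpath
import re

CFSCRIPT = r"""
File::
c:\windows\Dlujuqole.bin
c:\windows\win32k.sys
C:\ldvx.exe
c:\windows\system32\hesonida.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9da0b9bf-558b-4255-941b-aebc45e8d263}]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Driver::
BtwSrv
fastnetsrv

NetSvc::
BtwSrv
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# Genuine location of a core binary on XP; a same-named file elsewhere is a
# look-alike worth a second look (editor's knowledge, not from the thread).
GENUINE_DIR = {"win32k.sys": r"c:\windows\system32"}


def parse_cfscript(text):
    """Split a CFScript into {section: [non-blank lines]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("data before first section header: %r" % line)
        else:
            sections[current].append(line)
    return sections


def decode_multi_sz(value):
    """Decode a .reg 'hex(7):aa,bb,...' REG_MULTI_SZ (NUL-separated strings,
    double-NUL terminated). REGEDIT4-style data, as in the script, is narrow;
    'Version 5.00' exports are UTF-16-LE, spotted by every second byte being 0."""
    data = bytes(int(b, 16) for b in value.split(":", 1)[1].split(",") if b.strip())
    wide = len(data) % 2 == 0 and not any(data[1::2])
    return [s for s in data.decode("utf-16-le" if wide else "latin-1").split("\x00") if s]


def interpret_registry(lines):
    """Turn Registry:: lines into (action, key, value_name, data) tuples.
    '[-KEY]' deletes a key, '[KEY]' selects it, '"name"=data' sets a value.
    ComboFix abbreviates a well-known subkey path as '~'; it is kept verbatim."""
    ops, key = [], None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            if line[1] == "-":
                ops.append(("delete_key", line[2:-1], None, None))
                key = None
            else:
                key = line[1:-1]
                ops.append(("ensure_key", key, None, None))
        elif key is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith("hex(7):"):
                data = decode_multi_sz(data)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]
            ops.append(("set_value", key, name.strip().strip('"'), data))
    return ops


def flag_lookalikes(files):
    """File:: entries named like a core binary but sitting outside its genuine dir."""
    hits = []
    for path in files:
        d, base = ntpath.split(path.lower())
        if base in GENUINE_DIR and d != GENUINE_DIR[base]:
            hits.append(path)
    return hits


def summarize(text):
    s = parse_cfscript(text)
    return {"files": s.get("File", []),
            "lookalikes": flag_lookalikes(s.get("File", [])),
            "registry": interpret_registry(s.get("Registry", [])),
            "drivers": s.get("Driver", []),
            "netsvcs": s.get("NetSvc", [])}
```

Running `summarize(CFSCRIPT)` shows the Notification Packages value decoded to `["scecli"]`, the BHO key marked for deletion, and `c:\windows\win32k.sys` flagged as a look-alike; the decoder also accepts the UTF-16 form that a `Windows Registry Editor Version 5.00` export would produce.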


Re: Assist with Antivirus System Pro

Post by Capntreee on Wed Oct 28, 2009 4:25 pm

This program will not permit Notepad to open. In a system tray dialog box it claims: "Security Tool Warning: notepad.exe is infected with worm lsas.blaster.keyloger; this worm is trying to send your credit card details using notepad.exe to a remote host".

This is nonsense, as this PC does not contain ANY credit card details. The Antivirus System Pro program has simply taken over Notepad so that I cannot follow your removal instructions. Help!


Re: Assist with Antivirus System Pro

Post by Capntreee on Wed Oct 28, 2009 5:16 pm

Additionally, the program has now also disabled System Restore, disabled the Command window, disabled Add/Remove Programs, disabled the Security Center and removed all icons from the Desktop.

It provides a similar warning dialog box for each program, claiming, in the third person, that the program "lsas.blaster.keyloger" has infected all of them and now they cannot be opened. Great...


Re: Assist with Antivirus System Pro

Post by Belahzur on Wed Oct 28, 2009 9:25 pm

Please download exeHelper from one of the two links.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click on exeHelper.com or exeHelper.scr to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).




Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down
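The symptoms in the two posts above (every program "infected", cmd, Add/Remove Programs, System Restore and the desktop icons gone) are what a rogue produces when it redirects program launches and sets lock-out policies, which is why the helper reaches for a tool that repairs executable handling rather than another scan. The thread does not say which mechanism this particular infection used. As an added example by the editor, not part of the thread and not exeHelper's code, the checker below reads a registry export and reports the three usual suspects: an `Image File Execution Options\<program>\Debugger` value (Windows starts the named "debugger" instead of the program), a rewritten `exefile\shell\open\command` (its genuine value is `"%1" %*`), and non-zero policy values that disable cmd, regedit, Task Manager, Add/Remove Programs, System Restore or the desktop. SAMPLE_REG is a constructed export; the `C:\placeholder\rogue.exe` path in it is made up, and the policy value names come from the editor's knowledge of Windows policies.

```python
"""Check a registry export for the lock-out tricks a rogue AV uses to stop
programs from opening.

Added example by the editor, not part of the thread and not exeHelper's code.
The thread does not say which mechanism this infection used; the three checked
here (IFEO 'Debugger' redirection, a rewritten .exe open command, and policy
values that hide the desktop or disable cmd, regedit, Task Manager, Add/Remove
Programs and System Restore) are the usual suspects from the editor's experience.
SAMPLE_REG is a constructed .reg export; the rogue.exe path in it is made up.
"""
import re

IFEO = "\\image file execution options\\"
DEFAULT_EXE_COMMAND = '"%1" %*'
# Value names from Windows policy documentation (editor's knowledge).
LOCKOUT_VALUES = {"disablecmd", "disableregistrytools", "disabletaskmgr",
                  "nodesktop", "nocontrolpanel", "noaddremoveprograms", "disablesr"}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\placeholder\\rogue.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"DisableHeapLookaside"=dword:00000001

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\placeholder\\rogue.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001
"""

VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; '@' is the default
    value. Backslash escapes in quoted strings are undone and dword: values
    become ints; other value types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def find_hijacks(keys):
    """Return (kind, target, data) findings for the three lock-out mechanisms."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        for name, data in values.items():
            n = name.lower()
            if IFEO in k and n == "debugger":
                # Legitimate when a developer attaches a debugger; on an end-user
                # box a Debugger entry for notepad.exe is a launch hijack.
                findings.append(("ifeo_debugger", leaf, data))
            elif k.endswith("\\exefile\\shell\\open\\command") and name == "@" \
                    and data != DEFAULT_EXE_COMMAND:
                findings.append(("exe_association", key, data))
            elif "policies" in k and n in LOCKOUT_VALUES and data not in (0, "0"):
                findings.append(("lockout_policy", leaf + "\\" + name, data))
    return findings
```

On the sample, `find_hijacks(parse_reg(SAMPLE_REG))` reports the notepad.exe Debugger entry, the rewritten .exe command and the two policies set to 1, while the benign IFEO tuning value and the policy set to 0 are ignored. Run against a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options ifeo.reg`, and likewise for the other keys) it gives a quick read of what a tool such as exeHelper would have to put back.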
