Alpha Antivirus Help!

Post by Tocowujo on 8th November 2009, 2:38 am

Hey, I'm helping my dad get rid of this program he contracted this morning on his Vista laptop. It doesn't allow him to open IE, so I am using my Mac and transferring all the software via USB drive. I tried Malwarebytes, SUPERAntiSpyware, and an online fix, but none of them worked. The first time I ran Malwarebytes it found 5 infections; I cleared them, but after restarting, Alpha AV was still on the system as before. When I run it again it doesn't find anything. I tried Spyware Doctor and it found the AlphaAV threat as well as some other minor ones, but naturally I couldn't remove them without paying for the program.
An interesting note: the process associated with Alpha AV is "alpha.exe" rather than the typical "alphaAV.exe" that I see on most help websites.

I ran ComboFix after reading some suggestions and copied the log to my computer. Not sure what is preferable, but I will download and run HijackThis also if necessary...
Thanks!




ComboFix 09-11-07.02 - Owner 11/07/2009 18:15.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1013.336 [GMT -6:00]
Running from: c:\users\Owner\Desktop\commy.exe
Command switches used :: /stepdel
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2450969143-844794473-1312612106-500
c:\$recycle.bin\S-1-5-21-3569018428-901859288-1186912836-500
c:\$recycle.bin\S-1-5-21-4214898707-607555799-2004620691-500
c:\$recycle.bin\S-1-5-21-864547194-220137812-69340660-500
c:\program files\alot
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500\desktop.ini
c:\$recycle.bin\S-1-5-21-2450969143-844794473-1312612106-500\desktop.ini
c:\$recycle.bin\S-1-5-21-3569018428-901859288-1186912836-500\desktop.ini
c:\$recycle.bin\S-1-5-21-4214898707-607555799-2004620691-500\desktop.ini
c:\$recycle.bin\S-1-5-21-864547194-220137812-69340660-500\desktop.ini
c:\program files\alot\alotUninst.exe
c:\program files\alot\bin\alot.dll
c:\program files\alot\bin\ALOTSettings.exe
c:\programdata\ntuser.dat{0dd9af55-9d0b-11db-8678-0016d42a45f8}.TMContainer00000000000000000001.regtrans-ms
c:\programdata\ntuser.dat{0dd9af65-9d0b-11db-8678-0016d42a45f8}.TMContainer00000000000000000001.regtrans-ms

.
((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-08 00:25 . 2009-11-08 00:27 -------- d-----w- c:\users\Owner\AppData\Local\temp
2009-11-08 00:25 . 2009-11-08 00:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-07 17:58 . 2009-11-07 17:58 117760 ----a-w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-07 17:58 . 2009-11-07 17:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-07 17:57 . 2009-11-07 17:57 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-11-07 17:57 . 2009-11-07 17:57 -------- d-----w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com
2009-11-07 17:56 . 2009-11-07 17:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-07 17:05 . 2009-11-07 17:05 -------- d-----w- c:\program files\Common Files\AAntivirusUninstall
2009-11-07 17:05 . 2009-11-07 17:05 -------- d-----w- c:\program files\AAntivirus
2009-10-28 15:25 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 15:25 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-14 19:37 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 19:35 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 19:35 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 19:35 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-12 17:03 . 2009-10-12 17:03 -------- d-----w- c:\program files\Microsoft
2009-10-12 17:01 . 2009-10-12 17:00 411368 ----a-w- c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 18:47 . 2009-03-05 18:38 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 02:42 . 2009-10-02 15:58 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-15 12:51 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-12 17:00 . 2007-01-05 23:14 -------- d-----w- c:\program files\Java
2009-09-10 20:54 . 2009-03-05 18:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 20:53 . 2009-03-05 18:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 00:27 . 2009-09-02 23:28 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 23:28 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-14 19:36 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 19:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:17 . 2009-10-14 19:36 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 03:42 . 2009-10-14 19:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-14 16:27 . 2009-09-09 14:17 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 14:17 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 14:17 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 14:17 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 14:17 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 14:17 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 14:17 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 14:17 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 14:17 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 14:17 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 14:17 105984 ----a-w- c:\windows\system32\netiohlp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-30 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-08 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-12 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-15 530552]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-19 421888]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-09-02 949376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-12 149280]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-11-09 3784704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):c6,03,14,3c,c4,f6,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2450969143-844794473-1312612106-1000]
"EnableNotificationsRef"=dword:00000001

R1 nod32drv;nod32drv;c:\windows\System32\drivers\nod32drv.sys [9/2/2007 12:44 PM 15424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [11/17/2008 2:40 PM 3668480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\AAntivirus.job
- c:\program files\AAntivirus\alpha.exe [2009-11-07 17:05]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Trusted Zone: usaa.com\www
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\us.f622.mail
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-07 18:26
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????['C~????\?8?\?p?\???\???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-11-08 18:30
ComboFix-quarantined-files.txt 2009-11-08 00:30

Pre-Run: 111,334,653,952 bytes free
Post-Run: 111,514,812,416 bytes free

- - End Of File - - 0E35474719107474BCEEC53583284DE5


Re: Alpha Antivirus Help!

Post by Belahzur on 8th November 2009, 9:10 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\windows\Tasks\AAntivirus.job
    c:\program files\AAntivirus

    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


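The OTM script in the reply above does three things: deletes the scheduled task that relaunches the rogue, deletes its install folder, and removes the two Security Center override values it left behind. The script below is an added example, not OTM's code and not something posted in the thread, that performs the same cleanup in PowerShell so each step can be inspected before anything is deleted. It assumes an elevated PowerShell 2.0 or later session on the infected Vista machine; every path and value name is taken from the ComboFix log above (the extra AAntivirusUninstall folder is the one listed under "Files Created"), and the process name alpha.exe is the one the original poster observed. Run it with -WhatIf first; nothing is removed until the switch is dropped.

```powershell
# Added example: PowerShell equivalent of the OTM :files / :reg script above.
# Assumptions: elevated PowerShell 2.0+ on the infected Vista laptop; paths and
# registry value names come from the posted ComboFix log, nothing else.
# Usage:  .\clean-alphaav.ps1 -WhatIf   (preview)   then   .\clean-alphaav.ps1
param([switch]$WhatIf)

# Rogue AV artefacts named in the ComboFix log
$files = @(
    'C:\Windows\Tasks\AAntivirus.job',                   # task that relaunches alpha.exe
    'C:\Program Files\AAntivirus',                        # install folder holding alpha.exe
    'C:\Program Files\Common Files\AAntivirusUninstall'   # listed under "Files Created"
)
# Security Center override values the rogue set (the OTM "=-" lines delete these)
$scKey    = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$scValues = @('AntiVirusOverride', 'FirewallOverride')

# 1. Stop the rogue process first; a running alpha.exe would keep its folder locked.
Get-Process -Name alpha -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host ("Stopping {0} (PID {1}) {2}" -f $_.ProcessName, $_.Id, $_.Path)
    if (-not $WhatIf) { Stop-Process -Id $_.Id -Force }
}

# 2. Remove the task file and folders, reporting anything already gone.
foreach ($path in $files) {
    if (Test-Path -LiteralPath $path) {
        Write-Host "Removing $path"
        Remove-Item -LiteralPath $path -Recurse -Force -WhatIf:$WhatIf
    } else {
        Write-Host "Not found (already removed?): $path"
    }
}

# 3. Delete the override values so Security Center resumes reporting AV/firewall state.
foreach ($name in $scValues) {
    $item = Get-ItemProperty -Path $scKey -Name $name -ErrorAction SilentlyContinue
    if ($item -ne $null) {
        Write-Host "Deleting $scKey\$name (current value: '$($item.$name)')"
        Remove-ItemProperty -Path $scKey -Name $name -WhatIf:$WhatIf
    } else {
        Write-Host "Value not present: $scKey\$name"
    }
}

# 4. Show what persistence is left, so the post-reboot state can be judged:
#    Run entries whose command is not under Program Files or Windows, and any .job files.
Write-Host "`nRun entries not under Program Files or Windows:"
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -eq $null) { continue }
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -notmatch '(?i)\\(program files|windows)\\' } |
        ForEach-Object { Write-Host ("  {0}\{1} = {2}" -f $hive, $_.Name, $_.Value) }
}
Write-Host "Scheduled-task jobs still present in C:\Windows\Tasks:"
Get-ChildItem -Path 'C:\Windows\Tasks' -Filter *.job -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "  $($_.Name)" }
```

Step 4 is the check a practitioner wants after any rogue-AV cleanup: the ComboFix log shows one Run value ("RtHDVCpl") that is a bare executable name rather than a full path, and the script lists entries like that so they can be confirmed as legitimate rather than assumed. If a later ComboFix or OTM run shows the task or folder re-created after a reboot, something outside these four items is still restoring it and the Run and scheduled-task listing is where to look next.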

Re: Alpha Antivirus Help!

Post by Tocowujo on 9th November 2009, 12:03 am

Ok, so NOD32 just found and destroyed Alpha AV randomly earlier. For some reason Internet Explorer (8) continues to freeze up and not respond the instant I open it. It works fine in safe mode, so I cleared the browsing history and temp files while in safe mode, but it still doesn't work normally.

Thanks again!


Re: Alpha Antivirus Help!

Post by Belahzur on 9th November 2009, 1:16 am

Internet Explorer is always buggy like that, I recommend you don't use it and switch to Firefox.

[You must be registered and logged in to see this link.]

