System Antivirus Pro 2009


System Antivirus Pro 2009

Post by Aprius on Tue Nov 10, 2009 10:42 pm

Hey. I saw this up, but I also read in the newbie thing that I'm not supposed to post on his topic, and I don't want any trouble, haha.

So yeah, as I've stated, I have a "rogue antivirus software" on my computer, and I'm posting a HijackThis log now. It hasn't been doing anything lately (the System Pro virus), but I've also been using MBAM frequently, though I know it won't "fix" it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:59 PM, on 11/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\NCSoft\Launcher\NCLauncher.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\NETGEAR\WN111\wn111.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Sun\SDK\jdk\bin\java.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5B901C4C-0D73-4BCE-8DEB-19A2DEA3B52B} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [NCsoft Launcher] C:\Program Files\NCSoft\Launcher\NCLauncher.exe /Minimized
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: GamersFirst LIVE!.lnk = C:\Program Files\GamersFirst\LIVE!\Live.exe
O4 - Global Startup: NETGEAR WN111 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111\wn111.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\FAMILY\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: khfcbyx - khfcbyx.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7413 bytes


I would also like to point out, if it matters, that this particular infection is a Trojan.Zlob, and it has carried a few Vundos. I've heard from friends that Zlobs are pretty dangerous, and if possible I would like some tips on anything else I should do.

Please And Thanks,
--Fido



Aprius
Intermediate

Posts : 90
Joined : 2009-11-10
Gender : Male
OS : Windows 7 64Bit
Protection : Hijack This!, Ccleaner, MalwareBytes, Avast!
Points : 26332
# Likes : 0


Re: System Antivirus Pro 2009

Post by Belahzur on Wed Nov 11, 2009 12:40 am

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O2 - BHO: (no name) - {5B901C4C-0D73-4BCE-8DEB-19A2DEA3B52B} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O20 - Winlogon Notify: khfcbyx - khfcbyx.dll (file missing)

  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
# Likes : 1

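The three lines Belahzur picks out above share one property: each is a load point (a BHO, a toolbar, a Winlogon Notify package) whose target file no longer exists, which is what a half-removed rogue AV or Vundo component leaves behind. The script below is an added example, not code from this forum or from HijackThis, that applies that same "dangling load point" heuristic to log lines of the shape posted in this thread. The sample lines are constructed from the log above, and the decision to put orphaned O23 services (the missing McAfee binaries) into a separate "review" bucket rather than the "fix" bucket is an assumption made for this example; the post itself does not state that rule.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the shape of the HijackThis log
# posted above (the CLSIDs and paths are the ones shown in this thread).
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5B901C4C-0D73-4BCE-8DEB-19A2DEA3B52B} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: khfcbyx - khfcbyx.dll (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
"""

# HijackThis marks a load point whose target is gone with one of these suffixes.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Section code (O2, O3, O20, R1, ...) followed by the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")


@dataclass
class HjtEntry:
    section: str
    body: str
    orphan: bool

    @property
    def line(self) -> str:
        """The line exactly as HijackThis prints it, i.e. the box you would tick."""
        return f"{self.section} - {self.body}"


def parse_hjt(text: str) -> list[HjtEntry]:
    """Parse HijackThis entry lines; the process list and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append(HjtEntry(m["section"], m["body"], line.endswith(ORPHAN_MARKERS)))
    return entries


def triage(entries: list[HjtEntry]) -> tuple[list[HjtEntry], list[HjtEntry]]:
    """Split orphaned entries into two buckets.

    fix    - dangling browser/Winlogon load points (O2, O3, O20, ...): the registry
             still tries to load a file that is gone, the usual residue of a removed
             rogue AV or Vundo component.
    review - O23 services whose binary is missing: usually an uninstalled product
             (here McAfee) rather than malware, so they are listed separately.
    This split is a heuristic chosen for this example, not a HijackThis rule.
    """
    fix = [e for e in entries if e.orphan and e.section != "O23"]
    review = [e for e in entries if e.orphan and e.section == "O23"]
    return fix, review


def lines_to_fix(text: str) -> list[str]:
    """Convenience wrapper: the exact log lines to tick under 'Fix checked'."""
    fix, _ = triage(parse_hjt(text))
    return [e.line for e in fix]


if __name__ == "__main__":
    fix, review = triage(parse_hjt(SAMPLE_HJT))
    print("Tick these:")
    for e in fix:
        print("   ", e.line)
    print("Review separately:")
    for e in review:
        print("   ", e.line)
```

Run against the sample, the "fix" bucket contains exactly the three lines Belahzur asked to have checked, and the McAfee service with its missing binary lands in "review" instead of being removed reflexively. The heuristic is deliberately narrow: an entry that points at a file which does exist tells you nothing by itself and still needs a look at the file's publisher and location.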

Re: System Antivirus Pro 2009

Post by Aprius on Wed Nov 11, 2009 1:41 am

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

11/10/2009 8:40:55 PM
mbam-log-2009-11-10 (20-40-55).txt

Scan type: Quick Scan
Objects scanned: 144354
Time elapsed: 15 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Re: System Antivirus Pro 2009

Post by Belahzur on Wed Nov 11, 2009 1:47 am

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.



Re: System Antivirus Pro 2009

Post by Aprius on Wed Nov 11, 2009 1:52 am

Yeah, I started after I realized what version I had. <.<' Sorry man.



Re: System Antivirus Pro 2009

Post by Aprius on Wed Nov 11, 2009 1:59 am

Still feel like an idiot, but here's the new and updated one. 31 infected files. Yowzers. xD


Malwarebytes' Anti-Malware 1.41
Database version: 3143
Windows 5.1.2600 Service Pack 2

11/10/2009 8:58:12 PM
mbam-log-2009-11-10 (20-58-12).txt

Scan type: Quick Scan
Objects scanned: 155845
Time elapsed: 14 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 27

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\27rNnnBev.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Ow8oxUZs.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ANTFgyGDhshx.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cqAqKgrT9h.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fsd84gQZT.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fTY4KLZyHLT1.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IeeLPvDFpWubT.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jcfx7C3Px.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\KUXSfgy4hKie.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\l1tcIC6gT.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MsVZWvDum.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\V39nhi6eCXv.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vWSwfq1wP65.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vXkUF3SCn.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lK7YD7wmxL.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xqDS2dWsO.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YqYT4cQ7.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ZyLs8jNJ.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tqdTYWa.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3n8APWl.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7npfZy7mhcX.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9hCLVLZV.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9LPioTGLldyE.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\9WH6P4ji.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UiCGfWs7PTrH.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EkJD1LAa.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> Quarantined and deleted successfully.


I'm Restarting my PC now.



Re: System Antivirus Pro 2009

Post by Belahzur on Wed Nov 11, 2009 9:47 pm

Hello.
Bad news: a false positive in MBAM is causing major problems for a lot of people right now, and you've been caught by this problem too.

Sadly your machine won't boot anymore; do you have your XP disc?


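The log two posts up shows why the machine stopped booting: among 31 detections, four were not Zlob or Vundo residue at all but the `Services\atapi` registry keys and `drivers\atapi.sys`, the IDE driver Windows XP needs to reach the boot volume, and MBAM "quarantined and deleted" them along with everything else. A reviewer scanning the log before pressing Remove Selected could have caught that. The script below is an added example, not code from this forum or from Malwarebytes, that parses MBAM log lines of the shape posted here and flags any detection that would delete or unregister a boot-critical driver. The sample log is a constructed excerpt of the one above, and the `BOOT_CRITICAL_DRIVERS` set is an illustrative list assembled for this example (only atapi.sys comes from the thread).

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt in the shape of the second MBAM log posted above; the
# registry keys and file names are the ones shown in this thread.
SAMPLE_MBAM = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 3143

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atapi (Rootkit) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi (Rootkit) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\27rNnnBev.mph (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\atapi.sys (Rootkit) -> Quarantined and deleted successfully.
"""

# Illustrative allowlist of drivers an XP machine needs to reach its boot volume.
# Assembled for this example from well-known XP storage-stack names; atapi.sys is
# the one in this thread.  On a real machine you would derive the list from its
# own boot-start services rather than hard-code it.
BOOT_CRITICAL_DRIVERS = {
    "atapi.sys", "pciide.sys", "intelide.sys", "disk.sys",
    "classpnp.sys", "ftdisk.sys", "ntfs.sys",
}

# MBAM detection line: "<path> (<detection>) -> <action>"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam(text):
    """Return one dict per detection line, tagged with the section it appears in."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # "Files Infected:", "Registry Keys Infected:"
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items


def driver_for(item):
    """Map a detection to the driver file it would disable, or None.

    A Services\\<name> key is what makes Windows load <name>.sys, so deleting
    the key is as fatal to the boot as deleting the file itself.
    """
    path = item["path"]
    if item["section"].startswith("Registry"):
        parts = path.split("\\")
        if "Services" in parts:
            idx = parts.index("Services")
            if idx + 1 < len(parts):
                return parts[idx + 1].lower() + ".sys"
        return None
    return PureWindowsPath(path).name.lower()


def boot_critical_hits(items):
    """Detections that would remove or unregister a boot-critical driver."""
    return [i for i in items if driver_for(i) in BOOT_CRITICAL_DRIVERS]


def assess(text):
    """Summarise a log as (total detections, hits that need a human before removal)."""
    items = parse_mbam(text)
    return len(items), boot_critical_hits(items)


if __name__ == "__main__":
    total, hits = assess(SAMPLE_MBAM)
    print(f"{total} detections, {len(hits)} touch boot-critical drivers:")
    for h in hits:
        print(f"  [{h['detection']}] {h['path']} -> {h['action']}")
```

On the sample this returns 6 detections with 4 flagged, all of them the atapi entries. A flag is not a verdict: a boot-start driver can genuinely be patched by a rootkit, so the right follow-up is to compare the flagged file's hash and digital signature against a known-good copy of the same Windows build before letting anything delete it, and to untick it from the removal list until that check is done. Doing the check first costs minutes; skipping it, as this thread shows, can cost the install.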

Re: System Antivirus Pro 2009

Post by Aprius on Wed Nov 11, 2009 10:11 pm

*Sigh* No, I do not. I have a Windows 98 disk and some serials, but apparently it's a burnt CD, and I've no clue how I got it, or whether or not it will work.

Is this partially my fault? Like, if I didn't Quar and delete those files, would I have had this problem?

Also, I have MBAM on THIS computer, should I delete it?



Re: System Antivirus Pro 2009

Post by Belahzur on Wed Nov 11, 2009 11:01 pm

Hello.
No, not your fault, a slight error in MBAM, see here:
[You must be registered and logged in to see this link.]

We can try a system restore, hopefully there is a restore point in there somewhere.

Do you have another machine (the machine you're using now?) that can write to CDs? Usually Windows lets you do a drag-and-drop to burn CDs; we can try and use the ultimate boot CDs as others have on the MBAM forums.

