
Antivirus system pro


Post by Leo Smith on Mon Nov 16, 2009 3:06 pm

Once again I turn to the gurus of malware removal. I have something called antivirus system pro and it is being a pain to remove.
Your assistance would be greatly appreciated. Here is a hijack log to start:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:09 AM, on 11/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\DOCUME~1\Meliski\LOCALS~1\Temp\d.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Documents and Settings\Meliski\Local Settings\Application Data\ygyend\lroksysguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\All Users\Defence\smss.exe
C:\WINDOWS\srcdll.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\opeia.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\FastNetSrv.exe
C:\Program Files\AVG\AVG8\avgupd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\lsm32.sys

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: [You must be registered and logged in to see this link.]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [qbnlbtve] C:\Documents and Settings\Meliski\Local Settings\Application Data\ygyend\lroksysguard.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WSD] "C:\Documents and Settings\All Users\Application Data\01b8a72\WS01b8.exe" /s
O4 - HKCU\..\Run: [Defence] "C:\Documents and Settings\All Users\Defence\smss.exe" -SystemDefence
O4 - HKCU\..\Run: [MailBlocker] C:\DOCUME~1\Meliski\LOCALS~1\Temp\d.exe
O4 - HKCU\..\Run: [qbnlbtve] C:\Documents and Settings\Meliski\Local Settings\Application Data\ygyend\lroksysguard.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\srcdll.exe
O8 - Extra context menu item: Append to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - [You must be registered and logged in to see this link.] Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = McgAshDom
O17 - HKLM\Software\..\Telephony: DomainName = McgAshDom
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = McgAshDom
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = McgAshDom
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - [You must be registered and logged in to see this link.]

--
End of file - 10131 bytes
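The path-based checks a helper applies when reading a log like the one above, as an added example written for this thread (not code from HijackThis or from any tool the posters used). All function and constant names are hypothetical, and the sample input is an excerpt of the log posted above:

```python
"""Triage of HijackThis 'Running processes' and O4 autorun entries.

Hypothetical helper written for this thread; it is not part of HijackThis or
any tool mentioned here. It applies path heuristics that separate the rogue
entries in the log above from the legitimate ones: an image launched from a
user-writable profile or temp directory, a core Windows binary name (smss.exe,
svchost.exe, ...) running from somewhere other than System32, and a non-.exe
file listed as a running process.
"""
import re
from dataclasses import dataclass, field

# 8.3 short names HijackThis prints for some paths, expanded so the same
# directory compares equal whether it was logged long or short.
SHORT_NAMES = {
    "docume~1": "documents and settings",
    "locals~1": "local settings",
    "progra~1": "program files",
    "applic~1": "application data",
}

# Directories an ordinary user can write to; legitimate autoruns rarely live here.
USER_WRITABLE_DIRS = ("\\documents and settings\\", "\\windows\\temp\\")

# Names of core Windows binaries that only ever run from %SystemRoot%\System32.
SYSTEM_ONLY_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                     "services.exe", "lsass.exe", "svchost.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable extension, quoted or not.
IMAGE_RE = re.compile(r'[a-z]:\\.*?\.(?:exe|dll|sys|scr|bat|cmd)(?=["\s,]|$)', re.I)


@dataclass
class Finding:
    kind: str      # "process" or "O4"
    label: str     # autorun value name, or the image file name for a process
    path: str
    reasons: list = field(default_factory=list)


def normalize(path: str) -> str:
    """Lower-case the path and expand 8.3 short directory names."""
    return "\\".join(SHORT_NAMES.get(p, p) for p in path.lower().split("\\"))


def assess(path: str, kind: str) -> list:
    """Return the heuristic reasons a path looks suspicious (empty list if none)."""
    p = normalize(path)
    directory, _, name = p.rpartition("\\")
    directory += "\\"
    reasons = []
    if name in SYSTEM_ONLY_NAMES and not directory.endswith("\\windows\\system32\\"):
        reasons.append("core system binary name outside System32")
    if any(d in directory for d in USER_WRITABLE_DIRS):
        reasons.append("image in user-writable profile/temp directory")
    if kind == "process" and not name.endswith(".exe"):
        reasons.append("non-.exe image listed as a running process")
    return reasons


def triage(log_text: str) -> list:
    """Scan a HijackThis log and return Findings for suspicious processes and O4 entries."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:               # blank line ends the process list
                in_processes = False
                continue
            reasons = assess(line, "process")
            if reasons:
                findings.append(Finding("process", line.rsplit("\\", 1)[-1], line, reasons))
            continue
        m = O4_RE.match(line)
        if m:
            img = IMAGE_RE.search(m.group("cmd"))
            if img is None:
                continue               # bare file name such as stsystra.exe: no path to judge
            reasons = assess(img.group(0), "O4")
            if reasons:
                findings.append(Finding("O4", m.group("name"), img.group(0), reasons))
    return findings


# Excerpt of the HijackThis log posted above (constructed sample input for the demo).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Meliski\LOCALS~1\Temp\d.exe
C:\Documents and Settings\Meliski\Local Settings\Application Data\ygyend\lroksysguard.exe
C:\Documents and Settings\All Users\Defence\smss.exe
C:\WINDOWS\srcdll.exe
C:\WINDOWS\system32\lsm32.sys

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [qbnlbtve] C:\Documents and Settings\Meliski\Local Settings\Application Data\ygyend\lroksysguard.exe
O4 - HKCU\..\Run: [WSD] "C:\Documents and Settings\All Users\Application Data\01b8a72\WS01b8.exe" /s
O4 - HKCU\..\Run: [Defence] "C:\Documents and Settings\All Users\Defence\smss.exe" -SystemDefence
O4 - HKCU\..\Run: [MailBlocker] C:\DOCUME~1\Meliski\LOCALS~1\Temp\d.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\srcdll.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:7} {f.label:16} {f.path}\n        -> {'; '.join(f.reasons)}")
```

Note that `C:\WINDOWS\srcdll.exe` passes both path heuristics even though the later Malwarebytes log flags it, which is why a helper still reads the full log rather than relying on location alone.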


Re: Antivirus system pro

Post by Leo Smith on Mon Nov 16, 2009 3:40 pm

I have downloaded your version of Malwarebytes and run a scan.
Malwarebytes will not update, so I ran the version from your download.
MW scanned, found files and removed them, but did not get rid of Antivirus System Pro. Malwarebytes log:

Malwarebytes' Anti-Malware 1.41
Database version: 2797
Windows 5.1.2600 Service Pack 3

11/16/2009 10:27:59 AM
mbam-log-2009-11-16 (10-27-59).txt

Scan type: Quick Scan
Objects scanned: 111464
Time elapsed: 11 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.BHO) -> Quarantined and deleted successfully.


Re: Antivirus system pro

Post by Belahzur on Mon Nov 16, 2009 6:34 pm

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.



Re: Antivirus system pro

Post by Leo Smith on Mon Nov 16, 2009 7:11 pm

Malwarebytes will not update.
In the meantime I found a Win32/Virut infection.
I ran AVG virut removal tool and now I have a blank desktop with no start bar.
Any ideas on that?


Re: Antivirus system pro

Post by Leo Smith on Mon Nov 16, 2009 7:57 pm

After reloading explorer.exe I was able to update Malwarebytes. I am running a scan now and will post the log.


Re: Antivirus system pro

Post by Leo Smith on Mon Nov 16, 2009 8:05 pm

It appears that Antivirus Pro is now gone. Now I just get a box at start-up that says: "To finish the process the computer must restart. Do you want to restart?" As far as I can tell the message is not associated with any program.
Here is my log file:


Malwarebytes' Anti-Malware 1.41
Database version: 3181
Windows 5.1.2600 Service Pack 3

11/16/2009 2:58:42 PM
mbam-log-2009-11-16 (14-58-42).txt

Scan type: Quick Scan
Objects scanned: 124163
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 4
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 16
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 36

Memory Processes Infected:
C:\Documents and Settings\Meliski\Local Settings\Temp\d.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\All Users\Defence\smss.exe (Trojan.Buzus) -> Unloaded process successfully.
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\srcdll.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\BtwSrv.dll (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\fastnetsrv (Backdoor.Refpron) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BTWSRV (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fastnetsrv (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defence (Trojan.Buzus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mailblocker (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qbnlbtve (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qbnlbtve (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\BtwSrv.dll (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\Meliski\Local Settings\Temp\d.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Defence\smss.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iehelper.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\opeia.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rdolib.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mscert.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\txpxr_584576297539.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\txpxr_75942169851.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRT2C1.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\VRT5.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tmp0_661416843043.bk.old (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Meliski\Local Settings\Temp\e.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Meliski\Local Settings\Temp\c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Meliski\Local Settings\Temp\50549.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\456V83GB\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\456V83GB\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\456V83GB\w[3].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IVQ34BCD\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IVQ34BCD\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IVQ34BCD\w[3].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\U7WXA5I7\w[3].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W3YZIJ2F\w[3].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Meliski\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FastNetSrv.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Meliski\Local Settings\Temp\4ae722ee372680dc8798164166873fa5.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Meliski\Local Settings\Application Data\ygyend\lroksysguard.exe (Trojan.FakeAlert.N) -> Delete on reboot.
C:\WINDOWS\srcdll.exe (Trojan.Agent) -> Quarantined and deleted successfully.


Re: Antivirus system pro

Post by Belahzur on Mon Nov 16, 2009 8:22 pm

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Antivirus system pro

Post by Leo Smith on Tue Nov 17, 2009 4:08 am

Every time I try to install Combo-Fix I get:
Date Error: 2009-11-16
Check your settings


Re: Antivirus system pro

Post by Leo Smith on Tue Nov 17, 2009 2:45 pm

I finally got ComboFix to run. Here is the log:

ComboFix 09-11-17.01 - Meliski 11/17/2009 9:35.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2651 [GMT -5:00]
Running from: c:\documents and settings\Meliski\Desktop\schrauber.exe
AV: AVG Anti-Virus Network Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Meliski\LOCALS~1\Temp\0.EXE
c:\windows\Install.txt
c:\windows\system32\3829264.exe
c:\windows\system32\4562014.exe
c:\windows\system32\8105433.exe
c:\windows\system32\Install.txt

Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0015614.exe

Infected copy of c:\windows\system32\spoolsv.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0015608.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-17 04:12 . 2008-04-14 00:12 33280 ----a-w- c:\windows\system32\rundll32.exe
2009-11-17 04:12 . 2008-04-14 00:12 33280 ----a-w- c:\windows\system32\dllcache\rundll32.exe
2009-11-16 19:51 . 2008-04-14 00:12 1033728 ----a-w- c:\windows\explorer.exe
2009-11-16 00:35 . 2009-11-16 00:35 -------- d-----w- c:\program files\Trend Micro
2009-11-15 22:57 . 2009-11-15 22:57 110592 ----a-w- c:\documents and settings\Meliski\Application Data\U3\00001680D7749AD3\cleanup.exe
2009-11-15 22:57 . 2009-11-15 22:57 -------- d-----w- c:\documents and settings\Meliski\Application Data\U3
2009-11-14 12:21 . 2009-11-14 12:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-13 22:54 . 2009-11-16 19:59 -------- d-----w- c:\documents and settings\Meliski\Local Settings\Application Data\ygyend
2009-11-13 21:20 . 2009-11-15 21:20 348 ----a-w- c:\windows\system32\uses32.dat
2009-11-13 21:19 . 2009-11-16 19:58 -------- d-----w- c:\documents and settings\All Users\Defence
2009-11-13 21:18 . 2009-11-13 21:32 0 ----a-w- c:\documents and settings\All Users\Application Data\01b8a72\WS01b8.exe
2009-11-13 21:16 . 2009-11-13 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\01b8a72
2009-11-11 21:18 . 2008-04-13 19:45 26368 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2009-11-03 12:55 . 2009-11-03 12:55 -------- d-----w- c:\documents and settings\Meliski\Application Data\AVG8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-16 18:22 . 2009-08-04 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-16 15:14 . 2009-09-19 18:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-16 00:38 . 2009-08-04 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-15 01:43 . 2009-10-12 13:24 -------- d-----w- c:\program files\QuickTime
2009-11-14 01:08 . 2009-08-05 00:50 -------- d-----w- c:\program files\McGill
2009-11-14 00:47 . 2009-08-04 21:24 -------- d-----w- c:\program files\AutoCAD Civil 3D 2009
2009-11-14 00:31 . 2009-08-04 21:13 -------- d-----w- c:\program files\AutoCAD 2009
2009-11-11 22:36 . 2009-09-19 17:40 404352 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-26 19:37 . 2009-08-06 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-10-12 13:25 . 2009-10-12 13:25 -------- d-----w- c:\program files\Common Files\Apple
2009-10-12 13:24 . 2009-10-12 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-24 23:16 . 2009-09-15 13:11 -------- d-----w- c:\program files\Google
2009-09-21 12:50 . 2009-08-05 00:44 57152 ----a-w- c:\documents and settings\Meliski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 18:00 . 2009-09-19 18:00 -------- d-----w- c:\documents and settings\Meliski\Application Data\Malwarebytes
2009-09-19 18:00 . 2009-09-19 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-19 17:53 . 2009-09-19 17:53 -------- d-----w- c:\program files\CCleaner
2009-09-19 17:42 . 2009-09-19 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-19 17:35 . 2009-08-04 20:59 -------- d-----w- c:\program files\Microsoft Works
2009-09-17 13:00 . 2009-09-17 13:00 130 ----a-w- c:\documents and settings\Meliski\Local Settings\Application Data\fusioncache.dat
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-09-19 18:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-19 18:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-11 22:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-03-07 20:49 . 2008-03-07 20:49 9285632 ----a-w- c:\program files\HydraflowExpress.exe
2008-03-07 20:49 . 2008-03-07 20:49 5693440 ----a-w- c:\program files\Hydro2007.exe
2008-03-07 20:49 . 2008-03-07 20:49 7053312 ----a-w- c:\program files\Storm2009.exe
2008-03-07 20:49 . 2008-03-07 20:49 6850 ----a-w- c:\program files\Storm2009.ini
2008-03-07 20:49 . 2008-03-07 20:49 2602 ----a-w- c:\program files\AllFields.rpt
2008-03-07 20:48 . 2008-03-07 20:48 3883846 ----a-w- c:\program files\Storm_Sewers_User_Guide.pdf
2008-03-07 20:48 . 2008-03-07 20:48 1216 ----a-w- c:\program files\Express.ini
2008-03-07 20:48 . 2008-03-07 20:48 884140 ----a-w- c:\program files\Hydrographs.chm
2008-03-07 20:48 . 2008-03-07 20:48 482979 ----a-w- c:\program files\Storm_Sewers.chm
2008-03-07 20:48 . 2008-03-07 20:48 2928916 ----a-w- c:\program files\Hydrographs_User_Guide.pdf
2008-03-07 20:48 . 2008-03-07 20:48 1180801 ----a-w- c:\program files\Express_User_Guide.pdf
2007-10-05 15:40 . 2007-10-05 15:40 9512 ----a-w- c:\program files\Hydro2007.ini
2007-04-30 20:38 . 2007-04-30 20:38 598 ----a-w- c:\program files\Storm2008.exe.manifest
2007-03-21 21:07 . 2007-03-21 21:07 486562 ----a-w- c:\program files\Sample2007.gpw
2007-03-21 20:48 . 2007-03-21 20:48 85431 ----a-w- c:\program files\PondToolsExample.gpw
2007-03-21 19:44 . 2007-03-21 19:44 141075 ----a-w- c:\program files\PreandPostDevelopment2007.gpw
2007-02-07 20:28 . 2007-02-07 20:28 208841 ----a-w- c:\program files\WatershedBasics2007.gpw
2007-01-24 15:29 . 2007-01-24 15:29 288 ----a-w- c:\program files\Sample.pcp
2006-12-13 16:29 . 2006-12-13 16:29 8783 ----a-w- c:\program files\Sample.cds
2006-12-13 16:17 . 2006-12-13 16:17 392 ----a-w- c:\program files\SampleFHA.idf
2006-12-13 16:17 . 2006-12-13 16:17 327790 ----a-w- c:\program files\Interconnected.gpw
2006-10-09 20:47 . 2006-10-09 20:47 5117 ----a-w- c:\program files\SampleExpress.hxp
2006-02-07 20:43 . 2006-02-07 20:43 508 ----a-w- c:\program files\FLZone1H.IDF
2006-01-26 20:13 . 2006-01-26 20:13 189 ----a-w- c:\program files\SampleExpress.pcp
2005-11-14 16:39 . 2005-11-14 16:39 426 ----a-w- c:\program files\SampleExpress.IDF
2005-04-01 14:54 . 2005-04-01 14:54 637 ----a-w- c:\program files\HydraflowExpress.exe.manifest
2004-10-18 22:29 . 2004-10-18 22:29 508 ----a-w- c:\program files\FLZone1.IDF
2004-04-02 13:47 . 2004-04-02 13:47 8715 ----a-w- c:\program files\NJWaterQuality.cds
2003-12-15 22:01 . 2003-12-15 22:01 9554 ----a-w- c:\program files\TypeIIAsCustom.cds
2003-02-06 21:22 . 2003-02-06 21:22 596 ----a-w- c:\program files\Hydro2007.exe.manifest
2001-08-18 10:00 . 2001-08-18 10:00 7376 ----a-w- c:\program files\InsJunct.WAV
2001-08-18 10:00 . 2001-08-18 10:00 1290 ----a-w- c:\program files\Undo.WAV
1999-08-20 16:18 . 1999-08-20 16:18 13920 ----a-w- c:\program files\DelLine.wav
1999-01-21 13:55 . 1999-01-21 13:55 382 ----a-w- c:\program files\Click.wav
1999-01-21 13:55 . 1999-01-21 13:55 1128 ----a-w- c:\program files\Snapped.WAV
1999-01-21 13:55 . 1999-01-21 13:55 10200 ----a-w- c:\program files\AddLine.wav
1996-04-12 22:19 . 1996-04-12 22:19 11520 ----a-w- c:\program files\Compute.wav
.

------- Sigcheck -------

[-] 2008-04-14 . 5BABF3B3CF6CE55634621A2AA68B209F . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe

[-] 2008-04-14 . 8C17D6E9E373E5128450F0DF8F16E8D7 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
[-] 2004-08-04 . 6A037311F714B269A95FA27C0D036E09 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe

[-] 2008-04-14 . A8CF07F993626AFBE3DCD129BAE198D7 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 . A8CF07F993626AFBE3DCD129BAE198D7 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-08-06 2356088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-15 39408]
"WSD"="c:\documents and settings\All Users\Application Data\01b8a72\WS01b8.exe" [2009-11-13 0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-04 20:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnctcp
"5900:UDP"= 5900:UDP:vncudp

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/4/2009 3:33 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/4/2009 3:33 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/4/2009 3:33 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/4/2009 3:33 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/4/2009 3:33 PM 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/15/2009 8:11 AM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-11-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-15 13:11]

2009-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-15 13:11]

2009-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-15 13:11]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: mcgillengineers.com\vision
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Meliski\Application Data\Mozilla\Firefox\Profiles\jl3y13n1.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DLA - c:\windows\System32\DLA\DLACTRLW.EXE
HKLM-Run-SigmatelSysTrayApp - stsystra.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-17 09:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2836)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-11-17 09:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-17 14:43

Pre-Run: 53,615,087,616 bytes free
Post-Run: 53,943,267,328 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6A11A97FD0080B8C6F3CC22D21415D1D

Leo Smith
Intermediate

Posts : 87
Joined : 2009-05-07
Gender : Male
OS : XP
Points : 28285
# Likes : 0

Re: Antivirus system pro

Post by Belahzur on Tue Nov 17, 2009 3:23 pm

Hello.

Wow, this machine is lucky to be alive with this amount of damage.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\uses32.dat

    Folder::
    c:\documents and settings\Meliski\Local Settings\Application Data\ygyend
    c:\documents and settings\All Users\Application Data\01b8a72

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WSD"=-

    Driver::
    BtwSrv

    NetSvc::
    BtwSrv
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1
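An added example, not ComboFix's own code and not the helper's tooling: a small Python triage script that parses the Reg Loading Points block of a ComboFix log (the excerpt embedded below is a constructed sample in the same layout as the log above), flags the traits the CFScript above acted on (a zero-byte autorun target, a target under an Application Data folder with a hex-looking random name, the Windows Firewall switched off), and drafts the Folder:: and Registry:: sections of a CFScript for a human to review. The hex-folder and zero-size heuristics are my assumptions, not ComboFix rules.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the layout of ComboFix's "Reg Loading Points" block
# (same format as the log posted above; values copied from it).
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-15 39408]
"WSD"="c:\documents and settings\All Users\Application Data\01b8a72\WS01b8.exe" [2009-11-13 0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="path" [YYYY-MM-DD size]  -- a file-backed value with ComboFix's date/size tag
FILE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]*)"\s*'
    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)
# "name"= 0 (0x0)  -- a DWORD value
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>\d+)\s*\(0x[0-9a-fA-F]+\)$')
# the folder sitting directly under an Application Data directory
APPDATA_RE = re.compile(r"\\application data\\(?P<folder>[^\\]+)\\", re.IGNORECASE)
# assumption: a short, all-hex folder name is treated as randomly generated
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{6,12}$")


@dataclass
class Finding:
    key: str
    name: str
    path: str          # empty for DWORD findings
    reasons: tuple


def parse_entries(log_text):
    """Return (file_values, dword_values) found in the REGEDIT4-style block."""
    key = None
    files, dwords = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = FILE_RE.match(line)
        if m:
            files.append((key, m.group("name"), m.group("path"), int(m.group("size"))))
            continue
        m = DWORD_RE.match(line)
        if m:
            dwords.append((key, m.group("name"), int(m.group("value"))))
    return files, dwords


def triage(log_text):
    """Flag Run entries with a zero-byte target or a hex-named Application Data
    folder, and a standard-profile firewall policy that is switched off."""
    files, dwords = parse_entries(log_text)
    findings = []
    for key, name, path, size in files:
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        reasons = []
        if size == 0:
            reasons.append("zero-byte autorun target")
        m = APPDATA_RE.search(path)
        if m and RANDOM_NAME_RE.match(m.group("folder")):
            reasons.append("hex-named folder under Application Data: " + m.group("folder"))
        if reasons:
            findings.append(Finding(key, name, path, tuple(reasons)))
    for key, name, value in dwords:
        if name == "EnableFirewall" and value == 0 and "firewallpolicy" in key.lower():
            findings.append(Finding(key, name, "", ("Windows Firewall disabled for this profile",)))
    return findings


def draft_cfscript(findings):
    """Draft Folder:: and Registry:: sections in the CFScript layout used in the
    thread; the output is for a human to review, not to run unread."""
    folders, registry = [], []
    for f in findings:
        if not f.path:
            continue                      # DWORD findings have no file to remove
        registry.append('[{}]\n"{}"=-'.format(f.key, f.name))
        m = APPDATA_RE.search(f.path)
        if m:
            folders.append(f.path[:m.end() - 1])   # the folder itself, not just the exe
    parts = []
    if folders:
        parts.append("Folder::\n" + "\n".join(folders))
    if registry:
        parts.append("Registry::\n" + "\n".join(registry))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.name + ": " + "; ".join(f.reasons))
    print(draft_cfscript(triage(SAMPLE_LOG)))
```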

Re: Antivirus system pro

Post by Leo Smith on Tue Nov 17, 2009 3:50 pm

The next combofix.txt:

ComboFix 09-11-17.01 - Meliski 11/17/2009 10:43.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2786 [GMT -5:00]
Running from: c:\documents and settings\Meliski\Desktop\schrauber.exe
Command switches used :: c:\documents and settings\Meliski\Desktop\CFScript.txt
AV: AVG Anti-Virus Network Edition *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\uses32.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\01b8a72
c:\documents and settings\All Users\Application Data\01b8a72\WS01b8.exe
c:\documents and settings\Meliski\Local Settings\Application Data\ygyend
c:\windows\system32\uses32.dat

.
((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))
.

2009-11-17 04:12 . 2008-04-14 00:12 33280 ----a-w- c:\windows\system32\rundll32.exe
2009-11-17 04:12 . 2008-04-14 00:12 33280 ----a-w- c:\windows\system32\dllcache\rundll32.exe
2009-11-16 19:51 . 2008-04-14 00:12 1033728 ------w- c:\windows\explorer.exe
2009-11-16 00:35 . 2009-11-16 00:35 -------- d-----w- c:\program files\Trend Micro
2009-11-15 22:57 . 2009-11-15 22:57 110592 ----a-w- c:\documents and settings\Meliski\Application Data\U3\00001680D7749AD3\cleanup.exe
2009-11-15 22:57 . 2009-11-15 22:57 -------- d-----w- c:\documents and settings\Meliski\Application Data\U3
2009-11-14 12:21 . 2009-11-14 12:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-11-13 21:19 . 2009-11-16 19:58 -------- d-----w- c:\documents and settings\All Users\Defence
2009-11-11 21:18 . 2008-04-13 19:45 26368 ----a-w- c:\windows\system32\dllcache\usbstor.sys
2009-11-03 12:55 . 2009-11-03 12:55 -------- d-----w- c:\documents and settings\Meliski\Application Data\AVG8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-16 18:22 . 2009-08-04 20:33 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-11-16 15:14 . 2009-09-19 18:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-16 00:38 . 2009-08-04 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-15 01:43 . 2009-10-12 13:24 -------- d-----w- c:\program files\QuickTime
2009-11-14 01:08 . 2009-08-05 00:50 -------- d-----w- c:\program files\McGill
2009-11-14 00:47 . 2009-08-04 21:24 -------- d-----w- c:\program files\AutoCAD Civil 3D 2009
2009-11-14 00:31 . 2009-08-04 21:13 -------- d-----w- c:\program files\AutoCAD 2009
2009-11-11 22:36 . 2009-09-19 17:40 404352 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-26 19:37 . 2009-08-06 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-10-12 13:25 . 2009-10-12 13:25 -------- d-----w- c:\program files\Common Files\Apple
2009-10-12 13:24 . 2009-10-12 13:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-09-24 23:16 . 2009-09-15 13:11 -------- d-----w- c:\program files\Google
2009-09-21 12:50 . 2009-08-05 00:44 57152 ----a-w- c:\documents and settings\Meliski\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 18:00 . 2009-09-19 18:00 -------- d-----w- c:\documents and settings\Meliski\Application Data\Malwarebytes
2009-09-19 18:00 . 2009-09-19 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-19 17:53 . 2009-09-19 17:53 -------- d-----w- c:\program files\CCleaner
2009-09-19 17:42 . 2009-09-19 17:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-19 17:35 . 2009-08-04 20:59 -------- d-----w- c:\program files\Microsoft Works
2009-09-17 13:00 . 2009-09-17 13:00 130 ----a-w- c:\documents and settings\Meliski\Local Settings\Application Data\fusioncache.dat
2009-09-11 14:18 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-09-19 18:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-19 18:00 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-11 22:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-11 22:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-11 22:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-03-07 20:49 . 2008-03-07 20:49 9285632 ----a-w- c:\program files\HydraflowExpress.exe
2008-03-07 20:49 . 2008-03-07 20:49 5693440 ----a-w- c:\program files\Hydro2007.exe
2008-03-07 20:49 . 2008-03-07 20:49 7053312 ----a-w- c:\program files\Storm2009.exe
2008-03-07 20:49 . 2008-03-07 20:49 6850 ----a-w- c:\program files\Storm2009.ini
2008-03-07 20:49 . 2008-03-07 20:49 2602 ----a-w- c:\program files\AllFields.rpt
2008-03-07 20:48 . 2008-03-07 20:48 3883846 ----a-w- c:\program files\Storm_Sewers_User_Guide.pdf
2008-03-07 20:48 . 2008-03-07 20:48 1216 ----a-w- c:\program files\Express.ini
2008-03-07 20:48 . 2008-03-07 20:48 884140 ----a-w- c:\program files\Hydrographs.chm
2008-03-07 20:48 . 2008-03-07 20:48 482979 ----a-w- c:\program files\Storm_Sewers.chm
2008-03-07 20:48 . 2008-03-07 20:48 2928916 ----a-w- c:\program files\Hydrographs_User_Guide.pdf
2008-03-07 20:48 . 2008-03-07 20:48 1180801 ----a-w- c:\program files\Express_User_Guide.pdf
2007-10-05 15:40 . 2007-10-05 15:40 9512 ----a-w- c:\program files\Hydro2007.ini
2007-04-30 20:38 . 2007-04-30 20:38 598 ----a-w- c:\program files\Storm2008.exe.manifest
2007-03-21 21:07 . 2007-03-21 21:07 486562 ----a-w- c:\program files\Sample2007.gpw
2007-03-21 20:48 . 2007-03-21 20:48 85431 ----a-w- c:\program files\PondToolsExample.gpw
2007-03-21 19:44 . 2007-03-21 19:44 141075 ----a-w- c:\program files\PreandPostDevelopment2007.gpw
2007-02-07 20:28 . 2007-02-07 20:28 208841 ----a-w- c:\program files\WatershedBasics2007.gpw
2007-01-24 15:29 . 2007-01-24 15:29 288 ----a-w- c:\program files\Sample.pcp
2006-12-13 16:29 . 2006-12-13 16:29 8783 ----a-w- c:\program files\Sample.cds
2006-12-13 16:17 . 2006-12-13 16:17 392 ----a-w- c:\program files\SampleFHA.idf
2006-12-13 16:17 . 2006-12-13 16:17 327790 ----a-w- c:\program files\Interconnected.gpw
2006-10-09 20:47 . 2006-10-09 20:47 5117 ----a-w- c:\program files\SampleExpress.hxp
2006-02-07 20:43 . 2006-02-07 20:43 508 ----a-w- c:\program files\FLZone1H.IDF
2006-01-26 20:13 . 2006-01-26 20:13 189 ----a-w- c:\program files\SampleExpress.pcp
2005-11-14 16:39 . 2005-11-14 16:39 426 ----a-w- c:\program files\SampleExpress.IDF
2005-04-01 14:54 . 2005-04-01 14:54 637 ----a-w- c:\program files\HydraflowExpress.exe.manifest
2004-10-18 22:29 . 2004-10-18 22:29 508 ----a-w- c:\program files\FLZone1.IDF
2004-04-02 13:47 . 2004-04-02 13:47 8715 ----a-w- c:\program files\NJWaterQuality.cds
2003-12-15 22:01 . 2003-12-15 22:01 9554 ----a-w- c:\program files\TypeIIAsCustom.cds
2003-02-06 21:22 . 2003-02-06 21:22 596 ----a-w- c:\program files\Hydro2007.exe.manifest
2001-08-18 10:00 . 2001-08-18 10:00 7376 ----a-w- c:\program files\InsJunct.WAV
2001-08-18 10:00 . 2001-08-18 10:00 1290 ----a-w- c:\program files\Undo.WAV
1999-08-20 16:18 . 1999-08-20 16:18 13920 ----a-w- c:\program files\DelLine.wav
1999-01-21 13:55 . 1999-01-21 13:55 382 ----a-w- c:\program files\Click.wav
1999-01-21 13:55 . 1999-01-21 13:55 1128 ----a-w- c:\program files\Snapped.WAV
1999-01-21 13:55 . 1999-01-21 13:55 10200 ----a-w- c:\program files\AddLine.wav
1996-04-12 22:19 . 1996-04-12 22:19 11520 ----a-w- c:\program files\Compute.wav
.

------- Sigcheck -------

[-] 2008-04-14 . 5BABF3B3CF6CE55634621A2AA68B209F . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe

[-] 2008-04-14 . 8C17D6E9E373E5128450F0DF8F16E8D7 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
[-] 2004-08-04 . 6A037311F714B269A95FA27C0D036E09 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe

[-] 2008-04-14 . A8CF07F993626AFBE3DCD129BAE198D7 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 . A8CF07F993626AFBE3DCD129BAE198D7 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-08-06 2356088]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-15 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-07-09 1657376]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-04 20:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnctcp
"5900:UDP"= 5900:UDP:vncudp

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/4/2009 3:33 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/4/2009 3:33 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/4/2009 3:33 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [8/4/2009 3:33 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/4/2009 3:33 PM 297752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/15/2009 8:11 AM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-11-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-11-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-15 13:11]

2009-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-15 13:11]

2009-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-15 13:11]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: mcgillengineers.com\vision
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Meliski\Application Data\Mozilla\Firefox\Profiles\jl3y13n1.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-11-17 10:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-11-17 10:47
ComboFix-quarantined-files.txt 2009-11-17 15:47
ComboFix2.txt 2009-11-17 14:43

Pre-Run: 53,991,989,248 bytes free
Post-Run: 53,975,048,192 bytes free

- - End Of File - - BA42346044F739489D0ADADFF13D0B6F


Re: Antivirus system pro

Post by Belahzur on Tue Nov 17, 2009 3:56 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?





Re: Antivirus system pro

Post by Leo Smith on Tue Nov 17, 2009 4:03 pm

I ran combofix /u. Is it supposed to run another scan?


Re: Antivirus system pro

Post by Leo Smith on Tue Nov 17, 2009 4:04 pm

By the way, where are you located?


Re: Antivirus system pro

Post by Belahzur on Tue Nov 17, 2009 4:10 pm

No, no more scans. I'm somewhere in England. Shh a secret

You didn't say how the machine is running.





Re: Antivirus system pro

Post by Leo Smith on Tue Nov 17, 2009 4:14 pm

Every time I run combofix /u it starts another scan, which twice so far has ended up with the blue screen of death. I just did combofix /u again and it is running another scan and is now preparing a log report.

I am in North Carolina and just noticed the time difference, which is why I asked.


Re: Antivirus system pro

Post by Belahzur on Tue Nov 17, 2009 4:23 pm

If your /u command isn't working right, just close it off, delete the C:\Qoobox folder and delete ComboFix from your Desktop.





Re: Antivirus system pro

Post by Leo Smith on Tue Nov 17, 2009 4:30 pm

Am I cured? Everything seems to be running fine, except that every time I start the machine a box pops up that says:
The computer must be restarted before updating can continue. Would you like to restart now?

You cannot close this box unless you click Yes or No.
This has been happening since we noticed the virus.


Re: Antivirus system pro

Post by Belahzur on Tue Nov 17, 2009 9:39 pm

It's a Windows Update, allow it to reboot.





Re: Antivirus system pro

Post by Leo Smith on Wed Nov 18, 2009 7:24 pm

Thank you for your help.

