Also got the "Your PC Protector" Virus

Also got the "Your PC Protector" Virus

Post by PanzerschreckLeopard on 2nd February 2010, 3:12 pm

When I got the virus, Yahoo Messenger and Steam stopped popping up like usual... now they go fine. And the PC Protector window doesn't constantly come up.

I ran ComboFix, and here's my result. What next?




ComboFix 10-02-01.03 - User 02/02/2010 9:57.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2626 [GMT -5]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\documents and settings\All Users.\documents\settings\cbss.dll
c:\documents and settings\All Users\Documents\Settings\cbss.dll
c:\program files\adc32.dll
c:\program files\alggui.exe
c:\program files\nuar.old
c:\program files\svchost.exe
c:\program files\wp3.dat
c:\program files\wp4.dat
c:\windows\system32\SIntf16.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADBUPD
-------\Service_AdbUpd


((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
.

2010-02-02 14:43 . 2010-01-07 20:41 2066200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2010-02-02 14:41 . 2010-02-02 14:41 39936 ----a-w- c:\program files\adgamma.exe
2010-02-01 19:12 . 2010-02-01 19:12 -------- d-----w- c:\program files\schtml
2010-02-01 18:09 . 2010-02-01 18:09 -------- d-----w- C:\Your PC Protector
2010-02-01 18:08 . 2010-02-01 18:08 36 ----a-w- c:\program files\skynet.dat
2010-02-01 18:08 . 2010-02-02 14:47 -------- d-----w- c:\program files\Your PC Protector
2010-02-01 04:44 . 2010-02-01 04:44 -------- d-----w- c:\documents and settings\User\Application Data\Microsoft Games
2010-02-01 04:40 . 2010-02-01 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Games
2010-02-01 04:35 . 2010-02-01 04:35 -------- d-----w- c:\program files\Microsoft Games
2010-01-31 00:55 . 2010-01-31 00:55 297 ----a-w- c:\windows\EReg072.dat
2010-01-24 05:24 . 2010-01-24 05:24 -------- d-----w- c:\documents and settings\User\Application Data\TS3Client
2010-01-24 05:22 . 2010-01-24 05:22 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\TeamSpeak 3 Client
2010-01-17 05:30 . 2010-01-17 05:30 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-12 00:54 . 2010-01-12 00:54 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Help
2010-01-05 23:16 . 2010-01-05 23:16 -------- d-----w- c:\documents and settings\Darwin\Local Settings\Application Data\Mozilla
2010-01-04 22:29 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-04 22:29 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-03 21:11 . 2010-01-21 18:10 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-02 15:04 . 2009-12-09 01:12 -------- d-----w- c:\program files\Steam
2010-02-02 15:04 . 2009-12-08 22:33 -------- d-----w- c:\documents and settings\User\Application Data\OpenOffice.org2
2010-02-01 19:19 . 2009-12-08 22:33 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-01-31 21:17 . 2009-12-12 04:20 -------- d-----w- c:\program files\Maxis
2010-01-31 04:07 . 2008-04-14 12:00 12400 ----a-w- c:\windows\system32\drivers\secdrv.sys
2010-01-30 19:14 . 2008-04-14 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-19 22:58 . 2009-08-25 19:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-19 22:58 . 2009-12-03 23:44 -------- d-----w- c:\program files\EA GAMES
2010-01-11 02:03 . 2009-12-24 02:12 -------- d-----w- c:\documents and settings\User\Application Data\FileZilla
2010-01-09 21:45 . 2009-12-12 04:23 868 ----a-w- c:\windows\eReg.dat
2010-01-09 21:33 . 2009-12-03 23:44 -------- d-----w- c:\program files\GameSpy Arcade
2010-01-08 01:15 . 2009-12-24 02:12 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-03 06:47 . 2010-01-03 06:47 -------- d-----w- c:\program files\MSBuild
2010-01-03 06:47 . 2010-01-03 06:47 -------- d-----w- c:\program files\Reference Assemblies
2010-01-03 04:36 . 2010-01-03 04:36 -------- d-----w- c:\program files\SystemRequirementsLab
2010-01-03 04:36 . 2010-01-03 04:36 138240 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2010-01-03 04:36 . 2010-01-03 04:36 138240 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2010-01-03 04:36 . 2010-01-03 04:36 138240 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2010-01-03 04:36 . 2010-01-03 04:36 138240 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2010-01-03 04:36 . 2010-01-03 04:36 -------- d-----w- c:\documents and settings\User\Application Data\SystemRequirementsLab
2010-01-02 21:43 . 2010-01-02 21:38 -------- d-----w- c:\program files\Microsoft DirectX SDK (August 2009)
2010-01-02 21:38 . 2010-01-02 21:38 93512 ----a-w- c:\windows\dxsdkuninst.exe
2010-01-02 19:22 . 2010-01-02 19:22 -------- d-----w- c:\documents and settings\User\Application Data\Tropico 3
2010-01-02 19:20 . 2010-01-02 18:54 -------- d-----w- c:\program files\Tropico 3
2009-12-25 20:37 . 2009-12-25 20:37 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-24 04:01 . 2009-12-10 00:42 -------- d-----w- c:\program files\Tropico
2009-12-24 02:06 . 2009-12-24 02:06 -------- d-----w- c:\documents and settings\User\Application Data\SmartFTP
2009-12-24 02:05 . 2009-12-24 02:05 -------- d-----w- c:\program files\SmartFTP Client
2009-12-22 17:09 . 2009-12-18 23:33 -------- d-----w- c:\program files\World of Warcraft
2009-12-22 14:24 . 2009-12-22 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-12-21 19:14 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-19 01:53 . 2009-12-19 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-12-19 01:35 . 2009-12-04 00:01 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-12-19 01:35 . 2009-12-04 00:01 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-12-19 01:12 . 2009-12-18 23:33 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-12-16 00:27 . 2009-12-16 00:27 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-13 18:07 . 2009-12-13 18:06 -------- d-----w- c:\program files\Lexmark 1200 Series
2009-12-12 21:22 . 2009-12-12 21:22 -------- d-----w- c:\program files\Auran
2009-12-12 17:31 . 2009-12-06 02:10 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-12-11 01:14 . 2009-12-11 01:14 255127 ----a-w- c:\windows\Railroad Tycoon 2 Platinum Uninstaller.exe
2009-12-11 01:14 . 2009-12-11 01:14 -------- d-----w- c:\program files\Global Star Software
2009-12-11 01:14 . 2009-12-11 00:55 -------- d-----w- c:\documents and settings\User\Application Data\GetRightToGo
2009-12-11 00:51 . 2009-12-06 02:02 -------- d-----w- c:\program files\Railroad Tycoon 3
2009-12-10 21:52 . 2009-12-10 21:52 -------- d-----w- c:\documents and settings\Kira\Application Data\Yahoo!
2009-12-09 12:18 . 2009-12-08 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-08 21:05 . 2009-12-08 21:03 -------- d-----w- c:\documents and settings\User\Application Data\Yahoo!
2009-12-08 21:04 . 2009-12-08 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-12-08 21:03 . 2009-12-08 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-12-08 21:03 . 2009-12-08 21:01 -------- d-----w- c:\program files\Yahoo!
2009-12-08 20:48 . 2009-12-08 20:48 0 ----a-w- c:\windows\nsreg.dat
2009-12-08 16:26 . 2009-12-08 16:26 -------- d-----w- c:\program files\ZyXEL G-202
2009-12-08 16:26 . 2009-12-08 16:26 -------- d-----w- c:\documents and settings\User\Application Data\InstallShield
2009-12-08 15:32 . 2009-09-29 22:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-08 15:32 . 2009-09-29 22:17 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-08 15:32 . 2009-09-29 22:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-06 02:13 . 2009-12-06 02:13 -------- d-----w- c:\program files\directx
2009-12-05 20:33 . 2009-12-05 20:33 -------- d-----w- c:\program files\Sierra On-Line
2009-12-05 16:53 . 2009-12-05 16:53 -------- d-----w- c:\program files\18 Wheels of Steel American Long Haul
2009-12-04 02:18 . 2009-12-04 02:18 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-01 21:04 . 2009-08-25 17:12 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-21 08:46 . 2009-11-21 08:46 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-11-10 20:39 . 2009-12-08 21:03 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Steam"="c:\program files\Steam\Steam.exe" [2009-12-09 1217808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Loader"="c:\program files\adgamma.exe" [2010-02-02 39936]

c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ZyXEL G-202 Wireless Adapter Utility.lnk - c:\program files\ZyXEL G-202\ZyXEL G-202.exe [2009-12-8 10801152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-08 15:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/29/2009 5:17 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/29/2009 5:17 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/29/2009 5:17 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/29/2009 5:17 PM 297752]
R2 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [12/8/2009 11:26 AM 20736]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.SYS [12/8/2009 11:26 AM 519168]
S0 cerc6;cerc6; [x]
S2 ztmtdiy;ztmtdiy;\??\c:\windows\system32\drivers\sqxrqxmjops.sys --> c:\windows\system32\drivers\sqxrqxmjops.sys [?]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [12/8/2009 11:26 AM 20608]
S3 oflpydin;oflpydin;\??\c:\docume~1\User\LOCALS~1\Temp\oflpydin.sys --> c:\docume~1\User\LOCALS~1\Temp\oflpydin.sys [?]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [9/29/2009 4:22 PM 627072]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\p9khj3ef.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
BHO-{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02} - c:\program files\adc32.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-02 10:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2148)
c:\windows\system32\WININET.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
.
**************************************************************************
.
Completion time: 2010-02-02 10:07:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-02 15:06

Pre-Run: 436,878,905,344 bytes free
Post-Run: 437,154,885,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 415742A181DB99AED87EF0B9640F870B


Re: Also got the "Your PC Protector" Virus

Post by Belahzur on 2nd February 2010, 7:10 pm

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\program files\adgamma.exe
    c:\program files\skynet.dat

    Folder::
    C:\Your PC Protector
    c:\program files\Your PC Protector

    DirLook::
    c:\program files\schtml

    Driver::
    cerc6
    ztmtdiy
    oflpydin
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.





Re: Also got the "Your PC Protector" Virus

Post by PanzerschreckLeopard on 2nd February 2010, 7:54 pm

Here you go. I will note that everything seemed to work fine since the first time using ComboFix. But you know more than me.





ComboFix 10-02-01.05 - User 02/02/2010 14:41:47.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2434 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\program files\adgamma.exe"
"c:\program files\skynet.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\adgamma.exe
c:\program files\skynet.dat
c:\program files\Your PC Protector
C:\Your PC Protector
c:\your pc protector\Your PC Protector.lnk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OFLPYDIN
-------\Service_cerc6
-------\Service_oflpydin
-------\Service_ztmtdiy


((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
.

2010-02-02 14:43 . 2010-01-07 20:41 2066200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2010-02-01 19:12 . 2010-02-01 19:12 -------- d-----w- c:\program files\schtml
2010-02-01 04:44 . 2010-02-01 04:44 -------- d-----w- c:\documents and settings\User\Application Data\Microsoft Games
2010-02-01 04:40 . 2010-02-01 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Games
2010-02-01 04:35 . 2010-02-01 04:35 -------- d-----w- c:\program files\Microsoft Games
2010-01-31 00:55 . 2010-01-31 00:55 297 ----a-w- c:\windows\EReg072.dat
2010-01-24 05:24 . 2010-01-24 05:24 -------- d-----w- c:\documents and settings\User\Application Data\TS3Client
2010-01-24 05:22 . 2010-01-24 05:22 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\TeamSpeak 3 Client
2010-01-17 05:30 . 2010-01-17 05:30 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-12 00:54 . 2010-01-12 00:54 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Help
2010-01-05 23:16 . 2010-01-05 23:16 -------- d-----w- c:\documents and settings\Darwin\Local Settings\Application Data\Mozilla
2010-01-04 22:29 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-04 22:29 . 2009-08-07 00:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-01-03 21:11 . 2010-01-21 18:10 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-02 19:48 . 2009-12-08 22:33 -------- d-----w- c:\documents and settings\User\Application Data\OpenOffice.org2
2010-02-02 19:47 . 2009-12-09 01:12 -------- d-----w- c:\program files\Steam
2010-02-02 15:57 . 2009-08-28 19:32 14304 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-02 15:16 . 2009-12-08 22:33 1 ----a-w- c:\documents and settings\User\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-01-31 21:17 . 2009-12-12 04:20 -------- d-----w- c:\program files\Maxis
2010-01-31 04:07 . 2008-04-14 12:00 12400 ----a-w- c:\windows\system32\drivers\secdrv.sys
2010-01-30 19:14 . 2008-04-14 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-19 22:58 . 2009-08-25 19:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-19 22:58 . 2009-12-03 23:44 -------- d-----w- c:\program files\EA GAMES
2010-01-11 02:03 . 2009-12-24 02:12 -------- d-----w- c:\documents and settings\User\Application Data\FileZilla
2010-01-09 21:45 . 2009-12-12 04:23 868 ----a-w- c:\windows\eReg.dat
2010-01-09 21:33 . 2009-12-03 23:44 -------- d-----w- c:\program files\GameSpy Arcade
2010-01-08 01:15 . 2009-12-24 02:12 -------- d-----w- c:\program files\FileZilla FTP Client
2010-01-03 06:47 . 2010-01-03 06:47 -------- d-----w- c:\program files\MSBuild
2010-01-03 06:47 . 2010-01-03 06:47 -------- d-----w- c:\program files\Reference Assemblies
2010-01-03 04:36 . 2010-01-03 04:36 -------- d-----w- c:\program files\SystemRequirementsLab
2010-01-03 04:36 . 2010-01-03 04:36 138240 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2010-01-03 04:36 . 2010-01-03 04:36 138240 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2010-01-03 04:36 . 2010-01-03 04:36 138240 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2010-01-03 04:36 . 2010-01-03 04:36 138240 ----a-w- c:\documents and settings\User\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2010-01-03 04:36 . 2010-01-03 04:36 -------- d-----w- c:\documents and settings\User\Application Data\SystemRequirementsLab
2010-01-02 21:43 . 2010-01-02 21:38 -------- d-----w- c:\program files\Microsoft DirectX SDK (August 2009)
2010-01-02 21:38 . 2010-01-02 21:38 93512 ----a-w- c:\windows\dxsdkuninst.exe
2010-01-02 19:22 . 2010-01-02 19:22 -------- d-----w- c:\documents and settings\User\Application Data\Tropico 3
2010-01-02 19:20 . 2010-01-02 18:54 -------- d-----w- c:\program files\Tropico 3
2009-12-25 20:37 . 2009-12-25 20:37 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-24 04:01 . 2009-12-10 00:42 -------- d-----w- c:\program files\Tropico
2009-12-24 02:06 . 2009-12-24 02:06 -------- d-----w- c:\documents and settings\User\Application Data\SmartFTP
2009-12-24 02:05 . 2009-12-24 02:05 -------- d-----w- c:\program files\SmartFTP Client
2009-12-22 17:09 . 2009-12-18 23:33 -------- d-----w- c:\program files\World of Warcraft
2009-12-22 14:24 . 2009-12-22 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-12-21 19:14 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-19 01:53 . 2009-12-19 01:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2009-12-19 01:35 . 2009-12-04 00:01 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-12-19 01:35 . 2009-12-04 00:01 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-12-19 01:12 . 2009-12-18 23:33 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-12-16 00:27 . 2009-12-16 00:27 -------- d-----w- c:\program files\Windows Media Connect 2
2009-12-13 18:07 . 2009-12-13 18:06 -------- d-----w- c:\program files\Lexmark 1200 Series
2009-12-12 21:22 . 2009-12-12 21:22 -------- d-----w- c:\program files\Auran
2009-12-12 17:31 . 2009-12-06 02:10 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2009-12-11 01:14 . 2009-12-11 01:14 255127 ----a-w- c:\windows\Railroad Tycoon 2 Platinum Uninstaller.exe
2009-12-11 01:14 . 2009-12-11 01:14 -------- d-----w- c:\program files\Global Star Software
2009-12-11 01:14 . 2009-12-11 00:55 -------- d-----w- c:\documents and settings\User\Application Data\GetRightToGo
2009-12-11 00:51 . 2009-12-06 02:02 -------- d-----w- c:\program files\Railroad Tycoon 3
2009-12-10 21:52 . 2009-12-10 21:52 -------- d-----w- c:\documents and settings\Kira\Application Data\Yahoo!
2009-12-09 12:18 . 2009-12-08 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-08 21:05 . 2009-12-08 21:03 -------- d-----w- c:\documents and settings\User\Application Data\Yahoo!
2009-12-08 21:04 . 2009-12-08 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-12-08 21:03 . 2009-12-08 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-12-08 21:03 . 2009-12-08 21:01 -------- d-----w- c:\program files\Yahoo!
2009-12-08 20:48 . 2009-12-08 20:48 0 ----a-w- c:\windows\nsreg.dat
2009-12-08 16:26 . 2009-12-08 16:26 -------- d-----w- c:\program files\ZyXEL G-202
2009-12-08 16:26 . 2009-12-08 16:26 -------- d-----w- c:\documents and settings\User\Application Data\InstallShield
2009-12-08 15:32 . 2009-09-29 22:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-12-08 15:32 . 2009-09-29 22:17 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-12-08 15:32 . 2009-09-29 22:17 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-12-06 02:13 . 2009-12-06 02:13 -------- d-----w- c:\program files\directx
2009-12-05 20:33 . 2009-12-05 20:33 -------- d-----w- c:\program files\Sierra On-Line
2009-12-05 16:53 . 2009-12-05 16:53 -------- d-----w- c:\program files\18 Wheels of Steel American Long Haul
2009-12-04 02:18 . 2009-12-04 02:18 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-12-01 21:04 . 2009-08-25 17:12 87263 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-11-21 15:51 . 2008-04-14 12:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-21 08:46 . 2009-11-21 08:46 86016 ----a-w- c:\windows\system32\frapsvid.dll
2009-11-10 20:39 . 2009-12-08 21:03 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\schtml ----

2010-02-01 19:12 . 2009-12-14 22:54 9309 ----a-w- c:\program files\schtml\wispex.html
2010-02-01 19:12 . 2008-11-27 23:34 1912 ----a-w- c:\program files\schtml\images\w3.jpg
2010-02-01 19:12 . 2008-11-21 21:57 119 ----a-w- c:\program files\schtml\images\wt3.gif
2010-02-01 19:12 . 2008-11-21 21:47 621 ----a-w- c:\program files\schtml\images\t1.gif
2010-02-01 19:12 . 2008-11-21 22:17 1015 ----a-w- c:\program files\schtml\images\t2.gif
2010-02-01 19:12 . 2008-11-21 21:28 5568 ----a-w- c:\program files\schtml\images\up1.gif
2010-02-01 19:12 . 2008-11-21 21:29 696 ----a-w- c:\program files\schtml\images\up2.gif
2010-02-01 19:12 . 2008-11-21 21:56 3028 ----a-w- c:\program files\schtml\images\w1.gif
2010-02-01 19:12 . 2008-11-21 22:08 3431 ----a-w- c:\program files\schtml\images\w11.gif
2010-02-01 19:12 . 2008-11-21 21:56 47 ----a-w- c:\program files\schtml\images\w2.gif
2010-02-01 19:12 . 2008-11-27 23:30 3430 ----a-w- c:\program files\schtml\images\w3.gif
2010-02-01 19:12 . 2008-11-21 21:57 176 ----a-w- c:\program files\schtml\images\wt1.gif
2010-02-01 19:12 . 2008-11-21 21:57 51 ----a-w- c:\program files\schtml\images\wt2.gif
2010-02-01 19:12 . 2008-11-21 22:14 114 ----a-w- c:\program files\schtml\images\jj1.gif
2010-02-01 19:12 . 2008-11-21 22:14 48 ----a-w- c:\program files\schtml\images\jj2.gif
2010-02-01 19:12 . 2008-11-21 22:40 105 ----a-w- c:\program files\schtml\images\jj3.gif
2010-02-01 19:12 . 2008-11-21 21:39 3749 ----a-w- c:\program files\schtml\images\l1.gif
2010-02-01 19:12 . 2008-11-21 21:39 92 ----a-w- c:\program files\schtml\images\l2.gif
2010-02-01 19:12 . 2008-11-21 21:40 468 ----a-w- c:\program files\schtml\images\l3.gif
2010-02-01 19:12 . 2008-11-21 22:44 70 ----a-w- c:\program files\schtml\images\pix.gif
2010-02-01 19:12 . 2008-11-21 22:17 1744 ----a-w- c:\program files\schtml\images\i1.gif
2010-02-01 19:12 . 2008-11-21 22:17 1663 ----a-w- c:\program files\schtml\images\i2.gif
2010-02-01 19:12 . 2008-11-21 22:17 1689 ----a-w- c:\program files\schtml\images\i3.gif
2010-02-01 19:12 . 2008-11-21 22:12 3957 ----a-w- c:\program files\schtml\images\j1.gif
2010-02-01 19:12 . 2008-11-21 22:12 47 ----a-w- c:\program files\schtml\images\j2.gif
2010-02-01 19:12 . 2008-11-27 23:33 3857 ----a-w- c:\program files\schtml\images\j3.gif
2010-02-01 19:12 . 2009-10-19 21:02 36864 --sha-w- c:\program files\schtml\images\Thumbs.db
2010-02-01 19:12 . 2009-10-09 20:19 27136 ----a-w- c:\program files\schtml\images\word.doc
2010-02-01 19:12 . 2010-02-01 19:12 152884 ----a-w- c:\program files\schtml\dbsinit.exe


((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-02 19:46 . 2010-02-02 19:46 40960 c:\windows\temp\rtdrvmon.exe
- 2010-02-02 15:03 . 2010-02-02 15:03 40960 c:\windows\temp\rtdrvmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Steam"="c:\program files\Steam\Steam.exe" [2009-12-09 1217808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-24 118784]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"Lexmark 1200 Series"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\User\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ZyXEL G-202 Wireless Adapter Utility.lnk - c:\program files\ZyXEL G-202\ZyXEL G-202.exe [2009-12-8 10801152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-08 15:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\ZyXEL G-202\\ZyXEL G-202.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/29/2009 5:17 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/29/2009 5:17 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/29/2009 5:17 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/29/2009 5:17 PM 297752]
R2 ZDCNDIS5;ZDCNDIS5 NDIS5.1 Protocol Driver;c:\windows\system32\ZDCndis5.sys [12/8/2009 11:26 AM 20736]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;c:\windows\system32\drivers\WlanGZXP.SYS [12/8/2009 11:26 AM 519168]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [12/8/2009 11:26 AM 20608]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [9/29/2009 4:22 PM 627072]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\p9khj3ef.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Adobe Loader - c:\program files\adgamma.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-02-02 14:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1056)
c:\windows\system32\WININET.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
.
**************************************************************************
.
Completion time: 2010-02-02 14:50:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-02 19:50
ComboFix2.txt 2010-02-02 15:07

Pre-Run: 437,115,330,560 bytes free
Post-Run: 437,080,821,760 bytes free

- - End Of File - - 9447D66B16123FC6B47833A39185406C


Re: Also got the "Your PC Protector" Virus

Post by Belahzur on 2nd February 2010, 8:36 pm

Hello.
Do you know what this folder is?

c:\program files\schtml

Please download [You must be registered and logged in to see this link.] to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Also got the "Your PC Protector" Virus

Post by PanzerschreckLeopard on 2nd February 2010, 8:45 pm

Just did such. That's it? I'm rid of it?


Re: Also got the "Your PC Protector" Virus

Post by Belahzur on 3rd February 2010, 1:05 am

Should be, logs look okay to me, how are they for you?



Re: Also got the "Your PC Protector" Virus

Post by PanzerschreckLeopard on 3rd February 2010, 1:19 am

Everything is working normally.
