Problems after getting rid of Antivirus Soft

View previous topic View next topic Go down

Problems after getting rid of Antivirus Soft

Post by sbartholow on 18th July 2010, 1:46 am

About a month ago, I had Antivirus Soft attack this computer, after about a week I was able to remove it. Soon after I began getting a new virusís (major ones like AV Suite and Sysinternals), at least one a week, which was uncommon. I upgraded and ran Malwarebyte, Ad-Aware, McAfee, and even ran an online scanner, which seemed to remove the problem only to have another one infecting soon after. Realizing that it was probably because Adobe and Java were outdated, I updated them but I am still having strange issues. Since that first attack, my computer has been noticeably sluggish to respond, many ďprogram has encountered an errorĒ messages pop up, mostly from Generic Host Processes for Win32, Google is often redirected to other websites, and random popups appear without user interaction. Many times on scheduled scans one of the security programs installed will still find something minor (like a generic Trojan) and remove it, yet after removal problems still occur. OTL is attached as a .doc because I couldn't attach it as a .txt.

sbartholow
Novice
Novice

Posts Posts : 6
Joined Joined : 2010-07-18
OS OS : XP
Points Points : 23438
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Problems after getting rid of Antivirus Soft

Post by Sneakyone on 18th July 2010, 3:36 am

Hi, Welcome to GeekPolice.net! Smile

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :OTL
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:2028

    :Files
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\vphhsuiyk
    C:\WINDOWS\System32\natetazu

    :commands
    [emptytemp]
    [resethosts]
    [reboot]



  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If this fix becomes unresponsive, please move on to ComboFix.

======

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.



I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Problems after getting rid of Antivirus Soft

Post by sbartholow on 18th July 2010, 8:51 pm

OTL became stalled so I did the combofix instead, around step 3 or 4 it came up with a message: "PEV.exe application error. The instruction at 0x0039a6a7 referenced memory at 0x78393aa7. The memory could not be "written" click ok to terminate or click cancel to debug" I left this message up and it eventually went away. Here is the log file from combofix:

ComboFix 10-07-16.02 - Bartholow 07/18/2010 15:59:25.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2303.1727 [GMT -4:00]
Running from: c:\documents and settings\Bartholow\desktop\commy.exe
Command switches used :: /stepdel
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\version.txt
c:\windows\Install.txt
c:\windows\system32\Install.txt

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2010-06-18 to 2010-07-18 )))))))))))))))))))))))))))))))
.

2010-07-18 17:11 . 2010-07-18 17:11 -------- d-----w- C:\_OTL
2010-07-16 20:03 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-06 10:33 . 2010-07-06 10:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-07-06 10:33 . 2010-07-06 10:33 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-07-02 22:08 . 2010-07-02 22:08 -------- d-----w- c:\program files\iPod
2010-07-02 22:08 . 2010-07-02 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-02 22:04 . 2010-07-02 22:05 -------- d-----w- c:\program files\QuickTime
2010-07-02 21:59 . 2010-07-02 21:59 -------- d-----w- c:\program files\Bonjour
2010-07-02 19:14 . 2010-07-02 19:14 -------- d-----w- c:\program files\ESET
2010-07-02 18:38 . 2010-07-02 18:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-02 18:37 . 2010-07-02 18:38 -------- d-----w- c:\documents and settings\Bartholow\Local Settings\Application Data\Adobe
2010-07-02 18:29 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-02 02:09 . 2010-07-02 02:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
2010-07-02 00:01 . 2010-07-02 00:01 141 ----a-w- c:\program files\drv_30282781.bat
2010-07-01 15:24 . 2010-07-01 15:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\vphhsuiyk
2010-06-29 15:10 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-29 14:55 . 2010-06-29 14:55 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-29 14:51 . 2010-06-29 14:51 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 22:09 . 2005-12-31 05:07 -------- d-----w- c:\program files\iTunes
2010-07-02 22:08 . 2009-04-10 22:24 -------- d-----w- c:\program files\Common Files\Apple
2010-07-02 18:55 . 2009-07-21 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-02 18:43 . 2003-11-22 19:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-02 18:32 . 2003-11-03 12:37 -------- d-----w- c:\program files\Java
2010-07-02 18:30 . 2003-11-03 12:37 -------- d-----w- c:\program files\Common Files\Java
2010-07-02 11:24 . 2006-09-06 20:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-01 15:40 . 2005-06-03 00:51 -------- d-----w- c:\program files\McAfee
2010-06-29 14:55 . 2009-10-09 23:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-29 14:54 . 2009-08-08 20:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-29 14:51 . 2004-01-09 19:28 -------- d-----w- c:\program files\Lavasoft
2010-06-16 05:42 . 2010-06-16 05:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-06-03 17:56 . 2003-11-22 20:59 -------- d-----w- c:\documents and settings\Bartholow\Application Data\AdobeUM
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2006-06-23 15:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-08-29 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-05-06 00:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-05-06 00:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 00:12 . 2003-11-05 22:45 47808 ----a-w- c:\documents and settings\Bartholow\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-20 05:30 . 2002-08-29 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 00:47 . 2009-04-10 22:25 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-20 00:47 . 2009-04-10 22:25 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-11-03 151597]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-04-24 4616192]
"mswspl"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-07-01 53248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Motive SmartBridge"="c:\progra~1\VIRTUA~2\SMARTB~1\SprintDSLAlert.exe" [2010-01-07 483415]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 8\PostUpdate.exe" [2010-06-24 53248]

c:\documents and settings\Bartholow\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-3-9 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2003-11-3 36953]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-11-3 24576]
EMBARQ Help.lnk - c:\program files\Virtual Assistant\bin\matcli.exe [2009-10-9 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxczcoms.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [8/8/2009 4:02 PM 64288]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [5/9/2010 3:51 PM 82952]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 3:43 PM 204800]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2010 3:51 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2010 3:51 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2010 3:51 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [5/9/2010 3:52 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [5/9/2010 3:51 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [5/9/2010 3:51 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [5/9/2010 3:51 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/9/2010 3:51 PM 88480]
S3 jfdcd;jfdcd;\??\c:\docume~1\BARTHO~1\LOCALS~1\Temp\jfdcd.sys --> c:\docume~1\BARTHO~1\LOCALS~1\Temp\jfdcd.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/9/2010 3:51 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [5/9/2010 3:51 PM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-07-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 14:54]

2010-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-MISAggregator - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-18 16:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-149151807-4052898740-1945230209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* *'*U%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-149151807-4052898740-1945230209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*l*h%*%]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-149151807-4052898740-1945230209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*l*h%*%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-149151807-4052898740-1945230209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* #Ů*Ų*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-149151807-4052898740-1945230209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* #Ů*Ų*\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-149151807-4052898740-1945230209-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a5,ea,e9,7f,00,9d,0d,a9,d4,1f,69,a6,f4,f1,04,ae,12,74,5a,4d,8f,e5,24,
c5,b8,f0,b2,fa,31,a2,5e,b3,d2,41,f8,ea,25,14,0a,04,4b,8d,ed,65,e8,a3,28,3c,\
"??"=hex:b5,60,ab,13,74,34,3d,76,40,37,43,7c,29,c5,f8,80

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1A68D668-6DF3-702D-2A0852A803C1488D}\{D6F2E9CD-48BA-CDDC-BEA31B576464FCAF}\{421B9E29-5D23-2966-C9D7C1E976BC0884}*]
"PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,
69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1f,f1,4a,
51,1c,86,65,14,87,4c,de,40,12,89,ab,80,31,7e,9a,ab,57,11,78,f9,46,20,33,3d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1056)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5692)
c:\windows\system32\WININET.dll
c:\progra~1\VIRTUA~2\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxczcoms.exe
c:\windows\system32\java.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\PnkBstrA.exe
c:\windows\wanmpsvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\program files\Virtual Assistant\bin\mpbtn.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-18 16:44:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-18 20:44

Pre-Run: 8,743,096,320 bytes free
Post-Run: 9,807,826,944 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 371C83C91E8DB254226145344893F4AA


sbartholow
Novice
Novice

Posts Posts : 6
Joined Joined : 2010-07-18
OS OS : XP
Points Points : 23438
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Problems after getting rid of Antivirus Soft

Post by Sneakyone on 18th July 2010, 10:46 pm

Hi, Smile

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Killall::

    Folder::
    c:\documents and settings\NetworkService\Local Settings\Application Data\vphhsuiyk

    Driver::
    jfdcd

    Reboot::


  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Problems after getting rid of Antivirus Soft

Post by sbartholow on 19th July 2010, 12:47 am

ComboFix 10-07-16.02 - Bartholow 07/18/2010 20:13:44.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2303.1577 [GMT -4:00]
Running from: c:\documents and settings\Bartholow\Desktop\commy.exe
Command switches used :: c:\documents and settings\Bartholow\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Local Settings\Application Data\vphhsuiyk

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JFDCD
-------\Service_jfdcd


((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-18 17:11 . 2010-07-18 17:11 -------- d-----w- C:\_OTL
2010-07-16 20:03 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-06 10:33 . 2010-07-06 10:33 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-07-06 10:33 . 2010-07-06 10:33 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-07-02 22:08 . 2010-07-02 22:08 -------- d-----w- c:\program files\iPod
2010-07-02 22:08 . 2010-07-02 22:09 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-02 22:04 . 2010-07-02 22:05 -------- d-----w- c:\program files\QuickTime
2010-07-02 21:59 . 2010-07-02 21:59 -------- d-----w- c:\program files\Bonjour
2010-07-02 19:14 . 2010-07-02 19:14 -------- d-----w- c:\program files\ESET
2010-07-02 18:38 . 2010-07-02 18:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-02 18:37 . 2010-07-02 18:38 -------- d-----w- c:\documents and settings\Bartholow\Local Settings\Application Data\Adobe
2010-07-02 18:29 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-02 02:09 . 2010-07-02 02:09 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Help
2010-07-02 00:01 . 2010-07-02 00:01 141 ----a-w- c:\program files\drv_30282781.bat
2010-06-29 15:10 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-29 14:55 . 2010-06-29 14:55 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-29 14:51 . 2010-06-29 14:51 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 22:09 . 2005-12-31 05:07 -------- d-----w- c:\program files\iTunes
2010-07-02 22:08 . 2009-04-10 22:24 -------- d-----w- c:\program files\Common Files\Apple
2010-07-02 18:55 . 2009-07-21 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-02 18:43 . 2003-11-22 19:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-02 18:32 . 2003-11-03 12:37 -------- d-----w- c:\program files\Java
2010-07-02 18:30 . 2003-11-03 12:37 -------- d-----w- c:\program files\Common Files\Java
2010-07-02 11:24 . 2006-09-06 20:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-01 15:40 . 2005-06-03 00:51 -------- d-----w- c:\program files\McAfee
2010-06-29 14:55 . 2009-10-09 23:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-29 14:54 . 2009-08-08 20:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-29 14:51 . 2004-01-09 19:28 -------- d-----w- c:\program files\Lavasoft
2010-06-16 05:42 . 2010-06-16 05:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-06-03 17:56 . 2003-11-22 20:59 -------- d-----w- c:\documents and settings\Bartholow\Application Data\AdobeUM
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2006-06-23 15:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2002-08-29 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 19:39 . 2010-05-06 00:50 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 19:39 . 2010-05-06 00:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 00:12 . 2003-11-05 22:45 47808 ----a-w- c:\documents and settings\Bartholow\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-20 05:30 . 2002-08-29 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 00:47 . 2009-04-10 22:25 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-20 00:47 . 2009-04-10 22:25 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-11-03 151597]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-04-24 4616192]
"mswspl"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"mmtask"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2004-07-01 53248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Motive SmartBridge"="c:\progra~1\VIRTUA~2\SMARTB~1\SprintDSLAlert.exe" [2010-01-07 483415]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"Malwarebytes Anti-Malware (rootkit-scan)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 8\PostUpdate.exe" [2010-06-24 53248]

c:\documents and settings\Bartholow\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-3-9 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2003-11-3 36953]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-11-3 24576]
EMBARQ Help.lnk - c:\program files\Virtual Assistant\bin\matcli.exe [2009-10-9 217088]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\lxczcoms.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [8/8/2009 4:02 PM 64288]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [5/9/2010 3:51 PM 82952]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 3:43 PM 204800]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2010 3:51 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2010 3:51 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [5/9/2010 3:51 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [5/9/2010 3:52 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [5/9/2010 3:51 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [5/9/2010 3:51 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [5/9/2010 3:51 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/9/2010 3:51 PM 88480]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [5/9/2010 3:51 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [5/9/2010 3:51 PM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-07-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 14:54]

2010-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mSearch Bar =
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-18 20:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-149151807-4052898740-1945230209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* *'*U%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-149151807-4052898740-1945230209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*l*h%*%]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-149151807-4052898740-1945230209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*l*h%*%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-149151807-4052898740-1945230209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* #Ů*Ų*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-149151807-4052898740-1945230209-1008\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* #Ů*Ų*\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-149151807-4052898740-1945230209-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a5,ea,e9,7f,00,9d,0d,a9,d4,1f,69,a6,f4,f1,04,ae,12,74,5a,4d,8f,e5,24,
c5,b8,f0,b2,fa,31,a2,5e,b3,d2,41,f8,ea,25,14,0a,04,4b,8d,ed,65,e8,a3,28,3c,\
"??"=hex:b5,60,ab,13,74,34,3d,76,40,37,43,7c,29,c5,f8,80

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1A68D668-6DF3-702D-2A0852A803C1488D}\{D6F2E9CD-48BA-CDDC-BEA31B576464FCAF}\{421B9E29-5D23-2966-C9D7C1E976BC0884}*]
"PK3IM51V2WPW5YOPIRJ365XEIG1"=hex:01,00,01,00,00,00,00,00,c3,a2,73,89,0b,39,ad,
69,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{48418982-249C-E344-B1C048196FA2EDFD}\{A41EB0B4-3EE0-E472-B7C2AAEB5A9566C4}\{DB4C8A45-FEFF-6FD9-65B4662880A15182}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,1f,f1,4a,
51,1c,86,65,14,87,4c,de,40,12,89,ab,80,31,7e,9a,ab,57,11,78,f9,46,20,33,3d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1056)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(5164)
c:\windows\system32\WININET.dll
c:\progra~1\VIRTUA~2\SMARTB~1\SBHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxczcoms.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\PnkBstrA.exe
c:\windows\wanmpsvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
c:\program files\Lexmark 1200 Series\lxczbmon.exe
c:\windows\system32\java.exe
c:\program files\Virtual Assistant\bin\mpbtn.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-07-18 20:44:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-19 00:44
ComboFix2.txt 2010-07-18 20:44

Pre-Run: 9,793,220,608 bytes free
Post-Run: 9,751,707,648 bytes free

- - End Of File - - 12A2A07E946B73B34A428A657ADF2004

sbartholow
Novice
Novice

Posts Posts : 6
Joined Joined : 2010-07-18
OS OS : XP
Points Points : 23438
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Problems after getting rid of Antivirus Soft

Post by Sneakyone on 19th July 2010, 1:02 am

Hi, Smile

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Problems after getting rid of Antivirus Soft

Post by sbartholow on 19th July 2010, 1:40 pm

While this was running McAfee found and removed a trojan. Here is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4325

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/19/2010 2:25:10 AM
mbam-log-2010-07-19 (02-25-10).txt

Scan type: Full scan (A:\|C:\|D:\|)
Objects scanned: 274143
Time elapsed: 3 hour(s), 37 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

sbartholow
Novice
Novice

Posts Posts : 6
Joined Joined : 2010-07-18
OS OS : XP
Points Points : 23438
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Problems after getting rid of Antivirus Soft

Post by Sneakyone on 19th July 2010, 7:22 pm

Hi, Smile

Please run a free online scan with the [You must be registered and logged in to see this link.]
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Problems after getting rid of Antivirus Soft

Post by sbartholow on 19th July 2010, 9:36 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=11c0f5ca58872d4c8ca0249c1f3e7782
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-19 09:33:43
# local_time=2010-07-19 05:33:43 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777173 100 75 5213084 10422520 0 0
# compatibility_mode=8192 67108863 100 0 549794 549794 0 0
# scanned=155294
# found=0
# cleaned=0
# scan_time=5741

sbartholow
Novice
Novice

Posts Posts : 6
Joined Joined : 2010-07-18
OS OS : XP
Points Points : 23438
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Problems after getting rid of Antivirus Soft

Post by Sneakyone on 19th July 2010, 9:48 pm

Hi, Smile

Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

Updating System Restore
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE.


You now have a clean restore point.

To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do a calculation of temporary/old files, and then display a dialogue box.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done.


========

Removing the tools
Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download [You must be registered and logged in to see this link.] by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


============

Service Pack upgrade
Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: [You must be registered and logged in to see this link.]

=====

Update Programs
Please download the newest version of Adobe Acrobat Reader from [You must be registered and logged in to see this link.]

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Please download the newest version of Java from [You must be registered and logged in to see this link.].

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

=========

Here are some prevention tips I have provided:

1. Don't download files from untrusted websites or websites that seem suspious.

2. Don't use torrents they are a good way to get lots of malware.

3. Don't download and use cracks/warez/keygens they are illegal and are another good way to contract malware.

4. Disable autorun [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.]

5. Always make sure you have the latest Windows updates. windowsupdate.microsoft.com

6. Don't ever click on the links inside of a popup.

7. Make sure you know what you install you can make sure it is not know for being a virus by just simply searching about it on google.

8. Use a Site Advisor so you don't go to sites that will infect you. [You must be registered and logged in to see this link.]

9. Also there are many holes and flaws in Internet Explorer I recommend using [You must be registered and logged in to see this link.] to keep you more safe.

10. Always keep your [You must be registered and logged in to see this link.] and Adobe updated.

11. Don't fall for the Scareware. What is Scareware? it is a website made to download a rogue Antivirus on your system that will scare you into buying their fake software due to false detections.

12. Always have a Firewall and a Antivirus.

Thanks for choosing GeekPolice, see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?

For more information please visit [You must be registered and logged in to see this link.]


I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Problems after getting rid of Antivirus Soft

Post by sbartholow on 20th July 2010, 12:12 am

Thank-you for your help!

sbartholow
Novice
Novice

Posts Posts : 6
Joined Joined : 2010-07-18
OS OS : XP
Points Points : 23438
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Problems after getting rid of Antivirus Soft

Post by Sneakyone on 20th July 2010, 12:16 am

You're welcome, glad I could help. Smile


I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56114
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum