Can not remove Anitivir pro


Post by LordZet on Fri Jul 23, 2010 12:49 pm

It prevents my Windows Explorer from loading.

Using MBAM and a quick scan shows nothing wrong... even in safe mode. It's outdated and I can't update it.

I did find:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> No action taken.

C:\Program Files\setup.exe (Rogue.Installer) -> No action taken.

Edit again:
I found 2 files ending in tssd.exe

buihqratssd.exe
BUIHQRATSSD.EXE -2AF8DD0A.pf

I found the containing folder, but it activated even in safe mode with networking...

LordZet
Intermediate

Posts : 100
Joined : 2009-08-26
OS : XP

Re: Can not remove Anitivir pro

Post by Dr Jay on Fri Jul 23, 2010 6:43 pm

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see [You must be registered and logged in to see this link.].

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.


Dr. Jay (DJ)

Dr Jay
Head Administrator

Posts : 13712
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro

Re: Can not remove Anitivir pro

Post by LordZet on Fri Jul 23, 2010 6:45 pm

Errr... there's been some changes. I should say, it ran in safe mode because I accidentally clicked it.

I restarted and removed the file. But there's still 1 file left in my Windows folder. I don't want to remove it because I don't really want to risk destroying my PC by tampering with files in my Windows folder.


Last edited by LordZet on Fri Jul 23, 2010 6:49 pm; edited 2 times in total


Re: Can not remove Anitivir pro

Post by Dr Jay on Fri Jul 23, 2010 6:46 pm

Ok. Try to run ComboFix, and see if it helps.


Dr. Jay (DJ)

Re: Can not remove Anitivir pro

Post by LordZet on Fri Jul 23, 2010 6:48 pm

in safe mode with networking?


Re: Can not remove Anitivir pro

Post by Dr Jay on Fri Jul 23, 2010 6:51 pm

Sure.


Dr. Jay (DJ)

Re: Can not remove Anitivir pro

Post by LordZet on Fri Jul 23, 2010 7:53 pm

ComboFix 10-07-22.06 - gap 07/23/2010 14:03:44.10.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.637 [GMT -5:00]
Running from: c:\documents and settings\gap\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\gap\Recent\Thumbs.db
c:\program files\\setup.exe
c:\program files\Setup.exe
c:\windows\system32\312614.dll
c:\windows\system32\35068410.dll
c:\windows\system32\6979374.dll
c:\windows\system32\7118909.dll
c:\windows\system32\spool\prtprocs\w32x86\00002eee.tmp
c:\windows\system32\Thumbs.db
c:\windows\xpsp1hfm.log

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-23 to 2010-07-23 )))))))))))))))))))))))))))))))
.

2010-07-23 19:32 . 2004-08-04 07:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-07-23 19:32 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2010-07-23 18:54 . 2010-07-23 18:53 388608 ----a-w- c:\windows\system32\CF27380.exe
2010-07-23 13:43 . 2010-07-23 15:58 -------- d-----w- c:\documents and settings\gap\Local Settings\Application Data\New Folder
2010-07-23 12:26 . 2010-07-23 12:26 -------- d-----w- c:\program files\New Folder
2010-07-23 12:15 . 2010-07-23 12:15 -------- d-----w- C:\New Folder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-21 01:22 . 2010-03-13 00:57 -------- d-----w- c:\program files\Diablo II
2010-07-17 20:32 . 2009-12-03 18:00 98304 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2010-07-17 20:32 . 2009-12-03 18:00 401408 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2010-07-17 20:32 . 2009-12-03 18:00 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2010-07-17 20:32 . 2009-12-03 18:00 126976 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2010-07-17 20:32 . 2009-12-03 18:00 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-07-17 20:32 . 2009-12-03 18:00 172032 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2010-06-02 21:38 . 2009-09-10 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-02 02:58 . 2010-06-02 02:58 -------- d-----w- c:\documents and settings\gap\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-06-01 21:16 . 2010-06-01 21:16 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-05-26 22:18 . 2007-09-17 01:15 -------- d-----w- c:\documents and settings\gap\Application Data\Image Zone Express
2010-05-26 21:37 . 2010-05-26 21:37 503808 ----a-w- c:\documents and settings\gap\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7d0581b9-n\msvcp71.dll
2010-05-26 21:37 . 2010-05-26 21:37 61440 ----a-w- c:\documents and settings\gap\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-57e3a4d5-n\decora-sse.dll
2010-05-26 21:37 . 2010-05-26 21:37 499712 ----a-w- c:\documents and settings\gap\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7d0581b9-n\jmc.dll
2010-05-26 21:37 . 2010-05-26 21:37 348160 ----a-w- c:\documents and settings\gap\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-7d0581b9-n\msvcr71.dll
2010-05-26 21:37 . 2010-05-26 21:37 12800 ----a-w- c:\documents and settings\gap\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-57e3a4d5-n\decora-d3d.dll
2010-05-26 21:31 . 2008-09-23 10:58 -------- d-----w- c:\program files\Messenger Plus! Live
2010-02-20 05:35 . 2010-02-20 05:09 255768 ----a-w- c:\program files\setup.inx
2010-02-20 05:35 . 2010-02-20 05:09 1669931 ----a-w- c:\program files\setup.isn
2010-02-20 05:35 . 2010-02-20 05:09 680456660 ----a-w- c:\program files\data2.cab
2010-02-20 05:34 . 2010-02-20 05:09 576000 ----a-w- c:\program files\ISSetup.dll
2010-02-20 05:34 . 2010-02-20 05:09 1061129 ----a-w- c:\program files\data1.cab
2010-02-20 05:33 . 2010-02-20 05:09 21494 ----a-w- c:\program files\0x0409.ini
2010-02-20 05:33 . 2010-02-20 05:09 473 ----a-w- c:\program files\layout.bin
2010-02-20 05:33 . 2010-02-20 05:09 354857 ----a-w- c:\program files\data1.hdr
2010-02-20 05:33 . 2010-02-20 05:09 1224 ----a-w- c:\program files\setup.ini
2001-06-20 21:19 . 2001-06-19 21:34 40960 ----a-w- c:\program files\ACMonitor_X83.exe
2009-05-04 21:47 . 2008-05-15 21:07 0 --sh--w- c:\windows\SDE078CD8.tmp
2007-02-16 13:54 . 2007-01-23 02:02 8026400 --sha-w- c:\windows\system32\drivers\fidbox.dat
2007-02-16 07:52 . 2007-01-23 02:02 68384 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"Google Update"="c:\documents and settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-19 133104]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-01-25 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Remocon Driver.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Remocon Driver.lnk
backup=c:\windows\pss\Remocon Driver.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Timer Recording Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Timer Recording Manager.lnk
backup=c:\windows\pss\Timer Recording Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^gap^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\gap\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2003-05-23 18:43 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2005-08-05 20:08 67160 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-02 22:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-05-13 02:05 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
2002-08-20 18:29 40960 ----a-w- c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-04-07 07:07 114688 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 02:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-04-07 07:19 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Manager]
2001-06-14 17:42 53248 ----a-w- c:\progra~1\LEXMAR~1\AcBtnMgr_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X83 Button Monitor]
2001-10-18 15:25 40960 ----a-w- c:\progra~1\LEXMAR~1\ACMonitor_X83.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
2002-06-27 08:47 36864 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 05:08 28672 ----a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
2004-01-17 11:36 135168 ----a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-04 00:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Sony TV Tuner Manager"=3 (0x3)
"Sony TV Tuner Controller"=3 (0x3)
"Giga Pocket Hardware Detector"=2 (0x2)
"SymWSC"=2 (0x2)
"SAVScan"=3 (0x3)
"navapsvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccProxy"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"AntiVirService"=3 (0x3)
"AntiVirScheduler"=2 (0x2)
"iPodService"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"VAIOMediaPlatform-VideoServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-VideoServer-AppServer"=2 (0x2)
"VAIOMediaPlatform-Mobile-Gateway"=3 (0x3)
"VAIOMediaPlatform-IntegratedServer-UPnP"=2 (0x2)
"VAIOMediaPlatform-IntegratedServer-HTTP"=2 (0x2)
"VAIOMediaPlatform-IntegratedServer-AppServer"=2 (0x2)
"VAIO Entertainment UPnP Client Adapter"=3 (0x3)
"VAIO Entertainment TV Device Arbitration Service"=3 (0x3)
"VAIO Entertainment File Import Service"=2 (0x2)
"VAIO Entertainment Aggregation and Control Service"=3 (0x3)
"idsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\Unreal Tournament 2004\\System\\UT2004.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\gap\\Desktop\\postal2\\Postal2STP\\System\\Postal2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Nexon\\DFO\\DFO.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\EA GAMES\\Command & Conquer The First Decade\\Command & Conquer(tm) Tiberian Sun(tm)\\SUN\\Game.exe"=
"c:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56476:TCP"= 56476:TCP:Pando Media Booster
"56476:UDP"= 56476:UDP:Pando Media Booster
"56980:TCP"= 56980:TCP:Pando Media Booster
"56980:UDP"= 56980:UDP:Pando Media Booster
"57917:TCP"= 57917:TCP:Pando Media Booster
"57917:UDP"= 57917:UDP:Pando Media Booster
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/15/2009 4:34 PM 108289]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [10/28/2004 9:45 AM 15104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 cpuz130;cpuz130;\??\c:\docume~1\gap\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\gap\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [6/26/2004 8:19 PM 86098]
S4 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2185701209-1548109994-1205914860-1005Core.job
- c:\documents and settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 18:42]

2010-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2185701209-1548109994-1205914860-1005UA.job
- c:\documents and settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-19 18:42]

2004-07-25 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2004-03-31 07:56]

2010-07-22 c:\windows\Tasks\WebReg Photosmart C4200 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2006-12-11 02:36]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\[You must be registered and logged in to see this link.]
Trusted Zone: windowsupdate.com
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\gap\Application Data\Mozilla\Firefox\Profiles\tiz06pr6.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\gap\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\gap\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\gap\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.2\Plugins\npybrowserplus_2.9.2.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npActiveGS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-gysklrhk - c:\documents and settings\gap\Local Settings\Application Data\yuajobmxq\buihqratssd.exe
HKLM-Run-gysklrhk - c:\documents and settings\gap\Local Settings\Application Data\yuajobmxq\buihqratssd.exe
MSConfigStartUp-AceGain LiveUpdate - c:\acegain live update\LiveUpdate.exe
MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-iTunesHelper - c:\itunes\iTunesHelper.exe
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_02\bin\jusched.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
AddRemove-HijackThis - c:\documents and settings\gap\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-23 14:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x86EED8C6]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf78d3fc3
\Driver\ACPI -> ACPI.sys @ 0xf7826cb8
\Driver\atapi -> atapi.sys @ 0xf77e19f2
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
ParseProcedure -> ntoskrnl.exe @ 0x8057c745
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059e1a2
ParseProcedure -> ntoskrnl.exe @ 0x8057c745
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf76eaba0
PacketIndicateHandler -> NDIS.sys @ 0xf76f7b21
SendHandler -> NDIS.sys @ 0xf76d587b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-07-23 14:46:41
ComboFix-quarantined-files.txt 2010-07-23 19:46
ComboFix2.txt 2009-09-04 23:24

Pre-Run: 10,942,210,048 bytes free
Post-Run: 15,470,657,536 bytes free

- - End Of File - - 70D0914D589FF28320FB291A3712E4F7


Re: Can not remove Anitivir pro

Post by Dr Jay on Fri Jul 23, 2010 8:48 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5643
    uInternet Settings,ProxyOverride =

    MBR::

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)

Re: Can not remove Anitivir pro

Post by LordZet on Fri Jul 23, 2010 8:55 pm

My internet isn't hijacked... and I can't find any trace of it. You sure?

Also...why did my setup.exe get deleted? Was that a false positive?


Re: Can not remove Anitivir pro

Post by Dr Jay on Fri Jul 23, 2010 9:07 pm

Not sure if it was a false positive or not.

Even if the Internet is not hijacked, the settings show a rogue proxy server.

Dr. Jay (DJ)
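Dr Jay's point, that the log shows a rogue proxy even though nothing looked hijacked, can be turned into an automated triage check over a ComboFix log. The following Python is an added example, not code from this thread or from ComboFix: it reads the two log sections that mattered here (the "uInternet Settings,ProxyServer" line and the Run-key entries, including those under "ORPHANS REMOVED") and flags a loopback proxy plus autorun entries that launch a random-named executable from a user's profile data folder. The sample log is a constructed excerpt of the one posted above, and the random-name heuristic is my own assumption.

```python
import re
from typing import Dict, List

# Constructed sample: a few lines copied from the ComboFix log posted in
# this thread; the rest of the log is omitted.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\documents and settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-19 133104]

------- Supplementary Scan -------
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride =
- - - - ORPHANS REMOVED - - - -
HKCU-Run-gysklrhk - c:\documents and settings\gap\Local Settings\Application Data\yuajobmxq\buihqratssd.exe
HKLM-Run-gysklrhk - c:\documents and settings\gap\Local Settings\Application Data\yuajobmxq\buihqratssd.exe
MSConfigStartUp-iTunesHelper - c:\itunes\iTunesHelper.exe
"""

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')          # "name"="path" [...]
ORPHAN_RE = re.compile(r"^(HK(?:CU|LM))-Run-(\S+) - (.+)$")  # HKCU-Run-name - path
RUN_KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\.*\\Run\]$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
USER_DATA_DIRS = ("\\local settings\\application data\\", "\\application data\\")
VOWELS = set("aeiou")


def find_local_proxy(log: str) -> List[str]:
    """Return ProxyServer entries that point back at the local machine.
    A proxy on 127.0.0.1 is the classic sign that something on the box is
    intercepting browser traffic, even when pages still load normally."""
    hits = []
    for line in log.splitlines():
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        # Value is either "host:port" or "proto=host:port;proto=host:port".
        for entry in m.group(1).split(";"):
            hostport = entry.split("=", 1)[-1].strip()
            host = hostport.rsplit(":", 1)[0].strip("[]")
            if host.lower() in LOOPBACK:
                hits.append(entry.strip())
    return hits


def looks_random(token: str) -> bool:
    """Assumed heuristic for generated names like 'gysklrhk' or 'yuajobmxq':
    all lowercase letters, at least 7 long, and vowel-poor."""
    if len(token) < 7 or not token.isalpha() or not token.islower():
        return False
    vowels = sum(1 for c in token if c in VOWELS)
    return vowels / len(token) <= 0.35


def parse_autoruns(log: str) -> List[Dict[str, str]]:
    """Collect Run-key entries from the 'Reg Loading Points' section and
    the 'ORPHANS REMOVED' list, as (hive, value name, launched path)."""
    entries = []
    hive = ""  # set while inside a [..\Run] block, cleared by blank/next key
    for raw in log.splitlines():
        line = raw.strip()
        km = RUN_KEY_RE.match(line)
        if km:
            hive = "HKCU" if km.group(1) == "HKEY_CURRENT_USER" else "HKLM"
            continue
        if line.startswith("[") or not line:
            hive = ""
            continue
        vm = RUN_VALUE_RE.match(line)
        if hive and vm:
            entries.append({"hive": hive, "name": vm.group(1), "path": vm.group(2)})
            continue
        om = ORPHAN_RE.match(line)
        if om:
            entries.append({"hive": om.group(1), "name": om.group(2), "path": om.group(3)})
    return entries


def find_suspicious_autoruns(log: str) -> List[Dict[str, str]]:
    """Flag Run entries launched from a user's profile data directory whose
    value name or parent folder looks machine-generated."""
    hits = []
    for e in parse_autoruns(log):
        if not any(d in e["path"].lower() for d in USER_DATA_DIRS):
            continue
        parts = e["path"].split("\\")
        parent = parts[-2] if len(parts) >= 2 else ""
        if looks_random(e["name"]) or looks_random(parent):
            hits.append(e)
    return hits


def triage(log: str) -> Dict[str, object]:
    """Summarise both checks for one log."""
    return {"local_proxy": find_local_proxy(log),
            "suspicious_autoruns": find_suspicious_autoruns(log)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```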
