WiredWX Christian Hobby Weather Tools
Alpha Antivirus Help!

Hey, I'm helping my dad get rid of this program he contracted this morning on his Vista laptop. It doesn't allow him to open IE, so I am using my Mac and transferring all the software via USB drive. I tried Malwarebytes, SUPERAntiSpyware, and an online fix, but none of them worked. The first time I ran Malwarebytes it found 5 infections; I cleared them, but after restarting, Alpha AV was still on the system as before. When I run it again it doesn't find anything. I tried Spyware Doctor and it found the AlphaAV threat as well as some other minor ones, but naturally I couldn't remove them without paying for the program.
An interesting note: the process associated with Alpha AV is "alpha.exe" rather than the typical "alphaAV.exe" that I see on most help websites.

I ran ComboFix after reading some suggestions and copied the log to my computer. Not sure what is preferable, but I will download and run HijackThis also if necessary...
Thanks!




ComboFix 09-11-07.02 - Owner 11/07/2009 18:15.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1013.336 [GMT -6:00]
Running from: c:\users\Owner\Desktop\commy.exe
Command switches used :: /stepdel
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-2450969143-844794473-1312612106-500
c:\$recycle.bin\S-1-5-21-3569018428-901859288-1186912836-500
c:\$recycle.bin\S-1-5-21-4214898707-607555799-2004620691-500
c:\$recycle.bin\S-1-5-21-864547194-220137812-69340660-500
c:\program files\alot
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500\desktop.ini
c:\$recycle.bin\S-1-5-21-2450969143-844794473-1312612106-500\desktop.ini
c:\$recycle.bin\S-1-5-21-3569018428-901859288-1186912836-500\desktop.ini
c:\$recycle.bin\S-1-5-21-4214898707-607555799-2004620691-500\desktop.ini
c:\$recycle.bin\S-1-5-21-864547194-220137812-69340660-500\desktop.ini
c:\program files\alot\alotUninst.exe
c:\program files\alot\bin\alot.dll
c:\program files\alot\bin\ALOTSettings.exe
c:\programdata\ntuser.dat{0dd9af55-9d0b-11db-8678-0016d42a45f8}.TMContainer00000000000000000001.regtrans-ms
c:\programdata\ntuser.dat{0dd9af65-9d0b-11db-8678-0016d42a45f8}.TMContainer00000000000000000001.regtrans-ms

.
((((((((((((((((((((((((( Files Created from 2009-10-08 to 2009-11-08 )))))))))))))))))))))))))))))))
.

2009-11-08 00:25 . 2009-11-08 00:27 -------- d-----w- c:\users\Owner\AppData\Local\temp
2009-11-08 00:25 . 2009-11-08 00:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-07 17:58 . 2009-11-07 17:58 117760 ----a-w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-07 17:58 . 2009-11-07 17:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-11-07 17:57 . 2009-11-07 17:57 4096 d-----w- c:\program files\SUPERAntiSpyware
2009-11-07 17:57 . 2009-11-07 17:57 -------- d-----w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com
2009-11-07 17:56 . 2009-11-07 17:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-07 17:05 . 2009-11-07 17:05 -------- d-----w- c:\program files\Common Files\AAntivirusUninstall
2009-11-07 17:05 . 2009-11-07 17:05 -------- d-----w- c:\program files\AAntivirus
2009-10-28 15:25 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 15:25 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-14 19:37 . 2009-09-10 16:48 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-10-14 19:35 . 2009-09-04 11:41 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-14 19:35 . 2009-09-14 09:29 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 19:35 . 2009-05-08 12:53 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-12 17:03 . 2009-10-12 17:03 -------- d-----w- c:\program files\Microsoft
2009-10-12 17:01 . 2009-10-12 17:00 411368 ----a-w- c:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 18:47 . 2009-03-05 18:38 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 02:42 . 2009-10-02 15:58 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-15 12:51 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-12 17:00 . 2007-01-05 23:14 -------- d-----w- c:\program files\Java
2009-09-10 20:54 . 2009-03-05 18:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 20:53 . 2009-03-05 18:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-29 00:27 . 2009-09-02 23:28 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 23:28 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-14 19:36 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-14 19:36 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:17 . 2009-10-14 19:36 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 03:42 . 2009-10-14 19:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-14 16:27 . 2009-09-09 14:17 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 14:17 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 14:17 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 14:17 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 14:17 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 14:17 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 14:17 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 14:17 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 14:17 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 14:17 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 14:17 105984 ----a-w- c:\windows\system32\netiohlp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2006-11-10 417792]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-30 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2006-12-20 411768]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-08 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2006-12-12 448632]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2006-12-15 530552]
"HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-19 421888]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2007-09-02 949376]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-12 149280]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2006-11-09 3784704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):c6,03,14,3c,c4,f6,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2450969143-844794473-1312612106-1000]
"EnableNotificationsRef"=dword:00000001

R1 nod32drv;nod32drv;c:\windows\System32\drivers\nod32drv.sys [9/2/2007 12:44 PM 15424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [11/17/2008 2:40 PM 3668480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\AAntivirus.job
- c:\program files\AAntivirus\alpha.exe [2009-11-07 17:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
Trusted Zone: usaa.com\www
Trusted Zone: yahoo.com
Trusted Zone: yahoo.com\us.f622.mail
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 18:26
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i???????['C~????\?8?\?p?\???\???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-11-08 18:30
ComboFix-quarantined-files.txt 2009-11-08 00:30

Pre-Run: 111,334,653,952 bytes free
Post-Run: 111,514,812,416 bytes free

- - End Of File - - 0E35474719107474BCEEC53583284DE5

Re: Alpha Antivirus Help!

Please download the OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    c:\windows\Tasks\AAntivirus.job
    c:\program files\AAntivirus

    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-
    "FirewallOverride"=-


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
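For anyone reading this thread later who wants to confirm whether a machine still carries the same infection before or after running the OTM script above, here is an added read-only audit script. It is not part of the original reply and is not an OTMoveIt or ComboFix tool; it is a PowerShell script (PowerShell 2.0 or later, run from an elevated prompt) that only reports what it finds and removes nothing. Every path, value name and process name it checks comes from the ComboFix log and the OTM instructions in this thread; the only assumption is that Windows is installed on drive C:, as the log shows.

```powershell
# Added audit script for the Alpha Antivirus indicators seen in this thread.
# It reads files, registry values and the process list and prints findings;
# cleanup is left to the tools the reply above describes.
# Assumption: Windows lives on C:, matching the c:\ paths in the ComboFix log.

# File and folder indicators, taken from the ComboFix log and the OTM script.
$indicatorPaths = @(
    'C:\Windows\Tasks\AAntivirus.job',
    'C:\Program Files\AAntivirus',
    'C:\Program Files\AAntivirus\alpha.exe',
    'C:\Program Files\Common Files\AAntivirusUninstall'
)

function Test-AlphaAvIndicators {
    $findings = @()

    foreach ($path in $indicatorPaths) {
        if (Test-Path -LiteralPath $path) {
            $findings += "Present: $path"
        }
    }

    # The log shows empty AntiVirusOverride/FirewallOverride values under the
    # Security Center key; these silence the "no antivirus/firewall" warnings,
    # and the OTM script above deletes them. Report them if still present.
    $scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    if (Test-Path $scKey) {
        $sc = Get-ItemProperty -Path $scKey
        foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
            if ($sc.PSObject.Properties[$name] -ne $null) {
                $findings += "Security Center override set: $name = '$($sc.$name)'"
            }
        }
    }

    # Autostart entries in the HKLM and HKCU Run keys that point at the
    # AAntivirus folder or the alpha.exe process the poster observed.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($run in $runKeys) {
        if (Test-Path $run) {
            $props = Get-ItemProperty -Path $run
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Value -is [string] -and $p.Value -match 'AAntivirus|alpha\.exe') {
                    $findings += "Run entry: $run\$($p.Name) = $($p.Value)"
                }
            }
        }
    }

    # The rogue's process was named alpha.exe on this machine.
    $proc = Get-Process -Name alpha -ErrorAction SilentlyContinue
    if ($proc) {
        $findings += "Process running: alpha.exe (PID $($proc.Id -join ','))"
    }

    return $findings
}

$result = Test-AlphaAvIndicators
if ($result.Count -eq 0) {
    Write-Output 'No Alpha Antivirus indicators found.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

Run it once before the OTM step to see what is still on disk and in the registry, and again after the reboot; an empty result on the second run is a good sign that the files, the scheduled task and the Security Center overrides from the log are gone. Because the script deletes nothing, it is safe to run on a machine where the infection has already been cleaned by NOD32.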

Re: Alpha Antivirus Help!

OK, so NOD32 just found and destroyed Alpha AV randomly earlier. For some reason Internet Explorer (8) continues to freeze up and not respond the instant I open it. It works fine in safe mode, so I cleared the browsing history and temp files while in safe mode, but it still doesn't work normally.

Thanks again!

Re: Alpha Antivirus Help!

Internet Explorer is always buggy like that, I recommend you don't use it and switch to Firefox.

www.firefox.com

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
