GeekPolice Tech TutorialsLog in

 

Share

descriptionInfected with Antivirus System Pro

more_horiz
hi friends. ive had this problem for like 2 days already and the only way i can work around this is through a guest account. my other accounts are infected and i cant open ANY files.

so far ive downloaded malwarebytes' anti-malware but i cant open the program, so i downloaded hijack this. i got the log for it i just need help on figuring out what to do from here

immediate help would be nice; thank you kindly!

descriptionRe: Infected with Antivirus System Pro

more_horiz
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

descriptionRe: Infected with Antivirus System Pro

more_horiz
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:24:39 PM, on 12/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Camera Assistant Software for ViewSonic\traybar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Roa\Local Settings\Application Data\fkkexu\riiisysguard.exe
C:\Documents and Settings\Crosser\Local Settings\Application Data\eiyolp\xvypsysguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Documents and Settings\Crosser\Local Settings\Application Data\eiyolp\xvypsysguard.exe
C:\Program Files\Camera Assistant Software for ViewSonic\CEC_MAIN.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\AIM6\aolsoftware.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.porno.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by MySpace
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DP4D.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: FearFM Toolbar - {bab31fc4-cb97-46f4-9565-26d65225cc2c} - C:\Program Files\FearFM\tbFea1.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: FearFM Toolbar - {bab31fc4-cb97-46f4-9565-26d65225cc2c} - C:\Program Files\FearFM\tbFea1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for ViewSonic\traybar.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tqicphku] C:\Documents and Settings\Roa\Local Settings\Application Data\fkkexu\riiisysguard.exe
O4 - HKLM\..\Run: [qeqxngvr] C:\Documents and Settings\Crosser\Local Settings\Application Data\eiyolp\xvypsysguard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [qeqxngvr] C:\Documents and Settings\Crosser\Local Settings\Application Data\eiyolp\xvypsysguard.exe
O4 - HKUS\S-1-5-21-746137067-1682526488-682003330-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (User 'Guest')
O4 - HKUS\S-1-5-21-746137067-1682526488-682003330-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FFF9554-5A30-48BC-B48C-2E794CB52EA7}: NameServer = 85.255.112.13,85.255.112.110
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.13,85.255.112.110
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.13,85.255.112.110
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.13,85.255.112.110
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.13,85.255.112.110
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7804 bytes

descriptionRe: Infected with Antivirus System Pro

more_horiz
Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.porno.com/
    O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DP4D.dll (file missing)
    O4 - HKLM\..\Run: [tqicphku] C:\Documents and Settings\Roa\Local Settings\Application Data\fkkexu\riiisysguard.exe
    O4 - HKLM\..\Run: [qeqxngvr] C:\Documents and Settings\Crosser\Local Settings\Application Data\eiyolp\xvypsysguard.exe
    O4 - HKCU\..\Run: [qeqxngvr] C:\Documents and Settings\Crosser\Local Settings\Application Data\eiyolp\xvypsysguard.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1FFF9554-5A30-48BC-B48C-2E794CB52EA7}: NameServer = 85.255.112.13,85.255.112.110
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.13,85.255.112.110
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.13,85.255.112.110
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.13,85.255.112.110
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.13,85.255.112.110


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

descriptionRe: Infected with Antivirus System Pro

more_horiz
okay im good up to the point where i finish downloading Malwarebytes' Anti-Malware i cant open it Sad tearing

descriptionRe: Infected with Antivirus System Pro

more_horiz
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionRe: Infected with Antivirus System Pro

more_horiz
ComboFix 09-12-31.06 - Crosser 12/31/2009 15:46:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.587 [GMT -8:00]
Running from: c:\documents and settings\Crosser\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\Crosser\Local Settings\Application Data\eiyolp
c:\documents and settings\Crosser\Local Settings\Application Data\eiyolp\xvypsysguard.exe
c:\documents and settings\Roa\Local Settings\Application Data\fkkexu
c:\documents and settings\Roa\Local Settings\Application Data\fkkexu\riiisysguard.exe
c:\windows\kb913800.exe
c:\windows\system32\drivers\gxvxcuwpjtxhbhdlyrqmltkmxmhlbppqlculq.sys
c:\windows\system32\drivers\gxvxcwyjkydvrodtfsqrucjcxjkmsbituchyf.sys
c:\windows\system32\drivers\gxvxcxrlnmsbnrjbpxesvxbfamtnopxmoysft.sys
c:\windows\system32\drivers\gxvxcxumkbpxnmwrriltxpylnberrngemqxfs.sys
c:\windows\system32\drivers\gxvxcykvpppmkpfvrbnyauqbuxymetadativl.sys
c:\windows\system32\drivers\gxvxcyxurrvkbsivielesixrerxkwnsftymeh.sys
c:\windows\system32\gxvxccounter
c:\windows\system32\gxvxcmoqxihovbnriqsiwwbdaibardlyxeoaf.dll
D:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gxvxcserv.sys
-------\Legacy_gxvxcserv.sys


((((((((((((((((((((((((( Files Created from 2009-12-01 to 2010-01-01 )))))))))))))))))))))))))))))))
.

2009-12-31 22:37 . 2009-12-30 22:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-31 22:37 . 2009-12-31 22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 22:37 . 2009-12-31 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-31 22:37 . 2009-12-30 22:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 21:35 . 2009-12-31 21:35 -------- d-----w- c:\documents and settings\Crosser\Local Settings\Application Data\Conduit
2009-12-31 21:19 . 2009-12-31 21:19 -------- d-----w- c:\program files\TrendMicro
2009-12-31 20:49 . 2009-12-31 20:52 -------- d-----w- c:\documents and settings\Guest\Application Data\Azureus
2009-12-31 04:18 . 2009-12-31 04:18 -------- d-----w- c:\documents and settings\Guest\Application Data\vlc
2009-12-31 03:10 . 2009-12-31 22:22 -------- d-----w- c:\documents and settings\Crosser\Local Settings\Application Data\FearFM
2009-12-31 03:05 . 2009-12-31 03:05 -------- dc----w- c:\windows\system32\DRVSTORE
2009-12-28 08:24 . 2009-12-28 08:24 -------- d-----w- c:\documents and settings\Crosser\Application Data\acccore
2009-12-28 08:24 . 2009-12-28 08:24 -------- d-----w- c:\documents and settings\Crosser\Local Settings\Application Data\AOL OCP
2009-12-28 08:24 . 2009-12-28 08:24 -------- d-----w- c:\documents and settings\Crosser\Local Settings\Application Data\AOL
2009-12-28 08:24 . 2009-12-28 08:24 -------- d-----w- c:\documents and settings\Crosser\Local Settings\Application Data\Mozilla
2009-12-28 07:55 . 2009-12-28 07:55 28648 ----a-w- c:\documents and settings\Crosser\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-28 07:54 . 2009-12-28 08:22 -------- d-----w- c:\documents and settings\Crosser\Application Data\Apple Computer
2009-12-28 00:15 . 2009-12-28 00:15 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla
2009-12-15 01:01 . 2009-12-15 01:01 28648 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-15 01:01 . 2009-12-15 01:01 -------- d-----w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment
2009-12-15 01:01 . 2009-12-15 01:01 -------- d-----w- c:\documents and settings\Guest\Application Data\InstallShield Installation Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 23:58 . 2009-02-13 02:23 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-31 21:19 . 2009-12-31 21:19 388096 ----a-r- c:\documents and settings\Crosser\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-31 17:42 . 2009-03-05 00:21 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-31 03:06 . 2009-07-07 22:13 -------- d-----w- c:\documents and settings\Guest\Application Data\Apple Computer
2009-12-31 02:58 . 2009-08-27 08:17 -------- d-----w- c:\program files\VirtualDJ
2009-12-31 02:50 . 2009-07-07 22:13 664 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\d3d9caps.tmp
2009-12-29 04:35 . 2009-12-15 01:02 819880 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankB\WizardLauncher.exe
2009-12-29 04:35 . 2009-12-15 01:01 819880 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankA\WizardLauncher.exe
2009-12-29 04:35 . 2009-12-15 01:02 73728 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankB\PatchClientUIRsrc-En.dll
2009-12-29 04:35 . 2009-12-15 01:01 73728 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankA\PatchClientUIRsrc-En.dll
2009-12-29 04:35 . 2009-12-15 01:02 39424 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankB\ConfiguratorResEnglish.dll
2009-12-29 04:35 . 2009-12-15 01:02 103080 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankB\Configurator.exe
2009-12-29 04:35 . 2009-12-15 01:01 39424 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankA\ConfiguratorResEnglish.dll
2009-12-29 04:35 . 2009-12-15 01:01 103080 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankA\Configurator.exe
2009-12-27 20:05 . 2009-03-06 03:50 -------- d-----w- c:\documents and settings\Roa\Application Data\LimeWire
2009-12-18 03:16 . 2009-11-24 01:16 79488 ----a-w- c:\documents and settings\Roa\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-15 01:09 . 2009-12-15 01:09 449536 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Data\GameData\ZoneData\_Shared\WorldData\Sound\Miles72a\mss32.dll
2009-12-15 01:09 . 2009-12-15 01:09 389120 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Data\GameData\ZoneData\_Shared\WorldData\Sound\Miles\mss32.dll
2009-12-15 01:05 . 2009-12-15 01:05 59904 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\zlib1.dll
2009-12-15 01:05 . 2009-12-15 01:05 626688 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\msvcr80.dll
2009-12-15 01:05 . 2009-12-15 01:05 548864 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\msvcp80.dll
2009-12-15 01:05 . 2009-12-15 01:05 389120 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\mss32.dll
2009-12-15 01:04 . 2009-12-15 01:04 1101824 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\mfc80.dll
2009-12-15 01:04 . 2009-12-15 01:04 1645320 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\gdiplus.dll
2009-12-15 01:04 . 2009-12-15 01:04 1045128 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\dbghelp.dll
2009-12-15 01:04 . 2009-12-15 01:04 2414360 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\d3dx9_31.dll
2009-12-15 01:04 . 2009-12-15 01:04 16429736 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\WizardGraphicalClient.exe
2009-12-15 01:03 . 2009-12-15 01:03 135168 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\StringTableEditorMFC.dll
2009-12-15 01:03 . 2009-12-15 01:03 2 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\PropertyClassSystem.dll
2009-12-15 01:03 . 2009-12-15 01:03 73728 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\PatchClientUIRsrc-En.dll
2009-12-15 01:03 . 2009-12-15 01:03 49152 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\MG_Shockalock.dll
2009-12-15 01:03 . 2009-12-15 01:03 40960 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\MG_PotionMotion.dll
2009-12-15 01:03 . 2009-12-15 01:03 53248 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\MG_HotShots.dll
2009-12-15 01:03 . 2009-12-15 01:03 94208 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\MG_Dueling_Diego.dll
2009-12-15 01:03 . 2009-12-15 01:03 24576 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\MG_Concentration.dll
2009-12-15 01:03 . 2009-12-15 01:03 49152 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\MG_ChooChooZoo.dll
2009-12-15 01:03 . 2009-12-15 01:03 2 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\KIPlatformWebService.dll
2009-12-15 01:02 . 2009-12-15 01:02 2 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\KIPlatformDb.dll
2009-12-15 01:02 . 2009-12-15 01:02 2 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\KIHousingServer.dll
2009-12-15 01:02 . 2009-12-15 01:02 2 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Bin\KIDatabaseMySQLC.dll
2009-12-14 07:02 . 2009-12-15 01:01 59904 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankA\zlib1.dll
2009-12-14 07:02 . 2009-12-15 01:01 37032 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\Wizard101.exe
2009-12-14 07:02 . 2009-12-15 01:02 495616 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankB\SkinCrafterDll.dll
2009-12-14 07:02 . 2009-12-15 01:02 207872 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankB\patchw32.dll
2009-12-14 07:02 . 2009-12-15 01:02 1645320 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankB\gdiplus.dll
2009-12-14 07:02 . 2009-12-15 01:01 495616 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankA\SkinCrafterDll.dll
2009-12-14 07:02 . 2009-12-15 01:01 207872 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankA\patchw32.dll
2009-12-14 07:02 . 2009-12-15 01:01 1645320 ----a-w- c:\documents and settings\Guest\Application Data\KingsIsle Entertainment\Wizard101\PatchClient\BankA\gdiplus.dll
2009-12-11 03:44 . 2009-03-05 00:39 -------- d-----w- c:\program files\Vuze
2009-12-11 03:44 . 2009-03-05 00:41 -------- d-----w- c:\documents and settings\Roa\Application Data\Azureus
2009-12-11 00:35 . 2009-04-20 00:49 10686001 ----a-w- c:\documents and settings\Roa\Application Data\Azureus\plugins\azump\mplayer.exe
2009-11-28 02:07 . 2009-03-05 00:19 -------- d-----w- c:\program files\Safari
2009-11-28 02:04 . 2009-11-28 02:04 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-11-07 23:39 . 2009-03-05 00:47 -------- d-----w- c:\program files\LimeWire
2009-11-07 23:00 . 2009-11-07 22:59 -------- d-----w- c:\program files\iTunes
2009-11-07 22:59 . 2009-11-07 22:59 -------- d-----w- c:\program files\iPod
2009-11-07 22:59 . 2009-03-05 00:29 -------- d-----w- c:\program files\Common Files\Apple
2009-11-07 22:49 . 2009-11-07 22:49 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-07 23:14 . 2009-10-07 23:13 7621144 ---h--w- c:\documents and settings\Danilo\Application Data\mjusbsp\ar00000\upgrade.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 88361]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for ViewSonic\traybar.exe" [2007-08-20 774144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

c:\documents and settings\Danilo\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\Roa\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WMConnectCDS"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/4/2009 4:29 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 7:01 PM 102448]
S3 {439FAEC5-095A-43C2-9290A2A59C80A007};{439FAEC5-095A-43C2-9290A2A59C80A007};c:\windows\System32\svchost.exe -k netsvcs [8/3/2004 3:56 PM 14336]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 8:33 PM 116464]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{439FAEC5-095A-43C2-9290A2A59C80A007}
.
Contents of the 'Scheduled Tasks' folder

2009-12-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
mStart Page = hxxp://www.myspace.com/
FF - ProfilePath - c:\documents and settings\Crosser\Application Data\Mozilla\Firefox\Profiles\9584y075.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-qeqxngvr - c:\documents and settings\Crosser\Local Settings\Application Data\eiyolp\xvypsysguard.exe
AddRemove-FreeHDplay - c:\program files\FreeHDplay\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-31 16:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{439FAEC5-095A-43C2-9290A2A59C80A007}]
"ServiceDll"="c:\docume~1\Crosser\LOCALS~1\Temp\45.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1492)
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\AGRSMMSG.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-12-31 16:16:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-01 00:16

Pre-Run: 73,467,285,504 bytes free
Post-Run: 75,776,794,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 984308396920727CE7487868B85FA15D

descriptionRe: Infected with Antivirus System Pro

more_horiz
Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Driver::
    {439FAEC5-095A-43C2-9290A2A59C80A007}

    NetSvc::
    {439FAEC5-095A-43C2-9290A2A59C80A007}

    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{439FAEC5-095A-43C2-9290A2A59C80A007}]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.
Permissions in this forum:
You cannot reply to topics in this forum