need help removing winantiviruspro and other infections [CLOSED]



#1
pdsc

    New Member

  • Member
  • 1 posts
Not sure what my PC is infected with, but I think I'm having problems with WinAntivirusPro, spools.exe, and others. It seems I can't keep my PC clean. I ran Ad-Aware, Spybot S&D, Malwarebytes, and SUPERAntiSpyware. I've followed the instructions in "Read this before you post HijackThis".

They seem to re-enable themselves in msconfig startup and disable my AVG antivirus program.

I've recently updated windows also.

My logs:


Malwarebytes' Anti-Malware 1.15
Database version: 844

10:05:41 PM 06/09/2008
mbam-log-6-9-2008 (22-05-41).txt

Scan type: Quick Scan
Objects scanned: 57265
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3be5406b (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/09/2008 at 10:22 PM

Application Version : 4.15.1000

Core Rules Database Version : 3478
Trace Rules Database Version: 1469

Scan type : Complete Scan
Total Scan Time : 00:15:34

Memory items scanned : 345
Memory threats detected : 0
Registry items scanned : 5523
Registry threats detected : 0
File items scanned : 10657
File threats detected : 21

Adware.180solutions/Seekmo/Zango
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP54\A0001550.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003709.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003710.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003711.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003712.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003713.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003714.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003716.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003718.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003719.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003720.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003721.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003722.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003723.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003724.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003725.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003726.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003727.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003736.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP7\A0000028.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP9\A0000138.EXE


;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-06-09 23:02:17
PROTECTIONS: 1
MALWARE: 8
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 8.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00283886 Bck/Ravmon.B Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP66\A0003747.exe
03042157 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP66\A0003754.dll
03042695 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP66\A0003773.dll
03042695 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Twin\Local Settings\Temporary Internet Files\Content.IE5\QPVG54VQ\kb456456[1]
03042730 Adware/Antivirus2008 Adware No 0 Yes No C:\Program Files\SAV\sav.exe
03052904 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP66\A0003771.dll
03052998 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP66\A0003753.dll
03052998 Spyware/Virtumonde Spyware No 1 Yes No C:\Documents and Settings\Twin\Local Settings\Temporary Internet Files\Content.IE5\BN9BRH8W\kb767887[1]
03053256 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP65\A0003739.exe
03053256 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP69\A0003933.exe
03053256 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP69\A0003926.exe
03053256 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP66\A0003745.exe
03053410 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP66\A0003774.dll
;===================================================================================================================================================================================
SUSPECTS
Sent Location R
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description R
;===================================================================================================================================================================================
184380 MEDIUM MS08-002 R
184379 MEDIUM MS08-001 R
182048 HIGH MS07-069 R
182046 HIGH MS07-067 R
182043 HIGH MS07-064 R
179553 HIGH MS07-061 R
176382 HIGH MS07-057 R
176383 HIGH MS07-058 R
170911 HIGH MS07-050 R
170907 HIGH MS07-046 R
170906 HIGH MS07-045 R
170904 HIGH MS07-043 R
164915 HIGH MS07-035 R
164913 HIGH MS07-033 R
164911 HIGH MS07-031 R
160623 HIGH MS07-027 R
157262 HIGH MS07-022 R
157261 HIGH MS07-021 R
157260 HIGH MS07-020 R
157259 HIGH MS07-019 R
156477 HIGH MS07-017 R
150253 HIGH MS07-016 R
150249 HIGH MS07-013 R
150248 HIGH MS07-012 R
150247 HIGH MS07-011 R
150243 HIGH MS07-008 R
150242 HIGH MS07-007 R
150241 MEDIUM MS07-006 R
141034 HIGH MS06-076 R
141033 MEDIUM MS06-075 R
141030 HIGH MS06-072 R
137571 HIGH MS06-070 R
137568 HIGH MS06-067 R
133387 MEDIUM MS06-065 R
133386 MEDIUM MS06-064 R
133385 MEDIUM MS06-063 R
133379 HIGH MS06-057 R
131654 HIGH MS06-055 R
129977 MEDIUM MS06-053 R
129976 MEDIUM MS06-052 R
126093 HIGH MS06-051 R
126092 MEDIUM MS06-050 R
126087 HIGH MS06-046 R
126086 MEDIUM MS06-045 R
126083 HIGH MS06-042 R
126082 HIGH MS06-041 R
126081 HIGH MS06-040 R
123421 HIGH MS06-036 R
123420 HIGH MS06-035 R
120825 MEDIUM MS06-032 R
120823 MEDIUM MS06-030 R
120818 HIGH MS06-025 R
120815 HIGH MS06-022 R
120814 HIGH MS06-021 R
117384 MEDIUM MS06-018 R
114666 HIGH MS06-015 R
114664 HIGH MS06-013 R
108744 MEDIUM MS06-008 R
108743 MEDIUM MS06-007 R
108742 MEDIUM MS06-006 R
104567 HIGH MS06-002 R
104237 HIGH MS06-001 R
96574 HIGH MS05-053 R
93395 HIGH MS05-051 R
93394 HIGH MS05-050 R
93454 MEDIUM MS05-049 R
;===================================================================================================================================================================================



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:36 PM, on 06/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Documents and Settings\Twin\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [3be5406b] rundll32.exe "C:\WINDOWS\system32\byorfvrk.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingD758] cmd /c del "C:\WINDOWS\system32\byXPIcyx.dll_old"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1213070801625
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: rqRigHXP - rqRigHXP.dll (file missing)
O20 - Winlogon Notify: __c00B1B9F - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6111 bytes
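In the HijackThis log above, the O4 (Run/RunOnce autostart) and O20 (Winlogon Notify) lines are where the startup entries that keep re-enabling themselves would show up. The following Python script is an added example, not code from this thread or from HijackThis: it parses those two line types and flags the patterns visible in this particular log from a triage standpoint, namely an 8-hex-digit Run value name, rundll32 loading a random-looking DLL from system32, a Winlogon Notify DLL that no longer exists, and a Winlogon Notify target that is only a directory. The sample lines are copied from the log above; the one-entry rogue-name list is an assumed stand-in for a maintained list, and the regexes and thresholds are the example's own heuristics.

```python
import re
from dataclasses import dataclass

# Constructed sample, assembled from lines of the HijackThis log posted above
# (O4 = Run/RunOnce autostart entries, O20 = Winlogon Notify DLLs).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [3be5406b] rundll32.exe "C:\WINDOWS\system32\byorfvrk.dll",b
O4 - HKCU\..\Run: [WinAntivirusPro] C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: rqRigHXP - rqRigHXP.dll (file missing)
O20 - Winlogon Notify: __c00B1B9F - C:\WINDOWS\
"""

# Product names the thread itself identifies as rogue. Assumption: a real
# triage tool would consult a maintained list rather than this single entry.
KNOWN_ROGUE_NAMES = {"winantiviruspro"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
# Heuristics (assumptions of this example): generated names tend to be pure hex
# or a fixed-length run of letters with no meaning.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
RUNDLL_RANDOM_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]*\\system32\\([a-z]{8})\.dll"?', re.IGNORECASE)
WINLOGON_TOKEN_RE = re.compile(r"^__c[0-9a-f]+$", re.IGNORECASE)


@dataclass
class Finding:
    line_type: str   # "O4" or "O20"
    name: str        # registry value name / Notify subkey name
    reasons: list    # human-readable reasons the entry was flagged


def check_o4(name, cmd):
    """Return the reasons an O4 autostart entry looks suspicious (empty if none)."""
    reasons = []
    if HEX_NAME_RE.match(name):
        reasons.append("value name is 8 hex digits, typical of generated names")
    if RUNDLL_RANDOM_RE.search(cmd):
        reasons.append("rundll32 loads a system32 DLL with a random-looking 8-letter name")
    if any(rogue in cmd.lower() for rogue in KNOWN_ROGUE_NAMES):
        reasons.append("command path matches a rogue product named in the thread")
    return reasons


def check_o20(name, target):
    """Return the reasons an O20 Winlogon Notify entry looks suspicious."""
    reasons = []
    if "(file missing)" in target:
        reasons.append("Winlogon Notify DLL no longer exists (orphaned entry)")
    if target.endswith("\\"):
        reasons.append("Winlogon Notify target is a directory, not a DLL")
    if WINLOGON_TOKEN_RE.match(name):
        reasons.append("Winlogon Notify name is a generated __c<hex> token")
    return reasons


def analyze(log_text):
    """Parse O4/O20 lines of a HijackThis log and return the flagged entries."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            reasons = check_o4(m["name"], m["cmd"])
            if reasons:
                findings.append(Finding("O4", m["name"], reasons))
            continue
        m = O20_RE.match(line)
        if m:
            reasons = check_o20(m["name"], m["target"])
            if reasons:
                findings.append(Finding("O20", m["name"], reasons))
    return findings


def suspicious_names(log_text):
    """Sorted names of all flagged entries, for a quick summary."""
    return sorted(f.name for f in analyze(log_text))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.line_type} [{f.name}]")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, the legitimate AVG tray and SUPERAntiSpyware entries pass untouched while the four entries that the MBAM, Panda and HijackThis output above single out are the ones reported. The point of the O20 checks is that a Winlogon Notify DLL is loaded by winlogon.exe at logon, before the user's own startup items, which is why disabling the O4 entry in msconfig alone does not stop it coming back.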


#2
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#3
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.