I was recently infected by this nasty virus/spyware: Windows Antivirus Pro. I tried using SUPERAntiSpyware Pro to clean my machine, and it actually seemed to help a bit, but it did not completely clear the spyware from my computer. My system is running a bit slower than usual, and my background image still has embedded text which says "DANGER!!! Your computer is INFECTED! etc."
I read a recent post regarding this same virus, and so I tried to run Combo-Fix on my system. Here is the log... (NOTE: I did in fact disable Norton's Antivirus before the scan, but there was still a prompt that said to turn it off... not sure why that happened). Anyways, the log:
ComboFix 09-08-10.06 - Steve 08/17/2009 17:11.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.523 [GMT -4:00]
Running from: c:\documents and settings\Steve\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.
2009-08-16 16:41 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-16 16:41 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-16 16:41 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-16 16:41 . 2009-08-17 20:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-16 16:41 . 2009-08-16 16:42 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-16 16:41 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-16 16:40 . 2009-08-16 16:42 -------- d-----w- c:\program files\Spyware Doctor
2009-08-16 16:40 . 2009-08-16 16:40 -------- d-----w- c:\documents and settings\Steve\Application Data\PC Tools
2009-08-16 16:40 . 2009-08-16 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-16 16:38 . 2008-11-27 22:47 -------- d---a-w- c:\windows\system32\images
2009-08-16 16:01 . 2009-08-16 16:46 0 ----a-w- c:\windows\ppp4.dat
2009-08-16 16:01 . 2009-08-16 16:46 1 ----a-w- c:\windows\ppp3.dat
2009-08-16 16:01 . 2009-08-16 16:01 36 ----a-w- c:\windows\system32\sysnet.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 21:17 . 2008-02-26 05:18 -------- d-----w- c:\documents and settings\Steve\Application Data\DNA
2009-08-17 20:41 . 2007-04-01 02:09 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-17 18:57 . 2008-02-26 05:18 -------- d-----w- c:\program files\DNA
2009-08-16 17:14 . 2008-01-20 21:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-05 09:11 . 2007-03-25 23:50 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 21:44 . 2009-01-06 02:34 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-17 18:55 . 2001-08-18 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 06:18 . 2004-08-04 07:56 233472 ------w- c:\windows\system32\wmpdxm.dll
2009-07-01 18:09 . 2009-07-01 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-07-01 18:08 . 2009-07-01 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Online Entertainment
2009-07-01 18:08 . 2009-07-01 18:08 -------- d-----w- c:\program files\Sony Online Entertainment
2009-06-26 16:18 . 2004-01-08 20:23 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-25 08:44 . 2001-08-18 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2001-08-18 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2001-08-18 12:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2001-08-18 12:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2001-08-18 12:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2001-08-18 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-22 11:34 . 2001-08-18 12:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2001-08-18 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2001-08-18 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2001-08-18 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2001-08-18 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2007-03-25 23:13 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2007-03-25 23:50 1290752 ----a-w- c:\windows\system32\quartz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-18 342848]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-4-5 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\system32\onhelp.htm
FriendlyName= tets
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 18:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Documents and Settings\\Steve\\My Documents\\nestc042\\NESTCL95.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/16/2009 12:41 PM 130936]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 2:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 1:39 PM 32256]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 6:51 PM 4096]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/2/2004 8:36 PM 173392]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/16/2009 12:41 PM 348752]
--- Other Services/Drivers In Memory ---
*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder
2009-08-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\7t9aeptc.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/webhp?hl=en
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=56939&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\7t9aeptc.default\extensions\{f02289b7-b23a-49b1-a7da-b60880e69629}\components\Engine.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\7t9aeptc.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 17:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(1472)
c:\windows\System32\shdoclc.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
.
Completion time: 2009-08-17 17:22
ComboFix-quarantined-files.txt 2009-08-17 21:22
ComboFix2.txt 2009-08-17 21:04
ComboFix3.txt 2008-01-21 22:21
ComboFix4.txt 2008-01-21 14:55
Pre-Run: 7,291,617,280 bytes free
Post-Run: 7,279,616,000 bytes free
162 --- E O F --- 2009-08-17 02:07
So, what's the next step? Any help is much appreciated. Thanks so much in advance. Cheers,