Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Windows Antivirus Pro Infection - Please Help!

Started by yacback , Aug 17 2009 03:36 PM

  • Please log in to reply

#1
yacback
Posted 17 August 2009 - 03:36 PM

yacback

    New Member

  • Member
  • Pip
  • 3 posts
Hi all,

I was recently infected by this nasty virus/spyware: Windows Antivirus Pro. I tried using superantispyware pro to clean my machine, and it actually seemed to help a bit, but it did not completely clear the spyware from my computer. My system is running a bit slower than usual, and my background image still has embedded text which says "DANGER!!! Your computer is INFECTED! etc."

I read a recent post regarding this same virus, and so I tried to run Combo-fix on my system. Here is the log...( NOTE: I did in fact disable Nortons Antivirus before the scan, but there was still a prompt that said to turn it off...not sure why that happened). Anyways, the log:


ComboFix 09-08-10.06 - Steve 08/17/2009 17:11.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.523 [GMT -4:00]
Running from: c:\documents and settings\Steve\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-16 16:41 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-16 16:41 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-16 16:41 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-16 16:41 . 2009-08-17 20:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-16 16:41 . 2009-08-16 16:42 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-16 16:41 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-16 16:40 . 2009-08-16 16:42 -------- d-----w- c:\program files\Spyware Doctor
2009-08-16 16:40 . 2009-08-16 16:40 -------- d-----w- c:\documents and settings\Steve\Application Data\PC Tools
2009-08-16 16:40 . 2009-08-16 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-16 16:38 . 2008-11-27 22:47 -------- d---a-w- c:\windows\system32\images
2009-08-16 16:01 . 2009-08-16 16:46 0 ----a-w- c:\windows\ppp4.dat
2009-08-16 16:01 . 2009-08-16 16:46 1 ----a-w- c:\windows\ppp3.dat
2009-08-16 16:01 . 2009-08-16 16:01 36 ----a-w- c:\windows\system32\sysnet.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-17 21:17 . 2008-02-26 05:18 -------- d-----w- c:\documents and settings\Steve\Application Data\DNA
2009-08-17 20:41 . 2007-04-01 02:09 -------- d-----w- c:\program files\Symantec AntiVirus
2009-08-17 18:57 . 2008-02-26 05:18 -------- d-----w- c:\program files\DNA
2009-08-16 17:14 . 2008-01-20 21:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-05 09:11 . 2007-03-25 23:50 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 21:44 . 2009-01-06 02:34 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-17 18:55 . 2001-08-18 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 06:18 . 2004-08-04 07:56 233472 ------w- c:\windows\system32\wmpdxm.dll
2009-07-01 18:09 . 2009-07-01 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2009-07-01 18:08 . 2009-07-01 18:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Online Entertainment
2009-07-01 18:08 . 2009-07-01 18:08 -------- d-----w- c:\program files\Sony Online Entertainment
2009-06-26 16:18 . 2004-01-08 20:23 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-25 08:44 . 2001-08-18 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2001-08-18 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2001-08-18 12:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2001-08-18 12:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2001-08-18 12:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2001-08-18 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-22 11:34 . 2001-08-18 12:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2001-08-18 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2001-08-18 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2001-08-18 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2001-08-18 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2001-08-18 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2007-03-25 23:13 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2007-03-25 23:50 1290752 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-18 342848]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2009-06-30 2836376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 188416]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-4-5 25214]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\system32\onhelp.htm
FriendlyName= tets

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 18:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Documents and Settings\\Steve\\My Documents\\nestc042\\NESTCL95.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/16/2009 12:41 PM 130936]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/10/2006 2:53 PM 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 1:39 PM 32256]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 6:51 PM 4096]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [8/2/2004 8:36 PM 173392]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [8/16/2009 12:41 PM 348752]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-08-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\7t9aeptc.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/webhp?hl=en
FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=56939&ei=utf-8&yahoo_domain=search.yahoo.com&p=
FF - component: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\7t9aeptc.default\extensions\{f02289b7-b23a-49b1-a7da-b60880e69629}\components\Engine.dll
FF - plugin: c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\7t9aeptc.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 17:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1472)
c:\windows\System32\shdoclc.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
.
Completion time: 2009-08-17 17:22
ComboFix-quarantined-files.txt 2009-08-17 21:22
ComboFix2.txt 2009-08-17 21:04
ComboFix3.txt 2008-01-21 22:21
ComboFix4.txt 2008-01-21 14:55

Pre-Run: 7,291,617,280 bytes free
Post-Run: 7,279,616,000 bytes free

162 --- E O F --- 2009-08-17 02:07


So, what's the next step?? Any help is much appreciated. Thanks so much in advance. Cheers,
  • 0

Advertisements

#2
yacback
Posted 18 August 2009 - 10:57 PM

yacback

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
* bump *
  • 0

#3
yacback
Posted 23 August 2009 - 07:20 PM

yacback

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
this forum sucks
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP