hjt log (probable AntiVirus System Pro infection)
Post by JFromSeattle » June 1st, 2010, 6:51 pm

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:34:48 PM, on 6/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\System32\services.exe
C:\WINDOWS\System32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\Downloades\explorer.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: - Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: - JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdatesSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-2001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11D2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1380781746
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5009530218
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories Cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\viewpointService.exe

--
End of file - 5732 bytes

* Yes, I know there's quite a lot of crap in there, but it isn't my primary machine.

Edit: Forgot to add uninstall list. I AM NOT BUMPING
Ad-Aware 2007
Adobe Acrobat and Reader 8.1.2 Security Update
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
AIM 6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASUS WiFi-AP Solo
BOINC
Bonjour
Combined Community Codec Pack 2008-01-24
Counter-Strike
dBpoweramp FLAC Codec
DivX Codec
DivX Converter
DivX Player
DivX Web Player
ESET Online Scanner
EVE Online (remove only)
EVEMon
getPlus(R)_dll
Gunbound Revolution
Half-Life
Half-Life 2: Episode One
Half-Life 2: Episode Two
High Definition Audio Driver Package - KB888111
HijackThis 2.02
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
ijji Auto Installer
iTunes
Java(TM) 6 Update 15
Left 4 Dead
Left 4 Dead 2
LogMeIn Hamachi
Malwarebytes' Anti-Malware
Medieval II: Total War
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 Redistributable
Microsoft WinUsb 1.0
Microsoft Word 200
MobileMe Control Panel
Mozilla Firefox (3.5.9)
Nintendo Wi-Fi USB Connector Registration Tool
NVIDIA Drivers
NVIDIA PhysX v8.10.13
PCsync
Portal
Punkbuster Services
Quicktime
Rainbow Six Vegas 2
RealPlayer
RealUpgrade 1.0
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
Sins of a Solar Empire
SoundMAX
Source SDK Base
Spybot - Search & Destroy
Star Wars JK II Jedi Outcast
Steam
TBS WMP Plug-in
Team Fortress 2
Titan Quest
Titan Quest: Immortal Throne
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Ventrilo Client
Viewpoint Media Player
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Easy Transfer
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
Xfire (remove only)
Yahoo! Messenger
Zune
Zune Language Pack (DE)
Zune Language Pack (ES)
Zune Language Pack (FR)
Zune Language Pack (IT)


I found a nifty folder on my desktop a few days ago around the time my Spybot Search & Destroy started screaming at me about a value named ojhrfuvu making a folder called rbkuordvc and a program called veipciitssd.exe. Along with this bundle of fun came syssvc.exe, which I used later to trace it. Soon after, I got a dummy virus scan which wouldn't allow me to Ctrl + Alt + Del it, so I pulled the plug on it.

I've run Malwarebytes and Spybot a couple of times in both Safe Mode and Safe Mode with Networking, and neither has cured the problem. It disabled my sound, turned on my Windows Search (while destroying its functionality), changed the way my desktop displayed, and basically won't let me use Internet Explorer. Firefox works, except it won't allow me to post in this lovely forum, only log in.

Thanks for your time.
JFromSeattle
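As an added example (not part of the original thread, and not a MalwareRemoval.com or HijackThis tool), the Python script below applies the first checks a helper makes when reading a log like the one above: does any running process or autostart entry live outside the Windows or Program Files trees, does a core Windows binary such as explorer.exe run from a user's documents folder, and does a service report no owner. The sample log is constructed from a handful of lines of the posted log; the trusted-directory prefixes and the severity labels are my assumptions for a Windows XP machine.

```python
"""Triage a HijackThis 2.x log for entries a malware-removal helper looks at first.

Added example for this thread, not a MalwareRemoval.com or HijackThis tool.
Assumptions: a Windows XP layout (C:\\WINDOWS, C:\\Program Files) and the
severity labels below; SAMPLE_LOG is constructed from lines of the posted log.
"""
import re

# Directories that legitimate XP processes, services and Run entries start from.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
# Core Windows binaries whose names malware likes to reuse from odd locations.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe", "ctfmon.exe"}
# Leading part of a command line up to the first executable-looking extension.
_EXT = re.compile(r"(.*?\.(?:exe|dll|cpl|scr|bat|cmd))(?=[\s,]|$)", re.I)


def _norm(path):
    return path.strip().strip('"').lower()


def classify_path(path):
    """Return (severity, reason) for a binary path, or None if it looks ordinary."""
    p = _norm(path)
    name = p.rsplit("\\", 1)[-1]
    if "\\" not in p:
        return ("info", "bare filename, resolved through the PATH search order")
    if name in SYSTEM_BINARIES and not p.startswith("c:\\windows\\"):
        return ("high", "core Windows binary name running outside C:\\WINDOWS")
    if not p.startswith(TRUSTED_PREFIXES):
        return ("medium", "started from a non-standard directory")
    return None


def _command_path(cmd):
    """Pull the launched file out of an O4 command line (quoted, unquoted or rundll32)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = _EXT.match(cmd)
    first = m.group(1) if m else cmd.split(" ", 1)[0]
    if first.lower().endswith("rundll32.exe") and m:
        # The real payload is the DLL argument: RUNDLL32.EXE C:\...\NvCpl.dll,NvStartup
        rest = cmd[m.end():].strip()
        m2 = _EXT.match(rest)
        return m2.group(1) if m2 else rest
    return first


def triage(log_text):
    """Walk the log and return a list of findings as dicts, in log order."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # a blank line closes the process section
                in_procs = False
                continue
            hit = classify_path(line)
            if hit:
                findings.append({"section": "process", "severity": hit[0],
                                 "reason": hit[1], "entry": line})
        elif line.startswith("O4 - ") and "Run:" in line and "]" in line:
            hit = classify_path(_command_path(line.split("]", 1)[1]))
            if hit:
                findings.append({"section": "O4", "severity": hit[0],
                                 "reason": hit[1], "entry": line})
        elif line.startswith("O23 - Service: "):
            # Format: O23 - Service: <name> - <owner> - <path>
            parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            _name, owner, path = parts
            if owner.lower() == "unknown owner":
                findings.append({"section": "O23", "severity": "medium",
                                 "reason": "service binary carries no vendor/owner",
                                 "entry": line})
            hit = classify_path(path)
            if hit:
                findings.append({"section": "O23", "severity": hit[0],
                                 "reason": hit[1], "entry": line})
    return findings


# Constructed from a few lines of the HijackThis log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Administrator\My Documents\Downloades\explorer.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']}: {f['reason']}\n         {f['entry']}")
```

Run against the sample, the second explorer.exe (the one under My Documents\Downloades) is the only high finding, nwiz.exe is noted as a bare filename, and the PnkBstrA service is flagged for its missing owner; a directory allow-list is a coarse filter, so the findings are a reading order for the helper, not a verdict.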

Re: hjt log (probable AntiVirus System Pro infection)

Post by askey127 » June 3rd, 2010, 7:57 am

JFromSeattle,
-----------------------------------------------------------
There are some Issues with infections in relation to PunkBuster:
Your computer has installed gaming tools. Some of these, like Punkbuster, use spyware techniques to engage in the anti-piracy battle.
In the process, they take control of much of your PC, and they actually meet the definition of spyware/malware.
They are sometimes designed to prevent orderly removal or modification, and they have only limited respect for retaining the overall security and integrity of your machine.
It is not a certainty that your computer can be cleaned without breaking or removing some of these programs, and this could result in not being able to play the associated games, or corruption of your system.
Since we are dedicated to causing No Harm, we won't normally work on machines with this type of program installed without explicit permission from the owner.
If you want to continue using the machine in this way, you should consider using imaging software like Norton Ghost or Acronis TrueImage, or Terabyte Image, which can put your entire C: drive back into an earlier state whenever the infections or malfunctions get too severe.

If you really want to clean this machine, I will help, but if you so choose, understand there is NO assurance you will be able to do games afterwards.
There is also additional risk to the integrity of the system, since we have no way of knowing what system changes have been made by PB.

I would suggest proceeding as follows:
------------------------------------------------
Download and Run Rkill
Please download Rkill from one of the following links and save to your Desktop:
If you have to download one on a clean machine and transfer it to yours via a flash drive, do it.
The different links are just different names for the same program, so if an Antivirus flags one, try another.
One, Two, Three or Four
  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue.
If you cannot get Rkill to run without being stopped, don't proceed further, and post back to tell me about it.
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

Spybot S&D
Ad-Aware 2007

Take extra care in answering questions posed by any Uninstaller.
If Spybot asks whether you want to remove all settings, answer YES. If it reports that all settings could not be removed, that's OK.
-----------------------------------------------------------
Download a free AntiVirus Program
Download just one of these free anti-virus programs, update it and run a full scan. Have it fix anything it finds.
If you have to download one of the installers on a clean machine and transfer it to your desktop via a flash drive, do it.
Consider this an Emergency until you complete it!
Let me know how it goes.
Don't surf unnecessarily while doing this, even if you can.
askey127

Re: hjt log (probable AntiVirus System Pro infection)

Post by JFromSeattle » June 3rd, 2010, 3:45 pm

Thanks for the advice.

I'm more concerned with the presence of the things that were changing my registry, like syssvc.exe, but I'll give this a go. I'm not entirely certain how I managed to get PnkBstr on my computer anyway considering I've never played the associated game, so it could be worth a shot.

I won't be using the internet while doing it either, because I'm operating from my laptop right now and manually transcribing all the readouts I get.
JFromSeattle

Re: hjt log (probable AntiVirus System Pro infection)

Post by JFromSeattle » June 3rd, 2010, 4:07 pm

D/led and ran rkill, which turned up nothing.

-------------------------------------------

Uninstalled Ad-Aware and Spybot.

-------------------------------------------

Whilst doing the Microsoft Security Essentials thing, I got this message:

Virus & spyware definitions update failed

Microsoft Security Essentials wasn't able to check for virus & spyware definition updates.
Make sure your computer is connected to the Internet and try again.

Click 'Help' for more information about this problem.

Error code: 0x80072efe
Error description: Microsoft Security Essentials couldn't install the definition updates. Please try again later.

This was after about a third of the bar filled. I tried a second time, same results. It was definitely connected to the internet and everything.
JFromSeattle

Re: hjt log (probable AntiVirus System Pro infection)

Post by askey127 » June 4th, 2010, 7:34 am

JFromSeattle,
There are three downloads in the instructions below.
Run RKill again.
----------------------------------------------
Download FixPolicies.exe, a self-extracting ZIP archive, and save it to your Desktop.
You can get it from here: http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
----------------------------------------------
Download the Antivir installer and save it to the desktop: http://www.softpedia.com/get/Antivirus/AntiVir-Personal-Edition.shtml
Don't do anything with it yet.
----------------------------------------------
Download Temp File Cleaner
Download Temp File Cleaner and save it to your desktop.
Don't do anything with it yet.
----------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

Microsoft Security Essentials
Punkbuster Services

----------------------------------------------
Run Temp File Cleaner
Double click TFC on your desktop to Run it.
If it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
After Restart, log back in to your usual account.
----------------------------------------------
Install Antivir from your desktop, have it update and run a full scan.
(You really have to find a way to download, update and scan with a good antivirus, or you will be in a situation where a reformat and Re-install of Windows is your only option).
If you cannot update, run the full scan anyway, and let me know when you post back.
----------------------------------------------
Let me know the results. If you can post the log from the scan, it would be helpful.
Directions to get the log from the scan are here:
Get Last Avira Report
Right click the red umbrella icon in the system tray and click Start Antivir
In the left pane, click Overview, then click Reports
There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan.
Click on the Report File button, or Right click the report and choose Display Report.
The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C).
Paste the contents (Ctrl+V) into your next reply.

askey127

Re: hjt log (probable AntiVirus System Pro infection)

Post by JFromSeattle » June 4th, 2010, 5:06 pm

Ran RKill again. Nothing turned up, as before.

-------

Downloaded and ran FixPolicies. So far as I know, it ran just fine.

-------

Removed both Microsoft Security Essentials and Punkbuster Services.

-------

Ran TFC and it removed something like 4840 MB of temp files across the system, which was... startling.

------

Ran Avira AntiVir. The most basic scan turned up nothing. Out of curiosity here, I tried to access Internet Explorer, which had previously not worked, leaving me to use Firefox. This time, it loaded just fine. I didn't surf, I just tested it, and immediately shut it down again and ran a full system scan with Avira AntiVir. This is where it finally began to pay off, because it picked up on TR/FraudPack.axdi, which was something Spybot and Malwarebytes picked up on before and was traced to the program I assumed to be causing all the problems. But wait, there's more than I really accounted for, which is simultaneously horrifying and relieving because at least we're getting somewhere...

Avira AntiVir Personal
Report file date: Friday, June 04, 2010 12:42

Scanning for 2189644 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : LAO-TZU

Version information:
BUILD.DAT : 10.0.0.567 32097 Bytes 4/19/2010 15:07:00
AVSCAN.EXE : 10.0.3.0 433832 Bytes 4/1/2010 20:37:38
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 20:57:04
LUKE.DLL : 10.0.2.3 104296 Bytes 3/8/2010 02:33:04
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 07:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 17:05:36
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 03:27:49
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 01:37:42
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 00:37:42
VBASE004.VDF : 7.10.4.203 1579008 Bytes 3/5/2010 19:29:03
VBASE005.VDF : 7.10.6.82 2494464 Bytes 4/15/2010 19:38:58
VBASE006.VDF : 7.10.7.218 2294784 Bytes 6/2/2010 19:39:06
VBASE007.VDF : 7.10.7.219 2048 Bytes 6/2/2010 19:39:06
VBASE008.VDF : 7.10.7.220 2048 Bytes 6/2/2010 19:39:07
VBASE009.VDF : 7.10.7.221 2048 Bytes 6/2/2010 19:39:07
VBASE010.VDF : 7.10.7.222 2048 Bytes 6/2/2010 19:39:07
VBASE011.VDF : 7.10.7.223 2048 Bytes 6/2/2010 19:39:07
VBASE012.VDF : 7.10.7.224 2048 Bytes 6/2/2010 19:39:07
VBASE013.VDF : 7.10.7.225 2048 Bytes 6/2/2010 19:39:08
VBASE014.VDF : 7.10.7.226 2048 Bytes 6/2/2010 19:39:08
VBASE015.VDF : 7.10.7.227 2048 Bytes 6/2/2010 19:39:08
VBASE016.VDF : 7.10.7.228 2048 Bytes 6/2/2010 19:39:08
VBASE017.VDF : 7.10.7.229 2048 Bytes 6/2/2010 19:39:09
VBASE018.VDF : 7.10.7.230 2048 Bytes 6/2/2010 19:39:09
VBASE019.VDF : 7.10.7.231 2048 Bytes 6/2/2010 19:39:09
VBASE020.VDF : 7.10.7.232 2048 Bytes 6/2/2010 19:39:09
VBASE021.VDF : 7.10.7.233 2048 Bytes 6/2/2010 19:39:09
VBASE022.VDF : 7.10.7.234 2048 Bytes 6/2/2010 19:39:10
VBASE023.VDF : 7.10.7.235 2048 Bytes 6/2/2010 19:39:10
VBASE024.VDF : 7.10.7.236 2048 Bytes 6/2/2010 19:39:10
VBASE025.VDF : 7.10.7.237 2048 Bytes 6/2/2010 19:39:10
VBASE026.VDF : 7.10.7.238 2048 Bytes 6/2/2010 19:39:10
VBASE027.VDF : 7.10.7.239 2048 Bytes 6/2/2010 19:39:11
VBASE028.VDF : 7.10.7.240 2048 Bytes 6/2/2010 19:39:11
VBASE029.VDF : 7.10.7.241 2048 Bytes 6/2/2010 19:39:11
VBASE030.VDF : 7.10.7.242 2048 Bytes 6/2/2010 19:39:11
VBASE031.VDF : 7.10.7.251 73728 Bytes 6/4/2010 19:39:12
Engineversion : 8.2.2.6
AEVDF.DLL : 8.1.2.0 106868 Bytes 6/4/2010 19:39:23
AESCRIPT.DLL : 8.1.3.31 1352058 Bytes 6/4/2010 19:39:23
AESCN.DLL : 8.1.6.1 127347 Bytes 6/4/2010 19:39:21
AESBX.DLL : 8.1.3.1 254324 Bytes 6/4/2010 19:39:24
AERDL.DLL : 8.1.4.6 541043 Bytes 6/4/2010 19:39:21
AEPACK.DLL : 8.2.1.1 426358 Bytes 3/19/2010 20:34:51
AEOFFICE.DLL : 8.1.1.0 201081 Bytes 6/4/2010 19:39:20
AEHEUR.DLL : 8.1.1.33 2724214 Bytes 6/4/2010 19:39:19
AEHELP.DLL : 8.1.11.5 242038 Bytes 6/4/2010 19:39:15
AEGEN.DLL : 8.1.3.10 377205 Bytes 6/4/2010 19:39:15
AEEMU.DLL : 8.1.2.0 393588 Bytes 6/4/2010 19:39:14
AECORE.DLL : 8.1.15.3 192886 Bytes 6/4/2010 19:39:14
AEBB.DLL : 8.1.1.0 53618 Bytes 6/4/2010 19:39:13
AVWINLL.DLL : 10.0.0.0 19304 Bytes 1/14/2010 20:03:38
AVPREF.DLL : 10.0.0.0 44904 Bytes 1/14/2010 20:03:35
AVREP.DLL : 10.0.0.8 62209 Bytes 2/19/2010 00:47:40
AVREG.DLL : 10.0.3.0 53096 Bytes 4/1/2010 20:35:46
AVSCPLR.DLL : 10.0.3.0 83816 Bytes 4/1/2010 20:39:51
AVARKT.DLL : 10.0.0.14 227176 Bytes 4/1/2010 20:22:13
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 1/26/2010 17:53:30
SQLITE3.DLL : 3.6.19.0 355688 Bytes 1/28/2010 20:57:58
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/16/2010 23:38:56
NETNT.DLL : 10.0.0.0 11624 Bytes 2/19/2010 22:41:00
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 1/28/2010 21:10:20
RCTEXT.DLL : 10.0.53.0 97128 Bytes 4/9/2010 22:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, E:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, June 04, 2010 12:42

Starting search for hidden objects.
c:\windows\explorer.exe
c:\WINDOWS\explorer.exe
[NOTE] The process is not visible.
c:\windows\explorer.exe

The scan of running processes will be started
Scan process 'rsmsink.exe' - '33' Module(s) have been scanned
Scan process 'avscan.exe' - '72' Module(s) have been scanned
Scan process 'avcenter.exe' - '63' Module(s) have been scanned
Scan process 'ctfmon.exe' - '30' Module(s) have been scanned
Scan process 'NOTEPAD.EXE' - '31' Module(s) have been scanned
Scan process 'msdtc.exe' - '45' Module(s) have been scanned
Scan process 'dllhost.exe' - '64' Module(s) have been scanned
Scan process 'dllhost.exe' - '50' Module(s) have been scanned
Scan process 'vssvc.exe' - '53' Module(s) have been scanned
Scan process 'avscan.exe' - '74' Module(s) have been scanned
Scan process 'avcenter.exe' - '42' Module(s) have been scanned
Scan process 'avconfig.exe' - '32' Module(s) have been scanned
Scan process 'avgnt.exe' - '54' Module(s) have been scanned
Scan process 'sched.exe' - '51' Module(s) have been scanned
Scan process 'avshadow.exe' - '31' Module(s) have been scanned
Scan process 'avguard.exe' - '61' Module(s) have been scanned
Scan process 'setup.exe' - '55' Module(s) have been scanned
Scan process 'presetup.exe' - '27' Module(s) have been scanned
Scan process 'avira_antivir_personal_en.exe' - '78' Module(s) have been scanned
Scan process 'explorer.exe' - '122' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '36' Module(s) have been scanned
Scan process 'ZuneBusEnum.exe' - '31' Module(s) have been scanned
Scan process 'alg.exe' - '38' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'RUNDLL32.EXE' - '33' Module(s) have been scanned
Scan process 'spoolsv.exe' - '57' Module(s) have been scanned
Scan process 'svchost.exe' - '174' Module(s) have been scanned
Scan process 'svchost.exe' - '42' Module(s) have been scanned
Scan process 'svchost.exe' - '37' Module(s) have been scanned
Scan process 'svchost.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '44' Module(s) have been scanned
Scan process 'svchost.exe' - '57' Module(s) have been scanned
Scan process 'lsass.exe' - '63' Module(s) have been scanned
Scan process 'services.exe' - '42' Module(s) have been scanned
Scan process 'winlogon.exe' - '75' Module(s) have been scanned
Scan process 'csrss.exe' - '12' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1693' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\Jay\Local Settings\Application Data\rbkuordvc\veipciitssd.exe
[DETECTION] Is the TR/FraudPack.axdi Trojan
C:\Old-30GB\Owner\Local Settings\Temp\alchem.inf
[DETECTION] Is the TR/Dldr.Alchemic.B Trojan
C:\Old-30GB\Owner\Local Settings\Temp\MiniBug.exe
[DETECTION] Contains recognition pattern of the ADSPY/SuspectModule.I adware or spyware
C:\Old-30GB\Owner\Local Settings\Temp\THI5DF5.tmp\WSEbate1.exe
[DETECTION] Contains recognition pattern of the DR/HelpExpress.A.12 dropper
C:\Old-30GB\Program Files\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll
[DETECTION] Contains recognition pattern of the ADSPY/SaveNow.CG adware or spyware
C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir
[DETECTION] Is the TR/Agent.274944.C Trojan
C:\QooBox\Quarantine\C\WINDOWS\system32\perfs.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\QooBox\Quarantine\C\WINDOWS\system32\wserving.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\WINDOWS\system32\asck.exe
[DETECTION] Is the TR/Agent.274944.C Trojan
C:\WINDOWS\system32\nftscpd.sys
[DETECTION] Is the TR/Delf.dbc.3 Trojan
C:\WINDOWS\system32\ntscpd.sys
[DETECTION] Is the TR/Delf.daj Trojan
C:\WINDOWS\system32\swand.sys
[DETECTION] Is the TR/Agent.274944.C Trojan
C:\WINDOWS\system32\xfst.sys
[DETECTION] Is the TR/VB.Downloader.Gen Trojan
Begin scan in 'D:\' <New Volume>
Begin scan in 'E:\' <DRV2_VOL1>

Beginning disinfection:
C:\WINDOWS\system32\xfst.sys
[DETECTION] Is the TR/VB.Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4f5dcde3.qua'.
C:\WINDOWS\system32\swand.sys
[DETECTION] Is the TR/Agent.274944.C Trojan
[NOTE] The file was moved to the quarantine directory under the name '57dce2b5.qua'.
C:\WINDOWS\system32\ntscpd.sys
[DETECTION] Is the TR/Delf.daj Trojan
[NOTE] The file was moved to the quarantine directory under the name '0595b85a.qua'.
C:\WINDOWS\system32\nftscpd.sys
[DETECTION] Is the TR/Delf.dbc.3 Trojan
[NOTE] The file was moved to the quarantine directory under the name '63a3f76e.qua'.
C:\WINDOWS\system32\asck.exe
[DETECTION] Is the TR/Agent.274944.C Trojan
[NOTE] The file was moved to the quarantine directory under the name '2636daa5.qua'.
C:\QooBox\Quarantine\C\WINDOWS\system32\wserving.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '592fe8c4.qua'.
C:\QooBox\Quarantine\C\WINDOWS\system32\routing.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '1587c472.qua'.
C:\QooBox\Quarantine\C\WINDOWS\system32\perfs.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '699a842c.qua'.
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir
[DETECTION] Is the TR/Agent.274944.C Trojan
[NOTE] The file was moved to the quarantine directory under the name '44d6ab6e.qua'.
C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5da190fc.qua'.
C:\Old-30GB\Program Files\Mozilla Firefox\extensions\{BEE3E87E-E1C6-4bfe-BE9D-48E84271AB34}\components\whenu_ff.dll
[DETECTION] Contains recognition pattern of the ADSPY/SaveNow.CG adware or spyware
[NOTE] The file was moved to the quarantine directory under the name '31e1bccf.qua'.
C:\Old-30GB\Owner\Local Settings\Temp\THI5DF5.tmp\WSEbate1.exe
[DETECTION] Contains recognition pattern of the DR/HelpExpress.A.12 dropper
[NOTE] The file was moved to the quarantine directory under the name '4078854f.qua'.
C:\Old-30GB\Owner\Local Settings\Temp\MiniBug.exe
[DETECTION] Contains recognition pattern of the ADSPY/SuspectModule.I adware or spyware
[NOTE] The file was moved to the quarantine directory under the name '4e5bb592.qua'.
C:\Old-30GB\Owner\Local Settings\Temp\alchem.inf
[DETECTION] Is the TR/Dldr.Alchemic.B Trojan
[NOTE] The file was moved to the quarantine directory under the name '0b69ccd3.qua'.
C:\Documents and Settings\Jay\Local Settings\Application Data\rbkuordvc\veipciitssd.exe
[DETECTION] Is the TR/FraudPack.axdi Trojan
[NOTE] The file was moved to the quarantine directory under the name '027cc877.qua'.


End of the scan: Friday, June 04, 2010 13:58
Used time: 1:12:55 Hour(s)

The scan has been done completely.

16813 Scanned directories
678295 Files were scanned
15 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
15 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
678280 Files not concerned
2863 Archives were scanned
0 Warnings
15 Notes
522615 Objects were scanned with rootkit scan
2 Hidden objects were found

-------------

ATRAPS was something that I'd previously quarantined on my computer a few years back using ComboFix.
JFromSeattle
Active Member
 
Posts: 7
Joined: May 27th, 2010, 4:00 am
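
Added example (not from the thread, from Avira, or from either poster): a Python triage of the scan report format above. It pairs each path with its [DETECTION] line, picks up the quarantine name from the later [NOTE] line, and classifies where each hit lives, because the report mixes live files under system32 (including .sys drivers) with copies that ComboFix had already neutralised in its QooBox quarantine and with copies archived inside System Restore points, the kind of path reported in the later replies. The sample report is constructed from the paths above and keeps five of the fifteen hits; the restore-point entry is deliberately left without a [NOTE] line so the code shows how an unhandled hit is surfaced. Function names (classify, parse_report, triage, summary) and the location labels are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the report's own line format. Paths and detection
# names are taken from the report above, plus one restore-point path of the
# kind the later replies mention. The real report listed 15 hits; this keeps 5.
SAMPLE_REPORT = r"""
Begin scan in 'C:\' <Local Disk>
C:\WINDOWS\system32\xfst.sys
[DETECTION] Is the TR/VB.Downloader.Gen Trojan
C:\WINDOWS\system32\asck.exe
[DETECTION] Is the TR/Agent.274944.C Trojan
C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
C:\Old-30GB\Owner\Local Settings\Temp\alchem.inf
[DETECTION] Is the TR/Dldr.Alchemic.B Trojan
C:\System Volume Information\_restore{5DE36FD4-EB32-4B04-B97D-D22D909A2825}\RP89\A0028676.sys
[DETECTION] Is the TR/VB.Downloader.Gen Trojan

Beginning disinfection:
C:\WINDOWS\system32\xfst.sys
[DETECTION] Is the TR/VB.Downloader.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '4f5dcde3.qua'.
C:\WINDOWS\system32\asck.exe
[DETECTION] Is the TR/Agent.274944.C Trojan
[NOTE] The file was moved to the quarantine directory under the name '2636daa5.qua'.
C:\QooBox\Quarantine\C\WINDOWS\system32\afinding.exe.vir
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '5da190fc.qua'.
C:\Old-30GB\Owner\Local Settings\Temp\alchem.inf
[DETECTION] Is the TR/Dldr.Alchemic.B Trojan
[NOTE] The file was moved to the quarantine directory under the name '0b69ccd3.qua'.

End of the scan: Friday, June 04, 2010 13:58
"""

DETECTION_RE = re.compile(r"^\[DETECTION\] (?:Is the|Contains recognition pattern of the) (\S+)")
NOTE_RE = re.compile(r"^\[NOTE\] .*quarantine directory under the name '([^']+)'")
PATH_RE = re.compile(r"^[A-Za-z]:\\")   # a report line that is a file path

# Location labels, most urgent first (live system files before archived copies).
PRIORITY = ["system32-driver", "system32", "other", "user-temp",
            "restore-point-copy", "combofix-quarantine"]

def classify(path):
    """Where the hit lives; labels are this example's own."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"   # .vir copy ComboFix already neutralised
    if "\\system volume information\\_restore{" in p:
        return "restore-point-copy"    # System Restore archive, only reactivated by a restore
    if "\\local settings\\temp\\" in p:
        return "user-temp"
    if "\\windows\\system32\\" in p:
        return "system32-driver" if p.endswith(".sys") else "system32"
    return "other"

def parse_report(text):
    """Return (path -> detection name from the scan phase,
               path -> .qua name from the disinfection phase)."""
    hits, quarantined, current, disinfecting = {}, {}, None, False
    for line in text.splitlines():
        if line.startswith("Beginning disinfection"):
            disinfecting, current = True, None
        elif PATH_RE.match(line):
            current = line.strip()
        elif current and not disinfecting and DETECTION_RE.match(line):
            hits[current] = DETECTION_RE.match(line).group(1)
        elif current and disinfecting and NOTE_RE.match(line):
            quarantined[current] = NOTE_RE.match(line).group(1)
    return hits, quarantined

def triage(text):
    """One row per scan hit, ordered by PRIORITY of its location."""
    hits, quarantined = parse_report(text)
    rows = [{"path": p, "detection": d, "location": classify(p),
             "quarantined_as": quarantined.get(p)} for p, d in hits.items()]
    rows.sort(key=lambda r: PRIORITY.index(r["location"]))
    return rows

def summary(rows):
    """Counts to reconcile against the report's own statistics block."""
    return {"found": len(rows),
            "quarantined": sum(1 for r in rows if r["quarantined_as"]),
            "by_location": dict(Counter(r["location"] for r in rows)),
            "by_family": dict(Counter(r["detection"] for r in rows)),
            "unhandled": [r["path"] for r in rows if not r["quarantined_as"]]}

if __name__ == "__main__":
    rows = triage(SAMPLE_REPORT)
    for r in rows:
        print(f"{r['location']:<20} {r['detection']:<22} {r['path']} -> "
              f"{r['quarantined_as'] or 'NOT QUARANTINED'}")
    print(summary(rows))
```

Run as a script it prints the rows, live drivers first. The summary's found and quarantined counts are the two numbers to check against the report's "Viruses and/or unwanted programs were found" and "Files were moved to quarantine" lines; in the real report above both are 15, so nothing was left unhandled. Restore-point copies are kept in their own bucket because, as the reply that follows explains, they are better dealt with by creating a fresh restore point and flushing the old ones than by quarantining them one at a time.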

Post by JFromSeattle » June 4th, 2010, 5:43 pm

A few minutes ago I heard the desktop beep at me and it found TR/VB.Downloader.Gen again in C:\System Volume Information\_restore{5DE36FD4-EB32-4B04-B97D-D22D909A2825}\RP89\A0028676.sys, and I quarantined it again.

Post by askey127 » June 4th, 2010, 6:59 pm

JFromSeattle,
Understand that ALL OF THIS is because you didn't have a proper good Antivirus program installed.
You may have made some browsing mistakes, but the absence of a good AV is a potential disaster.
-----------------------------------------------------------
Please DO NOT remove or quarantine anything else without asking.
What you have done is removed the last useful System Restore file, where the infection was stored, along with your prior system configuration.
We will make a correction here to fix that up.
-----------------------------------------------------------
Reset System Restore Points
  • Click Start > Help and Support
  • Click on ->Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close Help and Support Center.
  • Click Start | Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.
This System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware.
----------------------------------------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on the Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except those in the C:\System Volume Information folder, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt

You are correct that we are making headway.
If you get any more alerts or notices, note down the exact item as you have in the past, and let me know before taking action.
Thanks,
askey127
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by JFromSeattle » June 4th, 2010, 10:42 pm

Reset the restore points after making a fresh one.

-----

The Malwarebytes scan turned up clean.

The only other thing of note to happen was that while I was waiting for further instructions, there was something that popped up in C:\System Volume Information\_restore{5DE36FD4-EB32-4B04-B97D-D22D909A2825}\RP89\A0028678.sys that was identified as TR/Delf.daj, but it was quarantined. Since making the fresh restore point, I haven't had any detections.

Thanks for your help. Is there anything else I should be looking into for the moment? I much prefer the Avira scanner to most others that I've tried, so I'm using it to check up on my laptop now.

Post by askey127 » June 5th, 2010, 6:50 am

JFromSeattle,
-----------------------------------------------------------
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each entry, as follows, one by one, if it exists, and choose Remove:
Adobe Reader 8.1.2
Java(TM) 6 Update 15

Take extra care in answering questions posed by any Uninstaller.
------------------------------------------------------------
Older versions of Java have been vulnerable to malware infections in the past. It is important to install the newest version and make sure all older ones have been removed.
Download the latest version of Java Runtime Environment from here : http://java.sun.com/javase/downloads/index.jsp, and install it to your computer.
In the first section on the page, labeled JDK 6 Update 20 (JDK or JRE), click on the button labeled Download JRE. Do NOT choose the button labeled "Download JDK".
Select the Platform Windows and check the box to agree to the license.
Choose the Windows Offline installation version and click on the link.
Download it, choose Save, and save it to your desktop.
Then doubleclick it on your desktop, and it will install the newest version of Java for you to use.
You can then remove the Installer from your desktop.
--------------------------------------------------------
You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.3 are vulnerable.
  • Go HERE and click on AdbeRdr930_en_US.exe to download the latest version of Adobe Acrobat Reader.
  • Save this file to your desktop and run it to install the latest version of Adobe Reader.

-----------------------------------------------------------
Install WinPatrol - Download and Install the Free WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system.

You should update and scan with Malwarebytes Antimalware every week or so. I would keep TFC for occasional use whenever temporary files need cleaning out. Avira should be set to update itself.
You should go to Control Panel, Security Center, and make sure that Automatic Updates are turned ON, with Firewall and Antivirus showing ON as well.
You should be good to go.
askey127
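
Added example (not from the thread, from askey127, or from either vendor): a Python check that applies the two thresholds the reply above gives, Adobe Reader below 9.3 and any Java older than 6 Update 20, to an Add/Remove Programs listing. The listing is constructed; on a real XP machine the same strings are the DisplayName values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. The thresholds are the June 2010 values from the reply, not current ones, and the function names (reader_version, java_version, audit) are this example's own. Versions are compared as integer tuples so that "8.1.2" sorts below "9.3" and "10.0" above it, which a plain string comparison gets wrong.

```python
import re

# Thresholds exactly as the reply above states them (June 2010 values, so
# an example input rather than today's safe versions).
MIN_READER = (9, 3)
MIN_JAVA = (6, 20)   # Java 6 Update 20

# Constructed Add/Remove Programs display names: the two named in the reply
# plus the kind of entries that accumulate on a rarely used machine.
INSTALLED = [
    "Adobe Reader 8.1.2",
    "Java(TM) 6 Update 15",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java(TM) 6 Update 20",
    "Mozilla Firefox (3.6.3)",
    "WinPatrol",
]

READER_RE = re.compile(r"^Adobe Reader (\d+)(?:\.(\d+))?(?:\.(\d+))?")
JAVA_RE = re.compile(r"^(?:Java\(TM\)|J2SE Runtime Environment) (\d+)(?:\.\d+)?(?: Update (\d+))?")

def reader_version(name):
    """'Adobe Reader 8.1.2' -> (8, 1, 2); None if not a Reader entry."""
    m = READER_RE.match(name)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def java_version(name):
    """'Java(TM) 6 Update 15' -> (6, 15); 'J2SE ... 5.0 Update 6' -> (5, 6)."""
    m = JAVA_RE.match(name)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def audit(installed):
    """Split Reader/Java entries into 'remove' (below threshold) and 'keep'.
    'missing' names a product with no acceptable entry left once the old
    ones are gone, i.e. one that still needs a fresh install."""
    remove, keep = [], []
    for name in installed:
        rv, jv = reader_version(name), java_version(name)
        if rv is not None:
            (keep if rv[:2] >= MIN_READER else remove).append(name)
        elif jv is not None:
            # Every older Java entry is flagged, not just the oldest: the
            # reply asks for all older versions to be removed.
            (keep if jv >= MIN_JAVA else remove).append(name)
    missing = [product for product, ok in (
        ("Adobe Reader", any(reader_version(n) for n in keep)),
        ("Java", any(java_version(n) for n in keep))) if not ok]
    return {"remove": remove, "keep": keep, "missing": missing}

if __name__ == "__main__":
    for key, names in audit(INSTALLED).items():
        print(f"{key}: {names}")
```

On the constructed listing the check flags Reader 8.1.2 and both older Java entries for removal, keeps Java 6 Update 20, and reports Adobe Reader as missing, which matches the order of the reply: uninstall the old versions first, then install the current Reader.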

Post by JFromSeattle » June 6th, 2010, 3:59 pm

Yeah, I was figuring I probably ought to go around and update some of those things. Such is the peril of having a machine you only use on a regular basis once every four months.

Okay, everything appears to be set up and good to go. Thanks a lot, I had no idea that there would be multiple things in there that I was combating. If I had tried to do it myself, I probably would have missed a few of the entries on there. I'll try to keep a better antivirus running from now on.

Post by askey127 » June 6th, 2010, 4:36 pm

This topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.