Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Sucked in by Red Cross Antivirus

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Sucked in by Red Cross Antivirus

Unread postby Rob11 » September 2nd, 2010, 10:09 pm

Hi, I recently got sucked in by a fake MSE screen that directed me to a tool called Red Cross Antivirus, which I sucked in like a worm on a hook. I removed the virus with Malwarebytes but my computer has been running slow ever since. I should mention that I didn't have MSE on this computer at the time, but thought the pop up was genuine because I have it (MSE) on my other computer. Here are my logs:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:06:02 PM, on 9/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\wirelesscm.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\wirelesscm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5207816937
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe (file missing)
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\jswpsapi.exe

--
End of file - 4620 bytes


Adobe Acrobat 5.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
AOL Instant Messenger (SM)
BitPim 1.0.7.20090303
Conexant AC-Link Audio
Critical Update for Windows Media Player 11 (KB959772)
DWA-642
FMS
Google Earth
Google Update Helper
HiJackThis
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ICQ
Intel(R) Extreme Graphics 2 Driver
Malwarebytes' Anti-Malware
Microsoft Antimalware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Security Essentials
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works 7.0
Mozilla Firefox (3.5.10)
Netscape 6 (6.2.1)
Netscape ISP Dialer
Parallel Port Joystick
PeerGuardian 2.0
PowerDVD
RealPlayer Basic
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
SoftK56 Data Fax
Synaptics Pointing Device Driver
Uniblue RegistryBooster 2
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Winamp (remove only)
Windows Backup Utility
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Messenger
Rob11
Regular Member
 
Posts: 18
Joined: September 2nd, 2010, 9:53 pm
Advertisement
Register to Remove

Re: Sucked in by Red Cross Antivirus

Unread postby Cypher » September 4th, 2010, 7:50 am

Hi and welcome to Malware Removal Forum.
My name is Cypher, and I will be helping you with your malware problems.
If you no longer require help i would be grateful if you would let me know.

Before we start please note the following important guidelines.
  • The instructions being given are for YOUR computer and system only!.
    Using these instructions on a different computer, can damage that computer and possibly make it inoperable!
  • If you don't know or understand something, please don't hesitate to ask.
  • Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
  • Only reply to this thread do not start another, Please continue responding until I give you the "All Clean"
    Absence of symptoms does not mean that everything is clear.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • Please DO NOT install any other software (or hardware) during the cleaning process.
  • Print each set of instructions... if possible...your Internet connection will not be available during some fix processes.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.
Read Backup Made Easy
I removed the virus with Malwarebytes but my computer has been running slow ever since.

Post the log from this MBAM scan please, launch MBAM and click on logs, they are time dated.

Next.

  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.

Next.

RSIT (Random's System Information Tool)

Please download RSIT by random/random... and save it to your desktop.
  • Double click on RSIT.exe to run it.
  • Please read the disclaimer... click on Continue.
  • RSIT will start running. When done... 2 logs files...will be produced.
  • The first one, "log.txt", << will be maximized
  • The second one, "info.txt", << will be minimized.
Please post both... "log.txt" and "info.txt", file contents in your next reply.
(These logs can be lengthy, so post 1 log per reply please.)



Logs/Information to Post in your Next Reply

  • Malwarebytes log.
  • MGADiag log.
  • RSIT log.txt and info.txt contents.
  • Please give me an update on your computers performance.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Sucked in by Red Cross Antivirus

Unread postby Rob11 » September 4th, 2010, 7:35 pm

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-J8BM6-MXPH6-3R2BW
Windows Product Key Hash: YMRVitCEjlJfwDQfjDvm97FbWA4=
Windows Product ID: 55277-OEM-2111907-00103
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.3.0.hom
ID: {DC959216-8A96-4DBF-A5A8-4C4B7FA525B6}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.7.69.2
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Professional Edition 2003 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{DC959216-8A96-4DBF-A5A8-4C4B7FA525B6}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010300.3.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3R2BW</PKey><PID>55277-OEM-2111907-00103</PID><PIDType>2</PIDType><SID>S-1-5-21-3246775384-3244968110-629098632</SID><SYSTEM><Manufacturer>EMACHINES </Manufacturer><Model>M2100 Series </Model></SYSTEM><BIOS><Manufacturer>AMI </Manufacturer><Version>NOTE BIOS Version /a6600F03 </Version><SMBIOSVersion major="2" minor="3"/><Date>20040218000000.000000+000</Date><SLPBIOS>EMACHINES</SLPBIOS></BIOS><HWID>0E853C07018400D2</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Central Standard Time(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>eMachines</name><model>M2105</model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90110409-6000-11D3-8CFE-0150048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office Professional Edition 2003</Name><Ver>11</Ver><Val>8B7E905C1EC2D00</Val><Hash>Ib1/+qtRsJptPhtJUyyPrB345Y8=</Hash><Pid>73931-640-0862982-57981</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="11" Result="100"/><App Id="16" Version="11" Result="100"/><App Id="18" Version="11" Result="100"/><App Id="19" Version="11" Result="100"/><App Id="1A" Version="11" Result="100"/><App Id="1B" Version="11" Result="100"/><App Id="44" Version="11" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 17B95:emachines inc|17B95:Gateway, Inc|16DC2:GENUINE C&C INC|F834:HITACHI, Ltd|F834:HITACHI, Ltd|F834:HITACHI, Ltd
Marker string from OEMBIOS.DAT: EMACHINES

OEM Activation 2.0 Data-->
N/A
Rob11
Regular Member
 
Posts: 18
Joined: September 2nd, 2010, 9:53 pm

Re: Sucked in by Red Cross Antivirus

Unread postby Rob11 » September 4th, 2010, 7:37 pm

Logfile of random's system information tool 1.08 (written by random/random)
Run by Bob at 2010-09-04 18:28:05
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 28 GB (75%) free of 38 GB
Total RAM: 479 MB (29% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:28:32 PM, on 9/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\wirelesscm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bob\My Documents\Downloads\RSIT.exe
C:\Program Files\trend micro\Bob.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\wirelesscm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5207816937
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\jswpsapi.exe

--
End of file - 4936 bytes
Rob11
Regular Member
 
Posts: 18
Joined: September 2nd, 2010, 9:53 pm

Re: Sucked in by Red Cross Antivirus

Unread postby Rob11 » September 4th, 2010, 7:38 pm

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-09-03 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-09-03 79648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2003-10-30 98304]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2003-10-30 499712]
"MSSE"=c:\Program Files\Microsoft Security Essentials\msseces.exe [2010-06-01 1093208]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverUpdaterPro]
C:\Program Files\iXi Tools\Driver Updater Pro\DriverUpdaterPro.exe -t []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2007-03-01 4670968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\wirelesscm.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-07-10 319488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-09-04 18:28:06 ----D---- C:\Program Files\trend micro
2010-09-04 18:28:05 ----D---- C:\rsit
2010-09-04 17:51:32 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2010-09-03 10:14:03 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-09-03 10:13:56 ----D---- C:\Program Files\Common Files\Java
2010-09-03 10:13:13 ----A---- C:\WINDOWS\system32\javaws.exe
2010-09-03 10:13:13 ----A---- C:\WINDOWS\system32\javaw.exe
2010-09-03 10:13:13 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-09-03 10:13:12 ----A---- C:\WINDOWS\system32\java.exe
2010-09-03 10:11:30 ----D---- C:\Program Files\Java
2010-09-02 07:48:51 ----A---- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-09-02 07:48:44 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2010-09-02 07:48:43 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-09-02 06:24:26 ----N---- C:\WINDOWS\system32\MpSigStub.exe
2010-09-02 06:11:59 ----D---- C:\Documents and Settings\Bob\Application Data\VAP
2010-09-02 06:08:27 ----A---- C:\WINDOWS\system32\muweb.dll
2010-09-02 06:08:26 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2010-09-02 06:08:26 ----A---- C:\WINDOWS\system32\mucltui.dll
2010-09-02 06:08:20 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2010-09-02 06:07:37 ----D---- C:\Program Files\Microsoft Security Essentials

======List of files/folders modified in the last 1 months======

2010-09-04 18:28:06 ----RD---- C:\Program Files
2010-09-04 18:26:29 ----SD---- C:\WINDOWS\Tasks
2010-09-04 18:25:00 ----D---- C:\Program Files\Mozilla Firefox
2010-09-04 18:24:06 ----HD---- C:\WINDOWS\inf
2010-09-04 18:24:04 ----D---- C:\WINDOWS\system32\CatRoot2
2010-09-04 18:21:55 ----D---- C:\WINDOWS\temp
2010-09-04 17:40:23 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-09-03 10:14:02 ----SHD---- C:\WINDOWS\Installer
2010-09-03 10:13:56 ----D---- C:\Program Files\Common Files
2010-09-03 10:13:13 ----AD---- C:\WINDOWS\system32
2010-09-02 08:39:15 ----D---- C:\WINDOWS\system32\drivers
2010-09-02 08:28:04 ----D---- C:\WINDOWS\pss
2010-09-02 06:47:22 ----D---- C:\WINDOWS
2010-09-02 06:43:42 ----D---- C:\Documents and Settings\Bob\Application Data\uTorrent
2010-09-02 06:43:25 ----D---- C:\WINDOWS\Prefetch
2010-09-02 06:38:08 ----D---- C:\WINDOWS\occache
2010-09-02 06:21:24 ----SD---- C:\Documents and Settings\Bob\Application Data\Microsoft
2010-09-02 06:12:01 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-09-02 06:10:02 ----D---- C:\Program Files\PeerGuardian2
2010-09-02 06:08:23 ----D---- C:\WINDOWS\Help
2010-09-02 06:08:04 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-09-02 06:07:19 ----D---- C:\WINDOWS\WinSxS

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 ohci1394;Texas Instruments OHCI Compliant IEEE 1394 Host Controller; C:\WINDOWS\System32\DRIVERS\ohci1394.sys [2008-04-13 61696]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 MpFilter;Microsoft Malware Protection Driver; C:\WINDOWS\system32\DRIVERS\MpFilter.sys [2010-03-25 151216]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2004-02-11 8552]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2002-12-11 11044]
R2 StreamDispatcher;StreamDispatcher; C:\WINDOWS\System32\DRIVERS\strmdisp.sys [2003-05-01 30592]
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-08-04 120094]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-08-04 96858]
R3 AR5416;%ATHER.Service.DispName%; C:\WINDOWS\System32\DRIVERS\athw.sys [2008-01-17 1331136]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-06-30 43136]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2003-09-26 291712]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2003-09-26 272128]
R3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-05-01 1107200]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [2003-05-01 165504]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-08-04 91419]
R3 JSWSCIMD;jswscimd Service; C:\WINDOWS\System32\DRIVERS\jswscimd.sys [2007-08-28 57344]
R3 PPJoyBus;Parallel Port Joystick Bus device driver; C:\WINDOWS\system32\drivers\PPJoyBus.sys [2004-10-24 13952]
R3 PPortJoystick;Parallel Port Joystick device driver; C:\WINDOWS\system32\drivers\PPortJoy.sys [2004-10-24 28800]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2003-10-30 178432]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-05-01 622848]
R3 WSIMD;wsimd Service; C:\WINDOWS\System32\DRIVERS\wsimd.sys [2007-12-13 57408]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-03-31 12160]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACS;Atheros Configuration Service; C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe [2007-12-13 467028]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-09-03 153376]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2010-03-25 17904]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-08-02 133104]
S3 jswpsapi;Jumpstart Wifi Protected Setup; C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\jswpsapi.exe [2008-04-16 356434]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------
Rob11
Regular Member
 
Posts: 18
Joined: September 2nd, 2010, 9:53 pm

Re: Sucked in by Red Cross Antivirus

Unread postby Rob11 » September 4th, 2010, 8:23 pm

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4529

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/4/2010 7:21:07 PM
mbam-log-2010-09-04 (19-21-07).txt

Scan type: Quick scan
Objects scanned: 156464
Time elapsed: 41 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Rob11
Regular Member
 
Posts: 18
Joined: September 2nd, 2010, 9:53 pm

Re: Sucked in by Red Cross Antivirus

Unread postby Rob11 » September 4th, 2010, 8:32 pm

Performance is better. It had been bogging down quite a bit to the point where it was barely usable, but doesn't seem to be as bad, but drop down menus still are hanging up from time to time. CPU usage is at 100%. This computer is running Windows XP SP3.
Rob11
Regular Member
 
Posts: 18
Joined: September 2nd, 2010, 9:53 pm

Re: Sucked in by Red Cross Antivirus

Unread postby Cypher » September 5th, 2010, 5:54 am

Hi Rob11.
The Malwarebytes' Anti-Malware log you posted is a recent one i need to see the log where Red Cross Antivirus was removed.
Post that log in you're next reply.
Performance is better. It had been bogging down quite a bit to the point where it was barely usable

Random Access Memory Advice:
Total RAM: 479 MB
Though Microsoft claims XP will run with a 512 MB of system memory installed in my opinion a minimum of 2 GB is far better, this is part of you're problem.

If you wish to upgrade the installed memory in your system, Crucial have a small scanner (CrucialScan.exe) which is perfectly safe to download and run in Admin' mode.. Which will advise if your system can support any upgraded memory modules. They cater for the US/UK and Europe.



Back Up registry with ERUNT

  • Please use the following link and download ERUNT to your desktop. HERE
  • Click on the erunt-setup.exe
  • Follow the prompts to install ERUNT
  • Choose language
  • A set up window will pop up. It will ask: Create ERUNT entry in to the Start up folder, answer NO

    Image
  • Backup your registry to the default location

Note: To restore your registry (if needed), go to the folder and start ERDNT.exe

Next.

Download and run OTM

Download OTM.exe by Old Timer and save it to your Desktop.
  • Double-click OTM.exe to run it.
  • Right-click then copy the following code, Do not include the word Code.
    Code: Select all
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverUpdaterPro]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    
    :Files
    C:\Documents and Settings\Bob\Application Data\VAP
    C:\Documents and Settings\Bob\Application Data\uTorrent
    
    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]
    

    • Return to OTM, right-click then paste the code into the blank box below Image
    • Next click on the large Image button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next.

RSIT (Random's System Information Tool)

  • Ensure rsit.exe is on your desktop
  • Click the Windows Start then Run
  • Copy/paste the following into the run box & click OK, Do not include the word Quote:
  • "%userprofile%\desktop\rsit.exe" /info
  • Click Continue at the disclaimer screen
  • Once it has finished, two logs will open, log.txt <<will be maximized and info.txt <<will be minimized
  • Copy & paste the contents of both logs in your next reply


Logs/Information to Post in your Next Reply

  • Malwarebytes log.
  • OTM log.
  • RSIT log.txt and info.txt contents.
  • Please give me an update on your computers performance.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Sucked in by Red Cross Antivirus

Unread postby Rob11 » September 5th, 2010, 9:25 am

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4529

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/2/2010 8:27:45 AM
mbam-log-2010-09-02 (08-27-45).txt

Scan type: Quick scan
Objects scanned: 156155
Time elapsed: 33 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Bob\Application Data\antispy1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob\Application Data\tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob\My Documents\downloads\freemovie.exe (Rogue.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\OXQZW9AN\setup_rca[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Rob11
Regular Member
 
Posts: 18
Joined: September 2nd, 2010, 9:53 pm

Re: Sucked in by Red Cross Antivirus

Unread postby Rob11 » September 5th, 2010, 10:39 am

All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriverUpdaterPro\ not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS\ not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched\ not found.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager\ not found.
========== FILES ==========
File/Folder C:\Documents and Settings\Bob\Application Data\VAP not found.
File/Folder C:\Documents and Settings\Bob\Application Data\uTorrent not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Bob
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 578116968 bytes
->Java cache emptied: 19810974 bytes
->FireFox cache emptied: 37627616 bytes
->Flash cache emptied: 46857 bytes

User: Bob 1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32768 bytes
->Flash cache emptied: 41 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 58244 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 39097 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 82212406 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33728 bytes
RecycleBin emptied: 261823118 bytes

Total Files Cleaned = 935.00 mb


OTM by OldTimer - Version 3.1.15.0 log created on 09052010_092056

Files moved on Reboot...
File C:\WINDOWS\temp\TMP00000003D12CB3D929A05760 not found!

Registry entries deleted on Reboot...
Rob11
Regular Member
 
Posts: 18
Joined: September 2nd, 2010, 9:53 pm

Re: Sucked in by Red Cross Antivirus

Unread postby Rob11 » September 5th, 2010, 10:51 am

hijack this logs:

Logfile of random's system information tool 1.08 (written by random/random)
Run by Bob at 2010-09-05 09:49:23
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 29 GB (77%) free of 38 GB
Total RAM: 479 MB (44% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:49:48 AM, on 9/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\wirelesscm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bob\desktop\rsit.exe
C:\Program Files\trend micro\Bob.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Wireless Connection Manager.lnk = C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\wirelesscm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5207816937
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\jswpsapi.exe

--
End of file - 4978 bytes
Rob11
Regular Member
 
Posts: 18
Joined: September 2nd, 2010, 9:53 pm

Re: Sucked in by Red Cross Antivirus

Unread postby Rob11 » September 5th, 2010, 10:52 am

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-09-03 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-09-03 79648]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2003-10-30 98304]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2003-10-30 499712]
"MSSE"=c:\Program Files\Microsoft Security Essentials\msseces.exe [2010-06-01 1093208]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Wireless Connection Manager.lnk - C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\wirelesscm.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2003-07-10 319488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-09-05 09:06:42 ----D---- C:\_OTM
2010-09-05 08:59:06 ----D---- C:\WINDOWS\ERDNT
2010-09-05 08:58:08 ----D---- C:\Program Files\ERUNT
2010-09-04 18:28:06 ----D---- C:\Program Files\trend micro
2010-09-04 18:28:05 ----D---- C:\rsit
2010-09-04 17:51:32 ----D---- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2010-09-03 10:14:03 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-09-03 10:13:56 ----D---- C:\Program Files\Common Files\Java
2010-09-03 10:13:13 ----A---- C:\WINDOWS\system32\javaws.exe
2010-09-03 10:13:13 ----A---- C:\WINDOWS\system32\javaw.exe
2010-09-03 10:13:13 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-09-03 10:13:12 ----A---- C:\WINDOWS\system32\java.exe
2010-09-03 10:11:30 ----D---- C:\Program Files\Java
2010-09-02 07:48:51 ----A---- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-09-02 07:48:44 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2010-09-02 07:48:43 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-09-02 06:24:26 ----N---- C:\WINDOWS\system32\MpSigStub.exe
2010-09-02 06:08:27 ----A---- C:\WINDOWS\system32\muweb.dll
2010-09-02 06:08:26 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2010-09-02 06:08:26 ----A---- C:\WINDOWS\system32\mucltui.dll
2010-09-02 06:08:20 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2010-09-02 06:07:37 ----D---- C:\Program Files\Microsoft Security Essentials

======List of files/folders modified in the last 1 months======

2010-09-05 09:49:18 ----D---- C:\WINDOWS\Prefetch
2010-09-05 09:45:50 ----D---- C:\WINDOWS\system32\CatRoot2
2010-09-05 09:34:53 ----SD---- C:\WINDOWS\Tasks
2010-09-05 09:32:58 ----D---- C:\Program Files\Mozilla Firefox
2010-09-05 09:30:28 ----D---- C:\WINDOWS\temp
2010-09-05 09:28:12 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-09-05 09:26:22 ----D---- C:\WINDOWS
2010-09-05 09:26:22 ----AD---- C:\WINDOWS\system32
2010-09-05 09:11:03 ----HD---- C:\WINDOWS\inf
2010-09-05 09:08:26 ----HD---- C:\WINDOWS\$hf_mig$
2010-09-05 08:58:08 ----RD---- C:\Program Files
2010-09-05 08:53:07 ----D---- C:\WINDOWS\system32\CatRoot
2010-09-03 10:14:02 ----SHD---- C:\WINDOWS\Installer
2010-09-03 10:13:56 ----D---- C:\Program Files\Common Files
2010-09-02 08:39:15 ----D---- C:\WINDOWS\system32\drivers
2010-09-02 08:28:37 ----D---- C:\WINDOWS\pss
2010-09-02 06:38:08 ----D---- C:\WINDOWS\occache
2010-09-02 06:21:24 ----SD---- C:\Documents and Settings\Bob\Application Data\Microsoft
2010-09-02 06:12:01 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-09-02 06:10:02 ----D---- C:\Program Files\PeerGuardian2
2010-09-02 06:08:23 ----D---- C:\WINDOWS\Help
2010-09-02 06:08:04 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-09-02 06:07:19 ----D---- C:\WINDOWS\WinSxS

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 ohci1394;Texas Instruments OHCI Compliant IEEE 1394 Host Controller; C:\WINDOWS\System32\DRIVERS\ohci1394.sys [2008-04-13 61696]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 MpFilter;Microsoft Malware Protection Driver; C:\WINDOWS\system32\DRIVERS\MpFilter.sys [2010-03-25 151216]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2004-02-11 8552]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2002-12-11 11044]
R2 StreamDispatcher;StreamDispatcher; C:\WINDOWS\System32\DRIVERS\strmdisp.sys [2003-05-01 30592]
R3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-08-04 120094]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-08-04 96858]
R3 AR5416;%ATHER.Service.DispName%; C:\WINDOWS\System32\DRIVERS\athw.sys [2008-01-17 1331136]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-06-30 43136]
R3 CAMCAUD;Conexant AMC Audio; C:\WINDOWS\system32\drivers\camcaud.sys [2003-09-26 291712]
R3 CAMCHALA;CAMCHALA; C:\WINDOWS\system32\drivers\camchal.sys [2003-09-26 272128]
R3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-05-01 1107200]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [2003-05-01 165504]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-08-04 91419]
R3 JSWSCIMD;jswscimd Service; C:\WINDOWS\System32\DRIVERS\jswscimd.sys [2007-08-28 57344]
R3 PPJoyBus;Parallel Port Joystick Bus device driver; C:\WINDOWS\system32\drivers\PPJoyBus.sys [2004-10-24 13952]
R3 PPortJoystick;Parallel Port Joystick device driver; C:\WINDOWS\system32\drivers\PPortJoy.sys [2004-10-24 28800]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2003-10-30 178432]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-05-01 622848]
R3 WSIMD;wsimd Service; C:\WINDOWS\System32\DRIVERS\wsimd.sys [2007-12-13 57408]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2003-03-31 12160]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ACS;Atheros Configuration Service; C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\acs.exe [2007-12-13 467028]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-09-03 153376]
R2 MsMpSvc;Microsoft Antimalware Service; c:\Program Files\Microsoft Security Essentials\MsMpEng.exe [2010-03-25 17904]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-08-02 133104]
S3 jswpsapi;Jumpstart Wifi Protected Setup; C:\Program Files\D-Link\D-Link RangeBooster N DWA-642\jswpsapi.exe [2008-04-16 356434]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------
Rob11
Regular Member
 
Posts: 18
Joined: September 2nd, 2010, 9:53 pm

Re: Sucked in by Red Cross Antivirus

Unread postby Rob11 » September 5th, 2010, 10:53 am

info.txt logfile of random's system information tool 1.08 2010-09-05 09:49:55

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
AOL Instant Messenger (SM)-->c:\program files\aim\uninstll.exe -LOG= c:\program files\aim\install.log -OEM=
BitPim 1.0.7.20090303-->"C:\Program Files\BitPim\unins000.exe"
Conexant AC-Link Audio-->CIAunwdm.exe
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
DWA-642-->C:\Program Files\InstallShield Installation Information\{6F6F39E3-D24D-4EEE-9AEA-DEDAF991385D}\setup.exe -runfromtemp -l0x0009 -removeonly
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
FMS-->C:\Program Files\FMS\Uninstall.exe
Google Earth-->MsiExec.exe /X{F7B0939E-58DF-11DF-B3A6-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
HiJackThis-->MsiExec.exe /X{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
ICQ-->C:\PROGRA~1\ICQ\ICQUninstall.EXE
Intel(R) Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
Java(TM) 6 Update 21-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216021FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Antimalware-->MsiExec.exe /X{E62A1F01-07B7-4541-A835-EE5B0BF064C2}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Security Essentials-->C:\Program Files\Microsoft Security Essentials\setup.exe /x
Microsoft Security Essentials-->MsiExec.exe /I{EF98A02A-1748-4762-9B7D-5ED1600520D5}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Works 7.0-->MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Mozilla Firefox (3.5.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Netscape 6 (6.2.1)-->C:\WINDOWS\N6Uninst.exe /ua "6.2.1 (en)"
Netscape ISP Dialer-->"C:\Program Files\Netscape ISP Dialer\uninstall.exe"
Parallel Port Joystick-->C:\WINDOWS\unvise32.exe C:\Program Files\Parallel Port Joystick\uninstal.log
PeerGuardian 2.0-->"C:\Program Files\PeerGuardian2\unins000.exe"
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
SoftK56 Data Fax-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_202F161F\HXFSETUP.EXE -U -Iem202f5.inf
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Uniblue RegistryBooster 2-->"C:\Program Files\Uniblue\RegistryBooster 2\unins000.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Backup Utility-->MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Security center information======

AV: Microsoft Security Essentials

======System event log======

Computer Name: YOUR-7M4XLFMC8T
Event Code: 7000
Message: The Java Quick Starter service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 11525
Source Name: Service Control Manager
Time Written: 20100822222528.000000-300
Event Type: error
User:

Computer Name: YOUR-7M4XLFMC8T
Event Code: 1000
Message: Your computer has lost the lease to its IP address 192.10.10.105 on the
Network Card with network address 00179A2C0D33.

Record Number: 11518
Source Name: Dhcp
Time Written: 20100819064820.000000-300
Event Type: error
User:

Computer Name: YOUR-7M4XLFMC8T
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00179A2C0D33. The following
error occurred:
The semaphore timeout period has expired.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 11517
Source Name: Dhcp
Time Written: 20100819064820.000000-300
Event Type: warning
User:

Computer Name: YOUR-7M4XLFMC8T
Event Code: 7000
Message: The Java Quick Starter service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 11492
Source Name: Service Control Manager
Time Written: 20100814083529.000000-300
Event Type: error
User:

Computer Name: YOUR-7M4XLFMC8T
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00179A2C0D33. The following
error occurred:
The operation was canceled by the user.
.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Record Number: 11486
Source Name: Dhcp
Time Written: 20100812060415.000000-300
Event Type: warning
User:

=====Application event log=====

Computer Name: YOUR-7M4XLFMC8T
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 111
Source Name: WinMgmt
Time Written: 20090617211623.000000-300
Event Type: warning
User: YOUR-7M4XLFMC8T\Bob

Computer Name: YOUR-7M4XLFMC8T
Event Code: 63
Message: A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 109
Source Name: WinMgmt
Time Written: 20090617115546.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-7M4XLFMC8T
Event Code: 1002
Message: Hanging application bitpimw.exe, version 0.0.0.4729, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 103
Source Name: Application Hang
Time Written: 20090616232020.000000-300
Event Type: error
User:

Computer Name: YOUR-7M4XLFMC8T
Event Code: 1517
Message: Windows saved user YOUR-7M4XLFMC8T\Bob registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 20
Source Name: Userenv
Time Written: 20090616215353.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: YOUR-7M4XLFMC8T
Event Code: 1015
Message: Failed to connect to server. Error: 0x800401F0

Record Number: 8
Source Name: MsiInstaller
Time Written: 20090616214746.000000-300
Event Type: warning
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------
Rob11
Regular Member
 
Posts: 18
Joined: September 2nd, 2010, 9:53 pm

Re: Sucked in by Red Cross Antivirus

Unread postby Rob11 » September 5th, 2010, 10:55 am

Update on performance:

Seems better but still hangs up when starting programs
Rob11
Regular Member
 
Posts: 18
Joined: September 2nd, 2010, 9:53 pm

Re: Sucked in by Red Cross Antivirus

Unread postby Cypher » September 5th, 2010, 11:40 am

Hi Rob11.

Re-run OTM
  • Double-click OTM.exe to run it.
  • Right-click then copy the following code, Do not include the word Code.
    Code: Select all
    :Files
    C:\WINDOWS\system32\drivers\etc\hosts
    
    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]
    

    • Return to OTM, right-click then paste the code into the blank box below Image
    • Next click on the largeImage button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next.

Download HostsXpert and unzip it to your desktop.
  • Double click on HostsXpert.exe to launch the programme.
  • When prompted with:
    HOSTS file does not exist, press OK to create HOSTS file, Cancel to quit.
  • Select OK.
  • Check to see if top button on left hand side says Make Writable?
    • If it does. click on it then proceed to next instruction.
    • If not, just proceed to next instruction
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition
  • When prompted to confirm, click OK.
  • Click on the Download button (lower left hand side)
    • Click on MVPs Hosts... button.
    • Click on Replace button.
    • Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)
  • When finished.
    • Click on File Handling button.
    • Click on Make Read Only? to secure it against infection.
  • Exit the programme.

Next.

RSIT (Random's System Information Tool)

  • Ensure rsit.exe is on your desktop
  • Click the Windows Start then Run
  • Copy/paste the following into the run box & click OK, Do not include the word Quote:
  • "%userprofile%\desktop\rsit.exe" /info
  • Click Continue at the disclaimer screen
  • Once it has finished, two logs will open, log.txt <<will be maximized and info.txt <<will be minimized
  • Copy & paste the contents of both logs in your next reply

Next.

Disable Microsoft Security Essentials

  • Open MSE and go to Settings > Real Time Protection.
  • Then uncheck "Turn on real time protection".
  • Exit MSE when done.
  • Note: Don't forget to Re-enable it after the below scan.

Next.

ESET online scannner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Hold down Control then click on the following link to open a new window to ESET online scannner
  • Then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


Logs/Information to Post in your Next Reply

  • RSIT log.txt and info.txt contents.
  • ESET log.
  • Please give me an update on your computers performance.
User avatar
Cypher
Admin/Teacher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 475 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware