
Author Topic: problem with crappy "Antivir Solution Pro" virus  (Read 6327 times)


haus_kat

  • Guest
problem with crappy "Antivir Solution Pro" virus
« on: August 08, 2010, 12:01:55 AM »
I was surfing a friend's Twitter while watching TV and clicked on a link to a photo they'd posted. I'm not sure what happened, as I wasn't really paying attention, but next I knew my browser (Firefox) had crashed (disappeared completely from the screen) so I went to re-start. While the computer was shutting down there was some message about updating. I thought it was unusual but didn't think anything of it (I assumed maybe I'd accidentally clicked the Microsoft update icon on the taskbar). When the computer came back on there was now the new "antivirus" software informing me my computer was infected.

I can't open "Add/Remove Programs", Microsoft anti-virus software that *was* on the computer (and updated seemingly every hour of every day, for all the good it did), etc (big surprise). It's been a while since I got virused and I can't remember what to do to get rid of infection. I did disconnect from the internet (I'm using another computer, my old one). *sigh* I'm so tired of this sort of waste of time. People that invent viruses should be annihilated. The last time I got a virus I had to spend hours every day for two weeks getting rid of it.


harry 48



    Egghead

  • lay back , relax and chill out
  • Thanked: 129
    • Dribbling Pensioner
  • Certifications: List
  • Experience: Familiar
  • OS: Windows 7
Re: problem with crappy "Antivir Solution Pro" virus
« Reply #1 on: August 08, 2010, 12:32:35 PM »
go here and complete it then post the 3 logs

http://www.computerhope.com/forum/index.php/topic,46313.0.html

haus_kat

  • Guest
Re: problem with crappy "Antivir Solution Pro" virus
« Reply #2 on: August 09, 2010, 05:47:56 PM »
Thanks for helping me :D I've been very stressed lately and getting virused has only added to things.

Okay, I have run several scans of various programs, as was suggested. When some of the stuff seemed to be deleted, I felt it was maybe safe enough to try reconnecting to the internet to download updates to my Malwarebytes programs, then I ran scans again and it found more stuff and deleted it. I posted all the logs.

I had been surfing Twitter and trying to view and download a photo that a friend had posted and got the malware and viruses then, from that yfrog website where the photo was hosted.

[recovering disk space - old attachment deleted by admin]
« Last Edit: August 09, 2010, 06:01:05 PM by haus_kat »

harry 48



Re: problem with crappy "Antivir Solution Pro" virus
« Reply #3 on: August 10, 2010, 07:57:45 AM »
an expert will be along to help you with the logs

in the meantime download and read this http://www.mywot.com/en/download/ie , it will let you know if a web site is safe to go into


SuperDave

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: problem with crappy "Antivir Solution Pro" virus
« Reply #4 on: August 10, 2010, 05:20:15 PM »
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.
==========================================

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

========================================

Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

======================================

Download ComboFix by sUBs from one of the below links. 

Important! You MUST save ComboFix to your desktop

link # 1
Link # 2

Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click on ComboFix.exe & follow the prompts.

Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.
 
Post the contents of that log in your next reply.

Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.
Windows 8 and Windows 10 dual boot with two SSD's

haus_kat

  • Guest
Re: problem with crappy "Antivir Solution Pro" virus
« Reply #5 on: August 16, 2010, 06:14:38 PM »
ComboFix 10-08-16.03 - Mike 08/16/2010  19:50:53.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.502.93 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\csftxctl.ocx
c:\windows\system32\zlibwapi.dll

.
(((((((((((((((((((((((((   Files Created from 2010-07-16 to 2010-08-16  )))))))))))))))))))))))))))))))
.

2010-08-09 21:32 . 2010-08-09 21:31   423656   ----a-w-   c:\windows\system32\deployJava1.dll
2010-08-08 05:45 . 2010-08-09 21:40   --------   d-----w-   c:\documents and settings\Mike\Local Settings\Application Data\mgurgilcv
2010-08-06 03:38 . 2010-08-06 03:38   --------   d-----w-   c:\documents and settings\Mike\Application Data\SanDisk

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 22:40 . 2010-08-09 22:40   503808   ----a-w-   c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-421a23bf-n\msvcp71.dll
2010-08-09 22:40 . 2010-08-09 22:40   499712   ----a-w-   c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-421a23bf-n\jmc.dll
2010-08-09 22:40 . 2010-08-09 22:40   61440   ----a-w-   c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-25238486-n\decora-sse.dll
2010-08-09 22:40 . 2010-08-09 22:40   12800   ----a-w-   c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-25238486-n\decora-d3d.dll
2010-08-09 22:40 . 2010-08-09 22:40   348160   ----a-w-   c:\documents and settings\Mike\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-421a23bf-n\msvcr71.dll
2010-08-09 21:32 . 2006-05-09 10:35   --------   d-----w-   c:\program files\Common Files\Java
2010-08-09 21:31 . 2010-08-09 21:31   0   ----a-w-   c:\windows\system32\REN75.tmp
2010-08-09 21:31 . 2010-08-09 21:31   0   ----a-w-   c:\windows\system32\REN74.tmp
2010-08-09 21:31 . 2010-08-09 21:31   0   ----a-w-   c:\windows\system32\REN73.tmp
2010-08-09 21:29 . 2009-06-17 23:57   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-08-08 07:05 . 2009-06-17 21:23   117760   -c--a-w-   c:\documents and settings\Mike\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-08 06:37 . 2008-03-16 17:16   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-08 06:09 . 2010-08-08 06:09   297728   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{D43E3E5B-09B3-C44F-F7D8-4F82B4FF73E1}-wtwftgxtssd.exe
2010-08-06 20:00 . 2010-08-06 19:53   106942640   ----a-w-   c:\documents and settings\Mike\Application Data\SanDisk\Sansa Updater\Sansa Media Converter.EXE
2010-08-06 03:38 . 2010-08-06 03:38   354744   ----a-w-   c:\documents and settings\Mike\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe
2010-08-06 03:38 . 2010-08-06 03:38   79872   ----a-w-   c:\documents and settings\Mike\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
2010-08-06 03:38 . 2010-08-06 03:38   574344   ----a-w-   c:\documents and settings\Mike\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe
2010-07-11 00:45 . 2009-12-06 08:46   --------   d-----w-   c:\documents and settings\Mike\Application Data\OnlineArmor
2010-07-10 12:37 . 2010-07-10 12:37   --------   d-----w-   c:\program files\Microsoft Security Essentials
2010-06-14 14:30 . 2004-08-04 21:00   743936   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-01 17:37 . 2009-12-06 08:23   221568   ------w-   c:\windows\system32\MpSigStub.exe
2010-05-19 18:13 . 2010-05-19 18:13   55648   ---ha-w-   c:\windows\system32\mlfcache.dat
2009-03-11 19:36 . 2008-03-29 05:23   67688   ----a-w-   c:\program files\mozilla firefox\components\jar50.dll
2009-03-11 19:36 . 2008-03-29 05:23   54368   ----a-w-   c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-11 19:36 . 2008-03-29 05:23   34944   ----a-w-   c:\program files\mozilla firefox\components\myspell.dll
2009-03-11 19:36 . 2008-03-29 05:23   46712   ----a-w-   c:\program files\mozilla firefox\components\spellchk.dll
2009-03-11 19:36 . 2008-03-29 05:23   172136   ----a-w-   c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Mike\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-08-06 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-11-26 6621384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-11-26 923336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Reminder"=c:\windows\CREATOR\Remind_XP.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [12/6/2009 4:46 AM 221264]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [12/6/2009 4:46 AM 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [12/6/2009 4:46 AM 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [12/6/2009 4:45 AM 1282248]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [12/6/2009 4:45 AM 3291336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-12-07 04:18   451872   ----a-w-   c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-08-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.verizon.net/central/appmanager/portal/vzcentral#Scene_1
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\ob5qjy7g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.perezhilton.com.
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 19:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????[??????(?@???????@
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  SansaDispatch = c:\documents and settings\Mike\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?d?i?v?>? ? ?<?/?b?o?d?y?>? ? ?<?/?h?t?m?l?>???G???]?N?D?H?d?x???T?>?<?/?T?A?G?_?E?N?D?_

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-08-16  20:04:43
ComboFix-quarantined-files.txt  2010-08-17 00:04

Pre-Run: 1,521,696,768 bytes free
Post-Run: 1,545,035,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 03ABF1FDB333A4BD880F6A407C4E6C74


[recovering disk space - old attachment deleted by admin]
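As an added example (not code from this thread, nor from HijackThis or ComboFix), the following Python script does by rule what a malware-removal helper does by eye on the HijackThis entries SuperDave put on the fix list in Reply #4 and on the ComboFix log posted in Reply #5. It scans lines in those two formats and flags the indicators that mattered here: a browser proxy pointed at the local machine (the R1 ProxyServer entry, the classic sign that a rogue "antivirus" is sitting between the browser and the web), the Windows firewall switched off ("EnableFirewall"= 0), Security Center monitoring disabled, zero-byte *.tmp files in system32 (the REN7x.tmp files the CFScript later deletes) and random-looking folder names under the profile (mgurgilcv). The sample lines are constructed from entries quoted in the thread; the rule names and the random-name heuristic are assumptions of this example.

```python
"""Added example: rule-based triage of HijackThis and ComboFix log lines.

Not code from the thread or from HijackThis/ComboFix; the rule names and the
random-name heuristic are the example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule identifier
    detail: str  # the value or path that triggered the rule


# Constructed sample: lines in the two formats seen in the thread (HijackThis
# R1/O4 entries, ComboFix "Files Created" rows and REGEDIT4-style values).
# Paths and values are copied from the entries quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6522
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
2010-08-09 21:31 . 2010-08-09 21:31   0   ----a-w-   c:\windows\system32\REN75.tmp
2010-08-09 21:32 . 2010-08-09 21:31   423656   ----a-w-   c:\windows\system32\deployJava1.dll
2010-08-08 05:45 . 2010-08-09 21:40   --------   d-----w-   c:\documents and settings\Mike\Local Settings\Application Data\mgurgilcv
2010-08-06 03:38 . 2010-08-06 03:38   --------   d-----w-   c:\documents and settings\Mike\Application Data\SanDisk
"EnableFirewall"= 0 (0x0)
"DisableMonitoring"=dword:00000001
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# "ProxyServer = http=127.0.0.1:6522" -> host "127.0.0.1", port "6522"
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([^\s:;]+)(?::(\d+))?", re.I)
# ComboFix file row: created . modified   size|--------   attrs   path
COMBOFIX_FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(\S+)\s+(\S+)\s+(.+?)\s*$"
)
FIREWALL_OFF_RE = re.compile(r'"EnableFirewall"\s*=\s*0\b')
MONITORING_OFF_RE = re.compile(r'"DisableMonitoring"\s*=\s*dword:0*1\b')


def looks_random(name: str) -> bool:
    """Rough heuristic for machine-generated folder names such as 'mgurgilcv':
    8+ lowercase letters only, containing a run of 3+ consonants. Vendor folders
    are usually capitalised or contain spaces or digits, so they fall through."""
    if not re.fullmatch(r"[a-z]{8,}", name):
        return False
    return re.search(r"[bcdfghjklmnpqrstvwxyz]{3,}", name) is not None


def triage(text: str) -> list[Finding]:
    """Scan log text line by line and return the indicators found, in log order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m and m.group(1).lower() in LOOPBACK:
            # A browser proxy on the local machine is the classic rogue-AV sign.
            findings.append(Finding("proxy-loopback", f"{m.group(1)}:{m.group(2) or '?'}"))
            continue
        if FIREWALL_OFF_RE.search(line):
            findings.append(Finding("firewall-off", line))
            continue
        if MONITORING_OFF_RE.search(line):
            findings.append(Finding("security-center-monitoring-disabled", line))
            continue
        m = COMBOFIX_FILE_RE.match(line)
        if not m:
            continue
        size, attrs, path = m.groups()
        low = path.lower()
        if size == "0" and low.endswith(".tmp") and "\\system32\\" in low:
            # Empty renamed-file placeholders dropped in system32 (REN7x.tmp).
            findings.append(Finding("zero-byte-tmp-system32", path))
        elif attrs.startswith("d") and "application data" in low and looks_random(path.rsplit("\\", 1)[-1]):
            findings.append(Finding("random-dir-name", path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

The output is a list of leads, not verdicts: a loopback proxy is also what some legitimate local web filters configure, and the Symantec "DisableMonitoring" values in this log may simply be leftovers of an uninstalled product, so each hit still has to be checked against what is actually installed before anything is fixed or deleted.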

haus_kat

  • Guest
Re: problem with crappy "Antivir Solution Pro" virus
« Reply #6 on: August 16, 2010, 06:15:45 PM »
harry: I already have WOT

SuperDave

Re: problem with crappy "Antivir Solution Pro" virus
« Reply #7 on: August 16, 2010, 07:26:47 PM »
Is your computer working any better?

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    Quote
    KillAll::

    File::
    c:\windows\system32\REN75.tmp
    c:\windows\system32\REN74.tmp
    c:\windows\system32\REN73.tmp

  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

**************************************

* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:\RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.

haus_kat

  • Guest
Re: problem with crappy "Antivir Solution Pro" virus
« Reply #8 on: August 17, 2010, 09:56:11 PM »


c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-08-16  20:04:43
ComboFix-quarantined-files.txt  2010-08-17 00:04

Pre-Run: 1,521,696,768 bytes free
Post-Run: 1,545,035,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 03ABF1FDB333A4BD880F6A407C4E6C74

haus_kat

  • Guest
Re: problem with crappy "Antivir Solution Pro" virus
« Reply #9 on: August 17, 2010, 09:56:56 PM »
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2010/08/17 21:10
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xA0E6F000   Size: 31744   File Visible: No   Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF8675000   Size: 60416   File Visible: No   Signed: -
Status: -

Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9C574000   Size: 876544   File Visible: No   Signed: -
Status: -

Name: mbr.sys
Image Path: C:\DOCUME~1\Mike\LOCALS~1\Temp\mbr.sys
Address: 0xF899D000   Size: 20864   File Visible: No   Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xA2403000   Size: 7872   File Visible: No   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9BCE8000   Size: 49152   File Visible: No   Signed: -
Status: -

SSDT
-------------------
#: 017   Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28f0180

#: 019   Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28f09c0

#: 031   Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ee7f0

#: 037   Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28fd9e0

#: 046   Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ee4a0

#: 047   Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28eb070

#: 048   Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28eb460

#: 050   Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28eab30

#: 053   Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28eca00

#: 057   Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ed660

#: 068   Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ee170

#: 097   Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ef8a0

#: 116   Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28fe110

#: 122   Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ec390

#: 125   Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28eadd0

#: 128   Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ecf20

#: 137   Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28f0600

#: 145   Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28efd10

#: 180   Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28f0b60

#: 200   Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ef3f0

#: 204   Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28fd670

#: 206   Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28eddc0

#: 210   Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28eebe0

#: 213   Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ed440

#: 240   Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ed800

#: 249   Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ef770

#: 253   Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28edfa0

#: 254   Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28edbc0

#: 255   Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ed9f0

#: 257   Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ec790

#: 258   Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28ed210

#: 262   Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28efad0

#: 277   Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xa28f07d0

==EOF==

SuperDave

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: problem with crappy "Antivir Solution Pro" virus
« Reply #10 on: August 18, 2010, 06:39:24 PM »
Did you run the ComboFix script as instructed in Reply #7?

Windows 8 and Windows 10 dual boot with two SSD's

haus_kat

  • Guest
Re: problem with crappy "Antivir Solution Pro" virus
« Reply #11 on: August 18, 2010, 09:16:57 PM »
I thought I did. Is there something wrong?

SuperDave

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: problem with crappy "Antivir Solution Pro" virus
« Reply #12 on: August 19, 2010, 12:34:17 PM »
Quote
I thought I did. Is there something wrong?
No. I think you just ran another scan with ComboFix. Please run the script and post the log.

haus_kat

  • Guest
Re: problem with crappy "Antivir Solution Pro" virus
« Reply #13 on: August 22, 2010, 10:23:58 AM »
Okay, I made the text file as instructed and dropped it into ComboFix, but then I noticed that after it finished running the scan (and after it rebooted my computer) the text file I'd made and dropped into ComboFix had disappeared. Was it supposed to do that?

Here is the scan log it produced:

ComboFix 10-08-21.06 - Mike 08/22/2010  12:08:34.4.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.502.318 [GMT -4:00]
Running from: c:\documents and settings\Mike\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

FILE ::
"c:\windows\system32\REN73.tmp"
"c:\windows\system32\REN74.tmp"
"c:\windows\system32\REN75.tmp"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mike\Favorites\Callaway Golf - A better game by design..url
c:\documents and settings\Mike\Favorites\eBay Forums PLEASE HELP I think I have a virus ....url
c:\documents and settings\Mike\Favorites\HubbleSite -- Out of the ordinary...out of this world..url
c:\documents and settings\Mike\Favorites\Online Application Form - Arctic Express, Inc..url

.
(((((((((((((((((((((((((   Files Created from 2010-07-22 to 2010-08-22  )))))))))))))))))))))))))))))))
.

2010-08-18 01:10 . 2010-08-18 01:10   0   ----a-w-   C:\settings.dat
2010-08-18 01:09 . 2009-08-13 15:14   472064   ----a-w-   C:\RootRepeal.exe
2010-08-09 21:32 . 2010-08-09 21:31   423656   ----a-w-   c:\windows\system32\deployJava1.dll
2010-08-08 05:45 . 2010-08-09 21:40   --------   d-----w-   c:\documents and settings\Mike\Local Settings\Application Data\mgurgilcv
2010-08-06 03:38 . 2010-08-06 03:38   --------   d-----w-   c:\documents and settings\Mike\Application Data\SanDisk

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-21 05:06 . 2006-05-09 13:24   --------   d-----w-   c:\program files\Common Files\LightScribe
2010-08-21 05:01 . 2009-02-09 08:02   --------   d-----w-   c:\program files\InterActual
2010-08-19 23:59 . 2006-05-09 13:03   --------   d-----w-   c:\program files\WildTangent
2010-08-19 23:47 . 2009-12-17 17:22   --------   d-----w-   c:\program files\PopCap Games
2010-08-09 21:32 . 2006-05-09 10:35   --------   d-----w-   c:\program files\Common Files\Java
2010-08-09 21:29 . 2009-06-17 23:57   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-08-08 06:37 . 2008-03-16 17:16   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-11 00:45 . 2009-12-06 08:46   --------   d-----w-   c:\documents and settings\Mike\Application Data\OnlineArmor
2010-07-10 12:37 . 2010-07-10 12:37   --------   d-----w-   c:\program files\Microsoft Security Essentials
2010-06-14 14:30 . 2004-08-04 21:00   743936   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-01 17:37 . 2009-12-06 08:23   221568   ------w-   c:\windows\system32\MpSigStub.exe
2009-03-11 19:36 . 2008-03-29 05:23   67688   ----a-w-   c:\program files\mozilla firefox\components\jar50.dll
2009-03-11 19:36 . 2008-03-29 05:23   54368   ----a-w-   c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-11 19:36 . 2008-03-29 05:23   34944   ----a-w-   c:\program files\mozilla firefox\components\myspell.dll
2009-03-11 19:36 . 2008-03-29 05:23   46712   ----a-w-   c:\program files\mozilla firefox\components\spellchk.dll
2009-03-11 19:36 . 2008-03-29 05:23   172136   ----a-w-   c:\program files\mozilla firefox\components\xpinstal.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\documents and settings\Mike\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-08-06 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-15 454656]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-04-18 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 761948]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-04-12 102400]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 131072]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-11-26 6621384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-16 180269]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-11-26 923336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"Reminder"=c:\windows\CREATOR\Remind_XP.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [12/6/2009 4:46 AM 221264]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [12/6/2009 4:46 AM 24656]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [12/6/2009 4:46 AM 29776]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2010-08-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.verizon.net/central/appmanager/portal/vzcentral#Scene_1
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\ob5qjy7g.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.perezhilton.com.
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-22 12:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???HZ??????(?@???????@
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  SansaDispatch = c:\documents and settings\Mike\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?d?i?v?>? ? ?<?/?b?o?d?y?>? ? ?<?/?h?t?m?l?>???G???]?N?D?H?d?x???T?>?<?/?T?A?G?_?E?N?D?_

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(492)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2176)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\windows\system32\shdoclc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Tall Emu\Online Armor\OAcat.exe
c:\program files\Tall Emu\Online Armor\oasrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\fxssvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
c:\program files\Tall Emu\Online Armor\OAhlp.exe
c:\progra~1\HPQ\Shared\HPQTOA~1.EXE
.
**************************************************************************
.
Completion time: 2010-08-22  12:37:19 - machine was rebooted
ComboFix-quarantined-files.txt  2010-08-22 16:37
ComboFix2.txt  2010-08-18 00:56
ComboFix3.txt  2010-08-17 00:04

Pre-Run: 954,286,080 bytes free
Post-Run: 1,040,084,992 bytes free

- - End Of File - - 3FBB34D420279F3E65C67872B6F12F63

SuperDave

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: problem with crappy "Antivir Solution Pro" virus
« Reply #14 on: August 22, 2010, 10:46:36 AM »
Quote
Was it supposed to do that?
Don't worry about it. We'll be getting rid of all those tools soon.

Please read here for more information about WildTangent. Your choice if you want to remove it or not.

If you choose to follow my advice, please follow these instructions.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

WildTangent Web Driver
**********************************
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is unchecked.
  • Now click the Scan button.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.