
Cannot fully remove XP Antivirus 2012 Malware


jdeyong


"XP Antivirus 2012" has infected my computer. I'm able to update Malwarebytes and scan in Safe Mode and have removed several items, but am unable to fully remove the infection. The first scan, done on the 23rd, removed 57 items (log included below); since that scan, the other scans have only found a few registry files. When I reboot into Normal mode the "XP Antivirus 2012" pop-ups come up at start-up, and I am unable to access the internet or use antivirus software.

I am also including a DDS log that I performed. Any help is greatly appreciated. Thanks.

SCAN:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 911122309

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

12/23/2011 8:48:23 PM

mbam-log-2011-12-23 (20-48-23).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 274639

Time elapsed: 34 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 5

Registry Values Infected: 6

Registry Data Items Infected: 4

Folders Infected: 2

Files Infected: 57

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\documents and settings\networkservice\application data\Adobe\sp.DLL (TrojanProxy.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MozillaAgent (Heuristics.Shuriken) -> Value: MozillaAgent -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Value: {96AFBE69-C3B0-4B00-8578-D933D2896EE2} -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Value: {96AFBE69-C3B0-4b00-8578-D933D2896EE2} -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvc (TrojanProxy.Agent) -> Value: netsvc -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RTHDBPL (Trojan.Agent) -> Value: RTHDBPL -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netcfgxwow.exe (Trojan.TracurW.Gen) -> Value: netcfgxwow.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner.YOUR-0944CBA8B9\Local Settings\Application Data\ssi.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

c:\WINDOWS\system32\SysWoW32 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\documents and settings\owner.your-0944cba8b9\application data\SysWin (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

c:\WINDOWS\temp\_ex-68.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.

c:\documents and settings\networkservice\application data\Adobe\sp.DLL (TrojanProxy.Agent) -> Quarantined and deleted successfully.

c:\WINDOWS\temp\kna0.07762028727015158.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000007f567afe1347c.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000007f567afe1347o.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000007f567afe1347p.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\020000007f567afe1347s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\gnuhashes.ini (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\documents and settings\owner.your-0944cba8b9\local settings\Temp\sghj0.1862973153909635.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v12.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v12 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v13 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v13.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v14 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v14.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v15 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v15.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v4 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v4.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v5 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v5.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v6 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v6.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v7 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\mu1653398827v7.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v0 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v0.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v1 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v1.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v10 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v10.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v11 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v11.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v2 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v2.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v3 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v3.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v8 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v8.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v9 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\wu1653398827v9.kwd (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v0 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v1 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v10 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v11 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v12 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v13 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v14 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v15 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v2 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v3 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v4 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v5 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v6 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v7 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v8 (Trojan.Tracur) -> Quarantined and deleted successfully.

c:\WINDOWS\system32\SysWoW32\_u1653398827v9 (Trojan.Tracur) -> Quarantined and deleted successfully.

DDS:

.

DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702

Run by Administrator at 20:40:33 on 2011-12-24

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.87 [GMT -5:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

.

============== Pseudo HJT Report ===============

.

uSearch Bar = hxxp://www.google.com/ie

uStart Page = hxxp://www.gateway.com/

BHO: {02067278-2352-4674-8a57-21e111b1ce0f} - c:\windows\system32\atipdlxx32.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll

BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [synTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"

mRun: [synTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"

mRun: [sunKist] "c:\program files\digital media reader\shwicon2k.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"

mRun: [share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [<NO NAME>]

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [sunJavaUpdateSched] c:\program files\java\jre6\bin\jusched.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW

mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monitor.lnk - c:\program files\sandisk\sandisk transfermate\SD Monitor.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_24.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

LSP: mswsock.dll

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326

TCP: DhcpNameServer = 65.32.5.111 65.32.5.112

TCP: Interfaces\{FA458D5C-8FA7-4F13-AEE2-EEC0D5E9FB93} : DhcpNameServer = 65.32.5.111 65.32.5.112

Notify: AtiExtEvent - Ati2evxx.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

Notify: WRNotifier - WRLogonNTF.dll

AppInit_DLLs: c:\windows\system32\LFPCD11N32.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 69.72.252.254 www.google-analytics.com.

Hosts: 69.72.252.254 ad-emea.doubleclick.net.

Hosts: 69.72.252.254 www.statcounter.com.

Hosts: 184.95.41.155 www.google-analytics.com.

Hosts: 184.95.41.155 ad-emea.doubleclick.net.

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-9-4 64512]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]

S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-8-6 301200]

S2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-6-15 249648]

S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-8-6 255096]

S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-8-6 242808]

S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-9-4 366152]

S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S2 napagent32;Network Access Protection Agent ;c:\windows\system32\wuaueng32.exe --> c:\windows\system32\wuaueng32.exe [?]

S2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-8-6 37008]

S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-8-6 1258712]

S3 AMDMSRIO;AMDMSRIO;\??\c:\docume~1\admini~1\locals~1\temp\safe to delete 3_0_4_8\amdmsrio.sys --> c:\docume~1\admini~1\locals~1\temp\safe to delete 3_0_4_8\AMDMSRIO.sys [?]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-7-7 195336]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-8-6 87160]

S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-12-12 200192]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-9-4 22216]

S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]

S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\naveng.sys [2011-5-6 86136]

S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110502.002\navex15.sys [2011-5-6 1393144]

S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-23 50704]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-8-6 169192]

.

=============== File Associations ===============

.

regfile=regedit.exe "%1" %*

scrfile="%1" %*

.

=============== Created Last 30 ================

.

2011-12-24 01:02:40 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE

2011-12-23 12:14:09 50704 ----a-w- c:\windows\system32\drivers\npf.sys

2011-12-23 12:14:09 281104 ----a-w- c:\windows\system32\wpcap.dll

2011-12-23 12:14:09 100880 ----a-w- c:\windows\system32\Packet.dll

2011-12-21 00:22:53 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Symantec

2011-12-21 00:18:08 -------- d-sh--w- c:\documents and settings\administrator\IETldCache

2011-12-20 23:06:56 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes

2011-12-02 14:41:22 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection

2011-12-02 14:41:19 -------- d-----w- c:\program files\Toolbar Cleaner

2011-12-02 14:41:12 -------- d-----w- c:\program files\adawaretb

.

==================== Find3M ====================

.

2011-12-25 00:09:27 26112 ----a-w- c:\windows\system32\userinit.exe

2011-12-02 14:47:50 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-11-29 01:17:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys

2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll

2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec

2011-11-03 17:06:56 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll

2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll

2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe

2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe

2011-10-14 22:38:00 456192 ----a-w- c:\windows\system32\encdec.dll

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

2004-08-10 19:00:00 94784 -csh--w- c:\windows\twain.dll

2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll

2006-02-17 02:33:10 1216 -csh--w- c:\windows\Twunk_16.dll

2006-02-17 02:33:10 1216 -csh--w- c:\windows\Twunk_32.dll

2011-02-08 13:33:55 978944 --sha-w- c:\windows\system32\mfc42.dll

2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll

2010-12-20 17:32:15 551936 --sha-w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12:02 84992 --sha-w- c:\windows\system32\olepro32.dll

2008-04-14 00:12:32 11776 --sha-w- c:\windows\system32\regsvr32.exe

2011-06-23 01:08:45 203776 --sh--w- c:\windows\system32\unrar.exe

2011-06-23 01:08:40 203776 --sh--w- c:\windows\system32\63699e828dc19ff73f64832c2baf26df\unrar.exe

.

============= FINISH: 20:41:52.42 ===============

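The DDS "Pseudo HJT Report" and the SERVICES/DRIVERS section posted above contain the indicators a responder actually reads first: a BHO registered with a CLSID but no display name, a Run entry with no value name, a populated AppInit_DLLs key, HOSTS entries redirecting analytics domains to remote addresses, and a service whose binary DDS could not verify ("[?]") and whose name imitates a Windows component with digits appended (wuaueng32.exe). The following is an added example for this thread, not code from the original post, from DDS or from Malwarebytes: a small offline triage script that scans pasted report text for those patterns. The sample input is an excerpt of the lines posted above; the rule set and the list of imitated component names are this example's own assumptions, not a DDS feature.

```python
"""Triage a DDS-style report for persistence and hijack indicators.

Added example for this forum thread; not part of DDS or Malwarebytes.
The heuristics below are illustrative and produce leads, not verdicts.
"""
import re
from dataclasses import dataclass

# Excerpt of the DDS report posted above (constructed sample input for this example).
SAMPLE_REPORT = r"""
BHO: {02067278-2352-4674-8a57-21e111b1ce0f} - c:\windows\system32\atipdlxx32.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [<NO NAME>]
AppInit_DLLs: c:\windows\system32\LFPCD11N32.dll
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 184.95.41.155 www.google-analytics.com.
S2 napagent32;Network Access Protection Agent ;c:\windows\system32\wuaueng32.exe --> c:\windows\system32\wuaueng32.exe [?]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-8-6 1258712]
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# Genuine Windows component names that droppers imitate by appending digits
# (assumption for this example: a short illustrative list, not exhaustive).
LOOKALIKE_STEMS = ("wuaueng", "svchost", "winlogon", "lsass", "csrss", "userinit")
LOOKALIKE_RE = re.compile(
    r"[\\/](?:%s)\d+\.(?:exe|dll)\b" % "|".join(LOOKALIKE_STEMS), re.IGNORECASE
)
# HOSTS targets that are normal for a local machine.
BENIGN_HOSTS_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def triage(report: str) -> list[Finding]:
    """Return one Finding per matched indicator, in report order."""
    findings: list[Finding] = []
    hosts_by_name: dict[str, set[str]] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        # 1. BHO registered with a bare CLSID and no display name.
        if re.match(r"BHO: \{[0-9a-f-]{36}\} - ", line, re.IGNORECASE):
            findings.append(Finding("bho-without-name", line))
        # 2. Run key entry whose value name is empty.
        if re.match(r"[um]Run: \[<NO NAME>\]", line):
            findings.append(Finding("run-entry-without-name", line))
        # 3. AppInit_DLLs populated: the DLL is loaded into every process that loads user32.
        if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(Finding("appinit-dll", line))
        # 4. HOSTS entry sending a non-local name to a remote address.
        m = re.match(r"Hosts: (\S+) (\S+)", line)
        if m:
            ip, name = m.group(1), m.group(2).rstrip(".").lower()
            if ip not in BENIGN_HOSTS_IPS and name != "localhost":
                findings.append(Finding("hosts-redirect", line))
                hosts_by_name.setdefault(name, set()).add(ip)
        # 5. Service/driver entry whose binary DDS could not find or verify.
        #    Legitimate drivers that are not loaded can also show "[?]", so treat as a lead.
        if re.match(r"[RS][0-3] ", line) and line.endswith("[?]"):
            findings.append(Finding("service-binary-unverified", line))
        # 6. Binary named after a Windows component with digits appended.
        if LOOKALIKE_RE.search(line):
            findings.append(Finding("component-lookalike-name", line))
    # The same name mapped to several remote IPs is a classic HOSTS hijack signature.
    for name, ips in hosts_by_name.items():
        if len(ips) > 1:
            findings.append(Finding("hosts-duplicate-name", f"{name} -> {sorted(ips)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.rule}] {f.line}")
```

Run it against the full report pasted in the post (or any saved DDS.txt) to get a short list of lines worth investigating before deciding between cleaning and a rebuild; nothing here modifies the system.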


Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking, then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen, and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


That's what I would do if I were you.

Be sure to do a Clean Install and not just a Repair Install.

You are also showing 2 antivirus programs active:

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

Never install more than one antivirus or firewall! Rather than giving you extra protection, it will seriously decrease their reliability!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also, because multiple installed antivirus programs and firewalls are not compatible with each other, they can cause system performance problems and a serious system slowdown.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
