
Antispyware Protector???



Anyone know about 'Antispyware Protector'? Seems like a variant of Antispyware 2009, but it doesn't clean up with the latest MBAM.

Running processes are 'antispymon.exe' and 'antispyprot.exe'.

Google search and searching this forum doesn't result in much, unless I'm missing something.

If anyone can help, please post links or how to remove this.

Below are the MBAM and HijackThis logs.

Thanks in advance.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:32:19, on 2/11/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\AntiSpyware Protector\AntiSpyMon.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AntiSpyware Protector\AntiSpyProt.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\rundll32.exe

O1 - Hosts: www.vav2008.com 217.20.175.74

O1 - Hosts: vav2008.com 217.20.175.74

O1 - Hosts: scanner.vavscan.com 217.20.175.74

O1 - Hosts: www.scanner.vavscan.com 217.20.175.74

O1 - Hosts: www.vavscan.com 217.20.175.74

O1 - Hosts: scan.vavscan.com 217.20.175.74

O1 - Hosts: www.scan.vavscan.com 217.20.175.74

O1 - Hosts: 217.20.175.74 www.vav2008.com

O1 - Hosts: 217.20.175.74 vav2008.com

O1 - Hosts: 217.20.175.74 scanner.vavscan.com

O1 - Hosts: 217.20.175.74 www.scanner.vavscan.com

O1 - Hosts: 217.20.175.74 www.vavscan.com

O1 - Hosts: 217.20.175.74 scan.vavscan.com

O1 - Hosts: 217.20.175.74 www.scan.vavscan.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ASPMonitor] C:\Program Files\AntiSpyware Protector\AntiSpyMon.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - Startup: AntiSpy Protector.lnk = C:\Program Files\AntiSpyware Protector\AntiSpyProt.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Event Reminder.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://www.comfortsite.com/EBiz/Applicatio...SApps/msrdp.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Bejeweled 2\Images\armhelper.ocx

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 10367 bytes


Quick scan with MBAM:

Malwarebytes' Anti-Malware 1.33

Database version: 1732

Windows 5.1.2600 Service Pack 3

2/6/2009 1:29:11 PM

mbam-log-2009-02-06 (13-29-11).txt

Scan type: Quick Scan

Objects scanned: 68906

Time elapsed: 19 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Full scan with MBAM:

Malwarebytes' Anti-Malware 1.33

Database version: 1732

Windows 5.1.2600 Service Pack 2

2/6/2009 6:11:06 AM

mbam-log-2009-02-06 (06-11-06).txt

Scan type: Full Scan (C:\|)

Objects scanned: 124016

Time elapsed: 39 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running, or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Before running ComboFix I decided to check for Malwarebytes updates. There were updates available. So I ran another scan, and it appears to have cleaned up this spyware.

Latest Malwarebytes log:

Malwarebytes' Anti-Malware 1.34

Database version: 1755

Windows 5.1.2600 Service Pack 3

2/12/2009 3:33:51 PM

mbam-log-2009-02-12 (15-33-51).txt

Scan type: Quick Scan

Objects scanned: 80773

Time elapsed: 17 minute(s), 2 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 5

Files Infected: 29

Memory Processes Infected:

C:\Program Files\AntiSpyware Protector\AntiSpyMon.exe (Rogue.AntiSpywareProtector) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspmonitor (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\AntiSpyware Protector (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\PDB (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\Quarantine (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\WAV (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\AntiSpyware Protector (Rogue.AntiSpywareProtector) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\AntiSpyware Protector\AntiSpyMon.exe (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\AntiSpyProt.chm (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\AntiSpyProt.exe (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\AntiSpyProt.ini (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\AntiSpyProt.lind (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\AntiSpyProt.log (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\AntiSpyProt_vp.sdb (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\AntiSpyware Protector Home Page.url (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\ASPIE.dll (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\aspy_cfg.ini (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\ASWhiteList.cfg (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\background.jpeg (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\ckrdr.exe (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\install_stat1.tmp (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\quarantine.dat (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\ReadMe.txt (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\report.xml (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\Uninstall.exe (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\PDB\4Dec2008.pdb (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\PDB\StartupList.pdb (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\WAV\Alert.wav (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\WAV\Deleted.wav (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Program Files\AntiSpyware Protector\WAV\Warning.wav (Rogue.AntiSpyProtector) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\AntiSpyware Protector\AntiSpy Monitor.lnk (Rogue.AntiSpywareProtector) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\AntiSpyware Protector\AntiSpy Protector Home.lnk (Rogue.AntiSpywareProtector) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\AntiSpyware Protector\AntiSpy Protector.lnk (Rogue.AntiSpywareProtector) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\AntiSpyware Protector\Documentation.lnk (Rogue.AntiSpywareProtector) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\AntiSpyware Protector\ReadMe.lnk (Rogue.AntiSpywareProtector) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\AntiSpy Protector.lnk (Rogue.AntiSpywareProtector) -> Quarantined and deleted successfully.


And the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:07:49, on 2/12/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\AVG\AVG8\avgupd.exe

O1 - Hosts: www.vav2008.com 217.20.175.74

O1 - Hosts: vav2008.com 217.20.175.74

O1 - Hosts: scanner.vavscan.com 217.20.175.74

O1 - Hosts: www.scanner.vavscan.com 217.20.175.74

O1 - Hosts: www.vavscan.com 217.20.175.74

O1 - Hosts: scan.vavscan.com 217.20.175.74

O1 - Hosts: www.scan.vavscan.com 217.20.175.74

O1 - Hosts: 217.20.175.74 www.vav2008.com

O1 - Hosts: 217.20.175.74 vav2008.com

O1 - Hosts: 217.20.175.74 scanner.vavscan.com

O1 - Hosts: 217.20.175.74 www.scanner.vavscan.com

O1 - Hosts: 217.20.175.74 www.vavscan.com

O1 - Hosts: 217.20.175.74 scan.vavscan.com

O1 - Hosts: 217.20.175.74 www.scan.vavscan.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Event Reminder.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Bejeweled 2\Images\stg_drm.ocx

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://www.comfortsite.com/EBiz/Applicatio...SApps/msrdp.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Bejeweled 2\Images\armhelper.ocx

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--

End of file - 10202 bytes


  • Root Admin

Please delete or rename your HOSTS file: C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts

You can rename it hosts.old if you like, or delete it and create a new one with only this in it:

127.0.0.1	localhost

Then restart your computer and download and run this AV scanner, and let me know what it finds.

Download to the desktop: Dr.Web CureIt

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found (check.gif). If so, click it, then click the next icon right below and select Move incurable, as shown in the next image (move.gif). This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer, because files in use may be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, with a new HijackThis log.
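One way to triage the O1 entries in logs like the ones above before replacing the hosts file, as an added example that is not code from the thread, from HijackThis or from Malwarebytes: the sample log lines are constructed from entries shown in the thread, and the function names and the loopback/redirect/malformed labels are this example's own.

```python
"""
Added example (not code from the thread or from HijackThis/Malwarebytes):
classify the 'O1 - Hosts:' entries HijackThis reports, and with the same
logic the lines of a raw hosts file, so entries a rogue wrote stand out.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample built from entries shown in the thread: the rogue wrote
# each mapping both as "hostname IP" (malformed, ignored by Windows) and as
# "IP hostname" (effective), and repeated the whole block several times.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: www.vav2008.com 217.20.175.74
O1 - Hosts: 217.20.175.74 www.vav2008.com
O1 - Hosts: 217.20.175.74 scan.vavscan.com
O1 - Hosts: 217.20.175.74 www.vav2008.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - SDHelper.dll
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")


def classify(first, second):
    """Turn one two-field hosts mapping into (address, hostname, status).

    'loopback' is the benign default (127.x / ::1), 'redirect' means the name
    resolves anywhere else, and 'malformed' means the fields are in
    'hostname address' order (Windows ignores such a line, but it is still
    evidence of tampering).  These status names are this example's own.
    """
    try:
        addr = ipaddress.ip_address(first)
    except ValueError:
        return (second, first, "malformed")
    return (first, second, "loopback" if addr.is_loopback else "redirect")


def parse_hijackthis_log(log_text):
    """Extract and classify every 'O1 - Hosts:' line of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append(classify(*m.groups()))
    return entries


def parse_hosts_file(hosts_text):
    """Same classification for a raw hosts file; comments and blanks skipped."""
    entries = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            # one address may carry several names on a line; classify each
            entries.extend(classify(fields[0], name) for name in fields[1:])
    return entries


def is_tampered(entries):
    """True if anything other than loopback mappings is present."""
    return any(status != "loopback" for _, _, status in entries)


def redirect_targets(entries):
    """Map each non-loopback address to the sorted names pointing at it, so
    the analyst sees the single scam IP and the domain family behind it."""
    targets = {}
    for addr, host, status in entries:
        if status == "redirect":
            targets.setdefault(addr, set()).add(host)
    return {addr: sorted(hosts) for addr, hosts in targets.items()}


def duplicate_counts(entries):
    """Entries written more than once (the thread's log repeats its block six
    times), keyed by (address, hostname, status)."""
    return {entry: n for entry, n in Counter(entries).items() if n > 1}


def clean_hosts_file():
    """Replacement content matching what the helper in the thread recommends."""
    return "127.0.0.1\tlocalhost\n"


if __name__ == "__main__":
    found = parse_hijackthis_log(SAMPLE_LOG)
    for addr, host, status in found:
        print(f"{status:9s} {addr:15s} {host}")
    print("tampered:", is_tampered(found))
    print("redirect targets:", redirect_targets(found))
    print("duplicates:", duplicate_counts(found))
```

Run it against a real log by reading the file into `parse_hijackthis_log`, or against the live hosts file with `parse_hosts_file`; a file that returns `is_tampered() == False` after cleanup contains only loopback mappings.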
