jordannnnnn Posted November 26, 2009 ID:162600 Share Posted November 26, 2009 So here I am. Obviously I have a problem with my computer and I need YOUR help.What you should know:-I have Malwarebytes, SuperAntiSpyware, Command AntiVirus, Spybot, Sygate Personal Firewall, & Ad-Aware on my laptop currently.I know that's overkill. Tell me what to keep.-Running XP-Recently had everything deleted and XP reinstalledThe Problem:Well, the problem is... I don't have a problem. I think. By that i mean, nothing appears to be wrong. I'm having no issues with anything on my computer.Yet, for some reason on 6 different occasions, a MalwareBytes scan found something called "Rogue.AntiVirus" in the registry keys category. Each has a different reference number but they're all called the same thing.Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus (Rogue.AntiVirus) -It tells me its been quarantined and removed each time.-I'll go a day or two and do several more scans without it showing up again. Then out of nowhere, for what seems to be no apparent reason, the same thing comes back.Im not sure what it is or why this keeps happening and i sure would like to. -I have all the logs and reference #'s MBAM gave me if that helps.Any help resolving this issue would be GREATLY appreciated!! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 27, 2009 Staff ID:162932 Share Posted November 27, 2009 Hi,1. Click the Start Menu.2. Click Run.3. Type in "mbam.exe /developer", without the quotes.4. Run the same type of scan you did before and save the logfile and post it.Also, * Download Trend Micro Hijack This Link to post Share on other sites More sharing options...
jordannnnnn Posted November 27, 2009 Author ID:163103 Share Posted November 27, 2009 **This may be confusing because this scan was one of the scans where nothing shows up...It showed up again just yesterday. It shows up 6 different times in my "Quarantine" section each time with a different reference #*** When the log actually does show the infection, this is what it always says is there:Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus (Rogue.AntiVirus) Then MBAM claims to quarantine & remove it, but the same thing always seems to show up a few scans later...-Below are the logs you asked for... I'm not sure if they will help or not because i don't think they found anything.MBAM LOG:Malwarebytes' Anti-Malware 1.41Database version: 3245Windows 5.1.2600 Service Pack 311/27/2009 4:24:19 PMmbam-log-2009-11-27 (16-24-19).txtScan type: Quick ScanObjects scanned: 98554Time elapsed: 7 minute(s), 6 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)--------------------------------------------------------------------------------------------HijackThis Log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:03:56 PM, on 11/27/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Sygate\SPF\smc.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\igfxtray.exeC:\WINDOWS\System32\hkcmd.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exeC:\Program Files\Authentium\Command AntiVirus\avinitnt.exeC:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exeC:\Program Files\Authentium\Command AntiVirus\schscnt.exeC:\Program Files\Authentium\Command AntiVirus\dvprpt.exeC:\Program Files\Authentium\Command AntiVirus\avtray.exeC:\Program Files\Authentium\Command AntiVirus\untray.exeC:\Program Files\Spybot - Search & Destroy\SpybotSD.exeC:\Program Files\Skype\Toolbars\Shared\SkypeNames.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.comR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exeO4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exeO4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exeO4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exeO4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startguiO4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /autoO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - S-1-5-18 Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe (User 'SYSTEM')O4 - .DEFAULT Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe (User 'Default user')O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exeO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1257970541923O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1257970533301O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exeO23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exeO23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exeO23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe--End of file - 5019 bytesThanks for your help!! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 27, 2009 Staff ID:163107 Share Posted November 27, 2009 Hi,When the log actually does show the infection, this is what it always says is there:Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus (Rogue.AntiVirus)Then MBAM claims to quarantine & remove it, but the same thing always seems to show up a few scans later...I think I already know what is happening here. I see you have command Antivirus installed here and it wouldn't suprise me it creates the same keyname as the rogue.Antivirus has.And that may explain why it always comes back afterwards, since Command Antivirus restores its key again.Anyway, we have removed detection for that key for now, so Malwarebytes won't detect it anymore.However, I still would like to have an export of that key, so I can have a look at it and verify it is really from your command Antivirus.To do this, Open notepad and copy and paste next present in the quotebox in it:regedit /e look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus"start notepad look.txtSave this as look.bat , choose to save as *all files and place it on your desktop. It should look like this: Doubleclick on it and notepad should open.Copy and paste the contents of it in your next reply. Link to post Share on other sites More sharing options...
jordannnnnn Posted November 27, 2009 Author ID:163112 Share Posted November 27, 2009 Windows Registry Editor Version 5.00[HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus]@="" Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 27, 2009 Staff ID:163119 Share Posted November 27, 2009 Nothing under it. So can't say much here. But in either way, this key is harmless and I'm pretty sure your command antivirus created that one. I just googled and found this thread:http://forum.piriform.com/index.php?showto...amp;#entry95409Same key there and s(he) has Command Antivirus installed.Ccleaner (registry cleaning option in it) detected that key as orphaned (as it looks indeed like an orphaned key as there is no data under it) and deleted it, with as result that their Command Antivirus didn't work after reboot. So in either way, you are ok here - it's set by Command Antivirus. We removed this detection in malwarebytes now. Link to post Share on other sites More sharing options...
jordannnnnn Posted November 27, 2009 Author ID:163134 Share Posted November 27, 2009 Well thank you You've been VERY helpful!In my first post I listed what I'm currently using for protection:Malwarebytes, SuperAntiSpyware, Command AntiVirus, Spybot, Sygate Personal Firewall, & Ad-Aware I was also hoping to find out which of them i should keep and which to get rid of. Or, if I should get something completely different. Free would be the perfect price.I'm also thinking command antivirus could go. Tell me what you think.. You seem to have all the right answers. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 28, 2009 Staff ID:163264 Share Posted November 28, 2009 Hi,Since I work for Malwarebytes, it's obvious to tell you to keep mbam.As for the other spywarescanners (SuperAntispyware, Spybot and Ad-aware), you can keep them as well since they don't interfere with eachother, but I wouldn't let all these different scanners startup with Windows, because it causes an extra slowdown. But I see this isn't the case here anyway, so you're ok there.Yes, keep Sygate as your personal firewall.For Command Antivirus - from what I've read so far, it isn't that great in detection, however that could have changed in a meanwhile, so who am I to judge, so, if you like it, keep it, if not, uninstall Command Antivirus and install another Antivirus instead. You can choose if you want a free one or not. You can find my recommendations on this page: http://users.telenet.be/bluepatchy/miekiemoes/Links.htmlHope this helps. Link to post Share on other sites More sharing options...
jordannnnnn Posted November 28, 2009 Author ID:163332 Share Posted November 28, 2009 I'm DEFINITELY going to keep Malwarebytes. I love it, it works, and the staff is helpful.I know I said that was the last question I'd bother you with.. but...I want to get rid of some of the clutter. I don't think I need all programs I listed having.If I only kept MBAM & Sygate, then download Avast, would I be protected? Or would there be anything else you would suggest having to keep intruders out?Thank you again.. you've been sooo helpful.I promise this really is my last question!! Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 28, 2009 Staff ID:163357 Share Posted November 28, 2009 If I only kept MBAM & Sygate, then download Avast, would I be protected?That's a good idea.You can also read my Prevention page with lots of info and tips how to prevent malware in the future.And if you want to improve speed/system performance after malware removal, take a look here.Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. Link to post Share on other sites More sharing options...
Staff miekiemoes Posted November 30, 2009 Staff ID:164230 Share Posted November 30, 2009 Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts