Rogue.AndromedaAV


Hello

Malwarebytes finds and removes it, then it keeps showing back up again. Can anyone help with this?

Malwarebytes' Anti-Malware 1.41

Database version: 3221

Windows 5.1.2600 Service Pack 3

26-Nov-2009 08:55:18 AM

mbam-log-2009-11-26 (08-55-18).txt

Scan type: Quick Scan

Objects scanned: 129547

Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\*\shell\av (Rogue.AndromedaAv) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:46:18, on 26-Nov-2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

G:\WINDOWS\System32\smss.exe

G:\WINDOWS\system32\csrss.exe

G:\WINDOWS\system32\winlogon.exe

G:\WINDOWS\system32\services.exe

G:\WINDOWS\system32\lsass.exe

G:\WINDOWS\system32\svchost.exe

G:\WINDOWS\system32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\System32\svchost.exe

G:\WINDOWS\system32\ZoneLabs\vsmon.exe

G:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

G:\WINDOWS\system32\spoolsv.exe

G:\Program Files\Creative\Shared Files\CTAudSvc.exe

G:\WINDOWS\Explorer.EXE

G:\Program Files\ContentWatch\Internet Protection\cwsvc.exe

G:\Program Files\Flip Video\FlipShare\FlipShareService.exe

G:\Program Files\IObit\IObit Security 360\IS360srv.exe

G:\Program Files\Google\Update\GoogleUpdate.exe

G:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe

G:\WINDOWS\system32\wfxsnt40.exe

G:\PROGRA~1\WinFax\WFXSWTCH.exe

G:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

G:\Program Files\Java\jre6\bin\jqs.exe

G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

G:\Program Files\iTunes\iTunesHelper.exe

G:\Program Files\PCPitstop\PCPitstopScheduleService.exe

G:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe

G:\Program Files\LAN Voice Chat\Speechs.exe

G:\WINDOWS\System32\svchost.exe

G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

G:\WINDOWS\system32\WFXSVC.EXE

G:\WINDOWS\system32\MsPMSPSv.exe

G:\Program Files\WinFax\WFXMOD32.EXE

G:\Program Files\PhoneBOT\bin\pbservice.exe

G:\WINDOWS\System32\wbem\unsecapp.exe

G:\WINDOWS\system32\wbem\wmiprvse.exe

G:\WINDOWS\System32\wbem\unsecapp.exe

G:\Program Files\iPod\bin\iPodService.exe

G:\WINDOWS\system32\wscntfy.exe

G:\WINDOWS\System32\alg.exe

G:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe

G:\Program Files\CheckPoint\ZAForceField\ForceField.exe

G:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe

G:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

G:\Program Files\Mozilla Firefox\firefox.exe

G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - G:\Program Files\XfireXO\tbXfir.dll

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - G:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - G:\Program Files\XfireXO\tbXfir.dll

O2 - BHO: ZoneAlarm Toolbar Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - G:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)

O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: ZoneAlarm Toolbar - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - G:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll

O3 - Toolbar: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - G:\Program Files\XfireXO\tbXfir.dll

O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe

O4 - HKLM\..\Run: [WFXSwtch] G:\PROGRA~1\WinFax\WFXSWTCH.exe

O4 - HKLM\..\Run: [sBDrvDet] G:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

O4 - HKLM\..\Run: [WinPatrol] G:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKLM\..\Run: [nwiz] G:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ZoneAlarm Client] "G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [REGSHAVE] G:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "G:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Startup: PrintScreen (2).lnk = G:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O10 - Unknown file in Winsock LSP: g:\windows\system32\cwalsp.dll

O10 - Unknown file in Winsock LSP: g:\windows\system32\cwalsp.dll

O10 - Unknown file in Winsock LSP: g:\windows\system32\cwalsp.dll

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo...sreqlab_nvd.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - G:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1238284641671

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1238284939343

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareup...15109/CTPID.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll

O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - G:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe

O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - G:\Program Files\Creative\Shared Files\CTAudSvc.exe

O23 - Service: ContentWatch (CwAltaService20) - ContentWatch, Inc. - G:\Program Files\ContentWatch\Internet Protection\cwsvc.exe

O23 - Service: FlipShare Service - Unknown owner - G:\Program Files\Flip Video\FlipShare\FlipShareService.exe

O23 - Service: Google Update Service (gupdate1c9b02f32cdb1e4) (gupdate1c9b02f32cdb1e4) - Google Inc. - G:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IS360service - IObit - G:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: ZoneAlarm ForceField IswSvc (IswSvc) - Check Point Software Technologies - G:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - G:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PCPitstop Scheduling - PC Pitstop LLC - G:\Program Files\PCPitstop\PCPitstopScheduleService.exe

O23 - Service: PhoneBOT Service (PhoneBOTService) - ThePhoneBOT.com - G:\Program Files\PhoneBOT\bin\pbservice.exe

O23 - Service: Pml Driver HPZ12 - HP - G:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - G:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - G:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe

O23 - Service: Glasovne poruke (Speechsrv) - Unknown owner - G:\Program Files\LAN Voice Chat\Speechs.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - G:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - G:\WINDOWS\system32\WFXSVC.EXE

--

End of file - 10592 bytes


  • Staff

Hi,

The Rogue.Andromeda detection is actually a small read error in mbam. It sees the key in the wrong place, since it has a problem with the * char in the registry.

Open Notepad and copy and paste the text present in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CLASSES_ROOT\av]

Save this as fix.reg. Choose to save as "all files" and place it on your desktop.

It should look like this: (image: reg.gif)

Double-click on it and, when it asks you if you want to merge the contents into the registry, click Yes/OK.

Let me know if that fixed it.

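One way to see what is actually in the registry before and after merging fix.reg, as an added example that is not part of the thread above: the scanner flagged HKEY_CLASSES_ROOT\*\shell\av, while the fix removes HKEY_CLASSES_ROOT\av, so it is worth checking both paths and which program the context-menu verb launches. Assumes PowerShell is available on the affected machine and is run with administrator rights; the key name "*" has to be addressed with -LiteralPath because "*" is a wildcard in normal PowerShell paths.

```powershell
# Added example, not from the thread. Inspect the two registry paths involved in the
# Rogue.AndromedaAV detection so the fix.reg deletion can be verified before and after.

# The context-menu verb under the "*" (all file types) key that MBAM reported.
$flagged = 'Registry::HKEY_CLASSES_ROOT\*\shell\av'
# The key the staff-supplied fix.reg deletes ([-HKEY_CLASSES_ROOT\av]).
$stray   = 'Registry::HKEY_CLASSES_ROOT\av'

function Get-KeyState {
    param([string]$Path)
    # -LiteralPath is essential: without it "*" would be expanded as a wildcard.
    if (Test-Path -LiteralPath $Path) {
        $key = Get-Item -LiteralPath $Path
        $cmd = $null
        # A shell verb normally has a "command" subkey holding the program it runs;
        # that tells you which product registered the entry.
        if (Test-Path -LiteralPath "$Path\command") {
            $cmd = (Get-Item -LiteralPath "$Path\command").GetValue('')
        }
        New-Object PSObject -Property @{
            Path    = $Path
            Exists  = $true
            Default = $key.GetValue('')
            SubKeys = ($key.GetSubKeyNames() -join ', ')
            Command = $cmd
        }
    } else {
        New-Object PSObject -Property @{
            Path = $Path; Exists = $false; Default = $null; SubKeys = ''; Command = $null
        }
    }
}

Get-KeyState $flagged | Format-List
Get-KeyState $stray   | Format-List
```

Run it once before merging fix.reg and once after: the second path should report Exists = False afterwards, and the Command value of the first shows which installed product owns the "av" verb.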

  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
