BleepingComputer.com: Windows Antivirus Pro


Windows Antivirus Pro

#1 User is offline   Poltergeist 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 04-November 09

Posted 19 November 2009 - 12:52 PM

Hello people.

A computer at work totally unprotected (!) except by the XP firewall became infected back in August (!) with Windows Antivirus Pro. I followed the tutorial given on this site: http://www.bleepingcomputer.com/virus-remo...s-antivirus-pro

However, although the first bit of the procedure, downloading Fixtm.reg and merging it with the data in the registry, worked, so that I was able to use the Windows Task Manager, the process called Windows Antivirus Pro.exe was simply not in the processes list. The process svchast.exe was there and I did terminate it. However, I cannot open MBAM, previously installed on the computer, or indeed any other program (a window just momentarily opens and then closes). Yet Windows Antivirus Pro is very active, telling me that any site I go to has infected my computer and constantly offering me the wonderful opportunity to purchase this 'antivirus' program.

Any help much appreciated, but I should tell you that I am quite ignorant of computers!

Poltergeist.

#2 User is offline   boopme 

  • To Insanity and Beyond
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Global Moderator
  • Posts: 48,761
  • Joined: 10-September 04
  • Gender:Male
  • Location:NJ USA

Posted 19 November 2009 - 04:35 PM

Hello, please run RKill and then MBAM.
Please download Rkill by Grinler and save it to your desktop.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.

You will need to run the application again if rebooting the computer occurs along the way.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 User is offline   Poltergeist 


Posted 20 November 2009 - 04:21 PM

Many thanks for your help, boopme. I'm off work for some days but will try your suggestions when I get back.

Poltergeist.

#4 User is offline   boopme 


Posted 20 November 2009 - 06:49 PM

Ok, I'll clean that up and await your logs when you return. If you can, in the meantime disconnect it from the Internet.

#5 User is offline   Poltergeist 


Posted 03 December 2009 - 01:02 PM

Hello, boopme.

Sorry it has taken me so long to reply. I became ill towards the end of the planned time off work and therefore ended up away from work longer than intended.

I got rid of Windows Antivirus Pro quickly and effortlessly following your directions. The first link you provided worked straight off.

Thanks, boopme - you're a star!

I am now going to try to post the two logs I got from MBAM. I say 'try' because I've never done this before and as I said in my first post, I'm pretty ignorant of the ways of computers. I say 'two logs' because first I did a quick scan (as advised) and then later did a complete one. I should also say that the date (and time) on the first one is incorrect: time and date like everything else on the computer being messed up by Windows Antivirus Pro.




Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

28/04/2005 01:50:10
mbam-log-2005-04-28 (01-50-10).txt

Scan type: Quick Scan
Objects scanned: 99568
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 7
Files Infected: 47

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tapi.nfo (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f54af7de-6038-4026-8433-cc30e3f17212} (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\antippro2009_12 (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\antippro2009_12 (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\antippro2009_12 (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Windows antiVirus pro (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win AntiVirus Pro (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_12 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\EIRCOMT (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\EIRCOMT\Cache (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\ILHS\Start Menu\Programs\Windows AntiVirus Pro (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tapi.nfo (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\ILHS\Local Settings\Temp\B4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\svchast.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\EIRCOMT\Cache\ErrorLog.txt (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcm80.dll (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcp80.dll (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\msvcr80.dll (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\Windows Antivirus Pro.exe (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\dbsinit.exe (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\wispex.html (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i1.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i2.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\i3.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j1.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j2.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\j3.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj1.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj2.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\jj3.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l1.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l2.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\l3.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\pix.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t1.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\t2.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\Thumbs.db (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up1.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\up2.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w1.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w11.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w2.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\w3.jpg (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt1.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt2.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Program Files\Windows AntiVirus Pro\tmp\images\wt3.gif (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\ILHS\Start Menu\Programs\Windows AntiVirus Pro\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\ILHS\Desktop\Windows Antivirus Pro.lnk (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\desot.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\onhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.





------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3

02/12/2009 12:50:16
mbam-log-2009-12-02 (12-50-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 139218
Time elapsed: 16 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\EIRCOMT (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\EIRCOMT\Cache (Adware.2020search) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0223603.exe (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0223605.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0223669.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0223701.exe (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0223702.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0223709.exe (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0223710.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0224718.exe (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0223713.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0224709.exe (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0224710.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0224711.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0224719.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0224720.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0224727.exe (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0224728.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP695\A0234900.exe (Antivirus2009) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP704\A0239887.exe (Antivirus2009) -> Quarantined and deleted successfully.

#6 User is offline   boopme 


Posted 03 December 2009 - 02:02 PM

Thanks and you're welcome, we are almost done.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

#7 User is offline   Poltergeist 


Posted 04 December 2009 - 12:47 PM

OK, back again, boopme.

I updated MBAM (in fact, got a new version of it as well as updating) and did a quick scan which found some bad stuff. Then I sent the report to MBAM and did a full scan which, as you can see from the second of the two logs, uncovered nothing. So it seems everything is peachy-dee, but I'll wait for your verdict.


Malwarebytes' Anti-Malware 1.42
Database version: 3291
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

04/12/2009 10:42:27
mbam-log-2009-12-04 (10-42-27).txt

Scan type: Quick Scan
Objects scanned: 112036
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\EIRCOMT (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\EIRCOMT\Cache (Adware.2020search) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\dynamic toolbar\EIRCOMT\Cache\T19281.tmp (Adware.2020search) -> Quarantined and deleted successfully.





*****************************************************************************************************************************************************************************************************



Malwarebytes' Anti-Malware 1.42
Database version: 3291
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

04/12/2009 11:03:37
mbam-log-2009-12-04 (11-03-37).txt

Scan type: Full Scan (C:\|)
Objects scanned: 150166
Time elapsed: 16 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 User is offline   boopme 


Posted 04 December 2009 - 03:32 PM

Well looks great to me!! If there are no more issues on that end then...
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
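An added example, not part of the original posts: a Python triage of the MBAM log format posted in #5, separating live detections from System Restore copies (the reinfection source described in #8) and from registry persistence points. The sample is a shortened excerpt assembled from log lines in this thread; the function names and class labels are illustrative assumptions.

```python
import re
from collections import Counter

# Shortened excerpt assembled from log lines posted in this thread (not a complete log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2775

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\tapi.nfo (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\antippro2009_12 (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\svchast.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP682\A0223603.exe (Rogue.WindowsAntiVirus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP695\A0234900.exe (Antivirus2009) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+) Infected:\s*$")      # "Files Infected:" (no count)
ENTRY_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")        # object (Detection) -> action
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\", re.I)
# Registry locations from the thread's log that make malware start again after a reboot.
PERSISTENCE_KEYS = {
    "\\winlogon\\shell": "winlogon-shell",
    "\\services\\": "service",
    "\\browser helper objects\\": "browser-helper-object",
}

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it appeared under."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            obj, detection, rest = m.groups()
            # Hijack entries carry "Bad: (...) Good: (...)" before the final action.
            action = rest.rsplit(" -> ", 1)[-1].rstrip(".")
            findings.append({"section": section, "object": obj,
                             "detection": detection, "action": action})
    return findings

def classify(finding):
    """Label a finding as a restore-point copy, a persistence point, or a live item."""
    rp = RESTORE_RE.search(finding["object"])
    if rp:
        return "restore-point:" + rp.group(1)
    if finding["section"].startswith("Registry"):
        low = finding["object"].lower()
        for needle, label in PERSISTENCE_KEYS.items():
            if needle in low:
                return "persistence:" + label
        return "registry-trace"
    return "live"

def triage(text):
    tagged = [(classify(f), f) for f in parse_mbam_log(text)]
    return {
        "counts": dict(Counter(c.split(":")[0] for c, _ in tagged)),
        "restore_points": sorted({c.split(":", 1)[1] for c, _ in tagged
                                  if c.startswith("restore-point:")}),
        "needs_reboot": [f["object"] for _, f in tagged
                         if f["action"] == "Delete on reboot"],
        "persistence": [(c.split(":", 1)[1], f["detection"]) for c, f in tagged
                        if c.startswith("persistence:")],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-empty `restore_points` list means old restore points held copies of the malware, which is the case the new-restore-point and Disk Cleanup steps address.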

#9 User is offline   Poltergeist 


Posted 04 December 2009 - 04:02 PM

OK, boopme, I'll do as you say, create a new restore point and run Disk Cleanup and with any luck you won't hear from me again on this subject. Thank you very much for your help...and now I'm going to toddle off down the road to the pub.

Poltergeist

This post has been edited by Poltergeist: 04 December 2009 - 04:03 PM


#10 User is offline   boopme 


Posted 04 December 2009 - 04:28 PM

You're most welcome, as new malware is getting stronger and harder to remove, please take a moment to read quietman7's excellent prevention tips in post 6 here
Click >>>> Tips to protect yourself against malware:

You can always stop by on pizza nite :thumbsup:
