
Antivirus 2009


  • This topic is locked
2 replies to this topic

#1 kaleihoku92

kaleihoku92

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:55 PM

Posted 09 July 2008 - 10:09 PM

A few days ago, the Antivirus 2009 pop-up appeared on my computer. It stated that I had 41 infections. My Internet access began acting up, stating that the website is harmful to my computer.
In order to remove them, I have to pay for the service.
After a bit of research, I discovered that it was a scam and attempted to remove it from my computer via standard means (Control Panel, Programs and Features, Uninstall). It appeared that some files were removed, but many were left behind. Those that remained still indicated that I had 41 infections and messed with my access to the internet by continuing to indicate that the websites posed a threat.
I found a website that showed how to remove the 'program'. I downloaded Malwarebytes' Anti-Malware and let it scan my computer, finding files on my computer that needed to be removed. I did so, thinking that it was all over and the Antivirus program was gone, but unfortunately the problem remains.

Every so often it'll pop open saying I have 41 Infections and I really need to register and buy the program so my computer doesn't crash. Also, a blue screen will pop up and say that if it's the first time I'm seeing it to just restart the computer, or if I continuously see it I have to register and buy Antivirus 2009.
I have McAfee Security Center on my laptop as well, but downloaded it after Antivirus 2009 appeared in hopes that it would delete it as well.

That website with the Malwarebytes' Anti-Malware instructions led me to this page as well, http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
which brought me here after downloading the necessary files.
Does anyone have any ideas on how I can thoroughly remove this malicious program and restore my computer?
Thanks, in advance.
(Also, those instructions told me to post the following in here as well. O:)
(Main.txt)

Deckard's System Scanner v20071014.68
Run by Garianne on 2008-07-09 16:34:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
15: 2008-07-10 00:55:29 UTC - RP43 - Windows Update
14: 2008-07-09 05:04:39 UTC - RP42 - Installed Ad-Aware
13: 2008-07-07 00:30:58 UTC - RP41 - Removed Corel Paint Shop Pro Photo X2.
12: 2008-07-06 23:25:21 UTC - RP40 - Installed Kaspersky Anti-Virus 7.0.
11: 2008-07-04 00:50:53 UTC - RP39 - Windows Update


-- First Restore Point --
1: 2008-06-19 06:30:51 UTC - RP29 - Scheduled Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 1014 MiB (1024 MiB recommended).


-- HijackThis (run as Garianne.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:30 PM, on 7/9/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Antivirus 2009\av2009.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Garianne\Desktop\dss.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\SearchFilterHost.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Garianne.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTor0.dll
O1 - Hosts: ::1 localhost
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTor0.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTor0.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [44708205482402575236053291257162] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/p...IEGetPlugin.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u...ows-i586-jc.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe

--
End of file - 7615 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe"
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe"


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-06 21:40:05 338 --a------ C:\Windows\Tasks\McQcTask.job
2008-07-06 21:40:05 346 --a------ C:\Windows\Tasks\McDefragTask.job


-- Files created between 2008-06-09 and 2008-07-09 -----------------------------

2008-07-09 16:37:51 0 d-------- C:\Program Files\Trend Micro
2008-07-08 19:05:42 0 d-------- C:\Program Files\Lavasoft
2008-07-08 19:05:39 0 d-------- C:\Users\All Users\Lavasoft
2008-07-08 19:04:06 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-06 15:40:41 0 d-------- C:\Users\All Users\Malwarebytes
2008-07-06 15:40:39 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-06 15:01:08 143360 --a------ C:\Windows\system32\dunzip32.dll
2008-07-06 14:57:40 0 d-------- C:\Program Files\McAfee.com
2008-07-06 14:57:36 0 d-------- C:\Program Files\Common Files\McAfee
2008-07-06 14:57:30 0 d-------- C:\Program Files\McAfee
2008-07-06 14:16:21 0 d-------- C:\Users\All Users\McAfee
2008-07-06 13:26:27 0 d-------- C:\Users\All Users\Kaspersky Lab
2008-07-06 13:24:54 0 d-------- C:\kav
2008-07-06 12:51:41 0 d-------- C:\Program Files\Antivirus 2009
2008-06-28 15:28:05 0 d-------- C:\Users\All Users\Adobe Systems
2008-06-28 15:27:58 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-28 14:05:14 0 d-------- C:\Program Files\Scripting Guide
2008-06-28 14:04:22 0 d-------- C:\Program Files\Plug-Ins
2008-06-28 14:04:03 0 d-------- C:\Program Files\Samples
2008-06-28 14:04:03 0 d-------- C:\Program Files\Required
2008-06-28 14:04:03 0 d-------- C:\Program Files\Presets
2008-06-28 14:04:03 0 d-------- C:\Program Files\Help
2008-06-28 14:04:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-28 14:04:02 0 d-------- C:\Users\All Users\Adobe
2008-06-28 14:04:02 0 d-------- C:\Program Files\Legal
2008-06-28 14:04:02 0 d-------- C:\Program Files\Activation
2008-06-28 12:14:22 0 d-------- C:\Program Files\7-Zip
2008-06-28 12:12:06 0 d-------- C:\Program Files\TorrentMan
2008-06-28 12:12:06 0 d-------- C:\Program Files\Conduit
2008-06-28 12:10:35 0 d-------- C:\Program Files\BitLord
2008-06-15 15:24:49 0 d-------- C:\Program Files\Common Files\xing shared
2008-06-15 15:24:36 0 d-------- C:\Program Files\Real
2008-06-15 15:24:34 0 d-------- C:\Program Files\Common Files\Real
2008-06-11 17:25:16 0 d-------- C:\Users\All Users\Google
2008-06-11 17:25:11 0 d-------- C:\Program Files\Google
2008-06-11 17:23:48 0 d-------- C:\Program Files\Java
2008-06-11 17:22:22 0 d-------- C:\Program Files\Common Files\Java
2008-06-10 17:16:50 0 d-------- C:\Program Files\Microsoft Works
2008-06-10 17:14:34 0 d-------- C:\Windows\PCHEALTH
2008-06-10 17:14:34 0 d-------- C:\Program Files\Microsoft.NET
2008-06-10 17:11:49 0 d-------- C:\Users\All Users\Microsoft Help


-- Find3M Report ---------------------------------------------------------------

2008-07-09 16:26:19 174 --ahs---- C:\Program Files\desktop.ini
2008-07-09 14:58:02 0 d-------- C:\Program Files\Windows Mail
2008-07-08 19:04:06 0 d-------- C:\Program Files\Common Files
2008-07-06 18:03:19 0 d-------- C:\Users\Garianne\AppData\Roaming\gtk-2.0
2008-07-06 15:40:46 0 d-------- C:\Users\Garianne\AppData\Roaming\Malwarebytes
2008-07-06 14:38:19 0 d-------- C:\Program Files\Corel
2008-07-06 14:38:17 0 d-------- C:\Users\Garianne\AppData\Roaming\Corel
2008-06-28 19:04:54 2828 --ahs---- C:\Windows\system32\KGyGaAvL.sys
2008-06-28 19:04:54 88 -r-hs---- C:\Windows\system32\114371B299.sys
2008-06-28 19:01:04 0 d-------- C:\Users\Garianne\AppData\Roaming\Adobe
2008-06-28 15:24:07 663 --a------ C:\Program Files\install.adb
2008-06-15 15:36:26 0 d-------- C:\Users\Garianne\AppData\Roaming\Real
2008-06-15 12:11:34 0 d-------- C:\Users\Garianne\AppData\Roaming\Google
2008-06-03 11:49:31 0 d-------- C:\Program Files\MSXML 4.0
2008-06-01 16:58:26 0 d-------- C:\Users\Garianne\AppData\Roaming\InstallShield
2008-05-27 19:16:55 0 d-------- C:\Program Files\GIMP-2.0
2008-05-25 19:11:21 0 d-------- C:\Users\Garianne\AppData\Roaming\Apple Computer
2008-05-25 19:10:55 0 d-------- C:\Program Files\iTunes
2008-05-25 19:10:49 0 d-------- C:\Program Files\iPod
2008-05-25 19:04:40 0 d-------- C:\Program Files\Bonjour
2008-05-25 19:04:16 0 d-------- C:\Program Files\QuickTime
2008-05-25 19:02:01 0 d-------- C:\Program Files\Apple Software Update
2008-05-25 18:59:55 0 d-------- C:\Program Files\Common Files\Apple
2008-05-25 10:03:21 0 d-------- C:\Users\Garianne\AppData\Roaming\acccore
2008-05-25 10:03:00 0 d-------- C:\Program Files\AIM6
2008-05-25 10:02:00 0 d-------- C:\Program Files\Common Files\AOL
2008-05-24 21:16:25 0 d-------- C:\Program Files\Windows Calendar
2008-05-24 21:16:22 0 d-------- C:\Program Files\Windows Defender
2008-05-24 21:16:14 0 d-------- C:\Program Files\Windows Sidebar
2008-05-24 20:10:05 0 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-24 20:10:02 0 d-------- C:\Program Files\DVDVideoSoft
2008-05-24 14:30:00 0 d-------- C:\Program Files\Windows Photo Gallery
2008-05-24 14:30:00 0 d-------- C:\Program Files\Windows NT
2008-05-24 14:30:00 0 d-------- C:\Program Files\Windows Journal
2008-05-24 14:30:00 0 d-------- C:\Program Files\Windows Collaboration
2008-05-24 14:29:59 0 d-------- C:\Program Files\Reference Assemblies
2008-05-24 14:29:59 0 d-------- C:\Program Files\Movie Maker
2008-05-24 14:29:59 0 d-------- C:\Program Files\Microsoft Games
2008-05-24 14:29:58 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-05-24 13:11:14 0 d-------- C:\Users\Garianne\AppData\Roaming\Macromedia
2008-05-24 12:06:04 0 d-------- C:\Users\Garianne\AppData\Roaming\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
11/26/2007 10:46 AM 324936 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c5c0f58-e061-457d-9033-77307f5ed00c}]
05/21/2008 12:43 AM 1526296 --a------ C:\Program Files\TorrentMan\tbTor0.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7C5C0F58-E061-457D-9033-77307F5ED00C}"= C:\Program Files\TorrentMan\tbTor0.dll [05/21/2008 12:43 AM 1526296]

[-HKEY_CLASSES_ROOT\CLSID\{7C5C0F58-E061-457D-9033-77307F5ED00C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [05/24/2008 07:36 PM]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [02/11/2008 08:13 PM]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [02/11/2008 08:13 PM]
"Persistence"="C:\Windows\system32\igfxpers.exe" [02/11/2008 08:13 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06/15/2008 03:24 PM]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [05/24/2008 07:12 PM]
"WindowsWelcomeCenter"="oobefldr.dll,ShowWelcomeCenter" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [03/25/2008 10:21 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [06/14/2008 09:46 AM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 02:35 AM]
"44708205482402575236053291257162"="C:\Program Files\Antivirus 2009\av2009.exe" [07/06/2008 12:51 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

*Newly Created Service* - MBAMCATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-09 16:40:08 ------------


(extra.txt)

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows Vista™ Home Premium (build 6000)
Architecture: X86; Language: English

CPU 0: Intel® Pentium® Dual CPU T2310 @ 1.46GHz
Percentage of Memory in Use: 79%
Physical Memory (total/avail): 1013.81 MiB / 207.46 MiB
Pagefile Memory (total/avail): 2283.76 MiB / 1312.75 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.78 MiB

C: is Fixed (NTFS) - 101.49 GiB total, 34.14 GiB free.
D: is Fixed (NTFS) - 10.3 GiB total, 3.88 GiB free.
E: is CDROM (No Media)
F: is Removable (No Media)

\\.\PHYSICALDRIVE0 - WDC WD1200BEVS-22UST0 ATA Device - 111.79 GiB - 2 partitions
\PARTITION0 - Installable File System - 10.3 GiB - D:
\PARTITION1 (bootable) - Installable File System - 101.49 GiB - C:

\\.\PHYSICALDRIVE1 - Generic- Multi-Card USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)
AS: McAfee VirusScan v (McAfee)
AS: Windows Defender v1.1.1505.0 (Microsoft Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\Garianne\AppData\Roaming
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GARIANNE-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\Garianne
LOCALAPPDATA=C:\Users\Garianne\AppData\Local
LOGONSERVER=\\GARIANNE-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0d
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$P$G
PUBLIC=C:\Users\Public
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\Garianne\AppData\Local\Temp
TMP=C:\Users\Garianne\AppData\Local\Temp
USERDOMAIN=Garianne-PC
USERNAME=Garianne
USERPROFILE=C:\Users\Garianne
windir=C:\Windows


-- User Profiles ---------------------------------------------------------------

Garianne


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
7-Zip 4.57 --> "C:\Program Files\7-Zip\Uninstall.exe"
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
BitLord 1.1 --> C:\Program Files\BitLord\uninst.exe
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Free YouTube to iPod Converter version 3.1 --> "C:\Program Files\DVDVideoSoft\Free YouTube to iPod Converter\unins000.exe"
Free YouTube to Mp3 Converter version 3.1 --> "C:\Program Files\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe"
GIMP 2.4.5 --> "C:\Program Files\GIMP-2.0\setup\unins000.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Intel® Graphics Media Accelerator Driver --> C:\Windows\system32\igxpun.exe -uninstall
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional 2007 --> MsiExec.exe /X{91120000-0014-0000-0000-0000000FF1CE}
Microsoft Office Professional 2007 Trial --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROR /dll OSETUP.DLL
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833) --> MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhapsody Player Engine --> MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
TorrentMan Toolbar --> C:\PROGRA~1\TORREN~1\UNWISE.EXE C:\PROGRA~1\TORREN~1\INSTALL.LOG
Uninstall 1.0.0.0 --> "C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type2413 / Success
Event Submitted/Written: 07/09/2008 04:26:03 PM
Event ID/Source: 5617 / WinMgmt
Event Description:


Event Record #/Type2412 / Success
Event Submitted/Written: 07/09/2008 04:26:01 PM
Event ID/Source: 5615 / WinMgmt
Event Description:


Event Record #/Type2410 / Success
Event Submitted/Written: 07/09/2008 04:25:46 PM
Event ID/Source: 902 / Software Licensing Service
Event Description:
The Software Licensing service has started.

Event Record #/Type2401 / Warning
Event Submitted/Written: 07/09/2008 04:23:39 PM
Event ID/Source: 1530 / profsvc
Event Description:
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
5 user registry handles leaked from \Registry\User\S-1-5-21-1486869034-1003872835-1881656183-1000:
Process 1004 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1486869034-1003872835-1881656183-1000
Process 1004 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1486869034-1003872835-1881656183-1000\Software\Policies\Microsoft\SystemCertificates
Process 1004 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1486869034-1003872835-1881656183-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 1004 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1486869034-1003872835-1881656183-1000\Software\Microsoft\SystemCertificates\Root
Process 1004 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1486869034-1003872835-1881656183-1000\Software\Microsoft\SystemCertificates\trust

Event Record #/Type2361 / Success
Event Submitted/Written: 07/09/2008 02:50:41 PM
Event ID/Source: 5617 / WinMgmt
Event Description:




-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type16657 / Warning
Event Submitted/Written: 07/09/2008 04:24:24 PM
Event ID/Source: 4001 / Microsoft-Windows-WLAN-AutoConfig
Event Description:


Event Record #/Type16648 / Error
Event Submitted/Written: 07/09/2008 04:24:03 PM
Event ID/Source: 10010 / DCOM
Event Description:
{C2BFE331-6739-4270-86C9-493D9A04CD38}

Event Record #/Type16642 / Warning
Event Submitted/Written: 07/09/2008 03:50:33 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type16641 / Warning
Event Submitted/Written: 07/09/2008 03:34:57 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type16640 / Warning
Event Submitted/Written: 07/09/2008 03:29:39 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.



-- End of Deckard's System Scanner: finished at 2008-07-09 16:40:08 ------------


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:55 AM

Posted 12 July 2008 - 10:33 PM

Hello kaleihoku92,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u7-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Reboot your computer.


Download CCleaner and install it. (default location is best). Do not run it yet!

Beginners Guide to CCleaner

*******************************************

Please disable Windows Defender before running Hijackthis, as it will prevent registry changes.


To disable Windows Defender:
Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

You can enable it after we have your computer clean.


Please run HijackThis and click "Scan." Place checks next to the following entries, if present:

O4 - HKCU\..\Run: [44708205482402575236053291257162] C:\Program Files\Antivirus 2009\av2009.exe

Close all browsers and other windows except for HijackThis, and click "Fix checked"


*******************************************

Please download the
OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
    (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Antivirus 2009

  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Caution: Be careful of what you copy and paste with this tool. OTMoveIt2 is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.



*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Reboot your computer.

We must fix all your file associations:

To repair the faulty file associations, please do the following:
Make sure that DSS.exe is located on your Desktop.
Click on your START button, then choose Run. A little box will appear.
Now copy and paste all the following in bold (including the "" marks) into the run box and click OK.

"%userprofile%\desktop\dss.exe" /daft


This will start DSS in a different way. A small window will appear.
Click on the Scan button.
If it finds faulty file associations, they will appear in red beside a checkbox. If this occurs, just place a tick in the boxes in question.
Click the Fix button.
Re-scan and save a logfile. By default, it will save as daft.txt.

Post the contents of that logfile, a new Hijackthis log, OTMoveIt2 log, and tell me how your computer is running.

Edited by SifuMike, 12 July 2008 - 10:52 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
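As an added illustration (not code from the thread, from HijackThis, or from the poster), here is a small Python parser for HijackThis "O4" autorun lines that applies two simple heuristics to the entry quoted in the reply above: a long, meaningless numeric value name, and a command path inside the rogue's program folder. The sample log lines are constructed, and the ROGUE_FOLDERS list is a hypothetical one seeded only with the folder named in the thread.

```python
import re

# Constructed sample of HijackThis "O4" autorun lines. The Antivirus 2009 entry is the
# one quoted in the thread; the other two are made-up benign entries for comparison.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [44708205482402575236053291257162] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
"""

# O4 lines have the shape:  O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[\w ]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Hypothetical list of folder names known to belong to a rogue (lower-case substrings).
ROGUE_FOLDERS = ("antivirus 2009",)


def parse_o4(line):
    """Return a dict with hive/key/name/cmd for an O4 line, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def assess_o4(entry):
    """Apply the two heuristics to one parsed entry; return the list of reasons it looks suspicious."""
    reasons = []
    name, cmd = entry["name"], entry["cmd"].lower()
    # Rogues often register under a long random number so the entry is hard to
    # recognise at a glance (the thread's entry uses a 32-digit value name).
    if name.isdigit() and len(name) >= 16:
        reasons.append("value name is a long random-looking number")
    if any(folder in cmd for folder in ROGUE_FOLDERS):
        reasons.append("command points into a known rogue program folder")
    return reasons


def find_suspicious_autoruns(log_text):
    """Parse every O4 line in an HJT log and return (entry, reasons) for the suspicious ones."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            reasons = assess_o4(entry)
            if reasons:
                findings.append((entry, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in find_suspicious_autoruns(SAMPLE_HJT_LOG):
        print(f"{entry['hive']}\\..\\{entry['key']} [{entry['name']}] -> {entry['cmd']}")
        for reason in reasons:
            print("   -", reason)
```

Entries flagged this way still need a human to confirm them before anything is fixed; the heuristics only narrow down which O4 lines deserve a closer look.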

#3 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:55 AM

Posted 20 July 2008 - 01:41 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



