
Antivirus Xp 2008



#1 Vuzrak

Posted 10 September 2008 - 12:17 AM

This computer that I'm working on is infected with Antivirus XP 2008. I have run Malwarebytes' Anti-Malware with the latest updates and it seems to remove it, but after the computer reboots I get the "Antivirus XP 2008 License Agreement" screen.

OS: Windows 2003 Server R2, Standard Edition, SP2, used as a Terminal Server

A couple of notes: ComboFix will not install on 2003, and the SuperAntiSpyware free version also refuses to install.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:38 PM, on 9/9/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\Documents and Settings\xyz.admin\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\NCCICredit\UpdateService.exe
C:\WINDOWS\system32\PMService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\TEMP\dgwC.tmp
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\XenSource\xenservice.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\YF4756.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Temp\.tt14.tmp
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\WINDOWS\system32\taskmgr.exe
e:\Download\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://xyzfilter.xyz.local:3128
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lphc9acj0e72c] C:\WINDOWS\system32\lphc9acj0e72c.exe
O4 - HKLM\..\Run: [inrhccacj0e72c] C:\WINDOWS\Temp\.tt14.tmp.exe /CR=E08AC8ADEEC613C39E30C48EA611036B6688E98AA2682835D46039D1B772B03D6986894B298CE58C7C15D5FF7D523BF264AE8DCFE5C696BF6C51579CBE5B7D85D943481E1ECE09780F6B3699889DFA70A2873A98A6E6FA
O4 - HKLM\..\RunOnce: [TSC] "C:\Program Files\Trend Micro\Client Server Security Agent\tsc.exe" /HD
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: ARGIS Quick Launch.lnk = C:\Program Files\MPI\Mpi.Argis.Vm\Mpi.Argis.Vm.Client.exe
O4 - Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\xyz.admin\windows\system32\mswsock.dll' missing
O15 - Trusted Zone: http://service.gm.com
O15 - Trusted Zone: http://*.imgsv01
O15 - Trusted Zone: http://service.gm.com (HKLM)
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/ClientChec...AdvancedCAB.CAB
O16 - DPF: JVMDetect - https://w03.dealerconnect.chrysler.com/fina...t/jvmdetect.cab
O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/printtemplateviewer.cab
O16 - DPF: websignsup - https://w03.dealerconnect.chrysler.com/fina.../websignsup.cab
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://xyzapp.xyz.local:4343/officescan/co...ll/WinNTChk.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://xyzmain.xyz.local:4343/officescan/c...stall/setup.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://www.nccicredit.com/nccicredit/Meadco/smsx.cab
O16 - DPF: {31175300-AC0E-11D4-A326-00104B37A903} (VirtualChannel Class) - http://imgsv01/dv/cab/RRE2GSCTSServer.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://xyzapp.xyz.local:4343/officescan/co.../RemoveCtrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167281066616
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167281138415
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - http://www.vehicledata.com/webforms/Report...rts/arview2.cab
O16 - DPF: {9BBB3919-F518-4D06-8209-299FC243FC30} (Encrypt Class) - https://xyzapp.xyz.local:4343/SMB/console/h...root/AtxEnc.cab
O16 - DPF: {9DCD8EB7-E925-45C9-9321-8CA843FBED40} (Security Server Management Console) - https://xyzapp.xyz.local:4343/SMB/console/h.../AtxConsole.cab
O16 - DPF: {AC6E313D-FE79-11D3-BF9F-00105A9D6E6E} (RRE2GSCFileDownload.FileDownload) - http://imgsv01/dv/cab/RRE2GSCFileDownload.CAB
O16 - DPF: {ACB05A74-1939-4142-B780-C48060418D62} (rrdvCreateFileOCX.rrdvCreateFile) - http://imgsv01/dv/cab/rrdvCreateFileOCX.CAB
O16 - DPF: {BF891E15-BD3F-11D3-9AA1-444553540000} (TVC_HyperView Class) - http://imgsv01/dv/cab/TVC_ViewerCab.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xyz.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = xyz.LOCAL
O17 - HKLM\System\CCS\Services\Tcpip\..\{6453102A-F1A5-4C58-BB27-6D323001185F}: NameServer = 10.253.206.248,10.253.206.250
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE5AC984-66DD-4825-94C7-5A31E2EE6111}: NameServer = 10.253.206.248
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xyz.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\..\{6453102A-F1A5-4C58-BB27-6D323001185F}: NameServer = 10.253.206.248,10.253.206.250
O20 - Winlogon Notify: ztbczj - ztbczj.dll (file missing)
O23 - Service: AutoUpdate+ NT Service - Unknown owner - C:\Program Files\NCCICredit\UpdateService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Energy Star™ EZ GPO Power Management Configuration Tool (EPA_GPO_PMService) - TerraNovum - C:\WINDOWS\system32\PMService.exe
O23 - Service: IntegraLink SMART Agent Service - Integralink - C:\Program Files\IntegraLink\IntegraLink SMART Agent\IntegraLinkSMARTAgent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: XenSource WinGuest Service (xensvc) - XenSource, Inc - C:\Program Files\XenSource\xenservice.exe

--
End of file - 9077 bytes



I tried removing the following lines, but they keep coming back:
O4 - HKLM\..\Run: [lphc9acj0e72c] C:\WINDOWS\system32\lphc9acj0e72c.exe
O4 - HKLM\..\Run: [inrhccacj0e72c] C:\WINDOWS\Temp\.tt14.tmp.exe /CR=E08AC8ADEEC613C39E30C48EA611036B6688E98AA2682835D46039D1B772B03D6986894B298CE58C7C15D5FF7D523BF264AE8DCFE5C696BF6C51579CBE5B7D85D943481E1ECE09780F6B3699889DFA70A2873A98A6E6FA
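The log above contains the indicators a helper would look at first: processes running out of C:\WINDOWS\TEMP, Run entries with machine-generated names whose targets are .tmp images in Temp, and a Winlogon Notify DLL that no longer exists on disk. The Python script below is an added example for this thread, not a tool from BleepingComputer or from either poster; it applies those same checks mechanically to HijackThis-style lines. The sample input is copied from the log in this post (with the long /CR= argument on the inrhccacj0e72c entry shortened), and the heuristics are assumptions about what is worth a second look, not a verdict on any entry.

```python
import re
from dataclasses import dataclass, field

# Lines copied from the HijackThis log posted in this thread. The /CR= argument
# on the inrhccacj0e72c entry is shortened here to keep the sample readable.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\TEMP\dgwC.tmp
C:\WINDOWS\TEMP\YF4756.EXE
C:\WINDOWS\Temp\.tt14.tmp
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [lphc9acj0e72c] C:\WINDOWS\system32\lphc9acj0e72c.exe
O4 - HKLM\..\Run: [inrhccacj0e72c] C:\WINDOWS\Temp\.tt14.tmp.exe /CR=E08AC8ADEEC613C3 (shortened)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ztbczj - ztbczj.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")                 # a "Running processes:" entry
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)        # any path component named Temp
TMP_IMAGE = re.compile(r"\.tmp(\.exe)?\b", re.IGNORECASE)  # foo.tmp or foo.tmp.exe
RANDOM_NAME = re.compile(r"^[a-z0-9]{10,}$")            # lowercase letters/digits only
O4_ENTRY = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_ENTRY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<rest>.*)$")


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Heuristic: 10+ lowercase letters/digits, both classes present, no dot or space."""
    return (bool(RANDOM_NAME.match(name))
            and any(c.isdigit() for c in name)
            and any(c.isalpha() for c in name))


def path_reasons(path: str, what: str) -> list[str]:
    """Reasons that apply to any executable path, whether a process or an autorun target."""
    reasons = []
    if TEMP_DIR.search(path):
        reasons.append(f"{what} lives under a Temp directory")
    if TMP_IMAGE.search(path):
        reasons.append(f"{what} is a .tmp image")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return every log line that trips at least one heuristic, with the reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if DRIVE_PATH.match(line):
            reasons += path_reasons(line, "running process")
        elif (m := O4_ENTRY.match(line)):
            if looks_random(m.group("name")):
                reasons.append("autorun name looks machine-generated")
            reasons += path_reasons(m.group("cmd"), "autorun target")
        elif (m := O20_ENTRY.match(line)) and "file missing" in m.group("rest"):
            reasons.append("Winlogon Notify DLL is missing from disk")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def flagged_lines(log_text: str) -> list[str]:
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

Run against the sample, the script flags the three Temp processes, the two random-named Run entries and the O20 line, and leaves the Trend Micro, ctfmon and Lexmark entries alone; the vendor entries are not whitelisted, they simply trip none of the checks. Paste a full log into `SAMPLE_LOG` (or read it from a file) to get the same short list for another machine.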


#2 Rahina

Security Helper

Posted 13 September 2008 - 09:24 AM

Please download Malwarebytes' Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • If you have trouble with the update process, please download the latest updates here.
  • Double-click the mbam-rules.exe file on your desktop and let it update the application.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (see extra note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please copy and paste the entire report in your next reply. :thumbsup:
Extra note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



