
"antivirus system pro"


  • This topic is locked
20 replies to this topic

#1 howardsan

howardsan

  • Members
  • 19 posts

Posted 23 June 2009 - 03:44 PM

If anyone could help me I'd be eternally grateful. I have somehow picked up this "antivirus system pro" rogue anti-spyware program, and can't get rid of it. I've tried using the Malwarebytes program in this link http://www.bleepingcomputer.com/virus-remo...irus-system-pro, but I can't even get it to install. I think this program or some other I may be unaware of may be blocking the installation. It keeps rerouting my homepage to some bs site trying to sell me this junk malware. I also can't update Ad-Aware, which I think is because of this program. I did manage to run a DDS scan which I hope is helpful. Any help would be deeply appreciated.

DDS (Ver_09-05-14.01) - NTFSx86
Run by John at 16:35:24.81 on Tue 06/23/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1.#QNAN.1487 [GMT -4:00]

AV: Panda Antivirus 2008 *On-access scanning disabled* (Updated) {EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\sysguard.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BHO: {71848431-9c3e-4217-9f76-4772c41e44e5} - c:\windows\system32\iehelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [system tool] c:\windows\sysguard.exe
mRun: [Launch Ai Booster] "c:\program files\asus\ai booster\OverClk.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [APVXDWIN] "c:\program files\panda security\panda antivirus 2008\APVXDWIN.EXE" /s
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\qttask.exe" -atboottime
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
LSP: c:\program files\panda security\panda antivirus 2008\pavlsp.dll
Trusted Zone: aol.com\free
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15026/CTSUEng.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://lms.jetnet.aa.com/wbt/o/o9/cab/awswaxd.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=48835
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab55579.cab
DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C6D25826-96AE-462F-A852-BB33B882B723} - hxxp://kroger.storefront.com/images/global/activex/SFImageUpload1_4.CAB
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15026/CTPID.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: avldr - avldr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-24 28544]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2008-6-2 38968]
R2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\panda antivirus 2008\PsCtrlS.exe [2008-6-2 169264]
R2 pavdrv;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2008-6-2 83896]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2008-6-2 178872]
R2 PavPrSrv;Panda Process Protection Service;c:\program files\common files\panda software\pavshld\PavPrSrv.exe [2008-6-2 63024]
R2 PAVSRV;Panda anti-virus service;c:\program files\panda security\panda antivirus 2008\PAVSRV51.EXE [2008-6-2 148272]
S2 gupdate1c99f4a53d832a6;Google Update Service (gupdate1c99f4a53d832a6);c:\program files\google\update\GoogleUpdate.exe [2009-3-7 133104]
S3 krdpdre;krdpdre;\??\c:\docume~1\john\locals~1\temp\krdpdre.sys --> c:\docume~1\john\locals~1\temp\krdpdre.sys [?]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2006-11-5 7548]
S4 WinDefend;Windows Defender Service;c:\program files\windows defender\MsMpEng.exe [2006-4-3 14032]

=============== Created Last 30 ================

2009-06-23 16:31 18,224 a------- c:\windows\system32\pfdnnt.exe
2009-06-23 12:31 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 12:31 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-23 12:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 12:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-23 12:13 173,056 a------- c:\windows\system32\lsp.dll
2009-06-23 12:13 93,696 a------- c:\windows\syssvc.exe
2009-06-23 11:56 13,824 a------- c:\windows\system32\iehelper.dll
2009-06-22 17:33 299,024 a---h--- c:\windows\sysguard.exe

==================== Find3M ====================

2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-08-30 15:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 16:36:15.01 ===============


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 27 June 2009 - 01:55 PM

Hello howardsan and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 01 July 2009 - 11:29 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 July 2009 - 05:57 PM

Thread reopened at the request of topic starter. :thumbup2:

#5 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 05 July 2009 - 05:00 AM

Hello

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post Kaspersky results and a fresh DDS reports back here :thumbup2:

#6 howardsan

howardsan
  • Topic Starter

  • Members
  • 19 posts

Posted 07 July 2009 - 11:13 AM

Thank you for your help, baa. This latest rogue anti-spyware is even worse than the last. It won't allow me to open any programs and has hijacked my desktop. It now is all blue with 1's and 0's all over it and a big message saying "Warning! You are in danger! Your computer is infected with spyware! etc., etc." It also occasionally plays strange music and other noises on my PC. This one seems to be called "system security". It won't allow me to open or run DDS, and when I try the Kaspersky online scan, it gives me an error message after it updates... failed to start or something along those lines...

#7 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 07 July 2009 - 01:31 PM

Hello

Okay, let's try running Mbam and Combofix :thumbup2:

Step #1
Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware here and save to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Step #2
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Step #3
Please post Mbam results, Combofix log and a fresh DDS log back here.
If you have problems, please feel free to ask for help :)

#8 howardsan

howardsan
  • Topic Starter

  • Members
  • 19 posts

Posted 07 July 2009 - 02:58 PM

ok... so I tried all 3 but none of them were allowed to run. I even had Malwarebytes already previously installed due to my last problem, but every time I tried to run those or any other programs, that fraudulent anti-virus pops up and says cthelper.exe is infected and the programs aren't allowed to run.

#9 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 07 July 2009 - 10:21 PM

Hello

Let's try running Combofix.exe in 'safe mode with command prompt'.

First move your Combo-fix.exe to the C drive: C:\Combo-fix.exe

Then reboot into Safe Mode with Command Prompt by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode with Command Prompt.

First type cd/ and hit enter.
Then type Combo-fix.exe and hit enter. This should launch Combo-fix.exe. Then follow the instructions to run it. :thumbup2:

When Combofix reboots your computer, restart back in Safe Mode with Command Prompt so Combofix can finish removing malware correctly.

Then reboot into normal mode and post C:\Combofix.log back here :)

#10 howardsan

howardsan
  • Topic Starter

  • Members
  • 19 posts

Posted 08 July 2009 - 01:11 PM

baa... I'm sorry for being such an idiot, but I saved the combofix to the C drive like you said... at least I think I did, but when I try the combo-fix.exe command in safe mode, it says "combo-fix.exe is not recognized as an internal or external command, operable program or batch file."... again... I apologize for being such a pain...

Edited by howardsan, 08 July 2009 - 01:11 PM.


#11 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 08 July 2009 - 01:31 PM

Try C:\Combo-fix.exe or C:\Combofix.exe

EDIT:
Did you type cd/ first?

Edited by Baabiouz, 08 July 2009 - 01:32 PM.


#12 howardsan

howardsan
  • Topic Starter

  • Members
  • 19 posts

Posted 08 July 2009 - 01:45 PM

cool... the c:\combo-fix.exe works... but it says I need to shut off my Panda antivirus first... is it ok to leave it on, and if not, how do I shut it off in safe mode? I can't even access it out of safe mode because of this crapware I have

#13 howardsan

howardsan
  • Topic Starter

  • Members
  • 19 posts

Posted 08 July 2009 - 02:19 PM

While I wait for your response I wanted to tell you that DDS also initiated itself while I was in safe mode. Here is a copy of the print out.

DDS (Ver_09-06-26.01) - NTFSx86 MINIMAL
Run by at 14:52:55.75 on Wed 07/08/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1792 [GMT -4:00]

AV: Panda Antivirus 2008 *On-access scanning enabled* (Updated) {EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\DOCUME~1\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: BHO: {71848431-9c3e-4217-9f76-4772c41e44e5} - c:\windows\system32\iehelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [net] "c:\windows\system32\net.net"
uRun: [Cognac] c:\docume~1\john\locals~1\temp\9.tmp.exe
mRun: [Launch Ai Booster] "c:\program files\asus\ai booster\OverClk.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [APVXDWIN] "c:\program files\panda security\panda antivirus 2008\APVXDWIN.EXE" /s
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\k-lite codec pack\quicktime\qttask.exe" -atboottime
mRun: [net] "c:\windows\system32\net.net"
mRun: [15588124] c:\documents and settings\all users\application data\15588124\15588124.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
LSP: c:\program files\panda security\panda antivirus 2008\pavlsp.dll
Trusted Zone: aol.com\free
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15026/CTSUEng.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://lms.jetnet.aa.com/wbt/o/o9/cab/awswaxd.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=48835
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab55579.cab
DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C6D25826-96AE-462F-A852-BB33B882B723} - hxxp://kroger.storefront.com/images/global/activex/SFImageUpload1_4.CAB
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15026/CTPID.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: avldr - avldr.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-24 28544]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2008-6-2 38968]
S2 gupdate1c99f4a53d832a6;Google Update Service (gupdate1c99f4a53d832a6);c:\program files\google\update\GoogleUpdate.exe [2009-3-7 133104]
S2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\panda antivirus 2008\PsCtrlS.exe [2008-6-2 169264]
S2 pavdrv;pavdrv;c:\windows\system32\drivers\pavdrv51.sys [2008-6-2 83896]
S2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2008-6-2 178872]
S3 krdpdre;krdpdre;\??\c:\docume~1\john\locals~1\temp\krdpdre.sys --> c:\docume~1\john\locals~1\temp\krdpdre.sys [?]
S3 PavPrSrv;Panda Process Protection Service;c:\program files\common files\panda software\pavshld\PavPrSrv.exe [2008-6-2 63024]
S3 PAVSRV;Panda anti-virus service;c:\program files\panda security\panda antivirus 2008\PAVSRV51.EXE [2008-6-2 148272]
S3 samhid;samhid;c:\windows\system32\drivers\Samhid.sys [2006-11-5 7548]
S4 WinDefend;Windows Defender Service;c:\program files\windows defender\MsMpEng.exe [2006-4-3 14032]

=============== Created Last 30 ================

2009-07-08 14:42 161,792 a------- c:\windows\SWREG.exe
2009-07-08 14:42 155,136 a------- c:\windows\PEV.exe
2009-07-08 14:42 98,816 a------- c:\windows\sed.exe
2009-07-08 13:57 3,047,008 a----r-- C:\Combo-fix.exe.exe
2009-07-03 10:56 181 a------- c:\windows\system32\t1p1_226550515546.b1k
2009-07-03 10:56 157 a------- c:\windows\system32\t1p0_678759894228.b1k
2009-07-03 10:55 123,904 a------- c:\windows\msa.exe
2009-07-03 10:55 208,900 a------- c:\windows\system32\msxml71.dll
2009-07-03 10:55 135,168 a------- c:\windows\system32\tpsaxyd.exe
2009-07-03 10:55 8 a------- c:\windows\system32\comsa32.sys
2009-07-03 10:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\15588124
2009-07-03 10:54 67,072 a------- c:\windows\system32\UACemrdltowxejuypf.dll
2009-07-03 10:54 25,600 a------- c:\windows\system32\UAClqadwoptnwxnhqkbh.dll
2009-07-03 10:54 53,760 a------- c:\windows\system32\drivers\UACaeicsywbpktmnbg.sys
2009-07-03 10:54 110,592 a------- c:\windows\system32\net.net
2009-06-27 17:01 0 a------- C:\backup.reg
2009-06-27 17:01 135,168 a------- C:\zip.exe
2009-06-27 17:01 19,286 a------- C:\cleanup.exe
2009-06-27 17:01 574 a------- C:\cleanup.bat
2009-06-23 12:31 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 12:31 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-23 12:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 12:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-23 12:13 173,056 a------- c:\windows\system32\lsp.dll
2009-06-23 12:13 93,696 a------- c:\windows\syssvc.exe
2009-06-22 17:33 6,354 a------- c:\windows\system32\uacinit.dll
2009-06-22 17:33 310 a------- c:\windows\system32\UACdkvdlvkyxwmqgpeme.dat
2009-06-22 17:33 26,624 a------- c:\windows\system32\UACflotepxurumftapqp.dll

==================== Find3M ====================

2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:55 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-08-30 15:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008083020080831\index.dat

============= FINISH: 14:54:25.65 ===============
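The two DDS logs posted in this thread (the first in the opening post, the second just above) are long, and the entries worth a second look are scattered among ordinary Windows, Panda and NVIDIA lines. The script below is an added example for reading such logs, not part of the thread and not code from DDS, ComboFix, Malwarebytes or any other tool named here. Its rules are assumptions drawn from patterns visible in the two logs: autoruns and a driver loading from a temp directory, random "UAC*" file names in system32, executables parked directly in the Windows directory, an autorun whose target is not an .exe, a numeric-named executable in a folder of the same name, and a hidden attribute on a freshly created executable. The sample input is a constructed subset of lines copied from the posted logs, and the short allowlist of legitimate Windows-directory binaries is an assumption to be extended against your own baseline.

```python
"""Heuristic triage of DDS log lines (added example; not from this thread
or from any tool named in it). The rules are review aids, not signatures."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the two DDS logs in this
# thread, with a few benign entries left in for contrast.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [system tool] c:\windows\sysguard.exe
uRun: [net] "c:\windows\system32\net.net"
uRun: [Cognac] c:\docume~1\john\locals~1\temp\9.tmp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [15588124] c:\documents and settings\all users\application data\15588124\15588124.exe
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_11\bin\ssv.dll
S3 krdpdre;krdpdre;\??\c:\docume~1\john\locals~1\temp\krdpdre.sys --> c:\docume~1\john\locals~1\temp\krdpdre.sys [?]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-24 28544]
2009-07-03 10:54 67,072 a------- c:\windows\system32\UACemrdltowxejuypf.dll
2009-07-03 10:54 53,760 a------- c:\windows\system32\drivers\UACaeicsywbpktmnbg.sys
2009-06-22 17:33 299,024 a---h--- c:\windows\sysguard.exe
2009-06-23 12:31 38,160 a------- c:\windows\system32\drivers\mbam.sys
"""

# Assumed, deliberately short allowlist of binaries that legitimately sit
# directly in the Windows directory on XP; extend it from a clean machine.
KNOWN_WINROOT_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "winhlp32.exe"}

TEMP_PATH = re.compile(r'\\temp\\[^\s"]+\.(?:exe|dll|sys|tmp)', re.I)
UAC_NAME = re.compile(r'\\system32\\(?:drivers\\)?UAC[a-z]{8,}\.(?:dll|sys|dat)\b', re.I)
WINROOT_EXE = re.compile(r'c:\\windows\\([^\\\s"]+\.exe)\b', re.I)
AUTORUN_SINGLE_TARGET = re.compile(r'^[um]Run: \[[^\]]*\] "?([^"\s]+)"?\s*$', re.I)
NUMERIC_SELF_DIR = re.compile(r'\\(\d{6,})\\\1\.exe\b', re.I)
CREATED_EXE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+(\S+)\s+(.+\.exe)\s*$', re.I)


def winroot_exe(line: str) -> bool:
    """An .exe directly in the Windows directory that is not on the allowlist."""
    m = WINROOT_EXE.search(line)
    return bool(m) and m.group(1).lower() not in KNOWN_WINROOT_EXES


def autorun_non_exe(line: str) -> bool:
    """A uRun/mRun entry whose single, argument-less target is not an .exe."""
    m = AUTORUN_SINGLE_TARGET.match(line)
    return bool(m) and m.group(1).rsplit(".", 1)[-1].lower() != "exe"


def hidden_created_exe(line: str) -> bool:
    """A 'Created Last 30' entry for an .exe carrying the hidden (h) attribute."""
    m = CREATED_EXE.match(line)
    return bool(m) and "h" in m.group(1).lower()


# (label, predicate) pairs; one line can trip several rules.
RULES = [
    ("runs from a temp directory", TEMP_PATH.search),
    ("random UAC* name in system32 (rootkit-style)", UAC_NAME.search),
    ("executable directly under c:\\windows", winroot_exe),
    ("autorun target with a non-.exe extension", autorun_non_exe),
    ("numeric-named executable in a folder of the same name", NUMERIC_SELF_DIR.search),
    ("hidden attribute on a newly created executable", hidden_created_exe),
]


@dataclass
class Finding:
    line: str
    reasons: list


def triage_line(line: str) -> list:
    """Return the labels of every rule the line trips (empty list if none)."""
    return [label for label, check in RULES if check(line)]


def triage(log_text: str) -> list:
    """Run every rule over every non-empty line of a DDS log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print("; ".join(f.reasons))
        print("    " + f.line)
```

On the sample above this flags eight lines (the sysguard.exe autorun and its hidden created-file entry, net.net, the temp-directory autorun and driver, the numeric-named executable, and both UAC* files) and leaves ctfmon.exe, the NVIDIA entry, the Java BHO, pavboot.sys and mbam.sys alone. Treat the output as a list of lines to look up, not a verdict: the Windows-directory rule would also trip on the helper binaries ComboFix drops there (PEV.exe, sed.exe, SWREG.exe in the log above), and none of the rules say anything about a BHO with a plausible name in system32, which is why the helpers in this thread ask for the full log rather than a summary.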

#14 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 09 July 2009 - 08:19 AM

Hello

cool... the c:\combo-fix.exe works... but it says I need to shut off my Panda antivirus first... is it ok to leave it on, and if not, how do I shut it off in safe mode? I can't even access it out of safe mode because of this crapware I have

No need to turn off Panda because you can't do it :thumbup2:

Edited by Baabiouz, 09 July 2009 - 08:20 AM.


#15 howardsan

howardsan
  • Topic Starter

  • Members
  • 19 posts

Posted 09 July 2009 - 06:37 PM

ok... so I launched combofix. The blue screen comes up and says combofix is preparing to run. A few seconds later I get an error message titled "CFScript name error". The message says "Were you trying to run CFScript? The name, CFScript appears to be incorrectly spelt." There is an "OK" button at the bottom of the message and when I push it, the program seems to close. DDS seems to keep launching itself when I enter safe mode... could this cause the error?

Edited by howardsan, 09 July 2009 - 06:45 PM.
