

Personal Antivirus (pav.exe) infection


1 reply to this topic

#1 joetrusty

  • Members
  • 2 posts

Posted 06 July 2009 - 11:10 AM

My computer is infected by pav. As soon as I turn my PC on, the pav scan window pops up along with various "Windows"-type messages about infections my computer has, etc. When I open up the Internet, my home page comes up for about 4 seconds, then it's taken over by the brown pav screen. Any time I type in a URL, pav takes over. I installed and ran ComboFix and, from what I can understand, its log says it deleted a Personal Antivirus.lnk. I don't seem to be getting those brown windows that take over every page now, but it still brings up the scan window where it prompts you to scan. This screen's "critical system warning" messages won't go away. Obviously my machine is still infected. I have included the logs as instructed in the preparation guide. The ComboFix log is available should it be needed. I hope someone can assist. Thank you.


DDS (Ver_09-06-26.01) - NTFSx86
Run by Nadia at 11:31:26.63 on Mon 07/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.271 [GMT -4:00]

AV: avast! antivirus 4.8.1335 [VPS 090701-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Alwil Software\Avast4\setup\avast.setup
E:\WINDOWS\SYSTEM32\USRmlnkA.exe
E:\Program Files\Java\jre6\bin\jusched.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\PersonalAV\pav.exe
E:\WINDOWS\system32\NetFilter.exe
E:\WINDOWS\SYSTEM32\USRshutA.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\SYSTEM32\USRmlnkA.exe
E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Program Files\iWin Games\iWinTrusted.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\Nadia\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - e:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - e:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - e:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - e:\program files\google\google toolbar\GoogleToolbar.dll
BHO: {ab8e0d65-11ae-4750-bd49-d47b319d76cf} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - e:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - e:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fcbab366-1368-46d8-8e8c-34e7bafae409} - No File
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - e:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - e:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - e:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ctfmon.exe] e:\windows\system32\ctfmon.exe
uRun: [DW6] "e:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [swg] e:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [USRpdA] e:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [SunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] e:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [PersonalAV] e:\program files\personalav\pav.exe
mRun: [MSDRV] NetFilter.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;e:\windows\system32\drivers\aswSP.sys [2009-4-15 114768]
R2 aswFsBlk;aswFsBlk;e:\windows\system32\drivers\aswFsBlk.sys [2009-4-15 20560]
R2 avast! Antivirus;avast! Antivirus;e:\program files\alwil software\avast4\ashServ.exe [2009-4-15 138680]
R2 iWinTrusted;iWinTrusted;e:\program files\iwin games\iWinTrusted.exe [2009-4-27 78104]
R3 avast! Mail Scanner;avast! Mail Scanner;e:\program files\alwil software\avast4\ashMaiSv.exe [2009-4-15 254040]
R3 avast! Web Scanner;avast! Web Scanner;e:\program files\alwil software\avast4\ashWebSv.exe [2009-4-15 352920]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);e:\windows\system32\drivers\es1370mp.sys [2009-2-26 37120]

=============== Created Last 30 ================

2009-07-06 10:20 <DIR> -cd----- e:\windows\system32\dllcache\cache
2009-07-06 10:19 0 a------- e:\windows\system32\msxmlm.dll.tmp
2009-07-06 10:13 <DIR> a-dshr-- E:\cmdcons
2009-07-06 10:00 161,792 a------- e:\windows\SWREG.exe
2009-07-06 10:00 155,136 a------- e:\windows\PEV.exe
2009-07-06 10:00 98,816 a------- e:\windows\sed.exe
2009-07-02 14:07 61,440 a------- e:\windows\system32\ndisapi.dll
2009-07-02 14:07 54,272 a------- e:\windows\system32\NetFilter.exe
2009-07-02 14:07 28,672 a------- e:\windows\system32\NFUninstall.exe
2009-07-02 14:07 24,576 a------- e:\windows\system32\drivers\ndisrd.sys
2009-07-02 14:07 <DIR> --d----- e:\program files\common files\Uninstall
2009-07-02 14:05 <DIR> --d----- e:\program files\PersonalAV
2009-06-15 11:55 <DIR> --d----- e:\program files\Sony Online Entertainment

==================== Find3M ====================

2009-05-25 13:59 4,096 a------- e:\windows\d3dx.dat
2009-03-03 13:55 32,768 a--sh--- e:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022320090302\index.dat
2009-03-03 13:55 32,768 a--sh--- e:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030320090304\index.dat

============= FINISH: 11:31:52.61 ===============


#2 random/random

  • Malware Response Team
  • 2,704 posts

Posted 09 July 2009 - 11:58 AM

Please upload this file:

E:\WINDOWS\system32\NetFilter.exe


To either jotti or virustotal, and then copy and paste the results as a reply to this topic.

After that:

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post back with the Malwarebytes' Anti-Malware log and a new HijackThis log. Also, please post the combofix log.
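As an added example (not code from either poster), the following Python script applies the responder's triage logic to the DDS log above: it reads the Run-key entries from the Pseudo HJT Report section and flags any that are a bare file name with no directory (the NetFilter.exe entry) or that live under a path listed in Created Last 30 (the PersonalAV entry). The embedded log excerpt is constructed from the post above, and the section names and line formats are assumed to follow the DDS layout shown there.

```python
import re
# Constructed excerpt of the DDS log posted above (sample input, not the full log).
DDS_LOG = r"""
============== Pseudo HJT Report ===============
mRun: [SunJavaUpdateSched] "e:\program files\java\jre6\bin\jusched.exe"
mRun: [avast!] e:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [PersonalAV] e:\program files\personalav\pav.exe
mRun: [MSDRV] NetFilter.exe
=============== Created Last 30 ================
2009-07-02 14:07 54,272 a------- e:\windows\system32\NetFilter.exe
2009-07-02 14:05 <DIR> --d----- e:\program files\PersonalAV
"""
RUN_RE = re.compile(r"^([um]Run): \[(.*?)\] (.*)$")
CREATED_RE = re.compile(r"^\S+ \S+ \S+ \S+ (.+)$")  # date time size attrs path

def split_sections(log):
    """Group the non-empty lines of a DDS log under their ==== section headers."""
    sections, current = {}, "preamble"
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        if line.startswith("="):
            current = line.strip("= ")
        else:
            sections.setdefault(current, []).append(line)
    return sections

def command_path(command):
    """Pull the executable path out of a Run-key command line (quoted or not)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command

def flag_autostarts(log):
    """Return (run-key name, reason) for entries that are a bare file name or sit under a path created in the last 30 days."""
    sections = split_sections(log)
    created = [CREATED_RE.match(l).group(1).lower()
               for l in sections.get("Created Last 30", []) if CREATED_RE.match(l)]
    findings = []
    for line in sections.get("Pseudo HJT Report", []):
        m = RUN_RE.match(line)
        if not m:
            continue
        name, path = m.group(2), command_path(m.group(3)).lower()
        if "\\" not in path:
            findings.append((name, "bare file name, resolved via search path"))
        elif any(path == c or path.startswith(c + "\\") for c in created):
            findings.append((name, "path created in the last 30 days"))
    return findings
```

Running `flag_autostarts(DDS_LOG)` on the excerpt returns the PersonalAV and MSDRV entries and leaves the Java and avast! entries alone, which is the same shortlist the responder asked to have checked.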



