Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Antivirus System PRO rogue anti-spyware


  • This topic is locked This topic is locked
4 replies to this topic

#1 MongoTuslan

MongoTuslan

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 29 November 2009 - 11:53 PM

This afternoon, the malware Antivirus System PRO popped up on my system. I performed an internet search and
followed the directions from this web page:
http://www.bleepingcomputer.com/virus-remo...irus-system-pro

using these applications:
rkill.com
Malwarebytes' Anti-Malware

rkill.com worked pretty well to shut down ASP, and Malwarebytes' Anti-Malware found and quarantined a related registry key, but when I reboot, ASP just pops back up. I have also tried scanning with Symantec Anti-Virus and CCleaner. I also tried removing the Ethernet cable from the PC before rebooting, and ASP still pops up. Also, after running rkill.com I can't get Internet connections (broadband router to DSL), although the LAN seems to work.

Here is the DDS log. I have attached the attach.txt and the mbam-log in a ZIP file. I do not have a report from RootRepeal as it seems to want to take all night, so I'll post it tomorrow.

Thanks in advance for your help!


DDS (Ver_09-11-29.01) - NTFSx86
Run by Avery Davis at 19:20:21.98 on Sun 11/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1350 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\WebWeaver\WebWeaver.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Documents and Settings\All Users\Application Data\Laplink\Laplink Gold\tsircusr.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Maplom\Maplom.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Roxio 2010\5.0\CPMonitor.exe
C:\Program Files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe
C:\WINDOWS\system32\VxBlockServer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\RayV\RayV\RayV.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\LLMirrorMonitor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Avery Davis\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mindspring.com/~avery/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\all users\application data\laplink\laplink gold\tsircusr.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0983.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [TivoTransfer] "c:\program files\common files\tivo shared\transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer
uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify
uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [RayV] c:\program files\rayv\rayv\RayV.exe /background
uRun: [wgfylswm] c:\documents and settings\avery davis\local settings\application data\xnqiib\kiwtsysguard.exe
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [AsusStartupHelp] c:\program files\asus\aasp\1.00.16\AsRunHelp.exe
mRun: [Launch Ai Booster] "c:\program files\asus\ai booster\OverClk.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [<NO NAME>]
mRun: [Launch LGDCore] "c:\program files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\logitech\g-series software\LCDMon.exe"
mRun: [Maplom] c:\program files\maplom\Maplom.exe /silent
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 8\drag to disc\DrgToDsc.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatchTray12.exe"
mRun: [SideWinderTrayV4] c:\progra~1\mi948f~1\gameco~1\common\SWTrayV4.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [CPMonitor] "c:\program files\roxio 2010\5.0\CPMonitor.exe"
mRun: [Desktop Disc Tool] "c:\program files\roxio 2010\roxio burn\RoxioBurnLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [wgfylswm] c:\documents and settings\avery davis\local settings\application data\xnqiib\kiwtsysguard.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\program files\quickenw\BILLMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\loadou~1.lnk - c:\program files\belkin\nostromo\nost_LM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quickenw\QWDLLS.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvLsp.dll
Trusted Zone: cinemanow.com
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197846318937
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {B8A48F42-30E1-48f8-AE87-7BD7C75DB8AA} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_test.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://rsvpn.raytheon.com/dana-cached/setup/JuniperSetupSP1.cab
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 NEOFLTR_530_11339;Juniper Networks TDI Filter Driver (NEOFLTR_530_11339);c:\windows\system32\drivers\NEOFLTR_530_11339.sys [2006-11-20 57063]
R1 tsircmir;LapLink Mirror Driver Miniport;c:\windows\system32\drivers\tsircmir.sys [2008-1-28 8880]
R2 BRS_WebWeaver;BRS WebWeaver;c:\program files\webweaver\WebWeaver.exe [2005-12-3 403968]
R2 CinemaNow Service;CinemaNow Service;c:\program files\cinemanow\cinemanow media manager\CinemaNowSvc.exe [2009-6-23 127352]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-29 269648]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-8-11 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2004-2-12 655482]
R2 TivoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2008-7-9 868864]
R2 TSISER;TSISER;c:\windows\system32\drivers\tsiser.sys [2008-1-28 37552]
R2 TSISTRMX;Traveling Software Stream Driver;c:\windows\system32\drivers\tsistrmx.sys [2008-1-28 13488]
R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-7-24 22821]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-11-29 19160]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-29 38224]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-8-11 224768]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091126.016\NAVENG.sys [2009-11-26 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091126.016\NAVEX15.sys [2009-11-26 1323568]
R3 TSIKBF5;Traveling Software Keyboard Filter Driver;c:\windows\system32\drivers\tsikbf5.sys [2008-1-28 23216]
R3 TSIMSF5;Traveling Software Mouse Filter Driver;c:\windows\system32\drivers\tsimsf5.sys [2008-1-28 18992]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxWatch12.exe [2009-7-24 219632]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\common files\roxio shared\12.0\sharedcom\RoxMediaDB12.exe [2009-7-24 1116656]

=============== Created Last 30 ================

2009-11-29 23:03:55 0 d-----w- c:\program files\CCleaner
2009-11-29 23:00:12 103424 ----a-w- c:\windows\system32\DCLibrary_nat.dll
2009-11-29 22:59:51 0 d-----w- c:\program files\DriverCleanerDotNET
2009-11-29 22:58:58 0 d-----w- c:\program files\Drivercleaner
2009-11-29 21:09:50 0 d-----w- c:\docume~1\averyd~1\applic~1\Malwarebytes
2009-11-29 21:09:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-29 21:09:46 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 21:09:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-29 21:09:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-15 03:36:26 0 d-----w- c:\program files\RealVNC
2009-11-11 06:08:24 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2009-11-11 06:08:24 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2009-10-11 11:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-12-28 02:00:02 24 ----a-w- c:\program files\TaskAssign.ini
2008-09-07 01:14:17 107505240 ----a-w- c:\program files\TrueImage10.0_s_en.exe
2008-09-07 01:03:42 14195357 ----a-w- c:\program files\LLG12_EN.exe
2008-09-07 01:03:41 5121352 ----a-w- c:\program files\LavasoftFileShredder.exe
2008-09-07 01:02:47 11730328 ----a-w- c:\program files\LLG2008_EN.exe
2008-09-07 00:42:19 2680431 ----a-w- c:\program files\Gold2008_UG_EN.pdf
2008-09-07 00:36:41 942945 ----a-w- c:\program files\Gold2008_QSG_EN.pdf
2004-05-13 01:56:40 226304 ----a-w- c:\program files\TaskAssign.exe
2008-08-02 05:47:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080120080802\index.dat

============= FINISH: 19:20:49.93 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 MongoTuslan

MongoTuslan
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 02 December 2009 - 12:15 AM

Update: I was going to upload the report from RootRepeal, but it hasn't finished yet. I started it up Sunday evening and it ran overnight, all day Monday, a second overnight, and now all day Tuesday and it is still going. My disk access light is on steadily, NVIDIA Monitor reports the CPU usage at 18%, but the disk usage is at 0%. I tried starting Task Manager, and NVIDIA Monitor showed disk usage for that, but then it went back down to 0%. RootRepeal says it is "scanning", and it displays a file name and path which changes every few minutes. Task manager processes shows activity in the following:
System Idle Process = 98% or 99%
VxBlockServer.exe = usually 01, sometimes 02 or 00
NVMonitor.exe = sometimes 01 or 02
taskmgr.exe = sometimes 01
explorer.exe = sometimes 01
mbamservice.exe = sometimes 01
csrss.exe
lsass.exe

Should I just let RootRepeal keep running, or should a stop and restart it? Any other suggestions?

Thanks!

#3 MongoTuslan

MongoTuslan
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 02 December 2009 - 11:30 PM

Update: I was going to upload the report from RootRepeal, but it hasn't finished yet.

I found the problem with RootRepeal running so slowly. I had not disabled my anti-virus realtime protection (although I thought I had). Once I did this, RootRepeal finished pretty quickly. I only ran it on the C: drive. My F: drive is a RAID, and when I tried to run RootRepeal, I got BSD crash. The attached files are the error reports associated with this.

I would aprecieate any advice as the ASD still pops up when I reboot even though MBAM and SAV give clean reports.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/02 20:57
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_diskdump.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0xAB621000 Size: 16384 File Visible: No Signed: -
Status: -

Name: dump_nvgts.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvgts.sys
Address: 0xAB195000 Size: 151552 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA845000 Size: 49152 File Visible: No Signed: -
Status: -

Name: uphcleanhlp.sys
Image Path: C:\WINDOWS\system32\Drivers\uphcleanhlp.sys
Address: 0xAABF5000 Size: 8960 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\All Users\Documents\Shared Files\UT2004\RedOrchestra\RO_33_FullInstaller.exe:{D29FEF8F-97E5-7B58-5AA9-B47C30916144}
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\uphcleanhlp.sys" at address 0xaabf56d0

==EOF==

Attached Files



#4 MongoTuslan

MongoTuslan
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 03 December 2009 - 01:04 AM

I would aprecieate any advice as the ASP still pops up when I reboot even though MBAM and SAV give clean reports.

It's fixed! I went back to the "Remove Antivirus System Pro (Uninstall Guide)" to m ake sure I hadn't missed anything, and it seems I had. I sure don't remember seeing the section on fixing Internet access when I looked at this a couple weeks ago, but it worked this evening and it allowed MBAM to get updates, after which a quick scan found additional malware keys and files and deleted them. After rebooting, I am free (at last!) :( of ASP! Thank you, bleepingcomputers, for the uninstall guide, thank you , Grinler, for rkill.com, and thank you, Malwarebytes, for MBAM. I now have three MBAM licenses for the three PCs we have in the house which are used the most for Internet access.

Edited by MongoTuslan, 03 December 2009 - 01:07 AM.


#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:09:27 AM

Posted 12 December 2009 - 01:42 PM

Great news, thanks for letting me know :(

--------------------------------------------------------------------------------

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users