Infected with "Antivirus Soft"


This topic is locked
2 replies to this topic

#1 eze3141


Posted 12 February 2010 - 05:08 PM

"Antivirus Soft" automatically runs when I log on and when I try to open a program an error message says something like "that program contains a virus so we won't let it run, do you want to repair it?" Yes takes you to their website, No closes the message.
MBAM doesn't recognise it as malware and I don't know how to get rid of it. I have to use safe mode so it won't block all my programs from starting up. It started this morning, I haven't downloaded anything recently or opened any suspicious emails so I don't know where it came from.
I went through the steps BleepingComputer suggested and it hasn't gotten rid of it. (I was able to use the internet thanks to it though)


DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Administrator at 17:04:27.39 on 12/02/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.957.574 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODEJ09EF\dds[1].scr

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://uk.yahoo.com
mStart Page = hxxp://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ektcrxhv] c:\documents and settings\new123\local settings\application data\gyjkud\sadlsftav.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-12 207792]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-2-12 359624]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-2-12 1141712]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-2-12 112592]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-28 135664]
S2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [2008-4-17 137344]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-6-3 236368]
S2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [2008-4-17 12032]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-6-3 19160]

=============== Created Last 30 ================

2010-02-12 16:47:28 0 d-----w- c:\documents and settings\administrator\Tracing
2010-02-12 16:26:34 891008 ----a-w- C:\avg_free_stb_en_9_39_free.exe
2010-02-12 16:24:41 0 d-----w- c:\program files\CCleaner
2010-02-12 16:17:34 3310608 ----a-w- C:\ccsetup225.exe
2010-02-12 15:48:01 0 d-----w- c:\docume~1\admini~1\applic~1\AVG8
2010-02-12 15:13:00 767952 ----a-w- c:\windows\BDTSupport.dll
2010-02-12 15:12:59 882 ----a-w- c:\windows\RegSDImport.xml
2010-02-12 15:12:59 880 ----a-w- c:\windows\RegISSImport.xml
2010-02-12 15:12:59 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-02-12 15:12:59 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-02-12 15:12:59 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-02-12 15:12:59 131 ----a-w- c:\windows\IDB.zip
2010-02-12 15:12:59 1152444 ----a-w- c:\windows\UDB.zip
2010-02-12 15:11:40 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-02-12 15:11:40 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-12 15:11:35 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-02-12 15:11:35 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-02-12 15:11:35 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-02-12 15:11:35 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-02-12 15:11:30 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-02-12 15:11:30 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-12 15:11:21 0 d-----w- c:\program files\Spyware Doctor
2010-02-12 15:11:21 0 d-----w- c:\program files\common files\PC Tools
2010-02-12 15:11:21 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-02-10 23:26:01 0 d-----w- c:\program files\MSXML 4.0
2010-02-09 23:25:22 0 d-----w- c:\docume~1\alluse~1\applic~1\WEBREG
2010-02-09 23:21:37 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2010-02-09 23:21:36 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2010-02-09 23:21:03 123904 ----a-w- c:\windows\system32\hpf3l70v.dll
2010-02-09 23:21:02 452408 ----a-r- c:\windows\system32\hpzids01.dll
2010-02-09 23:20:22 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2010-02-09 23:19:43 712704 ----a-r- c:\windows\system32\hposwia_d02c.dll
2010-02-09 23:19:43 589824 ----a-r- c:\windows\system32\hpost_d02c.dll
2010-02-09 23:19:43 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2010-02-09 23:19:43 315392 ----a-r- c:\windows\system32\hposc_d02a.dll
2010-02-09 23:19:43 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-02-09 23:10:58 0 d-----w- c:\program files\common files\HP
2010-02-09 23:10:19 0 d-----w- c:\program files\common files\Hewlett-Packard
2010-02-09 23:07:46 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-02-09 23:06:28 0 d-----w- c:\program files\HP
2010-02-09 23:04:33 586 ------w- c:\windows\hpomdl44.dat
2010-02-09 23:04:33 163048 ----a-w- c:\windows\hpoins44.dat
2010-02-06 20:13:29 32 ----a-r- c:\documents and settings\all users\hash.dat

==================== Find3M ====================

2010-01-12 22:10:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-07 16:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 16:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 20:06:33 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2006-05-03 10:06:54 163328 -csh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47:16 31232 -csh--r- c:\windows\system32\msfDX.dll
2007-12-17 13:43:00 27648 -csh--w- c:\windows\system32\Smab0.dll
2009-03-03 22:26:15 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009030320090304\index.dat
2009-08-08 07:47:15 16384 -csha-w- c:\windows\temp\cookies\index.dat
2009-08-08 07:47:15 16384 -csha-w- c:\windows\temp\history\history.ie5\index.dat
2009-08-08 07:47:15 49152 -csha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 17:04:59.31 ===============



#2 Farbar


Posted 12 February 2010 - 05:57 PM

Hi eze3141,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

I see from the log you are using a registry cleaner. It is even scheduled to run. Here at BC we do not recommend using registry cleaners as it might irreversibly damage your computer.

Note 1: We prefer to run ComboFix in normal mode. You might be able to do that after doing step 1 and rebooting. If it can't run in normal mode, run it in Safe Mode with Networking, but when it requires a reboot, reboot to normal mode.

Note 2: PC Tools might flag a component of ComboFix as Nircmd and remove it. Please don't allow it. The tool is needed to find and remove the malware. That component is a tool that can be used both by malware developers and malware removers.
  1. Go to start > Run copy and paste the following line in the run box and click OK:

    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ektcrxhv /f

    A window flashes; this is normal.

  2. Reboot the computer.

  3. Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • If DeFogger asks to reboot the machine, click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

    Do not re-enable these drivers until otherwise instructed.

  4. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.
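Step 1 above removes the HKLM Run value that the DDS log lists as "mRun: [ektcrxhv]", an autostart pointing into a user's Local Settings\Application Data folder. As an added triage example that is not part of this thread, DDS or ComboFix, the Python below parses the uRun/mRun/dRun lines of a DDS report, flags autostarts whose executable lives in a user profile's writable data folders, and builds the matching reg delete command for review; the hive mapping (u = HKCU, m = HKLM, d = HKU\.DEFAULT), the random-name heuristic and the sample lines are assumptions of this example.

```python
import re

# Assumed DDS convention: uRun = HKCU, mRun = HKLM, dRun = HKU\.DEFAULT Run keys.
HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}
RUN_LINE = re.compile(r"^([umd])Run: \[([^\]]+)\] (.*)$")
# Autostarts launched from user-writable profile folders instead of Program Files/system32.
USER_WRITABLE = ("\\local settings\\application data\\", "\\application data\\", "\\local settings\\temp\\")

# Constructed sample modelled on the DDS report above (not the full log).
SAMPLE_DDS = r"""
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ektcrxhv] c:\documents and settings\new123\local settings\application data\gyjkud\sadlsftav.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
"""

def parse_run_entries(dds_text):
    """Return (hive, value name, lower-cased executable path) for each uRun/mRun/dRun line."""
    entries = []
    for line in dds_text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue
        scope, name, cmd = m.groups()
        cmd = cmd.strip()
        if cmd.startswith('"'):                      # quoted path, arguments may follow
            target = cmd[1:cmd.index('"', 1)]
        else:                                        # unquoted path, possibly containing spaces
            exe = re.match(r"(.*?\.(?:exe|scr|com|dll))(?:\s|$)", cmd, re.I)
            target = exe.group(1) if exe else cmd.split()[0]
        entries.append((HIVES[scope], name, target.lower()))
    return entries

def random_looking_name(name):
    """Heuristic only: rogue AV droppers often use a random lowercase value name such as 'ektcrxhv'."""
    vowels = sum(c in "aeiou" for c in name)
    return name.isalpha() and name.islower() and len(name) >= 6 and vowels / len(name) < 0.3

def removal_command(hive, name):
    """The reg.exe one-liner that deletes the value, in the form used in step 1 of the post above."""
    return f"reg delete {hive}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v {name} /f"

def find_suspicious(dds_text):
    """Flag autostarts whose executable lives in a user profile's writable data folders."""
    return [(hive, name, target) for hive, name, target in parse_run_entries(dds_text)
            if "\\documents and settings\\" in target and any(p in target for p in USER_WRITABLE)]
```

The path check is the primary signal; random_looking_name is a secondary indicator, since short legitimate names without vowels (such as msnmsgr) also satisfy it.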


#3 Farbar


Posted 17 February 2010 - 02:29 PM

This thread will now be closed due to lack of activity.

If you need this topic reopened, please send me a PM within two days and I will reopen it for you.

If you should have a new issue, please start a new topic.
