
Antivirus.net


#1 cottondog
  • Members
  • 12 posts

Posted 01 February 2011 - 08:13 PM

My son's computer got the malware "Antivirus.net", so I found the removal method page here. The rkill worked, and I managed to stop it. I then ran Malwarebytes (which was already on the computer) but it didn't find anything. I tried to use the internet but I got a message saying it couldn't connect. I ran a diagnostic, and it says my firewalls are turned on, but according to my computer they are not. I tried to turn them on then off but it made no difference.
Please excuse my slowness, I am running back and forth with a flash drive!



DDS (Ver_10-12-12.02) - NTFSx86
Run by Admin at 17:54:14.81 on Tue 02/01/2011
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.255.42 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\SweetIM\Messenger\SweetIM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\WINDOWS\system32\pzip.exe
C:\Program Files\Traffic Shaper XP Server\bcserver.service
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
L:\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:8992
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: SweetIM ToolbarURLSearchHook Class: {eee6c35d-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgHelper.dll
mURLSearchHooks: SweetIM ToolbarURLSearchHook Class: {eee6c35d-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgHelper.dll
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: SweetIM Toolbar Helper: {eee6c35c-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: SweetIM Toolbar for Internet Explorer: {eee6c35b-6118-11dc-9c72-001320c79847} - c:\program files\sweetim\toolbars\internet explorer\mgToolbarIE.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Messenger (Yahoo!)] ~"c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [jockgvjx] c:\docume~1\admin\locals~1\temp\lrragtbfb\pcwceuisjmo.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [SweetIM] c:\program files\sweetim\messenger\SweetIM.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA"&"inst=NwA3AC0ANAAyADEANAA4ADUAMQA1ADMALQBGAFAAOQArADYALQBUAEIAOQArADIALQBGAEwAKwA5AC0ARgA5AE0AKwAxAC0ARgA5AE0ANwBBACsANQAtAFgATwAzADYAKwAxAC0ARgA5AE0ANwBDACsAMgA"&"prod=90"&"ver=9.0.872
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\admin\startm~1\programs\startup\pzipex~1.lnk - c:\windows\system32\pzip.exe
IE: Free YouTube Download - c:\documents and settings\admin\application data\dvdvideosoftiehelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\admin\application data\dvdvideosoftiehelpers\youtubetomp3.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1291922914781
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1291922891921
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\b04mcvkv.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5643
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\admin\application data\mozilla\firefox\profiles\b04mcvkv.default\extensions\dttoolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: XULRunner: {C3811080-1FCD-49EC-9827-40878D878790} - c:\documents and settings\admin\local settings\application data\{C3811080-1FCD-49EC-9827-40878D878790}
FF - Ext: DAEMON Tools Toolbar: DTToolbar@toolbarnet.com - %profile%\extensions\DTToolbar@toolbarnet.com

============= SERVICES / DRIVERS ===============

S2 Third_Party_Install.exe;Your Service;"c:\program files\youdagames\jade rousseau - the fall of sant antonio\third_party_install.exe" --> c:\program files\youdagames\jade rousseau - the fall of sant antonio\Third_Party_Install.exe [?]

=============== Created Last 30 ================

2011-01-19 16:44:30 -------- d-sh--w- C:\found.002
2011-01-03 00:50:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\Fugazo

==================== Find3M ====================


============= FINISH: 17:54:50.46 ===============
Attached file: ark.txt

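An added check, not from this post or from the DDS tool: a small Python scanner over lines in DDS report format that flags the three things that stand out in the log above, namely proxy settings pointing at 127.0.0.1 in IE and Firefox (the likely cause of the "couldn't connect" symptom once rkill killed the rogue process), an autorun entry launched from a temp directory, and a non-zero SfcDisable. The sample lines are taken from the log above; the function and rule names are this example's own.

```python
import re

# Sample lines in DDS "Pseudo HJT Report" / FIREFOX format, taken from the
# log posted above and trimmed to the entries that matter.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8992
uInternet Settings,ProxyOverride = <local>
mWinlogon: SfcDisable=-99 (0xffffff9d)
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [jockgvjx] c:\docume~1\admin\locals~1\temp\lrragtbfb\pcwceuisjmo.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5643
FF - prefs.js: network.proxy.type - 0
"""

LOOPBACK = re.compile(r"\b(?:127\.0\.0\.1|localhost)\b", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)  # any ...\temp\... path component
RUN_KEY = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", re.I)
SFC = re.compile(r"SfcDisable=(-?\d+)")


def check_dds_lines(lines):
    """Return (severity, reason, line) tuples for the indicators seen in this thread."""
    findings = []
    for raw in lines:
        s = raw.strip()
        if not s:
            continue
        # 1. Browser forced through a proxy on the local machine. Rogue AV does this
        #    to hijack browsing; once rkill kills the rogue process the browser still
        #    points at a dead listener, which is the "couldn't connect" symptom.
        if "ProxyServer" in s and LOOPBACK.search(s):
            findings.append(("high", "IE proxy points at loopback", s))
        elif s.startswith("FF - prefs.js: network.proxy.http ") and LOOPBACK.search(s):
            findings.append(("high", "Firefox proxy host is loopback", s))
        # 2. An autorun entry whose executable lives under a temp directory.
        m = RUN_KEY.match(s)
        if m and TEMP_DIR.search(m.group("cmd")):
            findings.append(("high", f"autorun '{m.group('name')}' runs from a temp dir", s))
        # 3. Windows File Protection switched off (non-zero SfcDisable on XP).
        m = SFC.search(s)
        if m and int(m.group(1)) != 0:
            findings.append(("medium", "Windows File Protection disabled via SfcDisable", s))
    return findings

if __name__ == "__main__":
    for sev, why, line in check_dds_lines(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {why}: {line}")
```

Note that the Firefox entry alone is inert while network.proxy.type is 0 (direct connection), so the IE ProxyServer line is the one that actually broke browsing here.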

#2 shelf life
  • Malware Response Team
  • 2,657 posts
  • Location:@localhost

Posted 06 February 2011 - 04:54 PM

Hi cottondog,

Your post is a few days old. If you still need help simply reply back.

How Can I Reduce My Risk to Malware?


#3 cottondog
  • Topic Starter
  • Members
  • 12 posts

Posted 06 February 2011 - 05:12 PM

Yes, I still need help!
Thanks, cottondog

#4 shelf life
  • Malware Response Team
  • 2,657 posts
  • Location:@localhost

Posted 06 February 2011 - 06:23 PM

We will get another download to use first as a check for any malware. It's called Combofix. There is a guide to read first. Read through the guide, then apply the directions on your own machine. Post the log:

Guide to using Combofix

How Can I Reduce My Risk to Malware?


#5 cottondog
  • Topic Starter
  • Members
  • 12 posts

Posted 07 February 2011 - 02:48 PM

OK. I ran Combofix and here is the log file.
Again, I really appreciate your help!
cottondog

Attached file: ComboFix.txt

#6 shelf life
  • Malware Response Team
  • 2,657 posts
  • Location:@localhost

Posted 07 February 2011 - 06:05 PM

OK, we will use Combofix to remove some things:

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into Notepad:

DDS:
uInternet Settings,ProxyServer = http=127.0.0.1:8992
FireFox::
FF - prefs.js: network.proxy.http_port - 1036
FF - prefs.js: network.proxy.http - 127.0.0.1
File::
C:\WINDOWS\system32\pzip.exe
c:\docume~1\admin\locals~1\temp\lrragtbfb\pcwceuisjmo.exe

Name the Notepad file CFScript.txt and Save it to your desktop.
Now locate the file you just saved (CFScript.txt) and the Combofix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the Combofix icon and release; Combofix will run and produce a new log.
Please post the new Combofix log.

How Can I Reduce My Risk to Malware?


#7 cottondog
  • Topic Starter
  • Members
  • 12 posts

Posted 07 February 2011 - 08:37 PM

Here it is!
Thanks, cottondog

Attached file: log.txt

#8 shelf life
  • Malware Response Team
  • 2,657 posts
  • Location:@localhost

Posted 08 February 2011 - 04:45 PM

OK, that looks good. Check Malwarebytes for updates and do a scan with it. I think we are done other than some clean-up.

How Can I Reduce My Risk to Malware?


#9 cottondog
  • Topic Starter
  • Members
  • 12 posts

Posted 08 February 2011 - 09:10 PM

Great! Thank you very, very much. This site has saved me several times!
cottondog

#10 shelf life
  • Malware Response Team
  • 2,657 posts
  • Location:@localhost

Posted 10 February 2011 - 07:11 PM

Hi,

You can remove combofix like this:

Start > Run (classic start menu) and type in:
combofix /uninstall
Click OK or press Enter.
Note the space after the x and before the /.

Note that the free version of Malwarebytes must be updated manually and a scan started manually.
It's good practice to check for updates on a regular basis even if you don't scan with it at that time.

You can make a new restore point, the how and the why:

One of the features of Windows XP, Vista and Windows 7 is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (Deletes the old, possibly infected restore points.)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (Creates a new restore point on a clean system.)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

And last are some tips to help you remain malware free:


10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.


No software can think for you. Help yourself. In no special order:

1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes etc. More and more third party applications are being targeted. Use the auto-update features available in most software. Not sure if you are using the latest version of software? Check their version status and get the updates here.

2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, after which you are prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware then it's time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0; read the FAQs. Or see a slide show here and do it yourself. How to harden Firefox for safer surfing.

10) Warez, cracks etc. are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via P2P networks you will encounter malware. Can you really trust the source of the file?


More info/tips with pictures, links below

Happy Safe Surfing.

How Can I Reduce My Risk to Malware?

