
[Resolved] Alpha Antivirus Removal


  • This topic is locked
21 replies to this topic

#1 jhurst (Authentic Member, 112 posts)

Posted 02 October 2009 - 06:59 PM

Hello, I'm trying to remove the Alpha Antivirus virus on my computer. I have followed the self help instructions by running ATF and Malwarebytes. I removed selected on Malwarebytes. Here is the text log from Malwarebytes:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

2009-10-02 20:52:28
mbam-log-2009-10-02 (20-52-28).txt

Scan type: Quick Scan
Objects scanned: 109888
Time elapsed: 9 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhc784j0e1k3 (Rogue.AntiVirusXP) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhc784j0e1k3 (Rogue.AntiVirusXP) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetplqxtqod (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Environment\avapp (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Environment\avuninst (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhc784j0e1k3 (Rogue.AntiVirusXP) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\msnaoladdon.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Program Files\Shared\lib.sig (Adware.Deepdive) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETnchhtcwq.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\SKYNETpmyjuywe.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

Any suggestions what to do next?
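As an added example (not part of jhurst's post and not Malwarebytes' own tooling), the following Python parser turns a Malwarebytes' Anti-Malware 1.x text log such as the one above into structured records. That makes two things easy to pull out mechanically: the "Delete on reboot" entries, which are files still on disk until the machine restarts, and the "Registry Data Items" with their Bad/Good values, which in this log are the hijacked .reg file open handler and the disabled Security Center antivirus notification. The log excerpt embedded in the code is constructed, modelled on the posted log, and is not the complete log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings.

Added example for this thread; it is not part of Malwarebytes' own tooling.
"""
import re
from collections import Counter

# One finding per line: "<item> (<detection name>) -> <action>"
FINDING_RE = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[A-Za-z0-9_.]+)\) -> (?P<rest>.+)$"
)
# "Registry Data Items" carry the bad and good values before the action
DATA_RE = re.compile(
    r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)

# Constructed excerpt modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Registry Keys Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\skynetplqxtqod (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\SKYNETnchhtcwq.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return a list of dicts, one per finding, tagged with their log section."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headers look like "Registry Keys Infected:" (the summary
        # counts near the top end in a number, so they are not headers).
        if line.endswith(":") and "Infected" in line:
            section = line[:-1]
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        rec = {
            "section": section,
            "item": m.group("item"),
            "detection": m.group("detection"),
            "bad": None,
            "good": None,
        }
        rest = m.group("rest")
        d = DATA_RE.match(rest)
        if d:
            rec.update(bad=d.group("bad"), good=d.group("good"), action=d.group("action"))
        else:
            rec["action"] = rest
        findings.append(rec)
    return findings


def detection_families(findings):
    """Count findings by the family prefix of the detection name (e.g. Rootkit)."""
    return Counter(f["detection"].split(".")[0] for f in findings)


def pending_reboot(findings):
    """Files MBAM could not remove immediately; they stay on disk until restart."""
    return [f["item"] for f in findings if f["action"].startswith("Delete on reboot")]


def tampered_settings(findings):
    """Registry data items, mapped to their (bad, good) values."""
    return {f["item"]: (f["bad"], f["good"]) for f in findings if f["bad"] is not None}


if __name__ == "__main__":
    results = parse_mbam_log(SAMPLE_LOG)
    print("families:", dict(detection_families(results)))
    print("still on disk until reboot:", pending_reboot(results))
    for item, (bad, good) in tampered_settings(results).items():
        print(f"tampered: {item}: bad={bad!r} good={good!r}")
```

Run against the full log, `pending_reboot` returns the two DLLs that MBAM could only schedule for deletion, which is the reason a helper wants the machine rebooted (and a fresh log) before judging the cleanup complete.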


#2 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 02 October 2009 - 09:23 PM

Hi jhurst, welcome to the forum.

To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, and uncheck Word Wrap if it is checked.
  • Do not attach any logs/reports, etc. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, please ask before continuing.
  • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

Download OTListIt2 to your desktop.
  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Please post back with
  • GMER log
  • both OTL logs
Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Threads will be closed if no response after 5 days.

#3 jhurst (Authentic Member, 112 posts)

Posted 03 October 2009 - 05:37 AM

Hello,

I was able to get the GMER scan performed. The text is below. I'm getting an error when I run OTL that advises "2099/1/1 12:00 is not a valid date and time". It hangs up at the same place each time I try to run the scan. Am I doing something wrong here?

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit quick scan 2009-10-03 07:19:40
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\shurst\LOCALS~1\Temp\kglcipob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

---- EOF - GMER 1.0.15 ----

#4 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 03 October 2009 - 06:36 AM

Hi jhurst,

No, you didn't do anything wrong. The tool couldn't interpret your time/date format.

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click the insert icon to insert the attachment into your post

Thanks


#5 jhurst (Authentic Member, 112 posts)

Posted 03 October 2009 - 12:37 PM

Hello, I ran DDS; however, it only provided me with one DDS report and one Attach.txt report. It did not allow me to run an Optional Scan. I have included the DDS below:

DDS (Ver_09-09-29.01) - NTFSx86
Run by shurst at 14:12:56.29 on 2009-10-03
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.372 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\DNTUS26.EXE
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\PixArt\PAC7302\Monitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AlphaAV\AlphaAV.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\interwise\participant\pull.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Infotriever\Agent\infoclient.exe
C:\Program Files\Picaboo\Picaboo\PicabooMain.exe
C:\Documents and Settings\shurst\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: File Print FedEx Kinko's: {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
TB: File Print FedEx Kinko's: {9566395f-43d2-4c64-b525-b501ffa276e2} - mscoree.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: &Taleo IE Sourcebar: {864b4d50-3b9a-11d2-b8db-00c04fa3471c} - c:\program files\taleo\sourcebar\RecruitforceBar.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Google Update] "c:\documents and settings\shurst\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [vdrdpup] c:\windows\system32\rundll32 c:\windows\system32\vdrdpup.dll,RegisterVirtualChannel
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AlphaAV] c:\program files\alphaav\AlphaAV.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\malwarebytes anti malware\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\shurst\startm~1\programs\startup\infotr~1.lnk - c:\program files\infotriever\agent\infoclient.exe
StartupFolder: c:\docume~1\shurst\startm~1\programs\startup\picaboo.lnk - c:\program files\picaboo\picaboo\PicabooMain.exe
StartupFolder: c:\docume~1\shurst\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\shurst\local settings\temp\{791cea9a-a54c-463b-a4a7-cf63e5be13ee}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pushcl~1.lnk - c:\program files\interwise\participant\pull.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {9239E4EC-C9A6-11D2-A844-00C04F68D538} - {864B4D50-3B9A-11D2-B8DB-00C04FA3471C} - c:\program files\taleo\sourcebar\RecruitforceBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: adp.com\portal
Trusted Zone: essbenefits.com\www.adpportal
Trusted Zone: essbenefits.com\www.regencyhospital
Trusted Zone: gilbaneco.com\tsapps
Trusted Zone: adp.com\portal
Trusted Zone: essbenefits.com\www.adpportal
Trusted Zone: essbenefits.com\www.regencyhospital
DPF: {240EEE8D-91DB-4D74-A87E-671026601333} - hxxp://tsapps.gilbaneco.com/eolupcli.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} - hxxps://download.infotriever.com/bin/ifhelper.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo1.walgreens.com/WalgreensActivia.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://www.winkflash.com/photo/loaders/ImageUploader4.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://tsapps.gilbaneco.com/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://talentkeepers.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} - hxxps://content101.mc.iconf.net/gcc_installer/webtour/astbrowserquery.cab
Filter: text/html - {9d0e8008-6ceb-42a8-8ca3-c2c1cfd4fbe3} - 
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shurst\applic~1\mozilla\firefox\profiles\qbrteaog.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 FlipShare Service;FlipShare Service;c:\program files\pure digital technologies\flipshare\FlipShareService.exe [2008-11-13 439616]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-6-10 35968]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091002.003\naveng.sys [2009-10-2 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091002.003\navex15.sys [2009-10-2 1323568]
S3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [2009-7-28 457856]

============== File Associations ===============

scrfile="%1" %*

=============== Created Last 30 ================

2009-10-02 20:32 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-02 20:23 <DIR> --d----- C:\Alpha
2009-09-30 19:58 <DIR> --d----- c:\program files\common files\Uninstall
2009-09-30 19:58 <DIR> --d----- c:\program files\AlphaAV
2009-09-10 12:02 <DIR> --d----- c:\program files\Shared

==================== Find3M ====================

2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-07-10 02:01 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2006-08-07 16:13 28,672 a------- c:\documents and settings\shurst\atwbxdet.dll

============= FINISH: 14:15:20.84 ===============
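As an added example (not part of jhurst's post and not code from the DDS tool), the following Python script does a first triage pass over the autorun entries in a DDS "Pseudo HJT Report" like the one above. It collects the uRun/mRun and StartupFolder entries together with the directories listed under "Created Last 30", and flags any entry that runs from a temp directory, that loads a DLL through rundll32, or that lives in a directory created within the last 30 days. The flags are prompts to look closer, not verdicts; legitimate software trips these rules too. The DDS lines embedded in the code are constructed, modelled on the posted log. 8.3 short paths such as c:\progra~1 are not expanded, so the recently-created-directory rule only matches long-form paths.

```python
"""Triage autorun entries from a DDS 'Pseudo HJT Report'.

Added example for this thread; it is not part of DDS itself.
"""
import re

# Entry formats as DDS prints them (one entry per line).
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?\.lnk) - (?P<target>.+)$", re.IGNORECASE)
# Directory rows in the "Created Last 30" section: date time <DIR> attrs path
CREATED_DIR_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+<DIR>\s+\S+\s+(?P<path>.+)$")

# Lower-cased path fragments that mark a temp location on Windows XP.
TEMP_MARKERS = ("\\local settings\\temp\\", "\\temp\\", "\\tmp\\")

# Constructed excerpt in DDS format, modelled on the log posted above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [vdrdpup] c:\windows\system32\rundll32 c:\windows\system32\vdrdpup.dll,RegisterVirtualChannel
mRun: [AlphaAV] c:\program files\alphaav\AlphaAV.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
StartupFolder: c:\docume~1\shurst\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\shurst\local settings\temp\{791cea9a-a54c-463b-a4a7-cf63e5be13ee}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe
StartupFolder: c:\docume~1\shurst\startm~1\programs\startup\picaboo.lnk - c:\program files\picaboo\picaboo\PicabooMain.exe
=============== Created Last 30 ================
2009-10-02 20:32 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-02 20:23 <DIR> --d----- C:\Alpha
2009-09-30 19:58 <DIR> --d----- c:\program files\AlphaAV
2009-09-10 12:02 <DIR> --d----- c:\program files\Shared
"""


def parse_autoruns(text):
    """Return (autorun entries, recently created directories) from a DDS log."""
    entries, new_dirs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            source = {"u": "HKCU Run", "m": "HKLM Run"}[m.group("hive")]
            entries.append({"source": source, "name": m.group("name"), "command": m.group("cmd")})
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append({"source": "Startup folder", "name": m.group("lnk"), "command": m.group("target")})
            continue
        m = CREATED_DIR_RE.match(line)
        if m:
            # Lower-case so the later substring match is case-insensitive.
            new_dirs.append(m.group("path").lower().rstrip("\\"))
    return entries, new_dirs


def triage(entries, new_dirs):
    """Flag entries that match any of the three heuristics, with the reasons."""
    flagged = []
    for e in entries:
        cmd = e["command"].lower()
        reasons = []
        if any(marker in cmd for marker in TEMP_MARKERS):
            reasons.append("runs from a temp directory")
        if "rundll32" in cmd:
            reasons.append("loads a DLL via rundll32")
        for d in new_dirs:
            # Trailing backslash so "c:\alpha" does not match "c:\alphaav".
            if d + "\\" in cmd:
                reasons.append(f"lives in recently created directory {d}")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    entries, new_dirs = parse_autoruns(SAMPLE_DDS)
    for hit in triage(entries, new_dirs):
        print(f"[{hit['source']}] {hit['name']}: {hit['command']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The "Created Last 30" cross-reference is the part worth keeping: a rogue such as AlphaAV usually arrives as a freshly created directory under Program Files and registers a Run value pointing into it, so correlating the two sections surfaces it without a signature.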

#6 jhurst (Authentic Member, 112 posts)

Posted 03 October 2009 - 12:40 PM

The Attach.txt file has been included on this reply.


#7 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 03 October 2009 - 12:42 PM

Hi jhurst, please post the Attach.txt. Thanks


#8 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 03 October 2009 - 12:58 PM

Hi jhurst,

Sorry, we seem to have cross-posted. Your post with the Attach log wasn't there when I last posted.

Let's continue.

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message confirming it.

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the ComboFix log.

How is the computer?

Thanks


#9 jhurst (Authentic Member, 112 posts)

Posted 03 October 2009 - 03:59 PM

Hello oldman,

ComboFix log is below. It appears as if Alpha Antivirus is no longer running and is no longer appearing in the task bar:



ComboFix 09-10-01.05 - shurst 2009-10-03 16:07.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.239 [GMT -4:00]
Running from: c:\documents and settings\shurst\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Shared
c:\windows\Installer\53144c0.msi
c:\windows\jestertb.dll
c:\windows\system32\SYSInfo.ocx

----- BITS: Possible infected sites -----

hxxp://rhcvmsus:8530
.
((((((((((((((((((((((((( Files Created from 2009-09-03 to 2009-10-03 )))))))))))))))))))))))))))))))
.

2009-10-03 00:32 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 00:23 . 2009-10-03 18:21 -------- d-----w- C:\Alpha
2009-09-30 23:58 . 2009-09-30 23:58 -------- d-----w- c:\program files\Common Files\Uninstall
2009-09-30 23:58 . 2009-09-30 23:58 -------- d-----w- c:\program files\AlphaAV

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-03 18:17 . 2006-05-01 15:47 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-13 13:26 . 2006-05-01 23:31 54832 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 18:53 . 2008-07-06 02:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-31 21:56 . 2006-08-02 23:44 -------- d-----w- c:\documents and settings\shurst\Application Data\Apple Computer
2009-08-28 22:06 . 2009-08-28 22:06 -------- d-----w- c:\documents and settings\shurst\Application Data\Snapfish
2009-08-28 21:07 . 2009-08-28 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-28 21:07 . 2007-05-20 23:11 -------- d-----w- c:\program files\iTunes
2009-08-28 21:07 . 2009-08-28 21:07 -------- d-----w- c:\program files\iPod
2009-07-10 06:01 . 2007-11-03 01:39 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2008-12-19 00:34 . 2008-05-24 23:30 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 00:34 . 2008-05-24 23:30 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 00:34 . 2008-05-24 23:30 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 00:34 . 2008-05-24 23:30 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 00:34 . 2008-05-24 23:30 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-16 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Google Update"="c:\documents and settings\shurst\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-01 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-15 77824]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"vdrdpup"="c:\windows\system32\vdrdpup.dll" [2004-05-26 71680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-05 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"AlphaAV"="c:\program files\AlphaAV\AlphaAV.exe" [2009-09-30 1593344]
"Malwarebytes Anti-Malware (reboot)"="c:\malwarebytes anti malware\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2004-08-04 177152]

c:\documents and settings\shurst\Start Menu\Programs\Startup\
Infotriever.lnk - c:\program files\Infotriever\Agent\infoclient.exe [2007-2-26 106496]
Picaboo.lnk - c:\program files\Picaboo\Picaboo\PicabooMain.exe [2007-10-22 577536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Push Client.LNK - c:\program files\interwise\participant\pull.exe [2007-10-17 843776]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3212715849-122152519-2943342953-17173\Scripts\Logon\1\0]
"Script"=\\Rhcfile0\Panda\3M\3m.bat

[HKLM\~\startupfolder\C:^Documents and Settings^shurst^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\shurst\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Deer Hunter 3 Gold\\Deer Hunter 3 Gold.exe"=
"c:\\Documents and Settings\\shurst\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\shurst\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-28 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-06-10 35968]
S3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [2009-07-28 457856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3212715849-122152519-2943342953-17173Core.job
- c:\documents and settings\shurst\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-01 15:32]

2009-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3212715849-122152519-2943342953-17173UA.job
- c:\documents and settings\shurst\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-01 15:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: adp.com\portal
Trusted Zone: essbenefits.com\www.adpportal
Trusted Zone: essbenefits.com\www.regencyhospital
Trusted Zone: gilbaneco.com\tsapps
Trusted Zone: adp.com\portal
Trusted Zone: essbenefits.com\www.adpportal
Trusted Zone: essbenefits.com\www.regencyhospital
DPF: {240EEE8D-91DB-4D74-A87E-671026601333} - hxxp://tsapps.gilbaneco.com/eolupcli.cab
DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} - hxxps://download.infotriever.com/bin/ifhelper.cab
DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} - hxxps://content101.mc.iconf.net/gcc_installer/webtour/astbrowserquery.cab
FF - ProfilePath - c:\documents and settings\shurst\Application Data\Mozilla\Firefox\Profiles\qbrteaog.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-KRISTAL Audio Engine - c:\program files\Kreatives.org\KRISTAL Audio Engine\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-03 16:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-10-03 16:23
ComboFix-quarantined-files.txt 2009-10-03 20:23
ComboFix2.txt 2008-07-06 02:11

Pre-Run: 25,357,553,664 bytes free
Post-Run: 25,509,687,296 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

170

#10 oldman960
Forum God, Classroom Teacher, 14,755 posts

Posted 03 October 2009 - 04:37 PM

Hi jhurst,

Looks better.

We will use combofix again but run it differently.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

Folder::
C:\Alpha
c:\program files\Common Files\Uninstall
c:\program files\AlphaAV

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlphaAV"=-

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Posted Image



You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please post back with
  • combofix log
  • MBAM log

Any problems?

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Threads will be closed if no response after 5 days.



#11 jhurst
Authentic Member, 112 posts

Posted 03 October 2009 - 09:40 PM

Good evening oldman. Both programs have been run. I will paste the ComboFix log file first and follow up with the Malwarebytes log second:

ComboFix 09-10-01.05 - shurst 2009-10-03 22:53.6.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.219 [GMT -4:00]
Running from: c:\documents and settings\shurst\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\shurst\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Alpha
c:\alpha\Attach.txt
c:\alpha\DDS.txt
c:\alpha\GMER.txt
c:\alpha\log.txt
c:\alpha\mbam-log-2009-10-02 (20-52-28).txt
c:\alpha\OTL.exe
c:\program files\AlphaAV
c:\program files\AlphaAV\AlphaAV.exe
c:\program files\Common Files\Uninstall
c:\program files\Common Files\Uninstall\AlphaAV\Uninstall.lnk

.
((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-03 00:32 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-03 18:17 . 2006-05-01 15:47 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-13 13:26 . 2006-05-01 23:31 54832 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 18:53 . 2008-07-06 02:20 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-31 21:56 . 2006-08-02 23:44 -------- d-----w- c:\documents and settings\shurst\Application Data\Apple Computer
2009-08-28 22:06 . 2009-08-28 22:06 -------- d-----w- c:\documents and settings\shurst\Application Data\Snapfish
2009-08-28 21:07 . 2009-08-28 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-28 21:07 . 2007-05-20 23:11 -------- d-----w- c:\program files\iTunes
2009-08-28 21:07 . 2009-08-28 21:07 -------- d-----w- c:\program files\iPod
2009-07-10 06:01 . 2007-11-03 01:39 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2008-12-19 00:34 . 2008-05-24 23:30 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-19 00:34 . 2008-05-24 23:30 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-19 00:34 . 2008-05-24 23:30 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-19 00:34 . 2008-05-24 23:30 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-19 00:34 . 2008-05-24 23:30 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-16 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Google Update"="c:\documents and settings\shurst\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-01 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-15 77824]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"vdrdpup"="c:\windows\system32\vdrdpup.dll" [2004-05-26 71680]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-05 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Malwarebytes Anti-Malware (reboot)"="c:\malwarebytes anti malware\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2004-08-04 177152]

c:\documents and settings\shurst\Start Menu\Programs\Startup\
Infotriever.lnk - c:\program files\Infotriever\Agent\infoclient.exe [2007-2-26 106496]
Picaboo.lnk - c:\program files\Picaboo\Picaboo\PicabooMain.exe [2007-10-22 577536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Push Client.LNK - c:\program files\interwise\participant\pull.exe [2007-10-17 843776]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3212715849-122152519-2943342953-17173\Scripts\Logon\1\0]
"Script"=\\Rhcfile0\Panda\3M\3m.bat

[HKLM\~\startupfolder\C:^Documents and Settings^shurst^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\shurst\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Deer Hunter 3 Gold\\Deer Hunter 3 Gold.exe"=
"c:\\Documents and Settings\\shurst\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\shurst\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-08-28 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2005-06-10 35968]
S3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [2009-07-28 457856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3212715849-122152519-2943342953-17173Core.job
- c:\documents and settings\shurst\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-01 15:32]

2009-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3212715849-122152519-2943342953-17173UA.job
- c:\documents and settings\shurst\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-01 15:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: adp.com\portal
Trusted Zone: essbenefits.com\www.adpportal
Trusted Zone: essbenefits.com\www.regencyhospital
Trusted Zone: gilbaneco.com\tsapps
Trusted Zone: adp.com\portal
Trusted Zone: essbenefits.com\www.adpportal
Trusted Zone: essbenefits.com\www.regencyhospital
DPF: {240EEE8D-91DB-4D74-A87E-671026601333} - hxxp://tsapps.gilbaneco.com/eolupcli.cab
DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} - hxxps://download.infotriever.com/bin/ifhelper.cab
DPF: {FB5FBB7F-92B4-11D3-8332-00C04F8B209E} - hxxps://content101.mc.iconf.net/gcc_installer/webtour/astbrowserquery.cab
FF - ProfilePath - c:\documents and settings\shurst\Application Data\Mozilla\Firefox\Profiles\qbrteaog.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-03 23:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\system32\igfxdev.dll
.
Completion time: 2009-10-04 23:11
ComboFix-quarantined-files.txt 2009-10-04 03:11
ComboFix2.txt 2009-10-03 20:23
ComboFix3.txt 2008-07-06 02:11

Pre-Run: 25,471,758,336 bytes free
Post-Run: 25,450,483,712 bytes free

162


Malwarebytes' Anti-Malware 1.41
Database version: 2902
Windows 5.1.2600 Service Pack 2

2009-10-03 23:25:39
mbam-log-2009-10-03 (23-25-39).txt

Scan type: Quick Scan
Objects scanned: 111535
Time elapsed: 6 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\shurst\Desktop\Alpha Antivirus.lnk (Rogue.AlphaAV) -> Quarantined and deleted successfully.
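As an added example (not code from the thread, from ComboFix or from the forum), the check below parses the CFScript from post #10 together with the post-run ComboFix log above and confirms that each directive took effect: the three Folder:: paths appear under "Other Deletions", and the "AlphaAV" value is no longer listed under the HKLM Run key. It also diffs the Run entries between the earlier log and this one. The script and log excerpts inside the block are constructed from lines on the page, trimmed to the relevant sections.

```python
"""Added example (not from the thread or from ComboFix): check that the CFScript
in post #10 took effect by parsing the post-run ComboFix log from post #11.
The script and log excerpts below are constructed from lines on the page."""
import re

RUN_KEY = re.compile(r"^\[(HK[^\]]+\\Run)\]$", re.IGNORECASE)  # [HKLM\...\Run]
VALUE = re.compile(r'^"([^"]+)"=(.*)$')                      # "name"=data


def parse_run_entries(log_text):
    """{run_key_lower: {value_name: data}} from the 'Reg Loading Points' part."""
    entries, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if RUN_KEY.match(line):
            current = line[1:-1].lower()
            entries.setdefault(current, {})
        elif not line or line.startswith("["):   # blank line or other key ends it
            current = None
        elif current is not None and VALUE.match(line):
            name, data = VALUE.match(line).groups()
            entries[current][name] = data.strip()
    return entries


def parse_cfscript(script_text):
    """(folders, [(run_key_lower, value_name)]): ComboFix's "name"=- means delete."""
    folders, deletions, section, key = [], [], None, None
    for raw in script_text.splitlines():
        line = raw.strip()
        if line.endswith("::"):                   # Folder:: / Registry:: header
            section, key = line[:-2], None
        elif section == "Folder" and line:
            folders.append(line)
        elif section == "Registry" and line.startswith("["):
            key = line[1:-1].lower()
        elif section == "Registry" and key and line.endswith("=-"):
            deletions.append((key, line[1:line.index('"', 1)]))
    return folders, deletions


def diff_autostarts(before_text, after_text):
    """Run value names present in only one of two logs: (removed, added)."""
    before, after = parse_run_entries(before_text), parse_run_entries(after_text)
    removed, added = [], []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        removed += sorted(set(b) - set(a))
        added += sorted(set(a) - set(b))
    return removed, added


def unresolved_directives(script_text, after_text):
    """Directives the post-run log does not confirm (empty list == all done)."""
    folders, deletions = parse_cfscript(script_text)
    # Paths ComboFix reports under its 'Other Deletions' banner, up to the next banner.
    tail = after_text.split("Other Deletions", 1)[1] if "Other Deletions" in after_text else ""
    gone = {l.strip().lower() for l in tail.split("((((", 1)[0].splitlines()}
    run = parse_run_entries(after_text)
    pending = [f for f in folders if f.lower() not in gone]
    pending += [f"{k}\\{n}" for k, n in deletions if n in run.get(k, {})]
    return pending


CFSCRIPT = r"""Folder::
C:\Alpha
c:\program files\Common Files\Uninstall
c:\program files\AlphaAV

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlphaAV"=-
"""

BEFORE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlphaAV"="c:\program files\AlphaAV\AlphaAV.exe" [2009-09-30 1593344]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2004-08-04 177152]
"""

AFTER_LOG = r"""(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.
C:\Alpha
c:\program files\AlphaAV
c:\program files\Common Files\Uninstall
.
(((((((((((((((((((( Reg Loading Points ))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="mqrt.dll" - c:\windows\system32\mqrt.dll [2004-08-04 177152]
"""
```

Running `unresolved_directives(CFSCRIPT, AFTER_LOG)` returns an empty list for the log above, while the same call against the earlier log reports all three folders and the AlphaAV value as still pending.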

#12 oldman960
Forum God, Classroom Teacher, 14,755 posts

Posted 03 October 2009 - 10:59 PM

Hi jhurst,

Looking better.

Is there any reason these sites are in the Trusted Zone? Did you place them there?

Trusted Zone: adp.com\portal
Trusted Zone: essbenefits.com\www.adpportal
Trusted Zone: essbenefits.com\www.regencyhospital
Trusted Zone: gilbaneco.com\tsapps
Trusted Zone: adp.com\portal
Trusted Zone: essbenefits.com\www.adpportal
Trusted Zone: essbenefits.com\www.regencyhospital



You have old vulnerable java installed.
If an Information Bar pops up, right-click on it and say it's OK to display the blocked content.
  • Select the platform (Windows, in your case), multi language.
  • Accept the license agreement, click continue.
You do not have to install the Java Web Start ActiveX Control
  • Scroll down and click on Windows Offline Installation,
  • Save the file jre-6u16-windows-i586-p.exe to your desktop;
Do not select Run . Do not install it yet.

When the download is complete, close your browser.

Open Control Panel > Add/Remove Programs and uninstall

J2SE Runtime Environment 5.0 Update 6

Do not uninstall Java TM 6 Update 16 if found! :yeah:

Reboot your computer.

  • Double-click on the saved file ( jre-6u16-windows-i586-p.exe) to install the update.
  • Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

Next, clear the java cache

To clear the Java Plug-in cache:
  • Click Start > Control Panel.
  • Double-click the Java icon in the control panel.
  • On the General tab, Click Settings under Temporary Internet Files.
  • On the Temporary Files Settings screen, Click Delete Files.
  • check all boxes
  • Click OK

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions.
  • You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Change the Files of type to Text file (.txt)
  • Set the Save In to Desktop
  • click the Save button.
  • Please post this log in your next reply along with a new DDS log.

Thanks


#13 jhurst
Authentic Member, 112 posts

Posted 04 October 2009 - 07:06 PM

Good evening oldman... sorry for the delayed response. I am currently working on the list of items below. The Kaspersky antivirus scan is running and appears it will take some time to get the results. I will plan on posting the log tomorrow evening. Regarding the other items below: The Trusted Zone items are sites that I recognize. They all are associated with past or present employer sites. I have made the recommended changes to the Java program and updated per your directions. I have cleared the Java cache. Kaspersky scan is currently 5% complete. Thank you for your assistance up to this point. It does appear the Alpha Antivirus has been eliminated. I'll update the Kaspersky log as soon as possible. jhurst

#14 oldman960
Forum God, Classroom Teacher, 14,755 posts

Posted 04 October 2009 - 11:36 PM

Hi jhurst, Thanks for the update. Kaspersky can take awhile to complete. Please be patient.


#15 jhurst
Authentic Member, 112 posts

Posted 05 October 2009 - 05:19 PM

Hello oldman, I have saved the log results from the Kaspersky scan and included them below. Thanks....

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, October 5, 2009
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, October 05, 2009 00:05:14
Records in database: 2910524
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
H:\

Scan statistics:
Objects scanned: 107235
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 03:44:42

File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0ADC0000\4AFE8497.VBN Infected: Trojan-GameThief.Win32.OnLineGames.bmty 1

Selected area has been scanned.
