
critical system warning + trojans .. help !!

pennymakespounds
pennymakespounds Posts: 1,482 Forumite
1,000 Posts Combo Breaker
edited 7 July 2009 at 9:07PM in Techie Stuff
Think the kids have messed up the pc..... there's boxes appearing telling me I've got trojans ... worms ... password stealers? ...
troj win32.agent.azsy is continuously shown in a warning box.

seems there's also a program called "personal antivirus" (orange shield icon?) downloaded, telling me there's hundreds of problems but I need to pay for download to cure.

Also.. whilst it's shown as a new download ... I can't find "personal antivirus" anywhere in the "add/delete programs" list ??

I've got ccleaner .. avg...adaware ... spybot and zonealarm


Advice please as to what i should do ?

thanks techies .. you always come to my rescue !!

Comments

  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    those are false notifications (although it is a serious infection, do not do secure transactions until we have cleaned it)

    follow this

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    and post the log

    takes about 20 minutes to run
    Ex forum ambassador

    Long term forum member
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    edited 7 July 2009 at 9:06PM
    then this (about 20 - 30 minutes to run , either I or AlienRik will decipher the logs for you)



    Please download Malwarebytes Anti-Malware and save it to your desktop.
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
    Ex forum ambassador

    Long term forum member
  • "personal antivirus"

    Run the above programs in safe mode, then again in normal mode. Make sure you update Malwarebytes too.

    Then run an antivirus scan.

    I've had problems removing Personal Antivirus before. The only way I've removed it is by deleting the files / reg keys mentioned at the end of this document.

    After this I'd also suggest running hijackthis. You'll need to post a log of what it reports.
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    neither Malwarebytes (it reboots itself if it needs to delete stuff) nor combofix (must be run in normal mode) need to be run in Safe mode

    an Antivirus scan will not deal with this Vundo type infection now it's infected

    Combofix will remove the infection, following it with Malwarebytes will remove any outstanding junk
    Ex forum ambassador

    Long term forum member
  • pennymakespounds
    pennymakespounds Posts: 1,482 Forumite
    1,000 Posts Combo Breaker
    BROWNTOA .. combo fix log .
    I'm also getting a W32 Ackamtta.B@mm warning and on personal virus a "windows meta file vulnerability" warning ?


    ComboFix 09-07-07.A2 - xxxxxxxxxxxxx07/07/2009 22:21.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.379 [GMT 1:00]
    Running from: c:\documents and settings\xxxxxxxxx\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\xxxxxxxx\Desktop\Personal Antivirus.lnk
    C:\test.txt
    c:\windows\COUPON~1.OCX
    c:\windows\Installer\153250b.msp
    c:\windows\Installer\164426.msp
    c:\windows\Installer\164437.msp
    c:\windows\Installer\164449.msp
    c:\windows\Installer\16445b.msp
    c:\windows\Installer\2327c85.msp
    c:\windows\Installer\2327c9b.msp
    c:\windows\Installer\25af27.msp
    c:\windows\Installer\26c6c2.msp
    c:\windows\Installer\323af49.msp
    c:\windows\Installer\4ab2fc.msp
    c:\windows\Installer\8843ab.msp
    c:\windows\Installer\90aae9.msp
    c:\windows\Installer\958e7f.msp
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\drivers\RKHit.sys
    c:\windows\system32\msxmlm.dll
    .
    ((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
    .
    2009-07-07 20:53 . 2009-07-07 20:53 d--h--w- c:\windows\PIF
    2009-07-07 20:33 . 2009-07-07 20:33 d-----w- c:\program files\Common Files\Uninstall
    2009-07-07 20:33 . 2009-07-07 20:33 d-----w- c:\program files\PersonalAV
    2009-07-02 16:55 . 2009-06-14 15:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
    2009-07-02 08:32 . 2009-07-02 16:55 d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
    2009-07-02 08:32 . 2009-07-02 08:32 d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
    2009-06-16 08:55 . 2009-06-16 08:55 d-----w- c:\program files\iPod
    2009-06-16 08:51 . 2009-06-16 08:52 d-----w- c:\program files\QuickTime
    2009-06-16 08:41 . 2009-06-16 08:41 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
    2009-06-13 14:35 . 2003-08-27 10:29 65536 ----a-w- c:\windows\wanmpsvc.exe
    2009-06-10 14:27 . 2009-06-10 14:27 152576 ----a-w- c:\documents and settings\xxxxxxxxxxxx\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
    2009-06-10 08:07 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
    2009-06-10 08:07 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-07 21:34 . 2008-12-08 15:05 173248544 --sha-w- c:\windows\system32\drivers\fidbox.dat
    2009-07-07 21:33 . 2009-07-07 21:33 0 ----a-w- c:\windows\system32\msxmlm.dll.tmp
    2009-07-07 21:30 . 2008-12-08 15:05 2031044 --sha-w- c:\windows\system32\drivers\fidbox.idx
    2009-07-07 21:11 . 2007-11-21 13:25 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-06 11:11 . 2009-06-17 15:09 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
    2009-07-06 11:11 . 2009-06-17 15:09 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
    2009-07-06 11:10 . 2009-06-17 15:09 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
    2009-07-02 08:32 . 2009-03-07 19:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    2009-07-02 08:32 . 2009-03-07 19:14 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2009-07-02 08:32 . 2009-03-07 19:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2009-06-17 07:43 . 2009-02-16 10:27 6402350 -c--a-w- c:\windows\Internet Logs\tvDebug.zip
    2009-06-16 08:55 . 2008-01-12 22:54 d-----w- c:\program files\iTunes
    2009-06-16 08:55 . 2008-01-12 22:53 d-----w- c:\program files\Common Files\Apple
    2009-06-11 18:57 . 2009-01-15 15:27 d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
    2009-06-10 14:28 . 2007-11-16 14:23 d-----w- c:\program files\Java
    2009-06-10 14:18 . 2008-07-25 13:04 d-----w- c:\program files\Windows Desktop Search
    2009-06-10 12:35 . 2007-11-16 14:36 d-----w- c:\program files\Microsoft Works
    2009-06-06 17:10 . 2008-03-31 07:09 d-----w- c:\program files\Glary Utilities
    2009-06-05 10:42 . 2009-03-14 18:21 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
    2009-06-05 10:42 . 2008-01-12 22:53 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
    2009-05-28 10:20 . 2009-05-28 10:20 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
    2009-05-28 10:20 . 2009-05-17 13:17 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-05-24 23:24 . 2008-05-26 21:18 350208 ----a-w- c:\windows\system32\mssph.dll
    2009-05-21 10:33 . 2009-05-13 08:01 410984 ----a-w- c:\windows\system32\deploytk.dll
    2009-05-18 16:28 . 2007-11-20 19:25 d-----w- c:\documents and settings\All Users\Application Data\AOL
    2009-05-18 16:28 . 2009-05-18 13:52 d-----w- c:\program files\AOL 9.0
    2009-05-18 14:08 . 2009-05-18 13:55 d-----w- c:\program files\AOL Companion
    2009-05-18 13:55 . 2009-05-18 13:55 d-----w- c:\program files\AOL Toolbar
    2009-05-18 13:55 . 2007-11-20 19:25 d-----w- c:\program files\Common Files\AOL
    2009-05-18 13:54 . 2007-11-20 19:25 d-----w- c:\program files\Common Files\aolshare
    2009-05-18 13:05 . 2009-05-18 13:06 1547264 ----a-w- c:\windows\Internet Logs\xDB1.tmp
    2009-05-15 16:20 . 2009-05-15 16:20 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-05-15 16:20 . 2009-05-15 16:20 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
    2009-05-15 16:07 . 2009-05-15 16:07 dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-05-15 16:07 . 2009-05-15 16:07 d-----w- c:\program files\Lavasoft
    2009-05-15 16:07 . 2007-11-21 13:23 d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-05-13 08:00 . 2009-05-13 08:00 152576 -c--a-w- c:\documents and settings\xxxxxxxxxxx\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
    2009-05-13 05:15 . 2004-08-10 12:51 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-05-12 14:12 . 2007-11-16 14:25 26144 ----a-w- c:\windows\system32\spupdsvc.exe
    2009-05-07 15:32 . 2004-08-10 12:51 345600 ----a-w- c:\windows\system32\localspl.dll
    2009-05-02 13:46 . 2009-03-07 19:14 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2009-04-28 16:43 . 2009-04-28 16:43 10134 -c--a-r- c:\documents and settings\xxxxxxxxxx\Application Data\Microsoft\Installer\{4CCC7F68-A437-4559-A840-F5E010934951}\ARPPRODUCTICON.exe
    2009-04-28 16:38 . 2008-07-03 13:43 10134 -c--a-r- c:\documents and settings\xxxxxxxxxxx\Application Data\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
    2009-04-17 12:26 . 2004-08-10 12:51 1847168 ----a-w- c:\windows\system32\win32k.sys
    2009-04-15 14:51 . 2004-08-10 12:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
    2007-12-07 11:53 . 2007-12-07 11:53 8 --sh--r- c:\windows\system32\59065AF6A4.sys
    2008-08-10 21:35 . 2007-12-07 11:53 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-10-16 18:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2009-06-14 15:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-24 251240]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-14 68856]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-16 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-16 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-16 138008]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
    "%FP%Friendly fts.exe"="c:\program files\VoyagerTest\fts.exe" [2003-05-06 72192]
    "DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
    "DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
    "HostManager"="c:\program files\Common Files\AOL\1195645476\ee\AOLSoftware.exe" [2006-11-17 50736]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
    "OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-01-30 98304]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 919016]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-02 1948440]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-01 520024]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
    "PersonalAV"="c:\program files\PersonalAV\pav.exe" [2009-07-07 1880064]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-16 16132608]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2009-5-18 156784]
    AOL Companion.lnk - c:\program files\AOL Companion\companion.exe [2009-5-18 250992]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-11-16 24576]
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-07-02 08:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ lsdelete
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
    backup=c:\windows\pss\LUMIX Simple Viewer.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "AOLDialer"=c:\program files\Common Files\AOL\ACS\AOLDial.exe
    "RealTray"=c:\program files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    "HostManager"=c:\program files\Common Files\AOL\1195645476\ee\AOLSoftware.exe
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\AOL\\RC\\regClient.exe"=
    "c:\\Program Files\\AOL 9.0 VR\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
    "c:\\Program Files\\AOL 9.0 VRa\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1195645476\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/05/2009 17:20 64160]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/03/2009 20:14 327688]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [07/03/2009 20:14 108552]
    R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [08/12/2008 13:20 464264]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07/03/2009 20:14 298776]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [24/04/2009 12:57 92008]
    R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [29/12/2007 14:17 598856]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder
    2009-07-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 07:48]
    2009-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
    2009-07-07 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2009-06-06 10:39]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.aol.com/
    uInternet Settings,ProxyOverride = *.local
    IE: &AOL Toolbar Search
    IE: E&xport to Microsoft Excel
    DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} - hxxp://asp03.photoprintit.de/microsite/12849//defaults/activex/IPSUploader.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-07 22:32
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...

    c:\windows\system32\msxmlm.dll.tmp 0 bytes
    scan completed successfully
    hidden files: 1
    **************************************************************************
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'explorer.exe'(2276)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Desktop Search\deskbar.dll
    c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
    c:\program files\Windows Desktop Search\dbres.dll
    c:\program files\Windows Desktop Search\wordwheel.dll
    c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
    c:\program files\Windows Desktop Search\msnlExtRes.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Drag-to-Disc\Shellex.dll
    c:\windows\system32\DLAAPI_W.DLL
    c:\windows\system32\CDRTC.DLL
    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\windows\system32\ZoneLabs\vsmon.exe
    c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\PSIService.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\program files\Glary Utilities\Integrator.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\windows\wanmpsvc.exe
    c:\windows\system32\searchindexer.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\igfxsrvc.exe
    c:\windows\system32\searchprotocolhost.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\searchfilterhost.exe
    .
    **************************************************************************
    .
    Completion time: 2009-07-07 22:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-07 21:38
    Pre-Run: 290,957,733,888 bytes free
    Post-Run: 290,859,339,776 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    279 --- E O F --- 2009-06-28 22:40
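The ComboFix log above is the kind of output the thread's helpers offer to decipher by hand. As an added illustration (not code from the thread, from ComboFix or from Malwarebytes), the Python script below parses the log's `((( Section )))` banners and flags any Run-key autorun whose executable lives in a directory ComboFix lists as newly created in its "Files Created" window, which is exactly the pattern the rogue PersonalAV entry shows. The embedded sample log is a constructed excerpt in ComboFix's format, and the "new directory plus autorun" rule is a triage heuristic assumed here, not ComboFix's own verdict.

```python
"""Triage a ComboFix log: flag autorun (Run-key) entries that launch from a
directory ComboFix reports as newly created.  Heuristic only: it surfaces
candidates for a human to look at, it does not decide what is malicious."""
import ntpath
import re

# Constructed excerpt in ComboFix's log format (entries mirror the thread's log).
SAMPLE_LOG = r"""ComboFix 09-07-07.A2 - user 07/07/2009 22:21.1 - NTFSx86
.
((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.
2009-07-07 20:33 . 2009-07-07 20:33   -------- d-----w- c:\program files\PersonalAV
2009-06-16 08:55 . 2009-06-16 08:55   -------- d-----w- c:\program files\iPod
2009-06-10 08:07 . 2009-04-30 21:22   12800   ------w-  c:\windows\system32\dllcache\xpshims.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"PersonalAV"="c:\program files\PersonalAV\pav.exe" [2009-07-07 1880064]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-07-16 16132608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")       # ((( Title )))
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                   # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"')  # "Name"="data"
RESOLVED_RE = re.compile(r'"\s+-\s+(?P<path>[a-z]:\\[^\[]+)', re.IGNORECASE)  # " - c:\full\path"
STAMP_RE = re.compile(r"\[(?P<date>\d{4}-\d\d-\d\d)\s+(?P<size>\d+)\]\s*$")  # [date size]
# Directory rows carry a 'd' attribute block (d-----w-, dc-h--w-, ...) before the path.
CREATED_DIR_RE = re.compile(r"\s(?:-+\s+)?d[-a-z]{7}\s+(?P<path>[a-z]:\\.+?)\s*$", re.IGNORECASE)


def parse_sections(text):
    """Split the log into {section title: [non-empty lines]}; text before the
    first banner is filed under 'Header'."""
    sections, current = {"Header": []}, "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("title")
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def created_dirs(sections):
    """Lower-cased directories listed in the 'Files Created from ... to ...' section."""
    dirs = set()
    for title, lines in sections.items():
        if title.startswith("Files Created"):
            for line in lines:
                m = CREATED_DIR_RE.search(line)
                if m:
                    dirs.add(m.group("path").lower())
    return dirs


def run_entries(sections):
    """(key, value name, launched path, file date) for every value under a *\\Run key.
    run-disabled and other keys are skipped; ComboFix's resolved path after ' - ' wins."""
    entries, key = [], None
    for line in sections.get("Reg Loading Points", []):
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if not (vm and key and key.lower().endswith("\\run")):
            continue
        resolved = RESOLVED_RE.search(line)
        path = (resolved.group("path") if resolved else vm.group("data")).strip()
        stamp = STAMP_RE.search(line)
        entries.append((key, vm.group("name"), path, stamp.group("date") if stamp else None))
    return entries


def flag_new_autoruns(text):
    """Autorun entries whose executable sits in, or under, a newly created directory."""
    sections = parse_sections(text)
    new_dirs = created_dirs(sections)
    flagged = []
    for key, name, path, date in run_entries(sections):
        folder = ntpath.dirname(path).lower()
        hit = next((d for d in new_dirs if folder == d or folder.startswith(d + "\\")), None)
        if hit:
            flagged.append({"key": key, "name": name, "path": path,
                            "file_date": date, "created_dir": hit})
    return flagged


if __name__ == "__main__":
    for f in flag_new_autoruns(SAMPLE_LOG):
        print(f"{f['name']:<14} {f['path']}  (dir created: {f['created_dir']}, file dated {f['file_date']})")
```

On the thread's full log the same rule singles out `PersonalAV` while leaving the AVG, Apple and AOL autoruns alone, because their executables live in directories that only appear in the Find3M report.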
  • Blackpool_Saver
    Blackpool_Saver Posts: 6,599 Forumite
    what you should do is have your own computer.
    Blackpool_Saver is female, and does not live in Blackpool

  • malware log

    Malwarebytes' Anti-Malware 1.38
    Database version: 2388
    Windows 5.1.2600 Service Pack 3
    07/07/2009 23:30:56
    mbam-log-2009-07-07 (23-30-56).txt
    Scan type: Quick Scan
    Objects scanned: 95135
    Time elapsed: 5 minute(s), 35 second(s)
    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 3
    Files Infected: 4
    Memory Processes Infected:
    C:\Program Files\PersonalAV\pav.exe (Rogue.PersonalAntiVirus) -> Unloaded process successfully.
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\personalav (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Environment\avapp (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Environment\avuninst (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    C:\Program Files\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
    c:\documents and settings\All Users\Start Menu\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
    Files Infected:
    c:\program files\personalav\pav.exe (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
    c:\program files\common files\uninstall\personalav\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\start menu\personalav\Personal Antivirus.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
    c:\documents and settings\all users\start menu\personalav\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
  • GunJack
    GunJack Posts: 11,894 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    starting to look better :) how's it behaving ??

    might be an idea now to run hiJack This as mentioned earlier...post the log back here..
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • aliEnRIK
    aliEnRIK Posts: 17,741 Forumite
    Part of the Furniture Combo Breaker
    I'd suggest updating malwarebytes and running a FULL scan now

    Uninstall the ASK toolbar (ASKBARDIS)

    Turn off Spybot's 'TEA TIMER' mode (At least until we get this sorted) ~
    Open Spybot
    Change Mode (Top) to ADVANCED
    Select TOOLS then RESIDENT
    UNTICK 'Resident TEA TIMER' (Leave 'SD Helper' TICKED)

    I'd recommend uninstalling ADAWARE
    It's next to useless these days

    Download CCLEANER
    http://www.ccleaner.com/download/builds/downloading-slim
    Run the CLEANER scan
    Then run the REGISTRY scan (Backup the registry when it asks)

    reboot

    Download HIJACK THIS (Make sure you click 'DOWNLOAD LATEST VERSION')
    http://www.filehippo.com/download_hijackthis/
    Click DO A SCAN AND SAVE A LOGFILE (Takes seconds) then post the log so we can see what's running
    (do NOT do anything else with Hijack but scan and post the FULL log)
  • pennymakespounds
    pennymakespounds Posts: 1,482 Forumite
    1,000 Posts Combo Breaker
    gunjack .. turned pc on this morning .. all peaceful !.. nothing flashing . maybe just a bit slow ?

    alienrik will do those now.