Removal of anti-virus 2010 trojan - help please!!!

For some reason this virus has gotten on my computer and will not let me into the internet.

I've run Spybot and it has said it's removed it - when I reboot, yes, the program isn't there, but the moment I go into IE it comes back again.

I then ran spybot in safe mode and it even took over that.

I've run a Malwarebytes full scan updated to the latest version and it never found it. I've run CCleaner, but it's still there.

How can I get rid of this damn virus? - it won't let me do anything on my computer - I'm on my other computer by the way.

I'd appreciate your help as soon as possible please as it's the main computer and the one I'm using is very old and slow.

Thank you in advance.

Comments

  • glicky
    glicky Posts: 318 Forumite
    turbobob wrote: »


    Thanks, but I've run Malwarebytes and it didn't come up with an infection - it does in Spybot - I remove it and reboot, all seems OK and then the moment I start up IE, it comes back again :mad:

    I've done a HijackThis log in another thread - is there anything else I can do please?
  • Browntoa
    Browntoa Posts: 49,591 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    Ex forum ambassador

    Long term forum member
  • glicky
    glicky Posts: 318 Forumite
    Browntoa wrote: »

    Thank you - doing it now
  • Browntoa
    Browntoa Posts: 49,591 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    If it won't run, download the following file to your desktop.

    rkill.com Download Link

    double-click on the rkill.com in order to automatically attempt to stop any processes

    while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that Rkill is an infection, do not be concerned. This message is just a fake warning given by Antivirus System Pro when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that Rkill can terminate Antivirus System Pro. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the guide.

    Do not reboot your computer after running rkill as the malware programs will start again.

    (text sourced from http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-pro )
    Ex forum ambassador

    Long term forum member
  • glicky
    glicky Posts: 318 Forumite
    I'm running Combofix on my infected computer and will copy and paste results on flash pen and post them on here.

    Thank goodness it's running on there - I downloaded the program onto a flash pen, so didn't have to go into IE on the infected computer. Hopefully you will understand my gobbledygook - I'm not that good with computers
  • glicky
    glicky Posts: 318 Forumite
    HERE'S MY COMBOFIX LOG:


    ComboFix 10-01-27.03 - Sandra 27/01/2010 21:16:03.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2038.968 [GMT 0:00]
    Running from: F:\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-1299641467-4069592350-592652695-500
    c:\$recycle.bin\S-1-5-21-3748389908-218703416-2939671690-500
    c:\users\Sandra\AppData\Roaming\inst.exe
    c:\windows\struct~.ini

    .
    ((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
    .

    2010-01-27 20:49 . 2010-01-27 20:50 388096 ----a-r- c:\users\Sandra\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-01-27 20:49 . 2010-01-27 20:49 d-----w- c:\program files\TrendMicro
    2010-01-27 17:33 . 2010-01-27 17:33 345600 --sha-w- c:\users\Sandra\AppData\Local\av.exe
    2010-01-26 01:10 . 2010-01-26 01:10 d-----w- c:\program files\Veetle
    2010-01-22 14:30 . 2010-01-22 14:30 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
    2010-01-22 14:30 . 2010-01-22 14:30 47360 ----a-w- c:\users\Sandra\AppData\Roaming\pcouffin.sys
    2010-01-21 14:02 . 2010-01-27 09:44 d-----w- c:\users\Sandra\AppData\Roaming\vlc
    2010-01-13 07:58 . 2009-10-19 14:27 156672 ----a-w- c:\windows\system32\t2embed.dll
    2010-01-13 07:58 . 2009-10-19 14:24 72704 ----a-w- c:\windows\system32\fontsub.dll
    2010-01-11 19:06 . 2010-01-11 19:06 d-----w- c:\program files\Common Files\xing shared

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-01-27 19:17 . 2009-07-23 10:42 d-----w- c:\programdata\Spybot - Search & Destroy
    2010-01-27 19:13 . 2008-07-05 05:13 12 ----a-w- c:\windows\bthservsdp.dat
    2010-01-27 18:22 . 2009-07-21 18:19 117760 ----a-w- c:\users\Sandra\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-01-27 17:48 . 2008-07-05 06:30 d-----w- c:\program files\Common Files\Adobe
    2010-01-27 12:28 . 2009-07-21 18:27 d-----w- c:\users\Sandra\AppData\Roaming\uTorrent
    2010-01-27 12:16 . 2009-07-21 17:46 d-----w- c:\users\Sandra\AppData\Roaming\Vso
    2010-01-24 11:41 . 2009-07-21 18:10 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-01-22 16:07 . 2009-11-18 11:46 d-----w- c:\program files\Glary Utilities
    2010-01-22 14:30 . 2009-07-21 17:46 d-----w- c:\program files\vso
    2010-01-20 07:51 . 2009-08-06 19:19 d-----w- c:\program files\Microsoft Silverlight
    2010-01-17 10:16 . 2009-07-21 18:03 d-----w- c:\users\Sandra\AppData\Roaming\Any Video Converter
    2010-01-14 11:12 . 2009-10-03 00:49 181120 ------w- c:\windows\system32\MpSigStub.exe
    2010-01-14 03:11 . 2009-12-19 02:44 52224 ----a-w- c:\users\Sandra\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-01-14 03:01 . 2008-07-05 06:26 d-----w- c:\programdata\Microsoft Help
    2010-01-13 12:23 . 2006-11-02 11:18 d-----w- c:\program files\Windows Mail
    2010-01-11 19:07 . 2009-07-21 18:37 d-----w- c:\program files\Common Files\Real
    2010-01-11 19:06 . 2006-07-11 17:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-01-11 10:23 . 2009-12-04 05:03 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2010-01-07 16:07 . 2009-07-21 18:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 16:07 . 2009-07-21 18:10 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-12-23 08:44 . 2009-11-18 11:51 d-----w- c:\users\Sandra\AppData\Roaming\GlarySoft
    2009-12-18 13:05 . 2010-01-22 09:16 833024 ----a-w- c:\windows\system32\wininet.dll
    2009-12-18 13:01 . 2010-01-22 09:16 78336 ----a-w- c:\windows\system32\ieencode.dll
    2009-12-18 10:14 . 2010-01-22 09:16 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-12-07 23:12 . 2009-12-04 23:58 d-----w- c:\program files\Coupon Printer
    2009-12-04 22:57 . 2009-07-21 18:16 d-----w- c:\program files\SopCast
    2009-12-03 23:23 . 2009-07-29 15:49 d-----w- c:\users\Sandra\AppData\Roaming\dvdcss
    2009-11-09 13:22 . 2009-12-11 00:05 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2009-11-09 13:20 . 2009-12-11 00:05 31232 ----a-w- c:\windows\system32\httpapi.dll
    2009-11-09 11:04 . 2009-12-11 00:05 411136 ----a-w- c:\windows\system32\drivers\http.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-03-11 159744]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
    "OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    "SUPERAntiSpyware"=c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "HP Software Update"=c:\program files\Hp\HP Software Update\HPWuSchd2.exe
    "HotKeysCmds"=c:\windows\system32\hkcmd.exe
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe"
    "IgfxTray"=c:\windows\system32\igfxtray.exe
    "Persistence"=c:\windows\system32\igfxpers.exe
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 09:05 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 09:05 72944]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [24/08/2009 08:56 1153368]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\System32\drivers\MpNWMon.sys [18/06/2009 18:48 42480]
    R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [17/11/2008 14:40 3668480]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 09:05 7408]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bthsvcs REG_MULTI_SZ BthServ
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2007-08-24 00:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-01-27 c:\windows\Tasks\GlaryInitialize.job
    - c:\program files\Glary Utilities\initialize.exe [2009-11-18 23:01]

    2010-01-27 c:\windows\Tasks\User_Feed_Synchronization-{76EE52B3-B311-49C3-89E1-06A6011CA0B7}.job
    - c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]
    .
    .

    Supplementary Scan

    .
    uStart Page = hxxp://www.justine-henin.be/en.php
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
    IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
    IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
    IE: S&end to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
    IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    FF - ProfilePath - c:\users\Sandra\AppData\Roaming\Mozilla\Firefox\Profiles\bm7gpty8.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.justine-henin.be/public/forum_main.asp?lang=en&DisplayLang=E&subjects=
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-01-27 21:28
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .

    LOCKED REGISTRY KEYS


    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-01-27 21:32:29
    ComboFix-quarantined-files.txt 2010-01-27 21:32

    Pre-Run: 158,895,792,128 bytes free
    Post-Run: 158,821,076,992 bytes free

    - - End Of File - - 0F060A7EFBA996909D33E96ABE472814
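    Reading a ComboFix log by eye is slow, and the things a responder actually looks for in it can be written down as rules. The Python below is an added example, not ComboFix's own logic and not code from anyone in this thread: it parses the file-listing lines and the REGEDIT4-style registry section of the log above (the sample lines are copied from that log), flags executables under a user profile that carry the hidden and system attributes (the av.exe entry), flags driver files sitting outside c:\windows, and flags registry values that weaken the platform's own defences (EnableLUA set to 0, DisableMonitoring set to 1 under Security Center). The eight-character attribute field layout, the rule thresholds and the function names are my assumptions.

```python
import re

# Lines copied from the ComboFix log posted in this thread (file and registry
# sections only). The rules below are an added example, not ComboFix's own logic.
SAMPLE_LOG = r"""
2010-01-27 20:49 . 2010-01-27 20:50 388096 ----a-r- c:\users\Sandra\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-27 20:49 . 2010-01-27 20:49 d-----w- c:\program files\TrendMicro
2010-01-27 17:33 . 2010-01-27 17:33 345600 --sha-w- c:\users\Sandra\AppData\Local\av.exe
2010-01-22 14:30 . 2010-01-22 14:30 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-01-22 14:30 . 2010-01-22 14:30 47360 ----a-w- c:\users\Sandra\AppData\Roaming\pcouffin.sys
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# "<created> . <modified> [<size>] <attrs> <path>"; directories carry no size.
# Assumed layout: an 8-character attribute field such as ----a-w-, --sha-w-, d-----w-.
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: (\d+))? ([-a-z]{8}) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"=value
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def parse_file_entry(line):
    """Return a dict for a file-listing line, or None if the line is not one."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return {"created": created, "modified": modified,
            "size": int(size) if size else None, "attrs": attrs, "path": path,
            "is_dir": attrs[0] == "d", "hidden": "h" in attrs, "system": "s" in attrs}


def is_user_profile(path):
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\appdata\\" in p


def flag_suspicious_files(log_text):
    """Review prompts: hidden+system executables in a user profile, and
    driver files (.sys) that live outside c:\\windows."""
    hits = []
    for line in log_text.splitlines():
        e = parse_file_entry(line)
        if e is None or e["is_dir"]:
            continue
        path = e["path"].lower()
        if not path.endswith(EXEC_EXT):
            continue
        if e["hidden"] and e["system"] and is_user_profile(path):
            hits.append((e["path"], "hidden+system executable in user profile"))
        elif path.endswith(".sys") and not path.startswith("c:\\windows\\"):
            hits.append((e["path"], "driver file outside c:\\windows"))
    return hits


# (substring of the key, value name, predicate on the value text, description)
WEAKENING_RULES = [
    ("\\policies\\system", "EnableLUA", lambda v: v.startswith("0"), "UAC disabled"),
    ("security center\\monitoring", "DisableMonitoring",
     lambda v: v.endswith("00000001"), "Security Center monitoring disabled"),
]


def flag_registry_weakening(log_text):
    """Walk the REGEDIT4-style section and report values that turn defences off."""
    findings, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1).lower()
            continue
        vm = VALUE_RE.match(line)
        if not (vm and key):
            continue
        name, value = vm.group(1), vm.group(2).strip()
        for key_part, want_name, pred, desc in WEAKENING_RULES:
            if key_part in key and name.lower() == want_name.lower() and pred(value):
                findings.append((key, name, desc))
    return findings


if __name__ == "__main__":
    for path, why in flag_suspicious_files(SAMPLE_LOG):
        print(f"FILE  {why}: {path}")
    for key, name, why in flag_registry_weakening(SAMPLE_LOG):
        print(f"REG   {why}: [{key}] {name}")
```

    Everything this reports is a prompt for review, not a verdict: the pcouffin.sys copy under AppData\Roaming is flagged only because a driver outside c:\windows is unusual, and the same file also appears under system32\drivers with the same size, which is consistent with an installer keeping a copy. The EnableLUA and DisableMonitoring findings matter regardless of which program set them, because both leave the machine with less protection than Vista ships with and should be turned back on once the cleanup is done.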
  • Browntoa
    Browntoa Posts: 49,591 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    edited 27 January 2010 at 10:49PM
    Has it stopped the infection?

    Can you now update Malwarebytes and scan?

    I suspect that torrent downloader you have was the way the infection arrived on the PC.

    AlienRik may find some odds and ends on the ComboFix log that need fixing; he will post instructions if need be.
    Ex forum ambassador

    Long term forum member
  • glicky
    glicky Posts: 318 Forumite
    Browntoa wrote: »
    Has it stopped the infection?

    Can you now update Malwarebytes and scan?

    I suspect that torrent downloader you have was the way the infection arrived on the PC.

    AlienRik may find some odds and ends on the ComboFix log that need fixing; he will post instructions if need be.

    I'm running Malwarebytes in safe mode on that computer and we will see if it brings anything up. Once that has finished, I will reboot and see what happens - here's crossing fingers.

    What torrent downloader is that please?

    Thank you once again for your help. Hopefully AlienRik may come along :)

    EDIT: Does that mean Combofix "fixed" it? Did it remove the registry or whatever the infection was?
  • Browntoa
    Browntoa Posts: 49,591 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    This torrent downloader:

    c:\users\Sandra\AppData\Roaming\uTorrent

    Did you update Malwarebytes?

    ComboFix did delete some stuff; it removes multiple infections at once, so hopefully yes.
    Ex forum ambassador

    Long term forum member
This discussion has been closed.