1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

WinAntiVirusPro? Trojan?

Discussion in 'Virus & Other Malware Removal' started by yadkin, Jul 13, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. yadkin

    yadkin Thread Starter

    Joined:
    Jul 12, 2006
    Messages:
    23
    I've gotten rid of some of the compoenents but can't completely eliminate. Pop up for WinAntiVirusPro surfaces when computer is rebooted each time. Any advice is appreciated. Where should I start?
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,272
    First Name:
    Derek
    go to here and download 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press run from the website Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop.
    Click on the entry in start menu or on the desktop to run HijackThis
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. yadkin

    yadkin Thread Starter

    Joined:
    Jul 12, 2006
    Messages:
    23
    Thanks a million for responding! Here's the Hijack:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:54:12 PM, on 7/13/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Common Files\Symantec Shared\Security

    Center\SymWSC.exe
    C:\Program Files\Common Files\Companion Wizard\compwiz.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

    www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet

    Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

    www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar -

    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

    Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper -

    {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program

    Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! IE Services Button -

    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

    Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: CNavExtBho Class -

    {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program

    Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus -

    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program

    Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar -

    {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

    Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroCheck]

    C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common

    Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common

    Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program

    Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

    C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [CompanionWizard] "C:\Program

    Files\Common Files\Companion Wizard\compwiz.exe"
    O4 - HKLM\..\Run: [AVG7_CC]

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN

    Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft

    Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft

    Office\Office\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk =

    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk =

    C:\Program Files\America Online 9.0\aoltray.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program

    Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary -

    file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program

    Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program

    Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services -

    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

    Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: PartyPoker.com -

    {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program

    Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com -

    {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program

    Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: Real.com -

    {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

    C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger -

    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -

    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus

    pro 2006\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus

    pro 2006\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus

    pro 2006\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus

    pro 2006\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus

    pro 2006\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus

    pro 2006\mailscan.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}

    (Symantec AntiVirus scanner) -

    http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.

    cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}

    (WUWebControl Class) -

    http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/

    client/wuweb_site.cab?1121722006046
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5}

    (Symantec RuFSI Utility Class) -

    http://security.symantec.com/sscv6/SharedContent/common/bin/ca

    bsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

    (ActiveScan Installer Class) -

    http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: WgaLogon -

    C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America

    Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec

    Corporation - C:\Program

    Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT,

    s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT,

    s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o.

    - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: LiveUpdate - Symantec Corporation -

    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec

    Corporation -

    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec

    Corporation - C:\Program Files\Common Files\Symantec

    Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service

    (WANMiniportService) - America Online, Inc. -

    C:\WINDOWS\wanmpsvc.exe
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,272
    First Name:
    Derek
    that scambled on posting

    rescan with HJt & when you copy it select wordwrap
     
  5. yadkin

    yadkin Thread Starter

    Joined:
    Jul 12, 2006
    Messages:
    23
    Sorry...reposting

    Logfile of HijackThis v1.99.1
    Scan saved at 6:54:12 PM, on 7/13/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Common Files\Companion Wizard\compwiz.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121722006046
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
     
  6. yadkin

    yadkin Thread Starter

    Joined:
    Jul 12, 2006
    Messages:
    23
    Derek...I can't get rid of O10...it resurfaces persistently. When the WinAntiVirusPro started running, I had pop ups and icons on the tool bar, and IE was slow. I ran Spybot to try to correct the registry problem but it doesn't go away...I must be missing something else.. What's my next step?
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,272
    First Name:
    Derek
    first


    Download LSPfix here: http://www.cexx.org/lspfix.htm
    and now run the LSPFIX application. You will see a list of files in the left hand pane and possibly some in the right hand pane. Tick the"I know what i'm doing" box & select any instances of c:\program files\winantivirus pro 2006\mailscan.dll that are in the left hand keep pane and move them to the right hand remove pane, DO NOT MOVE ANY OTHER FILES, press finish and the program will do anything necessary


    then before we blindly delete files & folders with this one

    • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!

    Reboot into Safe Mode
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Doubleclick WinPFind.exe
    • Now Click "Start Scan"
    • It will scan the entire System, so please be patient!
    • Once the Scan is Complete
      • Reboot back to Normal Mode!
      • Go to the WinPFind folder
      • Locate WinPFind.txt
      • Place those results in the next post!.
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/482997

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice