AVG System Tray/Software Issues

This is a discussion on AVG System Tray/Software Issues within the Resolved HJT Threads forums, part of the Tech Support Forum category.

Old 10-19-2011, 11:41 PM   #1
Registered Member
 
Join Date: Oct 2011
Posts: 42
OS: Windows 8



Hi and thanks in advance for any help anyone can provide.

Just yesterday I was simply browsing the internet (nothing dodgy or malicious, at least I thought) and an error message popped up saying that Windows Explorer had crashed; then I realised the AVG icon had been removed from the system tray.

When I restarted my machine, it wouldn't complete the shut-down process and turn off (it still won't), and when I returned to Windows, AVG would again be removed from the tray. When I tried to run the app it said that a shield was missing but it was unable to fix the problem.

I'm a bit stuck on where to begin. I tried to use System Restore to reset to the previous day's settings, but AVG still had the same problems on startup.

Any advice or help would be great; see my DDS report below. I had trouble getting an "ARK.txt" file, because the program would just crash after the scan instead of letting me save the txt file. Instead I used the alternate method described in the instructions.


Thanks again.




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15
Run by Username at 19:37:16 on 2011-10-20
Microsoft Windows XP Professional 5.1.2600.3.1252.64.1033.18.3071.2357 [GMT 13:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\4174197957:986395143.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe
C:\Program Files\Splashtop\Splashtop Software Updater\SSUService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Tablet\Pen\Pen_Tablet.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE
C:\Program Files\Bamboo Dock\BambooCore.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = Google
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IeCatch5 Class: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\progra~1\flashget\jccatch.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: gFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\progra~1\flashget\getflash.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [FlashGet 3] "c:\program files\flashget network\flashget 3\FlashGet3.exe" -minimize
uRun: [Audiogalaxy] "c:\documents and settings\username\local settings\application data\audiogalaxy\Audiogalaxy.exe" /startup
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [EPSON Stylus C67 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAAP.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB001" /M "Stylus C67"
mRun: [Joystick 2 Mouse] c:\program files\joystick 2 mouse 3\Joystick 2 Mouse.exe /NoConfigure
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [BambooCore] c:\program files\bamboo dock\BambooCore.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\username\startm~1\programs\startup\rauiex~1.lnk - c:\program files\ralink\common\RaUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: kuaiche.com\software
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228727383812
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{EF14CD9B-2D02-475A-9F5E-9AC6FED1C396} : DhcpNameServer = 192.168.1.254
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\username\application data\mozilla\firefox\profiles\85jwgwcs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4bfdb9f8&v=7.008.031.001&i=23&tp=ab&iy=&ychte=au&lng=en-GB&q=
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\[email protected]\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\[email protected]\components\xpavgtbapi.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\tabletplugins\npwacom.dll
FF - plugin: c:\program files\tvuplayer\npTVUAx.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-12-4 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-12-20 366152]
R2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files\splashtop\splashtop remote\server\SRService.exe [2011-9-9 518472]
R2 SSUService;Splashtop Software Updater Service;c:\program files\splashtop\splashtop software updater\SSUService.exe [2011-9-21 366408]
R2 TabletServicePen;TabletServicePen;c:\program files\tablet\pen\Pen_Tablet.exe [2011-4-20 4869488]
R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\tablet\pen\Pen_TouchService.exe [2011-4-20 416112]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-9-21 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2008-12-20 22216]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2011-4-20 16240]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
S2 dualshock3;DUALSHOCK3 Controller HID Minidriver (USB) Beta;c:\windows\system32\drivers\dualshock3.sys [2009-9-21 11392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-17 136176]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S3 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-13 1025352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-17 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-16 227232]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
.
=============== Created Last 30 ================
.
2011-10-19 09:29:50 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-10-19 09:29:50 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-19 09:21:22 48016 --sha-w- c:\windows\system32\c_69221.nl_
2011-10-19 09:02:30 -------- d-sh--w- c:\documents and settings\username\local settings\application data\c534cdf8
2011-10-13 07:37:49 -------- d-----w- c:\program files\iPod
2011-10-13 07:37:47 -------- d-----w- c:\program files\iTunes
2011-10-02 00:40:00 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-10-01 03:05:44 -------- d-----w- c:\documents and settings\all users\application data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-10-01 02:55:08 -------- d-----w- c:\documents and settings\username\local settings\application data\PackageAware
2011-10-01 01:43:43 -------- d-----w- c:\documents and settings\username\application data\AnvSoft
2011-10-01 01:43:02 -------- d-----w- c:\program files\AnvSoft
2011-09-27 22:31:59 175616 ----a-w- c:\windows\system32\unrar.dll
2011-09-24 13:33:26 -------- d-----w- c:\documents and settings\username\local settings\application data\{62FE1C67-1742-45D6-82F7-AEEABC53D1A6}
.
==================== Find3M ====================
.
2011-10-19 09:38:18 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-28 20:07:20 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-25 22:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-25 22:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-25 22:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-05 13:56:22 667136 ----a-w- c:\windows\system32\wininet.dll
2011-09-05 13:56:22 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-09-05 13:56:21 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-09-05 12:35:09 369664 ----a-w- c:\windows\system32\html.iec
2011-08-31 04:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-30 10:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-30 10:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-30 10:05:04 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-30 10:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-12 00:51:26 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2011-07-22 20:51:50 94208 ----a-w- c:\windows\system32\dpl100.dll
.
============= FINISH: 19:38:10.60 ===============
Attached Files
File Type: zip attach.zip (6.9 KB, 28 views)
Ralph123 is offline  
Old 10-21-2011, 02:05 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

First, we need to install the Windows Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. Also, ComboFix will not address certain types of malware unless the RC is installed. It is a simple procedure that will only take a few moments of your time.

Download the file from this Microsoft page:

Download Details - Microsoft Download Center - Windows XP Professional with Service Pack 2 Utility: Setup Disks for Floppy Boot Install

Do not be concerned that this file is for SP2 if you have SP3. It will work just fine on your system.

Save it as it is originally named to your Desktop.

Now close all open windows and programs, including all antivirus and antispyware programs. Get help here



Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Recovery Console.

As part of installing the Recovery Console, ComboFix will begin to run. Your desktop may disappear. This is normal. It will return.

ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:



Please continue as follows:
  • Close/disable all antivirus and antispyware programs so they do not interfere with the running of ComboFix. Get help here
  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 10-21-2011, 04:45 PM   #3
Registered Member
 
Join Date: Oct 2011
Posts: 42
OS: Windows 8



Thanks for your help. AVG Resident Shield and ID Protection are still down.

Here is the report:

ComboFix 11-10-21.06 - Username 22/10/2011 12:17:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.64.1033.18.3071.2457 [GMT 13:00]
Running from: c:\documents and settings\Username\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Username\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Username\Application Data\inst.exe
c:\documents and settings\Username\Local Settings\Application Data\c534cdf8
c:\documents and settings\Username\Local Settings\Application Data\c534cdf8\@
c:\documents and settings\Username\Local Settings\Application Data\c534cdf8\U\[email protected]
c:\documents and settings\Username\Local Settings\Application Data\c534cdf8\U\[email protected]
c:\documents and settings\Username\Local Settings\Application Data\c534cdf8\X
c:\documents and settings\Username\Local Settings\Temporary Internet Files\udDownload[1].tmp
c:\documents and settings\Username\Start Menu\Programs\Startup\RaUI.exe.lnk
c:\documents and settings\Username\WINDOWS
c:\windows\$NtUninstallKB63283$
c:\windows\$NtUninstallKB63283$\1749149025
c:\windows\$NtUninstallKB63283$\3308572152\@
c:\windows\$NtUninstallKB63283$\3308572152\L\jruleqzn
c:\windows\$NtUninstallKB63283$\3308572152\loader.tlb
c:\windows\$NtUninstallKB63283$\3308572152\U\@00000001
c:\windows\$NtUninstallKB63283$\3308572152\U\@000000c0
c:\windows\$NtUninstallKB63283$\3308572152\U\@000000cb
c:\windows\$NtUninstallKB63283$\3308572152\U\@000000cf
c:\windows\$NtUninstallKB63283$\3308572152\U\@80000000
c:\windows\$NtUninstallKB63283$\3308572152\U\@800000c0
c:\windows\$NtUninstallKB63283$\3308572152\U\@800000cb
c:\windows\$NtUninstallKB63283$\3308572152\U\@800000cf
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\help\tours\htmltour\unlock_playing.htm
c:\windows\system32\
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\c_69221.nls
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP998\A0148692.exe
.
Infected copy of c:\program files\AVG\AVG10\avgwdsvc.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0152752.exe
.
Infected copy of c:\windows\system32\bgsvcgen.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP998\A0148693.exe
.
Infected copy of c:\program files\Canon\IJPLM\IJPLMSVC.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP998\A0148694.exe
.
Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP998\A0148695.exe
.
Infected copy of c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0149784.exe
.
Infected copy of c:\windows\system32\nvsvc32.exe was found and disinfected
Restored copy from - c:\windows\system32\ReinstallBackups\0002\DriverFiles\nvsvc32.exe
.
Infected copy of c:\program files\Splashtop\Splashtop Remote\Server\SRService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP998\A0148696.exe
.
Infected copy of c:\program files\Splashtop\Splashtop Software Updater\SSUService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP998\A0148697.exe
.
Infected copy of c:\windows\system32\bgsvcgen.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP998\A0148693.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_c534cdf8
.
.
((((((((((((((((((((((((( Files Created from 2011-09-21 to 2011-10-21 )))))))))))))))))))))))))))))))
.
.
2011-10-21 23:13 . 2008-04-13 11:10 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-10-21 23:13 . 2008-04-13 11:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-19 09:29 . 2011-10-19 09:29 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-19 09:21 . 2011-10-19 09:31 48016 --sha-w- c:\windows\system32\c_69221.nl_
2011-10-13 07:37 . 2011-10-13 07:37 -------- d-----w- c:\program files\iPod
2011-10-13 07:37 . 2011-10-13 07:38 -------- d-----w- c:\program files\iTunes
2011-10-02 07:03 . 2011-10-02 07:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\DivX
2011-10-02 00:40 . 2011-10-02 00:40 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-10-01 03:05 . 2011-10-01 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-10-01 02:55 . 2011-10-01 02:55 -------- d-----w- c:\documents and settings\Username\Local Settings\Application Data\PackageAware
2011-10-01 01:43 . 2011-10-01 01:43 -------- d-----w- c:\documents and settings\Username\Application Data\AnvSoft
2011-10-01 01:43 . 2011-10-01 01:43 -------- d-----w- c:\program files\AnvSoft
2011-09-27 22:31 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll
2011-09-24 13:33 . 2011-09-24 13:33 -------- d-----w- c:\documents and settings\Username\Local Settings\Application Data\{62FE1C67-1742-45D6-82F7-AEEABC53D1A6}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-19 09:38 . 2008-12-19 22:17 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-28 20:07 . 2011-05-24 06:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-25 22:41 . 2008-07-29 07:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-25 22:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-25 22:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-05 13:56 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-09-05 13:56 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-09-05 13:56 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-09-05 12:35 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
2011-08-31 04:00 . 2008-12-19 22:17 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-30 10:05 . 2011-08-30 10:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-30 10:05 . 2011-08-30 10:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-30 10:05 . 2011-08-30 10:05 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-30 10:05 . 2011-08-30 10:05 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-12 00:51 . 2008-09-04 23:55 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2011-09-30 08:47 . 2011-04-30 01:20 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-29 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-05-29 23:33 2495816 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-29 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-29 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Audiogalaxy"="c:\documents and settings\Username\Local Settings\Application Data\Audiogalaxy\Audiogalaxy.exe" [2011-06-15 2953448]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" [2007-06-15 1826816]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"nwiz"="nwiz.exe" [2008-07-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-26 86016]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-08 155648]
"EPSON Stylus C67 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE" [2005-01-24 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-09 2338656]
"BambooCore"="c:\program files\Bamboo Dock\BambooCore.exe" [2011-05-11 629848]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-12 77824]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\Remote Mouse\\server\\server.exe"=
"c:\\Program Files\\ServeToMe\\Contents\\Windows\\ServeToMe.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\DataProxy.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\inputserv.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\SRLogin.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 4:27 p.m. 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7/09/2010 3:48 a.m. 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/09/2010 3:48 a.m. 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/09/2010 3:49 a.m. 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/12/2008 1:50 p.m. 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/12/2008 1:50 p.m. 55024]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [8/02/2011 6:33 a.m. 269520]
R2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files\Splashtop\Splashtop Remote\Server\SRService.exe [9/09/2011 12:13 p.m. 518472]
R2 SSUService;Splashtop Software Updater Service;c:\program files\Splashtop\Splashtop Software Updater\SSUService.exe [21/09/2011 9:27 p.m. 366408]
R2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [20/04/2011 3:59 p.m. 4869488]
R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [20/04/2011 4:10 p.m. 416112]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 9:42 p.m. 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 9:42 p.m. 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 9:42 p.m. 27216]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [21/09/2009 10:15 p.m. 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20/12/2008 11:17 a.m. 22216]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [4/01/2011 3:23 p.m. 47360]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [20/04/2011 4:00 p.m. 16240]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [18/08/2011 2:33 a.m. 7390560]
S2 dualshock3;DUALSHOCK3 Controller HID Minidriver (USB) Beta;c:\windows\system32\drivers\dualshock3.sys [21/09/2009 10:35 p.m. 11392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17/05/2010 1:01 p.m. 136176]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [20/12/2008 11:17 a.m. 363344]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [13/05/2011 9:37 a.m. 1025352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [17/05/2010 1:01 p.m. 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [16/01/2010 1:49 a.m. 227232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/12/2008 1:50 p.m. 7408]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 05:57]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-17 06:08]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-17 06:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: kuaiche.com\software
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\documents and settings\Username\Application Data\Mozilla\Firefox\Profiles\85jwgwcs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4bfdb9f8&v=7.008.031.001&i=23&tp=ab&iy=&ychte=au&lng=en-GB&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-FlashGet 3 - c:\program files\FlashGet Network\FlashGet 3\FlashGet3.exe
HKLM-Run-avgnt - c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
HKLM-Run-Joystick 2 Mouse - c:\program files\Joystick 2 Mouse 3\Joystick 2 Mouse.exe
AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
AddRemove-TVUPlayer - c:\program files\TVUPlayer\uninst.exe
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\bm_installer.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-10-22 12:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3220)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Tablet\Pen\Pen_TouchUser.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Tablet\Pen\Pen_TabletUser.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG10\avgnsx.exe
c:\program files\AVG\AVG10\avgemcx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2011-10-22 12:38:54 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-21 23:38
.
Pre-Run: 63,276,683,264 bytes free
Post-Run: 65,272,995,840 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 530883B9EDC39D0F51D0204851C1F675
Thanks.
Ralph123 is offline  
Old 10-21-2011, 06:47 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10
Hello Ralph123. You're welcome.

You may have to uninstall, reboot, then re-install AVG to solve that problem.

First, see if the next ComboFix run solves the problem.

------------------------------------------------------

Your hard drive is almost full. Having too little free space on your hard drive can compromise system performance.

Quote:
C: is FIXED (NTFS) - 596 GiB total, 53.201 GiB free.

I suggest you move pictures, music, etc. to an external drive or USB stick if you have one and uninstall any programs that are never or hardly ever used.

------------------------------------------------------

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
https://www.techsupportforum.com/forums/f50/avg-system-tray-software-issues-607367.html#post3482475

ClearJavaCache::

Collect::
c:\windows\system32\c_69221.nl_

Save this Notepad file as CFScript.txt to your Desktop and then close the file.
Referring to the picture above, drag CFScript onto ComboFix

If you are prompted to update ComboFix and have an internet connection, please choose Yes

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 10-21-2011, 08:10 PM   #5
Registered Member
 
Join Date: Oct 2011
Posts: 42
OS: Windows 8
AVG seems to have the same issues, here's the new log:

ComboFix 11-10-21.06 - Username 22/10/2011 15:54:06.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.64.1033.18.3071.2272 [GMT 13:00]
Running from: c:\documents and settings\Username\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Username\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
file zipped: c:\windows\system32\c_69221.nl_
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\c_69221.nl_
.
.
((((((((((((((((((((((((( Files Created from 2011-09-22 to 2011-10-22 )))))))))))))))))))))))))))))))
.
.
2011-10-21 23:13 . 2008-04-13 11:10 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2011-10-21 23:13 . 2008-04-13 11:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-10-19 09:29 . 2011-10-19 09:29 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-13 07:37 . 2011-10-13 07:37 -------- d-----w- c:\program files\iPod
2011-10-13 07:37 . 2011-10-13 07:38 -------- d-----w- c:\program files\iTunes
2011-10-02 07:03 . 2011-10-02 07:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\DivX
2011-10-02 00:40 . 2011-10-02 00:40 -------- d-----w- c:\program files\Combined Community Codec Pack
2011-10-01 03:05 . 2011-10-01 03:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
2011-10-01 02:55 . 2011-10-01 02:55 -------- d-----w- c:\documents and settings\Username\Local Settings\Application Data\PackageAware
2011-10-01 01:43 . 2011-10-01 01:43 -------- d-----w- c:\documents and settings\Username\Application Data\AnvSoft
2011-10-01 01:43 . 2011-10-01 01:43 -------- d-----w- c:\program files\AnvSoft
2011-09-27 22:31 . 2011-03-02 10:43 175616 ----a-w- c:\windows\system32\unrar.dll
2011-09-24 13:33 . 2011-09-24 13:33 -------- d-----w- c:\documents and settings\Username\Local Settings\Application Data\{62FE1C67-1742-45D6-82F7-AEEABC53D1A6}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-19 09:38 . 2008-12-19 22:17 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-28 20:07 . 2011-05-24 06:05 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-25 22:41 . 2008-07-29 07:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-25 22:41 . 2004-08-04 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-25 22:41 . 2004-08-04 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-05 13:56 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-09-05 13:56 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-09-05 13:56 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-09-05 12:35 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
2011-08-31 04:00 . 2008-12-19 22:17 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-30 10:05 . 2011-08-30 10:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-30 10:05 . 2011-08-30 10:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-30 10:05 . 2011-08-30 10:05 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-30 10:05 . 2011-08-30 10:05 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-12 00:51 . 2008-09-04 23:55 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2011-09-30 08:47 . 2011-04-30 01:20 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( [email protected]_23.33.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-22 03:01 . 2011-10-22 03:01 16384 c:\windows\Temp\Perflib_Perfdata_c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-29 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-05-29 23:33 2495816 ----a-w- c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-29 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll" [2011-05-29 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Audiogalaxy"="c:\documents and settings\Username\Local Settings\Application Data\Audiogalaxy\Audiogalaxy.exe" [2011-06-15 2953448]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16380416]
"SkyTel"="SkyTel.EXE" [2007-06-15 1826816]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-26 13570048]
"nwiz"="nwiz.exe" [2008-07-26 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-26 86016]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-08 155648]
"EPSON Stylus C67 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE" [2005-01-24 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-09 2338656]
"BambooCore"="c:\program files\Bamboo Dock\BambooCore.exe" [2011-05-11 629848]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-07-28 1259376]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-26 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-12 77824]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\FlashGet\\flashget.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\Remote Mouse\\server\\server.exe"=
"c:\\Program Files\\ServeToMe\\Contents\\Windows\\ServeToMe.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\SRServer.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\SRFeature.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\DataProxy.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\inputserv.exe"=
"c:\\Program Files\\Splashtop\\Splashtop Remote\\Server\\SRLogin.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 4:27 p.m. 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [7/09/2010 3:48 a.m. 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [7/09/2010 3:48 a.m. 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/09/2010 3:49 a.m. 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/12/2008 1:50 p.m. 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/12/2008 1:50 p.m. 55024]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [8/02/2011 6:33 a.m. 269520]
R2 SplashtopRemoteService;Splashtop® Remote Service;c:\program files\Splashtop\Splashtop Remote\Server\SRService.exe [9/09/2011 12:13 p.m. 518472]
R2 SSUService;Splashtop Software Updater Service;c:\program files\Splashtop\Splashtop Software Updater\SSUService.exe [21/09/2011 9:27 p.m. 366408]
R2 TabletServicePen;TabletServicePen;c:\program files\Tablet\Pen\Pen_Tablet.exe [20/04/2011 3:59 p.m. 4869488]
R2 TouchServicePen;Wacom Consumer Touch Service;c:\program files\Tablet\Pen\Pen_TouchService.exe [20/04/2011 4:10 p.m. 416112]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 9:42 p.m. 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 9:42 p.m. 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 9:42 p.m. 27216]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [21/09/2009 10:15 p.m. 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [20/12/2008 11:17 a.m. 22216]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [4/01/2011 3:23 p.m. 47360]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [20/04/2011 4:00 p.m. 16240]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [18/08/2011 2:33 a.m. 7390560]
S2 dualshock3;DUALSHOCK3 Controller HID Minidriver (USB) Beta;c:\windows\system32\drivers\dualshock3.sys [21/09/2009 10:35 p.m. 11392]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17/05/2010 1:01 p.m. 136176]
S2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [20/12/2008 11:17 a.m. 363344]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG10\Toolbar\ToolbarBroker.exe [13/05/2011 9:37 a.m. 1025352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [17/05/2010 1:01 p.m. 136176]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [16/01/2010 1:49 a.m. 227232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/12/2008 1:50 p.m. 7408]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 05:57]
.
2011-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-17 06:08]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-17 06:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: kuaiche.com\software
TCP: DhcpNameServer = 192.168.1.254
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG10\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\documents and settings\Username\Application Data\Mozilla\Firefox\Profiles\85jwgwcs.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4bfdb9f8&v=7.008.031.001&i=23&tp=ab&iy=&ychte=au&lng=en-GB&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-10-22 16:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3432)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Tablet\Pen\Pen_TouchUser.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Tablet\Pen\Pen_TabletUser.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\AVG\AVG10\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG10\avgemcx.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2011-10-22 1624 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-22 03:06
ComboFix2.txt 2011-10-21 23:38
.
Pre-Run: 65,277,939,712 bytes free
Post-Run: 65,267,642,368 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - E0ABFF7C8A8AACD2DDC895FCB8AE4724
Upload was successful
Ralph123 is offline  
Old 10-21-2011, 08:14 PM   #6
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10
Hello again, Ralph123. Thanks for submitting the file.

Try uninstalling, rebooting, then re-installing AVG. Let me know.

------------------------------------------------------
chemist is offline  
Old 10-21-2011, 08:44 PM   #7
Registered Member
 
Join Date: Oct 2011
Posts: 42
OS: Windows 8
Yup, did the trick - AVG is happy now!
Ralph123 is offline  
Old 10-21-2011, 09:39 PM   #8
Registered Member
 
Join Date: Oct 2011
Posts: 42
OS: Windows 8
Just did a full scan with AVG and found 49 threats; removed them all, which was nice. Any interest?

"Scan ""Whole computer scan"" completed."
"Infections";"47";"47";"0"
"Spyware";"2";"2";"0"
"Folders selected for scanning:";"Whole computer scan"
"Scan started:";"Saturday, 22 October 2011, 4:48:14 p.m."
"Scan finished:";"Saturday, 22 October 2011, 5:35:11 p.m. (46 minute(s) 57 second(s))"
"Total object scanned:";"1316269"
"User who launched the scan:";"Username"

"Infections"
"";"File";"Infection";"Result"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0154865.ini";"Trojan horse BackDoor.Generic14.AVBQ";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0154864.sys";"Trojan horse BackDoor.Generic14.ANAA";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0153865.ini";"Trojan horse BackDoor.Generic14.AVBQ";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0153864.sys";"Trojan horse BackDoor.Generic14.ANAA";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0153860.ini";"Trojan horse BackDoor.Generic14.AVBQ";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0153859.sys";"Trojan horse BackDoor.Generic14.ANAA";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0152860.ini";"Trojan horse BackDoor.Generic14.AVBQ";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0152859.sys";"Trojan horse BackDoor.Generic14.ANAA";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0152821.ini";"Trojan horse BackDoor.Generic14.AVBQ";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0152820.sys";"Trojan horse BackDoor.Generic14.ANAA";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0152813.ini";"Trojan horse BackDoor.Generic14.AVBQ";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0152812.sys";"Trojan horse BackDoor.Generic14.ANAA";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0152769.ini";"Trojan horse BackDoor.Generic14.AVBQ";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0152768.sys";"Trojan horse BackDoor.Generic14.ANAA";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0152767.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0152766.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0152742.ini";"Trojan horse BackDoor.Generic14.AVBQ";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0152741.sys";"Trojan horse BackDoor.Generic14.ANAA";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0149751.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP999\A0149739.sys";"Trojan horse BackDoor.Generic14.ANAA";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP998\A0148708.ini";"Trojan horse BackDoor.Generic14.AVBQ";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP998\A0148707.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP997\A0148631.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP997\A0148574.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP997\A0148573.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP997\A0148572.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP997\A0148571.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP997\A0148570.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP997\A0148569.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP997\A0148568.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP997\A0148567.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0158921.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0158920.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0158919.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0158918.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0158917.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0158916.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0158915.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0158914.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0158913.exe";"Virus identified Win32/Katusha.A";"Healed"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0158865.sys";"Trojan horse BackDoor.Generic14.ANAA";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0157865.ini";"Trojan horse BackDoor.Generic14.AVBQ";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0157864.sys";"Trojan horse BackDoor.Generic14.ANAA";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0156865.ini";"Trojan horse BackDoor.Generic14.AVBQ";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0156864.sys";"Trojan horse BackDoor.Generic14.ANAA";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1000\A0155865.ini";"Trojan horse BackDoor.Generic14.AVBQ";"Moved to Virus Vault"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1000\A0155864.sys";"Trojan horse BackDoor.Generic14.ANAA";"Moved to Virus Vault"

"Spyware"
"";"File";"Infection";"Result"
"";"C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1005\A0159669.exe";"Potentially harmful program Crack.FH";"Moved to Virus Vault"
"";"C:\Program Files\DVDFab 8\Patch.exe";"Potentially harmful program Crack.FH";"Moved to Virus Vault"
Old 10-22-2011, 12:54 AM   #9
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy). Join Date: Oct 2007. Location: Georgia. Posts: 29,790. OS: XP/Win7/Win10

Hello again, Ralph123.

Quote:
C:\Program Files\DVDFab 8\Patch.exe";"Potentially harmful program Crack.FH
This is one reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Before posting for help, uninstall any such applications.

Referring to the Forum Rules which you should have read at the time of Registering at this forum, TSF does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.

------------------------------------------------------

==== Installed Programs ====

DVDFab 8.0.5.0 (18/11/2010)

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 10-22-2011, 03:28 AM   #10
Ralph123 (Registered Member). Join Date: Oct 2011. Posts: 42. OS: Windows 8

Thanks for the help anyway.
Old 10-22-2011, 12:04 PM   #11
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy). Join Date: Oct 2007. Location: Georgia. Posts: 29,790. OS: XP/Win7/Win10

Not willing to uninstall the program?
Old 10-22-2011, 12:33 PM   #12
Ralph123 (Registered Member). Join Date: Oct 2011. Posts: 42. OS: Windows 8

Of course, its been uninstalled. I just assumed that I wasn't going to be getting any more help.
Old 10-22-2011, 12:45 PM   #13
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy). Join Date: Oct 2007. Location: Georgia. Posts: 29,790. OS: XP/Win7/Win10

Hello again, Ralph123. Just a bit more to make sure you are clean. Any remaining issues?

Please download Malwarebytes' Anti-Malware and Save it to your Desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Under the Scanner tab, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad and you may be prompted to Restart your computer. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy/Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


------------------------------------------------------

Your Java is out of date.

Java(TM) 6 Update 15 can be updated from the Java Control Panel. Go Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go back to your Control Panel (using Classic View) and click the Java icon (looks like a coffee cup).
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish, then click 'Finish'.
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Copy/paste that log as a reply to this topic.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
Old 10-22-2011, 03:51 PM   #14
Ralph123 (Registered Member). Join Date: Oct 2011. Posts: 42. OS: Windows 8

All of the AVG issues were fixed, and following complete scans came back clean.

Malwarebytes:

Malwarebytes' Anti-Malware 1.51.2.1300
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 8001

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

23/10/2011 8:51:50 a.m.
mbam-log-2011-10-23 (08-51-50).txt

Scan type: Quick scan
Objects scanned: 185763
Time elapsed: 1 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
ESET:

[email protected] as downloader log:
all ok
[email protected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=fee8d53b82eb3a44a3b8ac4fbd78d425
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-10-22 10:41:02
# local_time=2011-10-23 11:41:02 (+1200, New Zealand Daylight Time)
# country="New Zealand"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 89588253 89588253 0 0
# compatibility_mode=1024 16777175 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 616 616 0 0
# scanned=265166
# found=44
# cleaned=0
# scan_time=9181
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv1.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv2.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv3.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv4.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv5.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Username\Local Settings\Application Data\Mozilla\Firefox\Profiles\85jwgwcs.default\Cache\E\2E\8F344d01 JS/Kryptik.E trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Username\Local Settings\Application Data\Mozilla\Firefox\Profiles\85jwgwcs.default\Cache\F\18\10FA8d01 JS/Kryptik.E trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Username\My Documents\Anti-Virus\SmitfraudFix.exe multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Username\My Documents\Anti-Virus\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Username\My Documents\Anti-Virus\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\[4]-Submit_2011-10-22_15.54.03.zip a variant of Win32/Sirefef.CR trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Username\Local Settings\Application Data\c534cdf8\X.vir Win32/Sirefef.DD trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\AVG\AVG10\avgwdsvc.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Canon\IJPLM\IJPLMSVC.EXE.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Splashtop\Splashtop Remote\Server\SRService.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\Splashtop\Splashtop Software Updater\SSUService.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir a variant of Win32/Sirefef.CH trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\bgsvcgen.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\nvsvc32.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Process.exe.vir Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir a variant of Win32/Rootkit.Kryptik.DM trojan (unable to clean) 00000000000000000000000000000000 I
C:\SDFix\apps\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0158908.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0159357.old Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0159360.old Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0159394.rbf Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1005\A0159576.rbf Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1005\A0159578.rbf Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP979\A0142057.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP979\A0142058.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP979\A0142059.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP979\A0142060.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP979\A0142061.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP979\A0142062.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP979\A0143074.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP979\A0143075.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP979\A0143076.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP979\A0143078.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP979\A0143080.exe Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP998\A0148687.sys a variant of Win32/Rootkit.Kryptik.EL trojan (unable to clean) 00000000000000000000000000000000 I
Old 10-22-2011, 04:38 PM   #15
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy). Join Date: Oct 2007. Location: Georgia. Posts: 29,790. OS: XP/Win7/Win10

Hello again, Ralph123. Qoobox is ComboFix's quarantine folder. System Volume Information is where Windows keeps old system restore points. Both will get deleted when we uninstall ComboFix.

*Note - If Username is not your actual username, you will have to replace Username with your actual username in the script below (4 places):

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv1.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv2.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv3.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv4.zip"
"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv5.zip"
"C:\Documents and Settings\Username\Local Settings\Application Data\Mozilla\Firefox\Profiles\85jwgwcs.default\Cache\E\2E\8F344d01"
"C:\Documents and Settings\Username\Local Settings\Application Data\Mozilla\Firefox\Profiles\85jwgwcs.default\Cache\F\18\10FA8d01"
"C:\Documents and Settings\Username\My Documents\Anti-Virus\SmitfraudFix.exe"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

for %%g in (

"C:\SDFix"
"C:\Documents and Settings\Username\My Documents\Anti-Virus\SmitfraudFix"


) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
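As an added example (not code from the thread, from ESET or from ComboFix), the following Python script applies the same triage chemist did by hand to an ESET Online Scanner report: it parses each finding, buckets it by whether it sits in ComboFix's Qoobox quarantine, an old System Restore point, Spybot's recovery folder or the live file system, and lists what still needs attention. It assumes each finding ends with a 32-hex hash and a one-letter flag, as in the report above, and, where the forum has flattened ESET's tab separator to a space, that file names contain no spaces; the embedded input is a 7-line excerpt of the report posted in this thread.

```python
"""Triage an ESET Online Scanner report by where each finding lives.

Added example, not part of the thread and not ESET's or ComboFix's code. It
automates chemist's reasoning: findings under C:\\Qoobox (ComboFix's quarantine)
or System Volume Information (old restore points) are already contained.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Headers look like '# key=value'; a finding ends with a 32-hex hash and a
# one-letter flag, exactly as in the report posted in the thread.
HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")
TRAILER_RE = re.compile(r"\s+([0-9a-fA-F]{32})\s+([A-Z])$")
STATUS_RE = re.compile(r"\s*\(([^()]*)\)$")
CONTAINED = {"combofix-quarantine", "restore-point"}


@dataclass
class Finding:
    path: str
    threat: str
    status: str    # e.g. 'unable to clean'
    location: str  # combofix-quarantine | restore-point | spybot-recovery | live


def classify_location(path):
    """Map a path to the bucket the thread reasons about."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\"):
        return "combofix-quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    if "spybot - search & destroy\\recovery" in p:
        return "spybot-recovery"  # Spybot's own backup store, still on disk
    return "live"


def split_path_and_threat(body):
    """Separate the file path from the threat description."""
    # ESET writes a tab between the two; a forum post flattens it to a space.
    if "\t" in body:
        path, threat = body.split("\t", 1)
        return path, threat.strip()
    # Fallback (assumption): the file name, i.e. the last backslash component,
    # holds no spaces, so the first space after it starts the description.
    head, _, tail = body.rpartition("\\")
    name, _, threat = tail.partition(" ")
    return head + "\\" + name, threat


def parse_finding(line):
    """Parse one finding line; return None for headers or other text."""
    m = TRAILER_RE.search(line)
    if not m:
        return None
    body = line[: m.start()]
    status = ""
    s = STATUS_RE.search(body)
    if s:
        status, body = s.group(1), body[: s.start()]
    path, threat = split_path_and_threat(body)
    return Finding(path, threat, status, classify_location(path))


def parse_report(text):
    headers, findings = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            headers[h.group(1)] = h.group(2)
            continue
        f = parse_finding(line) if line else None
        if f:
            findings.append(f)
    return headers, findings


def triage(text):
    """Summarise: what was reported, where it sits, what is still live."""
    headers, findings = parse_report(text)
    return {
        # 'found' from the header lets you check that every line was parsed.
        "reported_found": int(headers.get("found", len(findings))),
        "parsed": len(findings),
        # True would mean 'Remove found threats' was ticked, against the advice.
        "remove_checked": headers.get("remove_checked") == "true",
        "by_location": dict(Counter(f.location for f in findings)),
        "not_yet_contained": [f.path for f in findings
                              if f.location not in CONTAINED],
    }


# Excerpt of the ESET report posted in the thread (7 of its 44 findings).
REPORT_EXCERPT = r"""
# remove_checked=false
# found=44
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinBankerfgv.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Username\Local Settings\Application Data\Mozilla\Firefox\Profiles\85jwgwcs.default\Cache\E\2E\8F344d01 JS/Kryptik.E trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Username\My Documents\Anti-Virus\SmitfraudFix.exe multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\AVG\AVG10\avgwdsvc.exe.vir Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir a variant of Win32/Rootkit.Kryptik.DM trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{559D852D-6005-4F94-95DB-026D1057D817}\RP1001\A0159357.old Win32/Patched.HN trojan (unable to clean) 00000000000000000000000000000000 I
C:\SDFix\apps\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I
"""
```

Because the excerpt carries only 7 of the 44 reported findings, `parsed` is lower than `reported_found`; on a full report the two should match, and a gap means a line the parser did not recognise.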
Old 10-22-2011, 04:46 PM   #16
Ralph123 (Registered Member). Join Date: Oct 2011. Posts: 42. OS: Windows 8

I think it said "delete successful" and then removed itself from the desktop. I was expecting it to run something after the key press.
Old 10-22-2011, 04:48 PM   #17
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy). Join Date: Oct 2007. Location: Georgia. Posts: 29,790. OS: XP/Win7/Win10

Hello again, Ralph123. Worked as it should, no worries.

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

As far as those infected objects listed in the ESET report, those are safely tucked away in ComboFix's quarantine folder or in old System Restore Points, which we will be taking care of now.

Please disable AVG before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /uninstall

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore Point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Also, support is ending for some versions of Windows > Windows End of Support Information - Windows Help & How-to

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for both Firefox and IE.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
    • Download Host.zip and Save it to your Desktop.
    • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
    • Follow the prompts and click 'Finish'.
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
Old 10-22-2011, 05:12 PM   #18
Ralph123 (Registered Member). Join Date: Oct 2011. Posts: 42. OS: Windows 8

Great, thank you very much for your help and super fast response times. You made the process really easy.

Thanks.
Old 10-22-2011, 08:18 PM   #19
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy). Join Date: Oct 2007. Location: Georgia. Posts: 29,790. OS: XP/Win7/Win10

You're very welcome, Ralph123! Glad to have helped.