can't install or uninstall programs

This is a discussion on "can't install or uninstall programs" within the Virus/Trojan/Spyware Help forums, part of the Tech Support Forum category.

#1  11-01-2011, 02:21 PM  reedkwize1 (Registered Member; Join Date: Oct 2011; Posts: 43; OS: Windows XP)

I've tried to install my printer software, but when it gets to the last phase of the installation process it says 'unable to install software'. I tried to download and install AVG 2012 and the same thing happened: it got to the last step and said 'Setup error: general internal error. Additional message: MSI engine: failed to install product. Context: installation of AVG core, MSI action failed.' I was in another forum trying to get this resolved, to no avail; the moderator finally said that it sounds like I have a virus and sent me here. My computer is slow and sluggish. I have AVG 2011 installed, but it has no components yet shows that it is active, and when I tried to disable it there was an error there as well. So I've saved the two texts, 'DDS' and 'Attach', and I'll attach and copy and paste as instructed and wait for further instructions.

Thanks, reedkwize1
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by sam at 15:41:22 on 2011-11-01
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.274 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
C:\Program Files\Lexmark Pro700 Series\lxeemon.exe
C:\Program Files\Lexmark Pro700 Series\ezprint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.my.yahoo.com/
uSearch Page =
uDefault_Page_URL = hxxp://att.net
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchAssistant =
mSearchAssistant =
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: att.net Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [lxeemon.exe] "c:\program files\lexmark pro700 series\lxeemon.exe"
mRun: [EzPrint] "c:\program files\lexmark pro700 series\ezprint.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [NIS] "c:\program files\nortoninstaller\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis\2454b0ab\17.6.0.32\InstStub.exe" /RELAUNCH /RUNONCE /NOPROMPT /LIRELAUNCH /PRODID NIS
mRun: [Google Pinyin 2 Autoupdater] "c:\program files\google\google pinyin 2\GooglePinyinDaemon.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\sam\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-explorer: <NO NAME> =
IE: &Search - https://tbedits.retrogamer.com/one-to...F&n=2011070816
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/distribution/alternatiff-ax-w32-2.0.1.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{6A1BFBAA-114B-4F16-B8DE-2F883013D3C3} : DhcpNameServer = 192.168.1.254
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-17 136176]
S2 lxee_device;lxee_device;c:\windows\system32\lxeecoms.exe -service --> c:\windows\system32\lxeecoms.exe -service [?]
S2 lxeeCATSCustConnectService;lxeeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeeserv.exe [2010-4-14 193192]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 1025352]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-17 136176]
.
=============== Created Last 30 ================
.
2011-10-29 15:07:49 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-10-29 15:07:49 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-09-17 21:29:22 2504760 ----a-w- c:\windows\system32\GooglePinyin2.ime
2011-09-11 07:46:34 50112 --sha-w- c:\windows\system32\c_26824.nl_
2011-09-01 00:59:13 72080 -c--a-w- C:\g2mdlhlpx.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
Windows 5.1.2600 Disk: ST360015A rev.3.33 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81C79760]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 nt!IofCallDriver[0x804E3D45] -> \Device\Harddisk0\DR0[0x82350AB8]
3 CLASSPNP[0xF857705B] -> nt!IofCallDriver[0x804E3D45] -> [0x81BA3760]
\Driver\00001854[0x82114BE8] -> IRP_MJ_CREATE -> 0x81C79760
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x822FF31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:42:25.84 ===============
Attached file: attach.zip (3.2 KB)
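The DDS output above is the kind of log a helper reads by eye, picking out the lines that do not belong. As an added example, not part of the original post and not code from the DDS or GMER tools, the script below runs a handful of such heuristics over lines excerpted from that log: GMER's own rootkit warning, a module it cannot attribute in the disk I/O path, a driver object named only by digits, a DriverStartIo hook, a hidden+system file under system32, an executable sitting in the drive root, and a service whose binary DDS could not read (the `[?]`). The rule names, severities and function names are this example's own choices; the sample lines are copied from the post.

```powershell
# Added example, not part of the original post: a first-pass triage of DDS/GMER
# text. Every rule below is a heuristic chosen for this demonstration.

function New-Indicator($Severity, $Rule, $Line) {
    New-Object PSObject -Property @{ Severity = $Severity; Rule = $Rule; Line = $Line }
}

function Find-DdsIndicators {
    param([Parameter(Mandatory = $true)][string]$LogText)

    $hits    = @()
    $inHooks = $false

    foreach ($raw in ($LogText -split "`r?`n")) {
        $line = $raw.Trim()

        # Lines following "detected hooks:" name patched driver dispatch routines.
        if ($line -eq 'detected hooks:') { $inHooks = $true; continue }
        if ($inHooks) {
            if ($line -match '^\\Driver\\\S+ \S+ -> 0x[0-9A-Fa-f]+$') {
                $hits += New-Indicator 'high' 'driver-hook' $line
                continue
            }
            $inHooks = $false   # first non-hook line ends the section
        }

        if ($line -match '^Warning: possible .*rootkit infection') {
            # GMER's own verdict line
            $hits += New-Indicator 'high' 'gmer-warning' $line
        }
        elseif ($line -match '>>UNKNOWN \[0x[0-9A-Fa-f]+\]<<') {
            # a module GMER cannot attribute sits in the disk I/O path
            $hits += New-Indicator 'high' 'unknown-disk-module' $line
        }
        elseif ($line -match '^\\Driver\\\d+\[0x[0-9A-Fa-f]+\]') {
            # a driver object whose name is only digits, seen in the disk trace
            $hits += New-Indicator 'medium' 'digit-named-driver' $line
        }
        elseif ($line -match '^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\S+\s+(\S{8})\s+(.+)$') {
            # "Created Last 30" / "Find3M" entries: date time size attributes path
            $attr = $matches[1]; $path = $matches[2]
            if ($attr -match 's' -and $attr -match 'h' -and $path -match '\\system32\\') {
                # hidden+system file dropped under system32
                $hits += New-Indicator 'medium' 'hidden-system-file' $line
            }
            elseif ($path -match '^[A-Za-z]:\\[^\\]+\.exe$') {
                # executable sitting directly in a drive root
                $hits += New-Indicator 'low' 'exe-in-drive-root' $line
            }
        }
        elseif ($line -match '^[RS]\d \S+;.*\[\?\]$') {
            # service whose binary DDS could not read ("[?]" instead of date/size)
            $hits += New-Indicator 'medium' 'service-binary-unreadable' $line
        }
    }
    $hits
}

# Sample input: lines copied from the DDS output in the post above.
$sample = @'
S2 lxee_device;lxee_device;c:\windows\system32\lxeecoms.exe -service --> c:\windows\system32\lxeecoms.exe -service [?]
2011-09-11 07:46:34 50112 --sha-w- c:\windows\system32\c_26824.nl_
2011-09-01 00:59:13 72080 -c--a-w- C:\g2mdlhlpx.exe
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81C79760]<<
\Driver\00001854[0x82114BE8] -> IRP_MJ_CREATE -> 0x81C79760
detected hooks:
\Driver\atapi DriverStartIo -> 0x822FF31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
'@

Find-DdsIndicators -LogText $sample | Format-Table Severity, Rule, Line -AutoSize
```

None of these rules is a verdict on its own; they only surface lines worth a second look. In this thread the helper asked for a TDSSKiller log before deciding what to remove, which is the right order.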
#2  11-01-2011, 03:22 PM  reedkwize1 (Registered Member)

Sorry, I forgot to attach the ark.txt in the first post; here it is.

Thanks, reedkwize1
Attached file: ark.txt (11.6 KB)
#3  11-01-2011, 07:23 PM  Ried (TSF Security Manager Emeritus; Join Date: Jan 2005; Location: Ohio; Posts: 42,837; OS: WinXP Home, Vista, Windows 7 64bit)

Hello reedkwize1,

You most certainly are infected.

Before we begin any removals, I'd like to gather as much info as possible. Please follow this next set of instructions carefully:

Download TDSSKiller.exe and save it to your desktop.
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
  • Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#4  11-01-2011, 11:10 PM  reedkwize1 (Registered Member)

I don't see where I can save the log, and you said a log would be created at the root drive. I believe mine is C:\. Where would I go to attach it to my next reply? Thanks in advance,

reedkwize1
#5  11-02-2011, 04:23 AM  Ried (TSF Security Manager Emeritus)

The log is automatically saved. You'll find it on the C:\ drive, named as I mentioned in my earlier post.

Attach it the same way you attached your ark log in Post 2. Or, if you prefer, you can copy/paste the contents of the log directly into the reply window.
#6  11-02-2011, 04:30 AM  reedkwize1 (Registered Member)

Here it is.
Attached file: TDSSKiller.2.6.14.0_02.11.2011_00.56.59_log.txt (46.2 KB)
#7  11-02-2011, 04:35 AM  Ried (TSF Security Manager Emeritus)

This is going to be rough. You have 2 very nasty infections - the Master Boot Record is infected and you have ZeroAccess on this machine.

Please be sure you've backed up any important documents, pictures, music, etc before you carry out the next set of instructions.


It will require more than 1 round to clean the system. Please stay with me until given the 'all clear' even if symptoms seem to abate.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications

====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

=======================================

After you have run ComboFix, run TDSSKiller again, and this time allow it to Cure what it finds.

Again, it will save a log on the C:\ drive for you. Post that log in your next reply, along with the C:\ComboFix.txt
#8  11-02-2011, 05:31 AM  reedkwize1 (Registered Member)

When I tried to disable my AVG 2011, I got a message that read 'An error occurred when saving configuration. Connection is offline'. Should I just uninstall it, since I was going to upgrade to AVG 2012?
#9  11-02-2011, 06:01 AM  Ried (TSF Security Manager Emeritus)

Yes. Uninstall it if the infections onboard will allow it. If not, try AVG's removal utility --> AVG - Download tools and utilities
#10  11-02-2011, 07:27 AM  reedkwize1 (Registered Member)

I used the AVG removal utility and it removed AVG from my computer, but when I ran ComboFix it still said that real-time scanners are still active. I don't see it in the Start menu, and when I look in the Security Center it says that antivirus is on, but I don't see any signs of it anywhere else. What should I do?
#11  11-02-2011, 10:18 AM  reedkwize1 (Registered Member)

Is Spybot Search & Destroy something that should be disabled as well? Besides this, I don't see anything else on here as far as antivirus goes.
#12  11-02-2011, 01:10 PM  Ried (TSF Security Manager Emeritus)

Yes, if you have TeaTimer enabled, it needs to be disabled. Instructions on how to do that are in the link I gave you earlier for disabling protective programs.

As far as the AVG alerts are concerned, AVG has a bad habit of not de-registering itself with the Sec Center. OK your way through those alerts by ComboFix and allow it to run.
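The stale Security Center registration Ried describes can be inspected and cleared directly rather than clicked past. The following is an added example, not part of this thread and not an AVG or ComboFix tool: it assumes that Security Center keeps its list of antivirus products in the WMI namespace root\SecurityCenter on XP and root\SecurityCenter2 on Vista and later, that PowerShell is available on the machine (XP needs it installed separately), and that the prompt is elevated. The function names and the 'AVG' pattern are the example's own.

```powershell
# Added example, not part of the original thread: list the antivirus products
# registered with Windows Security Center and remove a stale registration.
# Assumptions made here: XP keeps these in the WMI namespace root\SecurityCenter,
# Vista and later in root\SecurityCenter2; run from an elevated prompt.

function Get-RegisteredAntiVirus {
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        # A namespace that does not exist on this Windows version is skipped quietly.
        $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        foreach ($p in $products) {
            New-Object PSObject -Property @{
                Namespace   = $ns
                DisplayName = $p.displayName
                InstanceId  = $p.instanceGuid
                # Only SecurityCenter2 records the product binary; this is $null on XP.
                ExePath     = $p.pathToSignedProductExe
                WmiObject   = $p
            }
        }
    }
}

function Remove-StaleAntiVirusRegistration {
    param(
        [Parameter(Mandatory = $true)][string]$NamePattern,  # e.g. 'AVG'
        [switch]$Force                                        # without it, only report
    )
    foreach ($av in Get-RegisteredAntiVirus) {
        if ($av.DisplayName -notmatch $NamePattern) { continue }

        # Where a binary path is recorded, a missing file proves the entry stale.
        # XP records no path, so there the name match alone decides.
        if ($av.ExePath -and (Test-Path -LiteralPath $av.ExePath)) {
            Write-Warning ("{0} still has its binary at {1}; not removing" -f $av.DisplayName, $av.ExePath)
            continue
        }
        if ($Force) {
            $av.WmiObject.Delete()
            "Removed '{0}' from {1}" -f $av.DisplayName, $av.Namespace
        } else {
            "Would remove '{0}' from {1} (re-run with -Force)" -f $av.DisplayName, $av.Namespace
        }
    }
}

# Show what Security Center believes is installed, then dry-run the removal.
Get-RegisteredAntiVirus | Format-Table Namespace, DisplayName, ExePath -AutoSize
Remove-StaleAntiVirusRegistration -NamePattern 'AVG'
```

Run it without -Force first; it prints what it would delete. Removing the entry only stops Security Center, and tools that ask it, from reporting a product that is no longer there; it does not remove any leftover AVG files or drivers.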
#13  11-02-2011, 02:32 PM  reedkwize1 (Registered Member)

Here they are.

ComboFix 11-11-02.01 - sam 11/02/2011 15:47:10.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.331 [GMT -6:00]
Running from: c:\documents and settings\sam\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\SPL11E.tmp
c:\documents and settings\sam\Application Data\Adobe\plugs
c:\documents and settings\sam\Application Data\Adobe\shed
c:\documents and settings\sam\g2mdlhlpx.exe
c:\documents and settings\sam\Start Menu\Programs\Windows Recovery
c:\documents and settings\sam\WINDOWS
c:\documents and settings\Tarik Reed\Application Data\alot
C:\install.exe
c:\windows\$NtUninstallKB15380$
c:\windows\$NtUninstallKB15380$\2001188012\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB15380$\2001188012\L\hzygbiyu
c:\windows\$NtUninstallKB15380$\2001188012\loader.tlb
c:\windows\$NtUninstallKB15380$\2001188012\U\@00000001
c:\windows\$NtUninstallKB15380$\2001188012\U\@000000c0
c:\windows\$NtUninstallKB15380$\2001188012\U\@000000cb
c:\windows\$NtUninstallKB15380$\2001188012\U\@000000cf
c:\windows\$NtUninstallKB15380$\2001188012\U\@80000000
c:\windows\$NtUninstallKB15380$\2001188012\U\@800000c0
c:\windows\$NtUninstallKB15380$\2001188012\U\@800000cb
c:\windows\$NtUninstallKB15380$\2001188012\U\@800000cf
c:\windows\$NtUninstallKB15380$\3356476443
c:\windows\desktop
c:\windows\desktop\Hooked on Phonics Learn to Read.lnk
c:\windows\system32\c_26824.nls
.
Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\system32\wuauclt.exe . . . is infected!!
.
Infected copy of c:\program files\Google\Update\GoogleUpdate.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{13622D11-88D0-49EE-9D13-2A3B818D6C75}\RP27\A0026306.exe
.
Infected copy of c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{13622D11-88D0-49EE-9D13-2A3B818D6C75}\RP20\A0017290.exe
.
c:\program files\Java\jre6\bin\jqs.exe . . . is infected!!
c:\program files\Java\jre6\bin\jqs.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\lxeecoms.exe . . . is infected!!
c:\windows\system32\lxeecoms.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\windows\system32\MsPMSPSv.exe . . . is infected!!
c:\windows\system32\MsPMSPSv.exe . . . was deleted!! You should re-install the program it pertains to
.
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe . . . is infected!!
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe . . . was deleted!! You should re-install the program it pertains to
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_.i8042prt
-------\Service_.mrxsmb
-------\Service_7747b4ac
.
.
((((((((((((((((((((((((( Files Created from 2011-10-02 to 2011-11-02 )))))))))))))))))))))))))))))))
.
.
2011-11-02 21:41 . 2004-08-04 03:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-11-02 15:30 . 2011-11-02 15:30 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-11-02 14:42 . 2011-11-02 14:42 299984 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-11-02 03:04 . 2011-11-02 03:04 -------- d--h--w- c:\windows\PIF
2011-10-29 15:10 . 2011-10-29 15:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-10-29 15:07 . 2011-10-29 15:07 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-29 00:22 . 2011-10-29 00:22 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache
2011-10-29 00:13 . 2011-10-29 00:13 -------- d-----w- c:\windows\system32\config\systemprofile\PrivacIE
2011-10-29 00:12 . 2011-10-29 00:12 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-02 15:02 . 2011-09-10 02:31 50112 --sha-w- c:\windows\system32\c_26824.nl_
2011-09-17 21:29 . 2011-09-17 21:29 2504760 ----a-w- c:\windows\system32\GooglePinyin2.ime
2011-09-17 15:45 . 2011-01-29 16:45 664 -c--a-w- c:\documents and settings\Zakiya Reed\Local Settings\Application Data\d3d9caps.tmp
2011-09-01 00:59 . 2011-09-01 00:59 72080 -c--a-w- C:\g2mdlhlpx.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-08-07 . C1BD669C43A9EF205C1568DC7183FAA8 . 53472 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
[-] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\wuauclt.exe
[7] 2004-08-04 . 4126D27CECE4471E00E425411F7306B5 . 111104 . . [5.4.3790.2180] . . c:\windows\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-17 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"lxeemon.exe"="c:\program files\Lexmark Pro700 Series\lxeemon.exe" [2009-10-01 766632]
"EzPrint"="c:\program files\Lexmark Pro700 Series\ezprint.exe" [2009-10-01 139944]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-03-30 273544]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Google Pinyin 2 Autoupdater"="c:\program files\Google\Google Pinyin 2\GooglePinyinDaemon.exe" [2011-09-17 1377848]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\Tarik Reed\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\documents and settings\sam\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart\0sprestrt
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ GOOGLEPINYIN2.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 10:59 122880 ----a-w- c:\windows\BCMSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorTeck]
2010-04-08 13:07 4804336 ----a-w- c:\program files\ErrorTeck\ErrorTeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-10-06 20:16 5058560 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-01-17 21:09 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
"c:\\Program Files\\Lexmark Pro700 Series\\lexocr.exe"=
.
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/2/2011 8:42 AM 299984]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 lxee_device;lxee_device;c:\windows\system32\lxeecoms.exe -service --> c:\windows\system32\lxeecoms.exe -service [?]
S2 lxeeCATSCustConnectService;lxeeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeeserv.exe [4/14/2010 7:01 PM 193192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1454471165-1606980848-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1454471165-1606980848-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1454471165-1606980848-682003330-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-02 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1454471165-1606980848-682003330-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-10-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1454471165-1606980848-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1454471165-1606980848-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-10-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1454471165-1606980848-682003330-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-10-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1454471165-1606980848-682003330-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-02 c:\windows\Tasks\User_Feed_Synchronization-{0401F06E-20AF-4CF4-A7CF-4C5C56DB7D28}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
2011-11-02 c:\windows\Tasks\User_Feed_Synchronization-{19085521-0AEE-4155-B0DA-4F13FF0D34C9}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uSearchAssistant =
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.254
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-NIS - c:\program files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\2454B0AB\17.6.0.32\InstStub.exe
SafeBoot-84859783.sys
MSConfigStartUp-Retrogamer_2z Browser Plugin Loader - c:\progra~1\RETROG~2\bar\1.bin\2zbrmon.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-11-02 16:16
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-1606980848-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2596)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Google\Google Pinyin 2\GooglePinyinService.exe
.
**************************************************************************
.
Completion time: 2011-11-02 16:24:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-02 22:24
.
Pre-Run: 46,273,523,712 bytes free
Post-Run: 47,257,280,512 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 8C4080BD2E0E0F73A368EC12DA0786BB
Attached Files
File Type: txt ComboFix.txt (14.8 KB, 57 views)
File Type: txt TDSSKiller.2.6.14.0_02.11.2011_16.27.04_log.txt (41.9 KB, 59 views)
reedkwize1 is offline  
Old 11-02-2011, 05:14 PM   #14
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



It's looking better, but we're not out of the woods yet. Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:
File::
c:\windows\system32\c_26824.nl
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, post the contents of the C:\ComboFix.txt
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 11-02-2011, 08:42 PM   #15
Registered Member
 
Join Date: Oct 2011
Posts: 43
OS: windows xp



OK, here we go.

ComboFix 11-11-02.01 - sam 11/02/2011 22:17:38.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.367 [GMT -6:00]
Running from: c:\documents and settings\sam\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sam\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\wuauclt.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-10-03 to 2011-11-03 )))))))))))))))))))))))))))))))
.
.
2011-11-02 21:41 . 2004-08-04 03:59 57472 -c--a-w- c:\windows\system32\dllcache\redbook.sys
2011-11-02 21:41 . 2004-08-04 03:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-11-02 15:30 . 2011-11-02 15:30 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-11-02 14:42 . 2011-11-02 14:42 299984 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-11-02 03:04 . 2011-11-02 03:04 -------- d--h--w- c:\windows\PIF
2011-10-29 15:10 . 2011-10-29 15:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-10-29 15:07 . 2011-10-29 15:07 -------- d-----w- c:\windows\system32\wbem\Repository
2011-10-29 00:22 . 2011-10-29 00:22 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache
2011-10-29 00:13 . 2011-10-29 00:13 -------- d-----w- c:\windows\system32\config\systemprofile\PrivacIE
2011-10-29 00:12 . 2011-10-29 00:12 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-02 15:02 . 2011-09-10 02:31 50112 --sha-w- c:\windows\system32\c_26824.nl_
2011-09-17 21:29 . 2011-09-17 21:29 2504760 ----a-w- c:\windows\system32\GooglePinyin2.ime
2011-09-17 15:45 . 2011-01-29 16:45 664 -c--a-w- c:\documents and settings\Zakiya Reed\Local Settings\Application Data\d3d9caps.tmp
2011-09-01 00:59 . 2011-09-01 00:59 72080 -c--a-w- C:\g2mdlhlpx.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-08-07 . C1BD669C43A9EF205C1568DC7183FAA8 . 53472 . . [7.4.7600.226] . . c:\windows\system32\wuauclt.exe
[-] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\wuauclt.exe
[7] 2004-08-04 . 4126D27CECE4471E00E425411F7306B5 . 111104 . . [5.4.3790.2180] . . c:\windows\system32\dllcache\wuauclt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-17 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"lxeemon.exe"="c:\program files\Lexmark Pro700 Series\lxeemon.exe" [2009-10-01 766632]
"EzPrint"="c:\program files\Lexmark Pro700 Series\ezprint.exe" [2009-10-01 139944]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-03-30 273544]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Google Pinyin 2 Autoupdater"="c:\program files\Google\Google Pinyin 2\GooglePinyinDaemon.exe" [2011-09-17 1377848]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\Tarik Reed\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
c:\documents and settings\sam\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart\0sprestrt
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ GOOGLEPINYIN2.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 10:59 122880 ----a-w- c:\windows\BCMSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ErrorTeck]
2010-04-08 13:07 4804336 ----a-w- c:\program files\ErrorTeck\ErrorTeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-10-06 20:16 5058560 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-01-17 21:09 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
"c:\\Program Files\\Lexmark Pro700 Series\\lexocr.exe"=
.
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11/2/2011 8:42 AM 299984]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S2 lxee_device;lxee_device;c:\windows\system32\lxeecoms.exe -service --> c:\windows\system32\lxeecoms.exe -service [?]
S2 lxeeCATSCustConnectService;lxeeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeeserv.exe [4/14/2010 7:01 PM 193192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe /medsvc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1454471165-1606980848-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1454471165-1606980848-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1454471165-1606980848-682003330-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1454471165-1606980848-682003330-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-10-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1454471165-1606980848-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1454471165-1606980848-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-10-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1454471165-1606980848-682003330-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-10-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1454471165-1606980848-682003330-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-11-03 c:\windows\Tasks\User_Feed_Synchronization-{0401F06E-20AF-4CF4-A7CF-4C5C56DB7D28}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
2011-11-03 c:\windows\Tasks\User_Feed_Synchronization-{19085521-0AEE-4155-B0DA-4F13FF0D34C9}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com/
uSearchAssistant =
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.254
DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-11-02 22:31
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1454471165-1606980848-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1984)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-11-02 22:35:14
ComboFix-quarantined-files.txt 2011-11-03 04:35
.
Pre-Run: 47,197,921,280 bytes free
Post-Run: 47,223,463,936 bytes free
.
- - End Of File - - 6784B8A7051B0C7B17656FD508AB1ED9
Attached Files
File Type: txt ComboFix.txt (11.3 KB, 76 views)
reedkwize1 is offline  
Old 11-02-2011, 08:48 PM   #16
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



That file is still there and patching wuauclt.exe. Please run a new scan with gmer.exe, same as you did before:

Double click gmer.exe and the initial scan will begin.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan...





  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark2.txt or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 11-02-2011, 10:38 PM   #17
Registered Member
 
Join Date: Oct 2011
Posts: 43
OS: windows xp



Here we go.
Attached Files
File Type: txt ark.txt (6.1 KB, 69 views)
reedkwize1 is offline  
Old 11-03-2011, 07:56 PM   #18
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Thanks. Let's try this one more time.

Open notepad and copy/paste the text in the code box below into it:

Quote:
FCopy::
c:\windows\system32\dllcache\wuauclt.exe | c:\windows\system32\wuauclt.exe

File::
c:\windows\system32\c_26824.nl_

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, post the C:\ComboFix.txt
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
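The diagnosis in post #16 and the FCopy::/File:: script in post #18 together describe the check and the fix: the unsigned c:\windows\system32\wuauclt.exe no longer matches the protected copy in dllcache, so the dllcache copy is restored over it and the dropped c_26824.nl_ is deleted. The Python below is an added example, not ComboFix's code or the helper's: it parses Sigcheck lines in the format the pasted log uses, flags system32 binaries that are unsigned and differ from their dllcache copy, and emits a CFScript block in the form the helper posted. It assumes ComboFix's "[-]" marker means no valid signature (consistent with the log's own note about unsigned files), and every function and class name is the example's own.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: the three Sigcheck lines from the ComboFix log in post #15.
SIGCHECK_SAMPLE = """\
[-] 2009-08-07 . C1BD669C43A9EF205C1568DC7183FAA8 . 53472 . . [7.4.7600.226] . . c:\\windows\\system32\\wuauclt.exe
[-] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\\windows\\SoftwareDistribution\\Download\\9866fb57abdc0ea2f5d4e132d055ba4e\\wuauclt.exe
[7] 2004-08-04 . 4126D27CECE4471E00E425411F7306B5 . 111104 . . [5.4.3790.2180] . . c:\\windows\\system32\\dllcache\\wuauclt.exe
"""

# One Sigcheck line: [marker] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<mark>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2}) \. (?P<md5>[0-9A-Fa-f]{32})"
    r" \. (?P<size>\d+) \. \. \[(?P<ver>[^\]]*)\] \. \. (?P<path>.+?)\s*$")
SYSTEM32 = r"c:\windows\system32"
DLLCACHE = ntpath.join(SYSTEM32, "dllcache")  # Windows File Protection cache

@dataclass(frozen=True)
class SigEntry:
    mark: str     # "-" = no valid signature (assumption, per the log's own note)
    date: str
    md5: str
    size: int
    version: str
    path: str

@dataclass(frozen=True)
class Finding:
    suspect: SigEntry    # live binary that looks patched
    reference: SigEntry  # protected copy it no longer matches

def parse_sigcheck(text: str) -> list:
    """Keep only lines in Sigcheck form; banner, note and '.' lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(SigEntry(m["mark"], m["date"], m["md5"].upper(),
                                int(m["size"]), m["ver"], m["path"]))
    return out

def find_patched(entries: list) -> list:
    """A system32 binary is suspect when it is unsigned and its MD5 differs from
    the dllcache copy of the same name (the copy the FCopy:: directive restores)."""
    cache = {ntpath.basename(e.path).lower(): e for e in entries
             if ntpath.dirname(e.path).lower() == DLLCACHE}
    findings = []
    for e in entries:
        # Download caches and signed files are not live targets; skip them.
        if e.mark != "-" or ntpath.dirname(e.path).lower() != SYSTEM32:
            continue
        ref = cache.get(ntpath.basename(e.path).lower())
        if ref is not None and ref.md5 != e.md5:
            findings.append(Finding(e, ref))
    return findings

def build_cfscript(findings: list, delete=()) -> str:
    """Emit the CFScript block in the helper's form: FCopy:: with
    'source | destination' lines, then File:: with paths to remove."""
    lines = []
    if findings:
        lines.append("FCopy::")
        lines += [f"{f.reference.path} | {f.suspect.path}" for f in findings]
    if delete:
        lines += ["", "File::"] if lines else ["File::"]
        lines += list(delete)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    found = find_patched(parse_sigcheck(SIGCHECK_SAMPLE))
    for f in found:
        print(f"{f.suspect.path}: md5 {f.suspect.md5} != dllcache {f.reference.md5}")
    print(build_cfscript(found, delete=[r"c:\windows\system32\c_26824.nl_"]))
```

Run against the sample it reports only the system32 copy, since the SoftwareDistribution download is not a live binary and the dllcache entry is the reference itself.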
Old 11-03-2011, 08:30 PM   #19
Registered Member
 
Join Date: Oct 2011
Posts: 43
OS: windows xp



Do I attach the ComboFix log to the post or do I copy and paste it? I'm dragging the CFScript into ComboFix now, just need to know how to put it with the next post.

reedkwize1
reedkwize1 is offline  
Old 11-03-2011, 08:40 PM   #20
TSF Security Manager
Emeritus
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Copy/paste contents is best, thanks. :)
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  