HELP:Another victim of Windows Antivirus Pro

Re: HELP:Another victim of Windows Antivirus Pro

Post by a9jc14 on 3rd September 2009, 12:53 am

log.txt from the ComboFix directory as it popped up in Notepad - trimming the previous stuff and starting at the Drivers/Services section.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-01 22:45 . 2009-09-01 22:45 2560 ----a-w- c:\windows\system32\drivers\mchInjDrv.sys
2009-08-28 03:54 . 2009-08-28 03:54 -------- d-----w- c:\documents and settings\James\Application Data\Cropper
2009-08-28 02:16 . 2009-08-28 02:16 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-28 01:50 . 2009-08-28 01:50 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\AVG Security Toolbar
2009-08-28 01:35 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-28 01:35 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-27 01:25 . 2009-08-27 01:25 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-08-27 01:24 . 2009-08-27 01:24 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-08-27 01:24 . 2009-08-27 01:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-08-26 23:23 . 2009-09-03 00:27 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-26 23:21 . 2009-08-26 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-08-26 23:21 . 2009-08-26 23:21 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-08-26 23:21 . 2009-08-26 23:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-26 23:21 . 2009-08-26 23:21 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-26 23:21 . 2009-08-26 23:21 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-26 23:21 . 2009-08-26 23:21 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-26 23:21 . 2009-09-02 22:51 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-26 23:21 . 2009-08-26 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-26 23:20 . 2009-08-26 23:20 -------- d-----w- c:\program files\AVG
2009-08-26 23:20 . 2009-08-26 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-26 23:17 . 2009-08-26 23:17 -------- d-----w- c:\documents and settings\James\Application Data\AVG8
2009-08-26 22:53 . 2009-08-26 22:53 -------- d-----w- c:\documents and settings\James\Application Data\Malwarebytes
2009-08-26 22:44 . 2009-08-26 22:44 -------- d-----w- c:\documents and settings\James\Application Data\GetRightToGo
2009-08-26 22:35 . 2009-09-01 23:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-26 22:35 . 2009-08-26 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-26 22:06 . 2009-08-26 22:06 -------- d-----w- C:\07baf296970b2ff7d2d03ccd43f2b309
2009-08-26 03:48 . 2009-08-26 03:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-26 02:57 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-26 02:57 . 2009-09-01 22:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-26 02:57 . 2009-09-01 01:30 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-26 02:57 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-26 02:57 . 2009-08-26 02:58 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-26 02:57 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-26 02:57 . 2009-09-01 01:37 -------- d-----w- c:\program files\Spyware Doctor
2009-08-26 02:57 . 2009-08-26 02:57 -------- d-----w- c:\documents and settings\James\Application Data\PC Tools
2009-08-26 02:57 . 2009-08-26 02:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-08-26 02:35 . 2009-08-26 02:35 -------- d-sh--w- c:\documents and settings\James\IECompatCache
2009-08-26 02:34 . 2009-08-26 02:34 -------- d-sh--w- c:\documents and settings\James\PrivacIE
2009-08-26 02:34 . 2009-08-26 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-08-26 02:34 . 2009-08-26 02:34 -------- d-sh--w- c:\documents and settings\James\IETldCache
2009-08-26 02:33 . 2009-08-26 02:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-26 02:30 . 2009-08-26 02:30 -------- dc-h--w- c:\windows\ie8
2009-08-26 02:23 . 2009-09-02 00:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-26 02:23 . 2009-09-02 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-26 01:23 . 2009-08-26 01:23 -------- d-----w- c:\program files\Windows Defender
2009-08-25 23:19 . 2009-08-25 23:19 -------- d-----w- C:\spoolerlogs
2009-08-25 04:27 . 2009-08-25 04:27 -------- d-----w- c:\documents and settings\James\Local Settings\Application Data\WMTools Downloaded Files
2009-08-20 23:05 . 2009-08-20 23:05 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-20 23:05 . 2009-08-20 23:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-20 23:05 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-20 23:05 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-20 23:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-20 23:05 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-20 23:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-20 23:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-20 23:05 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-20 23:05 . 2009-08-20 23:05 -------- d-----w- C:\a384f8360b852a1076416118
2009-08-20 23:05 . 2009-08-25 23:20 -------- d-----w- c:\windows\SxsCaPendDel
2009-08-19 22:39 . 2009-08-19 22:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-12 01:28 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 03:09 . 2007-03-02 11:04 -------- d-----w- c:\program files\World of Warcraft
2009-09-01 01:30 . 2009-09-01 01:30 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-29 13:24 . 2006-12-22 02:38 -------- d-----w- c:\program files\Juice
2009-08-28 02:21 . 2006-08-24 02:30 -------- d-----w- c:\program files\Java
2009-08-26 03:24 . 2006-08-20 04:14 177648 ----a-w- c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-26 02:27 . 2006-08-20 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-26 02:25 . 2007-02-27 04:53 -------- d-----w- c:\program files\Microsoft Works
2009-08-26 02:16 . 2009-05-23 22:34 -------- d-----w- c:\program files\Unity
2009-08-26 00:37 . 2006-09-16 04:21 -------- d--h--r- c:\documents and settings\James\Application Data\yahoo!
2009-08-26 00:37 . 2006-09-16 04:17 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-08-26 00:37 . 2006-08-23 19:34 -------- d-----w- c:\program files\The Learning Company
2009-08-26 00:36 . 2006-12-01 04:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Corporation
2009-08-21 01:34 . 2008-11-05 23:59 313984 ----a-w- c:\documents and settings\James\Application Data\MobMapUpdater\MobMapUpdaterExternals.dll
2009-08-20 23:05 . 2007-02-27 04:53 -------- d-----w- c:\program files\MSBuild
2009-08-19 04:07 . 2008-03-24 01:23 -------- d-----w- c:\documents and settings\James\Application Data\teamspeak2
2009-08-05 09:01 . 2003-03-31 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-22 21:23 . 2009-07-22 21:23 74760 ----a-w- c:\windows\system32\drivers\UniversalDD.sys
2009-07-22 21:23 . 2009-07-22 21:23 25608 ----a-w- c:\windows\system32\drivers\AVGIDSErHr.sys
2009-07-20 11:48 . 2009-07-20 11:48 -------- d-----w- c:\program files\Sony Online Entertainment
2009-07-17 19:01 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2006-08-20 04:08 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-16 14:36 . 2003-03-31 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2003-03-31 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2003-03-31 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2003-03-31 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-12 02:24 . 2009-06-12 02:24 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 14:13 . 2003-03-31 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2006-08-20 03:30 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2003-03-31 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 15:42 . 2009-06-12 02:26 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 15:42 . 2008-08-05 03:38 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2003-03-31 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-26 8523776]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-26 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-26 2007832]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-07-22 1600008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-28 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-26 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-1-9 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-26 23:21 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

Post by a9jc14 on 3rd September 2009, 12:53 am

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"63176:UDP"= 63176:UDP:bittorrent
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe AVGIDSAgent [x]
R2 bvtv;bvtv;c:\windows\system32\drivers\ejame.sys [x]
R2 imtcq;imtcq;c:\windows\system32\drivers\wrsmnixk.sys [x]
R2 pcuwhv;pcuwhv;c:\windows\system32\drivers\kbvurtru.sys [x]
R2 uiha;uiha;c:\windows\system32\drivers\fmarpf.sys [x]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
S0 AVGIDSErHr;AVGIDSErHr;c:\windows\System32\Drivers\AVGIDSErHr.sys [2009-07-22 25608]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-08-26 12552]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-01 206256]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-26 335240]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-08-26 108552]
S1 vcdrom;Virtual CD-ROM Device Driver;c:\documents and settings\James\Desktop\winxpvirtualcdcontrolpanel_21\VCdRom.sys [2001-12-19 8576]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-26 297752]
S2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-07-22 571912]
S3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2009-07-22 121352]
S3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2009-07-22 30216]
S3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2009-07-22 27232]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2009-09-02 c:\windows\Tasks\User_Feed_Synchronization-{CE6DEC4C-11F6-4A92-A5DE-FCC379398C45}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\James\Application Data\Mozilla\Firefox\Profiles\kikq9fna.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\progra~1\SONYON~1\npsoe.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-02 20:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-790525478-682003330-905396711-1003\Software\SecuROM\License information*]
"datasecu"=hex:e0,40,7d,3a,2d,42,bb,02,be,59,98,bc,66,7e,8b,c4,51,d4,7e,b6,26,
e6,55,71,9a,18,ea,7a,27,50,f8,00,6c,69,25,a8,a9,e9,5a,9d,b5,68,6e,41,41,a3,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2528)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-03 20:47
ComboFix-quarantined-files.txt 2009-09-03 00:47

Pre-Run: 12,964,921,344 bytes free
Post-Run: 12,933,541,888 bytes free

917 --- E O F --- 2009-09-02 22:51

Post by Belahzur on 3rd September 2009, 3:10 pm

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :services
    bvtv
    imtcq
    pcuwhv
    uiha


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
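The four names in Belahzur's OTM script are exactly the entries ComboFix listed as R2 (running, auto-start) with a throwaway lowercase name, a display name identical to it, and an image marked [x]. As an added example, not code from the thread or from ComboFix, OTM or any other tool it mentions, here is a small Python triage script that parses lines in that ComboFix format and scores them on those cues; the line format is inferred from the log above, the heuristics and threshold are my own, and the sample log is constructed from the quoted entries. AVG's own AVGIDSAgent line is included to show why a lone [x] is not enough to condemn a service.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the line format ComboFix uses in its Drivers/Services
# section: "<start> <name>;<display name>;<image path> [<date> <size>]", where
# "[x]" means ComboFix could not read the image. Entries mirror the log above.
SAMPLE_LOG = """\
R2 AVGIDSAgent;AVGIDSAgent;c:\\program files\\AVG\\AVG8\\IdentityProtection\\agent\\Bin\\AVGIDSAgent.exe AVGIDSAgent [x]
R2 bvtv;bvtv;c:\\windows\\system32\\drivers\\ejame.sys [x]
R2 imtcq;imtcq;c:\\windows\\system32\\drivers\\wrsmnixk.sys [x]
R2 pcuwhv;pcuwhv;c:\\windows\\system32\\drivers\\kbvurtru.sys [x]
R2 uiha;uiha;c:\\windows\\system32\\drivers\\fmarpf.sys [x]
R2 WinDefend;Windows Defender;c:\\program files\\Windows Defender\\MsMpEng.exe [2006-11-03 13592]
S1 AvgTdiX;AVG8 Network Redirector;c:\\windows\\System32\\Drivers\\avgtdix.sys [2009-08-26 108552]
S0 PCTCore;PCTools KDS;c:\\windows\\system32\\drivers\\PCTCore.sys [2009-09-01 206256]
"""

# "R2 name;display;rest" -- the rest is the image path plus the bracketed tail.
LINE_RE = re.compile(r"^(?P<start>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]+);(?P<rest>.+)$")
# The tail is either "[x]" or "[YYYY-MM-DD size]".
TAIL_RE = re.compile(r"^(?P<image>.*?)\s*\[(?P<tail>x|\d{4}-\d{2}-\d{2} \d+)\]$")
# Short, all-lowercase, digit-free token: the throwaway naming style seen above.
RANDOM_TOKEN_RE = re.compile(r"^[a-z]{3,8}$")


@dataclass
class ServiceEntry:
    start: str            # R = running, S = stopped; the digit is the start type
    name: str             # service key name
    display: str          # display name
    image: str            # image path as logged (may carry trailing arguments)
    readable: bool        # False when ComboFix logged "[x]"
    reasons: list = field(default_factory=list)   # heuristic hits from triage()

    @property
    def score(self) -> int:
        return len(self.reasons)


def parse_services(text: str) -> list:
    """Parse ComboFix Drivers/Services lines; lines in another format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        t = TAIL_RE.match(m["rest"])
        if not t:
            continue
        entries.append(ServiceEntry(start=m["start"], name=m["name"], display=m["display"],
                                    image=t["image"], readable=(t["tail"] != "x")))
    return entries


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Score one entry on the cues a removal helper looks for (my heuristics, not ComboFix's)."""
    entry.reasons = []
    if not entry.readable:
        entry.reasons.append("image not readable ([x])")
    if entry.name == entry.display:
        entry.reasons.append("display name identical to service name")
    if RANDOM_TOKEN_RE.match(entry.name):
        entry.reasons.append("short random-looking service name")
    # Base file name of the image, dropping any trailing argument tokens.
    base = entry.image.rsplit("\\", 1)[-1].split(" ")[0]
    stem, _, ext = base.rpartition(".")
    if ("\\system32\\drivers\\" in entry.image.lower() and ext.lower() == "sys"
            and RANDOM_TOKEN_RE.match(stem)):
        entry.reasons.append("random-looking .sys under system32\\drivers")
    return entry


def suspicious_services(text: str, threshold: int = 3) -> list:
    """Names of entries that hit at least `threshold` cues, in log order."""
    return [e.name for e in map(triage, parse_services(text)) if e.score >= threshold]


def otm_services_block(names: list) -> str:
    """Render the ':services' block in the form Belahzur pasted in the thread."""
    return "\n".join([":services", *names])


if __name__ == "__main__":
    for e in map(triage, parse_services(SAMPLE_LOG)):
        flag = "SUSPECT" if e.score >= 3 else "ok"
        print(f"{flag:<7} {e.start} {e.name:<12} {e.image}")
        for r in e.reasons:
            print(f"          - {r}")
    print(otm_services_block(suspicious_services(SAMPLE_LOG)))
```

A score is only a triage aid: legitimate drivers with odd names exist, so an entry that scores high still needs its file checked (vendor, signature, hash lookup) before it goes into a removal script.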

Post by a9jc14 on 3rd September 2009, 10:18 pm

========== SERVICES/DRIVERS ==========

Service\Driver bvtv deleted successfully.

Service\Driver imtcq deleted successfully.

Service\Driver pcuwhv deleted successfully.

Service\Driver uiha deleted successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09032009_181738

Post by Belahzur on 3rd September 2009, 10:43 pm

We can remove OTMoveIt now.

  • Please double-click OTM.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes at the cleanup process prompt, and do the same for the reboot prompt.
How is the machine running now?

Post by a9jc14 on 3rd September 2009, 11:04 pm

Wonderful, thank you!!!!
It boots up fine now and MalwareBytes reports that it's clean.
Should I post another HijackThis log?

I'm experiencing two problems:
1) If I open the AVG control panel and tell it to "Scan Now" then it just ignores me. I don't see any scan window popup or anything. I got the "free" version if that matters. Should I uninstall and reinstall to see if that fixes it? Try a repair first?

2) Windows Defender pops up a message when the computer starts up telling me that it cannot run. I may have inadvertently disabled a service that it needs in order to start up or run. I try to keep unnecessary services disabled unless I need them - like WWW Publishing and SQL Server. In an attempt to figure out what was wrong with Defender I uninstalled and re-ran the install hoping that it would fix whatever it needed. It complained that "The Installer has insufficient privileges to modify this file c:\program files\Windows Defender\MsMpEng.exe"

And lastly - Do I want to stick with AVG and does that cover "spyware / malware / viruses / trojans / rootkits" or do I want to run AVG & Spyware Doctor or some other combination?

Post by a9jc14 on 3rd September 2009, 11:33 pm

I fixed the Windows Defender problem - MsMpEng.exe was still hanging around even after install. I used the file delete tool and told it to delete that file and it rebooted and did the job. After MsMpEng.exe was deleted I was able to successfully install Defender with no problem.

Do I even *want* Windows Defender installed? Is its protection "worth it" or not really?

AVG's "start scan now" still doesn't seem to do anything.

Post by Origin on 4th September 2009, 1:36 am

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Post by a9jc14 on 4th September 2009, 9:50 am

GMER 1.0.15.15077 [VET5GK7W.EXE.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-04 05:50:28
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwClose [0xBAC298A0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBA6CAD72]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xBA6AB9A6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xBA6ABB98]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xBA6CB568]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xBA6CB820]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xBA6C9A80]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xBAC298D0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xBA6CBC8A]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xBA6CB036]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xBAC29980]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xBAC29A20]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xBAC29AC0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\Temp\19b91e0c-1dcc-4d91-9d62-853ce5ea8990.tmp 0 bytes
File C:\WINDOWS\Temp\89600970-4905-4c16-a7b8-28227ff890ae.tmp 0 bytes

---- EOF - GMER 1.0.15 ----

Post by Belahzur on 4th September 2009, 3:20 pm

Hello.
The malware you had can corrupt software, that's why AVG isn't working, same thing as Windows Defender.

Uninstall AVG, then re-install it.

Post by a9jc14 on 4th September 2009, 11:27 pm

AVG would not uninstall because it was getting hung on avgscanx.exe. I used MalwareBytes' file deletion tool to delete the file and replaced it with a dummy text file in case the AVG installer checked to make sure there was a file there to delete and re-ran the uninstaller. That time it worked. I reinstalled and the scan function works again. Super!!

Okay - absolute last problem - Windows Update won't install the most recent updates. It failed. Is it the same problem as these last two issues - a locked file? If so how do I figure out which file?

Post by Belahzur on 5th September 2009, 7:44 pm

Darn, I'm guessing no file info then.

Press Start > Run.
Type in cmd, then press enter.

At the DOS prompt execute the following commands, one by one.
Press the enter key after each entry.

regsvr32 urlmon.dll
regsvr32 Shdocvw.dll
regsvr32 Msjava.dll
regsvr32 Actxprxy.dll
regsvr32 Oleaut32.dll
regsvr32 Mshtml.dll
regsvr32 Browseui.dll
regsvr32 Shell32.dll

Type Exit and press enter to return to the operating mode.

Reboot normally.

Are updates available now?
