AV Security is really getting around...Help


Post by Nativetexan2 on Sun 04 Jul 2010, 1:31 pm

I was doing some research when the ugly AV Security window popped up. How do I get rid of it? I am running Vista Premium Home Edition. I was able to log on in Safe Mode with Networking to get on MS Explorer. I ran Malwarebytes and it found one infection that I deleted, but that didn't help.

Nativetexan2
Newbie Surfer
Posts : 48
Joined : 2010-07-04
Operating System : Windows 7 Professional

Re: AV Security is really getting around...Help

Post by chiaz on Sun 04 Jul 2010, 2:13 pm

Hi Nativetexan2,

Welcome! A few things before we start....
1. Please Read All Instructions Carefully.
2. If you don't understand something, stop and ask! Don't keep going on.
3. Perform all instructions in Normal Mode unless otherwise stated.
4. Please do not run any other tools or scans whilst I am helping you.
5. If you have to go away for an extended period of time, let me know.
6. Please continue to respond until I give you the "All Clear".
(Just because you can't see a problem doesn't mean it isn't there)


Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

chiaz
Malware Advisor
Posts : 126
Joined : 2010-03-16
Operating System : Vista

Re: AV Security is really getting around...Help

Post by Nativetexan2 on Sun 04 Jul 2010, 2:52 pm

Just to clarify, I can not connect to the internet in normal mode. I'll have to download from Safe mode then restart in normal to run any applications.

Re: AV Security is really getting around...Help

Post by Nativetexan2 on Sun 04 Jul 2010, 3:32 pm

When I run that I get the user account control box. I clicked on "allow" but nothing happens. I do get the AV security warning box.

Application cannot be executed. The file commy.exe is infected. Do you want to activate your antivirus software now?

Re: AV Security is really getting around...Help

Post by chiaz on Sun 04 Jul 2010, 3:39 pm

Download RKill by Grinler
Version 1
Version 2

  • Download Version 1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Version 2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
This only kills the active infection, the actual infection will not be gone.

==============

Now try running ComboFix once more.

Re: AV Security is really getting around...Help

Post by Nativetexan2 on Sun 04 Jul 2010, 4:28 pm

That worked. Combofix is running but I have a problem. I have tried to close AVG antivirus but can not. I right clicked the system tray but there is no exit to click on. I opened AVG and exited the program but Combofix says it is still active. Should I just remove the program entirely from the computer or continue running combofix?

Re: AV Security is really getting around...Help

Post by chiaz on Sun 04 Jul 2010, 4:35 pm

If you're sure you have ended AVG, ignore any warnings that you get about it and proceed with ComboFix.

Re: AV Security is really getting around...Help

Post by Nativetexan2 on Sun 04 Jul 2010, 4:40 pm

Got a message about a newer version of Combofix available. Should I update?

Re: AV Security is really getting around...Help

Post by chiaz on Sun 04 Jul 2010, 4:41 pm

Yes.

Re: AV Security is really getting around...Help

Post by Nativetexan2 on Sun 04 Jul 2010, 5:15 pm

ComboFix 10-07-03.04 - Office Depot 07/04/2010 0:47.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1791.972 [GMT -5:00]
Running from: c:\users\Office Depot\Desktop\commy.exe
Command switches used :: /stepdel
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Office Depot\AppData\Local\qyteibvvr
c:\users\Office Depot\AppData\Local\qyteibvvr\hregcbjtssd.exe
c:\users\Office Depot\AppData\Roaming\.#
c:\users\Office Depot\AppData\Roaming\.#\MBX@B14@18B2990.###
c:\users\Office Depot\AppData\Roaming\.#\MBX@B14@18B29C0.###
c:\users\Office Depot\AppData\Roaming\.#\MBX@B14@18B29F0.###
c:\users\Office Depot\AppData\Roaming\.#\MBX@EB8@1C92990.###
c:\users\Office Depot\AppData\Roaming\.#\MBX@EB8@1C929C0.###
c:\users\Office Depot\AppData\Roaming\.#\MBX@EB8@1C929F0.###
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_RelevantKnowledge


((((((((((((((((((((((((( Files Created from 2010-06-04 to 2010-07-04 )))))))))))))))))))))))))))))))
.

2010-07-04 05:55 . 2010-07-04 05:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-25 08:02 . 2010-06-25 08:02 -------- d-----w- c:\program files\Microsoft.NET
2010-06-24 08:00 . 2009-11-08 15:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 08:00 . 2009-11-08 15:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 08:00 . 2009-11-08 15:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 08:00 . 2009-11-08 15:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 08:00 . 2009-11-08 15:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-23 19:00 . 2010-04-16 16:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-23 19:00 . 2010-04-16 14:39 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-10 03:34 . 2010-05-01 14:13 2037248 ----a-w- c:\windows\system32\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-02 22:03 . 2010-01-22 03:41 -------- d-----w- c:\users\Office Depot\AppData\Roaming\HpUpdate
2010-06-29 11:59 . 2008-07-26 05:23 -------- d-----w- c:\users\Office Depot\AppData\Roaming\LimeWire
2010-06-11 05:12 . 2008-07-26 05:20 -------- d-----w- c:\program files\Common Files\Java
2010-06-10 08:36 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-05 17:11 . 2010-06-05 17:11 98304 ----a-w- c:\users\Office Depot\AppData\Roaming\LimeWire\browser\xulrunner\smime3.dll
2010-06-05 13:12 . 2009-04-09 05:32 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 13:07 . 2009-02-02 15:12 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-02 13:07 . 2008-07-23 06:29 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-26 17:06 . 2010-06-10 03:35 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-10 03:35 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-26 00:33 . 2009-04-09 05:28 -------- d-----w- c:\program files\Microsoft
2010-05-21 13:10 . 2010-05-21 13:10 -------- d-----w- c:\program files\iTunes
2010-05-21 13:10 . 2010-05-21 13:10 -------- d-----w- c:\program files\iPod
2010-05-21 13:10 . 2008-07-25 05:52 -------- d-----w- c:\program files\Common Files\Apple
2010-05-21 13:07 . 2010-05-21 13:07 -------- d-----w- c:\program files\Bonjour
2010-05-21 13:05 . 2010-05-21 13:05 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-13 01:55 . 2008-12-30 06:32 -------- d-----w- c:\program files\LimeWire
2010-05-13 00:33 . 2008-02-26 07:57 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-06 03:40 . 2008-07-25 05:54 -------- d-----w- c:\users\Office Depot\AppData\Roaming\Apple Computer
2010-05-04 05:59 . 2010-06-10 03:35 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-10 03:35 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-10 03:35 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-10 03:35 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-04-24 01:00 . 2010-04-24 01:00 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-23 14:13 . 2010-05-25 22:23 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-16 16:43 . 2010-06-23 19:00 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-04-16 16:43 . 2010-06-23 19:00 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-04-16 16:43 . 2010-06-23 19:00 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-04-16 16:43 . 2010-06-23 19:00 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-04-08 18:20 . 2010-04-08 18:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 18:20 . 2010-04-08 18:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-07 03:33 . 2010-04-07 03:33 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-07 03:33 . 2010-04-07 03:33 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-07 03:33 . 2010-04-07 03:33 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-07 03:33 . 2010-04-07 03:33 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-07 03:33 . 2010-04-07 03:33 49152 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-07 03:33 . 2010-04-07 03:33 40960 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-07 03:33 . 2010-04-07 03:33 308808 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-07 03:33 . 2010-04-07 03:33 14848 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-07 03:33 . 2010-03-16 05:43 341600 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-05 17:01 . 2010-06-10 03:35 67072 ----a-w- c:\windows\system32\asycfilt.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 15:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 10:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-07-06 4669440]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1458176]
"HostManager"="c:\program files\Common Files\AOL\1217564602\ee\AOLSoftware.exe" [2008-06-24 41824]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"EZGigMonitor.exe"="c:\program files\Apricorn\EZ Gig II\EZGigMonitor.exe" [2007-10-09 1169264]
"AcronisTimounterMonitor"="c:\program files\Apricorn\EZ Gig II\TimounterMonitor.exe" [2007-10-09 1949480]
"Apricorn Scheduler Service"="c:\program files\Common Files\Apricorn\Schedule2\schedhlp.exe" [2007-10-09 148712]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-07 202256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\users\Office Depot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2004-4-13 299008]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Snagit 9.lnk - c:\program files\TechSmith\Snagit 9\Snagit32.exe [2009-10-15 6287176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
backup=c:\windows\\pss\Empowering Technology Launcher.lnkStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-02-02 18:05 1261568 ----a-w- c:\program files\Acer Assist\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
2008-01-10 02:43 326176 ----a-w- c:\acer\Empowering Technology\SysMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-10-15 20:43 3387392 ----a-w- c:\program files\Acer Registration\ACE1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
2008-01-23 20:33 34552 ----a-w- c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-01-03 09:55 521776 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMediaSharing]
2008-01-26 02:49 204908 ----a-w- c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 18:35 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):1e,1c,e6,84,f8,34,ca,01

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 RGFILERW;RGFILERW;c:\windows\system32\Drivers\RGFILERW.SYS [x]
R3 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2008-01-26 269448]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-01-23 21752]
R4 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-01-23 49152]
R4 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-01-23 131072]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-03-15 216200]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-06-02 242896]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-03-15 308064]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-07-04 c:\windows\Tasks\User_Feed_Synchronization-{778E61E6-1D2E-4282-8402-E15FD89B81C9}.job
- c:\windows\system32\msfeedssync.exe [2010-06-10 04:30]
.
.
------- Supplementary Scan -------
.
mStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5577
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
DPF: {6BAB93B7-1917-4214-A7D2-874FA6DB4740} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Aim6 - (no file)
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
HKCU-Run-culcdvim - c:\users\Office Depot\AppData\Local\qyteibvvr\hregcbjtssd.exe
HKLM-Run-Regen - c:\program files\OnSpec\All Users\Regen\Regen.exe
MSConfigStartUp-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
MSConfigStartUp-Apanel - c:\acersw\config\NewSetApanel.cmd
MSConfigStartUp-isCfgWiz - c:\program files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-07-04 00:59
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(868)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'Explorer.exe'(3528)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apricorn\Schedule2\schedul2.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-07-04 01:06:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-04 06:06

Pre-Run: 73,777,295,360 bytes free
Post-Run: 75,574,525,952 bytes free

- - End Of File - - 2B7D005CBC4B97EF57299DA083E0BFA7

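An added triage example, not part of the thread and not ComboFix's own logic: the log above is long, and the entries that actually matter are few. The script below runs a handful of heuristics over a constructed excerpt modelled on that log (the random-named executable under AppData\Local that ComboFix deleted and that was also wired into an HKCU Run value, the Security Center DisableMonitoring values, the Autorun.inf in the root of the F: drive, and the per-user proxy at 127.0.0.1:5577). The regexes, the vowel-ratio threshold in looks_random and the category names are my assumptions for illustration, not rules ComboFix applies.

```python
"""Heuristic triage of a ComboFix-style log (added example, not ComboFix code).

Flags four patterns visible in the thread's log: a random-named executable
under AppData\\Local, a per-user proxy pointing at localhost, Security Center
monitoring switched off, and an Autorun.inf in the root of a drive.
"""
import re

# Constructed excerpt modelled on the posted log; not the complete log.
SAMPLE_LOG = r"""
c:\users\Office Depot\AppData\Local\qyteibvvr\hregcbjtssd.exe
F:\Autorun.inf
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-02 2065248]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
uInternet Settings,ProxyServer = http=127.0.0.1:5577
HKCU-Run-culcdvim - c:\users\Office Depot\AppData\Local\qyteibvvr\hregcbjtssd.exe
"""

APPDATA_LOCAL_EXE = re.compile(r"appdata\\local\\([a-z0-9]+)\\([a-z0-9]+)\.exe$", re.I)
LOCAL_PROXY = re.compile(r"ProxyServer\s*=\s*(?:http=)?(127\.0\.0\.1|localhost):(\d+)", re.I)
ROOT_AUTORUN = re.compile(r"^[a-z]:\\autorun\.inf$", re.I)
MONITORING_OFF = re.compile(r'"DisableMonitoring"=dword:0*1$', re.I)
VOWELS = set("aeiou")


def looks_random(name):
    """Crude generator-name check (an assumption, not a ComboFix rule): at least
    seven letters, no digits, and a vowel ratio of 0.25 or less.
    'hregcbjtssd' and 'qyteibvvr' pass; 'avgtray' (2/7) and 'firefox' do not."""
    if len(name) < 7 or not name.isalpha():
        return False
    vowels = sum(1 for c in name.lower() if c in VOWELS)
    return vowels / len(name) <= 0.25


def triage(log_text):
    """Return an ordered, de-duplicated list of (category, detail) findings."""
    findings, seen = [], set()
    current_key = None  # most recent [HKEY_...] header, for context on value lines

    def add(category, detail):
        key = (category, detail.lower())
        if key not in seen:
            seen.add(key)
            findings.append((category, detail))

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[HKEY_"):
            current_key = line
            continue
        m = APPDATA_LOCAL_EXE.search(line)
        if m and (looks_random(m.group(1)) or looks_random(m.group(2))):
            add("random-named executable in AppData\\Local", m.group(0))
        m = LOCAL_PROXY.search(line)
        if m:
            add("per-user proxy pointing at localhost", f"{m.group(1)}:{m.group(2)}")
        if ROOT_AUTORUN.match(line):
            add("Autorun.inf in drive root", line)
        if MONITORING_OFF.search(line):
            add("Security Center monitoring disabled", f"{current_key}: {line}")
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:45} {detail}")
```

The proxy line is the one to keep an eye on. A per-user ProxyServer pointing at a localhost port with nothing listening on it is consistent with the "no internet in normal mode" symptom reported earlier in the thread, and ComboFix lists it under Supplementary Scan rather than under its deletions, so it is worth confirming after cleanup (Internet Options, Connections, LAN settings) that the setting is actually gone.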

Re: AV Security is really getting around...Help

Post by Nativetexan2 on Sun 04 Jul 2010, 5:40 pm

It's 1:30 am and I am going to bed. I'll check on things in the morning.

Re: AV Security is really getting around...Help

Post by chiaz on Sun 04 Jul 2010, 6:21 pm

I see that you have ViewPoint installed on your PC. We usually consider this optional to remove. Please read here for more information, as well as removal instructions.

Now run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window.
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.



Re: AV Security is really getting around...Help

Post by Nativetexan2 on Mon 05 Jul 2010, 1:33 am

Running the ESET online scanner now.

Re: AV Security is really getting around...Help

Post by Nativetexan2 on Mon 05 Jul 2010, 1:47 am

I went to get a cup of coffee and the scan stopped. The message said the scan was stopped by the user, but I wasn't at the computer... The log file is below.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251

Re: AV Security is really getting around...Help

Post by Nativetexan2 on Mon 05 Jul 2010, 2:09 am

I found the problem. My power saver stopped the program. Changed power saver to NEVER and rerunning ESET scan.

Re: AV Security is really getting around...Help

Post by Nativetexan2 on Mon 05 Jul 2010, 3:33 am

ESET Log below:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
esets_scanner_update returned -1 esets_gle=53251
esets_scanner_update returned -1 esets_gle=53251

Re: AV Security is really getting around...Help

Post by chiaz on Mon 05 Jul 2010, 11:12 am

Did the scan complete this time round?

Re: AV Security is really getting around...Help

Post by Nativetexan2 on Mon 05 Jul 2010, 1:29 pm

Yes it did...took over an hour and a half.

Re: AV Security is really getting around...Help

Post by chiaz on Mon 05 Jul 2010, 1:34 pm

OK if the ESET scanner came back clean, and if your PC is running fine now, then you should be all good to go.

To uninstall ComboFix

  • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  • In the field, type in ComboFix /uninstall
    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)
  • Then, press Enter, or click OK.
  • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
