Virus or trojan is blocking AVG updates


  • This topic is locked
12 replies to this topic

#1 Boertjie

Boertjie

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 27 May 2009 - 06:40 AM

Good afternoon,

A trojan or virus is blocking my AVG updates and I am unable to open Google links. I tried full SuperAntiSpyware, Malwarebytes and AVG scans, but no luck. Please Help!!!!

This is the DDS log:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 13:13:07.90 on Wed 05/27/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.673 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS2\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS2\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\system32\wscntfy.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS2\system32\carpserv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Metacafe\MetacafeAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator.GEPF-96Y92NAEY6\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.za/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [CARPService] carpserv.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~2\admini~2.gep\startm~1\programs\startup\metacafe.lnk - c:\program files\metacafe\MetacafeAgent.exe
StartupFolder: c:\docume~2\alluse~2.win\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~2\alluse~2.win\startm~1\programs\startup\metacafe.lnk - c:\program files\metacafe\MetacafeAgent.exe
StartupFolder: c:\docume~2\alluse~2.win\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: workflow
DPF: DirectAnimation Java Classes - file://c:\windows2\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows2\java\classes\xmldso.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows2\system32\drivers\avgldx86.sys [2009-3-31 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows2\system32\drivers\avgmfx86.sys [2008-7-10 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows2\system32\drivers\avgtdix.sys [2009-3-31 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 Akamai;Akamai;c:\windows2\system32\svchost.exe -k Akamai [2002-8-29 14336]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-31 298264]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-4-16 104000]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows2\system32\drivers\alifir.sys [2008-4-16 26624]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 iBcT0201;iBurst Modem Type02-01;c:\windows2\system32\drivers\ibct0201.sys --> c:\windows2\system32\drivers\iBcT0201.sys [?]
S3 iBurst;iBurst Modem;c:\windows2\system32\drivers\iburst.sys --> c:\windows2\system32\drivers\iBurst.sys [?]
S3 iBurstu;iBurst Terminal;c:\windows2\system32\drivers\iburstu.sys --> c:\windows2\system32\drivers\iBurstu.sys [?]

=============== Created Last 30 ================

2009-05-27 07:59 <DIR> --d----- c:\docume~2\admini~2.gep\applic~1\Malwarebytes
2009-05-27 07:58 15,504 a------- c:\windows2\system32\drivers\mbam.sys
2009-05-27 07:58 38,496 a------- c:\windows2\system32\drivers\mbamswissarmy.sys
2009-05-27 07:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 07:58 <DIR> --d----- c:\docume~2\alluse~2.win\applic~1\Malwarebytes
2009-05-25 14:29 <DIR> --d----- c:\program files\Filseclab
2009-05-25 14:11 <DIR> --ds---- C:\ComboFix
2009-05-13 07:35 <DIR> --d----- c:\program files\common files\Filseclab
2009-04-30 05:48 <DIR> --d----- c:\docume~2\alluse~2.win\applic~1\SUPERAntiSpyware.com
2009-04-30 05:48 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-30 05:48 <DIR> --d----- c:\docume~2\admini~2.gep\applic~1\SUPERAntiSpyware.com
2009-04-30 05:47 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-04-28 20:01 <DIR> --d----- c:\docume~2\alluse~2.win\applic~1\PCPitstop

==================== Find3M ====================

2009-03-31 19:49 10,520 a------- c:\windows2\system32\avgrsstx.dll
2009-03-31 19:49 108,552 a------- c:\windows2\system32\drivers\avgtdix.sys
2009-03-31 19:49 325,640 a------- c:\windows2\system32\drivers\avgldx86.sys
2009-03-24 06:07 5,497 a------- c:\windows2\system32\uacinit.dll.vir
1998-02-10 17:34 128,000 a------- c:\program files\UNWISE.EXE

============= FINISH: 13:13:57.57 ===============

Thank You in advance!!!!

#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:43 AM

Posted 08 June 2009 - 09:16 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 Boertjie

Boertjie
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 09 June 2009 - 07:19 AM

Thank you for your reply thcbytes,

I was not able to resolve the problem. A trojan or virus is blocking my AVG updates and I am unable to open Google links. I tried full SuperAntiSpyware, Malwarebytes and AVG scans, but no luck.

This is the DDS scan log file:
DDS (Ver_09-05-14.01) - NTFSx86
Run by Administrator at 14:05:05.65 on Tue 06/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.628 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS2\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS2\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS2\system32\carpserv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Metacafe\MetacafeAgent.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS2\system32\wscntfy.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\Administrator.GEPF-96Y92NAEY6\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.za/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [CARPService] carpserv.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~2\admini~2.gep\startm~1\programs\startup\metacafe.lnk - c:\program files\metacafe\MetacafeAgent.exe
StartupFolder: c:\docume~2\alluse~2.win\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~2\alluse~2.win\startm~1\programs\startup\metacafe.lnk - c:\program files\metacafe\MetacafeAgent.exe
StartupFolder: c:\docume~2\alluse~2.win\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: workflow
DPF: DirectAnimation Java Classes - file://c:\windows2\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows2\java\classes\xmldso.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows2\system32\drivers\avgldx86.sys [2009-3-31 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows2\system32\drivers\avgmfx86.sys [2008-7-10 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows2\system32\drivers\avgtdix.sys [2009-3-31 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 Akamai;Akamai;c:\windows2\system32\svchost.exe -k Akamai [2002-8-29 14336]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-31 298264]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-4-16 104000]
R3 ALiIRDA;ALi Infrared Device Driver;c:\windows2\system32\drivers\alifir.sys [2008-4-16 26624]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 iBcT0201;iBurst Modem Type02-01;c:\windows2\system32\drivers\ibct0201.sys --> c:\windows2\system32\drivers\iBcT0201.sys [?]
S3 iBurst;iBurst Modem;c:\windows2\system32\drivers\iburst.sys --> c:\windows2\system32\drivers\iBurst.sys [?]
S3 iBurstu;iBurst Terminal;c:\windows2\system32\drivers\iburstu.sys --> c:\windows2\system32\drivers\iBurstu.sys [?]

=============== Created Last 30 ================

2009-06-07 16:27 <DIR> --d----- c:\program files\Program Files
2009-05-27 07:59 <DIR> --d----- c:\docume~2\admini~2.gep\applic~1\Malwarebytes
2009-05-27 07:58 15,504 a------- c:\windows2\system32\drivers\mbam.sys
2009-05-27 07:58 38,496 a------- c:\windows2\system32\drivers\mbamswissarmy.sys
2009-05-27 07:58 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-27 07:58 <DIR> --d----- c:\docume~2\alluse~2.win\applic~1\Malwarebytes
2009-05-25 14:29 <DIR> --d----- c:\program files\Filseclab
2009-05-25 14:11 <DIR> --ds---- C:\ComboFix
2009-05-13 07:35 <DIR> --d----- c:\program files\common files\Filseclab

==================== Find3M ====================

2009-03-31 19:49 10,520 a------- c:\windows2\system32\avgrsstx.dll
2009-03-24 06:07 5,497 a------- c:\windows2\system32\uacinit.dll.vir
1998-02-10 17:34 128,000 a------- c:\program files\UNWISE.EXE

============= FINISH: 14:05:59.92 ===============

Attached Files



#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:43 PM

Posted 11 June 2009 - 06:59 PM

Hi Boertjie

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please give me a little time to go through your log and I will get back to you with your first instructions. Don't worry, I won't abandon you.
  • Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

Thanks :thumbup2:
m0le is a proud member of UNITE

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:43 PM

Posted 11 June 2009 - 07:13 PM

Hi Boertjie,

I see that you have downloaded Combofix. Have you run it? If so, can you find the log so that I can see what it did?

It will look something like the filepath below. The number after ComboFix should be the highest number; this may be 1 if you have run it only once.

C:\qoobox\ComboFix1.txt 2009-06-01 17:07:26


First we need to see if there's anything nasty hidden away

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Close any and all open programs, as this process may crash your computer.
  • Double click the downloaded GMER file (gmer.exe or the randomly named file) on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Scan and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Save... and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.


Then

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Don't forget the Combofix log if there is one.

Thanks :thumbup2:
m0le is a proud member of UNITE

#6 Boertjie

Boertjie
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 12 June 2009 - 09:52 AM

Hallo Mole, thank you for your reply.

The GMER application runs for a while and then the laptop re-starts. I need to switch the laptop off and on again. Windows appears with the message that "The system has recovered from a serious error".

I was able to run OTL. McAfee found the following on my memory stick: W32/Autorun.worm.n.

Please find attached other log files.

Many thanks!!!

Attached Files



#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:43 PM

Posted 13 June 2009 - 04:11 PM

Hi Boertjie,

I see remnants of a rootkit on the old Combofix log.

McAfee seems to have spotted a drive infection too.

Please delete your copy of Combofix as below:

Delete ComboFix and Clean Up
Click Start > Run and type combofix /u click OK (Note the space between combofix and /u)
Please advise if this step is missed for any reason as it performs some important actions.

Then redownload it as per these instructions.

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop but rename it Combo-Fix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message asking whether to continue. Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Let's see what it produces. :thumbup2:
m0le is a proud member of UNITE

#8 Boertjie

Boertjie
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 15 June 2009 - 08:42 AM

Hi m0le

Here is the new Combo-Fix log as requested.
I was able to run GMER by uninstalling Registry Mechanic. This is the GMER log:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-16 09:17:20
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF6A95DF0]

Code \??\C:\DOCUME~2\ADMINI~2.GEP\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~2\ADMINI~2.GEP\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS2\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS2\Temp\d6360d93-10dc-4f15-a58a-8d21ba61c388.tmp 1024 bytes

---- EOF - GMER 1.0.15 ----


Best regards

Attached Files


Edited by Boertjie, 16 June 2009 - 02:24 AM.


#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:43 PM

Posted 16 June 2009 - 04:00 PM

Hi Boertjie,

The Gmer and Combofix logs don't show much.

What symptoms are you getting now?

Let's try an online scan

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
Thanks :thumbup2:
m0le is a proud member of UNITE

#10 Boertjie

Boertjie
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 18 June 2009 - 02:33 AM

Hi m0le,

The problem was that AVG would not update and only Google would open, but no links.

But, good news, the problem (whatever it was) is gone. I was able to update AVG with no problems. The Bitdefender scan found no viruses.
The only problem is that McAfee found the following on my memory stick: W32/Autorun.worm.n. Any suggestions? I think that the problems I had came from this memory stick in the first place.

Best regards

Boertjie

#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:43 PM

Posted 18 June 2009 - 06:36 AM

The memory stick can be cleaned.

Let's try this method.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder; it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Let me know how that goes. :thumbup2:
m0le is a proud member of UNITE
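A defender-side check for the guard described in the post above (a folder named autorun.inf at the drive root blocks an Autorun worm from dropping a file of that name), written as an added example that is not part of this thread or of Flash_Disinfector itself. It assumes only a drive root path; the two sample sticks, the padding line and the dropper file name are constructed.

```python
import os
import tempfile

# [autorun] keys that start a program when Windows honours the file.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_commands(text):
    """Return [(key, value)] for every launch directive in the [autorun]
    section. Hand-rolled instead of configparser because worm-written
    autorun.inf files are often padded with junk lines that make a strict
    INI parser give up."""
    commands = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        # open=, shellexecute= and shell\<verb>\command= all launch a program
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            commands.append((key, value))
    return commands


def inspect_autorun(root):
    """Describe the autorun.inf entry at a drive root.

    state "none"   -> nothing named autorun.inf at the root
          "folder" -> a directory holds the name (the Flash_Disinfector-style
                      guard: a worm cannot then drop a file with that name)
          "file"   -> a real autorun.inf; "commands" lists what it would launch
    """
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return {"state": "none", "commands": []}
    if os.path.isdir(path):
        return {"state": "folder", "commands": []}
    # autorun.inf is plain 8-bit text; latin-1 never fails to decode.
    with open(path, "r", encoding="latin-1") as fh:
        return {"state": "file", "commands": parse_autorun_commands(fh.read())}


# Constructed sample in the shape such worms use (hypothetical file names).
SAMPLE_AUTORUN_INF = """[autorun]
xyzzy padding line without an equals sign
open=RECYCLER\\SAMPLE_DROPPER.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command=RECYCLER\\SAMPLE_DROPPER.exe
shell\\explore\\command=RECYCLER\\SAMPLE_DROPPER.exe
"""


def demo():
    """Build two constructed drive roots under a temp dir: one carrying a
    worm-style autorun.inf file, one guarded by an autorun.inf folder.
    Returns (infected_report, guarded_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        infected = os.path.join(tmp, "infected_stick")
        guarded = os.path.join(tmp, "guarded_stick")
        os.makedirs(infected)
        os.makedirs(os.path.join(guarded, "autorun.inf"))
        with open(os.path.join(infected, "autorun.inf"), "w", encoding="latin-1") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        return inspect_autorun(infected), inspect_autorun(guarded)


if __name__ == "__main__":
    # On a real machine pass the drive root instead, e.g. inspect_autorun("E:\\").
    for label, report in zip(("infected", "guarded"), demo()):
        print(label, report["state"])
        for key, value in report["commands"]:
            print("   would launch:", key, "->", value)
```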

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:43 PM

Posted 21 June 2009 - 03:52 AM

Hi Boertjie,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:43 PM

Posted 22 June 2009 - 02:10 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :thumbup2:

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
