
Fake antivirus "protection system" please help!


9 replies to this topic

#1 michellew1221

michellew1221

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:57 AM

Posted 20 August 2009 - 02:32 PM

I have a fake anti-virus called 'Protection System' on my computer. It continually has pop-ups informing me that my system is infected and that I need to use 'Protection System'. It has also tried to uninstall AVG about 4-5 times.
I have run Malwarebytes and AVG software. I tried running Ad-Aware but it didn't seem to find anything. *When I downloaded Malwarebytes and HJT I had to change both the file names before I could install them.* Please help!!!
On a different site I read something about 'RootRepeal'. I downloaded that and ran a scan; I have the report from that scan included as well.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 3

8/20/2009 10:44:35 AM
mbam-log-2009-08-20 (10-44-35).txt

Scan type: Quick Scan
Objects scanned: 97055
Time elapsed: 5 minute(s), 18 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 14

Memory Processes Infected:
C:\Program Files\Protection System\psystem.exe (Rogue.ProtectionSystem) -> Unloaded process successfully.

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACmosoxtbqlm.dll (Rogue.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\CoreGuard (Rogue.CoreGuard2009) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\protection system (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5e2121ee-0300-11d4-8d3b-444553540000} (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\UACmosoxtbqlm.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\psystem.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wingenocx.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\blacklist.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\core.cga (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\coreext.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\firewall.dll (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\help.ico (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System Support.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Protection System\Uninstall Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Desktop\Protection System.lnk (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Protection System Support.lnk (Rogue.Link) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:23 AM, on 8/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\net.exe
C:\WINDOWS\system32\net1.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\click me.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bcctoday.sunybroome.edu/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\click me.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...Detection2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7774 bytes

ROOTREPEAL REPORT


==================================================
Scan Start Time: 2009/08/20 15:06
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x96F59000 Size: 819200 File Visible: No Signed: -
Status: -

Name: icidpxsc.sys
Image Path: C:\WINDOWS\system32\drivers\icidpxsc.sys
Address: 0xA5E67000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x95A92000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACivssvtewux.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACixdqjbpjru.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmosoxtbqlm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACndtfwbuabm.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACuybigieisx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC421.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac5089.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac50ec.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac555c.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac584a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac5b95.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac601a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac63da.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac65c7.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC6740.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac6a1d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac6cdc.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac6ff9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac747d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac8448.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac88e9.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacae60.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacb16e.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacb371.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACb584.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacb5c3.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacb8e0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacbede.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uaccdd4.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd11b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacd19d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacd256.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacd2bf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacd3fe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacd498.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacd5f2.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACd5fd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacd825.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacd8a0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacd965.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacdb22.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uace1c7.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uace3ca.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UACf740.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacf758.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uac184f.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\uacce9d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACehrlovmpxi.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Local Settings\Temp\UACab2b.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\owner\local settings\temp\fla19.tmp
Status: Size mismatch (API: 21990841, Raw: 21401017)

Stealth Objects
-------------------
Object: Hidden Module [Name: UACixdqjbpjru.dll]
Process: svchost.exe (PID: 1172) Address: 0x10000000 Size: 65536

Object: Hidden Module [Name: UACivssvtewux.dll]
Process: Explorer.EXE (PID: 2772) Address: 0x10000000 Size: 49152

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACehrlovmpxi.sys

==EOF==
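As a defender-side example added to this thread (not a tool from BleepingComputer or from either poster), the following Python script parses the RootRepeal and Malwarebytes log formats shown above and cross-checks them, so a helper can see which hidden components survived the first cleanup and which the scanner never saw. The record regexes and the `uac` naming pattern are assumptions derived only from the posted logs, and the sample text is a constructed excerpt of them.

```python
"""
Triage helper for the RootRepeal and Malwarebytes logs in the post above.

Added example for this thread, not a tool from BleepingComputer or from
either poster. It collects everything RootRepeal flagged as invisible to
the Windows API and cross-checks those names against what Malwarebytes
reported. The sample text below is a constructed excerpt of the posted logs.
"""
import re

ROOTREPEAL_SAMPLE = r"""Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmosoxtbqlm.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC421.tmp
Status: Invisible to the Windows API!

Path: c:\documents and settings\owner\local settings\temp\fla19.tmp
Status: Size mismatch (API: 21990841, Raw: 21401017)

Stealth Objects
-------------------
Object: Hidden Module [Name: UACixdqjbpjru.dll]
Process: svchost.exe (PID: 1172) Address: 0x10000000 Size: 65536

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACehrlovmpxi.sys

==EOF==
"""

MBAM_SAMPLE = r"""Files Infected:
\\?\globalroot\systemroot\system32\UACmosoxtbqlm.dll (Rogue.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Protection System\psystem.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

# RootRepeal record shapes, assumed from the report format in the post.
HIDDEN_FILE_RE = re.compile(r"^Path: (?P<path>.+)\nStatus: (?P<status>.+)$", re.M)
STEALTH_RE = re.compile(
    r"^Object: Hidden Module \[Name: (?P<name>[^\]]+)\]\n"
    r"Process: (?P<proc>\S+) \(PID: (?P<pid>\d+)\)", re.M)
HIDDEN_SVC_RE = re.compile(r"^Service Name: (?P<svc>.+)\nImage Path: (?P<image>.+)$", re.M)
# Malwarebytes line shape: <path> (<family>) -> <action>
MBAM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$", re.M)
# Naming pattern of the hidden components in these logs: a "uac" prefix
# followed by random characters. Derived from the posted logs only.
UAC_NAME_RE = re.compile(r"^uac[0-9a-z]*\.(dll|sys|dat|tmp)$", re.I)


def basename(path):
    # Lower-cased file name, so MBAM's \\?\globalroot\systemroot\... spelling
    # and RootRepeal's C:\WINDOWS\... spelling of one file compare equal.
    return path.rsplit("\\", 1)[-1].lower()


def triage(rootrepeal_text, mbam_text):
    """Correlate the two logs and return a triage summary."""
    hidden = {basename(m["path"]): m["status"]
              for m in HIDDEN_FILE_RE.finditer(rootrepeal_text)}
    stealth = [(m["name"], m["proc"], int(m["pid"]))
               for m in STEALTH_RE.finditer(rootrepeal_text)]
    services = [(m["svc"], m["image"]) for m in HIDDEN_SVC_RE.finditer(rootrepeal_text)]
    mbam = {basename(m["path"]): (m["family"], m["action"])
            for m in MBAM_RE.finditer(mbam_text)}

    return {
        # everything RootRepeal could not see through the normal file API
        "hidden_files": sorted(hidden),
        # hidden files whose name fits the rootkit's naming pattern
        "uac_pattern": sorted(n for n in hidden if UAC_NAME_RE.match(n)),
        # detected by MBAM but still on disk until the machine restarts
        "pending_reboot": sorted(n for n, (_, act) in mbam.items()
                                 if act.startswith("Delete on reboot")),
        # hidden from the API and never reported by MBAM: still needs attention
        "hidden_not_in_mbam": sorted(n for n in hidden if n not in mbam),
        # a hidden service pointing at a hidden driver means a kernel-mode part
        "hidden_services": services,
        "kernel_component": bool(services),
        # processes carrying a module that RootRepeal says is hidden
        "injected_processes": sorted({proc for _, proc, _ in stealth}),
    }


def main():
    for key, value in triage(ROOTREPEAL_SAMPLE, MBAM_SAMPLE).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Run it against a real pair of logs by swapping the two sample strings for the file contents; the "pending_reboot" and "hidden_not_in_mbam" lists are the items a helper would want to look at before declaring the machine clean.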



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:57 AM

Posted 22 August 2009 - 02:55 PM

Hi michellew1221,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield (I'll let you know when), just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 michellew1221

michellew1221
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:57 AM

Posted 23 August 2009 - 09:50 PM

Thank you!
Here is my log from ComboFix:


ComboFix 09-08-22.06 - Owner 08/23/2009 22:42.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1607 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\IEToolbar
c:\windows\jnnmp1381.exe
c:\windows\kqph00568.exe
c:\windows\system32\drivers\UACehrlovmpxi.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\resdll.dll
c:\windows\system32\UACivssvtewux.dll
c:\windows\system32\UACixdqjbpjru.dll
c:\windows\system32\UACmosoxtbqlm.dll
c:\windows\system32\UACndtfwbuabm.dat
c:\windows\system32\UACuybigieisx.dll
c:\windows\system32\wscsvc32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-24 to 2009-08-24 )))))))))))))))))))))))))))))))
.

2009-08-21 08:30 . 2009-08-24 02:33 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-21 08:29 . 2009-08-24 02:41 -------- d-----w- c:\program files\Spyware Doctor
2009-08-20 19:04 . 2009-08-20 19:04 0 ----a-w- c:\documents and settings\Owner\settings.dat
2009-08-20 05:39 . 2009-08-20 05:39 -------- d-----w- c:\program files\Trend Micro
2009-08-20 05:12 . 2009-08-24 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-20 03:43 . 2009-08-20 03:43 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-20 03:22 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-20 03:22 . 2009-08-20 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-20 03:22 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-20 03:22 . 2009-08-20 05:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-20 02:45 . 2009-08-20 02:45 -------- d-----w- C:\_OTM
2009-08-20 01:26 . 2009-08-20 01:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-08-12 17:10 . 2009-08-12 17:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-12 12:46 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-06 13:57 . 2009-08-06 13:57 -------- d-----w- c:\documents and settings\Owner\Application Data\acccore
2009-08-06 13:57 . 2009-08-06 13:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AOL OCP
2009-08-06 13:57 . 2009-08-06 13:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AOL
2009-08-06 13:56 . 2009-08-06 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-06 13:56 . 2009-08-06 13:56 -------- d-----w- c:\program files\Viewpoint
2009-08-06 13:56 . 2009-08-06 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore
2009-08-06 13:56 . 2009-08-06 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL OCP
2009-08-06 13:56 . 2009-08-06 13:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-06 13:56 . 2009-08-06 13:56 -------- d-----w- c:\program files\Common Files\AOL
2009-08-06 13:55 . 2009-08-06 13:57 -------- d-----w- c:\program files\AIM6
2009-08-06 07:46 . 2009-08-06 07:46 -------- d-----w- c:\windows\system32\scripting
2009-08-06 07:46 . 2009-08-06 07:46 -------- d-----w- c:\windows\l2schemas
2009-08-06 07:46 . 2009-08-06 07:46 -------- d-----w- c:\windows\system32\en
2009-08-06 07:46 . 2009-08-06 07:46 -------- d-----w- c:\windows\system32\bits
2009-08-06 06:46 . 2009-08-06 07:35 -------- d-----w- c:\windows\system32\NtmsData
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 04:40 . 2009-08-04 04:40 -------- d-----w- c:\windows\ServicePackFiles
2009-08-04 04:35 . 2008-04-14 00:09 811064 -c----w- c:\windows\system32\dllcache\imjp81k.dll
2009-08-04 01:23 . 2009-06-29 16:12 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-08-04 01:23 . 2009-06-29 16:12 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2009-08-04 01:23 . 2009-07-19 13:32 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-08-04 01:23 . 2009-06-29 16:12 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-08-04 01:23 . 2009-06-29 11:07 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-08-04 01:23 . 2009-06-29 16:12 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
2009-08-04 01:23 . 2009-06-29 16:12 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
2009-08-04 01:23 . 2009-06-29 08:33 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
2009-08-01 20:44 . 2009-08-01 20:45 1962544 ------w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-08-01 20:44 . 2009-08-03 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-01 20:44 . 2009-08-02 21:24 -------- d-----w- c:\program files\NOS
2009-07-29 15:13 . 2009-08-21 08:51 -------- d-----w- c:\program files\Snood 4
2009-07-28 15:03 . 2009-07-28 15:03 -------- d-----w- c:\program files\iPod
2009-07-28 15:03 . 2009-07-28 15:03 -------- d-----w- c:\program files\iTunes
2009-07-28 14:55 . 2009-07-28 14:55 75040 ------w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-07-27 13:24 . 2006-10-26 23:56 32592 ------w- c:\windows\system32\msonpmon.dll
2009-07-27 13:23 . 2009-07-27 13:23 -------- d-----w- c:\program files\Microsoft Works
2009-07-27 13:23 . 2009-07-27 13:23 -------- d-----w- c:\program files\MSBuild
2009-07-27 13:18 . 2009-07-27 13:22 -------- d-----w- c:\windows\SHELLNEW
2009-07-27 13:18 . 2009-07-27 13:18 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Microsoft Help
2009-07-27 13:18 . 2009-08-13 13:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-27 13:17 . 2009-07-27 13:17 -------- d--h--r- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-21 08:45 . 2009-07-02 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-19 18:15 . 2009-07-06 18:14 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2009-08-10 18:30 . 2009-07-06 18:03 -------- d-----w- c:\program files\LimeWire
2009-08-10 06:24 . 2009-07-02 00:55 74184 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 07:48 . 2009-05-21 18:40 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-05 20:25 . 2009-07-02 14:09 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-08-05 20:24 . 2009-07-02 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-05 09:01 . 2009-08-04 04:35 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 00:20 . 2009-07-02 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-01 13:18 . 2009-07-07 21:12 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-28 15:03 . 2009-07-02 14:08 -------- d-----w- c:\program files\Common Files\Apple
2009-07-27 13:14 . 2009-07-15 19:42 -------- d-----w- c:\program files\OpenOffice.org 2.4
2009-07-27 13:14 . 2009-07-15 20:16 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org2
2009-07-23 21:13 . 2009-07-15 20:17 1 ------w- c:\documents and settings\Owner\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-07-17 19:01 . 2009-08-04 04:35 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 03:43 . 2009-07-16 03:43 -------- d-----w- c:\program files\Alarm Clock
2009-07-13 14:08 . 2006-03-15 11:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-10 00:08 . 2009-07-02 20:37 335752 ------w- c:\windows\system32\drivers\avgldx86.sys
2009-07-07 16:33 . 2009-07-07 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-07-07 02:44 . 2009-07-07 20:55 937984 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-07 02:44 . 2009-07-07 20:55 65536 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-07 02:44 . 2009-07-07 20:55 106496 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-07-07 02:44 . 2009-07-07 20:55 103424 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-07 02:44 . 2009-07-07 20:55 4722688 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-07 02:44 . 2009-07-07 20:55 344064 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-07-06 18:04 . 2009-07-06 18:04 410984 ------w- c:\windows\system32\deploytk.dll
2009-07-06 18:04 . 2009-07-06 18:04 -------- d-----w- c:\program files\Java
2009-07-06 18:04 . 2009-07-06 18:04 152576 ------w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-07-06 18:03 . 2009-07-06 18:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-04 07:26 . 2009-07-04 07:26 -------- d-----w- c:\documents and settings\Owner\Application Data\InterVideo
2009-07-02 20:37 . 2009-07-02 20:37 11952 ------w- c:\windows\system32\avgrsstx.dll
2009-07-02 20:37 . 2009-07-02 20:37 108552 ------w- c:\windows\system32\drivers\avgtdix.sys
2009-07-02 20:37 . 2009-07-02 20:37 27784 ------w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-02 20:37 . 2009-07-02 20:37 -------- d-----w- c:\program files\AVG
2009-07-02 15:43 . 2009-07-02 15:43 -------- d-----w- c:\program files\Stardock
2009-07-02 15:43 . 2009-07-02 15:43 -------- d-----w- c:\program files\Common Files\Stardock
2009-07-02 14:09 . 2009-07-02 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-07-02 14:08 . 2009-07-02 14:08 -------- d-----w- c:\program files\Bonjour
2009-07-02 14:08 . 2009-07-02 14:08 -------- d-----w- c:\program files\QuickTime
2009-07-02 14:08 . 2009-07-02 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-02 14:08 . 2009-07-02 14:08 -------- d-----w- c:\program files\Apple Software Update
2009-07-02 05:31 . 2009-07-02 05:31 0 ------w- c:\windows\nsreg.dat
2009-07-01 02:19 . 2009-07-02 05:36 106496 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Plugins\npcoolirisplugin.dll
2009-07-01 02:19 . 2009-07-02 05:36 65536 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\piclens@cooliris.com-trash\components\coolirisstub.dll
2009-07-01 02:19 . 2009-07-02 05:36 4734976 ------w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\piclens@cooliris.com-trash\libs\cooliris19.dll
2009-06-29 16:12 . 2006-03-15 11:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-03-15 11:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-03-15 11:00 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2009-08-04 04:35 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2009-08-04 04:35 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 20:07 . 2009-07-06 17:54 1004800 ------w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2009-08-04 04:36 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2009-08-04 04:35 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2009-08-04 04:35 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2009-08-04 04:36 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2009-08-04 04:35 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 18:42 . 2009-07-02 14:08 39424 ------w- c:\windows\system32\drivers\usbaapl.sys
2009-06-05 18:42 . 2009-07-02 14:08 2060288 ------w- c:\windows\system32\usbaaplrc.dll
2009-06-03 19:09 . 2009-08-04 04:35 1291264 ------w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 14:36 1008896 ------w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-09-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-09-06 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-09-06 94208]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 202032]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-02 1948440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-06 136600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-07-27 61952]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-7-2 3450608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-02 20:37 11952 ------w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/2/2009 4:37 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/2/2009 4:37 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2009 4:37 PM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2009 4:37 PM 298776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/6/2009 9:56 AM 24652]
.
Contents of the 'Scheduled Tasks' folder

2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://bcctoday.sunybroome.edu/cp/home/loginf
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - facebook.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\xxrmhapn.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-23 22:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-08-24 22:48
ComboFix-quarantined-files.txt 2009-08-24 02:48

Pre-Run: 91,521,671,168 bytes free
Post-Run: 92,464,025,600 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

345 --- E O F --- 2009-08-13 13:41

#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:57 AM

Posted 23 August 2009 - 10:14 PM

Hi michellew1221,

Did you just install Spyware Doctor? :thumbup2: You should not be installing or running any new programs while I am fixing your computer! It just makes my job more difficult.

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folder:
C:\Program Files\Viewpoint

***************

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.

Edited by SifuMike, 23 August 2009 - 10:19 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 michellew1221
  • Topic Starter
  • Members
  • 5 posts
  • Local time:10:57 AM

Posted 23 August 2009 - 11:39 PM

Again, thank you for your help. I uninstalled Viewpoint Media Player. The other 2 weren't on the Add/Remove list. The Program Files folder wasn't there either. I downloaded Spyware Doctor about 2 days ago; it wasn't used and was uninstalled before using ComboFix. Sorry!

Here is the report from Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, August 24, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 24, 2009 05:37:50
Records in database: 2682597
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 40044
Threats found: 5
Infected objects found: 7
Suspicious objects found: 0
Scan duration: 00:48:31


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\jnnmp1381.exe.vir Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1
C:\Qoobox\Quarantine\C\WINDOWS\kqph00568.exe.vir Infected: Trojan-Downloader.Win32.Small.kdj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACivssvtewux.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACixdqjbpjru.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmosoxtbqlm.dll.vir Infected: Trojan.Win32.Tdss.anrc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACuybigieisx.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wscsvc32.exe.vir Infected: not-a-virus:FraudTool.Win32.Agent.vz 1

Selected area has been scanned.

#6 SifuMike

Posted 24 August 2009 - 12:03 AM

Hi michellew1221,

Looks good! :thumbup2: Everything Kaspersky found was previously quarantined.
We will be removing those quarantined files shortly.

Please tell me how your computer is running.

We still have the program clean up to do.
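The check SifuMike applies in the post above (every Kaspersky hit sits under ComboFix's C:\Qoobox\Quarantine folder, so nothing is live on the system), written out as an added Python example; this is not code from the thread, from Kaspersky or from ComboFix. It assumes the "path Infected: name count" line layout shown in the report, and the single non-quarantined line in the sample is a constructed placeholder.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One finding line of a Kaspersky Online Scanner 7.0 report (format as seen
# in the thread's report): <path> Infected: <threat name> <threats count>
FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# ComboFix moves what it removes under this folder and appends ".vir" to the
# file name, so a detection here is a dead copy, not a running infection.
QUARANTINE_PREFIX = "C:\\Qoobox\\Quarantine\\"

# Sample input: the seven lines from the thread's Kaspersky report, plus one
# constructed line (placeholder path and threat name) that is NOT quarantined,
# to show how a live hit would be separated out.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\jnnmp1381.exe.vir Infected: not-a-virus:WebToolbar.Win32.TJ2.a 1
C:\Qoobox\Quarantine\C\WINDOWS\kqph00568.exe.vir Infected: Trojan-Downloader.Win32.Small.kdj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACivssvtewux.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACixdqjbpjru.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmosoxtbqlm.dll.vir Infected: Trojan.Win32.Tdss.anrc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACuybigieisx.dll.vir Infected: Packed.Win32.TDSS.y 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wscsvc32.exe.vir Infected: not-a-virus:FraudTool.Win32.Agent.vz 1
C:\WINDOWS\system32\PLACEHOLDER-live.dll Infected: Example.Placeholder.Threat 1

Selected area has been scanned.
"""


@dataclass(frozen=True)
class Finding:
    path: str
    threat: str
    count: int

    @property
    def quarantined(self) -> bool:
        # Case-insensitive: Windows paths are, and report casing varies.
        return self.path.lower().startswith(QUARANTINE_PREFIX.lower())

    @property
    def original_path(self) -> str:
        """Where the file lived before ComboFix moved it: strip the quarantine
        prefix and the .vir suffix, and turn "C\..." back into "C:\...".
        Unchanged for live (non-quarantined) hits."""
        if not self.quarantined:
            return self.path
        rest = self.path[len(QUARANTINE_PREFIX):]
        if rest.lower().endswith(".vir"):
            rest = rest[:-4]
        drive, sep, tail = rest.partition("\\")
        return f"{drive}:\\{tail}" if sep else rest


def parse_report(text: str) -> list[Finding]:
    """Extract Finding records; header, blank and summary lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["threat"], int(m["count"])))
    return findings


def triage(findings: list[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Split findings into (already quarantined, still live on disk)."""
    quarantined = [f for f in findings if f.quarantined]
    live = [f for f in findings if not f.quarantined]
    return quarantined, live


def threat_families(findings: list[Finding]) -> Counter:
    """Count detections per threat name; the repeated TDSS hits on the UAC*.dll
    files point to one rootkit family rather than several unrelated infections."""
    return Counter(f.threat for f in findings)


if __name__ == "__main__":
    q, live = triage(parse_report(SAMPLE_REPORT))
    print(f"quarantined: {len(q)}, live: {len(live)}")
    for f in live:
        print("needs action:", f.path, f.threat)
    for f in q:
        print("already removed from", f.original_path)
```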

#7 michellew1221

Posted 24 August 2009 - 12:11 AM

Right now it seems to be running great. I don't have any of the annoying pop-ups or notifications from the virus that I was dealing with before.
My system seems to be running just as it was before anything infected it. :thumbup2: I noticed Google was being redirected before, and that is no longer happening either. :)

#8 SifuMike

Posted 24 August 2009 - 12:22 AM

Hi michellew1221,

Sounds like we have you clean. :)

Now we will do the program clean up.

Uninstall ComboFix: go to Start > Run and type in ComboFix /u
Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, _OTM3), reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Please read and follow
How did I get infected?, With steps so it does not happen again!
as well as
'How to prevent Malware' by miekiemoes

If you want to improve speed/system performance after malware removal, take a look here: http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Now you are good to go! :thumbup2:

Edited by SifuMike, 24 August 2009 - 12:24 AM.


#9 michellew1221

Posted 24 August 2009 - 02:13 PM

Thank you, thank you, thank you! My laptop is running great. Thank you for your time and advice!

#10 SifuMike

Posted 24 August 2009 - 04:59 PM

You're most welcome. It's always nice to hear that someone appreciates the help we are giving. :thumbup2: