Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google search redirects & regedit, cmd won't run, AVG will not update


  • This topic is locked This topic is locked
114 replies to this topic

#1 pawilderness

pawilderness

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 06 March 2010 - 05:58 PM

First time post for help with malware, I searched my problem and this forum had a lot of posts with success. I tried as much as I could on my own with standard virus scanners. I hope I didn't mix and match too much.
I have used AVG on this pc for several years. Once I noticed I was unable to access or update AVG and I was getting redirected on google searches I tried these scanners:
ATF Cleaner, MBAM (quick and full system, safe mode and regular), SuperAntiSpyware (quick and full system, safe mode and regular), Trojan Remover and rmagent_en (recommended fix from AVG).

System:
Windows XP, Dell desktop, AVG 8.5 and IE 7.0

Problems:
google searches redirect
AVG has not updated since 2/17, when selcting update receive message 'access to server forbidden'
Cannot run regedit or cmd commands
Tried to run GMR exe and system freezes and I lose the desktop - have to reboot. (unable to attach the ark txt)



DDS (Ver_09-12-01.01) - NTFSx86
Run by Chase at 16:30:11.67 on Sat 03/06/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.652 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Security *disabled* {825036E0-9F94-4752-8789-8B92454AF49B}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
SVCHOST.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Chase\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZNxdm414CXUS&fl=0&ptb=W2mUQrlORd_yZFu7d7iVDQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://as.weatherstudio.com/dp/search?x=wKX1ILEOi+UdWpSlz2q9Dzn13Emww/YwbwL0QoyVdgceajRZXxbLG1bKUqoWm9MnE+Iq6VTimU/1FaIqqVK1qRgnLXqLH7RAsGs3oZ1pZX12b3ZtOqzXZcXwvUpGTwADWdcT8BP4c/0=
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
mURLSearchHooks: N/A: {d73f49b6-b51b-4d32-a3b7-bd04b8342f53} - c:\program files\morpheusbar\srchastt\1.bin\MBSRCAS.DLL
mURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: MorpheusToolbar BHO: {3f3714a1-89a4-46be-8af3-d0c9d1fb03f9} - c:\program files\morpheusbar\bar\1.bin\MORPHBAR.DLL
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Web assistant: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Morpheus Toolbar: {3f3714a9-89a4-46be-8af3-d0c9d1fb03f9} - c:\program files\morpheusbar\bar\1.bin\MORPHBAR.DLL
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - blank
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Aim6]
uRun: [Magentic] c:\progra~1\magentic\bin\Magentic.exe /c
uRun: [IncrediMail] c:\program files\incredimail\bin\IncMail.exe /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [combofix] c:\worksnow32089w\cf26733.cfxxe /c c:\worksnow32089w\Combobatch.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - hxxp://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/games/popcaploader_v6.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-21 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-21 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-21 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-5 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 297752]
R2 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton internet security\norton antivirus\navapsvc.exe [2003-8-17 158376]
R2 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20031015.009\NAVEX15.SYS [2007-8-15 539576]
R2 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2003-8-6 35008]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20031015.009\NAVENG.SYS [2007-8-15 67800]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2003-8-6 300736]
R3 SAVScan;SAVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2003-8-9 193816]
S0 Agja47;Agja47; [x]
S2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2003-10-20 218272]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664]
S2 v7ksewii;Print Spooler Service;c:\windows\system32\ztdcemqks.exe /service --> c:\windows\system32\ztdcemqks.exe [?]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\CCPWDSVC.EXE [2003-10-20 87664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-2-26 38224]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-1-19 11520]
S4 WinDefend;Windows Defender Service;c:\program files\windows defender\MsMpEng.exe [2006-4-3 14032]

=============== Created Last 30 ================

2010-03-06 21:27:04 0 ----a-w- c:\documents and settings\chase\defogger_reenable
2010-03-02 02:13:17 1982 ----a-w- c:\windows\system32\tmp.reg
2010-02-27 01:46:01 0 d-sha-r- C:\cmdcons
2010-02-27 01:44:35 98816 ----a-w- c:\windows\sed.exe
2010-02-27 01:44:35 77312 ----a-w- c:\windows\MBR.exe
2010-02-27 01:44:35 261632 ----a-w- c:\windows\PEV.exe
2010-02-27 01:44:35 161792 ----a-w- c:\windows\SWREG.exe
2010-02-27 01:44:22 0 d-s---w- C:\worksnow32089w
2010-02-27 01:42:15 0 d-s---w- C:\worksnow
2010-02-27 01:42:14 388608 ----a-w- c:\windows\system32\CF16555.exe
2010-02-27 01:00:35 0 d-----w- c:\program files\Trend Micro
2010-02-26 17:45:59 0 d-----w- c:\docume~1\chase\applic~1\Malwarebytes
2010-02-26 17:45:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-26 17:45:49 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-26 17:45:48 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-26 17:45:48 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-26 16:55:32 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-02-26 15:23:51 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-26 15:23:31 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-26 15:23:31 0 d-----w- c:\docume~1\chase\applic~1\SUPERAntiSpyware.com
2010-02-26 14:57:05 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-02-26 14:57:05 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-02-26 14:57:05 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-02-26 14:57:05 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-02-26 14:57:05 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-02-26 14:57:02 0 d-----w- c:\program files\Trojan Remover
2010-02-26 14:57:02 0 d-----w- c:\docume~1\chase\applic~1\Simply Super Software
2010-02-26 14:57:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-02-26 14:42:10 0 d-----w- c:\docume~1\chase\applic~1\AVG8
2010-02-26 01:24:13 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-25 06:28:21 0 d-----w- C:\AVGTemp

==================== Find3M ====================

2010-02-03 00:43:05 48840 ----a-w- c:\docume~1\chase\applic~1\GDIPFONTCACHEV1.DAT
2009-12-31 16:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-18 13:05:43 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-12-18 13:04:09 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 12:58:04 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:35:35 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 18:55:25 2180352 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 18:53:08 2136064 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:53:08 2136064 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:19:32 2057728 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 18:19:32 2015744 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:19:32 2015744 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 08:59:48 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2004-11-03 23:00:24 848 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 16:31:51.18 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:36 AM

Posted 09 March 2010 - 06:51 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 pawilderness

pawilderness
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 10 March 2010 - 12:06 AM

myrti,
Thanks for your reply.
I uploaded Extras and OTL txt files.
As far as any changes since posting problem;
I downloaded service pack 3 for XP yesterday. I believed the AVG still scans on schedule, just it is unable to update.
Everyday I tried to self help by running scans with Malwarebytes and SuperAnti Spyware just to keep the system stable, but it is fragile and freezes, so I have a good laptop next to the desktop to refer to your posts.

Avg is still blocked or unable to access the server for updates.
Google searches randomly redirect.
System will freeze periodically.
When trying to run regedit, nothing happens.

Attached Files



#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:36 AM

Posted 10 March 2010 - 08:47 AM

Hi,

please run a scan with gmer next:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#5 pawilderness

pawilderness
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 10 March 2010 - 10:29 PM

Ok, here's the latest..

Unable to post gmer.log for your review, could not get gmer to finish.
Downloaded random gmer from Main Mirror.
Disconnected from internet, and turned off resident shield on AVG 8.5.
GMER exe runs after clicking scan button, but reboots system after 5 minutes into scan.
Tried to run gmer in safe mode, and lost desktop after about 5 minutes into scan and system went into a reboot cycle on and off. Hard booted, enabled shield and reconnected to internet to post.

Update on system operation; When switching users, log off and select different account system will freeze (black screen)and needs rebooted.



#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:36 AM

Posted 11 March 2010 - 12:51 PM

Hi,

please uncheck the devices option in gmer and try to run it once more. If that doesn't work we will use different tools.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#7 pawilderness

pawilderness
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 11 March 2010 - 08:30 PM

hi myrti,
It was scary, but I made it back.

Disconnected from internet, Disabled resident shield AVG, ran gmer, unchecked devices.

Ten minutes into scan, got a blue screen with white text. part of message is below;
A problem has been detected and windows has been shut down to prevent damage to your computer.
....
....
Beginning dump of physical memeory...

Rebooted into safe mode, tried gmer again and unchecked devices, stopped or froze a minute into scan, couldn't get anything to happen, lost desktop, hard booted

microsoft error/message window 'system has recovered from a serious error', didn't send report,
turned internet back on to post.

lets try another tool smile.gif

#8 pawilderness

pawilderness
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 11 March 2010 - 09:36 PM

FYI update.
After posting while still online a simple google search started various pop ups and alerts. I couldn't stop them and didn't want to click on anything, so I rebooted into safe mode. Noticed Anti Virus Plus on desktop so I ran MBAM quick scan and had 14 hits.
rogue.antivirusplus
trojan.fake alert
trojan.dropper
...removed and probably stay offline and use my laptop for now.
-will wait on your suggestion, thanks


#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:36 AM

Posted 12 March 2010 - 09:30 AM

Hi,

hmm, I seem to have no luck with gmer lately. dry.gif
Please run a scan with rootrepeal instead:
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract the contents of RootRepeal.zip, to your desktop.
  • Double click on your desktop.
  • Click on the report tab, then click scan
  • Check all seven boxes:
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • Click Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, Click the Save Report button. Save the log as RootRepeal.txt and post it in your next reply.

Please also run a scan with mbr:
Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 pawilderness

pawilderness
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 13 March 2010 - 03:49 AM

Here's the latest,

Attached RootRepeal.txt and copy and paste mbr.log

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK

Attached Files



#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:36 AM

Posted 13 March 2010 - 07:29 AM

Hi,

please run a scan with ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#12 pawilderness

pawilderness
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 13 March 2010 - 09:30 AM

good morning - that was easy.

ComboFix.txt attached.

Attached Files



#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:36 AM

Posted 13 March 2010 - 02:47 PM

Hi,

your logs show two anti virus programs to be installed:
I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either AVG or Symantec.

We need to remove a couple of leftovers:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\windows\system32\ztdcemqks.exe
Driver::
Agja47
v7ksewii


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti

Edited by myrti, 13 March 2010 - 02:47 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#14 pawilderness

pawilderness
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Local time:02:36 AM

Posted 13 March 2010 - 07:42 PM

Thanks for the advice on dual antivirus.
Symantec came with Dell, Once expired I tried to remove by uninstall years ago when I added AVG.

removed symantec/norton
add/remove stated last used 2007
kept stopping during uninstall but I kept hitting ignore and appeared to work its way through

disconnected from internet, disabled avg8 resident shield added CFScript to Combofix
first time got message Combo will have to reboot windows and ended with empty desktop and no function-
rebooted, created new CFScript.txt tried again, and worked fine.
here's the ComboFix.txt
thanks

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:36 AM

Posted 14 March 2010 - 05:18 AM

Hi,

you forgot to copy the log into your last reply. wink.gif Please post it into your next reply.
Please click HERE and follow the instructions in STEP 3 to download and run the norton removal tool.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users