
AVG detects several programs as virus infection


5 replies to this topic

#1 fritizilog

fritizilog

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:17 PM

Posted 13 May 2011 - 12:37 PM

Hi everyone!

I'm helping my cousin fix his computer problem using LogMeIn. AVG detects programs as infection and he can't do anything as AVG continues to pop up during normal mode. I already ran a scan using malwarebytes and SuperAntiSpyware but no luck. Hope you can help me and my cousin.

Thanks in advance.

.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Administrator at 9:38:42.39 on Fri 05/13/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.329 [GMT -7:00]
.
AV: AVG Internet Security 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LMIR0001.tmp\LMI_Rescue_srv.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LMIR0001.tmp\LMI_Rescue.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\LMIR0001.tmp\LMI_Rescue_srv.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msn.com
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\ijtyenwe\qpllongu.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [DLCXCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCXtime.dll,_RunDLLEntry@16
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\y2m6neos.default\
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Search Helper Extension: {27182e60-b5f3-411c-b545-b44205977502} - c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\SearchHelperExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg10\Firefox
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R2 LMIRescue_42b593a8-b17b-4aa6-8d5a-3464872feddb;LogMeIn Rescue (42b593a8-b17b-4aa6-8d5a-3464872feddb);c:\docume~1\admini~1\locals~1\temp\lmir0001.tmp\LMI_Rescue_srv.exe [2011-5-13 2482552]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 avgfws;AVG Firewall;c:\program files\avg\avg10\avgfws.exe [2011-3-9 2708024]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
S2 dlcx_device;dlcx_device;c:\windows\system32\dlcxcoms.exe -service --> c:\windows\system32\dlcxcoms.exe -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-27 136176]
S2 LMIRescue_fe95a062-26e5-4dc9-9ede-a4e44a607139;LogMeIn Rescue (fe95a062-26e5-4dc9-9ede-a4e44a607139);c:\docume~1\admini~1\locals~1\temp\lmir0001.tmp\LMI_Rescue_srv.exe [2011-5-13 2482552]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-7-12 30432]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
.
=============== Created Last 30 ================
.
2011-05-13 15:20:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-05-13 15:20:48 -------- d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2011-05-13 15:20:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-13 14:54:17 -------- d-----w- c:\windows\system32\LogFiles
2011-05-13 13:40:26 -------- d-----w- c:\windows\system32\drivers\AVG
2011-05-13 13:40:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
2011-05-12 19:13:07 -------- d-sha-r- C:\cmdcons
2011-05-12 19:09:43 98816 ----a-w- c:\windows\sed.exe
2011-05-12 19:09:43 89088 ----a-w- c:\windows\MBR.exe
2011-05-12 19:09:43 256512 ----a-w- c:\windows\PEV.exe
2011-05-12 17:52:04 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-05-12 17:51:06 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-05-12 17:46:55 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-05-12 16:46:52 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2011-05-12 16:46:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-12 16:46:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-05-12 16:46:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-12 16:46:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-12 15:23:42 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Mozilla
2011-05-12 13:01:35 -------- d-----w- c:\windows\pss
2011-04-15 04:28:42 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
.
==================== Find3M ====================
.
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
.
============= FINISH: 9:39:43.54 ===============

Attached File: Attach.txt (14.09KB, 0 downloads)
Attached File: DDS.txt (9.57KB, 0 downloads)
Attached File: gmer.txt (55KB, 4 downloads)

EDIT: Please be patient. There are over 290 unanswered topics in this forum at present and the current average wait time to receive help is 9 days. ~Budapest

Edited by Budapest, 15 May 2011 - 04:18 PM.



#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:17 AM

Posted 22 May 2011 - 05:46 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.


Regards,
Georgi :hello:



#3 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:17 AM

Posted 26 May 2011 - 05:34 AM

Hi fritizilog,



It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 48 hours.



Regards,
Georgi



#4 fritizilog

fritizilog
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:02:17 PM

Posted 26 May 2011 - 07:01 AM

Sorry I already fixed the problem. Thanks!

#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:17 AM

Posted 26 May 2011 - 07:22 AM

Sorry I already fixed the problem. Thanks!



Ok thanks for letting me know.
Btw your logs indicated a RAMNIT infection

c:\program files\ijtyenwe\qpllongu.exe



Just in case I'll give you my recommendations:



My advice is to do a format of all partitions (except the recovery one if you have one) and then to reinstall Windows from scratch.

This infection can spread very easily so if backup or other drives are infected, when reconnected they will start the whole process over again.

You should only back up your data such as pictures, music, documents.

Do not back up any system files or installers as they may be infected. <-- Important :exclame:





:step1: When you rebuild the system, install an antivirus software and make sure it is turned on and up-to-date.

New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection against malicious software.

Note:
You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may very well decrease the overall protection as well as impair the performance of your PC.





:step2: Also be sure that you re-download all drivers and software you need from their website after the wipe. Do not use old installers. They are probably infected.




:step3: Finally, do not forget to disable the Autoplay feature in Windows to avoid future problems.


You can use Flash_Disinfector as described below:


Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.



Some programs may recognize it as malware - this is a false positive alarm.



:step4: Also I highly recommend that you use Mozilla Firefox + NoScript add-ons to disable the dangerous iframes and JavaScript fragments used by Virut/Sality/Ramnit/Parite and the other polymorphic threats.


Keep in mind that the iframes and JavaScript objects are not always malicious. Some web sites will still need them to visualize the web content properly.





:step5: Don't use pirated software !!

Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications.

Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems, so my advice is:

Stay away from them!



:step6:



Check suspicious files on VirusTotal before running them on your own computer.
Run untrusted programs inside BufferZone or Sandboxie to avoid an infection.



This is an absolutely massive amount of work to be done there but this is the only safe way.



I suggest you take a look here:
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html



Regards,
Georgi

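Two of the points in the reply above can be turned into repeatable checks: the Winlogon Userinit value in the DDS log should contain only userinit.exe (the extra path chained after it is what the responder identified as the Ramnit entry), and a drive root is protected against a dropped autorun.inf file when a directory already occupies that name (the Flash_Disinfector approach). The script below is an added example for this page, not code from the original posts, from DDS, or from Flash_Disinfector. The function names are the example's own; the Userinit line in the constructed sample is copied from the log posted above, and the autorun.inf check is exercised against throwaway temporary directories rather than real drives.

```python
"""Triage helpers for the two indicators discussed in this thread.

Added example for this page; not code from the original posts, DDS or
Flash_Disinfector. Function names are the example's own.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample: the Winlogon line is copied from the DDS log posted
# above; the surrounding lines are a trimmed imitation of a DDS report.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\WINDOWS\Explorer.EXE
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.msn.com
mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\ijtyenwe\qpllongu.exe
"""

# The only value Windows XP needs in Userinit; anything else is a chained
# program that runs at every interactive logon.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"


def userinit_entries(log_text):
    """Return the comma-separated paths from the mWinlogon/uWinlogon Userinit line."""
    m = re.search(r"^[mu]Winlogon:\s*Userinit=(.*)$", log_text,
                  re.MULTILINE | re.IGNORECASE)
    if not m:
        return []
    # DDS prints the raw registry value; empty fields (the ',,' in the sample)
    # are left over from how the extra entry was appended and are dropped.
    return [part.strip() for part in m.group(1).split(",") if part.strip()]


def unexpected_userinit(log_text):
    """Entries other than the stock userinit.exe. A non-empty result is a
    logon persistence entry to investigate (the one in this thread was
    attributed to Ramnit by the responder)."""
    return [p for p in userinit_entries(log_text) if p.lower() != STOCK_USERINIT]


def autorun_inf_state(drive_root):
    """Classify what occupies the autorun.inf name at a drive root.

    'protected' - a directory holds the name (Flash_Disinfector's approach),
                  so a malicious autorun.inf file cannot be written there
    'file'      - an autorun.inf file exists; inspect it before trusting the drive
    'absent'    - nothing of that name
    """
    p = Path(drive_root) / "autorun.inf"
    if p.is_dir():
        return "protected"
    if p.is_file():
        return "file"
    return "absent"


def demo_autorun_states():
    """Build three throwaway 'drive roots' and classify each, so the check can
    be exercised without a real removable drive."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        empty = Path(base) / "empty"
        empty.mkdir()
        protected = Path(base) / "protected"
        (protected / "autorun.inf").mkdir(parents=True)
        suspect = Path(base) / "suspect"
        suspect.mkdir()
        # Constructed placeholder content; only the file's presence matters here.
        (suspect / "autorun.inf").write_text("[autorun]\n; placeholder\n")
        for name, root in (("empty", empty), ("protected", protected), ("suspect", suspect)):
            results[name] = autorun_inf_state(root)
    return results


if __name__ == "__main__":
    print("Userinit entries:", userinit_entries(SAMPLE_DDS))
    print("Unexpected Userinit entries:", unexpected_userinit(SAMPLE_DDS))
    print("autorun.inf states:", demo_autorun_states())
```

Run it against a saved DDS.txt by reading the file into `unexpected_userinit`; an empty list is the expected result on a clean system. `autorun_inf_state` can be pointed at a real drive root (for example `E:\`) after the Flash_Disinfector step to confirm the protective directory is in place, which is also why AV products that only look at the name may flag it, as the post notes.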


#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:17 AM

Posted 29 May 2011 - 09:01 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





