
Rootkit like activity and AVG 2011


  • This topic is locked
10 replies to this topic

#1 lxer96

lxer96

  • Members
  • 56 posts
  • OFFLINE
  • Local time:05:37 AM

Posted 14 July 2011 - 06:53 PM

Hello,
My computer was having search redirect and hidden file issues, which now seem to be fixed after running through a barrage of tools with Broni in the I'm infected forum; he recommended that I come here to get help. There was a GMER entry stating rootkit-like activity and I have not been able to remove AVG 2011. The original post is here: My link

DDS (Ver_2011-07-14.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Joey at 17:22:45 on 2011-07-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.194 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: AVG Firewall *Disabled*
.
============== Running Processes ================
.
\??\C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
\??\C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
BHO: AcroIEHlprObj Class: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Ssobijudu] rundll32.exe "c:\windows\mapft20.dll",Startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\printk~1.lnk - c:\program files\printkey2000\Printkey2000.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1286755290072
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 68.87.68.166 68.87.74.166
TCP: Interfaces\{A3E34F8B-8A3B-4793-946B-20B45B4A7396} : DHCPNameServer = 68.87.68.166 68.87.74.166
Handler: ipp - <Clsid value has no data>
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: msdaipp - <Clsid value has no data>
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\program files\outlook express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\program files\outlook express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
IFEO: Your Image File Name Here without a path - ntsd -d
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-7-1 11608]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-7-1 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-7-1 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-7-1 66616]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-1-6 6128720]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-13 39984]
S4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriver.sys --> c:\windows\system32\drivers\AVGIDSDriver.Sys [?]
S4 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\avgidseh.sys --> c:\windows\system32\drivers\AVGIDSEH.Sys [?]
S4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilter.sys --> c:\windows\system32\drivers\AVGIDSFilter.Sys [?]
S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]
.
=============== Created Last 30 ================
.
2011-07-14 00:51:19 -------- d-----w- c:\documents and settings\joey\application data\Malwarebytes
2011-07-14 00:50:52 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-14 00:50:50 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-14 00:50:39 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-14 00:50:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-06 23:58:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-06 23:58:49 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-07-01 23:33:44 -------- d-----w- c:\documents and settings\joey\application data\Avira
2011-07-01 23:29:50 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-01 23:29:22 -------- d-----w- c:\program files\Avira
2011-07-01 23:29:22 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-07-01 23:12:52 -------- d-----w- c:\windows\SxsCaPendDel
2011-07-01 22:42:16 -------- d-----w- c:\program files\CCleaner
2011-07-01 19:53:43 -------- d-----w- C:\225f14f7021b5b64ea094e
2011-06-30 02:13:49 -------- d-----w- C:\$AVG
2011-06-29 22:18:17 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-06-29 22:18:17 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-28 22:31:48 105472 ------w- c:\windows\system32\dllcache\mup.sys
.
==================== Find3M ====================
.
2011-07-13 23:19:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 14:11:12 11081728 ----a-w- c:\windows\system32\ieframe(2)(2).dll
2011-04-26 11:07:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07:50 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet(2)(2).dll
2011-04-25 16:11:12 1211904 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1991680 ----a-w- c:\windows\system32\iertutil(2)(2).dll
2011-04-25 16:11:11 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
c:\windows\system32\drivers\iaStor.sys Intel Corporation Intel Matrix Storage Manager driver
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x82DD08C8]
3 CLASSPNP[0xF8595FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000084[0x82D6C300]
5 ACPI[0xF840C620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IAAStorageDevice-0[0x82DD1030]
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x7a; }
user != kernel MBR !!!
.
============= FINISH: 17:24:06.35 ===============
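An added example (not part of the thread and not code from DDS or GMER): a small Python triage script for the two DDS sections that matter most in this log. It parses the SERVICES / DRIVERS list and flags entries DDS prints as `<path> --> <path> [?]`, read here as a driver still registered in the service database whose binary could not be found (the typical residue of an uninstall that did not finish), and it interprets the ROOTKIT block, where GMER compares a user-mode read of the MBR with a kernel-mode read. The sample log is constructed from lines shaped like the ones above; the regexes, the start-type mapping and the rule that a mismatch reported after a failed user-mode read counts as inconclusive are assumptions of this example, not documented DDS or GMER behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the DDS log format (not the poster's full log).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-7-1 11608]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys --> c:\windows\system32\drivers\avgrkx86.sys [?]
S4 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
.
============= FINISH: 17:24:06.35 ===============
"""

# Windows service start types; DDS prints the digit after R (running) / S (stopped).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

SECTION_RE = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)


@dataclass
class ServiceEntry:
    name: str
    display: str
    path: str
    running: bool
    start_type: str
    file_missing: bool  # True when DDS wrote "<path> --> <path> [?]" for this entry


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group log lines under their '===== TITLE =====' header; '.' spacer lines are dropped."""
    sections: Dict[str, List[str]] = {}
    current = "HEADER"
    for line in log.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("title")
            sections.setdefault(current, [])
        elif line.strip() and line.strip() != ".":
            sections.setdefault(current, []).append(line)
    return sections


def parse_services(lines: List[str]) -> List[ServiceEntry]:
    entries: List[ServiceEntry] = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        missing = rest.endswith("[?]") and " --> " in rest
        # Present files carry a trailing "[date size]"; missing ones repeat the path after "-->".
        path = rest.split(" --> ")[0] if missing else rest.rsplit(" [", 1)[0]
        entries.append(ServiceEntry(
            name=m.group("name"), display=m.group("display"), path=path,
            running=m.group("state") == "R",
            start_type=START_TYPES.get(m.group("start"), "unknown"),
            file_missing=missing))
    return entries


def orphaned_drivers(entries: List[ServiceEntry]) -> List[str]:
    """Service names still registered although their binary is gone."""
    return [e.name for e in entries if e.file_missing]


def classify_mbr_check(lines: List[str]) -> str:
    """Interpret GMER's user-mode vs kernel-mode MBR comparison.

    The comparison only carries weight when both reads succeeded. Treating a
    failed user-mode read (disk locked by another process) as 'inconclusive'
    is this example's rule, not GMER's own logic.
    """
    user_ok: Optional[bool] = None
    kernel_ok: Optional[bool] = None
    flagged = False
    for line in lines:
        if line.startswith("user:"):
            user_ok = "successfully" in line
        elif line.startswith("kernel:"):
            kernel_ok = "successfully" in line
        elif "user != kernel MBR" in line:
            flagged = True
    if user_ok is None or kernel_ok is None:
        return "no-mbr-check"
    if flagged and user_ok and kernel_ok:
        return "mismatch"      # both reads worked and differ: inspect the boot sector
    if flagged:
        return "inconclusive"  # one read failed; rerun with the locking software disabled
    return "match"


def triage(log: str) -> Dict[str, object]:
    sections = split_sections(log)
    services = parse_services(sections.get("SERVICES / DRIVERS", []))
    return {
        "orphaned_drivers": orphaned_drivers(services),
        "running_count": sum(1 for s in services if s.running),
        "mbr_check": classify_mbr_check(sections.get("ROOTKIT", [])),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the constructed sample the script reports the two AVG drivers as orphaned and the MBR check as inconclusive, which is the state the log above shows: the user-mode CreateFile on the physical drive was refused, so the "user != kernel" line cannot by itself tell a boot-sector hook from a locked disk.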


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:37 AM

Posted 15 July 2011 - 05:21 PM

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

Open notepad and copy/paste the text inside the codebox below into it:

REGISTRY::
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayRSAlert]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanFinished]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanFinishedThreatFound]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayScanStarted]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdEnd]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdEndFail]
[-HKEY_CURRENT_USER\AppEvents\EventLabels\avgtrayUpdStart]
[-HKEY_CURRENT_USER\AppEvents\Schemes\Apps\avgtray]
[-HKEY_CURRENT_USER\Software\Avg]
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\.avgdx]
[-HKEY_CLASSES_ROOT\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A3E}]
[-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_CLASSES_ROOT\CLSID\{41B21542-2055-4212-A6F2-395CD109B14B}]
[-HKEY_CLASSES_ROOT\CLSID\{50A96677-4378-434d-9F4B-6B28B485933F}]
[-HKEY_CLASSES_ROOT\CLSID\{6F59E522-4689-156E-316C-D5B48819DE95}]
[-HKEY_CLASSES_ROOT\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}]
[-HKEY_CLASSES_ROOT\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}]
[-HKEY_CLASSES_ROOT\CLSID\{EF0BB4CD-81FA-48AF-99B3-AB6C1F079BEC}]
[-HKEY_CLASSES_ROOT\CLSID\{F1FE4608-7924-4908-8E12-81CFA206F00A}]
[-HKEY_CLASSES_ROOT\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\Installer\Features\36E852A15FD8BDA48923830A21D156BE]
[-HKEY_CLASSES_ROOT\Installer\Features\69BC3230A1222404483A39DE4E0799CF]
[-HKEY_CLASSES_ROOT\Installer\Features\CFD2C1F142D260E3CB8B271543DA9F98]
[-HKEY_CLASSES_ROOT\Installer\Products\36E852A15FD8BDA48923830A21D156BE]
[-HKEY_CLASSES_ROOT\Installer\Products\69BC3230A1222404483A39DE4E0799CF]
[-HKEY_CLASSES_ROOT\Installer\Products\CFD2C1F142D260E3CB8B271543DA9F98]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\06DD9E4F7F3FF9C41BC2BD64A2CE18FE]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\38F747DBDC97B4E459142E21199F9D10]
[-HKEY_CLASSES_ROOT\Installer\UpgradeCodes\41A387AA3A7A33D3590FA953D1350011]
[-HKEY_CLASSES_ROOT\LinkScannerIE.NavFilter]
[-HKEY_CLASSES_ROOT\LinkScannerIE.NavFilter.1]
[-HKEY_CLASSES_ROOT\MicroScanner.MicroScanner]
[-HKEY_CLASSES_ROOT\piffile\shellex\ContextMenuHandlers\AVG9 Shell Extension]
[-HKEY_CLASSES_ROOT\PROTOCOLS\Handler\linkscanner]
[-HKEY_LOCAL_MACHINE\SOFTWARE\AVG]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DevDiv\VC]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AVGSE.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0323CB96-221A-4042-84A3-93EDE47099FC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1A258E63-8DF5-4ADB-9832-38A0121D65EB}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlwaysUnloadDll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG]
DRIVER::
Avg
AVGIDSAgent
AVGIDSDriver
AVGIDSEH
AVGIDSFilter
AVGIDSShim
Avgldx86
Avgmfx86
Avgrkx86
Avgtdix
avgwd
FOLDER::
%SYSTEMDRIVE%\$AVG
%COMMONAPPDATA%\AVG10
%COMMONAPPDATA%\MFAData
%COMMONPROGRAMS%\AVG 2011
%APPDATA%\AVG10
%PROGRAMFILES%\AVG
%SYSTEM%\drivers\AVG
File::
%COMMONAPPDATA%\Common Files\6F59E522-4689-156E-316C-D5B48819DE95.dat
%COMMONDESKTOP%\AVG 2011.lnk
%SYSTEM%\drivers\AVGIDSDriver.sys
%SYSTEM%\drivers\AVGIDSEH.sys
%SYSTEM%\drivers\AVGIDSFilter.sys
%SYSTEM%\drivers\AVGIDSShim.sys
%SYSTEM%\drivers\avgldx86.sys
%SYSTEM%\drivers\avgmfx86.sys
%SYSTEM%\drivers\avgrkx86.sys
%SYSTEM%\drivers\avgtdix.sys

Save this as CFScript_AVG2011.txt

Posted Image
  • Referring to the screenshot above, drag CFScript_AVG2011.txt into ComboFix.exe.


    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 lxer96

lxer96
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  • Local time:05:37 AM

Posted 15 July 2011 - 08:37 PM

I get to the part where you drag the txt file into the ComboFix icon and my computer goes beep beep and says that I am about to use ComboFix to remove AVG 2011 with brute force, click yes to continue or no to cancel, but there is only an OK button. I click on OK and it says it is dangerous to run ComboFix with AVG installed. This is due to ComboFix's files/processes. It would be dangerous to continue. Please uninstall AVG or use another tool.

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:37 AM

Posted 15 July 2011 - 08:44 PM

OK

Try the removal tool:

After uninstalling AVG from the Control Panel, also run the AVG remover from their site.

http://www.avg.com/us-en/download-tools

You may also use this tool to uninstall AVG:
http://www.appremover.com/get/appremover.exe

Instructions:
http://www.appremover.com/about/using-appremover.html

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 lxer96

lxer96
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  • Local time:05:37 AM

Posted 15 July 2011 - 09:16 PM

Trying to remove the program in the Control Panel does absolutely nothing, and the AppRemover tool does not detect it as a full security program or a failed uninstall.

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:06:37 AM

Posted 15 July 2011 - 09:19 PM

OK, then proceed with running ComboFix, I'll remove it entirely with a script afterwards

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 lxer96

lxer96
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  • Local time:05:37 AM

Posted 15 July 2011 - 10:03 PM

AVG removal tool seemed to work. I ran combofix also. It seems to run better now.

ComboFix 11-07-15.03 - Joey 07/15/2011 22:35:47.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.282 [GMT -4:00]
Running from: c:\documents and settings\Joey\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joey\Desktop\CFScript_AVG2011.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
FILE ::
"c:\documents and settings\All Users\Application Data\Common Files\6F59E522-4689-156E-316C-D5B48819DE95.dat"
"c:\documents and settings\All Users\Desktop\AVG 2011.lnk"
"c:\windows\system32\drivers\AVGIDSDriver.sys"
"c:\windows\system32\drivers\AVGIDSEH.sys"
"c:\windows\system32\drivers\AVGIDSFilter.sys"
"c:\windows\system32\drivers\AVGIDSShim.sys"
"c:\windows\system32\drivers\avgldx86.sys"
"c:\windows\system32\drivers\avgmfx86.sys"
"c:\windows\system32\drivers\avgrkx86.sys"
"c:\windows\system32\drivers\avgtdix.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\$AVG
c:\documents and settings\All Users\Application Data\MFAData
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20101026-172637.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20101026-172715.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20101124-225937.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20101124-230507.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110212-151939.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110302-000833.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110629-003021.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110629-014902.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110629-021026.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110701-221654.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110701-222221.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110701-225221.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110701-230718.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110702-120544.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110714-031406.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110716-014642.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110716-021303.log
c:\documents and settings\All Users\Application Data\MFAData\logs\mfa-20110716-021853.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20101026-172715.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20101124-225937.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20101124-230507.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110212-151939.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110302-000833.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110629-003021.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110629-014902.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110629-021026.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110701-221654.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110701-225221.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110701-230718.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110702-120544.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110714-031406.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110716-014642.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110716-021303.log
c:\documents and settings\All Users\Application Data\MFAData\logs\msi-20110716-021853.log
c:\documents and settings\All Users\Application Data\MFAData\mfaurlconf.ini
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_LinkScanner.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_Smart-Scanning.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Installation-Page_Social-Networking.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\hi\Toolbar_wotoolbar.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\LinkScanner-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\LinkScanner.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Smart-Scanning.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\SmartScanning-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Social-Networking.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\SocialNetworking-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Toolbar-Selected.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\Toolbar-Unselected.jpg
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\ToolbarSelected-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\res\ToolbarUnselected-style.css
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_LinkScanner.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_Smart-Scanning.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Installation-Page_Social-Networking.html
c:\documents and settings\All Users\Application Data\MFAData\mkt\us\Toolbar_wotoolbar.html
c:\documents and settings\All Users\Application Data\MFAData\pack\avg10infoavi.ctf
c:\documents and settings\All Users\Application Data\MFAData\pack\avg10infooi.ctf
c:\documents and settings\All Users\Application Data\MFAData\pack\avg10infowin.ctf
c:\documents and settings\All Users\Application Data\MFAData\pack\Avgx86.msi
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\f10avgx1152lu.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_lic8dn.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\foi10cnet_mis7be.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\poi10avgcom_lic8bc.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\poi10avgcom_mis36rg.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10alertmgx1152bb.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10alertmgx1388ru.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10antirkx1152hy.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10antirkx1388qr.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10antispmx1152fu.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10antispmx1388yl.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10antivirx1152gl.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10antivirx1388hj.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10aspamdbx1152ic.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10aspamdbx1388yn.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10avgx1388ah.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10avisx1152ja.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10avisx1388eg.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10basex1152bz.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10basex1388lj.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10corex1516ro.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10corex424re.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10emailsx1152qd.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10emailsx1388sb.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10fwx1152yz.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10fwx1388gl.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10guix1152rq.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10guix1388zp.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10idatx1152mr.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10idatx1388rg.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10idpx1152ca.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10idpx1388uh.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10ifwx1152hj.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10ifwx1388ry.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10lng_usx1152gw.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10lng_usx1388nr.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10onlnscx1152ns.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10onlnscx1388sb.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10resshldx1152pj.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10resshldx1388oy.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10srchsrfx1152qy.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10srchsrfx1388ws.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10sshttpbx1152xp.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10sshttpbx1388ur.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10systoolx1152tr.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10systoolx1388hm.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10tdidrvx1152le.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10tdidrvx1388xw.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10tuneupx1152um.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10tuneupx1388uy.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10update2x1152jr.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10update2x1388qs.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10updatex1152tj.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10updatex1388nq.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10xplx1152cu.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\bins\w10xplx1388tf.bin
c:\documents and settings\All Users\Application Data\MFAData\pack\default_mis.mdf
c:\documents and settings\All Users\Application Data\MFAData\pack\default_mps.mdf
c:\documents and settings\All Users\Application Data\MFAData\pack\lic.mdf
c:\documents and settings\All Users\Application Data\MFAData\public_installation_log.xml
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\avgatend.stp
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\avgatupd.stp
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\avgmfapx.exe
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\avgmfarx.dll
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\avgntdumpx.exe
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\avgrunasx.exe
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\avgupd.sig
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\avgupdx.dll
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\bins\f10mfa1152ux.bin
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\bins\f10upd1152mp.bin
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\htmlayout.dll
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_cz.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_da.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_es.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_fr.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_ge.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_hu.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_id.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_in.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_it.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_jp.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_ko.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_ms.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_nl.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_pb.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_pl.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_pt.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_ru.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_sc.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_sk.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_sp.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_tr.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_us.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_zh.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\license_zt.htm
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfaconf.txt
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfacz.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfada.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfaes.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfafr.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfage.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfahu.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfaid.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfain.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfait.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfajp.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfako.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfams.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfanl.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfapb.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfapl.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfapt.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfaru.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfasc.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfask.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfasp.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfatr.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfaus.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfavera.txt
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfaverx.txt
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfazh.lns
c:\documents and settings\All Users\Application Data\MFAData\SelfUpd\mfazt.lns
c:\documents and settings\All Users\Application Data\MFAData\state.dat
c:\documents and settings\Joey\Application Data\AVG10
c:\documents and settings\Joey\Application Data\AVG10\cfgall\usergui.cfg
c:\documents and settings\Joey\Application Data\PriceGong
c:\documents and settings\Joey\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Joey\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Joey\Local Settings\Application Data\{8148EFC9-BEEA-419A-9D85-EDE19ABA76A8}
c:\documents and settings\Joey\Local Settings\Application Data\{8148EFC9-BEEA-419A-9D85-EDE19ABA76A8}\chrome.manifest
c:\documents and settings\Joey\Local Settings\Application Data\{8148EFC9-BEEA-419A-9D85-EDE19ABA76A8}\chrome\content\_cfg.js
c:\documents and settings\Joey\Local Settings\Application Data\{8148EFC9-BEEA-419A-9D85-EDE19ABA76A8}\chrome\content\overlay.xul
c:\documents and settings\Joey\Local Settings\Application Data\{8148EFC9-BEEA-419A-9D85-EDE19ABA76A8}\install.rdf
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AVGIDSDRIVER
-------\Legacy_AVGIDSEH
-------\Legacy_AVGIDSFILTER
-------\Legacy_AVGIDSSHIM
-------\Legacy_AVGLDX86
-------\Legacy_AVGTDIX
-------\Service_AVGIDSShim
.
.
((((((((((((((((((((((((( Files Created from 2011-06-16 to 2011-07-16 )))))))))))))))))))))))))))))))
.
.
2011-07-14 00:51 . 2011-07-14 00:51 -------- d-----w- c:\documents and settings\Joey\Application Data\Malwarebytes
2011-07-14 00:50 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-14 00:50 . 2011-07-14 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-14 00:50 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-14 00:50 . 2011-07-14 00:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-06 23:58 . 2011-07-07 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-07-06 23:58 . 2011-07-07 00:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-06 00:14 . 2011-07-06 00:14 -------- d-----w- c:\program files\Microsoft Silverlight
2011-07-02 11:31 . 2011-07-02 11:31 -------- d-sh--w- c:\documents and settings\LocalService\History
2011-07-02 11:31 . 2011-07-02 11:31 -------- d-sh--w- c:\documents and settings\LocalService\Temporary Internet Files
2011-07-01 23:33 . 2011-07-01 23:33 -------- d-----w- c:\documents and settings\Joey\Application Data\Avira
2011-07-01 23:29 . 2011-07-02 01:54 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-07-01 23:29 . 2011-07-02 01:54 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-01 23:29 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-07-01 23:29 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-07-01 23:29 . 2011-07-01 23:29 -------- d-----w- c:\program files\Avira
2011-07-01 23:29 . 2011-07-01 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-07-01 23:12 . 2011-07-02 01:41 -------- d-----w- c:\windows\SxsCaPendDel
2011-07-01 22:42 . 2011-07-01 22:42 -------- d-----w- c:\program files\CCleaner
2011-07-01 19:53 . 2011-07-01 22:31 -------- d-----w- C:\225f14f7021b5b64ea094e
2011-06-30 02:09 . 2011-06-30 02:09 -------- d-----w- c:\documents and settings\Joey\Application Data\CyberLink
2011-06-29 22:18 . 2011-06-29 22:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-06-28 22:31 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-13 23:19 . 2011-05-22 23:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2006-03-16 04:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2006-03-16 04:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2006-03-16 04:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2005-01-19 12:26 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 14:11 . 2009-03-08 08:39 11081728 ----a-w- c:\windows\system32\ieframe(2)(2).dll
2011-04-26 11:07 . 2006-03-16 04:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2006-03-16 04:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2006-03-16 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2006-03-16 04:00 916480 ----a-w- c:\windows\system32\wininet(2)(2).dll
2011-04-25 16:11 . 2006-03-16 04:00 1211904 ----a-w- c:\windows\system32\urlmon(2)(2).dll
2011-04-25 16:11 . 2009-03-08 08:32 1991680 ----a-w- c:\windows\system32\iertutil(2)(2).dll
2011-04-25 16:11 . 2006-03-16 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2006-03-16 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2006-03-16 04:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2005-01-19 12:26 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-22 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-22 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-22 77824]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2011-1-13 869376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avgfws"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 4:39 PM 61952]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/13/2011 8:50 PM 39984]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Ssobijudu - c:\windows\mapft20.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-15 22:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????[??????`?@?????L?@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3164)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\sched.exe
c:\windows\system32\msdtc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2011-07-15 22:59:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-16 02:59
.
Pre-Run: 34,452,099,072 bytes free
Post-Run: 34,813,526,016 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - B00AA0EBF620F1689E6298C3E8259427

#8 CatByte (Malware Response Team, 14,664 posts, Canada)

Posted 15 July 2011 - 10:24 PM

Hi

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 lxer96 (Topic Starter, Members, 56 posts)

Posted 16 July 2011 - 08:02 AM

Done

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7156

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/15/2011 11:36:49 PM
mbam-log-2011-07-15 (23-36-49).txt

Scan type: Quick scan
Objects scanned: 169043
Time elapsed: 5 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


C:\WINDOWS\system32\drivers\VolSnap.sys_backup Win32/Olmasco.E trojan

#10 CatByte (Malware Response Team, 14,664 posts, Canada)

Posted 16 July 2011 - 03:16 PM

Please navigate to the following file, right-click it and delete it:

C:\WINDOWS\system32\drivers\VolSnap.sys_backup

Make certain that there is a Volsnap.sys in the same folder, so we can be certain this backup file is not the one being used, before we delete it.

NEXT

Your Java is out of date.
Java™ 6 Update 24 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java icon (looks like a coffee cup). If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button.
  • There are two options in the window to clear the cache. Leave BOTH checked:
    • Applications and Applets
    • Trace and Log Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files window.
  • Click OK to leave the Java Control Panel.


NEXT

Please post a fresh DDS log and advise how the computer is running now and whether there are any outstanding issues.

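One way to script the check CatByte asks for above, as an added example that is not part of the thread: it confirms the live volsnap.sys is present and is the file the VolSnap driver is actually loaded from before the flagged VolSnap.sys_backup is touched, records both hashes for the log, and moves the backup aside rather than deleting it outright. The paths are those in the post; Win32_SystemDriver and the .NET SHA256 class are standard and work on the PowerShell 2.0 that shipped for Windows XP.

```powershell
# Added example, not from the thread: verify the running VolSnap driver before
# removing the file ESET flagged (VolSnap.sys_backup), as the helper requested.
$drivers = Join-Path $env:SystemRoot 'system32\drivers'
$live    = Join-Path $drivers 'volsnap.sys'
$backup  = Join-Path $drivers 'VolSnap.sys_backup'

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash does not exist on PowerShell 2.0, so hash via .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

if (-not (Test-Path $backup)) {
    Write-Host "No VolSnap.sys_backup present; nothing to do."
    return
}
if (-not (Test-Path $live)) {
    # This is the condition the helper warned about: without a live volsnap.sys
    # the backup might be the only copy, so stop and report instead of deleting.
    Write-Warning "volsnap.sys is missing from $drivers; do NOT delete the backup. Report back first."
    return
}

# Ask the OS which file the VolSnap driver is loaded from and whether it is running.
$drv = Get-WmiObject Win32_SystemDriver -Filter "Name='volsnap'"
"Loaded driver : {0} (state: {1})" -f $drv.PathName, $drv.State
"Live   sha256 : {0}" -f (Get-Sha256Hex $live)
"Backup sha256 : {0}" -f (Get-Sha256Hex $backup)

if ($drv.PathName -and ($drv.PathName -like '*VolSnap.sys_backup*')) {
    # The service points at the flagged file itself; removing it could break the system.
    Write-Warning "The VolSnap service is loading the _backup file; stop here and report back."
} else {
    # The real driver is the one in use, so the flagged copy can be moved out of the
    # drivers folder. Moving (not deleting) keeps it recoverable until a reboot confirms all is well.
    $quarantine = Join-Path $env:TEMP 'VolSnap.sys_backup.quarantined'
    Move-Item -Path $backup -Destination $quarantine -Force
    "Moved $backup to $quarantine; delete it once the machine has rebooted cleanly."
}
```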


#11 CatByte (Malware Response Team, 14,664 posts, Canada)

Posted 23 July 2011 - 09:54 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
