
"Resident Shield alert" message from AVG


  • This topic is locked
2 replies to this topic

#1 Jgiambi

  • Members
  • 1 posts

Posted 24 July 2011 - 03:07 PM

So, I got infected with some nasty spyware/malware/trojans. I ran through the guide of using Rkill & the MalwareBytes Anti-Malware program and it caught some things (see attachment). I later ran it again and it didn't seem to catch anything (again, see attachment for the log), so I thought everything was fine. However, this morning I started getting "Resident Shield alert" messages from AVG telling me I have a couple of trojans on my computer. I'm suspecting this is a hijacked AVG message I'm getting.

So, I tried to go through the guidelines for posting here but I couldn't get past the GMER Log step (tried twice; each time a blue screen of death flashed and my computer suddenly rebooted in the middle of the scan). Would trying it in Safe Mode help (or would that not give accurate information)? Here's the log from the "Windows has recovered from an unexpected shutdown" dialog:

Problem signature:
  Problem Event Name:	BlueScreen
  OS Version:	6.1.7600.2.0.0.256.48
  Locale ID:	1033

Additional information about the problem:
  BCCode:	1000008e
  BCP1:	C0000005
  BCP2:	82D3F795
  BCP3:	ADEA1B2C
  BCP4:	00000000
  OS Version:	6_1_7600
  Service Pack:	0_0
  Product:	256_1

Files that help describe the problem:
  C:\Windows\Minidump\072411-49857-01.dmp
  C:\Users\Azure\AppData\Local\Temp\WER-398832-0.sysdata.xml

Read our privacy statement online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt

.
DDS (Ver_2011-06-23.01) - NTFSx86 
Internet Explorer: 8.0.7600.16385  BrowserJavaVersion: 1.6.0_26
Run by Azure at 11:50:29 on 2011-07-24
Microsoft Windows 7 Professional   6.1.7600.0.1252.1.1033.18.1014.304 [GMT -7:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Users\Azure\Local Settings\Apps\F.lux\flux.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
BHO: {11d95f5a-a616-42be-ab37-5ef1758a1e14} - c:\windows\system32\api-ms-win-core-heap-l1-1-032.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [F.lux] "c:\users\azure\local settings\apps\f.lux\flux.exe" /noshow
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [Google Update] "c:\users\azure\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{35E0869A-3A8B-4958-AB1B-D31CF6327E1C} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{35E0869A-3A8B-4958-AB1B-D31CF6327E1C}\351636B672370234F6666656560223 : DhcpNameServer = 10.1.10.1
TCP: Interfaces\{80D010E7-9E68-48E0-8648-2042857103E5} : DhcpNameServer = 192.168.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: avgrsstx.dll
mASetup: {D9B934D0-6A20-450E-9F69-F5595636C28E} - "c:\program files\hummingbird\connectivity\13.00\accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1  LOGGINGLEVEL=5 
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\azure\appdata\roaming\mozilla\firefox\profiles\5bpalqva.default\
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\azure\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\windows.old\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\windows.old\program files\mozilla firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\windows.old\program files\mozilla firefox\plugins\nplv85win32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-8-8 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-8-8 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-8-8 243152]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-8-8 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-8 308136]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-18 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-18 399416]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2010-3-18 40912]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2010-3-18 10448]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 sftfs;sftfs;c:\program files\microsoft application virtualization client\drivers\SftFSlh.sys [2009-9-23 543064]
R3 sftplay;sftplay;c:\program files\microsoft application virtualization client\drivers\sftplaylh.sys [2009-9-23 190312]
R3 sftvol;sftvol;c:\program files\microsoft application virtualization client\drivers\SftVollh.sys [2009-9-23 14680]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2009-9-23 203608]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2009-9-26 819600]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-7-23 366640]
S2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2009-9-23 447832]
S2 WdiServiceHost32;Diagnostic Service Host ;c:\windows\system32\biocpl32.exe [2011-7-16 561152]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-7-23 22712]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2009-9-23 21848]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-5-1 1343400]
.
=============== Created Last 30 ================
.
2011-07-24 07:24:46	--------	d-----w-	c:\users\azure\appdata\local\Secunia PSI
2011-07-24 07:24:24	--------	d-----w-	c:\program files\Secunia
2011-07-23 23:30:54	--------	d-----w-	c:\users\azure\appdata\roaming\Malwarebytes
2011-07-23 23:30:44	41272	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-23 23:30:42	--------	d-----w-	c:\programdata\Malwarebytes
2011-07-23 23:30:39	22712	----a-w-	c:\windows\system32\drivers\mbam.sys
2011-07-23 23:30:39	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2011-07-17 05:34:22	561152	----a-w-	c:\programdata\api-ms-win-core-heap-l1-1-032.exe
2011-07-17 05:34:18	561152	----a-w-	c:\windows\system32\biocpl32.exe
2011-07-13 05:46:06	290816	----a-w-	c:\windows\system32\KernelBase.dll
2011-07-13 05:46:05	3584	---ha-w-	c:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-06-28 23:09:19	294912	----a-w-	c:\windows\system32\umpnpmgr.dll
2011-06-28 23:09:14	1401856	----a-w-	c:\windows\system32\mssrch.dll
2011-06-28 23:09:13	1553920	----a-w-	c:\windows\system32\tquery.dll
2011-06-28 23:09:08	666624	----a-w-	c:\windows\system32\mssvp.dll
2011-06-28 23:09:08	428032	----a-w-	c:\windows\system32\SearchIndexer.exe
2011-06-28 23:09:08	337408	----a-w-	c:\windows\system32\mssph.dll
2011-06-28 23:09:01	86528	----a-w-	c:\windows\system32\SearchFilterHost.exe
2011-06-28 23:09:01	59392	----a-w-	c:\windows\system32\msscntrs.dll
2011-06-28 23:09:01	197120	----a-w-	c:\windows\system32\mssphtb.dll
2011-06-28 23:09:01	164352	----a-w-	c:\windows\system32\SearchProtocolHost.exe
.
==================== Find3M  ====================
.
2011-07-24 07:59:08	472808	----a-w-	c:\windows\system32\deployJava1.dll
2011-07-23 06:49:55	243152	----a-w-	c:\windows\system32\drivers\avgtdix.sys
2011-06-11 02:37:19	2332672	----a-w-	c:\windows\system32\win32k.sys
2011-06-02 05:59:55	169984	----a-w-	c:\windows\system32\winsrv.dll
2011-06-02 05:55:31	271872	----a-w-	c:\windows\system32\conhost.exe
2011-06-02 03:45:49	6144	---ha-w-	c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-06-02 03:45:49	4608	---ha-w-	c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-06-02 03:45:49	3584	---ha-w-	c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-06-02 03:45:49	3072	---ha-w-	c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-05-28 03:00:02	1638912	----a-w-	c:\windows\system32\mshtml.tlb
2011-05-04 02:43:59	222720	----a-w-	c:\windows\system32\drivers\mrxsmb10.sys
2011-05-04 02:43:48	96256	----a-w-	c:\windows\system32\drivers\mrxsmb20.sys
2011-05-04 02:43:41	123392	----a-w-	c:\windows\system32\drivers\mrxsmb.sys
2011-05-03 04:50:29	740864	----a-w-	c:\windows\system32\inetcomm.dll
2011-04-29 02:57:34	311296	----a-w-	c:\windows\system32\drivers\srv.sys
2011-04-29 02:57:21	309760	----a-w-	c:\windows\system32\drivers\srv2.sys
2011-04-29 02:57:13	114176	----a-w-	c:\windows\system32\drivers\srvnet.sys
2011-04-27 02:33:46	78336	----a-w-	c:\windows\system32\drivers\dfsc.sys
.
============= FINISH: 11:53:25.74 ===============

Edited by Jgiambi, 24 July 2011 - 07:18 PM.




#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,660 posts

Posted 03 August 2011 - 03:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you, please perform the following steps:

***************************************************

First, I need to know if you still need help! To tell me this, please click on http://www.bleepingcomputer.com/logreply/411021 and follow the instructions there. If you no longer need help, this is all you need to do. If you do need help please continue below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,660 posts

Posted 08 August 2011 - 03:15 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!