Antivirus / Antimalware Programs Get Closed and Deleted When Scanning + Scour Redirect


2 replies to this topic

#1 ryante

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:25 PM

Posted 16 September 2011 - 05:24 PM

I just recently got back home after being out of town for quite some time and my fiance's computer has these two major problems.

I've used AVG and Malwarebytes to try and scan, and when I do, they close down and get deleted. So does GMER.

On another note, possibly tied to the same problem, I've got the Scour redirect on here also.

Here is my DDS log. Again, GMER.EXE gets closed when I get to the step where I am supposed to let it scan after unchecking the options in the guide, so I have no log from GMER, although it does detect something.

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 7.0.6000.17037
Run by Veronica at 17:05:21 on 2011-09-16
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?l=dis&o=102944&gct=hp
uSearch Bar = hxxp://home.peoplepc.com/search
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0070413
mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0070413
uInternet Settings,ProxyServer = http=127.0.0.1:5577
mSearchAssistant = hxxp://home.peoplepc.com/search
uURLSearchHooks: H - No File
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
mURLSearchHooks: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPag0.dll
mURLSearchHooks: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - c:\program files\whitesmoke_bar\prxtbWhit.dll
mURLSearchHooks: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - c:\program files\whitesmoke_bar\prxtbWhit.dll
mURLSearchHooks: H - No File
BHO: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - c:\program files\whitesmoke_bar\prxtbWhit.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TW_BHO Class: {1e1b2879-88ff-11d2-8d96-ffffac95951f} - c:\program files\macro toolsworks\mtwbho.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPag0.dll
BHO: Shop to Win 3: {9f56a04a-4886-48f7-b8b2-376f30fc27df} - c:\program files\shop to win 3\Shop to Win 3.dll
BHO: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files\somototoolbar\vmntemplateX.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\prxtbPag0.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files\somototoolbar\vmntemplateX.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: IspAssistant Add-on: {6da1e850-9f71-4b3c-81a4-d9eeef6fcd50} - c:\program files\ispassistant addon\ispassistant.dll
TB: FinderQuery Add-on: {adc66251-6410-4a15-9499-7d73c6994b25} - c:\program files\finderquery addon\finderquery.dll
TB: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - c:\program files\whitesmoke_bar\prxtbWhit.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\users\veronica\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ares] "c:\program files\ares\Ares.exe" -h
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [GrpConv] grpconv -o
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
LSP: mswsock.dll
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{0AAE0C21-57F7-4C1B-8A6D-C2AC2A0E46E4} : DhcpNameServer = 192.168.1.254
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\8.0.1\ViProtocol.dll
STS: amaretti: {2fdde73c-273e-4e55-84dc-455de06e4866} - c:\windows\system32\zdwii.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-09-13 17:08:19 -------- d-----w- C:\Conduit
2011-09-12 22:06:09 50112 --sha-w- c:\windows\system32\c_69545.nl_
2011-09-12 22:05:00 -------- d-----w- c:\windows\pss
2011-09-12 21:06:04 -------- d-----w- c:\program files\AVG Secure Search
2011-09-11 16:38:27 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-11 16:38:23 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-11 16:38:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-11 16:08:41 -------- d-----w- c:\program files\common files\AVG Secure Search
2011-09-11 16:06:46 -------- d-----w- c:\users\veronica\appdata\roaming\AVG2012
2011-09-11 16:06:25 -------- d-----w- c:\programdata\AVG2012
2011-09-11 03:06:13 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2011-08-18 23:40:38 -------- d-----w- c:\users\veronica\appdata\local\Solid State Networks
.
==================== Find3M ====================
.
2011-08-10 21:39:48 396136 ----a-w- c:\windows\system32\itpcoin82.dll
2011-07-27 23:57:18 7680 ----a-w- c:\windows\system\svchost.exe
2011-07-11 06:14:38 295248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-07-11 06:14:02 24272 ----a-w- c:\windows\system32\drivers\AVGIDSFilter.sys
2011-07-11 06:14:02 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-07-11 06:14:00 23120 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2011-07-11 06:13:58 134736 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-07-11 06:13:46 229840 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-07-11 06:13:42 32464 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
.
============= FINISH: 17:06:10.16 ===============


Thanks for the help in advance.


#2 nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:25 PM

Posted 21 September 2011 - 09:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

If you did not set this proxy server please check with your Internet Provider and ask if you need it.
uInternet Settings,ProxyServer = http=127.0.0.1:5577

If not remove the proxy settings.

In Internet Explorer go to Tools - Internet Options - Connections Tab - Lan Settings and remove the reference to 127.0.0.1:5577 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".
===

If you use Firefox, in Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings, select the "Auto-detect proxy settings for this network" option.
===


Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Please run the DDS tool and post the fresh log.

Include the other logs also.
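The proxy entry nasdaq points out (uInternet Settings,ProxyServer = http=127.0.0.1:5577) is the per-user WinINET setting, so it can also be inspected and cleared from a PowerShell prompt in the affected user's session rather than through the Internet Options dialog. The script below is an added example, not part of this thread and not code from DDS, TDSSKiller, aswMBR or any other tool mentioned here; it reads that registry value, flags a proxy that points back at the local machine (which is what sends every page through whatever is listening on that port), shows which process owns the listening socket, and with the -Remove switch (this example's own addition) does what the manual IE steps above do.

```powershell
# Added example: check the per-user WinINET proxy that DDS reports as
# "uInternet Settings,ProxyServer" and flag one that points at the local machine.
# Assumes it is run in the affected user's session (HKCU only); the -Remove
# switch is this example's own convenience and mirrors the manual IE steps.
param([switch]$Remove)

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-LoopbackProxy {
    # Returns $true when any entry in a WinINET ProxyServer string
    # ("host:port" or "http=host:port;https=host:port") names the local machine.
    param([string]$ProxyServer)
    if ([string]::IsNullOrWhiteSpace($ProxyServer)) { return $false }
    $loopback = @('127.0.0.1', 'localhost', '::1', '[::1]')
    foreach ($entry in ($ProxyServer -split ';')) {
        $hostPort = ($entry -split '=')[-1].Trim()     # drop a "http=" style prefix
        $hostName = $hostPort -replace ':\d+$', ''      # drop the trailing port
        if ($loopback -contains $hostName.ToLower()) { return $true }
    }
    return $false
}

$settings     = Get-ItemProperty -Path $key -ErrorAction Stop
$proxyServer  = $settings.ProxyServer            # e.g. "http=127.0.0.1:5577"
$proxyEnabled = [int]$settings.ProxyEnable        # 1 = "Use a proxy server" is ticked

Write-Host "ProxyEnable : $proxyEnabled"
Write-Host "ProxyServer : $proxyServer"

if (Test-LoopbackProxy $proxyServer) {
    Write-Warning "Browser traffic is routed through a proxy on this machine: $proxyServer"
    # The process owning the listening socket is the one to identify (PID is the last column).
    $port = ($proxyServer -split ':')[-1]
    netstat -ano | Select-String 'LISTENING' | Select-String ":$port\s"
    if ($Remove) {
        Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
        Set-ItemProperty    -Path $key -Name ProxyEnable -Value 0
        Write-Host "Proxy setting cleared; restart the browser so WinINET re-reads it."
    }
} elseif ($proxyEnabled -eq 1 -and $proxyServer) {
    Write-Host "A proxy is configured but does not point at this machine; confirm it with the ISP."
} else {
    Write-Host "No proxy configured for this user."
}
```

Run it once without -Remove to see the value and the owning PID, then with -Remove if the proxy was not set deliberately. The "Automatically detect settings" checkbox is stored separately in a binary value under the Connections subkey, so ticking it is left to the Internet Options dialog as described above. Clearing the setting only stops the redirection; the listener on that port and whatever is killing the scanners still need to be identified, which is what the TDSSKiller and aswMBR logs requested above are for.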

#3 nasdaq

  • Malware Response Team
  • 38,933 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:25 PM

Posted 27 September 2011 - 08:44 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
