HiJack This log, AVG Malware Unremovable...


  • This topic is locked
2 replies to this topic

#1 DanielVincentKelley


Posted 08 January 2014 - 09:31 PM

Here's the problem, way back when, I installed AVG thinking they were a reputable company. I've since found out they use shady business practices, like hijacking search and homepage and newtab functions on browsers and they hide the code they used to do it on your PC either in a Windows Temp folder where nobody will ever look or 7 layers off the root in the AppData directory or some other hidden nonsense. Since I've been seeking this virus on my computer, my documents and settings folder became inaccessible; trying to open it I get a message telling me I don't have permission. Then trying to adjust the permission signed in as an administrator I get denied adjusting the permission. Finally I took ownership of the folder away from the system and finally I was able to open the documents and settings folder. I was prompted to check the documents and settings folder because I found an article titled something like, AVG is Malware. And the guy listed everywhere on the hard drive and in the registry they installed their hackjob malware pretending to be an antivirus. Anyhow, I got into the documents and settings folder and the folder he listed to look for in there wasn't there. I know they change these things; as their malware is discovered and people begin to get smart to how to remove it, they swap the directory, bury it deeper, put up more obstacles. So, I haven't found the offending software yet. I know this because it's still doing the same thing, which is particularly, when I open OR CLOSE Firefox, the contents of Firefox's prefs.js file are manipulated. Somehow AVG has software on my computer that, on either opening or closing Firefox, causes this string of garbage to be written into my prefs.js file:

user_pref("avg.install.disableHPGuard", false);
user_pref("avg.install.disableSPGuard", false);
user_pref("avg.install.guardCountInit", 156);
user_pref("avg.install.guardPopupCountInit", -1);
user_pref("avg.install.guardSPCountInit", 156);
user_pref("avg.install.guardSPPopupCountInit", -1);
user_pref("avg.install.guard_xpcom", 0);
user_pref("avg.install.guards_inactive", 1);

I searched on my hard drive, looking inside the whole text of all the files including system and hidden directories for disableHPGuard... And I found a bunch of offending .js files, JavaScript that contained that text, disableHPGuard. I figured, if it needs to write that text into the file, it must contain that text itself. So, I thought I got lucky. I deleted everything on my hard drive that contained that text, but it didn't fix the problem. Opening or closing FF causes this modification to the prefs.js still. The real problem is though, that with whatever that "install guard" is guarding on my computer, against my will, it changes my newtab setting to AVG search, away from my Firefox default newtab page which shows all the websites I've visited the most, which is what I prefer, obviously. Otherwise I wouldn't be on here complaining and looking for help, right?

While opening or closing Firefox causes all that text above to be replaced in my prefs.js, regardless of how many times I delete it and save the file, it's not any of those settings that causes the newtab hijack. What modifies the prefs.js and thus hijacks my newtab setting is this line, which is added to my prefs.js upon my opening a newtab:

user_pref("avg.userPreferences.newtabDisabledByUser",false)

If I toggle that to true, AVG allows me to have my newtab set to firefox default. But it's irritating me to no end that they have this malware on my computer, that they're at ease to hack my prefs.js to enter "user preferences" which are in fact NOT my preferences and are in fact offensive to me that they insist upon entering themselves in my prefs file and it burns me that avg has a program on my computer, apparently running in the background or attached to my firefox launch, that molests my settings. I can't be sure that it's not doing some other nefarious work on my computer, like opening a port to hackers to avail my computer as a proxy for hack work where the hacking being done is a felony crime that I might get framed up for. I don't know that they're not transmitting my every move online to AVG headquarters and profiteering the spy game, selling my data to the CIA to support the cocaine habit of AVG founders Jan Gritzbach and Tomáš Hofer. I don't know. And when something I don't know too much about yet is egregiously offensive, and that be known, I do my best to exterminate that thing. So that's what I'm doing, and what I'm hoping you guys will help me do, exterminate this AVG garbage from my computer, vanquish it to the pits of hell.

Are you with me?

I've run numerous programs AVG claims are a complete uninstall of their toolbar and of their antivirus software; none of those kept AVG from molesting my prefs.js time and again. I've run ComboFix, JRT, Sophos AntiVirus, AdwCleaner; none of those killed this AVG zombie. I deleted every reference in my registry to avg and to vtoolbar, no joy. I deleted everything on my hard drive that had avg in its name, every file, every folder.

 

This is my HiJack this log:

 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:50:59 PM, on 1/8/2014
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Rising\RAV\RsTray.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe
C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\dsqwe18s.default-1368835401750\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.zonealarm.com/?src=hp&tbid=base2013&Lan=en&gu=1439e8547a7d4f02a85208540b5326d6&tu=10G90007s2B0008&sku=&tstsId=&ver=&
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Zonealarm Helper Object - {2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\bh\zonealarm.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: ZoneAlarm Security Toolbar - {438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59} - C:\Program Files\Check Point Software Technologies LTD\zonealarm\1.8.11.11\zonealarmTlbr.dll (file missing)
O4 - HKLM\..\Run: [RavTRAY] "C:\Program Files\Rising\RAV\RSTRAY.EXE" -system
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\StreamingStar\HiDownload_Platinum\HiDownloadPlatinum.exe (HKCU)
O15 - Trusted Zone: my.magicjack.com
O15 - Trusted Zone: reg.talk4free.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{87E83D6F-0B63-4793-9CF1-44958C3C158A}: NameServer = 75.75.75.75,75.75.76.76
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: DDNIOEMService - Digital Delivery Networks, Inc. - C:\Program Files\DDNI\SBITS\DDNIOEMService.exe
O23 - Service: dlbk_device -   - C:\Windows\system32\dlbkcoms.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Blaze Media Pro\NMSAccess32.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Rsd Service (RsMgrSvc) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\RSD\RsMgrSvc.exe
O23 - Service: Rav Service (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\RAV\RavMonD.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Sophos Virus Removal Tool (SophosVirusRemovalTool) - Sophos Limited - C:\Program Files\Sophos\Sophos Virus Removal Tool\SVRTservice.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe (file missing)
--
End of file - 8113 bytes

 

Honestly, I don't think this malware is listed in there.

 

Any thoughts on where to go from here? I'm thinking, what might help, is a program that logs everything that's going on on my computer when Firefox is opened or closed. But I found out Event Viewer only logs Firefox crashes and not everything Firefox does. So, unless there's some other solution out there that performs such a function, then I don't know how to better narrow it down to a particular offending file.

 

In closing, DAMN YOU AVG and to the members of the BleepingComputer forum, PLEASE HELP ME!?

Thanks,

DanielVincentKelley
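The prefs.js lines quoted in the post above, as an added example that is not part of the original thread: a small Python script that parses prefs.js into a dictionary, diffs a snapshot taken before closing Firefox against one taken after, and flags the avg.* keys and the avg.userPreferences.newtabDisabledByUser override the poster describes. The two snapshots are constructed for illustration (not real captures); on a real profile you would read them from the prefs.js file before and after the Firefox open/close that triggers the change.

```python
import re

# Constructed sample snapshots of prefs.js, modelled on the lines quoted in the
# post above (not real captures). BEFORE is the file as the user saved it;
# AFTER is what it looks like once Firefox has been closed and a new tab opened.
BEFORE = '''\
user_pref("browser.newtab.url", "about:newtab");
user_pref("browser.startup.homepage", "about:home");
user_pref("avg.userPreferences.newtabDisabledByUser", true);
'''

AFTER = '''\
user_pref("browser.newtab.url", "about:newtab");
user_pref("browser.startup.homepage", "about:home");
user_pref("avg.install.disableHPGuard", false);
user_pref("avg.install.guardCountInit", 156);
user_pref("avg.install.guards_inactive", 1);
user_pref("avg.userPreferences.newtabDisabledByUser",false)
'''

# One user_pref(...) call per line; the trailing ";" is optional because the
# newtab line quoted in the post lacks it.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;?\s*$')

def parse_value(raw):
    """Turn the literal from a user_pref() call into a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything else as the raw literal

def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in a prefs.js body."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def diff_prefs(before, after):
    """Keys added, removed, or changed between two parsed snapshots."""
    added = {k: after[k] for k in after if k not in before}
    removed = {k: before[k] for k in before if k not in after}
    changed = {k: (before[k], after[k]) for k in before
               if k in after and before[k] != after[k]}
    return added, removed, changed

def avg_findings(prefs):
    """Injected avg.* pref names, and whether the newtab override is active."""
    avg_keys = sorted(k for k in prefs if k.startswith("avg."))
    # "is False" rather than "== False" so an integer 0 is not mistaken for it.
    newtab_hijacked = prefs.get("avg.userPreferences.newtabDisabledByUser") is False
    return avg_keys, newtab_hijacked

if __name__ == "__main__":
    added, removed, changed = diff_prefs(parse_prefs(BEFORE), parse_prefs(AFTER))
    print("added:", added, "removed:", removed, "changed:", changed)
    print("avg findings:", avg_findings(parse_prefs(AFTER)))
```

Running it on the constructed snapshots reports the three avg.install.* keys as added and the newtabDisabledByUser flip from true to false as the one change, which is exactly the edit the poster says re-enables the AVG newtab page.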





#2 HelpBot


Posted 13 January 2014 - 09:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/520162 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot


Posted 18 January 2014 - 09:40 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!



