Closed fake pop-up, now can't access MBAM or AVG


8 replies to this topic

#1 Derren

Posted 15 November 2014 - 06:13 PM

I closed what I think was a fake AVG pop-up that only gave me the option to click one button. It said something about protecting me from a virus.

 

I couldn't get the window to move or go away, and I thought perhaps this really was AVG trying to protect me. So I clicked the button.

 

After that I got many repeated winpatrol pop-ups asking me if I wanted to allow something. I kept clicking no, but they kept coming. And then a browser window opened about annoying winpatrol pop-ups.

 

This went on for a few minutes, then I tried to run MBAM but it would not run. Instead I get a message: "This program is blocked by group policy. For more information, contact your system administrator."

 

So I restarted the system. Now AVG won't launch and I get the same group policy message when I try to access it.

 

I have tried the "Run as Administrator" option but the same group policy message appears.

 

I cannot get MBAM or AVG to run now. Every time, I get the group policy message.

 

The winpatrol pop-ups have stopped and I'm posting from the affected computer.

 

Thank you.

 

PS: My machine is 32-bit, running Windows Vista.


Edited by Derren, 15 November 2014 - 06:15 PM.




#2 Alex&Vanko


Posted 20 November 2014 - 06:34 PM

Start menu -> Control Panel -> Administrative Tools -> Local Security Policy -> Software Restriction Policies, and Application Control Policies -> AppLocker

What is the situation with them? Just to see.

 

Thank you!



#3 Derren


Posted 20 November 2014 - 07:16 PM

No software restriction policies defined.



#4 Alex&Vanko


Posted 20 November 2014 - 07:29 PM

Please download RKill by Grinler HERE and save it to your desktop.
There are 2 different versions. If one of them won't run, then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
    Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
    A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
    If nothing happens or if the tool does not run, please let me know in your next reply.
    A log pops up at the end of the run. This log file is located at C:\rkill.log.
    Please post the log in your next reply.
 

Download screen317's Security Check HERE and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

Please download MiniToolBox HERE to your desktop and run it.
Checkmark the following boxes:
* List content of Hosts
* Flush DNS
* Report IE Proxy Settings
* Reset IE Proxy Settings
* Report FF Proxy Settings
* Reset FF Proxy Settings
* List last 10 Event Viewer log
* List Installed Programs
* List Devices (do NOT change any settings here)
* List Users, Partitions and Memory size
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
Click Go and Copy / Paste the result. (result.txt)

Please download Farbar Service Scanner (FSS) HERE and run it on the computer with the issue.

    Make sure the following options are checked:
        Internet Services
        Windows Firewall
        System Restore
        Security Center/Action Center
        Windows Update
        Windows Defender
        Other Services
    Press "Scan".
    It will create a log (FSS.txt) in the same directory the tool is run.
    Please copy and paste the log to your reply.

Download Malwarebytes Anti-Rootkit HERE
    Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
    Double click on downloaded file. OK self extracting prompt.
    MBAR will start. Click "Next" to continue.
    Click in the following screen "Update" to obtain the latest malware definitions.
    Once the update is complete select "Next" and click "Scan".
    When the scan is finished and no malware has been found select "Exit".
    If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
    Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
    "mbar-log-{date} (xx-xx-xx).txt"
    "system-log.txt"


 

Thank you!



#5 Derren


Posted 24 November 2014 - 07:29 AM

I will do just as you say.

 

Work will keep me away from my home pc for at least another day. The earliest I begin these steps is Tuesday Nov. 25.

 

Thank you,

 

Derren



#6 Derren


Posted 26 November 2014 - 07:04 AM

RKill Log:

 

Rkill 2.6.8 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 11/25/2014 07:15:29 PM in x86 mode.
Windows Version: Windows Vista ™ Business Service Pack 2
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKLM\Software\Classes\exefile\shell\open\command\\IsolatedCommand was changed. It was reset to "%1" %*!
 
  * HKLM\Software\Classes\exefile\shell\runas\command\\IsolatedCommand was changed. It was reset to "%1" %*!
 
 
Performing miscellaneous checks:
 
 * System Restore Disabled
 
   [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   "DisableConfig" = dword:00000001
 
 * System Restore Disabled
 
   [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   "DisableSR" = dword:00000001
 
 * ALERT: ZEROACCESS Reparse Point/Junction found!
 
     * C:\Windows\$NtUninstallKB62280$ => c:\windows\system32\config\ [Dir]
 
Checking Windows Service Integrity: 
 
 * WPCSvc [Missing Service]
 
 * iphlpsvc [Missing ImagePath]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
   127.0.0.1       localhost
 
   ::1             localhost
 
   
 
Program finished at: 11/25/2014 07:17:43 PM
Execution time: 0 hours(s), 2 minute(s), and 13 seconds(s)
 
checkup.txt:
 

 Results of screen317's Security Check version 0.99.90  
 Windows Vista Service Pack 2 x86 (UAC is disabled!)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 WinPatrol 
 SpywareBlaster 4.5    
 Spybot - Search & Destroy 
 Java 7 Update 60  
 Java version out of Date! 
 Adobe Flash Player 15.0.0.223  
 Adobe Reader 9 Adobe Reader out of Date! 
 Google Chrome (39.0.2171.65) 
 Google Chrome (39.0.2171.71) 
 Google Chrome (chrome.exe..) 
 Google Chrome (debug.log..) 
 Google Chrome (Dictionaries...) 
 Google Chrome (First Run...) 
 Google Chrome (old_chrome.exe..) 
 Google Chrome (Plugins...) 
````````Process Check: objlist.exe by Laurent````````  
 Windows Defender MSASCui.exe 
 WinPatrol winpatrol.exe 
 AVG avgwdsvc.exe 
 AVG avgrsx.exe 
 AVG avgnsx.exe 
 AVG avgemc.exe 
 Windows Defender MSASCui.exe   
 BillP Studios WinPatrol WinPatrol.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 4 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 
 
result.txt:

MiniToolBox by Farbar  Version: 21-07-2014
Ran by Derren (administrator) on 25-11-2014 at 19:33:01
Running from "C:\Users\Derren\Desktop"
Microsoft® Windows Vista™ Business  Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
FSS.txt:

Farbar Service Scanner Version: 21-07-2014
Ran by Derren (administrator) on 25-11-2014 at 19:46:22
Running from "C:\Users\Derren\Desktop"
Microsoft® Windows Vista™ Business  Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
mbar log:

Farbar Service Scanner Version: 21-07-2014
Ran by Derren (administrator) on 25-11-2014 at 19:46:22
Running from "C:\Users\Derren\Desktop"
Microsoft® Windows Vista™ Business  Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
system-log.txt:

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.08.2.1001
 
© Malwarebytes Corporation 2011-2012
 
OS version: 6.0.6002 Windows Vista Service Pack 2 x86
 
Account is Administrative
 
Internet Explorer version: 9.0.8112.16421
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 2.660000 GHz
Memory total: 2109263872, free: 1156276224
 
Downloaded database version: v2014.11.26.02
Downloaded database version: v2014.11.22.01
Initializing...
======================
------------ Kernel report ------------
     11/25/2014 20:27:42
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\iastor.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\System32\Drivers\SbAlg.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\SbFsLock.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\SafeBoot.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\avgrkx86.sys
\SystemRoot\system32\DRIVERS\avglogx.sys
\SystemRoot\system32\DRIVERS\avgmfx86.sys
\SystemRoot\system32\DRIVERS\avgidshx.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\tunmp.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\Drivers\nvBridge.kmd
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\HECI.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\e1e6032.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\drivers\tpm.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\storport.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\serscan.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\nvhda32v.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ADIHdAud.sys
\SystemRoot\System32\drivers\psd.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\avgtdix.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\System32\Drivers\RsvLock.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\csc.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\avgldx86.sys
\SystemRoot\system32\DRIVERS\avgidsshimx.sys
\SystemRoot\system32\DRIVERS\avgidsdriverx.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_SbHiber.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\drivers\mrxdav.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\ATMFD.DLL
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\windows\System32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8651bac8
Upper Device Driver Name: \Driver\disk\
Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-2\
Lower Device Object: 0xffffffff859fc8a0
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8651bac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8661ed18, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8651b0e0, DeviceName: Unknown, DriverName: \Driver\SafeBoot\
DevicePointer: 0xffffffff8651bac8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff85a7ad28, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff859fc8a0, DeviceName: \Device\Ide\IdeDeviceP2T0L0-2\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: Unknown, DriverName: \Driver\SafeBoot\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
File user open failed: C:\WINDOWS\SYSTEM32\drivers\SafeBoot.sys (0x00000020)
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 3833069C
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 282982927
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 282984975  Numsec = 25270816
 
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 308256768  Numsec = 4093952
 
    Partition 3 type is Other (0x72)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 312351795  Numsec = 208845
 
Disk Size: 160041885696 bytes
Sector size: 512 bytes
 
Done!
Infected: C:\ProgramData\IoleqUllib\IoleqUllib.dat --> [Spyware.Vawtrak]
Infected: HKU\S-1-5-21-399089533-3685514525-3991642726-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|IoleqUllib --> [Spyware.Vawtrak]
File "c:\programdata\avg2013\chjw\1050dfc01722fca4.dat:e84e1c0f-5d36-4676-ba26-78367098b256" is sparse (flags = 32768)
File "c:\programdata\avg2013\chjw\30a3ddb31ca160f2.dat:d167c65d-d0f7-4a4c-970f-9e400bef4472" is sparse (flags = 32768)
File "c:\programdata\avg2013\chjw\74ace373ace32e74.dat:8c98e368-b723-4f1a-acc9-9c4eff6eec25" is sparse (flags = 32768)
File "c:\programdata\avg2013\chjw\74ace373ace32e74.dat:fc52dd75-1873-4065-8990-95560b80ee70" is sparse (flags = 32768)
Infected: C:\ProgramData\NugzIcjid\NugzIcjid.dat --> [Spyware.Vawtrak]
Infected: C:\ProgramData\OidsAzeb\OidsAzeb.dat --> [Spyware.Vawtrak]
Infected: C:\Users\Derren\AppData\Local\Temp\sysrestore.exe --> [Trojan.Agent.ED]
Infected: C:\Users\Derren\AppData\Local\Temp\disktool.exe --> [Trojan.Packed.kvt]
File "C:\windows\System32\config\systemprofile\AppData\Local\Avg2013\log\avgcore.log.1" is compressed (flags = 1)
File "C:\windows\System32\config\systemprofile\AppData\Local\Avg2013\log\avgcore.log.6" is compressed (flags = 1)
File "C:\windows\System32\config\systemprofile\AppData\Local\Avg2013\log\avgcfg.log.1" is compressed (flags = 1)
Infected: C:\windows\Installer\{2E12DA11-E64C-4B1C-91F7-B3BA6BCF148A}\msiexec.exe --> [Trojan.Clicker]
Infected: C:\windows\Installer\{352BC17A-648C-4239-AC25-97304F7ECF01}\msiexec.exe --> [Backdoor.Bot]
Infected: C:\windows\Installer\{3576A311-412E-48FD-8C44-3BF2B341F48D}\msiexec.exe --> [Trojan.Rupest]
Infected: C:\windows\Installer\{45B3202C-50A0-4825-B018-5449C5F9A7EE}\msiexec.exe --> [Backdoor.Bot]
Infected: C:\windows\Installer\{94C9BEFD-FD5F-45CE-A829-3CA7F78F3EE1}\msiexec.exe --> [Trojan.FakeMS.ED]
Infected: C:\windows\Installer\{983E4D42-20C2-4785-BF2F-A5E0EAB5F3E7}\msiexec.exe --> [Trojan.Pseudo.isct]
Infected: C:\windows\Installer\{A0B6B8B2-6F59-49D1-AC4B-5D5912FC5BE9}\msiexec.exe --> [Spyware.Vawtrak]
Infected: C:\windows\Installer\{7649027F-9CE7-412C-8301-E74B7B9A44B8}\msiexec.exe --> [Trojan.Rupest]
Infected: C:\windows\Installer\{1F94C197-3583-44EC-92F5-2E0CB4FAD4D2}\msiexec.exe --> [Spyware.Vawtrak]
Infected: C:\windows\Installer\{63CF16A8-432D-4746-B63C-F354E7E6FA65}\msiexec.exe --> [Trojan.Rupest]
Infected: C:\windows\Installer\{6743D2BD-B7D6-495C-8A21-06650DA345FA}\msiexec.exe --> [Trojan.Agent]
Infected: C:\windows\Installer\{73447F9E-0FE8-453A-8001-2FFC1F3ED5C0}\msiexec.exe --> [Trojan.Pseudo.isct]
Infected: C:\windows\Installer\{46CE3008-B006-4672-978A-1D3F1C03CF5B}\msiexec.exe --> [Trojan.FakeMS.ED]
Infected: C:\windows\Installer\{50D7D681-0707-4176-81AD-14AE9AE4B472}\msiexec.exe --> [Trojan.Clicker]
Infected: C:\windows\Installer\{57567299-B94A-4412-8DCA-4085F3435509}\msiexec.exe --> [Trojan.Pseudo.isct]
Infected: C:\windows\Installer\{6066DB4F-7C39-4267-A911-FEE08A461EF2}\msiexec.exe --> [Trojan.Rupest]
Infected: C:\windows\Installer\{622140A3-D4E7-41E8-BA90-046BA8B48145}\msiexec.exe --> [Trojan.Agent.EDHE]
Infected: C:\windows\Installer\{C6D8EA93-A8BD-4A78-9FE3-16F136B7DBCA}\msiexec.exe --> [Trojan.Agent]
Infected: C:\windows\Installer\{D18ED5F8-65D7-4820-BE10-C6E5ED618F0E}\msiexec.exe --> [Trojan.Agent]
Infected: C:\windows\Installer\{D40CCC44-AA9E-4888-9E2D-919A31686A25}\msiexec.exe --> [Spyware.Vawtrak]
Infected: C:\windows\Installer\{F6F2C34B-D236-44D9-AAF1-1BEB4302B2E7}\msiexec.exe --> [Trojan.Clicker]
Infected: C:\windows\Installer\{793C68C2-F938-4BBF-A5AE-388D784C1CA7}\msiexec.exe --> [Trojan.Agent]
Infected: C:\windows\Installer\{83E0B800-4C50-4EB8-AEDD-9E25F1F97B51}\msiexec.exe --> [Trojan.Clicker]
File "c:\windows\$ntuninstallkb62280$\485945278\@" is compressed (flags = 1)
File "c:\windows\$ntuninstallkb62280$\485945278\bckfg.tmp" is compressed (flags = 1)
File "c:\windows\$ntuninstallkb62280$\485945278\cfg.ini" is compressed (flags = 1)
File "c:\windows\$ntuninstallkb62280$\485945278\desktop.ini" is compressed (flags = 1)
File "c:\windows\$ntuninstallkb62280$\485945278\keywords" is compressed (flags = 1)
File "c:\windows\$ntuninstallkb62280$\485945278\kwrd.dll" is compressed (flags = 1)
File "c:\windows\$ntuninstallkb62280$\485945278\lsflt7.ver" is compressed (flags = 1)
File "c:\windows\$ntuninstallkb62280$\485945278\l\vhtmwbun" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb62280$\485945278\l\vhtmwbun --> [Backdoor.0Access]
File "c:\windows\$ntuninstallkb62280$\485945278\u\00000001.@" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb62280$\485945278\u\00000001.@ --> [Backdoor.0Access]
File "c:\windows\$ntuninstallkb62280$\485945278\u\00000002.@" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb62280$\485945278\u\00000002.@ --> [Backdoor.0Access]
File "c:\windows\$ntuninstallkb62280$\485945278\u\00000004.@" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb62280$\485945278\u\00000004.@ --> [Backdoor.0Access]
File "c:\windows\$ntuninstallkb62280$\485945278\u\80000000.@" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb62280$\485945278\u\80000000.@ --> [Backdoor.0Access]
File "c:\windows\$ntuninstallkb62280$\485945278\u\80000004.@" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb62280$\485945278\u\80000004.@ --> [Backdoor.0Access]
File "c:\windows\$ntuninstallkb62280$\485945278\u\80000032.@" is compressed (flags = 1)
Infected: c:\windows\$ntuninstallkb62280$\485945278\u\80000032.@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\2249208800 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278 --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\@ --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\bckfg.tmp --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\cfg.ini --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\desktop.ini --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\keywords --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\kwrd.dll --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\lsflt7.ver --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\l --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\u --> [Backdoor.0Access]
Infected: HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DisableConfig --> [Windows.Tool.Disabled]
Scan finished
Creating System Restore point...
Cleaning up...
Executing an action fixdamage.exe...
Success!
Queuing an action fixdamage.exe
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
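The "This program is blocked by group policy" message, the check Alex&Vanko asked for in post #2 (Software Restriction Policies / AppLocker), and the RKill findings above (hijacked exefile IsolatedCommand values, System Restore disabled by policy, a reparse point under C:\Windows\$NtUninstallKB62280$) can all be read back from one elevated PowerShell prompt. The script below is an added, read-only triage example written for this thread; it is not part of any post, nor of RKill or MBAR. It assumes PowerShell 2.0 or later running as administrator. The registry locations for SRP (Safer), AppLocker (SrpV2), Explorer DisallowRun and the SystemRestore policy are standard Windows paths; scanning $NtUninstall* folders for junctions is an assumption based only on the RKill ZeroAccess line above. It changes nothing: it reports, so the MRL helpers still see the original state.

```powershell
# Added triage example (not from the original posts or tools). Read-only.
# Assumes PowerShell 2.0+ in an elevated prompt on the affected machine.

function Get-PolicyBlockIndicators {
    $findings = @()

    # 1. Software Restriction Policies / AppLocker rules: the usual sources of
    #    "This program is blocked by group policy". Any rule present is listed.
    $policyKeys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    )
    foreach ($key in $policyKeys) {
        if (Test-Path $key) {
            $findings += "Policy key present: $key"
            Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object { $findings += "  rule: $($_.PSPath -replace '^.*::', '')" }
        }
    }

    # 2. Explorer DisallowRun: a per-user list of executable names that will not
    #    launch (malware commonly adds security tools such as mbam.exe here).
    $disallow = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
    if (Test-Path $disallow) {
        (Get-ItemProperty -Path $disallow).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { $findings += "DisallowRun: $($_.Value)" }
    }

    # 3. System Restore disabled by policy (the DisableSR / DisableConfig
    #    values RKill reported above).
    $sr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    if (Test-Path $sr) {
        $p = Get-ItemProperty -Path $sr
        foreach ($name in 'DisableSR', 'DisableConfig') {
            if ($p.$name -eq 1) { $findings += "System Restore policy: $name = 1" }
        }
    }

    # 4. exefile IsolatedCommand hijack: anything other than "%1" %* means every
    #    .exe launch (including Run as administrator) is routed through malware.
    foreach ($verb in 'open', 'runas') {
        $cmdKey = "HKLM:\SOFTWARE\Classes\exefile\shell\$verb\command"
        if (Test-Path $cmdKey) {
            $v = (Get-ItemProperty -Path $cmdKey).IsolatedCommand
            if ($v -and $v -ne '"%1" %*') { $findings += "exefile\$verb IsolatedCommand: $v" }
        }
    }

    # 5. Reparse points (junctions) in $NtUninstall* folders under %windir%,
    #    the hiding place RKill flagged as a ZeroAccess indicator. Assumption:
    #    only these folders are checked; -Force is needed because they are hidden.
    Get-ChildItem -Path $env:windir -Filter '$NtUninstall*' -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object { $findings += "Reparse point: $($_.FullName)" }

    if ($findings.Count -eq 0) { $findings += 'No policy-block indicators found.' }
    return $findings
}

Get-PolicyBlockIndicators
```

Run it from an elevated prompt and paste the output alongside the logs. An empty result for section 1 and 2 together with a hit in section 4 matches what this thread shows: the block was not a real SRP or AppLocker rule (post #3: "No software restriction policies defined") but an exefile hijack that RKill later reset.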
 
 


#7 Condobloke


Posted 30 November 2014 - 05:04 PM

G'day Derren, sorry you 'slipped through the cracks'.....

 

I have taken a look at your RKill log and it shows 

 

 * ALERT: ZEROACCESS Reparse Point/Junction found!
This result is shown again and again in the FSS log...
 
Infected: c:\windows\$ntuninstallkb62280$\485945278\bckfg.tmp --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\cfg.ini --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\desktop.ini --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\keywords --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\kwrd.dll --> [Backdoor.0Access]
Infected: c:\windows\$ntuninstallkb62280$\485945278\lsflt7.ver --> [Backdoor.0Access]
 
This will necessitate moving your topic to the MRL area...
 
Please open a new topic HERE starting at step #6
 
Please do all the steps that you can....however if you are unable to do any of them, do not worry , simply move onto the next step.
 
I usually have a prepared speech for this eventuality, however it has gone to the 'ethers' ......so we will just have to make do.
 
If you have any problems posting the new topic....just post back in this topic and I will reply as quickly as I am able to.....or you can send me a PM.
 
Good Luck
 
 
Brian
 
 
 
 
 
 

Condobloke ...Outback Australian  fed up with Windows antics...??....LINUX IS THE ANSWER....I USE LINUX MINT 18.3  EXCLUSIVELY.

“A man travels the world in search of what he needs and returns home to find it."

It has been said that time heals all wounds. I don't agree. The wounds remain. Time - the mind, protecting its sanity - covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy


 

 


#8 Derren


Posted 30 November 2014 - 05:47 PM

I have started the new thread. Thank you for your help!

 

-Derren



#9 Condobloke


Posted 30 November 2014 - 06:01 PM

New Topic can be found HERE

 

 

That is cool.

 

Now....be patient....the Experts there are Extremely busy.

 

 

In the meantime, do not add any replies to your new topic. This will increase your waiting time.

 

What to expect now that you have created your topic.

Now that your topic is posted, you should be patient and wait for someone to look at your log in order to advise as to what you should do. Everyone who works on this site is a volunteer, and there are a lot more people requesting help than there are helpers able to provide it. The current avg response time is about 5 days, but hopefully sooner, before someone can get back to you regarding your problem. While you are waiting we request that you do not do the following as it may affect the help you receive:

  • Do not attempt to fix any of the entries that you find within these logs as it may cause damage to your computer's configuration. Any helper who answers topics in this forum is trained on how to interpret these logs. As there is a lot of wrong information on the Web, those who are not trained may remove entries that appear suspicious according to information you find, but are in fact legitimate programs.
     
  • Do not post at another site asking for the same help for the same computer unless you previously have asked us to close your topic. If we find that you have posted for help at another site regarding the same problem, we will be forced to close your topic here. This is because two different sites can give conflicting advice, which makes it harder for our helpers to provide quality help.
     
  • Last, but not least, be patient. I know it is very stressful to have a computer with a potential malware infection, but unfortunately it will take some time to get to your topic. We will, though, get to you and attempt to resolve your issues to the utmost of our ability.

 

Above all...Good Luck !!

 

Brian



 

 




