
Win XP: avgui.exe prevented by a software restriction policy


7 replies to this topic

#1 jenbGFC (Members, 4 posts)

Posted 10 December 2014 - 02:21 PM

Thank you for helping with this.

I was also getting the same error for Malwarebytes. I booted into safe mode and was able to update Malwarebytes and run it.

Malwarebytes now runs fine in the regular version of Windows.

I have run a bunch of random tools, from an online Kaspersky scan to ComboFix (and may have made things worse, as my internet connection on this PC seems flakier now).

I have uninstalled and reinstalled AVG to no avail. This is a paid 2012 version that has a valid license until 2017.

Please advise how to proceed?

Thank you!




#2 nasdaq (Malware Response Team, 38,256 posts, Montreal, QC, Canada)

Posted 15 December 2014 - 09:55 AM

Hello, welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double-click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button, all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double-click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file, select "More Reply Options" and follow the instructions.

How is the computer running?
Wait for further instructions.
===

#3 jenbGFC (Topic Starter)

Posted 15 December 2014 - 12:45 PM

Thank you, nasdaq.

AdwCleaner log:

# AdwCleaner v4.105 - Report created 15/12/2014 at 12:23:49
# Updated 08/12/2014 by Xplode
# Database : 2014-12-08.2 [Local]
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : frontdesk2 - FRONTDESK2
# Running from : C:\Documents and Settings\frontdesk2\Desktop\adwcleaner_4.105.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Google Chrome v39.0.2171.95

*************************

AdwCleaner[R0].txt - [777 octets] - [15/12/2014 12:20:36]
AdwCleaner[S0].txt - [699 octets] - [15/12/2014 12:23:49]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [758 octets] ##########

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 14-12-2014 01
Ran by frontdesk2 (administrator) on FRONTDESK2 on 15-12-2014 12:33:00
Running from C:\Documents and Settings\frontdesk2\Desktop
Loaded Profile: frontdesk2 (Available profiles: USER & gfcfront1 & Administrator & gfcfront1 & frontdesk2 & Administrator)
Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgcsrvx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgfws.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jqs.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgemcx.exe
(VIA Technologies, Inc.) C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
(ASUSTeK Computer Inc.) C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe
(Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\jusched.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(SPIS Ltd, New Zealand) C:\Program Files\TurboNote\tbnote.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgcsrvx.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [HDAudDeck] => C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe [33685504 2009-10-27] (VIA Technologies, Inc.)
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2009-07-29] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [Six Engine] => C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe [5822464 2009-10-15] (ASUSTeK Computer Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Java\jre6\bin\jusched.exe [148888 2010-07-07] (Sun Microsystems, Inc.)
HKLM\...\Run: [Synchronization Manager] => C:\WINDOWS\system32\mobsync.exe [143360 2008-04-13] (Microsoft Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [37296 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [Malwarebytes Anti-Malware (reboot)] => C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [1090952 2010-04-29] (Malwarebytes Corporation)
HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\ <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program\AVG\AVG2012 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKU\S-1-5-21-1800967455-1536777382-3252555664-1154\...\Run: [Deployment] => rundll32 "C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Adobe\Deployment\jiaajhnn.dll",DllRegisterServer
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TurboNote.lnk
ShortcutTarget: TurboNote.lnk -> C:\Program Files\TurboNote\tbnote.exe (SPIS Ltd, New Zealand)
Startup: C:\Documents and Settings\frontdesk2\Start Menu\Programs\Startup\time.lnk
ShortcutTarget: time.lnk -> C:\Documents and Settings\frontdesk2\Desktop\time.bat ()
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1800967455-1536777382-3252555664-1154\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1800967455-1536777382-3252555664-1154\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1800967455-1536777382-3252555664-1154\Software\Microsoft\Internet Explorer\Main,Start Page = http://gardinerfamilychiropractic.com/
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO: JQSIEStartDetectorImpl Class -> {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277929109264
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Tcpip\..\Interfaces\{E2499BF8-8114-45BA-8D13-80E21319D3F2}: [NameServer] 192.168.1.5,64.222.212.243

FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-06-30]
FF HKLM\...\Firefox\Extensions: [jqs@sun.com] - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
FF Extension: Java Quick Starter - C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2010-07-07]

Chrome:
=======
CHR Profile: C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-23]
CHR Extension: (Google Docs) - C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-23]
CHR Extension: (Google Drive) - C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-23]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-05]
CHR Extension: (YouTube) - C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-23]
CHR Extension: (Google Search) - C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-23]
CHR Extension: (Google Sheets) - C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-23]
CHR Extension: (Google Wallet) - C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-23]
CHR Extension: (Gmail) - C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-23]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgfws; C:\Program Files\AVG\AVG2012\avgfws.exe [2322000 2014-11-04] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files\AVG\AVG2012\avgidsagent.exe [5175856 2013-10-16] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
R2 JavaQuickStarterService; C:\Program Files\Java\jre6\bin\jqs.exe [152984 2010-07-07] (Sun Microsystems, Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 AmdPPM; C:\WINDOWS\System32\DRIVERS\AmdPPM.sys [33792 2007-04-16] (Advanced Micro Devices)
R1 AsIO; C:\WINDOWS\System32\drivers\AsIO.sys [12400 2007-12-17] ()
R3 Avgfwdx; C:\WINDOWS\System32\DRIVERS\avgfwdx.sys [30944 2012-01-12] (AVG Technologies CZ, s.r.o.)
S3 Avgfwfd; C:\WINDOWS\System32\DRIVERS\avgfwdx.sys [30944 2012-01-12] (AVG Technologies CZ, s.r.o.)
R3 AVGIDSDriver; C:\WINDOWS\System32\DRIVERS\avgidsdriverx.sys [142176 2012-12-10] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSFilter; C:\WINDOWS\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSHX; C:\WINDOWS\System32\DRIVERS\avgidshx.sys [24896 2012-04-19] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSShim; C:\WINDOWS\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )
R1 Avgldx86; C:\WINDOWS\System32\DRIVERS\avgldx86.sys [250080 2012-11-08] (AVG Technologies CZ, s.r.o.)
R1 Avgmfx86; C:\WINDOWS\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\WINDOWS\System32\DRIVERS\avgrkx86.sys [31952 2012-01-31] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\WINDOWS\System32\DRIVERS\avgtdix.sys [302368 2014-11-04] (AVG Technologies CZ, s.r.o.)
R3 L1c; C:\WINDOWS\System32\DRIVERS\l1c51x86.sys [44032 2009-07-28] (Atheros Communications, Inc.)
R3 MTsensor; C:\WINDOWS\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()
R3 VIAHdAudAddService; C:\WINDOWS\System32\drivers\viahduaa.sys [1425280 2009-10-20] (VIA Technologies, Inc.)
S3 catchme; \??\C:\DOCUME~1\FRONTD~1\LOCALS~1\Temp\catchme.sys [X]
S4 IntelIde; No ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-15 12:29 - 2014-12-15 12:33 - 00000000 ____D () C:\FRST
2014-12-15 12:29 - 2014-12-15 12:29 - 01111040 _____ (Farbar) C:\Documents and Settings\frontdesk2\Desktop\FRST.exe
2014-12-15 12:20 - 2014-12-15 12:23 - 00000000 ____D () C:\AdwCleaner
2014-12-15 12:18 - 2014-12-15 12:18 - 02166272 _____ () C:\Documents and Settings\frontdesk2\Desktop\adwcleaner_4.105.exe
2014-12-10 13:05 - 2014-12-10 13:05 - 00000702 _____ () C:\Documents and Settings\All Users\Desktop\AVG 2012.lnk
2014-12-10 13:05 - 2014-12-10 13:05 - 00000000 ____D () C:\Documents and Settings\frontdesk2\Application Data\AVG2012
2014-12-10 13:05 - 2014-12-10 13:05 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\AVG
2014-12-10 13:04 - 2014-12-10 13:04 - 00000000 ___HD () C:\$AVG
2014-12-10 12:55 - 2012-05-22 08:28 - 154210488 _____ (AVG Technologies) C:\Documents and Settings\frontdesk2\Desktop\avg_ipw_x86_all_2012_2176a4990.exe
2014-12-10 12:51 - 2014-12-15 12:33 - 00000000 ____D () C:\Documents and Settings\frontdesk2\Local Settings\temp
2014-12-10 12:51 - 2014-12-10 12:51 - 00008097 _____ () C:\Documents and Settings\frontdesk2\Desktop\ComboFix.txt
2014-12-10 12:51 - 2014-12-10 12:51 - 00000000 ____D () C:\Documents and Settings\USER\Local Settings\temp
2014-12-10 12:51 - 2014-12-10 12:51 - 00000000 ____D () C:\Documents and Settings\NetworkService\Local Settings\temp
2014-12-10 12:51 - 2014-12-10 12:51 - 00000000 ____D () C:\Documents and Settings\LocalService\Local Settings\temp
2014-12-10 12:51 - 2014-12-10 12:51 - 00000000 ____D () C:\Documents and Settings\gfcfront1\Local Settings\temp
2014-12-10 12:51 - 2014-12-10 12:51 - 00000000 ____D () C:\Documents and Settings\Default User\Local Settings\temp
2014-12-10 12:51 - 2014-12-10 12:51 - 00000000 ____D () C:\Documents and Settings\Administrator\Local Settings\temp
2014-12-10 12:51 - 2014-12-10 12:51 - 00000000 ____D () C:\Documents and Settings\Administrator.GFC\Local Settings\temp
2014-12-10 12:27 - 2011-06-26 01:45 - 00256000 _____ () C:\WINDOWS\PEV.exe
2014-12-10 12:27 - 2010-11-07 12:20 - 00208896 _____ () C:\WINDOWS\MBR.exe
2014-12-10 12:27 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\WINDOWS\NIRCMD.exe
2014-12-10 12:27 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\WINDOWS\SWREG.exe
2014-12-10 12:27 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\WINDOWS\SWSC.exe
2014-12-10 12:27 - 2000-08-30 19:00 - 00212480 _____ (SteelWerX) C:\WINDOWS\SWXCACLS.exe
2014-12-10 12:27 - 2000-08-30 19:00 - 00098816 _____ () C:\WINDOWS\sed.exe
2014-12-10 12:27 - 2000-08-30 19:00 - 00080412 _____ () C:\WINDOWS\grep.exe
2014-12-10 12:27 - 2000-08-30 19:00 - 00068096 _____ () C:\WINDOWS\zip.exe
2014-12-10 12:26 - 2014-12-10 12:51 - 00000000 ____D () C:\Qoobox
2014-12-10 12:26 - 2014-12-10 12:33 - 00000000 ____D () C:\WINDOWS\erdnt
2014-12-10 12:23 - 2014-12-15 12:33 - 00013174 _____ () C:\Documents and Settings\frontdesk2\Desktop\FRST.txt
2014-12-10 12:12 - 2014-12-15 12:29 - 00000000 ____D () C:\Documents and Settings\frontdesk2\Desktop\malware and virus tools
2014-12-09 20:36 - 2014-12-09 20:36 - 00000000 ____D () C:\Documents and Settings\frontdesk2\Application Data\Microsoft Corporation
2014-12-09 20:16 - 2014-12-10 13:05 - 00022629 _____ () C:\WINDOWS\setupapi.log
2014-12-09 19:24 - 2014-12-09 19:24 - 00000777 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2014-12-09 19:24 - 2014-12-09 19:24 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-12-09 19:24 - 2014-12-09 19:24 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-09 19:24 - 2014-11-21 06:14 - 00054360 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2014-12-09 18:25 - 2014-12-09 19:22 - 00002862 _____ () C:\Documents and Settings\frontdesk2\Desktop\avgrep.txt

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-15 12:28 - 2010-06-29 22:41 - 00572418 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2014-12-15 12:25 - 2010-06-30 02:56 - 01243153 _____ () C:\WINDOWS\WindowsUpdate.log
2014-12-15 12:25 - 2006-02-28 07:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2014-12-15 12:24 - 2014-10-23 08:03 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2014-12-15 12:24 - 2014-03-17 06:19 - 00000232 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Logon.job
2014-12-15 12:24 - 2011-07-29 09:15 - 00000159 _____ () C:\WINDOWS\wiadebug.log
2014-12-15 12:24 - 2011-07-29 09:15 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2014-12-15 12:24 - 2011-03-15 17:52 - 00000178 ___SH () C:\Documents and Settings\frontdesk2\ntuser.ini
2014-12-15 12:24 - 2010-07-07 09:07 - 00000112 _____ () C:\WINDOWS\system32\config\netlogon.ftl
2014-12-15 12:24 - 2010-06-30 03:15 - 00524288 _____ () C:\WINDOWS\system32\config\ACEEvent.evt
2014-12-15 12:24 - 2010-06-30 03:03 - 00032570 _____ () C:\WINDOWS\SchedLgU.Txt
2014-12-15 12:24 - 2010-06-30 03:03 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2014-12-15 12:24 - 2010-06-29 22:34 - 00000000 ____D () C:\WINDOWS\security
2014-12-15 12:13 - 2014-10-23 08:03 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2014-12-15 07:11 - 2011-02-12 11:56 - 00000000 ____D () C:\WINDOWS\system32\Drivers\AVG
2014-12-13 11:53 - 2013-07-22 06:12 - 00000000 ____D () C:\WINDOWS\system32\MRT
2014-12-13 11:50 - 2010-07-01 08:09 - 109818608 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2014-12-12 12:26 - 2011-09-22 12:30 - 00000000 ____D () C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Deployment
2014-12-10 13:19 - 2011-12-15 14:04 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\AVG2012
2014-12-10 13:02 - 2011-02-12 11:49 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\MFAData
2014-12-10 13:00 - 2010-07-01 09:14 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamswissarmy.sys
2014-12-10 12:59 - 2010-07-01 09:25 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy
2014-12-10 12:50 - 2006-02-28 07:00 - 00000227 _____ () C:\WINDOWS\system.ini
2014-12-10 12:45 - 2010-07-01 09:25 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2014-12-10 12:38 - 2010-06-30 02:55 - 00000000 ____D () C:\WINDOWS\system32\Restore
2014-12-10 12:34 - 2010-06-29 22:34 - 00000000 ____D () C:\WINDOWS\repair
2014-12-10 12:33 - 2010-07-07 09:19 - 00000000 ____D () C:\Documents and Settings\gfcfront1.FRONT1WS\Local Settings\Temp
2014-12-10 11:42 - 2011-03-09 14:30 - 00000000 ____D () C:\Program Files\TurboNote
2014-12-10 08:11 - 2011-03-15 17:51 - 00000000 ____D () C:\Documents and Settings\frontdesk2
2014-12-09 20:36 - 2010-07-09 06:44 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Future Health Inc
2014-12-09 20:17 - 2013-10-19 10:41 - 01041136 _____ () C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2014-12-09 20:08 - 2012-04-04 15:53 - 00000000 ____D () C:\WINDOWS\Minidump
2014-12-09 19:24 - 2010-07-01 09:14 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\Malwarebytes
2014-12-09 17:36 - 2013-02-16 12:09 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2802968$
2014-12-09 14:54 - 2011-03-15 19:39 - 00002473 _____ () C:\Documents and Settings\frontdesk2\Desktop\Microsoft Word.lnk
2014-12-08 15:00 - 2014-03-17 06:19 - 00000226 _____ () C:\WINDOWS\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
2014-12-02 07:40 - 2014-03-29 07:21 - 00000000 ____D () C:\Documents and Settings\All Users\FH_VOS
2014-11-21 17:40 - 2012-01-09 16:18 - 00000664 _____ () C:\WINDOWS\system32\d3d9caps.dat
2014-11-21 06:14 - 2010-07-01 09:14 - 00023256 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys

Some content of TEMP:
====================
C:\Documents and Settings\frontdesk2\Local Settings\temp\Quarantine.exe
C:\Documents and Settings\frontdesk2\Local Settings\temp\sqlite3.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

 

No change to "avgui.exe prevented by a software restriction policy".




#4 nasdaq (Malware Response Team)

Posted 15 December 2014 - 01:58 PM

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG\ <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program\AVG\AVG2012 <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKU\S-1-5-21-1800967455-1536777382-3252555664-1154\...\Run: [Deployment] => rundll32 "C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Adobe\Deployment\jiaajhnn.dll",DllRegisterServer
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1800967455-1536777382-3252555664-1154\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
CHR Extension: (Google Wallet) - C:\Documents and Settings\frontdesk2\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-23]
S3 catchme; \??\C:\DOCUME~1\FRONTD~1\LOCALS~1\Temp\catchme.sys [X]
S4 IntelIde; No ImagePath

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once, then wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======
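The "HKLM Group Policy restriction on software" lines FRST flagged, and that the fixlist above removes, are Software Restriction Policy (SRP) path rules stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers. As an added example (not part of this thread, FRST or AdwCleaner), the Python script below parses a `reg export` of that key and lists the Disallowed rules aimed at security-tool folders; the sample export, the GUIDs in it and the SECURITY_TOOL_MARKERS list are constructed for the example.

```python
r"""Enumerate Software Restriction Policy (SRP) path rules from a `reg export` dump and
flag Disallowed rules aimed at security-software folders (what FRST prints as
'HKLM Group Policy restriction on software'). SRP rules live under
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID};
level 0 = Disallowed, 262144 = Unrestricted; ItemData holds the path as REG_SZ or as
REG_EXPAND_SZ, which reg.exe exports as hex(2) UTF-16LE bytes wrapped across lines.
"""
import re
from typing import Dict, List, Tuple

DISALLOWED = "0"
# Hypothetical marker list for this example: substrings naming security-tool folders.
SECURITY_TOOL_MARKERS = ("avg", "malwarebytes", "mbam", "adwcleaner", "frst", "combofix")

# Constructed sample export, modelled on the paths FRST flagged in this thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{11111111-1111-1111-1111-111111111111}]
"ItemData"="C:\\Program Files\\AVG"
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{22222222-2222-2222-2222-222222222222}]
"ItemData"="C:\\Program Files\\Malwarebytes' Anti-Malware"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{44444444-4444-4444-4444-444444444444}]
"ItemData"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
  5c,00,41,00,56,00,47,00,5c,00,41,00,56,00,47,00,32,00,30,00,31,00,32,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{33333333-3333-3333-3333-333333333333}]
"ItemData"="C:\\Program Files\\Common Files"
"""

_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')
_SRP_PATH_RE = re.compile(r"\\Safer\\CodeIdentifiers\\(\d+)\\Paths\\(\{[0-9A-Fa-f-]+\})$", re.I)


def _join_continuations(text: str) -> List[str]:
    """Hex values in .reg exports wrap onto new lines with a trailing backslash; rejoin them."""
    out, pending = [], ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\") and '"=hex' in line:
            pending = line[:-1]  # value continues on the next line
            continue
        out.append(line)
    return out


def _decode_value(raw: str) -> str:
    """Decode REG_SZ (quoted, backslash-escaped), dword and hex(n) encodings."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data.hex()
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in _join_continuations(text):
        km = _KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
            continue
        vm = _VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group(1)] = _decode_value(vm.group(2))
    return keys


def srp_path_rules(text: str) -> List[Tuple[str, str, str]]:
    """(level, guid, path) for every SRP path rule in the export."""
    rules = []
    for key, values in parse_reg_export(text).items():
        m = _SRP_PATH_RE.search(key)
        if m and "ItemData" in values:
            rules.append((m.group(1), m.group(2), values["ItemData"]))
    return rules


def find_blocked_security_tools(text: str) -> List[Tuple[str, str]]:
    """Disallowed path rules whose target looks like a security-product folder."""
    return [(guid, path) for level, guid, path in srp_path_rules(text)
            if level == DISALLOWED and any(k in path.lower() for k in SECURITY_TOOL_MARKERS)]


if __name__ == "__main__":
    # Live use: reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" srp.reg
    # then open(..., encoding="utf-16").read(), since reg.exe writes UTF-16 with a BOM.
    for guid, path in find_blocked_security_tools(SAMPLE_REG):
        print(f"Disallowed rule {guid} blocks {path}")
```

Unrestricted rules (level 262144) are reported by srp_path_rules but never flagged, since they allow rather than block; the fix in this thread consisted of deleting the Disallowed rules, which is what this script would enumerate before and verify gone afterwards.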

#5 jenbGFC (Topic Starter)

Posted 16 December 2014 - 08:16 AM

checkup.txt:

 Results of screen317's Security Check version 0.99.93 
 Windows XP Service Pack 3 x86  
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Disabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
 AVG2012 successfully updated!
`````````Anti-malware/Other Utilities Check:`````````
 CCleaner    
 Java™ 6 Update 13 
 Java version 32-bit out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
 Google Chrome (39.0.2171.71)
 Google Chrome (39.0.2171.95)
````````Process Check: objlist.exe by Laurent```````` 
 AVG avgwdsvc.exe
 AVG avgtray.exe
 AVG avgrsx.exe
 AVG avgnsx.exe
 AVG avgemc.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 13% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

Everything is running correctly now. You are the best!



#6 nasdaq (Malware Response Team)

Posted 16 December 2014 - 10:07 AM

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
The latest version is Java 7 Update 71 for the 32-bit operating system,
or Java 8 Update 25 for the 64-bit operating system.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page:
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java™ 6 Update 13

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed, remove your old version of the Reader using the Add/Remove Programs applet, if present.
<<<>>>

Critical vulnerabilities have been identified in old versions of Adobe Flash Player; please get the latest version.

Flash test site:
http://www.adobe.com/software/flash/about/
Install the new version, or if you already have the latest, close the window.

Flash Player Help / Find version
http://helpx.adobe.com/flash-player/kb/find-version-flash-player.html#main_Find_the_Flash_Player_version_installed_on_your_machine
===

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#7 jenbGFC (Topic Starter)

Posted 17 December 2014 - 12:42 PM

All is great, thank you again!



#8 nasdaq (Malware Response Team)

Posted 17 December 2014 - 01:37 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



