WiredWX Hobby Weather ToolsLog in

 


descriptionTrouble deleting PersonalAV EmptyTrouble deleting PersonalAV

more_horiz
I have been trying to do everything to get this off of my computer. I downloaded malwarebytes on to a flash drive from another computer and then installed it in safe mode with networking, and the program wouldn't run. I tried to manually remove it with directions from spywarevoid.com, but the virus won't allow me to save the changes. I tried a system restore for the day before I got the virus, and the restore won't work. And no matter what website I go to to download a spyware remover, the spyware blocks me from actually downloading. The spyware wont let my internet connection work on safe mode with networking, it only works on regular startup, where I cant download anything to fix it. I need help; I've tried everything I know and nothing seems to work. I spent my hard earned money on my laptop and will do anything to save it. Please help!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:39 AM, on 8/8/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\NetFilter.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\MARYIO~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Users\MARYIOTTIGL\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6R9CWV8G\winlogon[2].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - ~EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - ~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Users\MARYIOTTIGL\AppData\LocalLow\CyberDefender\cdmyidd.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Users\MARYIOTTIGL\AppData\LocalLow\CyberDefender\cdmyidd.dll
O2 - BHO: &Helper - {A77D3539-581D-450C-9E44-A84C415A6172} - C:\Windows\System32\msxmlm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Users\MARYIOTTIGL\AppData\LocalLow\CyberDefender\cdmyidd.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ALaunch] C:\Acer\ALaunch\AlaunchClient.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSDRV] NetFilter.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Empowering Technology Launcher.lnk = C:\Acer\Empowering Technology\eAPLauncher.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://pogo.oberon-media.com/online2/pogo/wedding_dash/WeddingDash.1.0.0.47.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7296032E-989A-4E3B-9C40-AB77BC2D8645}: NameServer = 85.255.112.118,85.255.112.143
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7C092D2-2CF1-40E8-92C4-B9A0513BC422}: NameServer = 85.255.112.118,85.255.112.143
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.118,85.255.112.143
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.118,85.255.112.143
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.118,85.255.112.143
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: dlbu_device - - C:\Windows\system32\dlbucoms.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz
Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz
Even though my internet connection is fine, when I try to open the page to MalwareBytes it says internet explorer cannot display the webpage. This is what I've been having so much trouble with because I just cannot access this page no matter what.

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz
wait nevermind! some kind of magic way i got it to run by changing the name of the file. although i think it fixed most of the problems, i still think i have other adware in the system because if i search something on yahoo or google it takes you to some other crazy thing. when i tried running yahoo antispy it had some stuff on it called alureon zp, and trymedia, and alureon abg. any help for these?

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 6.0.6001 Service Pack 1

8/8/2009 5:53:15 PM
mbam-log-2009-08-08 (17-53-15).txt

Scan type: Quick Scan
Objects scanned: 86375
Time elapsed: 4 minute(s), 33 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 12
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
C:\Windows\System32\NetFilter.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a77d3539-581d-450c-9e44-a84c415a6172} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\antispywarexp2009 (Rogue.AntiSpywareXP) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Environment\avapp (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Environment\avuninst (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msdrv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7296032e-989a-4e3b-9c40-ab77bc2d8645}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c7c092d2-2cf1-40e8-92c4-b9a0513bc422}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7296032e-989a-4e3b-9c40-ab77bc2d8645}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c7c092d2-2cf1-40e8-92c4-b9a0513bc422}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7296032e-989a-4e3b-9c40-ab77bc2d8645}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{c7c092d2-2cf1-40e8-92c4-b9a0513bc422}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.118,85.255.112.143 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Common Files\Uninstall\PersonalAV (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common Files\Uninstall\PersonalAV\Uninstall.lnk (Rogue.PersonalAntiVirus) -> Quarantined and deleted successfully.
C:\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-9-4-94-100000603-100006964-100024249-2077.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\NetFilter.exe (Trojan.Agent) -> Quarantined and deleted successfully.

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz

  • Download combofix from here
    Link 1
    Link 2
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

Trouble deleting PersonalAV CF_download_FF

Trouble deleting PersonalAV CF_download_rename

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz
ComboFix 09-08-08.02 - MARYIOTTIGL 08/08/2009 23:42.1.2 - NTFSx86
Microsoft®️ Windows Vista™️ Home Premium 6.0.6001.1.1252.1.1033.18.1790.749 [GMT -4:00]
Running from: c:\users\MARYIOTTIGL\New Folder\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3904042694-4056775795-324234733-500
c:\windows\system32\drivers\gaopdxotbjccbwmxqwjcehviioeonuxuixrnci.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxnqptridetexfdxpxbpxgftqtmpejrxum.dll
c:\windows\system32\msxmlm.dll.tmp
D:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys
-------\Legacy_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))
.

2009-08-09 03:51 . 2009-08-09 03:56 -------- d-----w- c:\users\MARYIOTTIGL\AppData\Local\temp
2009-08-08 21:41 . 2009-08-08 21:41 -------- d-----w- c:\users\MARYIOTTIGL\AppData\Roaming\Malwarebytes
2009-08-08 15:15 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-08 15:15 . 2009-08-08 15:15 -------- d-----w- c:\programdata\Malwarebytes
2009-08-08 15:15 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 14:53 . 2009-02-12 09:35 38208 ----a-w- c:\users\MARYIOTTIGL\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-08-08 14:52 . 2009-08-08 14:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-08 14:52 . 2009-08-08 14:52 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2009-08-08 14:52 . 2009-08-08 15:18 -------- d-----w- c:\programdata\NOS
2009-08-08 14:52 . 2009-08-08 15:18 -------- d-----w- c:\program files\NOS
2009-08-08 05:13 . 2009-08-08 05:15 124216720 ----a-w- c:\users\MARYIOTTIGL\jdk-6u14-javafx-1_2-windows-i586.exe
2009-08-08 05:12 . 2009-08-08 05:19 -------- d-----w- c:\users\MARYIOTTIGL\.SunDownloadManager
2009-08-08 03:29 . 2007-10-23 13:27 110592 ----a-w- c:\users\MARYIOTTIGL\AppData\Roaming\U3\temp\cleanup.exe
2009-08-08 00:33 . 2009-08-08 00:33 -------- d-----w- C:\HiTRUSTDrive
2009-08-08 00:26 . 2008-05-02 14:41 3493888 ---ha-w- c:\users\MARYIOTTIGL\AppData\Roaming\U3\temp\Launchpad Removal.exe
2009-08-07 22:50 . 2009-08-08 21:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 04:40 . 2009-08-06 04:40 -------- d-----w- c:\program files\Common Files\Scanner
2009-08-06 04:40 . 2009-08-08 03:39 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-08-06 04:12 . 2009-06-22 14:58 22016 ----a-w- c:\windows\system32\drivers\Ndisrd.sys
2009-08-06 04:12 . 2009-06-22 14:58 13312 ----a-w- c:\windows\system32\drivers\snetcfg.exe
2009-08-06 04:12 . 2009-05-14 09:58 61440 ----a-w- c:\windows\system32\ndisapi.dll
2009-08-06 04:11 . 2009-08-08 21:53 -------- d-----w- c:\program files\Common Files\Uninstall
2009-07-23 00:36 . 2009-07-23 00:37 -------- d-----w- c:\program files\Coupons
2009-07-18 02:15 . 2009-07-18 02:15 -------- d-----w- c:\program files\iPod
2009-07-18 02:15 . 2009-07-18 02:15 -------- d-----w- c:\program files\iTunes
2009-07-18 02:11 . 2009-07-18 02:11 75040 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-08 15:14 . 2009-03-17 01:29 1356 ----a-w- c:\users\MARYIOTTIGL\AppData\Local\d3d9caps.dat
2009-08-08 15:13 . 2008-05-18 16:23 -------- d-----w- c:\users\MARYIOTTIGL\AppData\Roaming\U3
2009-08-08 14:57 . 2008-04-11 02:59 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-02 17:09 . 2008-02-27 01:34 27905 ----a-w- c:\users\MARYIOTTIGL\AppData\Roaming\nvModes.dat
2009-07-18 02:18 . 2009-03-12 01:19 -------- d-----w- c:\program files\Safari
2009-07-18 02:15 . 2009-02-10 01:12 -------- d-----w- c:\program files\Common Files\Apple
2009-06-26 02:14 . 2009-06-26 02:14 488960 ----a-w- c:\users\MARYIOTTIGL\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv302-0811070-0-main.dll
2009-06-26 02:14 . 2009-06-26 02:14 319488 ----a-w- c:\users\MARYIOTTIGL\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-06-18 20:30 . 2009-06-18 20:30 -------- d-----w- c:\program files\iTunes(5)
2009-06-18 20:30 . 2009-06-18 20:30 -------- d-----w- c:\program files\iPod(4)
2009-06-15 02:53 . 2008-09-19 23:46 1915520 ----a-w- c:\users\MARYIOTTIGL\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-06-12 14:18 . 2007-08-07 10:47 -------- d-----w- c:\program files\Acer GameZone
2009-06-12 14:10 . 2008-07-08 02:08 -------- d-----w- c:\program files\Java
2009-06-12 13:47 . 2009-04-10 22:30 -------- d-----w- c:\program files\AIM6
2009-06-12 13:46 . 2008-05-19 00:43 -------- d-----w- c:\programdata\Viewpoint
2009-05-19 01:38 . 2008-02-26 01:06 109000 ----a-w- c:\users\MARYIOTTIGL\AppData\Local\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\users\MARYIOTTIGL\AppData\LocalLow\CyberDefender\cdmyidd.dll" [2008-10-30 3827016]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-09 02:08 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
2008-10-30 00:12 3827016 ----a-w- c:\users\MARYIOTTIGL\AppData\LocalLow\CyberDefender\cdmyidd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\users\MARYIOTTIGL\AppData\LocalLow\CyberDefender\cdmyidd.dll" [2008-10-30 3827016]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "c:\users\MARYIOTTIGL\AppData\LocalLow\CyberDefender\cdmyidd.dll" [2008-10-30 3827016]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-07 857648]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-11 1286144]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 107112]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-11-21 22696]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-25 45056]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-08-16 707080]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-24 206952]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-05-10 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-10 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-10 81920]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-05-17 4468736]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-05-17 1826816]

c:\users\MARYIOTTIGL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-8-7 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FB498B97-BD1A-4DA6-9653-5499B54E5B02}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B924930E-EF04-41B7-82D8-998D82D5FB3E}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6E3B8E31-3EB1-42AE-AD73-CB3CEF4D2C89}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{690F9576-D658-4DF0-8EEA-7C13D04A71D0}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{0D64D28C-20E1-427A-8A24-07B5321644EA}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{1500FA78-5012-4AA2-8186-3E4E713E2124}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{D685DF25-6F13-44E3-9928-5854D9D4BA9D}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{77AD1BF3-46A1-4D3F-BCDA-8713D442FCA4}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{C723FB77-9CB1-40C8-8976-D0F9056C3FCF}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{2A8AFCDB-4106-4F8D-AEFE-13F21B04323A}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz
"{736E90C5-ED29-4155-9F2E-21F88A5350DF}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{38D92B6B-9FEE-40CE-98F9-4E6F68751716}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{58B75B88-FCE6-40E1-9E53-6CD25782F349}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{088FCE00-CBCB-4480-A8FA-CE5704B678A9}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{90F957F1-7771-43A3-88B6-C6B121D9192E}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{1593201F-16EE-4126-A321-36F273D42D8A}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{8B31603D-4B6F-411D-ABA0-0BB59E51F840}"= UDP:c:\windows\System32\dlbucoms.exe:Photo AIO Printer 942 Server
"{A16AE737-F56E-4593-A556-912D7AF4B444}"= TCP:c:\windows\System32\dlbucoms.exe:Photo AIO Printer 942 Server
"{A5ACCFAD-EF58-42D8-8C43-BC2A1FA4B4AA}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{EF1723CC-B308-4D4F-9D8E-B8F36C61D269}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{8F313FD2-1CBB-4AB4-B44D-77E32DD17D83}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{FFE64005-3677-4164-AEF1-6680F0420A71}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3B94B841-482F-492D-A815-A4B1B8102EA4}"= UDP:c:\program files\Orb Networks\Orb\bin\Orb.exe:Orb
"{E2552F6F-E708-4ED8-A9B1-640E47D42AC6}"= TCP:c:\program files\Orb Networks\Orb\bin\Orb.exe:Orb
"{781D4C33-0FC6-42A6-AF7D-4F2CB1CB0EF1}"= UDP:c:\program files\Orb Networks\Orb\bin\OrbTray.exe:OrbTray
"{26C49C07-A1D1-42FA-A304-098480EBE13A}"= TCP:c:\program files\Orb Networks\Orb\bin\OrbTray.exe:OrbTray
"{B912D68B-E900-41A6-94BB-8E8FB12BBC86}"= UDP:c:\program files\Orb Networks\Orb\bin\OrbIR.exe:OrbIR
"{A9D52F13-2462-4CD5-B05F-7D3F063CFCDD}"= TCP:c:\program files\Orb Networks\Orb\bin\OrbIR.exe:OrbIR
"{752F8140-DA74-44EE-B42E-0BCAA94C4876}"= UDP:c:\program files\Orb Networks\Orb\bin\OrbStreamerClient.exe:Orb Stream Client
"{0399CC6C-0C1D-467F-9F41-C1DABAD7BF80}"= TCP:c:\program files\Orb Networks\Orb\bin\OrbStreamerClient.exe:Orb Stream Client
"{106638F2-4AE5-4C24-A878-1DBC27B4432B}"= UDP:c:\program files\Orb Networks\Orb\bin\xmltv.exe:OrbTVGuide
"{F489C458-E9E9-401D-9DFD-4B2C0E5A606D}"= TCP:c:\program files\Orb Networks\Orb\bin\xmltv.exe:OrbTVGuide
"{77B498BA-8C4A-4930-A7CD-2378349438B0}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{0C1E52A3-32D8-442F-A704-65D1C075F3D8}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20080513.001\IDSvix86.sys [5/14/2008 9:54 PM 261680]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [2/13/2008 2:05 PM 13560]
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [8/7/2007 7:08 AM 50688]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [5/18/2008 8:43 PM 24652]
R3 NdisrdMP;NdisrdMP;c:\windows\System32\drivers\Ndisrd.sys [8/6/2009 12:12 AM 22016]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [10/30/2007 8:55 PM 37936]
R3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [3/15/2007 1:25 PM 43008]
S3 Ndisrd;WinpkFilter Service;c:\windows\System32\drivers\Ndisrd.sys [8/6/2009 12:12 AM 22016]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-08-08 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - MARYIOTTIGL.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-11-21 04:41]

2009-08-09 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2008-03-19 12:53]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-~EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
URLSearchHooks-~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
URLSearchHooks-~EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-WindowsWelcomeCenter - (no file)
HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-08 23:56
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\dlbucoms.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\System32\iashost.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2009-08-09 0:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-09 04:03

Pre-Run: 6,395,936,768 bytes free
Post-Run: 7,214,923,776 bytes free

289 --- E O F --- 2009-04-06 21:02

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz
Hello.
Nearly done now.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz
when i saved it, nothing popped up or happened at all. all the problems that went away yesterday are back, and Im pretty positive this thing has come back. im really confused at to what to do now because, just as before, malwarebytes wont run anymore. :-(

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz
Can you run Combofix again?

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz
when i try to run it nothing appears.

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz
Delete it and re-download it, try running it then.

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz
i cannot locate the file anywhere :-(

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

descriptionTrouble deleting PersonalAV EmptyRe: Trouble deleting PersonalAV

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum