Antivir Preventing all d/loaded exes

Re: Antivir Preventing all d/loaded exes
Latest Log:

ComboFix 10-08-02.01 - Brian 08/02/2010 20:08:17.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2239 [GMT -4:00]
Running from: c:\documents and settings\Brian\My Documents\My Received Files\Combo-Fix.exe
Command switches used :: c:\documents and settings\Brian\My Documents\My Received Files\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-08-02 21:32 . 2010-08-02 21:32 -------- d-----w- c:\documents and settings\Brian\Application Data\Malwarebytes
2010-08-02 21:32 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-02 21:32 . 2010-08-02 21:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-02 21:32 . 2010-08-02 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-02 21:32 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-01 23:25 . 2010-08-01 23:25 -------- d-----w- C:\_OTL
2010-07-31 23:36 . 2010-07-31 23:37 -------- d-----w- c:\program files\Common Files\PC Tools
2010-07-31 23:36 . 2010-08-02 21:28 -------- d-----w- c:\program files\Spyware Doctor
2010-07-31 23:35 . 2010-08-02 21:28 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-29 19:24 . 2010-07-29 19:24 -------- d-----w- c:\windows\Cache
2010-07-29 19:24 . 2010-08-02 21:27 -------- d-----w- c:\program files\Coupons
2010-07-21 13:47 . 2010-07-21 13:47 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
2010-07-21 13:46 . 2010-07-21 13:46 1373536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssff.dll
2010-07-21 13:46 . 2010-07-21 13:46 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
2010-07-21 13:46 . 2010-07-21 13:46 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2010-07-16 14:10 . 2010-07-16 14:10 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-16 14:10 . 2010-07-16 14:10 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-16 14:09 . 2010-07-16 14:09 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-16 14:07 . 2010-07-16 14:07 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-16 14:07 . 2010-07-16 14:07 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-16 14:07 . 2010-07-16 14:07 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-16 14:07 . 2010-07-16 14:07 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-14 12:37 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-02 20:51 . 2009-05-20 13:18 -------- d-----w- c:\documents and settings\Brian\Application Data\Canon
2010-08-02 19:50 . 2009-05-11 23:21 1890 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-08-02 19:50 . 2009-05-11 23:21 1890 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-08-02 19:19 . 2009-05-11 22:33 -------- d-----w- c:\program files\Perfect PRO Office1.1.2
2010-08-02 19:02 . 2010-03-22 14:14 0 ----a-w- c:\documents and settings\Brian\Local Settings\Application Data\prvlcl.dat
2010-08-02 18:41 . 2009-05-11 18:46 -------- d-----w- c:\documents and settings\Brian\Application Data\WTablet
2010-07-16 14:09 . 2009-05-11 22:00 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-16 14:08 . 2009-05-11 22:00 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-22 17:00 . 2009-05-11 22:27 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-22 16:59 . 2010-06-22 17:00 53632 ----a-w- c:\documents and settings\Brian\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-15 23:58 . 2010-06-15 23:58 -------- d-----w- c:\program files\Google
2010-06-14 14:31 . 2008-03-26 22:40 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-11 11:07 . 2010-06-11 11:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-06-03 02:41 . 2010-06-03 02:41 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-06-02 18:51 . 2009-05-11 22:00 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-26 21:23 . 2010-05-26 21:23 348160 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-68bbbe06-n\msvcr71.dll
2010-05-26 21:23 . 2010-05-26 21:23 503808 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-68bbbe06-n\msvcp71.dll
2010-05-26 21:23 . 2010-05-26 21:23 499712 ----a-w- c:\documents and settings\Brian\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-68bbbe06-n\jmc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-28 8491008]
"nwiz"="nwiz.exe" [2007-11-28 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-28 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 16855552]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-19 999424]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-08 16712]
"Iomega Startup Options"="c:\program files\Iomega\Common\ImgStart.exe" [2000-06-02 32768]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2000-06-13 36864]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-22 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065760]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Brian\Start Menu\Programs\Startup\
Eudora.lnk - c:\program files\Qualcomm\eudora\Eudora.exe [2009-5-11 3429888]
Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2009-5-11 908280]
Shortcut to TweetDeck.exe.lnk - c:\program files\TweetDeck\TweetDeck.exe [2010-6-3 95232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkvMon.exe.lnk - c:\program files\Nikon\NkView6\NkvMon.exe [2010-5-6 233472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 14:09 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Brian\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\ws_ftp\\ws_ftp95.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/11/2009 6:00 PM 216400]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/11/2009 6:00 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 10:09 AM 308136]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 11:32 PM 189736]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [5/11/2009 2:45 PM 1373480]
R4 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/Brian/My%20Documents/2-webfile-start/start.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Brian\Application Data\Mozilla\Firefox\Profiles\oqz08cas.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/Brian/My%20Documents/2-webfile-start/start.htm
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-02 20:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3228)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-02 20:11:07
ComboFix-quarantined-files.txt 2010-08-03 00:11
ComboFix2.txt 2010-08-02 23:04

Pre-Run: 163,743,440,896 bytes free
Post-Run: 163,730,903,040 bytes free

- - End Of File - - 8A161A4A221B233D216367C6B89E1C48
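
The "Files Created" section of a ComboFix log (created timestamp, a dot, modified timestamp, size or dashes for a directory, an 8-character attribute field, then the path) is what a helper reads first when triaging a log like the one above. The following parser is an added example, not ComboFix's own code or anything from this thread: it turns those lines into records and builds a review queue of executables that landed under system32 or carry hidden/system attributes. The sample lines are constructed from entries in the log above; the flagged items all turn out to be expected here (Malwarebytes, AVG, a Windows update, a licensing file), which is the point: the queue is what you check against what you asked the user to install, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in the ComboFix "Files Created" layout
# (created . modified size attrs path); values modelled on the log above.
SAMPLE = """\
2010-08-02 21:32 . 2010-08-02 21:32 -------- d-----w- c:\\documents and settings\\Brian\\Application Data\\Malwarebytes
2010-08-02 21:32 . 2010-04-29 19:39 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2010-07-16 14:09 . 2010-07-16 14:09 12536 ----a-w- c:\\windows\\system32\\avgrsstx.dll
2010-07-14 12:37 . 2010-06-14 14:31 744448 -c----w- c:\\windows\\system32\\dllcache\\helpsvc.exe
2010-08-02 19:50 . 2009-05-11 23:21 1890 --sha-w- c:\\documents and settings\\All Users\\Application Data\\KGyGaAvL.sys
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
TS = "%Y-%m-%d %H:%M"
# Extensions treated as executable content for the review queue (assumption).
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".ocx")


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories (ComboFix prints "--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_or_system(self) -> bool:
        # Assumption: 'h' and 's' in the attribute field are the hidden and
        # system flags, as in "--sha-w-" from the log above.
        return "h" in self.attrs or "s" in self.attrs


def parse_files_created(text: str):
    """Parse 'Files Created' lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m.group("size").startswith("-") else int(m.group("size"))
        entries.append(Entry(
            datetime.strptime(m.group("created"), TS),
            datetime.strptime(m.group("modified"), TS),
            size, m.group("attrs"), m.group("path")))
    return entries


def triage(entries):
    """Return paths worth a second look, in log order: executables written
    under c:\\windows\\system32, or files with hidden/system attributes."""
    flagged = []
    for e in entries:
        if e.is_dir:
            continue
        p = e.path.lower()
        if p.startswith("c:\\windows\\system32\\") and p.endswith(EXEC_EXT):
            flagged.append(e.path)
        elif e.hidden_or_system:
            flagged.append(e.path)
    return flagged


if __name__ == "__main__":
    for path in triage(parse_files_created(SAMPLE)):
        print("review:", path)
```

A created timestamp later than the modified timestamp (as for mbamswissarmy.sys in the sample) usually just means the file was copied out of an installer that preserved its build time; the parser keeps both values so that comparison is available.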

Re: Antivir Preventing all d/loaded exes
Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.

Re: Antivir Preventing all d/loaded exes
You didn't say to submit the log, but here it is:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17055 (vista_gdr.100414-0533)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=211dca5f0d94654090e73c00d93ed802
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-04 02:24:40
# local_time=2010-08-03 10:24:40 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777191 100 0 10785694 10785694 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=453328
# found=1
# cleaned=1
# scan_time=5426
C:\Documents and Settings\Brian\Start Menu\Programs\Accessories\PowerReg SchedulerV2.exe Win32/PowerReg application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
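
The ESET Online Scanner log posted above has a simple shape: a few banner lines, then `# key=value` header lines (some keys repeat), then one line per detection made of the path, the threat name, the action taken in parentheses, a 32-hex-digit field and a trailing flag character. The parser below is an added example, not ESET's code or anything from this thread; it reads that layout into a header dictionary plus detection records and checks the things a helper looks for (the scan finished, `found` matches the number of detection lines, nothing was left uncleaned). The sample is constructed from the log above. Where the threat description starts is an assumption: the code takes it to begin at the first token that looks like an ESET family name (`Win32/...`) or one of the "a variant of" / "multiple threats" prefixes, because the file name itself may contain spaces, as it does here.

```python
import re
from dataclasses import dataclass

# Constructed sample in the ESET Online Scanner log layout posted above.
SAMPLE_LOG = """\
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# end=finished
# remove_checked=true
# compatibility_mode=1024 16777191 100 0 10785694 10785694 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=453328
# found=1
# cleaned=1
# scan_time=5426
C:\\Documents and Settings\\Brian\\Start Menu\\Programs\\Accessories\\PowerReg SchedulerV2.exe Win32/PowerReg application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

HEADER_RE = re.compile(r"^# (?P<key>[A-Za-z_]+)=(?P<value>.*)$")
# <path> <threat> (<action>) <32 hex digits> <flag character>
DETECTION_RE = re.compile(
    r"^(?P<rest>.+) \((?P<action>[^)]+)\) (?P<digest>[0-9A-Fa-f]{32}) (?P<flag>\S)$"
)
# Assumption: the threat description starts at the first token that looks
# like an ESET family name ("Win32/...") or one of its variant prefixes.
THREAT_START_RE = re.compile(
    r" (?=(?:probably )?a variant of |multiple threats|[A-Za-z0-9]+/)"
)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    digest: str   # 32 hex digits as printed; all zeros in the log above
    flag: str


def split_detection(rest: str):
    """Split '<path> <threat>' at the assumed start of the threat name."""
    parts = THREAT_START_RE.split(rest, maxsplit=1)
    if len(parts) != 2:
        return rest, ""
    return parts[0], parts[1]


def parse_eset_log(text: str):
    """Return (header dict, list of Detection). Repeated header keys
    (compatibility_mode) are collected into a list."""
    meta, detections = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        h = HEADER_RE.match(line)
        if h:
            key, value = h.group("key"), h.group("value")
            if key in meta:
                prev = meta[key]
                meta[key] = (prev if isinstance(prev, list) else [prev]) + [value]
            else:
                meta[key] = value
            continue
        d = DETECTION_RE.match(line)
        if d:
            path, threat = split_detection(d.group("rest"))
            detections.append(Detection(path, threat, d.group("action"),
                                        d.group("digest"), d.group("flag")))
    return meta, detections


def summarize(text: str):
    """Numbers a helper checks before replying: did the scan finish, does
    'found' agree with the detection lines, and was anything left behind."""
    meta, detections = parse_eset_log(text)
    found = int(meta.get("found", 0))
    cleaned = int(meta.get("cleaned", 0))
    return {
        "scanned": int(meta.get("scanned", 0)),
        "found": found,
        "cleaned": cleaned,
        "uncleaned": found - cleaned,
        "finished": meta.get("end") == "finished",
        "consistent": found == len(detections),
        "detections": detections,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"scanned={s['scanned']} found={s['found']} uncleaned={s['uncleaned']}")
    for det in s["detections"]:
        print(f"{det.threat!r} at {det.path!r}: {det.action}")
```

If `consistent` is false the log was cut off or pasted incompletely, which is worth asking the poster about before giving an all-clear; a non-zero `uncleaned` means the action column needs reading detection by detection.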

Re: Antivir Preventing all d/loaded exes
Hello.
How is the machine running now?

Re: Antivir Preventing all d/loaded exes
Greetings;

The machine has been running well since about the second step (although I certainly understand the value of being thorough).

Am I about to get the "all clear"?

B

Re: Antivir Preventing all d/loaded exes
Yep, all looks good here, no signs of malware from what I can see.

Re: Antivir Preventing all d/loaded exes
Thank you again.
