-
AVG keeps finding news instances of... something
A0105378.exe is the file that AVG keeps finding and ultimately quarantining. But it's come up 3 or 4 times in the last day.
Many thanks in advance!
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by moe at 12:31:17 on 2011-11-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.349 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Documents and Settings\moe\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\moe\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://mail.google.com/mail/?source=navclient-ff&shva=1#inbox
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Page_URL = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\moe\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [pamela.exe] "c:\program files\pamela\Pamela.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
dRunOnce: [_nltide_2] regsvr32 /s /n /i:U shell32
StartupFolder: c:\docume~1\moe\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\moe\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\moe\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\support
Trusted Zone: speedtest.net\www
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1310704740187
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{437F6C09-69C6-43A2-96BA-F21E51DDE9BA} : DhcpNameServer = 192.168.2.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 relog_ap
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-8-28 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 229840]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-12 5265248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 hshld;Hotspot Shield Service;c:\program files\hotspot shield\bin\openvpnas.exe [2011-10-6 288088]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2152152]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-15 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 16720]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-21 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-7-21 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-10-25 13:05:55 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-24 17:59:58 -------- d--h--w- C:\$AVG
2011-10-24 10:09:21 -------- d-----w- c:\documents and settings\moe\application data\AVG2012
2011-10-24 10:07:25 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-10-21 00:46:53 -------- d-----w- c:\program files\AVIcodec
2011-10-21 00:38:03 -------- d-----w- c:\documents and settings\moe\application data\DDMSettings
2011-10-17 15:33:56 -------- d-----w- c:\windows\pss
2011-10-12 18:51:12 -------- d-----w- c:\program files\common files\xing shared
.
==================== Find3M ====================
.
2011-11-01 09:48:49 172544 ----a-w- c:\windows\system32\RemoteControl.dll
2011-10-31 10:37:55 44544 ----a-w- c:\windows\system32\agremove.exe
2011-09-26 09:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 09:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 04:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-28 21:01:49 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-08-28 21:01:49 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ------w- c:\windows\system32\html.iec
2011-08-18 13:25:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 12:32:33.25 ===============
-
-
Thanks Jeff for taking on my case.
(Incidentally, "show all" is unchecked by default, yes? I left it unchecked.)
-
BTW, my machine was just performing very slowly. Extremely slowly. So I checked the task manager and noticed that the CPU was working at a consistent 40-60% but the idle process was close to 99%, and there was very little activity from any other processes in the list. (is this indicative of a rootkit?)
Anyway, I just wanted to update the thread since this is new since my last post.
-
Hi Kenny5277,
I see that you have both AVG and Lavasoft antivirus programs running at the same time. Having more than one antivirus program actively running at the same time can seriously degrade the performance of your computer. Please uninstall either AVG or Lavasoft using Add/Remove Programs.
------------
Please read through these instructions to familarize yourself with what to expect when this tool runs
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
- Double click on ComboFix.exe & follow the prompts.
- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------
-
I didn't realize that when I installed Ad-Aware, that there was also an antivirus component (or I guess I assumed Ad-watch was somehow distinct). I believe I've deactivated Ad-watch. Should I uninstall Ad-Aware?
ComboFix.txt attached.
-
Hi Kenny5277
It isn't necessary to uninstall Ad-aware but just be sure that the real-time antivirus scanner is not on if you are going to use AVG. Just as an option you could use the Ad-aware antivirus and remove AVG completely and then there would be no chance of conflicts. If you choose to remove AVG let me know because there is a special tool we can use to remove it completely as AVG many times will leave a lot of extras on a computer.
----------
I need some information on some unidentified files. We will use Virustotal Please submit these files for analysis
To submit a file to virustotal, please click VirusTotal
copy and paste the following into the upload a file box (one at a time if more than one file is listed)
c:\windows\system32\rpcnetp.exe
scroll down a bit and click "send file", wait for the results and post them in your next reply.
Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
- Right-click and Run as Administrator SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
Code:
:filefind
*sfcfiles.dll
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
----------
In your next reply please post the logs created by VirusTotal and SystemLook.
-
Jeff, looking at the VirusTotal page I don't see a field where I can copy and paste the file address. I only see a "choose file" button which opens windows explorer. But when I look in the location for the file you mention it's not there.
Am I missing something obvious here?
-
Another question. With regard to SystemLook, and running as an administrator. From the right-click menu, I click "run as" and then a window pops up giving me the option to run on my account (Moe), another unused account (Korby), or as "Administrator" which is password protected. I've always just used Moe for everything which I believe has full admin rights. I actually didn't know there was another account called "Administrator". (It's not present on the log on screen).
The point is, "Administrator" is passworded and I don't know what the password is. Can I run it on my account if it has admin privileges?
-
Hi,
Don't worry about the VirusTotal instructions for now. We can come back to that if need be.
---------
In regards to SystemLook please just double click to run it. That was my fault as I put the instructions for a Vista/7 system down instead of Windows XP.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules