AVG keeps finding new instances of... something

Hi Kenny,

Have you decided what antivirus program you are going to use? There may still be some conflict with the two that will seriously degrade your computer's performance. I would recommend removing one of them completely. Let me know which one you want to get rid of and I will get you the removal tool for it. :)
----------

Please download aswMBR to your desktop.

  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.


----------

In your next reply let me know which antivirus program you would like to remove and then post the log created by aswMBR.exe.
 
Jeff, the bug is still here. :( I just got another detection notice from AVG.

To respond to your last post, I've been with AVG for a while, so I think I'll stick with that. Can I keep Ad-Aware on my machine for occasional scans without using the active real-time AV?

I have to run now, but I'll run that scan that you mention when I get home.

Thanks for your continued help!
 
Hi Kenny

What is AVG showing? That may help us target this better. :)

Yes you can keep Ad-Aware if you choose but be sure it is not running in real-time.

No hurry with the scan. I apologize that this is taking so long, but sometimes malware removal can be quite a task. :)
 
Hey Jeff. I understand this can take time. I appreciate you sticking with me through it!!

Here's a screenshot of the AVG threat detection. Should I go ahead with that scan now?
 
Hi Kenny,

Thanks for the screenshot. That won't be a problem at all. When we remove ComboFix that file will be removed too.

Go ahead and run aswMBR with the instructions I gave you earlier and then post that log when you get it.
 
Hi Kenny,

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    Code:
    Driver::
    WINRM
    
    NetSvc::
    WINRM
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5985:TCP"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    (screenshot: CFScriptB-4.gif)

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
 
ComboFix 11-11-05.02 - moe 11/05/2011 17:01:56.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1301 [GMT 1:00]
Running from: c:\documents and settings\moe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\moe\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_WinRM
.
.
((((((((((((((((((((((((( Files Created from 2011-10-05 to 2011-11-05 )))))))))))))))))))))))))))))))
.
.
2011-11-05 16:32 . 2011-11-05 16:32 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-11-05 16:28 . 2011-11-05 16:28 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-11-03 12:18 . 2011-11-03 12:18 -------- d-----w- c:\program files\ESET
2011-11-01 11:25 . 2011-11-01 11:26 -------- d-----w- c:\program files\ERUNT
2011-10-25 13:05 . 2011-11-03 21:31 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-24 17:59 . 2011-10-24 17:59 -------- d-----w- C:\$AVG
2011-10-24 10:09 . 2011-10-24 10:09 -------- d-----w- c:\documents and settings\moe\Application Data\AVG2012
2011-10-24 10:07 . 2011-10-24 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-10-21 00:46 . 2011-10-21 00:46 -------- d-----w- c:\program files\AVIcodec
2011-10-21 00:38 . 2011-10-21 00:38 -------- d-----w- c:\documents and settings\moe\Application Data\DDMSettings
2011-10-17 16:36 . 2011-10-17 16:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-10-13 05:01 . 2011-10-13 05:01 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2011-10-12 18:51 . 2011-10-12 18:51 -------- d-----w- c:\program files\Common Files\xing shared
2011-10-12 18:50 . 2011-10-12 18:51 -------- d-----w- c:\program files\Real
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-04 14:28 . 2011-09-25 13:12 44544 ----a-w- c:\windows\system32\agremove.exe
2011-11-01 09:48 . 2011-08-23 21:19 172544 ----a-w- c:\windows\system32\RemoteControl.dll
2011-10-07 05:23 . 2011-01-07 12:41 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 05:21 . 2011-02-10 13:53 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-26 09:41 . 2008-12-22 17:48 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 09:41 . 2008-07-30 01:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41 . 2008-12-22 17:48 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 04:30 . 2011-03-16 22:03 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12 . 2008-04-14 11:41 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2008-04-14 07:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 15:00 . 2011-08-28 21:25 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-28 21:01 . 2011-08-28 21:16 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-08-28 21:01 . 2011-08-28 21:01 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-22 23:48 . 2008-12-22 18:03 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2008-12-22 18:03 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2008-12-22 18:02 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2008-12-22 18:02 385024 ------w- c:\windows\system32\html.iec
2011-08-18 13:25 . 2011-08-28 20:58 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-17 13:49 . 2008-04-14 06:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-08 04:08 . 2011-03-01 20:25 40016 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-12-22 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-11-02_00.35.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-05 16:34 . 2011-11-05 16:33 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
- 2011-11-02 00:34 . 2011-11-02 00:34 32768 c:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
+ 2011-11-05 16:34 . 2011-11-05 16:33 16384 c:\windows\temp\History\History.IE5\index.dat
- 2011-11-02 00:34 . 2011-11-02 00:34 16384 c:\windows\temp\History\History.IE5\index.dat
- 2011-11-02 00:34 . 2011-11-02 00:34 16384 c:\windows\temp\Cookies\index.dat
+ 2011-11-05 16:34 . 2011-11-05 16:33 16384 c:\windows\temp\Cookies\index.dat
+ 2011-11-02 23:05 . 2011-11-02 23:05 442368 c:\windows\ERDNT\AutoBackup\11-3-2011\Users\00000002\UsrClass.dat
+ 2011-11-02 23:05 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\11-3-2011\ERDNT.EXE
+ 2011-11-04 10:00 . 2011-11-04 10:00 4671488 c:\windows\Installer\83812d4.msi
+ 2011-11-04 09:49 . 2011-11-04 09:49 4674560 c:\windows\Installer\8381294.msi
+ 2011-11-05 16:39 . 2011-11-05 16:40 17780736 c:\windows\ERDNT\AutoBackup\11-5-2011\Users\00000001\NTUSER.DAT
+ 2011-11-02 23:04 . 2011-11-02 23:05 17780736 c:\windows\ERDNT\AutoBackup\11-3-2011\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"pamela.exe"="c:\program files\Pamela\Pamela.exe" [2011-11-01 11909120]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 2595480]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 905056]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 140568]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-24 2415456]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]
"VX1000"="c:\windows\vVX1000.exe" [2009-06-26 757248]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-10-12 273528]
.
c:\documents and settings\moe\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\moe\Application Data\Dropbox\bin\Dropbox.exe [2011-7-20 24176560]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2011-7-21 114688]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-10-12 18:50 273528 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\moe\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\moe\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 3:13 PM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 11:03 PM 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/28/2011 9:58 PM 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 1:41 PM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 7:59 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
R2 hshld;Hotspot Shield Service;c:\program files\Hotspot Shield\bin\openvpnas.exe [10/6/2011 1:21 AM 288088]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS --> c:\program files\Hotspot Shield\bin\hsswd.exe -product HSS [?]
RUnknown rpcnetp;rpcnetp; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 8:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2011 2:19 AM 136176]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/15/2011 4:28 AM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 2:53 PM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 2:53 PM 16720]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2011 2:19 AM 136176]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/18/2011 2:25 PM 2152152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/18/2011 2:25 PM 15232]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 8:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RPCNETP
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-03 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-08-18 21:02]
.
2011-11-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-21 01:19]
.
2011-11-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-07-21 01:19]
.
2011-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-842925246-1801674531-1004Core.job
- c:\documents and settings\moe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-15 03:49]
.
2011-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-842925246-1801674531-1004UA.job
- c:\documents and settings\moe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-15 03:49]
.
2011-11-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-842925246-1801674531-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 11:40]
.
2011-11-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-842925246-1801674531-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 11:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.google.com/mail/?source=navclient-ff&shva=1#inbox
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-05 17:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1748)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(3820)
c:\windows\system32\WININET.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Hotspot Shield\HssWPR\hsssrv.exe
c:\program files\Hotspot Shield\bin\hsswd.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\System32\rpcnetp.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2011-11-05 17:48:36 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-05 16:48
ComboFix2.txt 2011-11-03 23:25
ComboFix3.txt 2011-11-03 10:45
ComboFix4.txt 2011-11-02 00:48
.
Pre-Run: 40,878,555,136 bytes free
Post-Run: 40,913,092,608 bytes free
.
- - End Of File - - 05ADAB2A9DBAA5DDA2F8B3C7AC44C1B0
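The CFScript in the post above tells ComboFix to delete the WINRM driver/service entry, drop WINRM from the svchost service groups and remove the 5985:TCP firewall exception; the log that follows records what ComboFix found and removed (the Service_WinRM deletion, the unresolved "RUnknown rpcnetp" service, the "*NewlyCreated* - RPCNETP" entry, the freshly created rpcnetp.exe and rpcnetp.dll in system32, the 3389:TCP globally open port, and "EnableFirewall"= 0). As an added example, not part of the original thread and not ComboFix's own code, the Python script below triages a ComboFix-style log for exactly those indicators and then correlates unresolved or newly created service names with freshly dropped system32 binaries, which is the lead a helper reads first. The regular expressions assume the log layout as printed on this page; the sample input is a constructed excerpt of the log above.

```python
import os
import re

# Constructed sample: lines copied from the ComboFix log posted above, trimmed
# to the sections the checks below read (not a complete log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-10-05 to 2011-11-05 )))))))))))))))))))))))))))))))
.
2011-11-05 16:32 . 2011-11-05 16:32 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-11-05 16:28 . 2011-11-05 16:28 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-11-03 12:18 . 2011-11-03 12:18 -------- d-----w- c:\program files\ESET
2011-10-17 16:36 . 2011-10-17 16:36 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 11:03 PM 32592]
RUnknown rpcnetp;rpcnetp; [x]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/21/2011 2:19 AM 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RPCNETP
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
"""

# Service line: start type (R0..R3, S0..S3 or RUnknown), name;display;image
SERVICE_RE = re.compile(r"^(R\d|S\d|RUnknown)\s+([^;]+);([^;]*);(.*)$")
# "Files Created" line: stamp . stamp size attributes path
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(\d+|-+)\s+([a-z-]{8})\s+(.+)$")
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
SVCHOST_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")
NEWLY_RE = re.compile(r"^\*NewlyCreated\*\s+-\s+(\S+)$")
SYSTEM32 = "c:\\windows\\system32\\"


def triage(log_text):
    findings = {
        "unknown_services": [],    # services whose image ComboFix could not resolve
        "newly_created": [],       # drivers/services that appeared since the last run
        "svchost_groups": {},      # svchost service group -> member services
        "open_ports": [],          # GloballyOpenPorts entries in the firewall policy
        "firewall_enabled": None,  # EnableFirewall value of the standard profile
        "recent_system32": [],     # (path, stamp) for new files under system32
    }
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # registry key whose values follow
            continue
        if line.startswith("(((") or line.startswith("---"):
            section = None                # a new top-level log section
            continue
        m = NEWLY_RE.match(line)
        if m:
            findings["newly_created"].append(m.group(1))
            continue
        if section and "globallyopenports" in section:
            m = PORT_RE.match(line)
            if m:
                findings["open_ports"].append(m.group(1))
                continue
        if section and section.endswith("firewallpolicy\\standardprofile"):
            m = FIREWALL_RE.match(line)
            if m:
                findings["firewall_enabled"] = m.group(1) != "0"
                continue
        if section and section.endswith("currentversion\\svchost"):
            m = SVCHOST_RE.match(line)
            if m:
                findings["svchost_groups"][m.group(1)] = m.group(2).split()
                continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, image = m.groups()
            if start == "RUnknown" or image.strip().endswith("[x]"):
                findings["unknown_services"].append(name.strip())
            continue
        m = FILE_RE.match(line)
        if m:
            stamp, _size, attrs, path = m.groups()
            if not attrs.startswith("d") and path.lower().startswith(SYSTEM32):
                findings["recent_system32"].append((path, stamp))
    return findings


def correlate(findings):
    """Names that are both an unresolved/new service and a freshly created
    file in system32: the lead worth chasing first."""
    stems = {os.path.splitext(p.replace("\\", "/").rsplit("/", 1)[-1])[0].lower()
             for p, _ in findings["recent_system32"]}
    names = {n.lower() for n in findings["unknown_services"] + findings["newly_created"]}
    return sorted(names & stems)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for key, value in found.items():
        print(f"{key}: {value}")
    print("correlated:", correlate(found))
```

On the excerpt this reports rpcnetp as both an unresolved service and a new system32 binary, the 3389:TCP open port with the firewall profile disabled, and WINRM as its own svchost group; the same checks run unchanged over the full log pasted above.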
 
Hi Kenny,

Would you please run ESET online scan again and then post the log that is created into your next reply. :)
 
Hi Kenny,

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to VirusTotal, please click VirusTotal

Use Choose a File, browse to, and select the following file (one at a time if more than one file is listed)

C:\Documents and Settings\moe\My Documents\Misc\Soft32Downloader-for-Realtek-RTL81698110-Family-Gigabit-Ethernet-NIC.exe

Scroll down a bit and click "send file", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------
 
Not sure how you wanted it, but I copied and pasted it and attached a PDF of the same thing.

File name: Soft32Downloader-for-Realtek-RTL81698110-Family-Gigabit-E[...].exe
Submission date: 2011-11-07 01:06:25 (UTC)
Current status: finished
Result: 5/ 43 (11.6%)

Antivirus Version Last Update Result
AhnLab-V3 2011.11.05.02 2011.11.06 -
AntiVir 7.11.17.28 2011.11.06 -
Antiy-AVL 2.0.3.7 2011.11.06 Trojan/Win32.FakeAV.gen
Avast 6.0.1289.0 2011.11.06 Win32:Malware-gen
AVG 10.0.0.1190 2011.11.06 -
BitDefender 7.2 2011.11.07 -
ByteHero 1.0.0.1 2011.11.04 -
CAT-QuickHeal 11.00 2011.11.06 -
ClamAV 0.97.3.0 2011.11.07 -
Commtouch 5.3.2.6 2011.11.06 -
Comodo 10691 2011.11.07 -
DrWeb 5.0.2.03300 2011.11.07 -
Emsisoft 5.1.0.11 2011.11.07 -
eSafe 7.0.17.0 2011.11.06 -
eTrust-Vet 36.1.8657 2011.11.05 -
F-Prot 4.6.5.141 2011.11.06 -
F-Secure 9.0.16440.0 2011.11.06 -
Fortinet 4.3.370.0 2011.11.06 -
GData 22 2011.11.07 Win32:Malware-gen
Ikarus T3.1.1.107.0 2011.11.06 -
Jiangmin 13.0.900 2011.11.06 -
K7AntiVirus 9.117.5398 2011.11.05 -
Kaspersky 9.0.0.837 2011.11.07 -
McAfee 5.400.0.1158 2011.11.07 -
McAfee-GW-Edition 2010.1D 2011.11.06 -
Microsoft 1.7801 2011.11.06 -
NOD32 6606 2011.11.07 -
Norman 6.07.13 2011.11.06 -
nProtect 2011-11-06.01 2011.11.06 -
Panda 10.0.3.5 2011.11.06 -
PCTools 8.0.0.5 2011.11.07 -
Prevx 3.0 2011.11.07 -
Rising 23.82.02.02 2011.11.02 -
Sophos 4.71.0 2011.11.06 -
SUPERAntiSpyware 4.40.0.1006 2011.11.05 -
Symantec 20111.2.0.82 2011.11.07 -
TheHacker 6.7.0.1.338 2011.11.06 Trojan/FakeAV.ebvf
TrendMicro 9.500.0.1008 2011.11.06 -
TrendMicro-HouseCall 9.500.0.1008 2011.11.07 -
VBA32 3.12.16.4 2011.11.04 Trojan.FakeAV.ebvf
VIPRE 10984 2011.11.07 -
ViRobot 2011.11.5.4757 2011.11.06 -
VirusBuster 14.1.49.0 2011.11.06 -
Additional information
MD5 : 6cb581e1daeb9b08084be84f536a9fcb
SHA1 : cf197fb5cbce38b01ebe507f8162908689731589
SHA256: f1717ec7d13a6a450ca8c569dd9e0006b64ce23ec4bc2bfa8ce8d36e04fd4343
 
Hi Kenny,

That was just the way I needed to see that report. :)

Please do the following...

Click Start > Run > type CMD > press OK and this opens the command prompt.

Copy the contents of the code box > right click in the command window and select paste
Code:
del C:\Documents and Settings\moe\My Documents\Misc\Soft32Downloader-for-Realtek-RTL81698110-Family-Gigabit-Ethernet-NIC.exe
Press Enter
----------

Please run DDS once more and post the newly created log into your next reply.

How is your system running?
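Two practitioner checks belong with the VirusTotal report and the `del` step above, written here as an added example that is not part of the original thread: first, read the engine table into a structure so the ratio and the verdict names (here three engines agree on FakeAV) can be compared across samples instead of eyeballed; second, before deleting a file, confirm that its hash equals the one VirusTotal actually analysed (the report lists MD5, SHA1 and SHA256), so a renamed or replaced file in the same path is not removed on the strength of someone else's verdict. Deleting from Python also sidesteps cmd.exe argument splitting: the path above contains spaces, which is why the thread later switches to a quoted form. The report excerpt embedded below is a constructed subset of the table posted above; the file in `demo()` is a stand-in with constructed contents, not the real downloader.

```python
import hashlib
import os
import re

# Hashes from the VirusTotal report posted above for the Soft32Downloader file.
REPORTED_HASHES = {
    "md5": "6cb581e1daeb9b08084be84f536a9fcb",
    "sha1": "cf197fb5cbce38b01ebe507f8162908689731589",
    "sha256": "f1717ec7d13a6a450ca8c569dd9e0006b64ce23ec4bc2bfa8ce8d36e04fd4343",
}

# Constructed excerpt of the engine table from that report (the full table has
# 43 rows; only the row layout matters here).
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2011.11.05.02 2011.11.06 -
Antiy-AVL 2.0.3.7 2011.11.06 Trojan/Win32.FakeAV.gen
Avast 6.0.1289.0 2011.11.06 Win32:Malware-gen
AVG 10.0.0.1190 2011.11.06 -
GData 22 2011.11.07 Win32:Malware-gen
Kaspersky 9.0.0.837 2011.11.07 -
TheHacker 6.7.0.1.338 2011.11.06 Trojan/FakeAV.ebvf
VBA32 3.12.16.4 2011.11.04 Trojan.FakeAV.ebvf
"""

# engine, engine version, signature date (YYYY.MM.DD), verdict ('-' = clean)
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")


def parse_report(text):
    """Map each engine to its verdict string, or None when it reported clean."""
    verdicts = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            engine, _version, _date, result = m.groups()
            verdicts[engine] = None if result == "-" else result
    return verdicts


def detection_ratio(verdicts):
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for v in verdicts.values() if v), len(verdicts)


def file_hashes(path):
    """MD5/SHA-1/SHA-256 of a file, streamed so large files are fine."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def remove_if_hash_matches(path, reported):
    """Delete the file only if its SHA-256 equals the one VirusTotal analysed.
    Returns True when the file was removed, False when it was left in place
    (missing, or a different file from the one in the report)."""
    if not os.path.isfile(path):
        return False
    if file_hashes(path)["sha256"] != reported["sha256"].lower():
        return False
    os.remove(path)  # no shell involved, so spaces in the path need no quoting
    return True


def demo():
    """Walk-through on a constructed stand-in file (not the real downloader)."""
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "Soft32Downloader stand-in.exe")
    with open(path, "wb") as fh:
        fh.write(b"constructed sample bytes, not the file from the thread")
    refused = remove_if_hash_matches(path, REPORTED_HASHES)   # hashes differ
    removed = remove_if_hash_matches(path, file_hashes(path))  # hashes match
    return refused, removed, os.path.exists(path)


if __name__ == "__main__":
    hits, total = detection_ratio(parse_report(SAMPLE_REPORT))
    print(f"excerpt detection ratio: {hits}/{total}")
    print("refused, removed, still present:", demo())
```

To use it on the real machine, call `remove_if_hash_matches(r"C:\Documents and Settings\moe\My Documents\Misc\<file>.exe", REPORTED_HASHES)`: it returns False and leaves the file alone unless the SHA-256 matches the report, and only then deletes it.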
 
Hi Kenny,

That was just the way I needed to see that report. :)

Please do the following...

Click Start > Run > type CMD > press OK and this opens the command prompt.

Copy the contents of the code box > right click in the command window and select paste
Code:
del C:\Documents and Settings\moe\My Documents\Misc\Soft32Downloader-for-Realtek-RTL81698110-Family-Gigabit-Ethernet-NIC.exe
Press Enter
----------

Jeff, when I do this I get "The system cannot find the path specified". Just to be clear, from the cmd prompt I start off in "c:\Documents and Settings\moe>" so when I copy and paste the code box, it looks like "c:\Documents and Settings\moe>del C:\Documents and Settings\moe\My Documents\Misc\Soft32Downloader-for-Realtek-RTL81698110-Family-Gigabit-Ethernet-NIC.exe"

Is that right? Do I need to change the directory first?
 
Hi Kenny,

Yes, be sure to change the directory to C:\Windows\system32. Then attempt to rerun using the code below:

Code:
del "C:\Documents and Settings\moe\My Documents\Misc\Soft32Downloader-for-Realtek-RTL81698110-Family-Gigabit-Ethernet-NIC.exe"

Once you get that finished be sure to run DDS again and let me know how your system is running. :)
 
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by moe at 15:23:40 on 2011-11-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1402 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\ntvdm.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://mail.google.com/mail/?source=navclient-ff&shva=1#inbox
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [pamela.exe] "c:\program files\pamela\Pamela.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
StartupFolder: c:\docume~1\moe\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\moe\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\moe\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1310704740187
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{437F6C09-69C6-43A2-96BA-F21E51DDE9BA} : DhcpNameServer = 192.168.2.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-8-28 64512]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 hshld;Hotspot Shield Service;c:\program files\hotspot shield\bin\openvpnas.exe [2011-10-6 288088]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-15 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 16720]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-7-21 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-7-21 136176]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2152152]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-11-03 12:18:20 -------- d-----w- c:\progra~1\ESET
2011-11-02 00:07:48 -------- d-sha-r- C:\cmdcons
2011-11-02 00:01:55 98816 ----a-w- c:\windows\sed.exe
2011-11-02 00:01:55 518144 ----a-w- c:\windows\SWREG.exe
2011-11-02 00:01:55 256000 ----a-w- c:\windows\PEV.exe
2011-11-02 00:01:55 208896 ----a-w- c:\windows\MBR.exe
2011-10-25 13:05:55 -------- d-----w- c:\progra~1\MALWAREBYTES ANTI-MALWARE
2011-10-24 17:59:58 -------- d-----w- C:\$AVG
2011-10-24 10:09:21 -------- d-----w- c:\docume~1\moe\applic~1\AVG2012
2011-10-24 10:07:25 -------- d-----w- c:\docume~1\alluse~1\application data\AVG2012
2011-10-21 00:46:53 -------- d-----w- c:\progra~1\AVIcodec
2011-10-21 00:38:03 -------- d-----w- c:\docume~1\moe\applic~1\DDMSettings
2011-10-17 15:33:56 -------- d-----w- c:\windows\pss
2011-10-12 18:51:12 -------- d-----w- c:\progra~1\common~1\xing shared
.
==================== Find3M ====================
.
2011-11-05 16:50:39 44544 ----a-w- c:\windows\system32\agremove.exe
2011-11-01 09:48:49 172544 ----a-w- c:\windows\system32\RemoteControl.dll
2011-10-07 05:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 05:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-26 09:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 09:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 09:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 04:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 15:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-28 21:01:49 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-08-28 21:01:49 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ------w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ------w- c:\windows\system32\html.iec
2011-08-18 13:25:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 15:25:31.95 ===============
 
I have to run out right now, but I'll post again in a few hours to let you know how it's running. (I need time to try a few things to see). :)
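As an added example (not part of this thread and not DDS's own code), here is a small Python triage script that parses the `SERVICES / DRIVERS` and `Created Last 30` sections in the format shown in the log above and flags the entries a helper would look at first. The sample log inside it is constructed from a few of the lines posted above; the three heuristics (a kernel driver outside `system32\drivers`, a binary DDS could not stat and printed as `[?]`, an executable newly created under `c:\windows`) are my own choices, not DDS rules, and a hit means "check this", not "malware".

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines in the exact shape of the DDS log above,
# embedded so the script runs offline.
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R2 hshld;Hotspot Shield Service;c:\program files\hotspot shield\bin\openvpnas.exe [2011-10-6 288088]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe -product hss --> c:\program files\hotspot shield\bin\hsswd.exe -product HSS [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
.
=============== Created Last 30 ================
.
2011-11-02 00:07:48 -------- d-sha-r- C:\cmdcons
2011-11-02 00:01:55 98816 ----a-w- c:\windows\sed.exe
2011-10-25 13:05:55 -------- d-----w- c:\progra~1\MALWAREBYTES ANTI-MALWARE
.
==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+$")
# "R0 name;display;path [date size]": R/S = running/stopped, digit = start type
SVC_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
STAMP_RE = re.compile(r" \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")
FILE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
WINDOWS_DIR = "c:\\windows\\"
EXEC_EXT = (".exe", ".dll", ".sys")


@dataclass
class Service:
    name: str
    display: str
    running: bool
    start_type: int          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
    path: str
    date: Optional[str]
    size: Optional[int]
    unresolved: bool         # DDS printed "[?]": it could not stat the binary


@dataclass
class Created:
    timestamp: str
    size: Optional[int]      # None for directories ("--------")
    attrs: str               # e.g. "d-sha-r-"; leading "d" marks a directory
    path: str


def parse_dds(text: str) -> Dict[str, list]:
    """Split DDS text into parsed SERVICES / DRIVERS and Created Last 30 entries."""
    services: List[Service] = []
    created: List[Created] = []
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title").strip()
            continue
        if section == "SERVICES / DRIVERS":
            m = SVC_RE.match(line)
            if not m:
                continue
            rest, date, size, unresolved = m.group("rest"), None, None, False
            if rest.endswith(" [?]"):
                rest, unresolved = rest[:-4], True
            else:
                st = STAMP_RE.search(rest)
                if st:
                    date, size, rest = st.group("date"), int(st.group("size")), rest[:st.start()]
            services.append(Service(m.group("name"), m.group("display"), m.group("state") == "R",
                                    int(m.group("start")), rest, date, size, unresolved))
        elif section == "Created Last 30":
            m = FILE_RE.match(line)
            if not m:
                continue
            raw = m.group("size")
            created.append(Created(m.group("ts"), int(raw) if raw.isdigit() else None,
                                   m.group("attrs"), m.group("path")))
    return {"services": services, "created": created}


def triage(parsed: Dict[str, list]) -> List[str]:
    """Heuristics of my own choosing (not DDS rules) for what to check first."""
    findings: List[str] = []
    for s in parsed["services"]:
        p = s.path.lower()
        if s.unresolved:
            findings.append(f"{s.name}: DDS could not stat the binary ({s.path}); verify path and arguments")
        if p.endswith(".sys") and not p.startswith(DRIVER_DIR):
            findings.append(f"{s.name}: kernel driver outside system32\\drivers ({s.path}), start type {s.start_type}")
    for c in parsed["created"]:
        p = c.path.lower()
        if not c.attrs.startswith("d") and p.startswith(WINDOWS_DIR) and p.endswith(EXEC_EXT):
            findings.append(f"{c.path}: executable created under c:\\windows at {c.timestamp}; confirm what wrote it")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_dds(SAMPLE_LOG)):
        print(finding)
```

On the sample this reports three items: the Hotspot Shield watchdog whose command line DDS could not resolve, Lavasoft's `kernexplorer.sys` loaded from under Program Files, and `c:\windows\sed.exe`. None of those is evidence of infection by itself (the four files written to `c:\windows` at 2011-11-02 00:01:55 are ComboFix's own helper tools, which the earlier remark about removing ComboFix covers); the point is to turn a long log into a short list of things to confirm rather than to scan it by eye.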
 
BTW, my machine was just performing very slowly. Extremely slowly. So I checked the task manager and noticed that the CPU was working at a consistent 40-60% but the idle process was close to 99%, and there was very little activity from any other processes in the list. (is this indicative of a rootkit?)

Anyway, I just wanted to update the thread since this is new since my last post.

Hey Jeff. Regarding this post, this problem is still there. My machine takes over 15 minutes to boot-up. Once it does, using Process Explorer, I see that a very high % of the CPU is being used on "Hardware Interrupts and DPCs" (often 30-50%). Is this a hardware problem? I don't think I had this problem before I posted the above quote from page 1 of this thread. But is it possible this is unrelated to the malware problem and just coincidental?
 
Hi Kenny,

Try to hook up your internet with a hardline (wired) connection directly and see if you are still having the problem.
 