
AVG secure search virus or clone mailer problem.

Discussion in 'Virus and Malware Removal' started by glhglh, Feb 20, 2013.

  1. glhglh TechSpot Maniac Posts: 316

    b2cnotiagent.exe
    sure seems suspicious, although the Korean alphabet explanation of the Product owner "B2C NotiAgent MFC 응용 프로그램" simply says Application (응용) program (프로그램); the last little bit is just "pu ro cu ram", the English written in the Korean alphabet. Maybe not so bad, but no reason to boot every time the computer is booted.

    (I can still read and write Korean 45 years after serving as a Peace Corps volunteer there, amazing seeing how difficult it is for me to remember the name of a scanning program in the few seconds it takes me to unplug the USB drive from one computer and put it in another computer.)
  2. Broni Malware Annihilator Posts: 39,288   +175

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O4 - HKLM..\Run: [] File not found
      O18:64bit: - Protocol\Handler\livecall - No CLSID value found
      O18:64bit: - Protocol\Handler\msnim - No CLSID value found
      O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
      O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
      O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
      O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

    Last scans...

    Download Security Check from here or here and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
    NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.


    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
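    The OTL fix above only deletes entries that OTL itself marked as orphaned (a Run value with no file behind it, protocol handlers and a ShellServiceObjectDelayLoad entry whose CLSID no longer resolves). As an added example, not from this thread and not OTL's own code, here is a small decoder that turns each O-line into the registry location it acts on and confirms every line is an orphan before the script is run. The O4/O18/O21 codes follow the HijackThis/OTL section convention; the registry paths in SECTION_KEYS and the reading of untagged lines on x64 as the 32-bit (Wow6432Node) view are this example's assumptions, not tool output.

```python
import re

# OTL section code -> the registry location OTL reports under that code
# (HijackThis/OTL convention; an assumption of this example, not tool output).
SECTION_KEYS = {
    "O4": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "O18": r"HKLM\SOFTWARE\Classes\PROTOCOLS\Handler",
    "O21": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
}
# Text OTL appends when the target of an entry no longer exists on disk or in the registry.
ORPHAN_MARKERS = ("File not found", "No CLSID value found")

HEADER_RE = re.compile(r"^(?P<code>O\d+)(?P<x64>:64bit:)?\s*-\s*(?P<body>.+)$")
BODY_RES = {
    "O4": re.compile(r"^HKLM\.\.\\Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$"),
    "O18": re.compile(r"^Protocol\\Handler\\(?P<name>\S+)\s*-\s*(?P<rest>.*)$"),
    "O21": re.compile(
        r"^SSODL:\s*(?P<name>\S+)\s*-\s*(?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*(?P<rest>.*)$"
    ),
}


def parse_fix_line(line):
    """Decode one O-line of an :OTL fix section; return None for any other line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    body_re = BODY_RES.get(code)
    bm = body_re.match(body) if body_re else None
    fields = bm.groupdict() if bm else {"rest": body}
    return {
        "code": code,
        # On x64, OTL tags entries read from the 64-bit registry view with ':64bit:';
        # untagged entries are taken here to come from the 32-bit (Wow6432Node) view (assumed).
        "view": "native" if m.group("x64") else "wow6432",
        "key": SECTION_KEYS.get(code, "?"),
        "name": fields.get("name"),
        "clsid": fields.get("clsid"),
        "orphan": any(mark in fields.get("rest", "") for mark in ORPHAN_MARKERS),
    }


def analyze_fix(script):
    """Parse every O-line of the :OTL section, stopping at :Commands."""
    entries = []
    for line in script.splitlines():
        if line.strip() == ":Commands":
            break
        entry = parse_fix_line(line)
        if entry:
            entries.append(entry)
    return entries


def non_orphans(entries):
    """Entries the fix would delete that still point at a live target: review these by hand."""
    return [e for e in entries if not e["orphan"]]


# Sample input: the fix script from the post above, embedded verbatim.
SAMPLE_FIX = r"""
:OTL
O4 - HKLM..\Run: [] File not found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

:Commands
[purity]
[emptytemp]
[Reboot]
"""

if __name__ == "__main__":
    found = analyze_fix(SAMPLE_FIX)
    for e in found:
        print(f"{e['code']:<4} {e['view']:<8} {e['key']}\\{e['name']}  orphan={e['orphan']}")
    print("needs manual review:", non_orphans(found) or "none")
```

    Anything `non_orphans` returns is a line that would delete a value still pointing at a real file or CLSID; that is the line to question before clicking Run Fix, since OTL's `[purity]`/`[emptytemp]` commands are harmless but a wrong O4 deletion is not.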
  3. glhglh TechSpot Maniac Posts: 316

    I'm posting this otl log, it doesn't seem right.

    It seems like the computer rebooted too fast in the OTL process.

    Is it OK?
  4. glhglh TechSpot Maniac Posts: 316

    Files\Folders moved on Reboot...
    C:\Users\Randy\AppData\Local\Temp\CVHLauncher(20130222170211ED0).log moved successfully.
    C:\Users\Randy\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
  5. glhglh TechSpot Maniac Posts: 316

    Checkup:

    Results of screen317's Security Check version 0.99.59
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Norton Internet Security
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Adobe Reader 10.1.5 Adobe Reader out of Date!
    Google Chrome 24.0.1312.56
    Google Chrome 24.0.1312.57
    ````````Process Check: objlist.exe by Laurent````````
    Norton ccSvcHst.exe
    SecurityCheck.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````


    Farbar Service Scanner Version: 20-02-2013
    Ran by Randy (administrator) on 22-02-2013 at 17:52:48
    Running from "F:\RRR Virus 2-19-2013"
    Windows 7 Home Premium Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Attempt to access Local Host IP returned error: Localhost is blocked: Destination is offline
    There is no connection to network.
    Attempt to access Google IP returned error.
    Attempt to access Google.com returned error: Other errors
    Attempt to access Yahoo IP returned error.
    Attempt to access Yahoo.com returned error: Other errors


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============

    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => MD5 is legit
    C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\System32\dhcpcore.dll => MD5 is legit
    C:\Windows\System32\drivers\afd.sys => MD5 is legit
    C:\Windows\System32\drivers\tdx.sys => MD5 is legit
    C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\System32\dnsrslvr.dll => MD5 is legit
    C:\Windows\System32\mpssvc.dll => MD5 is legit
    C:\Windows\System32\bfe.dll => MD5 is legit
    C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\System32\SDRSVC.dll => MD5 is legit
    C:\Windows\System32\vssvc.exe => MD5 is legit
    C:\Windows\System32\wscsvc.dll => MD5 is legit
    C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\System32\wuaueng.dll => MD5 is legit
    C:\Windows\System32\qmgr.dll => MD5 is legit
    C:\Windows\System32\es.dll => MD5 is legit
    C:\Windows\System32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\rpcss.dll => MD5 is legit


    **** End of log ****

    I'm having a problem getting it back on our network. So I need to do that before ESET.
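    The FSS log above carries three separate signals that are easy to miss when reading it by eye: every connectivity probe failed, WinDefend is set to Demand where the default is Auto, and the Windows Defender Disabled Policy section shows `"DisableAntiSpyware"=DWORD:1`. As an added example (not from the thread and not Farbar's code), the triage below parses an FSS.txt into its sections and pulls out exactly those kinds of finding. The sample input is an abridged copy of the log posted above; the section-header rule (a line ending in a colon followed by a row of `=`) and the wording used for a failed MD5 check are assumptions of this example.

```python
import re

SERVICE_RE = re.compile(
    r"The start type of (?P<svc>\S+) service is set to (?P<actual>\w+)\. "
    r"The default start type is (?P<default>\w+)\."
)
POLICY_RE = re.compile(r'^"(?P<value>[^"]+)"=DWORD:(?P<data>\d+)$')


def parse_fss(text):
    """Split an FSS.txt into {section name: [non-empty lines]}.

    A section header is a line ending in ':' whose next line is made of '=' only
    (assumed from the log layout). Nested headers such as
    Internet Services > Connection Status are flattened into one dict."""
    lines = [l.strip() for l in text.splitlines()]
    sections, current, i = {}, None, 0
    while i < len(lines):
        line = lines[i]
        if line.endswith(":") and i + 1 < len(lines) and re.fullmatch(r"=+", lines[i + 1]):
            current = line[:-1]
            sections[current] = []
            i += 2
            continue
        if current is not None and line:
            sections[current].append(line)
        i += 1
    return sections


def triage(text):
    """Return (category, detail) findings that deserve a second look."""
    s = parse_fss(text)
    findings = []
    # 1. Connectivity: FSS prints one line per probe; failed probes say 'error'.
    for line in s.get("Connection Status", []):
        if "error" in line:
            findings.append(("network", line))
    for name, lines in s.items():
        # 2. Policy registry values that switch a protection off (non-zero DWORD).
        if name.endswith("Disabled Policy"):
            key = None
            for line in lines:
                if line.startswith("["):
                    key = line.strip("[]")
                m = POLICY_RE.match(line)
                if m and m.group("data") != "0":
                    findings.append(("policy", f"{key}\\{m.group('value')}={m.group('data')}"))
        for line in lines:
            # 3. Services whose start type differs from the Windows default.
            m = SERVICE_RE.search(line)
            if m and m.group("actual") != m.group("default"):
                findings.append(
                    ("service", f"{m.group('svc')} start={m.group('actual')} default={m.group('default')}")
                )
            # 4. Any hashed system file not reported as the known-good MD5
            #    (the exact wording FSS uses for a mismatch is not in the log, so
            #    anything other than 'MD5 is legit' is flagged).
            if "=>" in line and "MD5 is legit" not in line:
                findings.append(("file", line))
    return findings


# Sample input: abridged copy of the FSS log posted in the thread.
SAMPLE_FSS = r"""
Farbar Service Scanner Version: 20-02-2013
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal

Internet Services:
============

Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Destination is offline
There is no connection to network.
Attempt to access Google IP returned error.
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo IP returned error.
Attempt to access Yahoo.com returned error: Other errors

Windows Firewall:
=============

Firewall Disabled Policy:
==================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_FSS):
        print(f"[{category}] {detail}")
```

    Read the policy and service findings together with the SecurityCheck output, which shows Norton Internet Security installed: a third-party suite can legitimately turn Windows Defender off, so these two findings are a prompt to confirm who set them, not proof of tampering. The five failed probes are the finding that actually blocks progress here, and they line up with the poster's report that the machine could not get back on the network.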
  6. Broni Malware Annihilator Posts: 39,288   +175

    Turn computer off.
    Wait 1 minute.
    Restart and see how it goes.
     
  7. glhglh TechSpot Maniac Posts: 316

    I gave up on the wireless. As Windows has tried to make their program more "user friendly", it has become more difficult to track down the problem. The strange "drive Q" still shows, and when I tried to delete the program Yahoo toolbar and the LG drivers, I was unable to.

    When I looked at the wireless network tree, it kept showing a "public network", and I tried to turn the public network off. I removed the Norton and want to go back to the Combofix part. Is it OK to do that?

    I connected it to the wired network and can get to the internet.

    The reason I want to go to combofix is Combofix kept giving me the notice about the antivirus program, even though I had manually stopped all of the services in the program, and in the services section.

    So, shall I go on to ESET?
  8. glhglh TechSpot Maniac Posts: 316

    The RogueKiller run is different than it was yesterday.

    Here is the log:

    RogueKiller V8.5.1 [Feb 21 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website : http://tigzy.geekstogo.com/roguekiller.php
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Randy [Admin rights]
    Mode : Shortcuts HJfix -- Date : 02/23/2013 17:27:13
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 1 ¤¤¤
    [SUSP PATH] Au_.exe -- C:\Users\Randy\AppData\Local\Temp\~nsu.tmp\Au_.exe [-] -> KILLED [TermProc]
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ File attributes restored: ¤¤¤
    Desktop: Success 0 / Fail 0
    Quick launch: Success 0 / Fail 0
    Programs: Success 0 / Fail 0
    Start menu: Success 0 / Fail 0
    User folder: Success 0 / Fail 0
    My documents: Success 0 / Fail 0
    My favorites: Success 0 / Fail 0
    My pictures: Success 0 / Fail 0
    My music: Success 0 / Fail 0
    My videos: Success 0 / Fail 0
    Local drives: Success 1 / Fail 0
    Backup: [NOT FOUND]
    Drives:
    [C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
    [D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
    [E:] \Device\CdRom0 -- 0x5 --> Skipped
    [F:] \Device\HarddiskVolume5 -- 0x2 --> Restored
    [Q:] \Device\SftVol -- 0x3 --> Restored
    Finished : << RKreport[5]_SC_02232013_02d1727.txt >>
    RKreport[1]_S_02212013_02d1636.txt ; RKreport[2]_D_02212013_02d1648.txt ; RKreport[3]_S_02232013_02d1709.txt ; RKreport[4]_SC_02232013_02d1711.txt ; RKreport[5]_SC_02232013_02d1727.txt
  9. Broni Malware Annihilator Posts: 39,288   +175

    Combofix will do this sometimes. Nothing to worry about.
    I still need Eset scan log.
  10. glhglh TechSpot Maniac Posts: 316

    The RogueKiller report I just ran is much different than the one I ran last night. This one found something, au.exe, then was about to check each of the drives, including the Q, and restored it to something.
  11. glhglh TechSpot Maniac Posts: 316

    Yesterday I was unable to receive the properties of the Q drive. After this RogueKiller run I can read some of the properties, and under the owner of the drive, the label is "unable to display current owner" with the box to change owner. Shall I change it to me (administrator)?
    It is not the administrator, or the System (as is the recovery drive).

    I think this is wrong.
  12. glhglh TechSpot Maniac Posts: 316

    It is also a [Q:] \Device\SftVol -- 0x3 --> Restored,

    In order to see the permissions, I have to change the "owner".
  13. Broni Malware Annihilator Posts: 39,288   +175

    Leave that alone for now and give me Eset scan log.
  14. glhglh TechSpot Maniac Posts: 316

    ESET found no threats, but ESET spent 2 hours reviewing Program Files\WildTangent, and again in the user's shortcut to it. It was also installed about the time the problems started.
  15. Broni Malware Annihilator Posts: 39,288   +175

    Wild Tangent games usually come preinstalled. Nothing to worry about.

    What are the current issues?

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions (if present).
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses far fewer resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.
  16. glhglh TechSpot Maniac Posts: 316

    I can't uninstall the "yahoo toolbar", this shows in Control Panel/Program and Features. It shows it was installed about the time the problems started, and does not show a size or version. It also does not show in the IE "manage add-ins" .

    When I try to uninstall it, I get nothing, but I cannot uninstall anything else.

    Also, the Q drive was created when the problem started. It is not a "system" file, has unknown owner, and using the "properties" box, I am unable to change the "owner". All other drives show "SYSTEM" as the owner.
    I want to delete this. Can I do this through HijackThis (although I think that OTL is almost the same)?
  17. Broni Malware Annihilator Posts: 39,288   +175

    Most likely it's just a dead entry. If it doesn't show in any browser, leave it alone.
    If you insist on removing that entry, open "regedit", navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    and delete the "Yahoo! Companion" entry.

    Where exactly do you see Q drive?

    For x86 (x32) bit systems please download Listparts
    For x64 bit systems please download Listparts64

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
  18. glhglh TechSpot Maniac Posts: 316

    I'm frustrated. On the RK report posted above, it shows:
    Drives:
    [C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
    [D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
    [E:] \Device\CdRom0 -- 0x5 --> Skipped
    [F:] \Device\HarddiskVolume5 -- 0x2 --> Restored
    [Q:] \Device\SftVol -- 0x3 --> Restored
    Finished : << RKreport[5]_SC_02232013_02d1727.txt >>

    Q: SFTVol.

    In Windows Explorer, it shows Q, named Bad Drive.

    But in the ListParts64 report, I'm not sure it is there.

    ListParts by Farbar Version: 16-01-2013
    Ran by Randy (administrator) on 24-02-2013 at 13:49:41
    Windows 7 (X64)
    Running From: F:\RRR Virus 2-19-2013
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 40%
    Total physical RAM: 3561.37 MB
    Available physical RAM: 2109.09 MB
    Total Pagefile: 7120.92 MB
    Available Pagefile: 5487.66 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:445.3 GB) (Free:397.71 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    2 Drive d: (Recovery) (Fixed) (Total:20.16 GB) (Free:2.19 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    4 Drive f: (USB20FD) (Removable) (Total:14.95 GB) (Free:14.89 GB) FAT32

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 0 B
    Disk 1 Online 14 GB 0 B

    Partitions of Disk 0:
    ===============

    Disk ID: 915B52F3

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 199 MB 1024 KB
    Partition 2 Primary 445 GB 200 MB
    Partition 3 Primary 20 GB 445 GB
    Partition 4 Primary 103 MB 465 GB

    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 SYSTEM NTFS Partition 199 MB Healthy System (partition with boot components)

    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 445 GB Healthy Boot

    ======================================================================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 D Recovery NTFS Partition 20 GB Healthy

    ======================================================================================================

    Disk: 0
    Partition 4
    Type : 0C
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 HP_TOOLS FAT32 Partition 103 MB Healthy

    ======================================================================================================

    Partitions of Disk 1:
    ===============

    Disk ID: C3072E18

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 14 GB 8104 KB

    ======================================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 F USB20FD FAT32 Removable 14 GB Healthy

    ======================================================================================================

    Windows Boot Manager
    --------------------
    identifier {bootmgr}
    device partition=\Device\HarddiskVolume1
    description Windows Boot Manager
    locale en-US
    inherit {globalsettings}
    extendedinput Yes
    default {current}
    resumeobject {cd0acc27-dcc8-11e1-b953-ddd0e9dd35cd}
    displayorder {current}
    toolsdisplayorder {memdiag}
    timeout 30
    customactions 0x1000085000001
    0x5400000f
    custom:5400000f {96f102d4-2f75-11e2-b4dc-74e543244a4e}

    Windows Boot Loader
    -------------------
    identifier {96f102d4-2f75-11e2-b4dc-74e543244a4e}
    device ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{96f102d5-2f75-11e2-b4dc-74e543244a4e}
    path \windows\system32\winload.exe
    description Windows Recovery Environment
    inherit {bootloadersettings}
    osdevice ramdisk=[D:]\Recovery\WindowsRE\Winre.wim,{96f102d5-2f75-11e2-b4dc-74e543244a4e}
    systemroot \windows
    nx OptIn
    winpe Yes

    Windows Boot Loader
    -------------------
    identifier {current}
    device partition=C:
    path \Windows\system32\winload.exe
    description Windows 7
    locale en-US
    inherit {bootloadersettings}
    recoverysequence {96f102d4-2f75-11e2-b4dc-74e543244a4e}
    recoveryenabled Yes
    osdevice partition=C:
    systemroot \Windows
    resumeobject {cd0acc27-dcc8-11e1-b953-ddd0e9dd35cd}
    nx OptIn

    Resume from Hibernate
    ---------------------
    identifier {cd0acc27-dcc8-11e1-b953-ddd0e9dd35cd}
    device partition=C:
    path \Windows\system32\winresume.exe
    description Windows Resume Application
    locale en-US
    inherit {resumeloadersettings}
    filedevice partition=C:
    filepath \hiberfil.sys
    debugoptionenabled No

    Windows Memory Tester
    ---------------------
    identifier {memdiag}
    device partition=\Device\HarddiskVolume1
    path \boot\memtest.exe
    description Windows Memory Diagnostic
    locale en-US
    inherit {globalsettings}
    badmemoryaccess Yes

    EMS Settings
    ------------
    identifier {emssettings}
    bootems Yes

    Debugger Settings
    -----------------
    identifier {dbgsettings}
    debugtype Serial
    debugport 1
    baudrate 115200

    RAM Defects
    -----------
    identifier {badmemory}

    Global Settings
    ---------------
    identifier {globalsettings}
    inherit {dbgsettings}
    {emssettings}
    {badmemory}

    Boot Loader Settings
    --------------------
    identifier {bootloadersettings}
    inherit {globalsettings}
    {hypervisorsettings}

    Hypervisor Settings
    -------------------
    identifier {hypervisorsettings}
    hypervisordebugtype Serial
    hypervisordebugport 1
    hypervisorbaudrate 115200

    Resume Loader Settings
    ----------------------
    identifier {resumeloadersettings}
    inherit {globalsettings}

    Device options
    --------------
    identifier {96f102d5-2f75-11e2-b4dc-74e543244a4e}
    description Ramdisk Options
    ramdisksdidevice partition=D:
    ramdisksdipath \Recovery\WindowsRE\boot.sdi


    ****** End Of Log ******

    I think the virus is off this machine, but want to make sure it cannot hurt our network again.

    I'll try to get it on the wireless network. (I think that drive was created by someone outside of the network.)
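    The question in this post and in post 8 is the same one: RogueKiller lists a Q: drive backed by `\Device\SftVol`, while ListParts shows only partitions 1 to 4 on Disk 0 and the USB stick on Disk 1, with no Q: anywhere. The two logs can be reconciled mechanically. As an added example (not from the thread, RogueKiller or ListParts), the code below parses the `Drives:` block of a RogueKiller report and the `Drive x:` lines of a ListParts report and returns every letter that is not backed by a physical `\Device\HarddiskVolumeN` partition. The sample inputs are abridged copies of the two logs posted above. Reading RogueKiller's `0x2`/`0x3`/`0x5` as the Win32 GetDriveType values (removable, fixed, CD-ROM) is this example's assumption; it matches the letters in the log but is not documented there.

```python
import re

# Win32 GetDriveType() return values; RogueKiller's hex drive codes are read
# as these values (assumed, not stated in the report).
DRIVE_TYPES = {0: "unknown", 1: "no-root-dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}

RK_DRIVE_RE = re.compile(
    r"^\[(?P<ltr>[A-Z]):\]\s+(?P<dev>\\Device\\\S+)\s+--\s+0x(?P<type>[0-9a-fA-F]+)\s+-->\s+(?P<action>\w+)"
)
LP_DRIVE_RE = re.compile(r"^\d+\s+Drive\s+(?P<ltr>[a-zA-Z]):")
# Device objects that correspond to real disk partitions or optical media.
PHYSICAL_DEV_RE = re.compile(r"^\\Device\\(HarddiskVolume\d+|CdRom\d+)$")


def parse_rk_drives(text):
    """{letter: {device, type, action}} from the 'Drives:' block of a RogueKiller report."""
    drives = {}
    for line in text.splitlines():
        m = RK_DRIVE_RE.match(line.strip())
        if m:
            drives[m.group("ltr")] = {
                "device": m.group("dev"),
                "type": DRIVE_TYPES.get(int(m.group("type"), 16), "?"),
                "action": m.group("action"),
            }
    return drives


def parse_listparts_letters(text):
    """Set of upper-case drive letters that ListParts tied to a partition."""
    letters = set()
    for line in text.splitlines():
        m = LP_DRIVE_RE.match(line.strip())
        if m:
            letters.add(m.group("ltr").upper())
    return letters


def unbacked_drives(rk_text, lp_text):
    """Letters RogueKiller saw that no partition in ListParts accounts for.

    CD-ROM letters are skipped: ListParts enumerates partition tables, so
    optical drives never appear there and are not suspicious by absence."""
    rk = parse_rk_drives(rk_text)
    backed = parse_listparts_letters(lp_text)
    out = []
    for ltr, info in sorted(rk.items()):
        if info["type"] == "cdrom":
            continue
        physical = PHYSICAL_DEV_RE.match(info["device"]) is not None
        if not physical or ltr not in backed:
            out.append((ltr, info["device"], info["type"]))
    return out


# Sample inputs: abridged copies of the RogueKiller and ListParts logs from the thread.
SAMPLE_RK = r"""
Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume3 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume5 -- 0x2 --> Restored
[Q:] \Device\SftVol -- 0x3 --> Restored
Finished : << RKreport[5]_SC_02232013_02d1727.txt >>
"""

SAMPLE_LP = r"""
======================= Partitions =========================

1 Drive c: () (Fixed) (Total:445.3 GB) (Free:397.71 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (Recovery) (Fixed) (Total:20.16 GB) (Free:2.19 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (USB20FD) (Removable) (Total:14.95 GB) (Free:14.89 GB) FAT32
"""

if __name__ == "__main__":
    for ltr, dev, kind in unbacked_drives(SAMPLE_RK, SAMPLE_LP):
        print(f"{ltr}: {dev} ({kind}) has no partition behind it")
```

    The result for these two logs is the single letter Q:, whose device object is `\Device\SftVol` rather than a `HarddiskVolume`. A letter like that is a virtual volume presented by a driver, not a partition, which is why it cannot appear in ListParts, why the disk-partition tools in this thread cannot delete it, and why Explorer shows no owner for it. The check that settles what it is, rather than who created it, is to find the driver behind that device name; `SftVol` is the volume driver of Microsoft Application Virtualization (the SoftGrid/App-V engine that Office 2010 Click-to-Run installs as a Q: drive), and the `CVHLauncher(...).log` that OTL moved in post 4 is that same Click-to-Run component's log, so the two logs together point to Office Click-to-Run rather than to an intruder.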
  19. Broni Malware Annihilator Posts: 39,288   +175

  20. glhglh TechSpot Maniac Posts: 316

    Broni,

    It's clean. I wasn't able to delete the Q drive yet, but the link will help.

    I have to work tomorrow, but will try a couple of scans on the server tomorrow.

    Are there any of the scans you think will work on that old 2003 server?