Title of AVG Anti-Rootkit randomly changes

By elite801
Apr 2, 2008
  1. I just downloaded AVG Anti-Rootkit from and when I open it up after I installed and rebooted my computer, it shows random names on the taskbar such as Tcbxk2dZmm or DcHz5k0RgAqLRPRI. Does this mean I have spyware? Attached is a Hijackthis log
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Hi elite801,

    Yes you are infected, I skimmed your log and noticed a few things

    Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

    If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

    1)AVG log
    2)Combofix log
    3)Hijackthis log (Step 15)

    This thread is for the use of elite801 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. elite801

    elite801 TS Rookie Topic Starter

    taking awhile for me :dead:

    I use Firefox for everything and on step 9 it only cleans the IE stuff when using ccleaner. Is this ok?
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.
  5. elite801

    elite801 TS Rookie Topic Starter

    Finished step 15. I used DSS instead of Combofix. and after I scanned with AVG anti-spyware I forgot to save a log X.X but I have a screenshot of the window with the stuff it found(had to save it as a monochrom bmp). Also, I keep getting an alert from Zonealarm saying nyhome-jdt.home is trying to connect.
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update Tab at the top of the Java console
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions.
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected'at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05

    Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
    I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components :
    1. Click Start, point to Settings, and then click Control Panel.
    2. In Control Panel, double-click Add or Remove Programs.
    3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.

      How to prevent it from being recreated every time you run the AOL software:
      • Open AOL
      • Go to Help on the toolbar
      • Select About AOL
      • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.

    1)Uninstall any of the following program(s) using Add/Remove Programs if they are present. To do this, go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight each one and select Remove.

    Browser Enhancer
    CiD Help
    CiD Manager
    Download Plugin for Internet Explorer
    Messenger Plus
    Ultimate Browser Enhance
    Window Search
    Window Searching
    Zone Media

    2)Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

    3)The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

    4)If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.

    5)Reboot your computer (into safe mode, read instructions below)

    You might want to copy and paste these instructions into a notepad file, and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [Each Bird Upload Mfcd] C:\Documents and Settings\All Users\Application Data\Info mags each bird\balmford.exe

    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accesories, and then click Windows Explorer. Or hold the windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following folders:

    C:\Documents and Settings\All Users\Application Data\Info mags each bird <-This folder only

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log
  7. kritius

    kritius TS Guru Posts: 2,084

    C:\Documents and Settings\All Users\Application Data\Info mags each bird

  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I am almost positive
  9. kritius

    kritius TS Guru Posts: 2,084

    NoLop without the CLSID?
  10. elite801

    elite801 TS Rookie Topic Starter

    Here's the new Hijackthis Log
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Everything looks ok in that log, time to double check it.

    Run Kaspersky Online AV Scanner

    Order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...