Inactive Trojan Horse Agent3

Elen · Mar 7, 2012

Hello guys

I wrote another thread some time ago but it didn't appear :S If it appears later, sorry for posting 2nd.
My problem is a trojan which AVG is white-listing as Trojan Horse Agent3.WJV in WINDOWS/system32/drivers/acpi.sys. My PC runs Windows XP. Those are the preliminaries required:

Malwarebyte:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.07.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: 1674-DF9D5B4F95 [administrator]

07.3.2012 г. 14:02:39
mbam-log-2012-03-07 (14-02-39).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 169503
Time elapsed: 7 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\Administrator\Local Settings\Temp\253.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\jar_cache8744490021329884550.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)

gmer:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-03-07 14:35:32
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250820A rev.3.AAE
Running: u83rvlzx.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\afayrfow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Threads - GMER 1.0.15 ----

Thread System [4:140] 822C739F
Thread System [4:664] 81D330F4

---- EOF - GMER 1.0.15 ----

dds:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 14:40:00 on 2012-03-07
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.511.152 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: DhcpNameServer = 78.128.36.1 193.24.240.25
TCP: Interfaces\{2F3FA8D9-E659-4470-9AB5-6BA72DD094EF} : DhcpNameServer = 78.128.36.1 193.24.240.25
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\0z0654fc.default\
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\2.0.40115.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2012-2-17 232512]
R2 5606;5606;c:\docume~1\admini~1\locals~1\temp\5606.sys [2012-3-7 145408]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-02-17 17:40:17 232512 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-02-17 17:09:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-17 17:09:23 410984 ----a-w- c:\windows\system32\deploytk.dll
.
============= FINISH: 14:41:08,59 ===============

attach:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 17.2.2012 г. 19:12:43
System Uptime: 07.3.2012 г. 14:19:36 (0 hours ago)
.
Motherboard: | | VT8367-8233
Processor: AMD Athlon(tm) processor | Socket A | 2000/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 78 GiB total, 22,91 GiB free.
D: is FIXED (NTFS) - 155 GiB total, 23,937 GiB free.
E: is CDROM ()
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&0&60
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_813910EC&REV_10\3&61AAA01&0&60
Service: RTL8023xp
.
==== System Restore Points ===================
.
RP1: 17.2.2012 г. 19:15:58 - System Checkpoint
RP2: 17.2.2012 г. 19:38:44 - Installed Adobe Reader 9.4.0 - Bulgarian.
RP3: 17.2.2012 г. 19:42:50 - Installed Microsoft Office Enterprise 2007
RP4: 17.2.2012 г. 19:51:54 - Printer Driver Send To Microsoft OneNote Driver Installed
RP5: 17.2.2012 г. 19:58:04 - Printer Driver Send To Microsoft OneNote Driver Installed
RP6: 17.2.2012 г. 20:00:03 - Installed SA Dictionary 2008 Beta 4.
RP7: 17.2.2012 г. 20:09:04 - Инсталиран REALTEK GbE & FE Ethernet PCI NIC Driver
RP8: 17.2.2012 г. 20:11:00 - Installed AVG 2012
RP9: 17.2.2012 г. 20:11:18 - Installed AVG 2012
RP10: 17.2.2012 г. 20:14:45 - Installed Platform
RP11: 19.2.2012 г. 00:45:49 - System Checkpoint
RP12: 20.2.2012 г. 10:14:55 - System Checkpoint
RP13: 21.2.2012 г. 12:34:17 - System Checkpoint
RP14: 22.2.2012 г. 19:46:16 - System Checkpoint
RP15: 23.2.2012 г. 19:47:00 - System Checkpoint
RP16: 24.2.2012 г. 20:46:17 - System Checkpoint
RP17: 25.2.2012 г. 20:51:48 - System Checkpoint
RP18: 26.2.2012 г. 21:50:14 - System Checkpoint
RP19: 27.2.2012 г. 22:30:53 - System Checkpoint
RP20: 28.2.2012 г. 22:51:48 - System Checkpoint
RP21: 29.2.2012 г. 23:51:49 - System Checkpoint
RP22: 02.3.2012 г. 00:52:17 - System Checkpoint
RP23: 03.3.2012 г. 01:50:56 - System Checkpoint
RP24: 04.3.2012 г. 02:50:57 - System Checkpoint
RP25: 05.3.2012 г. 03:50:57 - System Checkpoint
RP26: 06.3.2012 г. 04:50:57 - System Checkpoint
RP27: 07.3.2012 г. 07:11:25 - System Checkpoint
.
==== Installed Programs ======================
.
.
%WS4_ARP_DISPLAY%
Архиватор WinRAR
µTorrent
2007 Microsoft Office Suite Service Pack 2 (SP2)
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0 - Bulgarian
Ashampoo Burning Studio 6 FREE v.6.80
AVG 2012
Bulgarian Keyboards XP by G. Atanasov
CCleaner
DAEMON Tools Lite
Favorite-Games 5.15
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Java(TM) 6 Update 13
K-Lite Mega Codec Pack 7.1.0
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 4.0.1 (x86 bg)
MSXML 4.0 SP3 Parser
PandoraTV Toolbar
PandoraTV Toolbar Updater
Platform
REALTEK GbE & FE Ethernet PCI NIC Driver
SA Dictionary 2008 Beta 4
Skype Toolbars
Skype™ 5.3
The KMPlayer (remove only)
uTorrentControl2 Toolbar
VIA Audio Driver Setup Program
VIA Platform Device Manager
WebFldrs XP
Winamp
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
.
==== Event Viewer Messages From Past Week ========
.
07.3.2012 г. 14:21:07, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: viaagp
07.3.2012 г. 14:20:52, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
.
==== End Of File ===========================

What is next step to go?

Bobbye · Mar 7, 2012

Welcome to TechSpot! I'll help check the system:

Sometimes it takes a while for a new thread to go through the system- I have deleted the duplicate thread.

FYI: ACPI.sys Related to ACPI.sys ACPI Driver for NT from Microfost. This appears to be a legitimate entry. It is possible that it could be infected with malware so we'll check into that.

It is also possible that AVG is giving you a False Positive. However, you do have malware that needs to be removed.
===================================
I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

Download AppRemover and save to the desktop

Double click the setup on the desktop> click Next
Select “Remove Security Application”
Let scan finish to determine security apps
A screen like below will appear:
Click on Next after choice has been made
Check the AVG program you want to uninstall
After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Microsoft Security Essentials
Comodo AV
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

Click START> then RUN
Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Before you run the Combofix scan, please disable any security software you have running.

Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop

Double click combofix.exe

& follow the prompts.
If prompted for Recovery Console, please allow.
Once installed, you should see a blue screen prompt that says:
- The Recovery Console was successfully installed.[/b]
- Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.[/b]
- Note: No query will be made if the Recovery Console is already on the system.
.Close/disable all anti virus and anti malware programs
(If you need help with this, please see HERE)
.Close any open browsers.
.Click on Yes, to continue scanning for malware
.If Combofix asks you to update the program, allow
When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
======================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:

Open the ESETOnlineScan
Skip to #4 to "Continue with the directions"

If you are using a browser other than Internet Explorer
Open Eset Smart Installer
[o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
[o] Double click on the desktop icon to run.
[o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
Continue with the directions.
Check 'Yes I accept terms of use.'
Click Start button
Accept any security warnings from your browser.
Uncheck 'Remove found threats'
Check 'Scan archives/
Leave remaining settings as is.
Press the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
When the scan completes, press List of found threats
Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
Push the Back button, then Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
===================================
Download CKScanner and save to your desktop.

Doubleclick CKScanner.exe and click Search For Files.
When the cursor hourglass disappears, click Save List To File.
A message box will verify that the file is saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

=====================================
My Guidelines: please read and follow:

Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
File sharing programs should be uninstalled or disabled during the cleaning process..
Observe these:
[o] Don't follow directions given to someone else
[o] Don't use any other cleaning programs or scans while I'm helping you.
[o] Don't use a Registry cleaner or make any changes in the Registry.
[o] Don't download and install new programs- except those I give you.

Threads are closed after 5 days if there is no reply.
=============================
Please leave the log for Combofix, Eset scanner and CK Scanner in your next reply.

Do not use the uTorrent Toolbar or any other files sharing program while I'm am helping you.

Elen · Mar 7, 2012

Thank you for helping me, Bobbye

I uninstalled AVG, disabled firewall and uTorrent toolbar/application is inactive. Now combofix log showed this:

ComboFix 12-03-07.05 - Administrator 03.2012 г. 18:02:30.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.511.201 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\kbdBF.dll
.
c:\windows\system32\drivers\usbehci.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-02-07 to 2012-03-07 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 16:37 . 2012-02-17 17:40 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-04-18 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2009-04-18 . C951DB3D9B6EF3CF4B82454D30A8BF59 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{687578b9-7132-4a7a-80e4-30ee31099e03}]
2011-05-09 08:49 176936 ----a-w- c:\program files\uTorrentControl2\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-03 14:31 1514152 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{687578B9-7132-4A7A-80E4-30EE31099E03}"= "c:\program files\uTorrentControl2\prxtbuTor.dll" [2011-05-09 176936]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2012-01-03 1391272]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 21:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 02:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 15:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-08-02 07:33 4910912 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-02-17 18:01 136176 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 09:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [17.2.2012 г. 19:40 232512]
R2 5606;5606;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\5606.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\5606.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-706699826-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-17 18:01]
.
2012-03-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-706699826-839522115-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-17 18:01]
.
2012-03-07 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2012-01-03 14:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 78.128.36.1 193.24.240.25
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0z0654fc.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-07 18:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1606980848-706699826-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,e3,fc,3e,27,43,8b,44,90,83,9d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,e3,fc,3e,27,43,8b,44,90,83,9d,\
.
Completion time: 2012-03-07 18:10:15
ComboFix-quarantined-files.txt 2012-03-07 16:10
.
Pre-Run: 23*774*343*168 bytes free
Post-Run: 23*885*459*456 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 028829928EA9989BC45A51713ED836BE

ESET scanning showed no malware found and didnt produce logs.
And CKScanner file is:

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.OKNAAD
----- EOF -----

Bobbye · Mar 8, 2012

Okay then- between uTorrentControl2 and the Ask Toolbar, you had 21 processes loading from the Registry.

"Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:

Code:

File::
c:\docume~1\ADMINI~1\LOCALS~1\Temp\5606.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\5606.sys
DDS::
uStart Page = about:blank
uURLSearchHooks: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
BHO: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: uTorrentControl2 Toolbar: {687578b9-7132-4a7a-80e4-30ee31099e03} - c:\program files\utorrentcontrol2\prxtbuTor.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"=- 
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{687578b9-7132-4a7a-80e4-30ee31099e03}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{687578b9-7132-4a7a-80e4-30ee31099e03}"=-
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=- 
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{687578B9-7132-4A7A-80E4-30EE31099E03}"=-
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=- 
[HKEY_CLASSES_ROOT\clsid\{687578b9-7132-4a7a-80e4-30ee31099e03}]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Clearjavacache::

Driver::
5606

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
======================================
Delete this Scheduled Task:
c:\windows\Tasks\Scheduled Update for Ask Toolbar
=========================================
Please update Java: Java Updates . Uninstall any earlier versions (2) in Add/Remove Programs as they are vulnerabilities for the system.

Be sure to check all download screens for any pre-check toolbars or BHO> if found, remove the check before the download..
=========================================
You are missing this driver: c:\windows\system32\drivers\usbehci.sys It is for a Miniport Driver from Microsoft.. I can have you see if there is one on your system if you have hardware for it that isn't working.
=====================================
Leave new logs and let me know how the system is doing in your next reply.

Elen · Mar 9, 2012

Hello again! I uninstalled utorrent toolbar(i dont need it) and reinstalled java. But i did something not according to your instructions, sorry :s I reinstalled my avg temporary while waiting for internet browsing. Now I fail to remove it and on top it doesnt work :s Its not showing on control panel programs, it doesnt start, appremover found it as failed uninstall but failed to remove it itself since combofix was anyway finding it as active app. So i ran combofix and it produced this:

ComboFix 12-03-07.05 - Administrator 03.2012 г. 14:25:25.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1251.359.1033.18.511.310 [GMT 2:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
FILE ::
"c:\docume~1\ADMINI~1\LOCALS~1\Temp\5606.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\5606.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\ask.com\GenericAskToolbar.dll
c:\program files\ask.com\updater\Updater.exe
.
c:\windows\system32\drivers\usbehci.sys . . . is missing!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_5606
-------\Service_5606
.
.
((((((((((((((((((((((((( Files Created from 2012-02-09 to 2012-03-09 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 16:37 . 2012-02-17 17:40 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-04-18 . 25A740D70E8007814A48D3FA1B34FA34 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2009-04-18 . C951DB3D9B6EF3CF4B82454D30A8BF59 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-03-07_16.08.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-09 12:35 . 2012-03-09 12:35 16384 c:\windows\Temp\Perflib_Perfdata_600.dat
+ 2011-09-13 04:30 . 2011-09-13 04:30 32592 c:\windows\system32\drivers\avgrkx86.sys
+ 2011-08-08 04:08 . 2011-08-08 04:08 40016 c:\windows\system32\drivers\avgmfx86.sys
+ 2011-10-04 04:21 . 2011-10-04 04:21 16720 c:\windows\system32\drivers\AVGIDSShim.sys
+ 2011-07-10 23:14 . 2011-07-10 23:14 24272 c:\windows\system32\drivers\AVGIDSFilter.sys
+ 2011-07-10 23:14 . 2011-07-10 23:14 23120 c:\windows\system32\drivers\AVGIDSEH.sys
+ 2012-03-09 11:41 . 2012-03-09 11:41 157472 c:\windows\system32\javaws.exe
+ 2012-03-09 11:41 . 2012-03-09 11:41 149280 c:\windows\system32\javaw.exe
+ 2012-03-09 11:41 . 2012-03-09 11:41 149280 c:\windows\system32\java.exe
+ 2011-07-10 23:14 . 2011-07-10 23:14 295248 c:\windows\system32\drivers\avgtdix.sys
+ 2011-10-07 04:23 . 2011-10-07 04:23 230608 c:\windows\system32\drivers\avgldx86.sys
+ 2011-07-10 23:14 . 2011-07-10 23:14 134608 c:\windows\system32\drivers\AVGIDSDriver.sys
+ 2012-03-09 11:41 . 2012-03-09 11:41 472808 c:\windows\system32\deployJava1.dll
+ 2012-03-09 11:41 . 2012-03-09 11:41 203776 c:\windows\Installer\261cb9d.msi
+ 2012-03-09 11:41 . 2012-03-09 11:41 901120 c:\windows\Installer\261cb97.msi
+ 2012-03-08 13:28 . 2012-03-08 13:28 4698112 c:\windows\Installer\49ff371.msi
+ 2012-03-08 13:27 . 2012-03-08 13:27 2186240 c:\windows\Installer\49ff36c.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 21:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 02:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
2008-04-14 15:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-08-02 07:33 4910912 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-02-17 18:01 136176 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 09:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [11.7.2011 г. 01:14 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [13.9.2011 г. 06:30 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [07.10.2011 г. 06:23 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [11.7.2011 г. 01:14 295248]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [17.2.2012 г. 19:40 232512]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [02.8.2011 г. 06:09 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [11.7.2011 г. 01:14 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [11.7.2011 г. 01:14 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [04.10.2011 г. 06:21 16720]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [12.10.2011 г. 06:25 4433248]
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-706699826-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-17 18:01]
.
2012-03-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1606980848-706699826-839522115-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-02-17 18:01]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 78.128.36.1 193.24.240.25
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\0z0654fc.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-09 14:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1606980848-706699826-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,e3,fc,3e,27,43,8b,44,90,83,9d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,db,e3,fc,3e,27,43,8b,44,90,83,9d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1160)
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-03-09 14:37:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-09 12:37
ComboFix2.txt 2012-03-07 16:10
.
Pre-Run: 20*404*822*016 bytes free
Post-Run: 20*386*050*048 bytes free
.
- - End Of File - - 3CB641FC3B537DAF462044BC47107D74

I have no idea about this miniport driver. The pc is old, it may have not working elements in it(ports, there is an old floppy drive that doesnt work but have never been removed)
Except with the new avg problem, the system is working more or less smoothly, i dont see any difference in processing speed than before. I have to note also that windows has been reinstalled recently(2 weeks ago).

Bobbye · Mar 9, 2012

The instructions with the App Remover gave you a choice of 3 free antivirus programs to use in the absence of AVG. Any one of them would have protected the system and you would not have needed to reinstall AVG yet. But in the removal and reinstall, you likely damaged the installer, so it will have to be removed entry by entry.

I have to note also that windows has been reinstalled recently(2 weeks ago).

Noted: Install Date: 17.2.2012 г
RP1: 17.2.2012 г. 19:15:58 - System Checkpoint

And I see the same "r" in the Mbam log:
07.3.2012 г. 14:02:39
mbam-log-2012-03-07 (14-02-39).txt

Please tell me why you did a reinstall and what you used for the reinstall.
I also note that there are no Windows updates.
----------------------------------
Please run the MGA Diagnostics tool

You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool>
You must choose to Run this tool when prompted.
Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
Please return to this thread and Paste the results here for review.

------------------------------------------
This tool will is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
2. Does it read "OEM Software" or "OEM Product" in black lettering?
3. Or, does it have the computer manufacturer's name in black lettering?
4. DO NOT post the Product Key.

NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.

Elen · Mar 9, 2012

How to remove avg entry by entry?

Windows was reinstalled due to corrupt files, some driver files were damaged after a blackout and windows was not booting in normal mode. It was not me who reinstalled windows. It was a IT service which installed it, i didnt have any copy of windows. I think they used windows pro but i cant tell you more, sorry. Here's the MGA Diagnostic Tool result:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-M6PX2-V96BF-8CKBJ
Windows Product Key Hash: n3MqC4LOVOQQgQUf4VrjJV6OaXI=
Windows Product ID: 76487-640-5536995-23577
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {D0D62ED3-6C87-4F64-8262-B108C7D1F275}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.40.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.9.40.0
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Enterprise 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1_E2AD56EA-765-d003_E2AD56EA-766-0_E2AD56EA-134-80004005

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{D0D62ED3-6C87-4F64-8262-B108C7D1F275}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-8CKBJ</PKey><PID>76487-640-5536995-23577</PID><PIDType>1</PIDType><SID>S-1-5-21-1606980848-706699826-839522115</SID><SYSTEM><Manufacturer>VIA Technologies, Inc.</Manufacturer><Model>VT8367-8233</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="2"/><Date>20020902000000.000000+000</Date></BIOS><HWID>F79139170184205F</HWID><UserLCID>0402</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>FLE Standard Time(GMT+02:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.9.40.0"/><File Name="WgaLogon.dll" Version="1.9.40.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>7480B9502DF0D86</Val><Hash>oYWOW5ayFE3pZ+jvTpuXYsY64JE=</Hash><Pid>89388-707-8722531-65183</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="100"/><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="19" Version="12" Result="100"/><App Id="1A" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="44" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/><App Id="BA" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1B7F7:Elitegroup Computer Systems Co Ltd
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A

The "r" you see in the logs translates like a "g" from cyrillic and reffers to a "year".

Bobbye · Mar 9, 2012

Thanks for explaining the "r".

The IT installed the OS using a Volume License. That number is repeated on X number of other machines. Once it's Activated by the user, the Volume status should be gone. But the install needs to be Activated. You will most likely not be able to get the Windows Updates until you do. One one log I see SP2, on another SP3 and yet in one log, I see 'unknown Windows.'

The pc is old, it may have not working elements in it(ports, there is an old floppy drive that doesnt work but have never been removed)

How was the original Windows OS installed and by whom?

I'd like you to see if you can get any updates on the system. You most likely will be blocked from doing so at which point you will need to contact Microsoft.

Elen · Mar 9, 2012

I dont remember how or by whom the original OS was installed, i was not always the one to manage it. I know there was a CD which was lost but i suspect it was not legit

I am able to turn on the updates. Do i need to activate something else or contact the IT service?

Bobbye · Mar 9, 2012

Can you actually get the Windows Update? If the system did not previously have a legitimate OS, you will have had to purchase the OS put on the system using the Volume License, Validate and Activate it- just like you would have had to do if you got a new computer with a Volume License.

Whatever the outcome, you will need to contact Microsoft to see if you can Active the OS properly.

Elen · Mar 9, 2012

It downloads the updates fine. Im getting confused.. what is not working in the OS as it is?Do I really need to go talk to MS? And what happend to the trojan? Did it get cleaned out?

Bobbye · Mar 12, 2012

Courtesy of AVG Forum:

Files which are marked as "Object is white-listed" have to be replaced

How To Replace A System File

It could happen that some system file is infected and cannot be healed. This could happen when the infection is watching the file (to infect it again immediately after any change). In this case, the file needs to be replaced in offline mode (when the host operating system is not running). Here is one way for restoring a specific system file:

Restore system files using the System File check utility:
1. Press the Windows logo key+R.
2. Type sfc /scannow and then click OK. This will check system files and may take a longer period of time.

You may need the OS CD or if you have the Recovery Console installed, you may be able to use that.

As long as you can get the updates, you are probably okay regarding Activation. But keep that in mind if the update process ceases to work.

Inactive Trojan Horse Agent3

Elen

Posts: 6 +0

Bobbye

Posts: 16,313 +36

Elen

Posts: 6 +0

Bobbye

Posts: 16,313 +36

Elen

Posts: 6 +0

Bobbye

Posts: 16,313 +36

Elen

Posts: 6 +0

Bobbye

Posts: 16,313 +36

Elen

Posts: 6 +0

Bobbye

Posts: 16,313 +36

Elen

Posts: 6 +0

Bobbye

Posts: 16,313 +36

Similar threads

Latest posts