TechSpot

Win32/heur sims 2

Solved
By tedus987
Mar 10, 2011
  1. Hi,

    I'm having a major problem with my computer. First AVG flagged a WIN32/Heur virus on my Sims 2 expansion pack, which I found odd...

    This has been the 42nd case where AVG has given a false positive, and after reading 8 forums where they said AVG/HEUR = heuristics I thought the same. Out of anger and frustration with AVG (at one point it highlighted Malwarebytes as an infection...) I removed AVG (except Link Scanner and one other item; it's in the options when you go to remove it) and installed Avast.

    Now I can't access the internet, programs will not load (freezing), and when they do, if I go to try and update they lock. They'll scan for viruses fine, but they lock when I try to update. I have disconnected my PC from the internet to avoid further viruses being downloaded.

    However, I can still get into safe mode and the computer runs at full speed, so it must be when I boot normally. I'm using Avast to try to scan before boot, but I'm still getting nowhere, and I can't reinstall because of the one-time codes for a few of my applications.

    This post is from my uni machine, so logs will take me a day to get. (Not in on weekends, so if asked on Friday it will be Monday.)

    Virus scanners:
    Spybot S&D
    Avast
    Malwarebytes
    ZoneAlarm Extreme Security
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll help you sort this out.

    Going by the complaints of AVG and Win32/Heur we see on this board now, it is most likely that one of three things has happened:
    1. AVG released an update that caused it to pick up some processes and label them as Win32/Heur when they are legitimate processes.
    2. The system is infected with Win32/Heur.
    3. It is an indication of a more serious malware infector such as Virut or Ramnit.

    Unfortunately, we don't know which until we get logs from scans and review them.
    ==========================================
    Edit: Win32/Heur details have been removed as they did not apply.
    ==========================================
    All of the above are the reasons we have to check all of the findings out: to either confirm the finding or look for other malware.
    IF you are using a flash drive, it is very possible the infection could have spread through that. So I recommend disinfecting the flash drive first:
    You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =====================================
    When that has been done, if you cannot access the internet with the problem computer to download the following, you can use the flash drive:

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    ====================================
    Note: you should have only one antivirus program and one firewall on the system. You should either remove Avast or ZoneAlarm Extreme Security.
    Please reboot the computer when through.
  3. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    OK

    OK, I'll do that; I'll post the logs on Monday.

    Keep in mind I am majorly restricted to safe mode.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, now that I've scared you to death>> it turns out all or most of the AVG find of Win32/Heur, currently, is a False Positive. So you should follow this ASAP: http://www.techspot.com/vb/topic162350.html

    If it is a F/P, this update will fix it. If it does not and the problems continue, you should continue the scans. If needed, you can download the programs to a Flash Drive, then install them on the problem computer.

    IF you don't know if the Flash Drive is clean, do this first:
    These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

    Please disinfect all movable drives
    1. Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
    2. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
      Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
    3. The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    4. Wait until it has finished scanning and then exit the program.
    5. Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
    =================
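    The Flash_Disinfector steps in the two posts above describe a point-and-click tool whose protective effect is a hidden folder named autorun.inf at the root of each drive, so that an autorun worm cannot drop its own autorun.inf file there. As an added example (not part of this thread and not sUBs' tool), the PowerShell below audits removable drives for autorun.inf, reports whether what it finds is a file (what such worms leave behind) or the protective folder, and can create that folder on a drive that has already been scanned clean. It assumes Windows PowerShell 2.0 or later and that removable drives are mounted with drive letters; the function names Get-AutorunStatus and Protect-Drive are this example's own.

```powershell
# Added example, not part of the thread and not sUBs' Flash_Disinfector.
# Audits removable drives for autorun.inf and can create the protective hidden
# folder the thread describes. Assumes Windows PowerShell 2.0 or later and that
# removable drives are mounted with drive letters.

function Get-AutorunStatus {
    param(
        # Drive roots to inspect; defaults to every removable drive (WMI DriveType 2).
        [string[]]$Roots = @(Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 2" |
                             ForEach-Object { $_.DeviceID + "\" })
    )
    foreach ($root in $Roots) {
        $path = Join-Path $root "autorun.inf"
        # -Force is required so that hidden/system items are returned at all.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $state = "absent"
        } elseif ($item.PSIsContainer) {
            # A folder at this path cannot be overwritten by a worm's autorun.inf file.
            $state = "protective folder"
        } else {
            # A real autorun.inf file on a flash drive is what autorun worms drop;
            # flag it so the operator reviews its contents before trusting the drive.
            $state = "FILE (review before use)"
        }
        New-Object PSObject -Property @{ Drive = $root; Autorun = $state; Path = $path }
    }
}

function Protect-Drive {
    param([Parameter(Mandatory = $true)][string]$Root)
    $path = Join-Path $Root "autorun.inf"
    if (Test-Path -LiteralPath $path) {
        # Never silently replace an existing autorun.inf; it may be the thing to inspect.
        Write-Warning "$path already exists; run Get-AutorunStatus and review it first."
        return
    }
    $dir = New-Item -ItemType Directory -Path $path
    # Hidden + System keeps the folder out of casual view, matching the note in the thread.
    $dir.Attributes = $dir.Attributes -bor [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System
    Write-Output "Created protective folder $path"
}

# Usage (run from an elevated prompt):
#   Get-AutorunStatus | Format-Table Drive, Autorun -AutoSize
#   Protect-Drive -Root 'F:\'    # only after the drive has been scanned and found clean
```

    The folder only defeats the file-based autorun.inf trick that the thread's "flash drive infection" advice is about; turning AutoPlay off through Group Policy is the more robust control on a patched system, and the two belong together rather than as alternatives.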
  5. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    logs

    I know the initial file was a F/P, but I believe it is something Malwarebytes isn't picking up; after I removed AVG, that's when it all started.

    Malwarebytes log

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5997

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    10/03/2011 20:47:38
    mbam-log-2011-03-10 (20-47-38).txt

    Scan type: Full scan (C:\|E:\|G:\|)
    Objects scanned: 456532
    Time elapsed: 1 hour(s), 27 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER Log

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-03-13 13:13:13
    Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP4T0L0-1b ExcelStor_Technology_J9250S rev.GM2OA52A
    Running: dwkr9i6d.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kfdoyaob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- EOF - GMER 1.0.15 ----

    DDS logs

    .
    DDS (Ver_11-03-05.01) - NTFSx86 MINIMAL
    Run by Administrator at 9:41:27.39 on 13/03/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2795 [GMT 0:00]
    .
    AV: ZoneAlarm Extreme Security Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Extreme Security Firewall *Enabled*
    FW: ActiveArmor Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\explorer.exe
    D:\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
    uSearch Bar = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/sb/*http://uk.yahoo.com/search/ie.html
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    uRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    mRun: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
    mRun: [PCSuiteTrayApplication] c:\progra~1\nokia\nokiap~1\LAUNCH~1.EXE -startup
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
    mRun: [C-Media Mixer] Mixer.exe /startup
    mRun: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=OUxTRlJFRS1WUFVaNy1HMkNNWC1SWFBXQS1QM05aSC05RDIwQy0zN1RT"&"inst=NzctNTYxNTEyODYzLUtWMys3LUJBKzEtWEwrMS1UNC1GUDkyKzYtQkFSOUcrMS1UQjkrMi1GTCs5LUYxME0rNS1RSVgxKzQtWDIwMTArMi1GMTBNMTBDKzE"&"prod=55"&"ver=10.0.1204
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [ZAFFRegisterTrustChecker] "c:\windows\system32\regsvr32.exe" -s "c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustChecker.dll"
    dRunOnce: [ZAFFRegisterTrustCheckerIE] "c:\windows\system32\regsvr32.exe" -s "c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236737580375
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236737555359
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\6ndptuax.default\
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cd1b552&v=6.011.025.001&i=23&tp=ab&iy=&ychte=us&lng=en-GB&q=
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaDownload.dll
    FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaExtensions.dll
    FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft\office live\npOLW.dll
    FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: ForceField Toolbar: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\checkpoint\zaforcefield\TrustChecker
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\avast software\avast\webrep\FF
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    ============= SERVICES / DRIVERS ===============
    .
    S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2011-3-12 128016]
    S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-9 371544]
    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-9 301528]
    S1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-3-12 317072]
    S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-3-21 528128]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-9 19544]
    S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-3-9 42184]
    S2 gupdate1c9c68995412b6;Google Update Service (gupdate1c9c68995412b6);c:\program files\google\update\GoogleUpdate.exe [2009-4-26 133104]
    S2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 26352]
    S2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 493032]
    S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    S3 ActionReplayDS;ActionReplayDS;c:\windows\system32\drivers\actionreplayds.sys [2009-12-19 29184]
    S3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2009-3-7 1310720]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\installedgames\dragon age\bin_ship\daupdatersvc.service.exe [2011-1-5 25832]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-3-7 30192]
    .
    =============== Created Last 30 ================
    .
    2011-03-12 18:46:03 -------- d-----w- c:\docume~1\admini~1\applic~1\MailFrontier
    2011-03-12 18:45:24 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
    2011-03-10 00:22:01 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
    2011-03-09 23:53:53 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\AVG Security Toolbar
    2011-03-09 23:53:25 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Mozilla
    2011-03-09 09:26:11 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-03-09 09:25:27 40648 ----a-w- c:\windows\avastSS.scr
    2011-03-09 09:15:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-03-09 09:15:13 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-03-08 20:56:08 -------- d-----w- c:\program files\AVAST Software
    2011-03-08 20:56:08 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVAST Software
    2011-02-26 23:34:34 48256 ----a-r- c:\windows\system32\drivers\jraid.sys
    2011-02-18 15:21:31 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
    2011-02-18 15:21:31 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
    2011-02-18 15:21:31 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
    2011-02-18 15:21:30 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
    2011-02-18 15:21:30 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
    2011-02-18 15:21:29 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
    2011-02-18 15:21:29 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
    2011-02-18 15:21:28 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
    2011-02-18 15:21:27 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
    2011-02-18 15:21:27 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
    2011-02-18 15:21:27 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
    2011-02-18 15:21:26 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
    .
    ==================== Find3M ====================
    .
    2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59:19 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
    .
    ============= FINISH: 9:42:17.17 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 07/03/2009 10:48:16
    System Uptime: 13/03/2011 09:38:04 (0 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | M2N-SLI
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ | Socket AM2 | 2713/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 233 GiB total, 147.725 GiB free.
    D: is CDROM (CDFS)
    E: is FIXED (NTFS) - 466 GiB total, 396.175 GiB free.
    G: is FIXED (NTFS) - 373 GiB total, 352.943 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    .
    AC3Filter (remove only)
    Action Replay Code Manager
    Adobe Download Manager
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0
    Apple Application Support
    Apple Software Update
    avast! Free Antivirus
    Back to the Future: Ep 1 - It's About Time
    Back to the Future: Ep 2 - Get Tannen!
    C-Media 6501 Sound
    C-Media PCI Audio Device
    Call of Duty: Modern Warfare 2
    Call of Duty: Modern Warfare 2 - Multiplayer
    Combined Community Codec Pack 2006-07-28 (Remove Only)
    Corel Snapfire Plus
    Critical Update for Windows Media Player 11 (KB959772)
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Setup
    DivX Version Checker
    Dragon Age: Origins
    Gamepad Pro USB
    Google Chrome
    Google Desktop
    Google Toolbar for Internet Explorer
    Google Update Helper
    Highlight Viewer (Windows Live Toolbar)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    InterVideo DVDCopy5
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) 6 Update 7
    Junk Mail filter update
    Killing Floor
    Left 4 Dead
    Left 4 Dead 2
    Left 4 Dead 2 Add-on Support
    Malwarebytes' Anti-Malware
    Map Button (Windows Live Toolbar)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Live Add-in 1.3
    Microsoft Office XP Professional with FrontPage
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Windows XP Video Decoder Checkup Utility
    Microsoft Xbox 360 Accessories 1.2
    Mozilla Firefox (3.6.15)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Nokia Connectivity Cable Driver
    Nokia PC Connectivity Solution
    Nokia PC Suite
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    Oblivion
    Oblivion mod manager 1.1.12
    OGA Notifier 2.0.0048.0
    OpenOffice.org 3.0
    Paint.NET v3.36
    PC Probe II
    PCI Audio Driver
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    SiSAGP driver
    Sky Broadband
    Sky Broadband Browser Branding
    Skype™ 5.0
    Smart Menus (Windows Live Toolbar)
    SmartCamera Ver 2.2
    Software Update for Web Folders
    Spybot - Search & Destroy
    Steam
    System Requirements Lab
    The Sims 2 Family Fun Stuff
    The Sims 2 Glamour Life Stuff
    The Sims 2 Open For Business
    The Sims™ 2 Bon Voyage
    The Sims™ 2 Double Deluxe
    The Sims™ 2 FreeTime
    The Sims™ 2 H&M® Fashion Stuff
    The Sims™ 2 IKEA® Home Stuff
    The Sims™ 2 Kitchen & Bath Interior Design Stuff
    The Sims™ 2 Mansion and Garden Stuff
    The Sims™ 2 Teen Style Stuff
    Try Corel Snapfire muvee autoProducer add on
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB978506)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB PC Cam Zoom
    VC 9.0 Runtime
    VC80CRTRedist - 8.0.50727.4053
    Veoh Web Player
    VeohTV BETA
    WebFldrs XP
    Wii Max Media Manager Pro
    Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Favorites for Windows Live Toolbar
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Movie Maker 2.0
    Windows XP Service Pack 3
    WinRAR archiver
    Xvid 1.1.2 final uninstall
    Yahoo! Toolbar
    ZoneAlarm Extreme Security
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/03/2011 18:45:08, error: Service Control Manager [7019] - Circular dependency: The vsdatant service depends on a service in a group which starts later.
    12/03/2011 18:45:08, error: Service Control Manager [7017] - Detected circular dependencies demand starting vsdatant.
    12/03/2011 18:45:08, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: Circular service dependency was specified.
    12/03/2011 18:33:27, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD AmdK8 AsIO aswRdr aswSnx aswSP aswTdi Fips IPSec kl1 KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip vsdatant
    12/03/2011 18:33:18, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    10/03/2011 21:31:29, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    09/03/2011 09:11:40, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD AmdK8 AsIO aswRdr aswSnx aswSP aswTdi Avgtdix Fips IPSec kl1 KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip vsdatant
    09/03/2011 09:11:40, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
    09/03/2011 09:11:40, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    09/03/2011 09:11:40, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    09/03/2011 09:11:40, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    09/03/2011 09:11:40, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    09/03/2011 09:11:11, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    09/03/2011 09:11:09, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    09/03/2011 08:56:23, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ProtexisLicensing service to connect.
    09/03/2011 08:56:23, error: Service Control Manager [7000] - The ProtexisLicensing service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    06/03/2011 13:50:30, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 001E8C9EA4CA has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
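The Service Control Manager entries in the Event Viewer section above are what explain the "no internet" symptom in this thread: one 7026 event lists every boot-start driver that failed to load (the XP TCP/IP stack is in there next to the avast! and ZoneAlarm drivers), the 7001 events name the services that then could not start, and the 7019 event shows the vsdatant circular dependency. The Python below is an added example, not part of this thread and not code from any of the tools it names; it parses pasted Event Viewer lines of that format and reports those three things. The sample input is copied from the events above; the list of core network drivers and the driver-prefix-to-vendor map are my own assumptions.

```python
import re

# Sample input: Service Control Manager and DCOM lines copied from the Event
# Viewer section of the log above (a subset; the parser takes the whole section).
SAMPLE_EVENTS = """\
12/03/2011 18:45:08, error: Service Control Manager [7019] - Circular dependency: The vsdatant service depends on a service in a group which starts later.
12/03/2011 18:45:08, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: Circular service dependency was specified.
12/03/2011 18:33:27, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD AmdK8 AsIO aswRdr aswSnx aswSP aswTdi Fips IPSec kl1 KLIF MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip vsdatant
12/03/2011 18:33:18, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
09/03/2011 09:11:40, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
09/03/2011 09:11:40, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
"""

# One Event Viewer line as the log formats it:
#   dd/mm/yyyy hh:mm:ss, level: Source [EventID] - message
EVENT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)

# Body of a 7001 event: "The X service depends on the Y service which failed ..."
DEPENDS_RE = re.compile(
    r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed"
)

# Assumption: drivers without which the XP network stack cannot come up.
# Any of these in a 7026 list explains a machine with no connectivity.
CORE_NETWORK_DRIVERS = {"Tcpip", "AFD", "NetBT", "NetBIOS", "IPSec"}

# Assumption: driver-name prefixes (lower-case) for the two security products
# in this thread. asw*/Aavmker4 are avast! drivers, vsdatant is ZoneAlarm's
# TrueVector driver, and kl1/KLIF are the Kaspersky engine ZoneAlarm's AV uses.
VENDOR_PREFIXES = {
    "asw": "avast!",
    "aavmker4": "avast!",
    "vsdatant": "ZoneAlarm",
    "kl": "ZoneAlarm (Kaspersky engine)",
}


def parse_events(text):
    """Parse every line that matches the Event Viewer format into a dict."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["id"] = int(e["id"])
            events.append(e)
    return events


def failed_drivers(events):
    """Union of every driver named in a 7026 'failed to load' event."""
    failed = set()
    for e in events:
        if e["id"] == 7026:
            _, _, names = e["msg"].partition("failed to load:")
            failed.update(names.split())
    return failed


def dependency_failures(events):
    """Map each service named in a 7001 event to the dependency that failed."""
    blocked = {}
    for e in events:
        if e["id"] == 7001:
            m = DEPENDS_RE.match(e["msg"])
            if m:
                blocked[m.group("svc")] = m.group("dep")
    return blocked


def attribute(driver):
    """Best-effort vendor for a driver name, using VENDOR_PREFIXES."""
    for prefix, vendor in VENDOR_PREFIXES.items():
        if driver.lower().startswith(prefix):
            return vendor
    return "unknown"


def triage(text):
    """Summarise why networking and the security products are down."""
    events = parse_events(text)
    failed = failed_drivers(events)
    other = failed - CORE_NETWORK_DRIVERS
    return {
        "core_network_failed": sorted(failed & CORE_NETWORK_DRIVERS),
        "other_failed": sorted(other),
        "security_product_failed": {
            d: attribute(d) for d in sorted(other) if attribute(d) != "unknown"
        },
        "blocked_services": dependency_failures(events),
        "circular_dependency": [e["msg"] for e in events if e["id"] == 7019],
    }
```

Call triage() on the Event Viewer section of a saved log; on the sample it separates the five core stack drivers from the avast!, ZoneAlarm and hardware drivers in the same 7026 list, and maps DNS Client, DHCP Client and TrueVector to the specific dependency each is waiting on.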
  6. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    to clarify

    I know the initially detected file was a F/P; that's why I swapped AVG for Avast, but I believe it is something that attacked mid-swap.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Sorry about that lengthy Win32/Heur write-up I left. Of course it was before we realized the bad AVG update was causing the problem, this time. But this finding by AVG can also indicate a file infector like Virut, so we have to check.

    But now you have 2 antivirus programs and 2 firewalls running, and that's not good.
    AV: ZoneAlarm Extreme Security Antivirus
    AV: avast! Antivirus
    FW: ZoneAlarm Extreme Security Firewall
    FW: ActiveArmor Firewall
    >>> There is not enough information in these logs to positively ID this Firewall. It can be legitimate or malware.

    Please remove one of each, as multiples present vulnerabilities. Use the removal below for whichever program you do not want to keep:
    To uninstall ZoneAlarm (it appears that you have the suite):

    • [1] Go to Control Center> go to the Preferences tab of the Overview panel.
      [2] Clear the check box labeled Load ZoneAlarm at startup.
      [3] Reboot the computer.
      [4] In Windows start menu: Go to Start> Programs> Zone Labs
      [5] Click Uninstall ZoneAlarm.
      [6] During the uninstallation process, you will see a dialog box titled "This is a security check from the Zone Labs security engine". Click YES in this dialog box.
    (Note about ZoneAlarm: If you decide to keep this suite, I will have you check some Services and settings. There are Errors indicating it isn't functioning correctly)

    Avast Removal
    Please reboot the computer when through.
    ======================================
    IF you previously had AVG, do you plan to reinstall it after removing the other AV programs? There are some left-over entries.
    ======================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then press Ctrl+V. The log will be pasted from the clipboard into the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ==========================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query - Recovery Console (screenshot not reproduced)
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message (screenshot not reproduced)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow it
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and opened in a text window. Please paste C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  8. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    virus scanners

    ZoneAlarm is my main firewall; its virus scanner is disabled and not in monitoring mode so it does not conflict with Avast.

    Active Armor is nVidia, and I am trying to find a way to disable it.

    I've had it for a year and never had any problem, although I thought I uninstalled it once.

    So I'll either remove it or at least disable it.

    Also, I can't access Eset NOD32 from my home; my PC is offline, and whatever is on my PC is stopping me from accessing the internet. I'll run ComboFix.

    Also, I have looked and I might be able to disable Active Armor, but it's built into the board. (Hurrah, hurrah for Asus.)
  9. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    Eset NOD32 question?

    is there a free non-trial version i could use to get the log from an offline computer?
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No, you need to be online to run an online virus scanner. I have had a few members download the .exe file to a flash drive and run it on the problem computer. But since this can't be updated, I don't recommend it.

    Please go ahead with Combofix; you can use a flash drive for that. There is a part of Combofix that checks for the Recovery Console and, if you don't have it installed, will offer it. But it can't be downloaded offline, so just go on to the scan part of Combofix.

    I knew Active Armor was associated with Nvidia, but it has no CLSID after it like all the other security programs in the header do. For instance:
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ActiveArmor Firewall *Enabled* no identification

    An Nvidia forum suggests this:
    Click on Active Armor icon in Notification Area.
    Set Security Profile to OFF.
    That is usually a right click but if that does not bring up the correct screen, try a double click to open.

    I am not clear about your online status. Are you staying offline because of suspected malware? Can you actually boot into Normal Mode? Even if it causes problem later, it's important to see what's on the system and some processes don't run in Safe Mode.
    .
  11. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    I can boot normally, but my PC slows very quickly. Also, I can run virus scanners, but my PC locks if I try to access Mozilla, or my antivirus locks if I try to update my AV software. I believe the virus is clogging the access and downloading more malicious software; for this reason I have also unplugged my PC from the internet.

    To post these logs I had to run as the admin in safe mode malicious software and then transfer the logs to a flash drive.

    OK, post logs tomorrow.
     
  12. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    combo fix log

    OK, here's the log. Active Armor can't be found; it's not in Services or Add/Remove Programs, and I know I uninstalled it when I swapped it for ZoneAlarm.

    Also, I can't install the Recovery Console while not connected to the internet.
    -----------

    ComboFix 11-03-14.07 - Administrator 15/03/2011 21:57:26.1.2 - x86 MINIMAL
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3070.2791 [GMT 0:00]
    Running from: D:\ComboFix.exe
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ActiveArmor Firewall *Enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
    FW: ZoneAlarm Extreme Security Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\Install.txt
    c:\windows\system32\Install.txt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-15 to 2011-03-15 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-12 18:46 . 2011-03-12 18:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\MailFrontier
    2011-03-12 18:45 . 2009-10-12 18:15 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
    2011-03-12 18:45 . 2010-08-29 02:53 69120 ----a-w- c:\windows\system32\zlcomm.dll
    2011-03-12 18:45 . 2010-08-29 02:53 103936 ----a-w- c:\windows\system32\zlcommdb.dll
    2011-03-10 00:22 . 2011-03-10 00:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-03-09 23:53 . 2011-03-09 23:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
    2011-03-09 23:53 . 2011-03-09 23:53 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2011-03-09 09:26 . 2011-02-23 14:56 301528 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-03-09 09:26 . 2011-02-23 14:54 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-03-09 09:26 . 2011-02-23 14:55 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-03-09 09:26 . 2011-02-23 14:55 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-03-09 09:26 . 2011-02-23 14:56 371544 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-03-09 09:26 . 2011-02-23 14:55 102232 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-03-09 09:26 . 2011-02-23 14:55 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-03-09 09:26 . 2011-02-23 14:54 30680 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-03-09 09:25 . 2011-02-23 15:04 40648 ----a-w- c:\windows\avastSS.scr
    2011-03-09 09:25 . 2011-02-23 15:04 190016 ----a-w- c:\windows\system32\aswBoot.exe
    2011-03-09 09:15 . 2011-03-09 09:15 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-03-08 20:56 . 2011-03-08 20:56 -------- d-----w- c:\program files\AVAST Software
    2011-03-08 20:56 . 2011-03-08 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-03-08 17:30 . 2011-03-08 17:30 -------- d-----w- c:\documents and settings\VS removal & admin\Application Data\AVG10
    2011-02-26 23:34 . 2007-06-13 15:47 48256 ----a-r- c:\windows\system32\drivers\jraid.sys
    2011-02-18 15:21 . 2010-06-02 04:55 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
    2011-02-18 15:21 . 2010-06-02 04:55 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
    2011-02-18 15:21 . 2010-06-02 04:55 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
    2011-02-18 15:21 . 2010-05-26 11:41 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
    2011-02-18 15:21 . 2010-05-26 11:41 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
    2011-02-18 15:21 . 2010-05-26 11:41 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
    2011-02-18 15:21 . 2010-05-26 11:41 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
    2011-02-18 15:21 . 2010-05-26 11:41 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
    2011-02-18 15:21 . 2010-02-04 10:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
    2011-02-18 15:21 . 2010-02-04 10:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
    2011-02-18 15:21 . 2010-02-04 10:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
    2011-02-18 15:21 . 2010-02-04 10:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 13:53 . 2004-08-03 23:56 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 13:53 . 2004-08-03 23:56 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 07:58 . 2009-03-07 10:43 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 11:57 . 2009-03-07 10:43 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 14:44 . 2005-10-15 11:50 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2004-08-03 23:56 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2005-11-08 22:13 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2005-11-23 16:43 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2006-01-16 20:39 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2004-08-03 23:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-12-20 23:59 . 2004-08-03 23:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 18:09 . 2010-03-21 17:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2010-03-21 17:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-20 17:26 . 2005-10-14 16:17 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2004-08-03 21:59 385024 ----a-w- c:\windows\system32\html.iec
    2010-08-11 09:38 . 2009-11-30 23:11 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-02-23 15:04 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-11 30192]
    "XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 718688]
    "C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-17 274608]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-14 13877248]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
    "Corel Photo Downloader"="c:\program files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe" [2007-02-06 478800]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-08-29 1039360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "ZAFFRegisterTrustChecker"="-s" [X]
    "ZAFFRegisterTrustCheckerIE"="-s" [X]
    .
    c:\documents and settings\Luke\Start Menu\Programs\Startup\
    OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-3-7 303104]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Steam\\steam.exe"=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    .
    S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [09/03/2011 09:26 371544]
    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [09/03/2011 09:26 301528]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [09/03/2011 09:26 19544]
    S2 gupdate1c9c68995412b6;Google Update Service (gupdate1c9c68995412b6);c:\program files\Google\Update\GoogleUpdate.exe [26/04/2009 16:07 133104]
    S2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [14/10/2009 13:30 26352]
    S2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [14/10/2009 13:30 493032]
    S3 ActionReplayDS;ActionReplayDS;c:\windows\system32\drivers\actionreplayds.sys [19/12/2009 17:38 29184]
    S3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [07/03/2009 12:44 1310720]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;e:\installedgames\Dragon Age\bin_ship\daupdatersvc.service.exe [05/01/2011 18:30 25832]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [07/03/2009 12:54 30192]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
    .
    2011-03-04 c:\windows\Tasks\defrag main drive.job
    - c:\windows\system32\defrag.exe [2004-08-03 00:12]
    .
    2011-03-07 c:\windows\Tasks\defrag slave 1.job
    - c:\windows\system32\defrag.exe [2004-08-03 00:12]
    .
    2011-03-08 c:\windows\Tasks\defrag slave 2.job
    - c:\windows\system32\defrag.exe [2004-08-03 00:12]
    .
    2011-03-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 16:06]
    .
    2011-03-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-26 16:06]
    .
    2011-03-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-602162358-492894223-839522115-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    2011-03-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-602162358-492894223-839522115-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-11-05 11:33]
    .
    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ndptuax.default\
    FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4cd1b552&v=6.011.025.001&i=23&tp=ab&iy=&ychte=us&lng=en-GB&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: ForceField Toolbar: {FFB96CC1-7EB3-449D-B827-DB661701C6BB} - c:\program files\CheckPoint\ZAForceField\TrustChecker
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
    FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\AVAST Software\Avast\WebRep\FF
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKLM-Run-C6501Sound - c6501.cpl
    HKLM-Run-CmPCIaudio - CMICNFG3.cpl
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-15 22:06
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(1284)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2011-03-15 22:12:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-15 22:12
    .
    Pre-Run: 158,548,115,456 bytes free
    Post-Run: 158,409,502,720 bytes free
    .
    - - End Of File - - 6A27CD99FA10EEE0789B821152C1EC88
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I will remove the Active Armour entry in the Combofix heading. Please tell me if you will be putting AVG back on the system or plan to keep Avast. There are a couple of entries I need to deal with.

    Did you run the Temporary File Cleaner (TFC) when you started?

    It would be very helpful if you could 'limp' online long enough to run the Eset Virus scan.
  14. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    I'm keeping with Avast.

    Yes I did, as per the start the TFC was used.

    Not too sure if I can get online; when I run a browser it will refuse to acknowledge I have commanded it to open and lock up, also virus scanners freeze if I try to update them. I'll try to limp online tonight but if you don't see a response till tomorrow it's probably because I'm still being blocked.
  15. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    OK, still can't get online. I can access my files but if I try to run an app, browser or anti-virus while not in safe mode my PC just locks up on whatever the app was. (Will lock up the file window if I try to run via Program Files, will lock up the task bar if tried from a shortcut or the Start menu, and will lock up the desktop if I try to use a shortcut on the desktop.)

    On top of that it's stopping a load of items from booting (sound handler, Avast, ZoneAlarm, etc...).

    It seems if I try to connect to the internet, it gets worse. So I am fully restricted to the still working safe mode. It says it has downloaded an update, but at the moment it might be best to burn the latest Windows XP update to a CD just in case.

    Will be here till 7:45PM GMT.

    The only consolation is that I never use this PC for Amazon, I have a high security laptop just for that. But this PC is where I do everything that doesn't involve money.

    It's already fully recovered from one serious virus a year before so as long as I can use safe mode there must be an answer.

    This is getting on my nerves, I want my PC back :(
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Just to ease your mind, not everything loads when you're in Safe Mode. And if you choose Safe Mode with Networking, security programs don't load.

    I have already started on a script for you to run. I noticed in the Event Viewer section that you might not have some Services set correctly:
    12/03/2011 18:45:08, error: Service Control Manager [7019] - Circular dependency: The vsdatant service depends on a service in a group which starts later.
    12/03/2011 18:45:08, error: Service Control Manager [7017] - Detected circular dependencies demand starting vsdatant.
    12/03/2011 18:45:08, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: Circular service dependency was specified.

    These 3 refer to ZoneAlarm Services. A Service may run on its own when needed or it may depend on other Services running to start. That's what's happening here:

    Let's try this- it can be done in Safe Mode:

    Click on Start> Run> type in services.msc> enter> Double click on vsmon> Set the Startup type to Automatic> Click on the Dependencies tab> any other Service that THIS Service depends on to run must be set to at least Manual Startup type.

    If there is a Service named Vsdatant, set as you did for vsmon.

    Go back to the list of Services and find any other Services that were listed as a dependency for vsmon and make sure their Startup type is Manual or Automatic.

    Vsdatant is a driver for the ZoneAlarm Firewall service and I think the True Vector Service is vsmon.

    I'm going to take a supper break now- give me a while to go over all the logs again.
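    Bobbye's services.msc walkthrough above, as an added PowerShell example that is not part of the thread: it reports the startup type of a service and of each service or driver it depends on, flags any dependency set to Disabled (the "at least Manual" check), and lists recent Service Control Manager events 7001/7017/7019 like the ones quoted. It assumes Windows PowerShell run as administrator; vsmon and vsdatant are the names taken from the quoted event log entries.

    ```powershell
    # Added example (not from the thread). Mirrors the manual check in services.msc:
    # a service can only start if every service it depends on is set to Manual or Automatic.
    function Test-ServiceDependencies {
        param([Parameter(Mandatory = $true)][string]$Name)

        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        if (-not $svc) {
            # Matches the symptom reported later in the thread: vsmon not listed in Services.
            Write-Warning "Service '$Name' is not installed on this machine."
            return
        }

        # Win32_BaseService covers both Win32 services and kernel drivers (vsdatant is a driver),
        # so StartMode (Auto / Manual / Disabled) is available for every dependency.
        $mode = (Get-WmiObject Win32_BaseService -Filter "Name='$Name'").StartMode
        "{0,-20} StartMode={1,-8} State={2}" -f $svc.Name, $mode, $svc.Status

        foreach ($dep in $svc.ServicesDependedOn) {
            $depMode = (Get-WmiObject Win32_BaseService -Filter "Name='$($dep.Name)'").StartMode
            $flag = if ($depMode -eq 'Disabled') { '  <-- must be at least Manual' } else { '' }
            "  depends on {0,-20} StartMode={1,-8} State={2}{3}" -f $dep.Name, $depMode, $dep.Status, $flag
        }
    }

    # The circular-dependency events Bobbye quoted (IDs 7019, 7017, 7001) from the System log.
    function Get-ScmDependencyEvents {
        Get-EventLog -LogName System -Source 'Service Control Manager' -Newest 500 |
            Where-Object { 7001, 7017, 7019 -contains $_.EventID } |
            Select-Object TimeGenerated, EventID, Message
    }

    Test-ServiceDependencies -Name vsmon
    Test-ServiceDependencies -Name vsdatant
    Get-ScmDependencyEvents | Format-Table -AutoSize -Wrap
    ```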
  17. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    I meant that it wasn't loading when I was trying to use normal mode to get online. Is there any way to access the internet via safe mode?
  18. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    vsmon

    OK, it's not in Services and I think I know why. Back when I first got this I updated all my virus scanners, including ZoneAlarm, by using offline updates. For ZoneAlarm to update it has to save the product key in a file, uninstall itself, reconfigure, re-install itself, enter the product key automatically and then it initialises, and initialises the services....

    However that can't be done in safe mode... I updated ZoneAlarm definitely after the 12th, so the service hasn't been initialised. But I will do that once I can access it normally.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You can access using Safe Mode with Networking- but I don't recommend that because the security programs don't run.

    Safe Mode with Networking: Includes the services and drivers needed for network connectivity. Safe mode with networking enables logging on to the network, logon scripts, security, and Group Policy settings. Nonessential services and startup programs not related to networking do not run. Helpful if needed but should be used with caution as the security programs don't load in this mode.
  20. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    OK, I'll try it tonight.
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, fine.
  22. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    OK, it's not in Services but when I look at the processes it's still there... weird. But the ZoneAlarm service is there, just not vsmon or Vsdatant.

    Could they be under a different name?
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Your security programs are getting 'murky'. Please run the following so we can sort it out:

    Security Check

    Download Security Check by screen317 from HERE or HERE .
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Use a flash drive to download if necessary, then install and run the scan on the problem computer.
  24. tedus987

    tedus987 TS Enthusiast Topic Starter Posts: 186

    Results of screen317's Security Check version 0.99.10
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    Windows Firewall Disabled!
    avast! Free Antivirus
    ZoneAlarm Extreme Security
    Antivirus out of date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 22
    Java(TM) 6 Update 7
    Out of date Java installed!
    Adobe Flash Player 10.2.152.32
    Adobe Reader 7.0
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.15) Firefox Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````End of Log````````````

    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Here's the log.

    Keep in mind the out of date stuff is due to lack of internet.
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I've gone back over the logs to try and find a problem and I cannot. So we will look for a rootkit that may be preventing the access: Please put this on a flash drive, then run on the problem computer:

    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    Please paste log in next reply.

    About this:
    Anytime you update security programs, you should be online. That's the only way you can be sure you're getting the most current ones. My take on this comment is that somehow you saved updates and applied them when you were offline.

    Please give me a current description of the ongoing problems.