Following the virus/malware removal steps would like to know something?
#1 | 05-13-2007 | Jacal (TechSpot Member, St.Catherine, Jamaica; member since Apr 2007, 126 posts)

Does the AVG Antirootkit Programme need AVG Anti-virus to work?
#2 | 05-13-2007 | momok (TechSpot Evangelist, Singapore; member since Mar 2007, 2,272 posts)
Hi,

No, it doesn't. You can install it and run it on its own. It will be saved to the same parent directory (C:\Program Files\Grisoft\) as the other AVG software.
If you have any virus/malware related issues, may I suggest that you visit this thread HERE before you decide whether to clean or reformat your system.

Should you decide to clean your computer, please go ahead with the Viruses/Spyware/Malware, preliminary removal instructions steps to cleaning your computer.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste; otherwise it will be ignored and/or removed by the moderators.


Regards,
Your friendly Momok =)

This thread is for the use of Jacal only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
#3 | 05-13-2007 | Jacal (TechSpot Member, St.Catherine, Jamaica; member since Apr 2007, 126 posts)
Thanks for the information; it's because I already have Norton Internet Security installed on this machine. So I was just wondering. Thanks again for clearing that up for me. I will attach the logs as soon as I am finished.

I have a problem ... I cannot get onto the site that Step 10 is carrying me to. Please help. I have tried using both Mozilla Firefox and Internet Explorer. None of them will load the page.

Last edited by howard_hopkinso; 05-13-2007 at 01:40 PM.. Reason: POSTS MERGED: PLEASE USE THE EDIT BUTTON, RATHER THAN MAKING A NEW POST WHEN THERE ARE NO OTHER REPLIES INBETWEEN, THANKS.
#4 | 05-13-2007 | momok (TechSpot Evangelist, Singapore; member since Mar 2007, 2,272 posts)
Hi,

In that case please carry on with the rest of the steps, and post the requested log files (AVG Antispyware, HijackThis and ComboFix) when you are done.


Regards,
Your friendly Momok =)

#5 | 05-13-2007 | Jacal (TechSpot Member, St.Catherine, Jamaica; member since Apr 2007, 126 posts)
Just the HijackThis and Combofix logs you're gonna be getting, because Norton is installed on the machine. hehe :P
#6 | 05-13-2007 | momok (TechSpot Evangelist, Singapore; member since Mar 2007, 2,272 posts)
Hi,

Please go ahead and install AVG AntiSpyware.
It is different from AVG Antivirus, and its role in the cleaning process is often important, as it detects several infections and trojans that other software (like Norton) does not. I will need to see the log at least once.


Regards,
Your friendly Momok =)

#7 | 05-13-2007 | Jacal (TechSpot Member, St.Catherine, Jamaica; member since Apr 2007, 126 posts)
I have the Anti-spyware installed :P just not the anti-virus. I am doing the part where I am to be in safe mode now on the computer, and talking through another.
#8 | 05-13-2007 | Jacal (TechSpot Member, St.Catherine, Jamaica; member since Apr 2007, 126 posts)
Here are the files from the process. Sorry it took so long.
Attached Files: ComboFix.txt (16.1 KB), hijackthis.log (8.7 KB), Report-Scan-20070513-133457.txt (7.6 KB)
#9 | 05-13-2007 | momok (TechSpot Evangelist, Singapore; member since Mar 2007, 2,272 posts)
Hi,

No worries =) I went to sleep anyway.

Your system is infected with a variety of malware.

(Please back up your registry before you do the next step)

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services (if there); double-click to select Stop if they are running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

BSplayer_WhenUSave_Installer
user32.dll
rare
Shell23


Go to start > Control Panel > Add and Remove Programs.
Remove anything related to the following:

BSplayer_WhenUSave_Installer
Video ActiveX Access
VideoEggPublisher


Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the Processes tab, and end the following processes, if found:

iesmn.exe
VideoEggPublisher.exe


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O3 - Toolbar: Protection Bar - {31615D5C-5126-448A-818A-A7CDFEE85A9B} - C:\Program Files\Video ActiveX Access\iesbpl.dll (file missing)

O4 - HKLM\..\Run: [BSplayer_WhenUSave_Installer] C:\Program Files\BSplayer_WhenUSave_Installer\BSplayer_WhenUSave_Installer.exe

O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe

Fix all O6 entries. Do this if this is your personal system or the administrator did not set any such restrictions.

O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/W...gPublisher.exe

O21 - SSODL: rdihost - {14906C60-AA68-44FC-92E8-01F391E310F2} - rdihost.dll (file missing)

O22 - SharedTaskScheduler: heterandrous - {735e980d-45d2-4777-af82-9923d3c8d3ae} - C:\WINDOWS\system32\kgkdbsk.dll (file missing)

Close HJT.

Navigate in Windows Explorer and delete the following files and folders.

C:\WINDOWS\Cafezee Client Uninstaller.exe
C:\WINDOWS\system32\kgkdbsk.dll
C:\WINDOWS\system32\Explorer.exe
C:\Program Files\Video ActiveX Access\

Go to Start > Run and type regedit. Press Enter.
Navigate manually to HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run and delete the following keys:
"Shell23"="C:\\WINDOWS\\system32\\Explorer "
"BSplayer_WhenUSave_Installer"="C:\\Program Files\\BSplayer_WhenUSave_Installer\\BSplayer_WhenUSave_Installer.exe"


Next, navigate manually to HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run and delete the following:
"rare"="C:\\Program Files\\Video ActiveX Access\\imsmain.exe"
"user32.dll"="C:\\Program Files\\Video ActiveX Access\\iesmn.exe"


Also, press ctrl + F and search for all instances of the following and delete them.
kgkdbsk.dll
rdihost.dll
Driveinfo.exe
sxs.exe

Close the program.

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT and ComboFix logs from normal mode as an attachment into this thread.


Regards,
Your friendly Momok =)


Last edited by momok; 05-13-2007 at 11:00 PM.. Reason: removed erroneous cleaning entries
#10 | 05-14-2007 | Jacal (TechSpot Member, St.Catherine, Jamaica; member since Apr 2007, 126 posts)
Umm, I noticed that you have Cafezee in the list, but that program is the software that I use for the internet cafe that this computer is in. Also, could you please advise as to which are the registries that I am to back up. Thanks

Another thing I noticed :P I read too fast lol .. umm, the process to back up the registry is for Windows 2000, whereas this computer is running Windows XP Professional.

Here are the new HJT and ComboFix logs.
Attached Files: ComboFix.txt (14.7 KB), hijackthis.log (7.6 KB)

Last edited by howard_hopkinso; 05-14-2007 at 05:51 PM.. Reason: POSTS MERGED: PLEASE USE THE EDIT BUTTON, RATHER THAN MAKING A NEW POST WHEN THERE ARE NO OTHER REPLIES INBETWEEN, THANKS.
#11 | 05-15-2007 | momok (TechSpot Evangelist, Singapore; member since Mar 2007, 2,272 posts)
Hi,

Thank you for telling me about Cafezee. I just found it extremely suspicious since there were no hits in Google, and I did not notice any similar software on your system.

Please reboot into safe mode and show all hidden files and folders again.

Open task manager and end the following processes if found:
sxs.exe
toy.exe
driveinfo.exe


Run HijackThis and fix the following entries:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

Close HJT.


Please use the search function in windows explorer and delete all instances of the following:
sxs.exe
toy.exe
driveinfo.exe


Also, do the same for the above 3 files in the Windows registry (start > run > regedit, press ctrl + f).

Reboot into normal mode and rehide your OS files.

Thereafter, please post fresh HJT and ComboFix logs as attachments. Thanks.



Regards,
Your friendly Momok =)

#12 | 05-15-2007 | Jacal (TechSpot Member, St.Catherine, Jamaica; member since Apr 2007, 126 posts)
Here you go
Attached Files: hijackthis.log (7.9 KB), ComboFix.txt (14.7 KB)
#13 | 05-15-2007 | howard_hopkinso (TechSpot Evangelist; member since Aug 2004, 25,949 posts)
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to Add/Remove Programmes in your control panel and uninstall anything to do with the following (if there).

Avi Player

Close control panel.

Open your task manager by holding down the ctrl and alt keys and pressing the delete key.

Click on the Processes tab and end process for the following (if there).

AviPlayer.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Shell23] C:\WINDOWS\system32\Explorer

O4 - HKCU\..\Run: [Avi Player] "C:\Program Files\Avi Player\AviPlayer.exe" hmw

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/down.../OTOYAX29b.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Program Files\Avi Player < Delete the entire folder.
C:\WINDOWS\system32\Explorer.exe < This is nasty; the legit explorer.exe runs from the Windows folder and not the system32 folder.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log and let us know if you're still having problems.

Regards Howard

#14 | 05-15-2007 | Jacal (TechSpot Member, St.Catherine, Jamaica; member since Apr 2007, 126 posts)
First thing though, does the Explorer.exe look anything like a blue square-ish symbol? If so, that is part of the Cafezee program, because it is through that I can use the main computer and set all the other computers' main homepages.
#15 | 05-15-2007 | howard_hopkinso (TechSpot Evangelist; member since Aug 2004, 25,949 posts)
Explorer.exe looks like a My Computer icon and runs from C:\windows\explorer.exe. Yours is running from C:\windows\system32. However, if you have doubts as to whether the file is legit or not, I suggest you do the following.

Please visit this link http://virusscan.jotti.org/
* Click the Browse... button
* Navigate to the following file C:\WINDOWS\system32\Explorer.exe
* Click Open
* Please let me know the results.

Regards Howard

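As an added example (not code from the thread, from HijackThis or from either helper), a small Python checker that parses O4 autostart lines like the ones momok (#9) and Howard (#13, #15) list above and flags the three patterns this thread turned on: an explorer.exe name launched from outside the Windows folder, an autostart placed under Policies\Explorer\Run, and a Run value named after a system DLL. The sample log reuses the O4 lines quoted in the thread plus one constructed benign entry (ExampleUpdater); the heuristics are assumptions of this example, not HJT's own logic.

```python
import ntpath
import re

# HijackThis O4 autostart line:  O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# explorer.exe belongs directly in the Windows folder; a same-named file under system32 (as in this thread) or anywhere else deserves a check.
WINDOWS_ROOT_ONLY = {"explorer"}
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows$")

# Constructed sample: the O4 lines quoted in this thread plus one benign, made-up entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BSplayer_WhenUSave_Installer] C:\Program Files\BSplayer_WhenUSave_Installer\BSplayer_WhenUSave_Installer.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - HKLM\..\Run: [Shell23] C:\WINDOWS\system32\Explorer
O4 - HKCU\..\Run: [Avi Player] "C:\Program Files\Avi Player\AviPlayer.exe" hmw
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

def image_path(cmd: str) -> str:
    """Extract the launched path from an O4 command, quoted ("...") or bare."""
    return cmd.strip().split('"')[1] if cmd.strip().startswith('"') else cmd.strip()

def assess_o4(line: str):
    """Parse one log line; return a finding dict, or None if it is not an O4 entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    path = image_path(m["cmd"])
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()   # e.g. "explorer"
    parent = ntpath.dirname(path).lower().rstrip("\\")          # e.g. "c:\windows\system32"
    reasons = []
    if stem in WINDOWS_ROOT_ONLY and not WINDOWS_ROOT_RE.match(parent):
        reasons.append("Windows-folder binary name launched from elsewhere")
    if "policies\\explorer\\run" in m["key"].lower():
        reasons.append("autostart hidden under Policies\\Explorer\\Run")
    if m["name"].lower().endswith(".dll"):
        reasons.append("value named like a system DLL but launches an EXE")
    return {"hive": m["hive"], "name": m["name"], "path": path, "reasons": reasons}

def suspicious_entries(log_text: str):
    """All O4 entries in a HijackThis log that trip at least one heuristic."""
    findings = (assess_o4(line) for line in log_text.splitlines())
    return [f for f in findings if f and f["reasons"]]

if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_LOG):
        print(f"[{f['hive']}] {f['name']} -> {f['path']}: " + "; ".join(f["reasons"]))
```

The BSplayer and Avi Player entries are deliberately not flagged: nothing in their path or value name is anomalous, which is why the helpers relied on Add/Remove Programs and a vendor lookup rather than the log line alone.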
#16 | 05-15-2007 | Jacal (TechSpot Member, St.Catherine, Jamaica; member since Apr 2007, 126 posts)
Don't worry, I am sure that it is a part of the Cafezee program, because when I deleted it last time it had a problem running the program because of that file missing. The program has a Server and Client mode; the server mode does not have it but the Client mode does, because from the Server you can set the Explorer home page for the Clients.
#17 | 05-15-2007 | howard_hopkinso (TechSpot Evangelist; member since Aug 2004, 25,949 posts)
I don't disbelieve you and it's your call, but I strongly suggest you get that file checked out over at Jotti's or http://www.kaspersky.com/remoteviruschk.html

Regards Howard

#18 | 05-15-2007 | Jacal (TechSpot Member, St.Catherine, Jamaica; member since Apr 2007, 126 posts)
Alright I will. Jotti says the file is ok and kaspersky says the file is too big to scan.

Last edited by Jacal; 05-15-2007 at 01:11 PM..
#19 | 05-15-2007 | momok (TechSpot Evangelist, Singapore; member since Mar 2007, 2,272 posts)
Hi,

Please post the requested log files when you are done with the instructions.
Thanks.


Regards,
Your friendly Momok =)

#20 | 05-16-2007 | Jacal (TechSpot Member, St.Catherine, Jamaica; member since Apr 2007, 126 posts)
Hey, sorry this took so long; had some guy on the computer that just wouldn't want to get off it to let me continue working on it (customers -sigh- ). Well, here are the logs, and the system so far is moving a lot better; have not seen any pop-ups since starting this process. Thanks much guys.
Attached Files: ComboFix.txt (14.6 KB), hijackthis.log (6.4 KB)