PC infected, not able to run any control panel functions, most new pro

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

2 Pages

1 2 >

PC infected, not able to run any control panel functions, most new pro, Unknown infection

Options

chamber View Member Profile	Jul 7 2009, 11:39 AM Post #2
Trusted Helper Posts: 1,703 From: ~/ OS: Linux all the way!	Hello crjaramillo, Welcome to GeeksToGo! My name is chamber and I'll be helping you today. As I am still in training all of my posts have to checked by an expert so there may be some delay between replies. Before we proceed to clean your computer from malware there are some points you should consider that will make the process go smoother. Please have patience, logs take time to properly research so I will not be able to reply immediately. Make sure that you are set to receive an email when I do reply to this topic, this will ensure that you don't miss any replies. There are no silly questions so please just ask! Better safe than sorry. Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know. NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, just ask! Make sure you reply to this thread only, do not start new topics. Please read my posts completely before following the instructions.

chamber View Member Profile	Jul 7 2009, 03:34 PM Post #3
Trusted Helper Posts: 1,703 From: ~/ OS: Linux all the way!	Hi crjaramillo, Lets get to work then. Are you able to access safe mode? For the purpose of this fix AVZ can be run in safe mode if necessary. 1) Multiple antivirus You appear to have a couple of different antivirus programs on your system, Trend Micro and AVG. Having more than one antivirus program, rather than make you more secure will actually lower the security as they will conflict with each other and cause nasties to slip by. You say that Trend Micro is fully up to date therefore would you be wanting to keep that? If you do choose to remove AVG then HERE is a link to the AVG Removal Tool. If you are having any problems with this then please let me know. 2) AVZ Download avz4.zip from here Unzip it to your desktop to a folder named avz4 Double click on AVZ.exe to run it. Run an update by clicking the Auto Update button on the Right of the Log window: Click Start to begin the update Note: If you recieve an error message, chose a different source, then click Start again Start AVZ. Choose from the menu "File" => "Standard scripts " and mark the "Healing/Quarantine and Advanced System Analysis" check box. Click on the �Execute selected scripts�. Automatic scanning, healing and system check will be executed. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan. All applications will work properly after the system restart. When restarted Start AVZ. Choose from the menu "File" => "Standard scripts " and mark the �Advanced System Analysis" check box. Click on the "Execute selected scripts". A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip. Attach both zip files to your next post To attach a file, do the following: Click Add Reply Under the reply panel is the Attachments Panel Browse for the attachment file you want to upload, then click the green Upload button Once it has uploaded, click the Manage Current Attachments drop down box Click on to insert the attachment into your post

chamber View Member Profile	Jul 11 2009, 07:22 AM Post #4
Trusted Helper Posts: 1,703 From: ~/ OS: Linux all the way!	Do you still require assistance?

crjaramillo View Member Profile	Jul 11 2009, 09:40 AM Post #5
Member Posts: 11 OS: Windows XP Pro	QUOTE (chamber @ Jul 11 2009, 06:22 AM) Do you still require assistance? I'm sorry, yes, Ive been busy with work and haven't been home much. I'll try to follow your instructions this afternoon. Thanks for your time

chamber View Member Profile	Jul 11 2009, 05:32 PM Post #6
Trusted Helper Posts: 1,703 From: ~/ OS: Linux all the way!	No problem. Post when ready.

crjaramillo View Member Profile	Jul 15 2009, 01:00 AM Post #7
Member Posts: 11 OS: Windows XP Pro	I ran the AVG removal tool as per your instructions, and then ran AVZ. Both programs were run from Safemode. Attached are the two .zip files that you requested. Thank you for your patience and time, they are much appreciated. virusinfo_syscheck.zip ( 18.26K ) Number of downloads: 8 virusinfo_syscure.zip ( 18.46K ) Number of downloads: 7

chamber View Member Profile	Jul 15 2009, 03:27 PM Post #8
Trusted Helper Posts: 1,703 From: ~/ OS: Linux all the way!	Hi crjaramillo, You're very welcome Can you run this in normal mode please? Please download ComboFix from Here or Here to your Desktop. Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop If you are using Firefox, make sure that your download settings are as follows: Tools->Options->Main tab Set to "Always ask me where to Save the files". During the download, rename Combofix to Combo-Fix as follows: It is important you rename Combofix during the download, but not after. Please do not rename Combofix to other names, but only to the one indicated. Close any open browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.* ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- Double click on combo-Fix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\Combo-Fix.txt" along with a OTL log for further review. Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall

chamber View Member Profile	Jul 19 2009, 11:37 AM Post #10
Trusted Helper Posts: 1,703 From: ~/ OS: Linux all the way!	Hi crjaramillo, Would you be able to run the AVG removal tool again, this time in normal mode? 1) CFScript 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 3. Open notepad and copy/paste the text in the quotebox below into it: QUOTE File:: c:\windows\system32\drivers\AVGIDSErHr.sys c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe Folder:: Registry:: Driver:: AVGIDSErHr AVGIDSWatcher AVGIDSDriver AVGIDSFilter AVGIDSShim AVGIDSAgent Save this as CFScript.txt, in the same location as ComboFix.exe Refering to the picture above, drag CFScript into ComboFix.exe When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. 2) OTL Run OTL Under the Custom Scans/Fixes box at the bottom, paste in the following CODE :OTL PRC - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe (AVG) O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found. O15 - HKLM\..Trusted Domains: trymedia.com ([]http in Trusted sites) O15 - HKLM\..Trusted Domains: trymedia.com ([]https in Trusted sites) :Services :Reg :Files :Commands [purity] [emptytemp] [Reboot] Then click the Run Fix button at the top Let the program run unhindered, reboot the PC when it is done 3) Malwarebytes Please download Malwarebytes' Anti-Malware from Here. Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly. In your reply I would like to see copied and pasted, 1) CFScript 2) Malwarebytes log 3) How is your computer running?

chamber View Member Profile	Jul 22 2009, 04:32 PM Post #11
Trusted Helper Posts: 1,703 From: ~/ OS: Linux all the way!	Hi, Do you still need help?

Essexboy View Member Profile	Jul 23 2009, 02:04 PM Post #12
GeekU Moderator Posts: 18,766 From: Darkest Cornwall OS: Vista Ultimate & Windows 7	Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

crjaramillo View Member Profile	Jul 30 2009, 10:49 PM Post #13
Member Posts: 11 OS: Windows XP Pro	CFScript: File:: c:\windows\system32\drivers\AVGIDSErHr.sys c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe Folder:: Registry:: Driver:: AVGIDSErHr AVGIDSWatcher AVGIDSDriver AVGIDSFilter AVGIDSShim AVGIDSAgent ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ MalwareBytes Log: Malwarebytes' Anti-Malware 1.39 Database version: 2502 Windows 5.1.2600 Service Pack 3 7/30/2009 9:41:27 PM mbam-log-2009-07-30 (21-41-27).txt Scan type: Quick Scan Objects scanned: 108607 Time elapsed: 3 minute(s), 33 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ I posted the contents of "CFScript", did you mean for me to post the CF log? PC is still slow to respond and everything is slow to open, although Control Panel items open and function. Internet Explorer takes forever to open and load a page, and takes between 60-100% CPU usage for the length of time that it takes to do so. I did notice that, after running the fix in CF, IE seemed to function normally, however after the OTL reboot, it was back to creeping along.

chamber View Member Profile	Jul 31 2009, 12:35 AM Post #14
Trusted Helper Posts: 1,703 From: ~/ OS: Linux all the way!	Hi, IF you could post the ComboFix log that woul be great.

crjaramillo View Member Profile	Jul 31 2009, 12:39 AM Post #15
Member Posts: 11 OS: Windows XP Pro	CF Log: ComboFix 09-07-29.04 - HP_Administrator 07/30/2009 16:38.3.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1461 [GMT -7:00] Running from: c:\documents and settings\HP_Administrator\Desktop\Taz\Combo-Fix.exe Command switches used :: c:\documents and settings\HP_Administrator\Desktop\Taz\CFScript.txt AV: Trend Micro Internet Security On-access scanning disabled (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5} FW: Trend Micro Personal Firewall disabled {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6} FILE :: "c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe" "c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe" "c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys" "c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys" "c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys" "c:\windows\system32\drivers\AVGIDSErHr.sys" . ((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 ))))))))))))))))))))))))))))))) . 2009-07-25 22:41 . 2009-07-25 22:41 -------- d-----w- C:\_OTL 2009-07-07 09:01 . 2009-07-07 09:01 -------- d-----w- C:\VundoFix Backups 2009-07-07 07:26 . 2009-07-07 07:26 -------- d-----w- c:\program files\ERUNT 2009-07-04 03:42 . 2009-07-04 03:42 -------- d-----w- C:\Rooter$ 2009-07-04 02:25 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll 2009-07-04 02:25 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-30 18:17 . 2008-12-02 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-07-26 01:35 . 2009-05-29 05:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-07-25 22:38 . 2007-05-05 08:46 -------- d-----w- c:\program files\Apple Software Update 2009-07-13 20:36 . 2009-05-29 05:31 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-07-13 20:36 . 2009-05-29 05:31 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-06-26 16:50 . 2004-08-10 04:00 666624 ----a-w- c:\windows\system32\wininet.dll 2009-06-26 16:50 . 2004-08-10 04:00 81920 ------w- c:\windows\system32\ieencode.dll 2009-06-16 14:36 . 2004-08-10 04:00 81920 ------w- c:\windows\system32\fontsub.dll 2009-06-16 14:36 . 2004-08-10 04:00 119808 ------w- c:\windows\system32\t2embed.dll 2009-06-03 19:09 . 2004-08-10 04:00 1291264 ----a-w- c:\windows\system32\quartz.dll 2009-05-22 08:02 . 2009-03-03 07:55 225296 ----a-w- c:\windows\system32\drivers\tmxpflt.sys 2009-05-22 08:00 . 2009-03-03 07:55 36368 ----a-w- c:\windows\system32\drivers\tmpreflt.sys 2009-05-22 07:45 . 2009-03-03 07:55 1220120 ----a-w- c:\windows\system32\drivers\vsapint.sys 2009-05-18 04:38 . 2008-06-20 03:43 89784 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-05-18 04:34 . 2009-05-18 04:34 152576 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Sun\Java\jre1.6.0_13\lzma.dll 2009-05-16 03:46 . 2009-05-16 03:46 1915520 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe 2009-05-11 18:37 . 2009-01-07 04:25 34062 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Move Networks\ie_bin\Uninst.exe 2009-05-07 15:32 . 2004-08-10 04:00 345600 ------w- c:\windows\system32\localspl.dll 2009-01-08 06:29 . 2009-01-08 06:29 3493888 ----a-w- c:\program files\launchpadremoval.exe 2008-12-27 01:17 . 2008-12-27 01:16 3231826 ----a-w- c:\program files\eMule0.49b-Installer1.exe 2008-12-02 20:21 . 2008-12-02 20:21 1028776 ----a-w- c:\program files\Google Updater.exe 2008-11-25 19:20 . 2008-11-25 19:20 28868320 ----a-w- c:\program files\FileFormatConverters.exe 2008-11-07 22:27 . 2008-11-07 22:26 1234120 ----a-w- c:\program files\wrar380.exe 2008-11-07 20:46 . 2008-11-07 20:46 3407848 ----a-w- c:\program files\YouSendItExpressSetup1_7_3.exe 2008-11-07 20:44 . 2008-11-07 20:43 3453896 ----a-w- c:\program files\YouSendItOutlookSetup2_5_0.exe 2007-05-16 19:55 . 2007-05-16 19:55 22 --sha-w- c:\windows\SMINST\HPCD.sys . ((((((((((((((((((((((((((((( SnapShot@2009-07-19_07.30.49 ))))))))))))))))))))))))))))))))))))))))) . + 2009-07-12 02:41 . 2009-07-12 02:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll + 2008-02-07 10:51 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll - 2008-02-07 10:51 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll + 2004-08-10 04:00 . 2009-06-26 16:50 81920 c:\windows\system32\dllcache\ieencode.dll - 2004-08-10 04:00 . 2009-04-29 04:46 81920 c:\windows\system32\dllcache\ieencode.dll + 2004-08-10 04:00 . 2009-06-16 14:36 81920 c:\windows\system32\dllcache\fontsub.dll - 2007-05-16 18:29 . 2009-07-11 04:21 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe + 2007-05-16 18:29 . 2009-07-19 09:24 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe - 2007-05-16 18:29 . 2009-07-11 04:21 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe + 2007-05-16 18:29 . 2009-07-19 09:24 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe - 2007-05-16 18:29 . 2009-07-11 04:21 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe + 2007-05-16 18:29 . 2009-07-19 09:24 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe + 2007-05-16 18:29 . 2009-07-19 09:24 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe - 2007-05-16 18:29 . 2009-07-11 04:21 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe - 2007-05-16 18:29 . 2009-07-11 04:21 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe + 2007-05-16 18:29 . 2009-07-19 09:24 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe + 2007-05-16 18:29 . 2009-07-19 09:24 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe - 2007-05-16 18:29 . 2009-07-11 04:21 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe - 2004-08-10 04:00 . 2009-04-29 04:46 620032 c:\windows\system32\urlmon.dll + 2004-08-10 04:00 . 2009-06-26 16:50 620032 c:\windows\system32\urlmon.dll - 2004-08-10 04:00 . 2009-04-29 04:46 666624 c:\windows\system32\dllcache\wininet.dll + 2004-08-10 04:00 . 2009-06-26 16:50 666624 c:\windows\system32\dllcache\wininet.dll - 2004-08-10 04:00 . 2009-04-29 04:46 620032 c:\windows\system32\dllcache\urlmon.dll + 2004-08-10 04:00 . 2009-06-26 16:50 620032 c:\windows\system32\dllcache\urlmon.dll + 2004-08-10 04:00 . 2009-06-16 14:36 119808 c:\windows\system32\dllcache\t2embed.dll + 2009-07-29 07:00 . 2009-07-29 07:00 248832 c:\windows\Installer\108d2ec6.msi - 2007-05-16 18:29 . 2009-07-11 04:21 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe + 2007-05-16 18:29 . 2009-07-19 09:24 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe + 2007-05-16 18:29 . 2009-07-19 09:24 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe - 2007-05-16 18:29 . 2009-07-11 04:21 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe + 2007-05-16 18:29 . 2009-07-19 09:24 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe - 2007-05-16 18:29 . 2009-07-11 04:21 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe + 2007-05-16 18:29 . 2009-07-19 09:24 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe - 2007-05-16 18:29 . 2009-07-11 04:21 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe + 2007-05-16 18:29 . 2009-07-19 09:24 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe - 2007-05-16 18:29 . 2009-07-11 04:21 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe + 2004-08-10 04:00 . 2009-07-18 16:05 1509888 c:\windows\system32\shdocvw.dll + 2004-08-10 04:00 . 2009-07-18 16:05 3069440 c:\windows\system32\mshtml.dll + 2004-08-10 04:00 . 2009-07-18 16:05 1509888 c:\windows\system32\dllcache\shdocvw.dll + 2004-08-10 04:00 . 2009-06-03 19:09 1291264 c:\windows\system32\dllcache\quartz.dll + 2004-08-10 04:00 . 2009-07-18 16:05 3069440 c:\windows\system32\dllcache\mshtml.dll + 2009-06-30 18:30 . 2009-06-30 18:30 5520384 c:\windows\Installer\69fec7.msp + 2007-05-01 18:50 . 2009-07-07 15:10 24539592 c:\windows\system32\MRT.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VirtualExpanderFile.1] @="{E4000AC4-5E5F-4956-807A-C5854405D64F}" [HKEY_CLASSES_ROOT\CLSID\{E4000AC4-5E5F-4956-807A-C5854405D64F}] 2008-02-09 21:16 73728 ----a-w- c:\windows\system32\VirtualExpander\VEShellExt.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-02 39408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-13 139264] "HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152] "DISCover"="c:\program files\DISC\DISCover.exe" [2006-03-16 1077248] "DiscUpdateManager"="c:\program files\DISC\DiscUpdMgr.exe" [2006-03-16 61440] "DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568] "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856] "HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-16 49152] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-05-05 282624] "REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352] "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2009-04-01 995528] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-05-18 30192] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-28 8466432] "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-08-28 1626112] "Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2002-11-08 19968] "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2007-10-25 16855552] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264] "OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2009-03-14 492808] c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\ VirtualExpander.lnk - c:\windows\system32\VirtualExpander\VirtualExpander.exe [2008-2-9 474808] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2002-1-9 200704] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624] Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-6-14 36903] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\DISC\\DISCover.exe"= "c:\\Program Files\\DISC\\DiscStreamHub.exe"= "c:\\Program Files\\DISC\\myFTP.exe"= "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\eMule\\emule.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/29/2009 12:37 AM 28544] R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [3/3/2009 12:55 AM 36368] R3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [6/14/2006 8:00 PM 82048] R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [7/29/2008 9:06 AM 335376] R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [6/14/2006 8:00 PM 468768] S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [3/3/2009 12:47 AM 50192] S2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [3/3/2009 12:47 AM 497008] S2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [3/3/2009 12:47 AM 677128] S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/18/2009 3:05 AM 30192] . Contents of the 'Scheduled Tasks' folder 2009-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 22:42] 2009-07-30 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-02 07:27] . . ------- Supplementary Scan ------- . uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-30 16:42 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(2432) c:\windows\system32\nview.dll c:\windows\system32\VirtualExpander\VEShellExt.dll c:\windows\system32\nvwddi.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2009-07-30 16:45 ComboFix-quarantined-files.txt 2009-07-30 23:44 ComboFix2.txt 2009-07-19 22:28 ComboFix3.txt 2009-07-19 07:40 Pre-Run: 251,993,645,056 bytes free Post-Run: 251,998,801,920 bytes free 228 --- E O F --- 2009-07-29 07:00 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Also, even after running the AVG removal tool again the last time, I'm still showing files in C:\Program Files\AVG\AVG8\Identity Protection\agent Thanks for your time

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

2 Pages

1 2 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Infected with trojan not able to run exe files [CLOSED]	2 / 422	1st July 2007 - 04:50 AM sg2papa started - last by Essexboy
Virus, Spyware and Trojan Removal GoogleInstaller and 25A0.tmp have stopped working, Not able to run MBA 12	16 / 164	13th August 2009 - 05:12 PM neuralimplosions started - last by emeraldnzl
Virus, Spyware and Trojan Removal Multiple Infections. Cleaners/Scanners not able to run.	2 / 90	9th September 2009 - 04:48 PM JakeMettle started - last by BHowett
Windows XP�, 2000, 2003, NT not able to install any program	0 / 61	6th October 2009 - 12:27 PM bigdogalex started - last by bigdogalex