web redirect - fake antivirus pop ups - super slow
Started by Big O, Dec 28 2010 05:23 PM
#76
Posted 05 January 2011 - 11:33 PM
#77
Posted 05 January 2011 - 11:50 PM
Downloaded UPHClean and confirmed it was started and ready to go.
D/L Dial-A-Fix and ran it. It had several pop-up errors, all ERROR 127. It read as follows:
C:\windows\system32\iesetup.dll is not registerable or the file is corrupt. Your version is: 8.00.6001.18702. Please contact Dial-A-Fix so an exception can be made for your vresion of this file.
That was the first couple; the remaining ones all read the same except the .dll was different, as was the version:
mshtml.dll (8.00.6001.18999)
msrating.dll (8.00.6001.18702)
occache.dll (8.00.6001.18992)
pngfilt.dll (8.00.6001.18702)
webcheck.dll (8.00.6001.18702)
rebooting now and will try one of the other programs to see if we can get one to work.
#78
Posted 06 January 2011 - 05:29 AM
Looks like Dial-A-Fix may not have been updated to handle IE8.
Hopefully your silence means you went to bed and not that you can't boot.
Ron
#79
Posted 06 January 2011 - 09:38 AM
Shoot, my last post must not have taken. I rebooted and tried mbr and dds and both locked up again at the same spot.
#80
Posted 06 January 2011 - 11:11 AM
OK. Can you verify that Avira is now updating properly?
I'm going to call in the cavalry on this one and ask in our internal forum if anyone has seen something similar.
Ron
#81
Posted 06 January 2011 - 06:15 PM
Avira just updated with no problems.
#82
Posted 06 January 2011 - 06:20 PM
Appears Google Update Service is broken so I'd just uninstall it
I went to add/remove programs and did not find anything relating to Google Update Service. Where would I go to uninstall it?
#83
Posted 06 January 2011 - 08:44 PM
Start, Run, services.msc, OK to bring up the services menu. See if you can find a google update in the list. Right click on it and select properties and then set Startup type:Disabled, OK
#84
Posted 07 January 2011 - 11:28 AM
Besides the above let's see if there are any traces of avg left:
Start, Run, cmd, OK
cd \
dir /a /s avg* > \junk.txt
notepad junk.txt
Copy and paste the result, if any, in a reply.
Ron
#85
Posted 07 January 2011 - 04:57 PM
Volume in drive C has no label.
Volume Serial Number is 7029-4374
Directory of C:\Documents and Settings\All Users\Application Data
12/29/2010 02:37 PM <DIR> avg8
0 File(s) 0 bytes
Directory of C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\LOGFILES
01/07/2011 03:51 PM 45,064 avguard.log
1 File(s) 45,064 bytes
Directory of C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP
01/07/2011 03:51 PM 36,648,916 avguard.tmp
01/07/2011 03:51 PM <DIR> AVGUARD_0bec2c9e
1 File(s) 36,648,916 bytes
Directory of C:\Documents and Settings\Tim Oakley\Application Data
03/07/2010 11:13 AM <DIR> AVG8
0 File(s) 0 bytes
Directory of C:\Documents and Settings\Tim Oakley\Desktop
12/30/2010 09:55 AM 1,420,784 avgremover.log
12/29/2010 02:35 PM 1,086,304 avg_remover_stf_x86_2011_1165.exe
2 File(s) 2,507,088 bytes
Directory of C:\Documents and Settings\Tim Oakley\Recent
12/29/2010 03:56 PM 508 avgremover.lnk
1 File(s) 508 bytes
Directory of C:\Downloads
05/02/2008 10:13 AM 47,787,248 avg_free_stf_en_8_100a1295.exe
1 File(s) 47,787,248 bytes
Directory of C:\Program Files\Avira\AntiVir Desktop
06/17/2010 02:27 PM 435,560 avghook.dll
12/13/2010 08:39 AM 89,448 avgio.dll
06/17/2010 02:27 PM 11,608 avgio.sys
12/13/2010 08:39 AM 281,768 avgnt.exe
12/13/2010 08:40 AM 2,373 avgntflt.inf
12/13/2010 08:39 AM 267,944 avguard.exe
6 File(s) 1,088,701 bytes
Directory of C:\WINDOWS\Prefetch
12/29/2010 10:47 AM 27,768 AVGCMGR.EXE-1D29CBA8.pf
12/29/2010 10:06 AM 29,718 AVGCSRVX.EXE-2F45B5C7.pf
2 File(s) 57,486 bytes
Directory of C:\WINDOWS\system32\drivers
06/17/2010 02:27 PM 45,416 avgntdd.sys
12/13/2010 08:40 AM 61,960 avgntflt.sys
06/17/2010 02:27 PM 22,360 avgntmgr.sys
3 File(s) 129,736 bytes
Total Files Listed:
17 File(s) 88,264,747 bytes
3 Dir(s) 38,658,002,944 bytes free
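The listing above is what `dir /a /s avg*` prints, and the follow-up has to turn it into a short list of unique paths worth acting on. As an added example (my own code, not from anyone in the thread), here is a Python script that parses that format into full paths and sorts them into the buckets a cleanup reviewer cares about. The embedded input is an excerpt of the listing posted above; entry names, dates and sizes are as posted, while the `File(s)` summary lines are recomputed for the excerpt. The category names and the rule that anything under an `\Avira\` directory is a name collision rather than an AVG remnant are my own assumptions, made because Avira's own program files also start with `avg`.

```python
import re
from pathlib import PureWindowsPath

# Excerpt of the `dir /a /s avg*` listing posted earlier in this thread. Entry names, dates
# and sizes are as posted; the per-directory and total summary lines are recomputed for the
# excerpt so that the format stays exactly what cmd.exe prints.
DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 7029-4374

 Directory of C:\Documents and Settings\All Users\Application Data

12/29/2010  02:37 PM    <DIR>          avg8
               0 File(s)              0 bytes

 Directory of C:\Documents and Settings\Tim Oakley\Desktop

12/30/2010  09:55 AM         1,420,784 avgremover.log
12/29/2010  02:35 PM         1,086,304 avg_remover_stf_x86_2011_1165.exe
               2 File(s)      2,507,088 bytes

 Directory of C:\Program Files\Avira\AntiVir Desktop

06/17/2010  02:27 PM           435,560 avghook.dll
12/13/2010  08:39 AM           267,944 avguard.exe
               2 File(s)        703,504 bytes

 Directory of C:\WINDOWS\Prefetch

12/29/2010  10:47 AM            27,768 AVGCMGR.EXE-1D29CBA8.pf
               1 File(s)         27,768 bytes

 Directory of C:\WINDOWS\system32\drivers

06/17/2010  02:27 PM            45,416 avgntdd.sys
12/13/2010  08:40 AM            61,960 avgntflt.sys
               2 File(s)        107,376 bytes

     Total Files Listed:
               7 File(s)      3,345,736 bytes
"""

DIRECTORY_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)


def classify(path):
    """Sort a matched path into a review bucket (bucket names are this example's own)."""
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    if "\\avira\\" in lower:
        # Avira's own binaries are also named avg*, so a bare avg* search picks them up;
        # these belong to the running AV and are not AVG leftovers.
        return "avira (name collision, not AVG)"
    if "\\windows\\system32\\drivers\\" in lower:
        # Loaded at boot, so the most likely place for a stale filter driver to hang a
        # scanner, but also where the installed AV keeps its drivers: in the listing above
        # the avgnt*.sys dates match Avira's program files, so check the owner first.
        return "driver (verify owner first)"
    if "\\windows\\prefetch\\" in lower:
        return "prefetch"          # only records that the binary ran; harmless to delete
    if "remover" in name:
        return "remover tool"      # the vendor's own cleanup utility and its log
    return "avg leftover"


def parse_dir_output(text):
    """Parse `dir /a /s` output into entries with full Windows paths."""
    entries = []
    current_dir = None
    for line in text.splitlines():
        m = DIRECTORY_RE.match(line)
        if m:
            current_dir = m.group("dir")
            continue
        m = ENTRY_RE.match(line)
        if not m or current_dir is None:
            continue  # volume header, 'n File(s)' summaries, blank lines
        size = m.group("size")
        full_path = str(PureWindowsPath(current_dir) / m.group("name"))
        entries.append({
            "path": full_path,
            "is_dir": size == "<DIR>",
            "size": 0 if size == "<DIR>" else int(size.replace(",", "")),
            "date": m.group("date"),
            "category": classify(full_path),
        })
    return entries


def group_by_category(entries):
    """Unique paths per category, sorted, so each path is written down exactly once."""
    groups = {}
    for e in entries:
        groups.setdefault(e["category"], set()).add(e["path"])
    return {cat: sorted(paths) for cat, paths in groups.items()}


if __name__ == "__main__":
    for cat, paths in sorted(group_by_category(parse_dir_output(DIR_OUTPUT)).items()):
        print(f"[{cat}]")
        for p in paths:
            print("   ", p)
```

Run it as-is to see the excerpt grouped, or paste the contents of `junk.txt` into `DIR_OUTPUT` to get the same grouping for a full listing. The point of the buckets is the caveat they encode: a file-name prefix search returns whatever happens to share the prefix, so the installed product's own files and drivers have to be separated from real remnants before anything is deleted.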
#86
Posted 07 January 2011 - 07:43 PM
I see two empty avg8 folders. Can't imagine that they are causing a problem but go ahead and delete:
C:\Documents and Settings\All Users\Application Data\avg8
and
C:\Documents and Settings\Tim Oakley\Application Data\AVG8
Also the two files in Prefetch:
C:\WINDOWS\Prefetch\AVGCMGR.EXE-1D29CBA8.pf
and
C:\WINDOWS\Prefetch\AVGCSRVX.EXE-2F45B5C7.pf
Then see if Combofix still hangs. Is it still warning you about AVG? I think we are past that but one of the guys in our private forum wanted to be sure.
Ron
#87
Posted 07 January 2011 - 08:20 PM
It is still warning about avg. I will go delete those files/folders and give it a shot
#88
Posted 07 January 2011 - 08:59 PM
Combofix is still acting like AVG is running/active. It asked to update to current version again and I allowed it. It is currently running the scan (where it normally hangs up) and we will see how it behaves now.
Earlier before you posted AVIRA ran a scan and found 6 infected files, 5 of which were in system restore locations. It moved all files. I can post a log if it is useful.
Edited by Big O, 07 January 2011 - 09:09 PM.
#89
Posted 07 January 2011 - 09:11 PM
locked up the system again/still.
#90
Posted 07 January 2011 - 09:39 PM
Let me see Avira's log.
Since Combofix starts running after warning about AVG then I think it's not the problem. There is something else going on.
Let's try IceSword:
Please download and unzip Icesword to its own folder on your desktop
If you get a lot of "red entries" in an IceSword log, don't panic.
Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.
Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.
Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.
Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.
Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.
Now post all of the data collected under the headings for:
Processes
Win32 Services
Startup
SSDT
Message Hooks
Note in the above instructions they want you to write down the path and file name of red items. Often the same path and file name will occur many times. I only need for you to write down each unique path/filename.
Ron