web redirect - fake antivirus pop ups - super slow



#76
Big O

Big O

    Member

  • Topic Starter
  • Member
  • 104 posts
I did not have the cd (preloaded) and it offered me the option to skip making a copy of the file and still proceed. About 4-5 times throughout the whole thing.
  • 0



#77
Big O

Big O

    Member

  • Topic Starter
  • Member
  • 104 posts
Downloaded UPHClean and confirmed it was started and ready to go.

D/L Dial-A-Fix and ran it. It had several pop up errors, all ERROR 127. It read as follows

C:\windows\system32\iesetup.dll is not registerable or the file is corrupt. Your version is: 8.00.6001.18702. Please contact Dial-A-Fix so an exception can be made for your version of this file.

That was the first couple; the remaining ones all read the same except the .dll was different, as well as the version:

mshtml.dll (8.00.6001.18999)
msrating.dll (8.00.6001.18702)
occache.dll (8.00.6001.18992)
pngfilt.dll (8.00.6001.18702)
webcheck.dll (8.00.6001.18702)

Rebooting now and will try one of the other programs to see if we can get one to work.
  • 0

#78
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Looks like Dial-A-Fix may not have been updated to handle IE8.

Hopefully your silence means you went to bed and not that you can't boot.

Ron
  • 0

#79
Big O

Big O

    Member

  • Topic Starter
  • Member
  • 104 posts
Shoot, my last post must not have taken. I rebooted and tried mbr and dds and both locked up again at the same spot.
  • 0

#80
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
OK. Can you verify that Avira is now updating properly?

I'm going to call in the cavalry on this one and ask in our internal forum if anyone has seen something similar.

Ron
  • 0

#81
Big O

Big O

    Member

  • Topic Starter
  • Member
  • 104 posts
Avira just updated with no problems.
  • 0

#82
Big O

Big O

    Member

  • Topic Starter
  • Member
  • 104 posts
Appears Google Update Service is broken so I'd just uninstall it

I went to Add/Remove Programs and did not find anything relating to Google Update Service. Where would I go to uninstall it?
  • 0

#83
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Start, Run, services.msc, OK to bring up the services menu. See if you can find a google update in the list. Right click on it and select properties and then set Startup type:Disabled, OK
  • 0

#84
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Besides the above let's see if there are any traces of avg left:

Start, Run, cmd, OK

cd  \

dir  /a  /s  avg*  > \junk.txt

notepad  junk.txt


copy and paste the result if any in a reply.

Ron
  • 0

#85
Big O

Big O

    Member

  • Topic Starter
  • Member
  • 104 posts
Volume in drive C has no label.
Volume Serial Number is 7029-4374

Directory of C:\Documents and Settings\All Users\Application Data

12/29/2010 02:37 PM <DIR> avg8
0 File(s) 0 bytes

Directory of C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\LOGFILES

01/07/2011 03:51 PM 45,064 avguard.log
1 File(s) 45,064 bytes

Directory of C:\Documents and Settings\All Users\Application Data\Avira\AntiVir Desktop\TEMP

01/07/2011 03:51 PM 36,648,916 avguard.tmp
01/07/2011 03:51 PM <DIR> AVGUARD_0bec2c9e
1 File(s) 36,648,916 bytes

Directory of C:\Documents and Settings\Tim Oakley\Application Data

03/07/2010 11:13 AM <DIR> AVG8
0 File(s) 0 bytes

Directory of C:\Documents and Settings\Tim Oakley\Desktop

12/30/2010 09:55 AM 1,420,784 avgremover.log
12/29/2010 02:35 PM 1,086,304 avg_remover_stf_x86_2011_1165.exe
2 File(s) 2,507,088 bytes

Directory of C:\Documents and Settings\Tim Oakley\Recent

12/29/2010 03:56 PM 508 avgremover.lnk
1 File(s) 508 bytes

Directory of C:\Downloads

05/02/2008 10:13 AM 47,787,248 avg_free_stf_en_8_100a1295.exe
1 File(s) 47,787,248 bytes

Directory of C:\Program Files\Avira\AntiVir Desktop

06/17/2010 02:27 PM 435,560 avghook.dll
12/13/2010 08:39 AM 89,448 avgio.dll
06/17/2010 02:27 PM 11,608 avgio.sys
12/13/2010 08:39 AM 281,768 avgnt.exe
12/13/2010 08:40 AM 2,373 avgntflt.inf
12/13/2010 08:39 AM 267,944 avguard.exe
6 File(s) 1,088,701 bytes

Directory of C:\WINDOWS\Prefetch

12/29/2010 10:47 AM 27,768 AVGCMGR.EXE-1D29CBA8.pf
12/29/2010 10:06 AM 29,718 AVGCSRVX.EXE-2F45B5C7.pf
2 File(s) 57,486 bytes

Directory of C:\WINDOWS\system32\drivers

06/17/2010 02:27 PM 45,416 avgntdd.sys
12/13/2010 08:40 AM 61,960 avgntflt.sys
06/17/2010 02:27 PM 22,360 avgntmgr.sys
3 File(s) 129,736 bytes

Total Files Listed:
17 File(s) 88,264,747 bytes
3 Dir(s) 38,658,002,944 bytes free
  • 0
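Ron's dir /a /s avg* search above matches anything whose name starts with "avg", which is why Avira's own avguard and avgio files show up next to the real AVG leftovers. The following is an added example, not code from the thread or from either poster: a small Python parser for the dir /s listing format, run over a constructed excerpt in the same layout as the output posted above, that turns the listing into records and separates Avira's legitimate files and Prefetch traces from the candidate AVG remnants. The classify() labels are a heuristic chosen for this example, not anything Dial-A-Fix, Combofix or the forum prescribes.

```python
"""Parse `dir /a /s <pattern>` output (cmd.exe layout) into records and
group the matches by where they live.

Added example; the listing below is a constructed excerpt in the same
layout as the thread's output, not the complete posted listing."""

import re
from collections import defaultdict

# Constructed sample: same column layout as real `dir /s` output.
SAMPLE_DIR_OUTPUT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 7029-4374

 Directory of C:\Documents and Settings\All Users\Application Data

12/29/2010  02:37 PM    <DIR>          avg8
               0 File(s)              0 bytes

 Directory of C:\Program Files\Avira\AntiVir Desktop

06/17/2010  02:27 PM           435,560 avghook.dll
12/13/2010  08:39 AM           267,944 avguard.exe
               2 File(s)        703,504 bytes

 Directory of C:\WINDOWS\Prefetch

12/29/2010  10:47 AM            27,768 AVGCMGR.EXE-1D29CBA8.pf
               1 File(s)         27,768 bytes

     Total Files Listed:
               3 File(s)        731,272 bytes
               3 Dir(s)  38,658,002,944 bytes free
"""

# " Directory of <path>" introduces each block of entries.
DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# One entry line: date, time, then either <DIR> or a comma-grouped size, then the name.
ENTRY = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>[\d,]+))\s+(?P<name>.+?)\s*$"
)


def parse_dir_listing(text):
    """Return a list of {'path', 'name', 'is_dir', 'size'} dicts.

    Summary lines ('n File(s) ... bytes', 'Total Files Listed:') never start
    with a date, so the ENTRY pattern skips them automatically."""
    entries = []
    current_dir = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group("path")
            continue
        m = ENTRY.match(line)
        if m and current_dir is not None:
            is_dir = m.group("dir") is not None
            entries.append({
                "path": current_dir,
                "name": m.group("name"),
                "is_dir": is_dir,
                "size": 0 if is_dir else int(m.group("size").replace(",", "")),
            })
    return entries


def full_path(entry):
    """Join the directory header with the entry name into one Windows path."""
    return entry["path"].rstrip("\\") + "\\" + entry["name"]


def classify(entry):
    """Heuristic label (this example's own, not the thread's): the avg* glob
    also catches Avira's avg*-named files, which are not AVG leftovers."""
    path = entry["path"].lower()
    if "\\avira\\" in path:
        return "avira"
    if path.endswith("\\prefetch"):
        return "prefetch"
    return "avg-remnant"


def summarize(text):
    """Parse a listing and return {label: sorted unique full paths},
    i.e. the 'each unique path/filename' view Ron asks for."""
    groups = defaultdict(set)
    for entry in parse_dir_listing(text):
        groups[classify(entry)].add(full_path(entry))
    return {label: sorted(paths) for label, paths in groups.items()}


if __name__ == "__main__":
    for label, paths in summarize(SAMPLE_DIR_OUTPUT).items():
        print(label)
        for p in paths:
            print("   ", p)
```

To use it on a real listing, read \junk.txt from the C: root and pass its text to summarize(); the "avg-remnant" bucket is the short list worth reviewing, while the "avira" bucket is the currently installed product and should be left alone.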



#86
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
I see two empty avg8 folders. Can't imagine that they are causing a problem but go ahead and delete:

C:\Documents and Settings\All Users\Application Data\avg8
and
C:\Documents and Settings\Tim Oakley\Application Data\AVG8

Also the two files in Prefetch:

C:\WINDOWS\Prefetch\AVGCMGR.EXE-1D29CBA8.pf
and
C:\WINDOWS\Prefetch\AVGCSRVX.EXE-2F45B5C7.pf

Then see if Combofix still hangs. Is it still warning you about AVG? I think we are past that but one of the guys in our private forum wanted to be sure.

Ron
  • 0

#87
Big O

Big O

    Member

  • Topic Starter
  • Member
  • 104 posts
It is still warning about AVG. I will go delete those files/folders and give it a shot.
  • 0

#88
Big O

Big O

    Member

  • Topic Starter
  • Member
  • 104 posts
Combofix is still acting like AVG is running/active. It asked to update to current version again and I allowed it. It is currently running the scan (where it normally hangs up) and we will see how it behaves now.

Earlier, before you posted, Avira ran a scan and found 6 infected files, 5 of which were in System Restore locations. It moved all files. I can post a log if it is useful.

Edited by Big O, 07 January 2011 - 09:09 PM.

  • 0

#89
Big O

Big O

    Member

  • Topic Starter
  • Member
  • 104 posts
Locked up the system again/still.
  • 0

#90
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Let me see Avira's log.

Since Combofix starts running after warning about AVG then I think it's not the problem. There is something else going on.

Let's try IceSword:

Please download and unzip Icesword to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks


Note in the above instructions they want you to write down the path and file name of red items. Often the same path and file name will occur many times. I only need for you to write down each unique path/filename.


Ron
  • 0