This One is Tuff

A friend(??) was visiting last week and asked to borrow my computer. Two hours later he hollered that my computer wanted to log on to some Antivirus location and that thousands of errors were found on my system.

I discovered that my Google link was being clobbered and it wanted me to go to Antivirus AV360. There were other symptoms too, like some applications not starting and many web pages either errored out, hung during load, loaded partially, or ended with "page not found." About:blank was another frequent error.

I got on the web from another computer and began troubleshooting AV360. I found some "manual removal" recommendations and many, many downloadable tools, most of which would scan but do nothing more unless you paid someone.

I contacted a computer consultant who advised me to download "combofix." He also reported another customer who had the same problem and that customer resolved all his problems with the combo tool.

I tried to load it on the affected computer and it won't run, not even in safe mode. Also the affected computer's web browser won't even go to the www.bleepingcomputer.com page where the docs and downloads for combofix are located. Similarly, the browser won't go to many other antivirus pages or execute other antivirus tools.

I was able to get combofix and Malwarebytes to execute on the computer I'm using to make this entry. I was on the Malwarebytes site and downloaded the HiJackThis tool that was recommended by the site. That tool won't run either. The Malwarebytes page advised me to open this topic to document the problems I've been seeing.

Some tools I had on the computer and/or added to fix these problems, that do run and don't find any problems are:

Avira Antivirus Personal

Microsoft Defender

Ad-Aware

AVG-Free


After reading other topics on this forum I ran CCleaner and then after renaming some of the tools that wouldn't work I got the following from HiJackThis output.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:14 PM, on 3/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SEC\Natural Color Pro\NCProTray.exe
D:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://athp.hp.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {D263FA6D-84CC-48A8-9AF6-C664362B7A5B} - (no file)
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [iDA] C:\Program Files\Hewlett-Packard\PC COE\IDA.EXE
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [COEMsgDisplay] C:\Program Files\Hewlett-Packard\PC COE\COEMsgDisplay.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "G:\Program Files\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AV360RemovalTool] C:\Program Files\AV360RemovalTool\AV360RemovalTool.exe -boot
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\GetFlash.exe (User 'Default user')
O4 - Startup: VZAccess Manager.lnk = D:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Office10\OSA.EXE
O4 - Global Startup: NCProTray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com
O15 - Trusted Zone: http://ie.config.eur.compaq.com
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com
O15 - Trusted Zone: http://ie.config.jp.compaq.com
O15 - Trusted Zone: http://ie.config.ecom.dec.com
O15 - Trusted Zone: http://ie.config.tandem.com
O15 - Trusted Zone: http://ie.config.asia.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.eur.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.im.hou.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.jp.compaq.com (HKLM)
O15 - Trusted Zone: http://ie.config.ecom.dec.com (HKLM)
O15 - Trusted Zone: http://ie.config.tandem.com (HKLM)
O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms14 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.0.8.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lowrance.com/software/PCSoftwar...332C/isetup.cab
O16 - DPF: {A1BFBE93-8D91-427C-965B-72088CFAADF4} (CCertificateDelete Object) - https://digitalbadge.external.hp.com/vpn/vscertdel.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{10E3A9EE-D4B4-483E-9C4A-FCA383F4E33C}: NameServer = 192.168.0.1,192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F6B35B6-B791-442A-9413-1F88EB9E2F88}: NameServer = 69.78.96.14 66.174.92.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CS1\Services\Tcpip\..\{10E3A9EE-D4B4-483E-9C4A-FCA383F4E33C}: NameServer = 192.168.0.1,192.168.1.1
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{10E3A9EE-D4B4-483E-9C4A-FCA383F4E33C}: NameServer = 192.168.0.1,192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = AMERICAS.cpqcorp.net,AMERICAS.hpqcorp.net,hpqcorp.net,cpqcorp.net
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: c:\windows\system32\vitamine.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Program Files\aawservice.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - G:\Program Files\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Update Service (gupdate1c967ae84c9dec4) (gupdate1c967ae84c9dec4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Radia Notify Daemon (radexecd) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Hewlett-Packard - C:\Program Files\Hewlett-Packard\PC COE 3\OV CMS\Radstgms.exe

--
End of file - 9177 bytes

By renaming I was able to get MBAM installed on my affected system but I am, as yet, unable to get it to execute. I'm still digging and will post progress updates.

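A HijackThis log like the one above is read by section prefix (O2 browser helper objects, O4 autostarts, O6 IE policy restrictions, O10 Winsock LSPs, O17 DNS settings, O20 AppInit_DLLs, O23 services). The script below is an added example, not part of this thread and not a Malwarebytes or Trend Micro tool: it parses lines copied from the log posted above and flags the entry types a helper would look at first during a hijack cleanup. The flags are "review this" markers, not verdicts; nothing here decides whether a given file is malicious.

```python
import ipaddress
import re
from collections import Counter

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {D263FA6D-84CC-48A8-9AF6-C664362B7A5B} - (no file)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [AV360RemovalTool] C:\Program Files\AV360RemovalTool\AV360RemovalTool.exe -boot
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{10E3A9EE-D4B4-483E-9C4A-FCA383F4E33C}: NameServer = 192.168.0.1,192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F6B35B6-B791-442A-9413-1F88EB9E2F88}: NameServer = 69.78.96.14 66.174.92.14
O20 - AppInit_DLLs: c:\windows\system32\vitamine.dll
O23 - Service: Lan Discover Agent (magaService) - Unknown owner - C:\Program Files\Sygate\SSA\maga\maga.exe (file missing)
"""

# HijackThis entries start with a section code (R0-R3, F0-F3, N1-N4, O1-O24), then " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hjt(text):
    """Return (section, body) pairs for every entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def public_nameservers(body):
    """IPv4 addresses in an O17 NameServer entry that are routable on the internet.

    Private (RFC 1918) addresses such as a home router are left out; public resolvers
    are returned so the owner can confirm they belong to the ISP, since silently
    swapped DNS servers are a classic way a hijacker keeps control after cleanup.
    """
    public = []
    for ip in IPV4_RE.findall(body):
        try:
            if ipaddress.ip_address(ip).is_global:
                public.append(ip)
        except ValueError:  # regex accepts octets > 255; ignore those
            pass
    return public


def triage(entries):
    """Flag the entry types a helper would want a human to look at first."""
    findings = []
    for section, body in entries:
        reason = None
        if "(no file)" in body or "(file missing)" in body:
            reason = "orphaned entry: registry points at a file that no longer exists"
        elif section == "O6":
            reason = "IE policy restrictions are set; these can block changing settings"
        elif section == "O10":
            reason = "Winsock LSP that HijackThis does not recognise; LSPs see all socket traffic"
        elif section == "O17":
            pub = public_nameservers(body)
            if pub:
                reason = "public DNS resolvers configured: " + ", ".join(pub) + " (confirm they are your ISP's)"
        elif section == "O20":
            reason = "AppInit_DLLs / Winlogon Notify: loaded into many processes at start-up"
        if reason:
            findings.append({"section": section, "reason": reason, "entry": body})
    return findings


def summarize(findings):
    """Count flagged entries per HijackThis section."""
    return Counter(f["section"] for f in findings)


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f['section']:>4}  {f['reason']}\n      {f['entry']}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; O4 autostart lines pointing at known vendor paths are deliberately left alone, since a list of every Run key entry is noise rather than a finding.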

  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


I already had a "Recovery Console" boot option but it wanted to log on as "Administrator". I was unable to find the correct password, but that led me to discover I had an administrator called STadmin.

I booted normally and logged in as STadmin. With that login I discovered I could run Malwarebytes Anti-Malware (MBAM). However, I was unable to "update" MBAM with that user. I'll have to figure out why STadmin didn't have network functionality. However, MBAM did remove 8 things it found. When that was done I rebooted everything normally and as my normal user (the one that was broken and caused this post) I was able to run MBAM again and this time update MBAM. I was still unable to run ComboFix.

Once again, I ran a complete MBAM after the update and this time it found two more keys that were corrupt. I let MBAM remove them and now I could run ComboFix.

At this point everything seems to be running normally. At least I can now get to webpages that errored before and my browser "appears" to be normal again. I'll post more if other problems are detected or return.

Many thanks for the forum. It was nice to discover I'm not the only one getting hit with this &**()*&^ stuff. Thanks also to the "experts" who provide the inputs.


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
