Paulw

Agent L Virus


Hello,

My computer keeps crashing so I suspected a virus / malware. I ran Malwarebytes which found some Adware but nothing more.

Malwarebytes cleared it but it kept coming back so I ran and installed Avira which found Agent L virus amongst others and cleared it.

The problem is still happening. Could someone have a look at my logs and let me know if there is something I've missed?

(GMER keeps crashing when I run it in normal mode, so ARK.txt is from a Safe Mode run of the program.)

Attach.txt and ARK.txt zipped and attached. DDS details below:

DDS (Ver_10-12-12.02) - NTFSx86

Run by Paul at 11:50:12.28 on 20/01/2011

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2937.2055 [GMT 0:00]

AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}

AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *Enabled*

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\AVG\AVG10\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\AVG\AVG10\avgnsx.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\ThpSrv.exe

C:\WINDOWS\system32\TODDSrv.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe

C:\WINDOWS\system32\TPSMain.exe

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe

C:\WINDOWS\system32\igfxext.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe

C:\WINDOWS\system32\thpsrv.exe

C:\Program Files\TOSHIBA\Controls\VolumeIndicator.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe

C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe

C:\Program Files\AVG\AVG10\avgtray.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Apoint2K\HidFind.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Documents and Settings\Paul\Application Data\Dropbox\bin\Dropbox.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\PROGRA~1\AVG\AVG10\avgrsx.exe

C:\Program Files\AVG\AVG10\avgcsrvx.exe

C:\Documents and Settings\Paul\Desktop\Defogger.exe

C:\Documents and Settings\Paul\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://bt.yahoo.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

uRun: [Google Update] "c:\documents and settings\paul\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [iTSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START

mRun: [NDSTray.exe] NDSTray.exe

mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en

mRun: [TPSMain] TPSMain.exe

mRun: [smoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe

mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe

mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start

mRun: [ThpSrv] c:\windows\system32\thpsrv /logon

mRun: [Toshiba Controls Utility] "c:\program files\toshiba\controls\VolumeIndicator.exe"

mRun: [CFSServ.exe] CFSServ.exe -NoClient

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe

mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\paul\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\paul\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} - hxxps://mail.cpt-uk.org/XTSAC.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll

Notify: igfxcui - igfxdev.dll

Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2008-1-11 21120]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-9-4 6528]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-19 11608]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]

R1 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2011-1-19 201288]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-1-19 135336]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-19 267944]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-1-19 61960]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-9-16 363344]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2011-1-19 359248]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2011-1-19 144704]

R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2009-10-24 360224]

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]

R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]

R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDAud.sys [2008-7-10 732160]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-9-16 20952]

R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2011-1-19 695624]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2011-1-19 79304]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2011-1-19 35240]

R3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2011-1-19 40488]

R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2011-1-18 47448]

R3 QIOMem;Generic IO & Memory Access;c:\windows\system32\drivers\QIOMem.sys [2007-5-29 6912]

S0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys --> c:\windows\system32\drivers\tclondrv.sys [?]

S1 SASDIFSV;SASDIFSV;\??\e:\sasdifsv.sys --> e:\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\e:\saskutil.sys --> e:\SASKUTIL.SYS [?]

S2 Sukoku Service;Sukoku Service;"c:\documents and settings\all users\application data\sukoku\sukoku125.exe" "c:\program files\sukoku\sukoku.dll" service --> c:\documents and settings\all users\application data\sukoku\sukoku125.exe [?]

S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2011-1-19 33800]

=============== Created Last 30 ================

2011-01-19 16:42:41 -------- d-----w- c:\windows\system32\NtmsData

2011-01-19 15:18:24 -------- d-----w- c:\docume~1\paul\applic~1\Avira

2011-01-19 15:03:30 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-01-19 15:03:29 -------- d-----w- c:\program files\Avira

2011-01-19 15:03:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira

2011-01-19 14:04:47 143360 ----a-w- c:\windows\system32\dunzip32.dll

2011-01-19 14:04:05 33800 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2011-01-19 14:04:04 79304 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2011-01-19 14:04:04 40488 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2011-01-19 14:04:04 35240 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2011-01-19 14:04:04 201288 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2011-01-19 14:04:02 113952 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2011-01-19 14:03:44 -------- d-----w- c:\program files\McAfee.com

2011-01-19 14:03:38 -------- d-----w- c:\program files\common files\McAfee

2011-01-19 14:03:33 -------- d-----w- c:\program files\McAfee

2011-01-18 15:08:31 47448 ----a-w- c:\windows\system32\drivers\o2media.sys

2011-01-18 15:00:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters

2011-01-18 13:35:42 -------- d-----w- c:\program files\ESET

==================== Find3M ====================

2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll

2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx

2010-11-05 05:05:35 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-11-03 12:59:07 369664 ----a-w- c:\windows\system32\html.iec

2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll

2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 11:51:33.64 ===============

Malwarebytes LOG:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5552

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 6.0.2900.5512

19/01/2011 11:34:33

mbam-log-2011-01-19 (11-34-33).txt

Scan type: Full scan (C:\|)

Objects scanned: 260927

Time elapsed: 42 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\system volume information\_restore{4dbb43b7-0f45-4a0c-a9a1-b9abf121c8a9}\RP39\A0041204.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.

c:\system volume information\_restore{4dbb43b7-0f45-4a0c-a9a1-b9abf121c8a9}\RP39\A0041205.dll (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\system volume information\_restore{4dbb43b7-0f45-4a0c-a9a1-b9abf121c8a9}\RP39\A0041206.dll (Adware.DoubleD) -> Quarantined and deleted successfully.

c:\system volume information\_restore{4dbb43b7-0f45-4a0c-a9a1-b9abf121c8a9}\RP39\A0041208.exe (Adware.DoubleD) -> Quarantined and deleted successfully.

Logs.zip


Hi Paulw and Welcome to Malwarebytes!

I see you have Avira and AVG Anti-Virus in your computer. Two Anti-Virus Programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Use the uninstaller below:

http://www.appremover.com/get/appremover.exe

Click on Run on the box that pops up and follow the prompts.

Restarting your computer completes removal of AVG Antivirus.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

In Normal mode run Malwarebytes:

Update Run Malwarebytes

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

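As an added example (not posted by anyone in this thread and not Malwarebytes' own tooling), the Python sketch below reads a DDS log and lists which resident antivirus products have processes or running services at the same time. The sample lines are copied from the DDS log above; the vendor directory list and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Install-directory names mapped to the antivirus product they belong to.
# This list is an assumption made for the example; DDS does not provide it.
AV_DIRS = {"avg": "AVG", "avira": "Avira", "mcafee": "McAfee", "mcafee.com": "McAfee"}

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Service line: <R|S><start type> <name>;<display name>;<image path> [date size]
SERVICE_RE = re.compile(r"^([RS])\d ([^;]+);([^;]*);(.+?)(?: \[[^\]]*\])?$")
# Image path up to the file extension, dropping any command-line arguments.
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|sys|dll|scr))\b', re.I)

# Lines copied from the DDS log posted earlier in this thread.
SAMPLE_DDS = r"""
============== Running Processes ===============
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-1-19 11608]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-1-19 267944]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2011-1-19 144704]
S3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2011-1-19 33800]
"""


def image_path(text):
    """Return the executable path without trailing arguments."""
    m = IMAGE_RE.match(text)
    return m.group(1) if m else text


def vendor_of(path):
    """Attribute a file to a product by its directory, never by its file name.

    File names mislead here: avgio.sys sits in Avira's folder, not AVG's.
    Drivers under system32\\drivers carry no vendor directory and are skipped.
    """
    parts = [p.lower() for p in path.split("\\")]
    for part in parts[:-1]:
        if part in AV_DIRS:
            return AV_DIRS[part]
    return None


def resident_av(dds_text):
    """Map each antivirus product to its running images found in the log."""
    found = defaultdict(set)
    section = None
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).upper()
            continue
        if section == "RUNNING PROCESSES":
            path = image_path(line)
        elif section == "SERVICES / DRIVERS":
            svc = SERVICE_RE.match(line)
            if not svc or svc.group(1) != "R":  # S = stopped, ignore
                continue
            path = image_path(svc.group(4))
        else:
            continue
        vendor = vendor_of(path)
        if vendor:
            found[vendor].add(path.split("\\")[-1].lower())
    return {vendor: sorted(files) for vendor, files in found.items()}


if __name__ == "__main__":
    products = resident_av(SAMPLE_DDS)
    for vendor, files in sorted(products.items()):
        print(f"{vendor}: {', '.join(files)}")
    if len(products) > 1:
        print(f"{len(products)} resident antivirus products are active together")
```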

Hello Kenny,

Thanks for getting back to me. Here's the MBAM report:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5560

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

20/01/2011 15:12:40

mbam-log-2011-01-20 (15-12-40).txt

Scan type: Quick scan

Objects scanned: 161467

Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


There are some older versions of Java on your computer. These can be a source of infection.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 23 -
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u123 -windows-i586-p.exe to install the newest version.

  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/en/download/help/testvm.xml

When all is well, you should see Java Version: 1.6.0_23 from Sun Microsystems Inc.

-------------------------------------------------------------------

Some final items:

It's a good idea to Flush your System Restore after removing malware and create a new restore point.

You should
to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.


Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

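To connect the System Restore advice above with the scan results, here is an added example (not written by anyone in this thread and not part of Malwarebytes) that parses an MBAM 1.50 log, checks the summary counts against the detail lines, and reports which restore points held detections. The sample is copied from the first MBAM log in this thread; the function names are assumptions made for the example.

```python
import re

# Detail line: <path> (<detection name>) -> <action>.
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# Windows XP System Restore store: \System Volume Information\_restore{GUID}\RP<n>\
RESTORE_RE = re.compile(
    r"\\system volume information\\_restore\{[0-9a-f-]+\}\\RP(\d+)\\", re.I)
# "Files Infected: 4" is a summary count, "Files Infected:" opens a detail section.
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# Lines copied from the first Malwarebytes log posted in this thread.
SAMPLE_MBAM = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
Scan type: Full scan (C:\|)
Registry Keys Infected: 0
Files Infected: 4

Registry Keys Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{4dbb43b7-0f45-4a0c-a9a1-b9abf121c8a9}\RP39\A0041204.dll (Adware.DoubleD.Gen) -> Quarantined and deleted successfully.
c:\system volume information\_restore{4dbb43b7-0f45-4a0c-a9a1-b9abf121c8a9}\RP39\A0041205.dll (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\system volume information\_restore{4dbb43b7-0f45-4a0c-a9a1-b9abf121c8a9}\RP39\A0041206.dll (Adware.DoubleD) -> Quarantined and deleted successfully.
c:\system volume information\_restore{4dbb43b7-0f45-4a0c-a9a1-b9abf121c8a9}\RP39\A0041208.exe (Adware.DoubleD) -> Quarantined and deleted successfully.
"""


def parse_mbam(log_text):
    """Return (summary counts, detections per section) from an MBAM text log."""
    summary, details, current = {}, {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m["section"]
            details[current] = []
            continue
        if current is None or line.startswith("(No malicious"):
            continue  # log header lines and empty sections
        m = DETECTION_RE.match(line)
        if m:
            details[current].append(m.groupdict())
    return summary, details


def count_mismatches(summary, details):
    """Sections whose summary count differs from the parsed detail lines."""
    return {section: (count, len(details.get(section, [])))
            for section, count in summary.items()
            if count != len(details.get(section, []))}


def restore_point_hits(details):
    """Map restore point number -> [(file name, detection name), ...]."""
    hits = {}
    for items in details.values():
        for item in items:
            m = RESTORE_RE.search(item["path"])
            if m:
                file_name = item["path"].rsplit("\\", 1)[-1]
                hits.setdefault(int(m.group(1)), []).append((file_name, item["name"]))
    return hits


if __name__ == "__main__":
    summary, details = parse_mbam(SAMPLE_MBAM)
    print("count mismatches:", count_mismatches(summary, details) or "none")
    for rp, found in sorted(restore_point_hits(details).items()):
        print(f"RP{rp}: {len(found)} detection(s) stored in System Restore")
        for file_name, name in found:
            print(f"  {file_name}  {name}")
```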

Hi Kenny,

That's done, thank you. I just ran Avira again and it found 1 instance of ADWARE/DoubleD.A.98, which has been quarantined.

Paul


Hi,

Please run this online scan

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on: EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Thanks Kenny,

Here's the log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# IEXPLORE.EXE=6.00.2900.5512 (xpsp.080413-2105)

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=7ee79b4acb890142931fdfaafc5e6d50

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-01-18 02:26:56

# local_time=2011-01-18 02:26:56 (+0000, GMT Standard Time)

# country="United Kingdom"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1032 16777214 100 96 187411 38648337 0 0

# compatibility_mode=8192 67108863 100 0 3803 3803 0 0

# scanned=105346

# found=11

# cleaned=11

# scan_time=2873

C:\Documents and Settings\All Users\Application Data\{F14A989E-0102-460B-ADB5-BC208314A307}\OFFLINE\29A73ACD\3E688669\stb0.dll a variant of Win32/Adware.DoubleD.AB application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul\Application Data\Sun\Java\Deployment\cache\6.0\24\20f951d8-4101c84c probably a variant of Win32/Agent.RPSVWU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\0BJFXP7L\CAFYWBJH.php Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\0BJFXP7L\CAU3CXWH.php Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\45WW23SL\CA7ASJV1.php Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\45WW23SL\CAZUORFL.php Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\MAGC5LMM\CA0LQ5LU.php Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\MAGC5LMM\CAEVGXTA.php Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\QHPB0W8X\userip[2].asp Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{4DBB43B7-0F45-4A0C-A9A1-B9ABF121C8A9}\RP39\A0041207.dll a variant of Win32/Adware.DoubleD.AL application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{4DBB43B7-0F45-4A0C-A9A1-B9ABF121C8A9}\RP39\A0041209.dll a variant of Win32/Adware.DoubleD.AB application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

# version=7

# IEXPLORE.EXE=6.00.2900.5512 (xpsp.080413-2105)

# OnlineScanner.ocx=1.0.0.6419

# api_version=3.0.2

# EOSSerial=7ee79b4acb890142931fdfaafc5e6d50

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-01-21 01:15:06

# local_time=2011-01-21 01:15:06 (+0000, GMT Standard Time)

# country="United Kingdom"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1797 16775145 100 93 13760 32145066 72926 0

# compatibility_mode=8192 67108863 100 0 257975 257975 0 0

# scanned=94514

# found=1

# cleaned=0

# scan_time=3589

C:\Documents and Settings\All Users\Application Data\{F14A989E-0102-460B-ADB5-BC208314A307}\OFFLINE\mFileBagIDE.dll\bag\FFToolbar.xpi a variant of Win32/Adware.DoubleD.AL application (unable to clean) 00000000000000000000000000000000 I

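The log.txt pasted above holds two scan runs whose option headers and outcomes differ, while the helper's instructions named specific options. As an added example (not part of the thread, and not ESET's or the helper's code), this Python parser splits such a log into runs, compares each run's option headers with the instructed settings, and lists detections that were not cleaned; the sample log is constructed and its paths are made up.

```python
import re

# Scan options as the helper's instructions asked for them (log header keys).
INSTRUCTED = {"remove_checked": "false", "archives_checked": "true",
              "unwanted_checked": "true", "unsafe_checked": "true",
              "antistealth_checked": "true"}
HEADER = re.compile(r"^# ([\w.]+)=(.*)$")
DETECTION = re.compile(  # <path> <threat name> (<action>) <hex field> <flag>
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<threat>(?:probably )?(?:a variant of )?"
    r"Win32/\S+ \w+) \((?P<action>[^()]*)\) [0-9a-f]+ \w$")

def parse_runs(text):
    """Split log.txt into scan runs; every '# version=' line starts a new run."""
    runs = []
    for line in map(str.strip, text.splitlines()):
        h, d = HEADER.match(line), DETECTION.match(line)
        if h and h.group(1) == "version":
            runs.append({"settings": {}, "detections": []})
        if runs and h:
            runs[-1]["settings"][h.group(1)] = h.group(2)
        elif runs and d:
            runs[-1]["detections"].append(d.groupdict())
    return runs

def review(run):
    """List options that differ from the instructions and items still on disk."""
    notes = [f"{k}={run['settings'].get(k)} (instructed: {v})"
             for k, v in INSTRUCTED.items() if run["settings"].get(k) != v]
    notes += [f"NOT CLEANED: {d['threat']} at {d['path']}"
              for d in run["detections"] if not d["action"].startswith("cleaned")]
    return notes

# Constructed sample in the shape of the log above (paths are made up).
SAMPLE = r"""# version=7
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
C:\Sample\Temp\a.php Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
# version=7
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
C:\Sample\All Users\bag\FFToolbar.xpi a variant of Win32/Adware.DoubleD.AL application (unable to clean) 00000000000000000000000000000000 I"""
for n, run in enumerate(parse_runs(SAMPLE), 1):
    print(f"run {n}:", review(run) or "nothing to follow up")
```

A run whose options differ from the instructions usually means an older scan was left in the same log file, so only the run with matching options answers the helper's question.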

Hold the phone. Just seen this:

C:\Documents and Settings\All Users\Application Data\{F14A989E-0102-460B-ADB5-BC208314A307}\OFFLINE\mFileBagIDE.dll\bag\FFToolbar.xpi

Please download the OTM by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Services

    :Reg

    :Files
    C:\Documents and Settings\All Users\Application Data\{F14A989E-0102-460B-ADB5-BC208314A307}\OFFLINE\mFileBagIDE.dll\bag\FFToolbar.xpi
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]


  • Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Hi Kenny,

Here's the log:

All processes killed

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

C:\Documents and Settings\All Users\Application Data\{F14A989E-0102-460B-ADB5-BC208314A307}\OFFLINE\mFileBagIDE.dll\bag\FFToolbar.xpi moved successfully.

========== COMMANDS ==========

HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: CPT Scotland

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Paul

->Temp folder emptied: 9339162 bytes

->Temporary Internet Files folder emptied: 560531 bytes

->Java cache emptied: 177764 bytes

->Google Chrome cache emptied: 28479954 bytes

->Flash cache emptied: 434 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 250851 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 37.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.17.2 log created on 01212011_143047


That got it!

To remove all of the tools we used and the files and folders they created, please do the following:

Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Thanks Kenny,

Is that the computer clean now?

Paul


Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.
