Jump to content

Virus removed - update issues


Recommended Posts

Hello

I had a virus detected and quarantined. Clear scans followed.

I have an auto update warning in taskbar. Attempts to turn auto updates on from balloon fail and prompt to turn on from control panel/system/etc. In there it indicates that auto update is on. Going to ms updates fails.

Defrogger seemed to work but I was NOT prompted to restart computer.

Thanks in advance for your help!

--

defogger_disable by jpshortstuff (23.02.10.1)

Log created at 11:42 on 13/06/2011 (maddie)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

---

Scan type: Quick scan

Objects scanned: 192495

Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detecte

--

.

DDS (Ver_2011-06-12.02) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23

Run by maddie at 11:44:18 on 2011-06-13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2550.1576 [GMT -5:00]

.

AV: Outpost Security Suite *Disabled/Updated* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

FW: Outpost Security Suite *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe

C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

c:\program files\avira\antivir desktop\avcenter.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\SYSTEM32\SOL.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

.

============== Pseudo HJT Report ===============

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://espn.go.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

uURLSearchHooks: H - No File

mURLSearchHooks: H - No File

BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File

TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No File

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [OutpostMonitor] "c:\progra~1\agnitum\outpos~1\op_mon.exe" /tray /noservice

mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost security suite free\feedback.exe" /dump:os_startup

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll

DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - hxxps://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}

DPF: {43E3F87D-DE7F-4087-BD4F-0DC854981158} - hxxp://download.microsoft.com/download/7/3/8/7384c441-3721-41ee-ae15-b678888f00dd/clearadj.CAB

DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab

DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.0/jinstall-1_4_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 97.64.183.164 97.64.209.37

TCP: Interfaces\{F6A0A0FE-245F-46DA-BD28-C2ED131709B0} : DhcpNameServer = 97.64.183.164 97.64.209.37

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\maddie\application data\mozilla\firefox\profiles\yxfglg3x.default\

FF - prefs.js: browser.startup.homepage - hxxp://espn.go.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\documents and settings\maddie\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\documents and settings\maddie\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

.

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-4-21 11608]

R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2010-12-30 710696]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-9-16 95024]

R2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2010-12-30 2067936]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-21 136360]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-21 269480]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-21 61960]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-4-21 632792]

R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-8-22 1251720]

R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2010-12-30 34280]

R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2010-12-30 267624]

S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 ASWFilt;ASWFilt;c:\windows\system32\filt\ASWFilt.dll [2010-12-30 72352]

S3 VBEngNT;VBEngNT;c:\windows\system32\drivers\VBEngNT.sys [2010-12-30 241088]

S3 VBFilt;VBFilt;c:\windows\system32\filt\VBFilt.dll [2010-12-30 36288]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-20 135664]

.

=============== Created Last 30 ================

.

2011-05-31 15:06:14 1025824 ----a-w- c:\windows\system32\drivers\vbcorent.sys

2011-05-27 10:03:57 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-27 10:03:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-27 10:03:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-24 08:49:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-05-16 04:59:06 -------- d-----w- c:\program files\iPod

2011-05-16 04:59:03 -------- d-----w- c:\program files\iTunes

2011-05-16 04:59:03 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2011-05-16 04:55:04 -------- d-----w- c:\program files\Bonjour

.

==================== Find3M ====================

.

2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll

2011-04-06 21:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll

2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe

.

============= FINISH: 11:46:05.78 ===============

attach.zip

Link to post
Share on other sites

Welcome back, Mike.

Looks like you're running 2 anti-virus programs.

Outpost Security Suite

AntiVir

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

Please do not delete anything unless instructed to.

I see also that you're using Outpost firewall so I would uninstall AntiVir

1.Click Start > Settings > Control Panel.

2.Next, open Add/Remove Programs and remove either:

AntiVir

After the above, reboot and let me know how it's running.

Link to post
Share on other sites

Thanks Mr Tate.

I uninstalled Antivir. I guess I had thought that the Outpost was just operating as a firewall. I was able to get the auto updates back on a few days ago. I did not insert it as it was not the most recent scan log when I posted, but below is the MBAM log that first indicated the infection that seemed to cause the issues late sunday. Thanks.

-------------------------

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6845

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/13/2011 2:51:23 AM

mbam-log-2011-06-13 (02-51-23).txt

Scan type: Quick scan

Objects scanned: 191738

Time elapsed: 9 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\documents and settings\maddie\local settings\application data\dxs.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.

Link to post
Share on other sites

The computer seems to be behaving ok. In the last few days it has seemed to have some pauses that are a bit out of character, but nothing has really hung or acted completely out of whack. Below is the latest MBAM log. Thanks

Malwarebytes' Anti-Malware 1.51.0.1200

www.malwarebytes.org

Database version: 6873

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/16/2011 5:10:32 PM

mbam-log-2011-06-16 (17-10-32).txt

Scan type: Quick scan

Objects scanned: 192371

Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.