Solved: "Antivirus Live" icon in tray, Can't run any AV

dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
23-Jan-2010, 06:40 AM #16
that isn't showing any obvious rogue antivirus problems

can you boot to normal mode & run combofix
patmac's Avatar
Senior Member with 615 posts.
 
Join Date: May 2004
Location: Earth
Experience: Beginner
23-Jan-2010, 10:35 AM #17
Here's the Combofix log after booting in to normal mode, on the Admin account. Something is up though. I got a message stating that IE is currently not your default browser, and it is, always has been. So far have not gotten any pop ups about antivirus.

ComboFix 10-01-22.03 - Patrick 2010-01-23 9:12.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.549 [GMT -5:00]
Running from: c:\documents and settings\Patrick\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.

2010-01-06 20:31 . 2010-01-06 20:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-01-06 18:24 . 2010-01-06 18:26 -------- d-----w- C:\Temp5
2010-01-06 03:53 . 2010-01-06 03:53 -------- d-----w- c:\documents and settings\Brian\Local Settings\Application Data\Temp
2009-12-29 21:27 . 2009-12-29 21:27 -------- d-----w- c:\program files\Gillware Inc
2009-12-29 21:27 . 2009-12-29 21:27 -------- d-----w- c:\documents and settings\Patrick\Application Data\Gillware Inc
2009-12-29 21:14 . 2009-12-29 21:14 -------- d-----w- c:\documents and settings\Brian\Application Data\Gillware Inc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 14:02 . 2008-07-11 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-19 12:16 . 2007-02-14 20:43 174096 ----a-w- c:\documents and settings\Brian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-16 18:49 . 2008-09-01 01:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-16 18:48 . 2008-09-06 23:15 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-11 17:19 . 2009-03-26 01:32 1 ----a-w- c:\documents and settings\Brian\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-07 21:07 . 2008-09-01 01:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2008-09-01 01:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 03:48 . 2007-02-02 23:59 -------- d-----w- c:\program files\Google
2009-12-10 12:29 . 2009-12-10 12:29 2468632 ----a-w- c:\windows\system32\AutoPartNt.exe
2009-12-08 23:08 . 2002-12-12 17:43 174096 ----a-w- c:\documents and settings\Patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-08 22:27 . 2009-12-08 22:27 152704 ----a-w- c:\windows\system32\drivers\afcdp.sys
2009-12-08 22:27 . 2009-12-08 22:26 -------- d-----w- c:\program files\Common Files\Acronis
2009-12-08 22:27 . 2009-12-08 22:27 902432 ----a-w- c:\windows\system32\drivers\tdrpm251.sys
2009-12-08 22:26 . 2009-12-08 22:26 570016 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-12-08 22:26 . 2009-12-08 22:26 156928 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-12-08 22:26 . 2009-12-08 22:26 -------- d-----w- c:\program files\Acronis
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]
"NvMediaCenter"="c:\windows\system32\NVMCTRAY.DLL" [2003-10-06 49152]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"nwiz"="nwiz.exe" [2003-10-06 741376]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-01-16 2043160]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-11 722256]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-08-27 5044248]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-08-27 357384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Patrick\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
America Online 7.0 Tray Icon.lnk - c:\program files\America Online 7.0\aoltray.exe [2002-12-7 32839]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2002-12-7 45056]
Memory Stick Monitor.lnk - c:\program files\MSAC-FD1\MSSTAT.EXE [2002-12-14 204800]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2003-4-18 106560]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-31 18:28 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ItsDeductible2006\\ItsDeductible10.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\SYSTEM32\DRIVERS\avgrkx86.sys [2008-08-20 12552]
R0 ppa;Iomega Parallel Port Filter Driver;c:\windows\SYSTEM32\DRIVERS\ppa.sys [2003-01-17 17792]
R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\SYSTEM32\DRIVERS\tdrpm251.sys [2009-12-08 902432]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [2008-08-20 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [2008-08-20 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2006-10-10 5632]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 32256]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [2009-12-08 2326912]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-23 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-23 297752]
R2 FPMSNT;FPMSNT;c:\windows\SYSTEM32\DRIVERS\FPMSNT.SYS [2002-12-14 113812]
R2 Sdselect;Sdselect;c:\windows\SYSTEM32\DRIVERS\sdselect.sys [2002-12-14 73296]
R3 afcdp;afcdp;c:\windows\SYSTEM32\DRIVERS\afcdp.sys [2009-12-08 152704]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-05 135664]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
.
Contents of the 'Scheduled Tasks' folder

2010-01-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-08 11:05]

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:48]

2010-01-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 03:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: aol.com\free
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.6.4/GarminAxControl.CAB
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings/include/vzTCPConfig.CAB
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-23 09:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"=multi:"System32\DRIVERS\fdc.sys\00"
"KeepImagePath"=multi:"System32\DRIVERS\fdc.sys\00"
"SDImagePath"=multi:"System32\DRIVERS\fdc.sys\00"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"
"KeepImagePath"=multi:"System32\DRIVERS\flpydisk.sys\00"
"SDImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"=multi:"System32\DRIVERS\fdc.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"=multi:"System32\DRIVERS\fdc.sys\00"
"KeepImagePath"=multi:"System32\DRIVERS\fdc.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Fdc]
"ImagePath"=multi:"System32\DRIVERS\fdc.sys\00"
"KeepImagePath"=multi:"System32\DRIVERS\fdc.sys\00"
"SDImagePath"=multi:"System32\DRIVERS\fdc.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"
"KeepImagePath"=multi:"System32\DRIVERS\flpydisk.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Flpydisk]
"ImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"
"KeepImagePath"=multi:"System32\DRIVERS\flpydisk.sys\00"
"SDImagePath"=multi:"System32\Drivers\Sdfloppy.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2010-01-23 09:24:40
ComboFix-quarantined-files.txt 2010-01-23 14:24
ComboFix2.txt 2010-01-22 20:10

Pre-Run: 92,734,164,992 bytes free
Post-Run: 92,692,111,360 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 6E4AC65770A830D5755B8B11CFA466C1
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
23-Jan-2010, 10:53 AM #18
try tdss killer from http://support.kaspersky.com/viruses...?qid=208280684

post back with its log and we can go from there
patmac's Avatar
Senior Member with 615 posts.
 
Join Date: May 2004
Location: Earth
Experience: Beginner
23-Jan-2010, 11:07 AM #19
Ran it, black window said it was complete, under results there were all zeroes. Said to hit any key to continue which I did. Is that scan supposed to take about 1 second??

I updated and ran Malwarebytes, it found something which it says it deleted:

mbam-log-2010-01-23 (11-18-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 230890
Time elapsed: 41 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Brian\Local Settings\Application Data\dalydk\joyisysguard.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Last edited by patmac; 23-Jan-2010 at 12:29 PM..
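Added example, not part of the thread and not code from ComboFix or Malwarebytes: a small Python triage of ComboFix-style "Reg Loading Points" lines that flags autostart targets sitting under a user profile's Application Data or temp directories, the kind of location the Malwarebytes log above reports for joyisysguard.exe. The sample lines, the function names and the path heuristic are constructed assumptions; a hit is a reason to look closer, not a verdict.

```python
import re

# Constructed sample in the style of ComboFix's "Reg Loading Points" section.
# The second entry is invented; its layout mirrors the per-user path in the
# Malwarebytes log (Local Settings\Application Data\<random>\<name>.exe).
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"example"="c:\documents and settings\User\Local Settings\Application Data\abcde\examplesysguard.exe" [2010-01-20 123456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-10-06 741376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SYSTEM32\avgrsstx.dll
'''

# "[registry key]" header line.
KEY = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# "name"="target" [date size]; the quotes around the target and the
# trailing [date size] stamp are both optional in the log format.
ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"?(?P<target>[^"\[]+?)"?\s*'
    r'(?:\[(?P<date>[\d-]+) (?P<size>\d+)\])?\s*$'
)

# Assumed heuristic: directories a limited user can write to, under a profile.
PROFILE_ROOTS = ("\\documents and settings\\", "\\users\\")
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\appdata\\")


def parse_loading_points(text):
    """Return one dict per autostart value, tagged with its registry key."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        header = KEY.match(line)
        if header:
            key = header.group("key")
            continue
        m = ENTRY.match(line)
        if m and key:
            entries.append({
                "key": key,
                "name": m.group("name"),
                "target": m.group("target").strip(),
                "size": int(m.group("size")) if m.group("size") else None,
            })
    return entries


def flag_user_writable(entries):
    """Keep entries whose target lives in a user-writable profile directory."""
    flagged = []
    for e in entries:
        t = e["target"].lower()
        if any(r in t for r in PROFILE_ROOTS) and any(d in t for d in USER_WRITABLE):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in flag_user_writable(parse_loading_points(SAMPLE)):
        print(f'{e["key"]} :: {e["name"]} -> {e["target"]}')
```

Legitimate per-user software also starts from these directories, so each flagged entry still needs a human check of the file itself.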
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
23-Jan-2010, 01:20 PM #20
* Run Kaspersky online virus scan Kaspersky Online Scanner.

After the updates have downloaded, click on the "Scan Settings" button.
select the (b)"Spyware, Adware, Dialers and other potentially dangerous programs" for the scan.
Under "Please select a target to scan", click "My Computer".
When the scan is finished, Save the results from the scan!

Note: Kavscan is a scanner only & won't fix anything but will normally find the most infected files so its report gives us a good place to work from

If that won't run then
Run an online antivirus check from one of the following sites
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.bitdefender.com/scan8/ie.html
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
patmac's Avatar
Senior Member with 615 posts.
 
Join Date: May 2004
Location: Earth
Experience: Beginner
23-Jan-2010, 04:53 PM #21
How do I save the report? I know it comes up with save report button. I saved it to my desktop and it shows up as an html file. Is that only because I did not change the file extensions before saving or it really is in that format?
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
23-Jan-2010, 05:26 PM #22
yes it does sometimes save it in html format

you can't attach html here but you can send it to me via

please upload that to http://www.thespykiller.co.uk/index.php?board=1.0 so we can examine the files

Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, When the file is listed in the windows press send to upload the file
patmac's Avatar
Senior Member with 615 posts.
 
Join Date: May 2004
Location: Earth
Experience: Beginner
23-Jan-2010, 06:30 PM #23
I'll also try uploading the html file to thespykiller, not sure how I'll make out with that.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, January 23, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, January 23, 2010 17:57:31
Records in database: 3362612
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Objects scanned: 96820
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 02:21:43


File name / Threat / Threats count
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1270\A0060489.exe Infected: Trojan.Win32.FraudPack.akem 1

Selected area has been scanned.
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
23-Jan-2010, 07:02 PM #24
*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click START then RUN
* Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.


This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer and update whatever it suggests

Then pay an urgent visit to windows update & make sure you are fully updated, that will help to plug the security holes that let these pests on in the first place
patmac's Avatar
Senior Member with 615 posts.
 
Join Date: May 2004
Location: Earth
Experience: Beginner
23-Jan-2010, 09:47 PM #25
OK. I did as you requested in your last post. I just checked System Restore, and my old points are still there. Is this the same as what you mentioned..."the system restore folder will be purged"?

I will do the other suggestions as well, but have a few questions that will hopefully help me be smarter with all this:

What did I have and what cleaned it up? Combofix in Safe Mode? Combofix in Normal Mode?

Was this a fly by thing? I only visit regular sites, no porn or adult stuff. Did being on a Limited User account mean anything?

I have AVG paid and Malwarebytes Free, I just updated and scanned with both a few days before this all started. Are these two things good to have? Would the paid version of Mbam be better? Would it work along with AVG?
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
24-Jan-2010, 06:44 AM #26
Turn off system restore by following instructions here
for XP http://www.thespykiller.co.uk/index.php?page=8
or for Vista http://www.bleepingcomputer.com/tuto...torial143.html

then re-enable it afterwards

CF normally clears restore points & I don't know why it hasn't this time
patmac's Avatar
Senior Member with 615 posts.
 
Join Date: May 2004
Location: Earth
Experience: Beginner
24-Jan-2010, 09:10 AM #27
OK, I should have remembered to try that. Am I good to go? Any chance of answering some of my questions in post#25? I know I'm behind on the Windows updates, is that really the main problem here? Thanks for your time.
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
24-Jan-2010, 02:57 PM #28
windows updates are vitally important and so are all the other vulnerable software that secunia scan will find

when you haven't got all updates then infected adverts & vulnerabilities can infect you on normally safe sites
patmac's Avatar
Senior Member with 615 posts.
 
Join Date: May 2004
Location: Earth
Experience: Beginner
24-Jan-2010, 03:40 PM #29
OK thanks, so I am clean?

Also, I have an external case for my IDE internal drives. Is it possible to clean an infected drive outside the case, in an external case? How could I save Combofix to the Desktop in the external case? I cloned this drive we were working on a few weeks ago. I have many emails on it that now, thanks to you I can get to. I just want to know for the future...could I pull the infected drive, install the clone, then work on the infected drive while it is in the external case? I am in the process of learning how to do images and backups so the emails etc can be backed up currently.
dvk01's Avatar
Moderator & Malware Removal Specialist with 37,220 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
24-Jan-2010, 04:40 PM #30
Yes, you can scan a drive in an external holder BUT the danger is that an antivirus will delete a vital system file because it isn't active & when you put it back into the machine, it won't boot

You can't use combofix or a rootkit scanner in that situation though as they work on the active drive

However you can replace infected system files when in an external holder easily