
Removed rogue (ave.exe); Still lacking some functions?

Discussion in 'Virus & Other Malware Removal' started by wyoming101, Apr 3, 2010.

Thread Status:
Not open for further replies.
    wyoming101 (Thread Starter)
    Joined: Apr 3, 2010
    Messages: 1

    Hello,

    First, I am a Mac user attempting to remove Malware (Trojans/Rogues) on a Windows XP SP3 system to help a friend. So I hope you'll forgive my lack of familiarity in regards to terminology etc.

    I have included logs and I think the problems will be relatively easy to solve. I greatly appreciate any advice anyone can give.

    The problem became apparent a few days ago when XP Defender 2010 (ave.exe) became the dominant presence upon my friend's desktop. I tried the most frequently suggested removal methods but could not launch Malwarebytes Anti-Malware and eventually could only boot in Safe Mode, but still couldn't launch Malwarebytes. Finally, I was able to run ComboFix, which ran successfully from Safe Mode. Following the ComboFix automated reboot and log creation, I was able to run Malwarebytes, which performed a full scan. Malwarebytes found a few more infected objects and removed them. After Malwarebytes completed the scan, Windows Automatic Updates requested that I restart, which I did. At that point, I assumed everything was resolved, but now I am unsure.

    I am 90% certain that I have successfully removed the rogue security application and possibly other malware, but the system seems to lack some function. For instance, it can't seem to connect to the internet. This might be a result of my limited knowledge of Windows XP systems? Also, I would like to return my friend's computer as streamlined as possible, and I suspect there are many Startup Items and Applications which may not be malicious but should be removed. I would like suggestions as to what should be uninstalled/removed.

    Below, I will post the logs and uninstall lists in the order they were created. If this post is too long I will post additional logs/lists in a subsequent post.

    Again, I appreciate any help anyone can provide.

    Thanks

    ComboFix Log

    ComboFix 10-04-01.02 - Administrator 04/03/2010 0:23.2.2 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.1243 [GMT -6:00]
    Running from: F:\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Local Settings\Application Data\ave.exe
    c:\documents and settings\Administrator\rundll32 .exe
    c:\documents and settings\Administrator\rundll32.exe
    c:\documents and settings\All Users\Application Data\_VOIDmfeklnmal.dll
    c:\documents and settings\All Users\Favorites\_favdata.dat
    c:\documents and settings\Caro\agrsmmsg .exe
    c:\documents and settings\Caro\Local Settings\Application Data\av.exe
    c:\documents and settings\Caro\Local Settings\Application Data\ave.exe
    c:\documents and settings\Caro\Local Settings\Application Data\MSASCui.exe
    c:\documents and settings\Caro\ndstray .exe
    c:\documents and settings\Caro\rundll32 .exe
    c:\documents and settings\Caro\rundll32.exe
    c:\documents and settings\Caro\tctrliohook .exe
    c:\documents and settings\Caro\tfncky .exe
    c:\documents and settings\Caro\tpsmain .exe
    c:\documents and settings\Caro\zoominghook .exe
    c:\program files\Adobe\acrotray .exe
    c:\program files\Internet Explorer\js.mui
    c:\program files\Internet Explorer\wmpscfgs.exe
    c:\windows\_VOIDkbccdxbvtp
    c:\windows\_VOIDkbccdxbvtp\_VOIDd.sys
    c:\windows\AppPatch\AcAdProc.dll
    c:\windows\system32\_VOIDaouohsbckk.dat
    c:\windows\system32\_VOIDfhixupxthw.dat
    c:\windows\system32\_VOIDidieigrdbj.dll
    c:\windows\system32\_VOIDiugnbclnru.dat
    c:\windows\system32\_VOIDjrojsierri.dat
    c:\windows\system32\_VOIDjuprrxvmpe.dll
    c:\windows\system32\_VOIDtccdsipotu.dll
    c:\windows\system32\_VOIDtkocqptuni.dll
    c:\windows\system32\_VOIDutodmsmekl.dll
    c:\windows\system32\_VOIDutqxewmtti.dat
    c:\windows\system32\_VOIDxlgehtespp.dll
    c:\windows\system32\_VOIDxmbfpufpxt.dat
    c:\windows\system32\_VOIDyfulpsetqx.dat
    c:\windows\system32\_VOIDypetnwkbwp.dat
    c:\windows\system32\agrsmmsg .exe
    c:\windows\system32\app_dll.dll
    c:\windows\system32\ctfmon .exe
    c:\windows\system32\hkcmd .exe
    c:\windows\system32\igfxpers .exe
    c:\windows\system32\igfxtray .exe
    c:\windows\system32\jesafijo.dll
    c:\windows\system32\ndstray .exe
    c:\windows\system32\rundll32 .exe
    c:\windows\system32\tctrliohook .exe
    c:\windows\system32\tfncky .exe
    c:\windows\system32\Thumbs.db
    c:\windows\system32\tpsmain .exe
    c:\windows\system32\zoominghook .exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy__VOIDKBCCDXBVTP
    -------\Service__VOIDkbccdxbvtp


    ((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))
    .

    2010-04-03 06:40 . 2010-04-03 06:40 -------- d-----w- c:\windows\LastGood
    2010-03-31 18:24 . 2010-03-31 18:24 92504 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-03-31 13:35 . 2010-03-22 03:14 30720 ----a-w- c:\documents and settings\Caro\tpsmain.exe
    2010-03-31 13:35 . 2010-03-22 03:14 30720 ----a-w- c:\documents and settings\Caro\zoominghook.exe
    2010-03-31 13:35 . 2010-03-31 13:35 -------- d-----w- c:\documents and settings\All Users\Application Data\06cbc70
    2010-03-31 13:35 . 2010-03-22 03:14 30720 ----a-w- c:\documents and settings\Caro\tfncky.exe
    2010-03-31 13:35 . 2010-03-22 03:13 30720 ----a-w- c:\documents and settings\Caro\tctrliohook.exe
    2010-03-31 13:35 . 2010-03-22 03:13 30720 ----a-w- c:\documents and settings\Caro\ndstray.exe
    2010-03-31 13:35 . 2010-03-22 03:13 30720 ----a-w- c:\documents and settings\Caro\agrsmmsg.exe
    2010-03-31 13:29 . 2010-03-24 01:18 30720 ----a-w- c:\windows\system32\tfncky.exe
    2010-03-31 13:29 . 2010-03-24 01:19 30720 ----a-w- c:\windows\system32\ndstray.exe
    2010-03-31 13:28 . 2010-03-24 01:19 30720 ----a-w- c:\windows\system32\agrsmmsg.exe
    2010-03-31 13:27 . 2010-03-31 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
    2010-03-31 04:05 . 2010-03-31 04:05 552 ----a-w- c:\windows\system32\d3d8caps.dat
    2010-03-31 04:05 . 2010-03-24 01:50 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-03-31 04:05 . 2010-03-31 04:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-03-24 05:34 . 2010-03-24 05:34 -------- d-----w- c:\program files\Trend Micro
    2010-03-24 01:52 . 2010-03-24 01:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
    2010-03-24 01:51 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2010-03-22 18:50 . 2010-03-24 00:18 -------- d-----w- c:\program files\CCleaner
    2010-03-10 20:09 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-03 06:36 . 2005-12-27 04:23 30720 ----a-w- c:\windows\system32\ctfmon.exe
    2010-03-31 13:35 . 2010-03-31 13:35 2282496 ----a-w- c:\documents and settings\All Users\Application Data\06cbc70\SG06cb.exe
    2010-03-31 13:29 . 2010-03-31 13:29 30720 ----a-w- c:\windows\system32\OLD23.tmp
    2010-03-31 00:28 . 2005-12-27 18:02 -------- d-----w- c:\program files\Common Files\Java
    2010-03-31 00:22 . 2010-03-31 00:22 503808 ----a-w- c:\documents and settings\Caro\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6dcf34ec-n\msvcp71.dll
    2010-03-31 00:22 . 2010-03-31 00:22 499712 ----a-w- c:\documents and settings\Caro\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6dcf34ec-n\jmc.dll
    2010-03-31 00:22 . 2010-03-31 00:22 348160 ----a-w- c:\documents and settings\Caro\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6dcf34ec-n\msvcr71.dll
    2010-03-31 00:22 . 2010-03-31 00:22 61440 ----a-w- c:\documents and settings\Caro\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2aa44b09-n\decora-sse.dll
    2010-03-31 00:22 . 2010-03-31 00:22 12800 ----a-w- c:\documents and settings\Caro\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2aa44b09-n\decora-d3d.dll
    2010-03-31 00:21 . 2005-12-27 18:02 -------- d-----w- c:\program files\Java
    2010-03-29 21:24 . 2010-03-24 01:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-29 21:24 . 2010-03-24 01:44 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-26 01:21 . 2009-02-20 02:43 -------- d-----w- c:\program files\Digsby
    2010-03-25 16:05 . 2010-03-25 16:05 315354 ----a-w- c:\documents and settings\All Users\Application Data\Update\seupd.exe
    2010-03-25 13:18 . 2010-03-25 13:18 1082244 ----a-w- c:\documents and settings\All Users\Application Data\Update\tbsk.exe
    2010-03-24 05:47 . 2004-08-03 22:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-03-24 05:38 . 2010-03-24 01:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-24 01:52 . 2009-11-03 06:59 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
    2010-03-24 01:47 . 2010-03-24 01:47 -------- d-----w- c:\program files\DCleaner
    2010-03-24 01:23 . 2010-03-24 01:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-03-24 01:19 . 2005-12-28 00:18 30720 ----a-w- c:\windows\system32\hkcmd.exe
    2010-03-24 01:19 . 2007-08-22 21:12 -------- d-----w- c:\program files\iTunes
    2010-03-24 01:19 . 2005-12-27 17:23 -------- d-----w- c:\program files\ltmoh
    2010-03-24 01:18 . 2006-07-12 19:22 -------- d-----w- c:\program files\Protector Suite QL
    2010-03-24 01:18 . 2010-02-20 00:44 -------- d-----w- c:\program files\QuickTime
    2010-03-24 01:18 . 2005-12-05 22:50 30720 ----a-w- c:\windows\system32\tctrliohook.exe
    2010-03-24 01:18 . 2005-12-27 18:31 30720 ----a-w- c:\windows\system32\tpsmain.exe
    2010-03-24 01:18 . 2005-06-06 17:58 30720 ----a-w- c:\windows\system32\zoominghook.exe
    2010-03-24 01:18 . 2005-12-27 16:51 -------- d-----w- c:\program files\Apoint2K
    2010-03-24 00:54 . 2010-03-24 00:54 30720 ----a-w- c:\documents and settings\Administrator\agrsmmsg.exe
    2010-03-24 00:54 . 2010-03-24 00:54 30720 ----a-w- c:\documents and settings\Administrator\ndstray.exe
    2010-03-24 00:54 . 2010-03-24 00:54 30720 ----a-w- c:\documents and settings\Administrator\tctrliohook.exe
    2010-03-24 00:54 . 2010-03-24 00:54 30720 ----a-w- c:\documents and settings\Administrator\tfncky.exe
    2010-03-24 00:54 . 2010-03-24 00:54 30720 ----a-w- c:\documents and settings\Administrator\tpsmain.exe
    2010-03-24 00:54 . 2010-03-24 00:54 30720 ----a-w- c:\documents and settings\Administrator\zoominghook.exe
    2010-03-23 01:27 . 2007-06-28 02:40 -------- d-----w- c:\program files\utorrent
    2010-03-23 01:27 . 2007-06-28 02:40 -------- d-----w- c:\documents and settings\Caro\Application Data\uTorrent
    2010-03-22 03:19 . 2007-06-28 02:46 -------- d-----w- c:\documents and settings\Caro\Application Data\Skype
    2010-03-22 01:51 . 2005-12-28 00:18 30720 ----a-w- c:\windows\system32\igfxpers.exe
    2010-03-21 23:18 . 2009-02-02 05:22 -------- d-----w- c:\program files\Ninja
    2010-03-21 22:05 . 2009-01-04 23:18 -------- d-----w- c:\documents and settings\Caro\Application Data\skypePM
    2010-03-09 10:28 . 2009-03-24 00:33 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-03-08 00:13 . 2009-10-22 20:57 217088 ----a-w- c:\documents and settings\Caro\Application Data\Mozilla\Firefox\Profiles\1y3q76em.default\extensions\[email protected]\components\Shim.dll
    2010-02-24 16:16 . 2009-10-02 22:29 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-20 00:49 . 2010-02-20 00:49 -------- d-----w- c:\program files\iPod
    2010-02-20 00:48 . 2007-07-05 04:19 -------- d-----w- c:\program files\Common Files\Apple
    2010-02-20 00:36 . 2010-02-20 00:36 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
    2010-01-06 19:08 . 2010-01-16 21:54 4726272 ----a-w- c:\documents and settings\Caro\Application Data\Mozilla\Firefox\Profiles\1y3q76em.default\extensions\[email protected]\libs\cooliris190.dll
    2010-01-06 19:08 . 2010-01-16 21:54 57856 ----a-w- c:\documents and settings\Caro\Application Data\Mozilla\Firefox\Profiles\1y3q76em.default\extensions\[email protected]\components\coolirisstub.dll
    2010-01-06 19:08 . 2010-01-16 21:54 545280 ----a-w- c:\documents and settings\Caro\Application Data\Mozilla\Firefox\Profiles\1y3q76em.default\extensions\[email protected]\libs\PicLensHelper.exe
    2010-01-06 19:08 . 2010-01-16 21:54 4725760 ----a-w- c:\documents and settings\Caro\Application Data\Mozilla\Firefox\Profiles\1y3q76em.default\extensions\[email protected]\libs\cooliris192.dll
    2010-01-06 19:08 . 2010-01-16 21:54 344064 ----a-w- c:\documents and settings\Caro\Application Data\Mozilla\Firefox\Profiles\1y3q76em.default\extensions\[email protected]\libs\LaunchCooliris.exe
    2010-01-06 19:08 . 2010-01-16 21:54 153600 ----a-w- c:\documents and settings\Caro\Application Data\Mozilla\Firefox\Profiles\1y3q76em.default\extensions\[email protected]\plugins\npcoolirisplugin.dll
    2010-01-06 19:08 . 2010-01-16 21:54 103424 ----a-w- c:\documents and settings\Caro\Application Data\Mozilla\Firefox\Profiles\1y3q76em.default\extensions\[email protected]\libs\pixomatic.dll
    2010-01-05 10:00 . 2005-12-27 04:23 832512 ------w- c:\windows\system32\wininet.dll
    2010-01-03 16:36 . 2010-01-03 16:36 56827 ----a-w- c:\documents and settings\All Users\Application Data\Update\tbupd.exe
    2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    1601-01-01 00:03 . 1601-01-01 00:03 201728 --sha-w- c:\windows\system32\fipuyuko.exe
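As an added example (not part of this thread and not ComboFix's own code): a small Python triage script that parses the two ComboFix line shapes shown in the log above (bare paths in "Other Deletions", and timestamped "Files Created"/"Find3M" entries) and flags the indicators visible in this particular log: a space inserted before the extension so a file reads like a legitimate binary ("rundll32 .exe"), the shared `_VOID` prefix, the impossible 1601 timestamp, and hidden+system attributes on an executable. The sample lines are copied from the log; the indicator rules are my own heuristics, not ComboFix's.

```python
import re
# "Files Created" / "Find3M" entries: <modified> . <created> <size|--------> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([a-z-]{8}) (.+)$"
)

# Lines copied from the log above, used here as constructed test input.
SAMPLE = r"""c:\windows\system32\rundll32 .exe
c:\windows\system32\_VOIDaouohsbckk.dat
2010-04-03 06:36 . 2005-12-27 04:23 30720 ----a-w- c:\windows\system32\ctfmon.exe
2010-03-24 01:19 . 2007-08-22 21:12 -------- d-----w- c:\program files\iTunes
1601-01-01 00:03 . 1601-01-01 00:03 201728 --sha-w- c:\windows\system32\fipuyuko.exe
"""

def path_indicators(path):
    """Indicators visible in the file name alone."""
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    # "rundll32 .exe": a space before the extension makes the name read like the real binary
    if re.search(r"\S \.[A-Za-z0-9]{1,4}$", name):
        reasons.append("space before extension")
    if name.startswith("_VOID"):  # one dropper family: shared prefix, random suffixes
        reasons.append("_VOID prefix")
    return reasons

def line_indicators(line):
    """Indicators for one log line, either a bare path or a timestamped entry."""
    m = ENTRY_RE.match(line)
    if m is None:
        return path_indicators(line)
    modified, created, size, attrs, path = m.groups()
    reasons = path_indicators(path)
    if modified.startswith("1601-") or created.startswith("1601-"):
        reasons.append("1601 epoch timestamp")  # Windows FILETIME epoch: a zeroed or forged stamp
    if size != "--------" and "s" in attrs and "h" in attrs:
        reasons.append("hidden+system file")
    return reasons

def triage(text):
    """Map every flagged line to its indicators; clean lines are omitted."""
    flagged = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("("):  # skip blanks and section banners
            reasons = line_indicators(line)
            if reasons:
                flagged[line] = reasons
    return flagged
```

Feeding the whole pasted log to `triage()` returns only the lines worth a second look; a legitimate entry such as `ctfmon.exe` with normal attributes produces no indicators.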
     