icetoll Posted June 15, 2008 ID:20372

Hi, I am a very distressed person trying to get rid of infections on my computer. I am using Vista SP1. I ran a scan on AVG 8.0 recently and it found 477 warnings. All of them are in the HKLM/software/internet explorer/activex compatibility/(bunch of scrambled letters). I moved them to the virus vault. Then I ran a scan on MBAM and this is the log:

Malwarebytes' Anti-Malware 1.17
Database version: 856
2:06:42 PM 6/15/2008
mbam-log-6-15-2008 (14-06-42).txt

Scan type: Quick Scan
Objects scanned: 42803
Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Next, I ran pandascan but it was taking too long, so I decided to just post these logs up first. I will post the panda scan log later. After this I ran HijackThis and this is the log I got:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:11 PM, on 6/15/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\LG Software\LG Magnifier\MagnifyingGlass.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\LG Software\On Screen Display\HotKey.exe
C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [LG Magnifier] %ProgramFiles%\LG Software\LG Magnifier\MagnifyingGlass.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [KeybdUtility] C:\Program Files\LG Software\On Screen Display\HotKey.exe
O4 - HKLM\..\Run: [batteryMiser 5] C:\Program Files\LG Software\BatteryMiser\BatteryMiser5.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/binary/MJSS.cab69309.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 9903 bytes

I would appreciate any help available.
icetoll Posted June 15, 2008 Author ID:20380

I couldn't manage to run panda scan or ESET.... I hope the above information suffices.... Please reply ASAP :'(
ctrlaltdelete Posted June 15, 2008 ID:20382

I'm pretty sure those warnings from AVG were all False Positives. AVG 8 detects the registry entries made by SpywareBlaster or Spybot S & D but does not look at the value. So, SpywareBlaster or Spybot S & D creates killbits to prevent malware and AVG removes the protection again.....

AVG said:

"The situation, which you have described is caused by incompatibility between AVG and Spyware Blaster security application on your computer and we would like to recommend you to uninstall Spyware Blaster and all the other security applications from your computer (if you are using any) to avoid possible conflict situations between AVG and the other software.

An "ActiveX Compatibility" registry key is a result of the "Immunize" function included in some anti-spyware programs (e.g.: "Spybot search & destroy", "Spyware blaster",...). The key contains the same registry entries as the actual threats, thus preventing them from working correctly. Some anti-spyware programs use this method to prevent launching of the malware. Unfortunately, these parts are still detected by AVG signatures and that is why AVG marks them as infected. To assure protection provided by AVG against these threats, it is not possible to remove such signatures from AVG virus bases. Because of this, "Immunize" function included in above mentioned softwares is NOT compatible with AVG products."

Javacool said:

"This simply isn't correct.

A.) The contents of the registry are not the same as the actual threats. They are very specific, and easily detectable as valid "kill bits" (simply looking for a value of 1024, which is used to set the kill bit). It should be little more than a few lines of code on AVG's end to fix the false positives.

B.) Those registry locations/entries, even if not marked as kill bits, are largely just remnants anyway. By themselves, they can do no harm. So while it may be nice to clean them up (if they aren't valid entries) when deleting an actual threat, the severity is largely overstated in AVG's FAQ text.

C.) SpywareBlaster's ActiveX protection and Spybot S & D's immunize function are both, by default, compatible with any anti-virus program, including AVG. The issue here is AVG's behavior, which is unfortunately flagging valid entries as malicious. The fix, on AVG's end, would likely be very simple and quick to implement."

I don't know why you are not able to run ESET online scanner or Panda's. Don't see any signs of malware in your HijackThis log.
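The check Javacool describes in the post above (the "value of 1024" test) is easy to reproduce offline, and it is what separates an immunization entry from something worth a closer look. The script below is an added example and is not code from this thread, from AVG, Spybot or SpywareBlaster. It parses a regedit export of the ActiveX Compatibility key and reports, per CLSID, whether the "Compatibility Flags" DWORD has the kill bit (0x400 = 1024) set. The embedded export is constructed for the example and its CLSIDs are placeholders; the key path and the 0x400 kill-bit value are as documented by Microsoft.

```python
import re
from typing import Dict, List, Optional, Tuple

# The "Compatibility Flags" bit that tells Internet Explorer never to instantiate
# a control: 0x400 = 1024 decimal, the value Javacool refers to above.
KILL_BIT = 0x400
ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample export (NOT from the poster's machine); CLSIDs are placeholders.
# A real regedit export is UTF-16 text; decode it first, then pass the str here.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000AAAA}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000BBBB}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000CCCC}]
"Compatibility Flags"=dword:00000401

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000EEEE}]
"SomeOtherValue"="x"
"""

_KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')
_CLSID_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")


def parse_activex_compat(reg_text: str) -> Dict[str, Optional[int]]:
    """Map each CLSID subkey of the ActiveX Compatibility key to its
    Compatibility Flags value (None when the subkey has no such value)."""
    entries: Dict[str, Optional[int]] = {}
    current: Optional[str] = None
    prefix = ACTIVEX_COMPAT_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            path = m.group("path")
            current = None
            if path.lower().startswith(prefix):
                clsid = path[len(prefix):]
                if _CLSID_RE.match(clsid):
                    current = clsid.upper()
                    entries.setdefault(current, None)
            continue
        if current is None:
            continue
        m = _FLAGS_RE.match(line)
        if m:
            entries[current] = int(m.group("hex"), 16)
    return entries


def classify(flags: Optional[int]) -> str:
    """Verdict for one entry: a set kill bit is the signature of an immunization
    entry; anything else deserves a look but is inert registry data by itself."""
    if flags is None:
        return "no Compatibility Flags value"
    if flags & KILL_BIT:
        return "kill bit set"
    return "kill bit NOT set"


def triage(reg_text: str) -> List[Tuple[str, str]]:
    """(CLSID, verdict) pairs, sorted so the odd ones stand out in a long list."""
    return sorted((clsid, classify(flags))
                  for clsid, flags in parse_activex_compat(reg_text).items())


def summarize(reg_text: str) -> Dict[str, int]:
    """Count entries per verdict; a few hundred 'kill bit set' and nothing else
    is exactly what an immunized machine looks like."""
    counts: Dict[str, int] = {}
    for _, verdict in triage(reg_text):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for clsid, verdict in triage(SAMPLE_REG_EXPORT):
        print(f"{clsid}  {verdict}")
    print(summarize(SAMPLE_REG_EXPORT))
```

To run it against a real machine, export the key with regedit (File, Export) and read the file with `open(path, encoding="utf-16")` before calling `triage`; entries whose flags lack 0x400 are the ones to compare against the scanner's detections, while entries that only carry the kill bit are the immunization remnants the thread describes.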
icetoll Posted June 15, 2008 Author ID:20384

Ok, thanks a lot. AVG lists them all as trojans/downloaders/hijackers/adwares. So I moved them to the virus vault anyway. Is it okay to leave it there? Or should I restore them? And is there really need to uninstall Spybot S & D? I will try to post the panda scan log... still trying to access the web. I know... I'm an idiot. Sorry for taking up your time. Thanks loads.

EDIT: Oh and btw, I've got a few tracking cookies on my system too. It's in the appdata/roaming/mozilla or IE/... Yep. Are they dangerous? I just use the web to surf stuff. I don't do any online transactions. And if I delete the account with the tracking cookies in it, will it be okay? I really know nuts about computers. Thanks for the help.
ctrlaltdelete Posted June 15, 2008 ID:20385

Cookies are no threat. Tracking cookies are used to give you personalized ads or something like that.

Another expert told me that the problem with ESET online scanner (and probably other online scanners) may be solved by running Internet Explorer as admin (right-click, run as..).

"Is it okay to leave it there? Or should I restore them?"

You can run the application again which put them there (Spybot S & D or SpywareBlaster) and after that a scan with AVG 8 will show you the same warnings.
ctrlaltdelete Posted June 15, 2008 ID:20403

Update Java. Uninstall all Java and Java Runtime and install the latest, Java Runtime Environment (JRE) 6 Update 6, from this page:
http://java.sun.com/javase/downloads/index.jsp

Let us know if the online scan with ESET or Panda did find something.
icetoll Posted June 16, 2008 Author ID:20429

Ok, thanks for all the help. ESET scan didn't detect any threats. I think I may have just wasted your time. Sorry and thanks.
ctrlaltdelete Posted June 16, 2008 ID:20466

Sorry? AVG's False Positives confused you. If you ever have any (security related) doubts about your PC, just ask.
JeanInMontana Posted June 22, 2008 ID:20919

Let's be positive here and run a scan with the new MBAM version 1.18 and post a new HJT log after that scan.
JeanInMontana Posted June 30, 2008 ID:21488

Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help, start your own topic and someone will be happy to assist you.