I NEED HELP!!! the instruction at "0x7c923845" referenced memory at "0x00000000"

So I uninstalled AVG from my computer the add/remove program way and then I used the uninstaller from the link that was provided. But… combo fix is still finding AVG on my computer. I'm not sure what to do now… sorry for being so tardy…

Did you reboot after uninstalling with the AVG uninstaller? If so, wait for Essexboy to respond to you as he may need to use a different tool.

If combofix still finds AVG then run a fresh OTL scan for me and I will manually remove whatever is left

I ran a fresh OTL and I wasn't sure if you wanted me to do the custom scan or not so I did a custom scan and a non custom scan.

Here they are.

Could you open the logs and then save them as ANSI please, as they are currently in Unicode

This should be correct.

OK once this has run - then retry combofix, ensuring that it is saved to your desktop, if it fails then run from safe mode

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\irpbsbib.sys -- (irpbsbib)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\System32\drivers\ggiiltac.sys -- (ggiiltac)
FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.selectedEngine: "AVG Secure Search"
FF - prefs.js..keyword.URL: "http://search.avg.com/route/?d=4bc48ed5&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q="
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O4 - HKU\S-1-5-21-1606980848-1343024091-839522115-1003..\Run: [{1BDE61A7-23D0-66A0-42E0-39EE539F51A5}] C:\Documents and Settings\Calvin\Application Data\Qiwau\yfqup.exe ()
O4 - HKU\S-1-5-21-1606980848-1343024091-839522115-1003..\Run: [4shared Desktop] C:\Program Files\4shared Desktop\desktop.exe File not found
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\coopx.exe ()
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\fanaze.exe ()
O4 - Startup: C:\Documents and Settings\Calvin\Start Menu\Programs\Startup\icsaeh.exe ()
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\azaw.exe ()
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\etqoat.exe ()
[2010/12/04 09:55:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Calvin\Application Data\Qiwau
[2010/12/04 09:55:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Calvin\Application Data\Obwi
[2010/12/04 09:54:59 | 000,160,800 | ---- | M] () -- C:\Documents and Settings\Calvin\Start Menu\Programs\Startup\icsaeh.exe
[2010/11/22 15:31:14 | 954,142,924 | ---- | M] () -- C:\Documents and Settings\Calvin\Desktop\Zack And Miri Make A Porno ((2008)) DVDrip(divx)BigbrO.AVI
[2010/12/04 09:54:59 | 000,160,800 | ---- | C] () -- C:\Documents and Settings\Calvin\Start Menu\Programs\Startup\icsaeh.exe
[2010/11/25 11:12:31 | 954,142,924 | ---- | C] () -- C:\Documents and Settings\Calvin\Desktop\Zack And Miri Make A Porno ((2008)) DVDrip(divx)BigbrO.AVI
[2010/12/04 09:56:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Calvin\Application Data\Obwi
[2010/12/04 09:55:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Calvin\Application Data\Qiwau

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Okay So I ran the fix and it produced a log I assume. So that will be the 1st attachment. The second attachment is the new quick scan log. I ran the custom one. Let me know if you want me to just do a regular scan and I will. But… after the fix, combo fix is still finding traces of avg on the computer… One tough cookie…

By the way, I really appreciate you guys for this.

The second upload is in Unicode. I re-saved it.

Could you run AVG remover again?

Then I will use a different tool to check for malware. But, let me know what your current problems are in the next post

Download avz4.zip from here

[*]Unzip it to your desktop to a folder named avz4
[*]Double click on AVZ.exe to run it.
[*]Run an update by clicking the Auto Update button on the Right of the Log window:
http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-update-button.png

[*]Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis with Malware removal mode enabled” check box.

http://perplexus.geekstogo.com/avz-standardscripts-asa-removal.png

[*] Click on the “Execute selected scripts”.
[*] Automatic scanning, healing and system check will be executed.
[*] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[*] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[*] All applications will work properly after the system restart.

When restarted

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Analysis” check box.

http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-standardscripts.png

[*] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Upload both virusinfo_syscure.zip and virusinfo_syscheck.zip to Mediafire and post the sharing link.

I click the link to download avz4 and I get a “404 not found” The requested resource was not found. So… I googled it and every link that I found for it gave me the same exact error message. Is it my computer???

OK that means we still have a major problem

I have uploaded a copy to my site for you - find it here http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/avz4.zip

Okay cool. Again I really appreciate this. I'm working on it now.

http://www.mediafire.com/?6ikbe916cvknlcf
(SYSCURE.ZIP)
http://www.mediafire.com/?fsyabs2vfeef7tk
(SYSCHECK.ZIP)

Intriguing as all I can see on AVZ is traces of CA antivirus

Could you try combofix from safe mode please and let me know the result

I just tried it out and I… got the same avg error message… Lost cause huh…?

Let's check for the TDL

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

THEN

GMER Rootkit Scanner - Download - Homepage
[*] Download GMER
[*] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan…click on NO, then use the following settings for a more complete scan…
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg


[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “ark.txt”
[*]Save the log where you can easily find it, such as your desktop.
Caution: Rootkit scans often produce false positives. Do NOT take any action on any “<— ROOTKIT” entries.
Please copy and paste the report into your Post.