Solved

Trouble removing "Additional Guard" Rogue Software

Posted on 2009-12-17
Medium Priority
651 Views
Last Modified: 2013-11-08
I've been working on this XP Pro SP3 computer for an entire day!  It has the Additional Guard rogue software on it.

It stopped the antivirus and Task Manager from working and browser hijacked to bogus sites.

I've run Malwarebytes AntiMalware, Smitfraudfix, SDFix.  Removed over 700 infections.  Still have it.  Tried manual removal in safe mode using instructions found at various web sites - deleted specified registry keys, named files, tried to unreg the .dlls as instructed.  This got the computer at least usable but Additional Guard is still running!  And when I browse to Google.com it's a Netherlands home page!

Now I can access Task Manager but none of the processes match what is listed on the web.  I used Process Explorer as well.

Anyone have any firsthand experience with this bug?  I'm out of ideas at this point and the client can't run her business without the computer...
Question by:sweetladoo
5 Comments
 
LVL 22

Expert Comment

by:optoma
ID: 26078084
You could run a live cd scanner or slave the drive in another machine and scan again with Mbam and an anti-virus software.

If you do that, make note of any deletions, as if legit system files were infected and thus deleted, they would have to be replaced for the machine to boot correctly afterwards.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 26078372
Try OTS and show us the log.
Download OTS to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.
http://oldtimer.geekstogo.com/OTS.exe

Open the OTS folder and double-click on OTS.exe to start the program. Make sure you close all other programs and don't use the PC while the scan runs.
Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.



OR:
You can try this beta version of ComboFix, at your own risk. (NOTE: it is still beta.)
http://download.bleepingcomputer.com/sUBs/Beta/KittyFix.exe

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

We also need to see the logfile.
 

Author Comment

by:sweetladoo
ID: 26081617
Ran Kaspersky CD Scanner, didn't find anything

ComboFix/Kittyfix log posted below. It recognized that Additional Guard was running but doesn't see it as rogue software.
ComboFix 09-12-17.03 - Host Susan 12/18/2009  10:59:23.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3518.2870 [GMT -5:00]
Running from: c:\temp\KittyFix.exe
AV: Additional Guard *On-access scanning enabled* (Updated) {2F2B00AB-E848-4B9B-9845-EF4620120D60}
AV: avast! antivirus 4.8.1368 [VPS 091218-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Additional Guard *enabled* {4583E239-6E7C-4AA8-A954-1FF4A8DFC208}

LVL 47

Accepted Solution

by:
rpggamergirl earned 2000 total points
ID: 26084828
sweetladoo,

Thanks for the CF log.

Please follow the steps I mentioned in my article(with images) and delete both the Additional Guard Antivirus and Firewall entries.
http://www.experts-exchange.com/articles/Virus_and_Spyware/Anti-Virus/Can%27t-Install-an-Antivirus-Windows-Security-Center-still-detects-previous-AV.html 


Click on Start menu > Run > type in:

wbemtest

Click OK
Connect to root\SecurityCenter
 
You would need to change the root\default to root\securitycenter
Click on Query tab
Type in SELECT * FROM AntivirusProduct
Click on Apply
In the Query result window, highlight the offending antivirus and click Delete.
 
After deleting the Additional Guard antivirus entry, proceed to remove its Firewall entry as well; you then replace your query with SELECT * FROM FirewallProduct.
0
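The wbemtest steps in the accepted answer, scripted as an added example (not part of the answer, of ComboFix, or of any Experts Exchange tool): it lists every AntivirusProduct and FirewallProduct instance registered in root\SecurityCenter, the namespace Windows Security Center reads on XP, and deletes only the instance whose display name matches the rogue product, and only when asked to. Assumed: Windows PowerShell is installed on the XP SP3 machine and runs as Administrator; the -RogueName and -Remove parameters are this script's own, not wbemtest's.

```powershell
# Added example: inspect and clean the WMI Security Center registration that a
# rogue "antivirus" leaves behind (the AV: / FW: lines ComboFix printed above).
# Assumptions: XP SP3 with PowerShell, elevated session. Namespace taken from the
# thread (root\SecurityCenter); Vista and later also use root\SecurityCenter2.

param(
    # Display name exactly as Security Center shows it (constructed default).
    [string]$RogueName = 'Additional Guard',
    # Default is report-only; pass -Remove $true to actually delete the instance.
    [bool]$Remove = $false
)

$namespace = 'root\SecurityCenter'

function Get-SecurityCenterEntries {
    param([string]$Class)
    # Same WQL the answer types into wbemtest's Query tab: SELECT * FROM <class>
    Get-WmiObject -Namespace $namespace -Query "SELECT * FROM $Class" -ErrorAction SilentlyContinue
}

foreach ($class in 'AntivirusProduct', 'FirewallProduct') {
    Write-Host "== $namespace : $class =="
    $entries = @(Get-SecurityCenterEntries -Class $class)
    if ($entries.Count -eq 0) {
        Write-Host '  (no instances registered)'
        continue
    }
    foreach ($e in $entries) {
        # displayName, companyName and instanceGuid exist on both XP classes;
        # a product registered here with no matching installed software is the tell.
        Write-Host ("  {0,-25} {1,-25} {2}" -f $e.displayName, $e.companyName, $e.instanceGuid)
    }

    $suspect = @($entries | Where-Object { $_.displayName -eq $RogueName })
    foreach ($s in $suspect) {
        if ($Remove) {
            # ManagementObject.Delete() removes the WMI instance, like "Delete" in wbemtest.
            $s.Delete()
            Write-Host "  removed $class entry '$($s.displayName)' ($($s.instanceGuid))"
        } else {
            Write-Host "  would remove $class entry '$($s.displayName)' ($($s.instanceGuid)); rerun with -Remove `$true"
        }
    }
}
```

Run it once without -Remove to confirm that the only matching instances are the rogue ones before deleting anything; a legitimate product such as avast! should stay listed so Security Center keeps reporting it.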
 

Author Closing Comment

by:sweetladoo
ID: 31667367
Thank you rpggamergirl