Computer Security & Viruses/avg is disabled

Advertisement

Expert: - 5/17/2009


Question
QUESTION: avg is not functioning properly,it is not opening and I found AVG antivirus & antispyware would not connect to the control centre.I can't run Task Manager or remove programmes as i get the message "*** has been disabled by your administrator" when I try to use them.

As per ur advice i have downloaded the hijackthis and saved a log file

*********************************************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:15 PM, on 5/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32KHATRA.exe
C:PROGRA~1AVGAVG8avgwdsvc.exe
C:WINDOWSsystem32cisvc.exe
C:WINDOWSsystem32inetsrvinetinfo.exe
C:PROGRA~1AVGAVG8avgtray.exe
C:Program FilesDAPDAP.EXE
C:Program FilesSUPERAntiSpywareSUPERAntiSpyware.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesNeroNero 7InCDInCDsrv.exe
C:Program FilesCyberLinkShared filesRichVideo.exe
C:WINDOWSSystem32snmp.exe
C:Program FilesSigmaTelC-Major AudioWDMSTacSV.exe
C:WINDOWSsystem32   lntsvr.exe
C:PROGRA~1AVGAVG8avgrsx.exe
C:WINDOWSsystem32mqsvc.exe
C:WINDOWSsystem32mqtgsvc.exe
C:WINDOWSXplorer.exe
C:WINDOWSSystemgHost.exe
C:Program FilesAVGAVG8avgscanx.exe
C:Program FilesAVGAVG8avgcsrvx.exe
C:Program FilesInternet Exploreriexplore.exe
C:PROGRA~1AVGAVG8aAvgApi.exe
C:WINDOWSsystem32cidaemon.exe
C:WINDOWSsystem32cidaemon.exe
C:Program FilesAllExpertsAllExperts.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = about:blank
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Internet Exploiter
F3 - REG:win.ini: load=C:WINDOWSsystem32KHATRA.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:PROGRA~1MICROS~2Office12GRA8E1~1.DLL
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O4 - HKLM..Run: [SMSERIAL] C:WINDOWSsystem32KHATRA.exe
O4 - HKLM..Run: [GrooveMonitor] C:WINDOWSXplorer.exe
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKLM..Run: [Xplorer] "C:WINDOWSXplorer.exe" /Windows
O4 - HKCU..Run: [] C:Documents and SettingsAll UsersApplication Datacrazya.exe
O4 - HKCU..Run: [DownloadAccelerator] "C:Program FilesDAPDAP.EXE" /STARTUP
O4 - HKCU..Run: [SUPERAntiSpyware] C:Program FilesSUPERAntiSpywareSUPERAntiSpyware.exe
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [Uniblue RegistryBooster 2009] C:Program FilesUniblueRegistryBoosterRegistryBooster.exe /S
O4 - HKLM..PoliciesExplorerRun: [status] thb
O4 - HKLM..PoliciesExplorerRun: [G_Host] "C:WINDOWSSystemgHost.exe" /Reproduce
O4 - Global Startup: (Empty).LNK = C:KHATRA.exe
O7 - HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem, DisableRegedit=1
O8 - Extra context menu item: &Clean Traces - C:Program FilesDAPPrivacy Packagedapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:Program FilesDAPdapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:Program FilesDAPdapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office12EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavaj2re1.4.2_03in
pjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavaj2re1.4.2_03in
pjpi142_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:PROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2Office12REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O17 - HKLMSystemCCSServicesTcpip..{618D2BCC-A5D8-4985-9A53-34D50B60327F}: NameServer = 218.248.255.139 218.248.255.212
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:PROGRA~1MICROS~2Office12GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:Program FilesSUPERAntiSpywareSASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:WINDOWSSYSTEM32avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:Program FilesNeroNero 7InCDInCDsrv.exe
O23 - Service: NBService - Nero AG - C:Program FilesNeroNero 7Nero BackItUpNBService.exe
O23 - Service: NMIndexingService - Nero AG - C:Program FilesCommon FilesAheadLibNMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:Program FilesCyberLinkShared filesRichVideo.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:Program FilesSigmaTelC-Major AudioWDMSTacSV.exe

--
End of file - 5677 bytes


ANSWER: Hi Mani

Your HJT log is not formateed properly, making it difficult to read.  Your entries look like:

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe

Where they should look like this:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

Please run another scan and when notepad opens, right-click in the box, choose Select All, then Copy and Paste the log into a follow-up to me.  Thanks.

Brian

---------- FOLLOW-UP ----------

QUESTION:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:05 PM, on 5/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\KHATRA.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\WINDOWS\system32\mqsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Xplorer.exe
C:\WINDOWS\System\gHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgupd.exe
C:\Program Files\AllExperts\AllExperts.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Exploiter
F3 - REG:win.ini: load=C:\WINDOWS\system32\KHATRA.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SMSERIAL] C:\WINDOWS\system32\KHATRA.exe
O4 - HKLM\..\Run: [GrooveMonitor] C:\WINDOWS\Xplorer.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Xplorer] "C:\WINDOWS\Xplorer.exe" /Windows
O4 - HKCU\..\Run: [] C:\Documents and Settings\All Users\Application Data\crazya.exe
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKLM\..\Policies\Explorer\Run: [status] thb
O4 - HKLM\..\Policies\Explorer\Run: [G_Host] "C:\WINDOWS\System\gHost.exe" /Reproduce
O4 - Global Startup: (Empty).LNK = C:\KHATRA.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{618D2BCC-A5D8-4985-9A53-34D50B60327F}: NameServer = 218.248.255.139 218.248.255.212
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 5649 bytes


Answer
Hi Mani

Please download ComboFix from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Save it to your desktop.
Double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.  If the program asks you to install the Windows Recovery Console, please allow it to do so.  ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.  If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. ComboFix may also restart your computer.  Do not intervene.  Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.  It will then display the log file automatically for you.  Please post that log along with a new HJT log here in a follow up.

Brian

Computer Security & Viruses

All Answers

Answers by Expert:

Ask Experts

Volunteer

Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.