2.02.2007 00:13, Post #61
Newbie, Group: Members, Posts: 6, Joined: 1.02.2007
Now we will see what will be... I reboot the comp and the antivirus is still there... now I am scanning the system.

2.02.2007 00:24, Post #62
Global Moderator, Group: Global moderators, Posts: 25602, Joined: 7.04.2005
QUOTE (mattek33 @ 1.02.2007 23:13): now we will see what will be... i reboot the comp and antivirus is still there... now i am scanning the system

What AV? Did you read my post?

2.02.2007 00:26, Post #63
Newbie, Group: Members, Posts: 6, Joined: 1.02.2007
I will check the system with BD, Kaspersky and F-Secure. I must be sure!

21.02.2007 17:05, Post #64
Newbie, Group: Members, Posts: 3, Joined: 21.02.2007
Hello, I have the same problem.
I can't install Kaspersky Internet Security 6 and I can't boot in secure mode. Here is my HijackThis log:

```
Logfile of HijackThis v1.99.1
Scan saved at 12:03:42, on 21/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\SYSTEM32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
C:\AppServ\Apache2.2\bin\httpd.exe
E:\WINDOWS\system32\cisvc.exe
C:\AppServ\mysql\bin\mysqld-nt.exe
C:\Archivos de programa\NetLimiter 2 Pro\nlsvc.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\IoctlSvc.exe
C:\AppServ\Apache2.2\bin\httpd.exe
C:\Archivos de programa\NetLimiter 2 Pro\NLClient.exe
E:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\UnHackMe\hackmon.exe
E:\Archivos de programa\Internet Explorer\iexplore.exe
E:\Archivos de programa\Internet Explorer\iexplore.exe
E:\WINDOWS\SYSTEM32\cidaemon.exe
E:\DOCUME~1\Nicolas\CONFIG~1\Temp\Rar$EX00.250\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.es/ie?hl={SUB_RFC1766}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.es/ie?hl={SUB_RFC1766}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.es/preferences?hl={SUB_RFC1766}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {FDA71F0E-2DF2-5ABA-391C-6EBEB85FA2BE} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ClamWin] "c:\Archivos de programa\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] c:\Archivos de programa\UnHackMe\hackmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Descargar con FDM - file://C:\Archivos de programa\Free Download Manager\dllink.htm
O8 - Extra context menu item: Descargar selección con FDM - file://C:\Archivos de programa\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Descargar todo con FDM - file://C:\Archivos de programa\Free Download Manager\dlall.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\OFFICE~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Archivos de programa\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: E:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04F414E9-E352-4BC3-963D-7BFE5A5F31A9} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1064_XP.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1CD4E2DC-2DA0-4154-8723-38CB04FB6A58} -
O16 - DPF: {525019DF-8282-40DC-A0E0-13C076889F66} (InstallerSf Control) - http://www.softonic.com/sinespias/installer.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {71DA2A4E-ACB3-4065-9E41-8BC42EABE427} - http://scripts.dlv4.com/binaries/IA/svcia32_ES_XP.cab
O16 - DPF: {87C1805D-C5AE-4455-AB39-E245BB516136} - http://scripts.dlv4.com/binaries/egaccess4/egaccess4_1059_XP.cab
O16 - DPF: {8D8BAF56-B581-4B90-A549-C4AC6B03F1BB} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1074_XP.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AF7410C1-FBA3-415E-800A-4110CED40536} -
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\ARCHIV~1\MSNMES~2\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\
O20 - Winlogon Notify: SASWinLogon - C:\Archivos de programa\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apache - Unknown owner - C:\AppServ\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Apache2.2 - Unknown owner - C:\AppServ\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Archivos de programa\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: MySql - Unknown owner - C:/AppServ/mysql/bin/mysqld-nt.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Archivos de programa\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - E:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Windows Archiver (winarc) - Unknown owner - E:\WINDOWS\devldr.exe (file missing)
```

Thanks for your help, Nicolas

21.02.2007 17:10, Post #65
True legend, Group: Moderators, Posts: 52487, Joined: 28.01.2006, From: Timisoara, Romania
Try a rootkit scan with GMER: http://www.gmer.net/
and post the log. Is anything found?

21.02.2007 18:58, Post #66
Newbie, Group: Members, Posts: 3, Joined: 21.02.2007
I don't paste all the log because it's very long, but GMER found these:

```
GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-21 13:51:40
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwCreateFile
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwEnumerateKey
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwOpenProcess
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwQueryDirectoryFile
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwQueryKey
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys

---- Services - GMER 1.0.12 ----

Service E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys [MANUAL] m_hook <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----
```
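The GMER excerpt above is the whole story in a few lines: one driver, loaded from a user's profile folder rather than the system driver directory, hooks the SSDT entries for file, registry and process calls, which is exactly the combination a rootkit needs to hide its own files, keys and processes from the programs the user runs. The following is an added Python example (not code from this thread or from GMER) that parses that output, groups the hooks by driver, and flags drivers hooking from outside `<drive>:\Windows\system32\drivers`. It embeds the posted excerpt as-is and a second, constructed log for comparison; the mapping from hooked native call to likely effect, the driver-directory rule and the name `example_av.sys` are assumptions for illustration.

```python
"""Triage of GMER rootkit-scan output.

Added example for this thread; it is not code from the forum post or from
GMER. It parses the "SSDT" and "Service" lines GMER prints, groups the
hooks by the driver that installed them, and flags drivers loaded from
outside the standard driver directory. The mapping from hooked native
API to likely effect is an assumption used for illustration.
"""
import re

# Input 1: the GMER excerpt posted in the thread (the last SSDT line was
# cut off in the post and is kept that way; the parser tolerates it).
POSTED_LOG = r"""
GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-21 13:51:40
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwCreateFile
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwEnumerateKey
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwOpenProcess
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwQueryDirectoryFile
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys ZwQueryKey
SSDT \??\E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys

---- Services - GMER 1.0.12 ----

Service E:\Documents and Settings\Nicolas\Datos de programa\hidires\m_hook.sys [MANUAL] m_hook <-- ROOTKIT !!!

---- EOF - GMER 1.0.12 ----
"""

# Input 2: a constructed log (not from the thread) in which a driver in the
# normal driver directory hooks a single call, as a security product might.
CONSTRUCTED_LOG = r"""
---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\example_av.sys ZwCreateFile

---- EOF - GMER 1.0.12 ----
"""

# What a hook on each native call is typically used for (assumed mapping).
HOOK_EFFECT = {
    "ZwQueryDirectoryFile": "hide files from directory listings",
    "ZwCreateFile": "intercept or block opening of files",
    "ZwEnumerateKey": "hide registry keys from enumeration",
    "ZwQueryKey": "hide registry keys from queries",
    "ZwOpenProcess": "block other programs from opening protected processes",
}

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?\.sys)(?:\s+(?P<func>Zw\w+))?\s*$")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<module>.+?\.sys)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)(?P<note>.*)$"
)
DRIVER_DIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\[^\\]+\.sys$")


def clean_path(path):
    """Strip the NT object-manager prefix and normalise case for grouping."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def in_driver_dir(path):
    """True when the (cleaned) driver path is under <drive>:\\windows\\system32\\drivers."""
    return DRIVER_DIR_RE.match(path) is not None


def parse_gmer(text):
    """Return the SSDT-hook and service entries found in GMER output."""
    entries = []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            entries.append({"kind": "SSDT", "module": clean_path(m.group("module")),
                            "function": m.group("func")})
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append({"kind": "Service", "module": clean_path(m.group("module")),
                            "name": m.group("name"), "start": m.group("start"),
                            "note": m.group("note").strip()})
    return entries


def triage(entries):
    """Group entries by driver and record what each hook could be used for."""
    report = {}
    for e in entries:
        rec = report.setdefault(e["module"], {
            "hooks": [], "effects": [], "service": None,
            "outside_driver_dir": not in_driver_dir(e["module"]),
        })
        if e["kind"] == "SSDT" and e["function"]:
            rec["hooks"].append(e["function"])
            rec["effects"].append(HOOK_EFFECT.get(e["function"], "unknown effect"))
        elif e["kind"] == "Service":
            rec["service"] = e["name"]
    return report


def suspicious_modules(report):
    """Drivers that hook the SSDT from outside the driver directory."""
    return sorted(m for m, r in report.items() if r["hooks"] and r["outside_driver_dir"])


if __name__ == "__main__":
    for label, log in (("posted", POSTED_LOG), ("constructed", CONSTRUCTED_LOG)):
        rep = triage(parse_gmer(log))
        print(f"[{label}] suspicious: {suspicious_modules(rep)}")
        for module, r in rep.items():
            print(f"  {module}\n    hooks: {r['hooks']}\n    service: {r['service']}")
            for eff in r["effects"]:
                print(f"    could {eff}")
```

Run as a script it prints both reports; on the posted log the only module listed is the `hidires\m_hook.sys` driver, with its five hooks and the `m_hook` service that loads it, which matches what the moderator asks to have deleted in the next reply. The location rule is deliberately coarse: legitimate security products also hook these calls, so a hook alone is not the signal, whereas a kernel driver started from a per-user profile directory almost always is.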

21.02.2007 19:10, Post #67
True legend, Group: Moderators, Posts: 52487, Joined: 28.01.2006, From: Timisoara, Romania
Right-click the m_hook.sys in the service tab and choose "delete this service".
Also, are there any hidden processes in the process tab (if I recall, they are displayed in red)?

22.02.2007 21:55, Post #68
Newbie, Group: Members, Posts: 3, Joined: 21.02.2007
Thanks, I cleaned it with GMER and then I could finally install Kaspersky.
Thanks for all your help!