Windows XP unknown device:ROOT\LEGACY_ AVGIDSAGENT\SOFTWARE

September 8, 2012 at 17:39:23
Specs: Windows XP, atom
Hi,
I have following unknown device on my windows XP: ROOT\LEGACY_ AVGIDSAGENT\SOFTWARE and I'm not sure if this is a trojan/worm.
The machine is quite slow to log in to the main user and I have a feeling it
has something to do with this device. I have downloaded Hijack this. Here is the output:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:15 AM, on 9/09/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Launch Manager\dsiwmis.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe
C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Program Files\AVG\AVG2012\avgidsagent.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\PLFSetL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.a...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.a...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.a...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.a...
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\Drivers\AzMixerSel.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PLFSetL] C:\WINDOWS\PLFSetL.exe
O4 - HKLM\..\Run: [snp2uvc] rundll32.exe C:\WINDOWS\system32\csnp2uvc.dll,ResetCIDS
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\TEMP\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Dritek WMI Service (DsiWMIService) - Dritek System Inc. - C:\Program Files\Launch Manager\dsiwmis.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Sierra Wireless Card Detection Service (SwiCardDetectSvc) - Sierra Wireless, Inc. - C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe
O23 - Service: Updater Service - Acer - C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
O23 - Service: User Profile Hive Cleanup (UPHClean) - Windows (R) Codename Longhorn DDK provider - C:\Program Files\UPHClean\uphclean.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 11139 bytes

Any help interpreting this would be appreciated.
Cheers.


See More: Windows XP unknown device:ROOT\LEGACY_ AVGIDSAGENT\SOFTWARE

Report •


#1
September 8, 2012 at 18:45:43
Download Security Check by screen317 from one of the following links and save it to your desktop.
http://screen317.spywareinfoforum.o...
http://screen317.changelog.fr/Secur...
* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Save it to your Desktop.
* Double click SecurityCheck.exe. If you run Windows Vista or 7, right click and choose 'Run as Administrator'.
o If you are asked by Windows to run this program or not, please click 'Yes' or 'Run'.
o When you see a console window, press any key to continue scanning.
o Wait while it scans.
o If your firewall alerts you of Security Check, please press 'Allow' or similar.
* A Notepad document should open automatically after scan is completed. It will be called checkup.txt; please post the contents of that document.
Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Report •

#2
September 8, 2012 at 19:58:04
why do people insist on posting Hijackthis logs when they see the warning while posting? A HJT log is only to be posted when a qualified member requests it....

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds


Report •

#3
September 8, 2012 at 20:00:02
As requested, here is the contents of checkup.txt:

Results of screen317's Security Check version 0.99.50
Windows XP Service Pack 3 x86
Internet Explorer 8
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
Windows Firewall Enabled!
AVG 2012
AVG2012 successfully updated!
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
MVPS Hosts File
[color=red][b]Out of date HijackThis installed![/b][/color]
HijackThis 2.0.2
CCleaner
Java 7 Update 7
Adobe Flash Player 11.4.402.265
Adobe Reader X (10.1.4)
Mozilla Firefox (14.0.1)
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C:: 2%
[b][u]````````````````````End of Log``````````````````````[/b][/u]

Cheers.


Report •

Related Solutions

#4
September 8, 2012 at 20:01:45
RE: HiJack This. Sorry - was just trying to go a few steps ahead and didn't know the forum rules. Won't do it again!

Report •

#5
September 8, 2012 at 20:09:18
Thanks for the log.

unknown device:ROOT\LEGACY_ AVGIDSAGENT\SOFTWARE

Where is this appearing?


Report •

#6
September 8, 2012 at 20:23:16
"didn't know the forum rules. Won't do it again!"
When this keeps happening, it tells me it is hard to find. Also the OP is usually under duress & struggling just to think straight.

Report •

#7
September 8, 2012 at 20:35:12
Hi,
It is appearing as an unknown device in device manager in windows xp home. I thought it could be a bridging driver or something from the latest free version of AVG to support legacies operating systems, such as XP, though not 100% sure. It also crossed my mind that it could be something to do with a trojan/worm. All I know is that this little machine takes forever to startup, spybot - S & D stopped working for some reason and xp seems to recognise ROOT\LEGACY_ AVGIDSAGENT\SOFTWARE as an 'unknown device'.
RE: HiJack This! - I was tracking through another forum post and saw that one of the respondents requested the hijack this file to be posted. That's why I thought it might have been helpful. When I replied the second time, I noticed the message. I was only trying to help. Won't do it again unless asked to do so.
Cheers.

Report •

#8
September 8, 2012 at 20:39:43
Thought it must be in Device Manager.

I'm with you, looks sus, process of elimination now, lets start with ESET.

Run ESET & post the log please.
http://www.eset.eu/online-scanner
http://www.eset.com/us/online-scanner
Why Would I Ever Need an Online Virus Scanner?
I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
How can I view the log file from ESET Online Scanner?
http://www.eset.eu/eset-online-scan...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start ? Run dialog box from the Start Menu on the desktop.


Report •

#9
September 8, 2012 at 22:43:34
Completely uninstall AVG anti-virus software with Revo Uninstaller:

http://www.revouninstaller.com

Install another Anti-Virus like MSSR or AVira

ARM Devices are the future, great British Design !


Report •

#10
September 8, 2012 at 22:57:52
Hi,
I did as you said. The result bought up zero infections, though, I couldn't/can't access My Computer very quickly now either and there is no :\Program Files\EsetOnlineScanner\log.txt file.
Cheers.

Report •

#11
September 8, 2012 at 23:00:25
Hi Jolli,
I don't particularly feel comfortable removing avg. I've been using it for years and never had a problem with it before. I don't even know if it is a problem considering the ESET online scanner didn't reveal any infections.
Cheers.

Report •

#12
September 8, 2012 at 23:40:14
"I don't particularly feel comfortable removing avg."
Fair enough as well, not that I use it, I switched from AVG about 4 years ago to MSE.

"ESET online scanner didn't reveal any infections"
I'm still waiting to see the log, may just get a clue.


Report •

#13
September 8, 2012 at 23:42:11
Jolicloud

"Completely uninstall AVG anti-virus software"

Malware Prevention
http://www.malwarevault.com/index.html
"There is no magic involved. The majority of malware is installed by the user themselves"


Report •

#14
September 8, 2012 at 23:49:10
"there is no :\Program Files\EsetOnlineScanner\log.txt file"

Opp's sorry, missed that.

Just a few more checks in the current direction, it's because the comp is running slow I am doing one direction at a time, rather than this way then that way, it all ends up in a big mess.

1: Download & run Unhide
http://www.bleepingcomputer.com/vir...
http://download.bleepingcomputer.co...
Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run, it does take some time, be patient. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

2: Reboot

3: Run Trojan.Zeroaccess Removal Tool
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://www.symantec.com/business/se...


Report •

#15
September 9, 2012 at 03:34:24
Hi Johnw,
Here is the log.txt:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=9b457fb00004b74abe38c573015c8867
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-09-09 08:12:29
# local_time=2012-09-09 06:12:29 (+1000, E. Australia Standard Time)
# country="Australia"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777175 100 0 10654248 10654248 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=64840
# found=0
# cleaned=0
# scan_time=4534

Cheers.


Report •

#16
September 9, 2012 at 04:22:55
"Here is the log.txt"
Thanks frameworks, no extra clues there, just waiting for confirmation from my post14.
Log please. if it produces one.

Report •

#17
September 9, 2012 at 04:31:35
When finished my post 14, could you upload to a site of your choice, a screenshot of Disk Management please. Maximize the page for the SS.

How To Access Disk Management in Windows XP
http://pcsupport.about.com/od/windo...

PS: I'm in WA.


Report •


Ask Question