
Topic: virus


dyjodapa

    Topic Starter


    Rookie

    virus
    « on: September 04, 2010, 06:00:59 PM »
    Hi,

    I ran both Malwarebytes and SUPERAntiSpyware; both came back clean. But when I scanned with Avast it found 25+ infections. Also this computer cannot get internet. I am posting a HijackThis log below:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:19:48 PM, on 9/4/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Emsisoft\Online Armor\OAcat.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Emsisoft\Online Armor\OAui.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
    O23 - Service: Online Armor Helper Service (OAcat) - Emsi Software GmbH - C:\Program Files\Emsisoft\Online Armor\OAcat.exe
    O23 - Service: Online Armor (SvcOnlineArmor) - Emsi Software GmbH - C:\Program Files\Emsisoft\Online Armor\oasrv.exe

    --
    End of file - 3957 bytes
    « Last Edit: September 04, 2010, 06:19:47 PM by dyjodapa »

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: virus
    « Reply #1 on: September 05, 2010, 07:12:54 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    You may have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************
    Download the Fix IE Utility to your desktop.

    Before running the utility, make sure that all your Internet Explorer windows are closed!

    * Extract the contents of the .zip file to your desktop.
    * Double click the Fix IE Utility button to run the tool.
    * Click Run Utility
    * Click OK when you see 'Re-registered all files'
    * Open Internet Explorer and see how it works.

    Windows 8 and Windows 10 dual boot with two SSD's

      dyjodapa

      Re: virus
      « Reply #2 on: September 05, 2010, 07:16:31 PM »
      Dave,

      What I meant by the internet isn't working is I don't have any connection to connect it to.

      Thanks

      SuperDave
      Re: virus
      « Reply #3 on: September 06, 2010, 05:13:18 PM »
      Are you connected to a modem or a router? I don't understand when you say you don't have any connection to connect it to. Please explain.

        dyjodapa

        Re: virus
        « Reply #4 on: September 06, 2010, 06:34:30 PM »
        Hi Dave,

        Okay, most of my connections are to my router. I took a wireless card from a different computer and put it in the infected one. But even though it worked on the other computer in the same location, it didn't work on the infected one. The wireless card is a TP-Link TL-WN353G.

        SuperDave
        Re: virus
        « Reply #5 on: September 07, 2010, 01:11:53 PM »
        Please download the Fix IE Utility on another computer and transfer it to the infected computer and follow the instructions in Reply # 1

          dyjodapa

          Re: virus
          « Reply #6 on: September 07, 2010, 08:31:38 PM »
          Still no luck getting on the internet.

          SuperDave
          Re: virus
          « Reply #7 on: September 08, 2010, 10:36:28 AM »
          Please uninstall HJT from your computer, download this one and run another scan. The previous scan seems incomplete. Also run these other scans and post the logs.

          Please download: HiJackThis to your Desktop.
          • Double Click the HijackThis icon, located on your Desktop.
          • By Default, it will install to: C:\Program Files\Trend Micro\HijackThis
          • Accept the license agreement.
          • Click the Open the Misc Tools section button.
          • Place a checkmark beside Calculate MD5 of files if possible. Then, click Back.
          • Click Do a System Scan and Save a Logfile. Or, if you see a white screen, click Scan.
          • Please post the log in your next reply.
          ************************************
          SUPERAntiSpyware

          If you already have SUPERAntiSpyware be sure to check for updates before scanning!


          Download SuperAntispyware Free Edition (SAS)
          * Double-click the icon on your desktop to run the installer.
          * When asked to Update the program definitions, click Yes
          * If you encounter any problems while downloading the updates, manually download and unzip them from here
          * Next click the Preferences button.

          •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
          * Click the Scanning Control tab.
          * Under Scanner Options make sure only the following are checked:

          •Close browsers before scanning
          •Scan for tracking cookies
          •Terminate memory threats before quarantining
          Please leave the others unchecked

          •Click the Close button to leave the control center screen.

          * On the main screen click Scan your computer
          * On the left check the box for the drive you are scanning.
          * On the right choose Perform Complete Scan
          * Click Next to start the scan. Please be patient while it scans your computer.
          * After the scan is complete a summary box will appear. Click OK
          * Make sure everything in the white box has a check next to it, then click Next
          * It will quarantine what it found and if it asks if you want to reboot, click Yes

          •To retrieve the removal information please do the following:
          •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
          •Click Preferences. Click the Statistics/Logs tab.

          •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

          •It will open in your default text editor (preferably Notepad).
          •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

          * Save the log somewhere you can easily find it. (normally the desktop)
          * Click close and close again to exit the program.
          *Copy and Paste the log in your post.
          **************************************
          Please download Malwarebytes Anti-Malware from here.

          Double Click mbam-setup.exe to install the application.
          • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
          • If an update is found, it will download and install the latest version.
          • Once the program has loaded, select "Perform Full Scan", then click Scan.
          • The scan may take some time to finish, so please be patient.
          • When the scan is complete, click OK, then Show Results to view the results.
          • Make sure that everything is checked, and click Remove Selected.
          • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
          • Please save the log to a location you will remember.
          • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
          • Copy and paste the entire report in your next reply.
          Extra Note:

          If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
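Once HijackThis is rerun with "Calculate MD5 of files if possible" checked, most O2/O3/O4 lines carry the file size and MD5 of the target file, which turns the log into something that can be checked by machine rather than by eye. The block below is an added example written for this thread; it is not HijackThis code and not part of any post. It parses lines in that format into records, collects the unique hashes so each file is looked up once in a hash database (the same Google Toolbar DLL appears under O2 and O3), and flags the entries a helper would look at first: an autostart without a recorded hash, a service with no vendor string, or anything running from a user-writable directory. The sample log is constructed in the shape of the logs posted in this thread; the final O23 line (a service named "Example Helper" in the Temp folder with "Unknown owner" as vendor) is invented so the checks have something to flag, and the list of user-writable directories is an assumption.

```python
"""Parse a HijackThis 2.0.2 log written with "Calculate MD5 of files if
possible" checked, and turn the autostart entries into hash-lookup input.
Added example for this thread; it is not HijackThis code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the log posted in Reply #8.  The last
# O23 line is invented (hypothetical service "exhelp") so the checks below
# have something to flag.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:36 PM, on 9/8/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (filesize 75128 bytes, MD5 E96C752BBA0E22330A43258FC800200E)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (filesize 256112 bytes, MD5 783AD24A77CD964B9888F27535FCC56E)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (filesize 256112 bytes, MD5 783AD24A77CD964B9888F27535FCC56E)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (filesize 34672 bytes, MD5 69B16C7B7746BA5C642FC05B3561FC73)
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - Global Startup: TP-LINK Wireless Utility.lnk = C:\Program Files\TP-LINK\TL-WN313G_353G_353GD\RtWLan.exe (filesize 790528 bytes, MD5 0CD0E64A950F2A5B9F5BF9FE982F2304)
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Example Helper (exhelp) - Unknown owner - C:\Documents and Settings\Williamson\Local Settings\Temp\exhelp.exe
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")
MD5_RE = re.compile(r" \(filesize (\d+) bytes, MD5 ([0-9A-Fa-f]{32})\)$")
# First Windows path on the line, ending at a known executable extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|cab)(?=$|[\s"])',
                     re.IGNORECASE)
VENDOR_RE = re.compile(r"^Service: .+? - (.+?) - ")
# Assumption: directories an ordinary user can write to on Windows XP.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


@dataclass
class HjtEntry:
    section: str            # "O4", "O23", ...
    detail: str             # line body with the MD5 annotation removed
    path: Optional[str]
    size: Optional[int]
    md5: Optional[str]
    vendor: Optional[str]   # O23 lines only


def parse_hjt_log(text: str) -> List[HjtEntry]:
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # banner, blank and "End of file" lines
        section, body = m.group(1), m.group(2)
        size = md5 = None
        h = MD5_RE.search(body)
        if h:
            size, md5 = int(h.group(1)), h.group(2).upper()
            body = body[:h.start()]
        p = PATH_RE.search(body)
        v = VENDOR_RE.match(body) if section == "O23" else None
        entries.append(HjtEntry(section, body, p.group(0) if p else None,
                                size, md5, v.group(1) if v else None))
    return entries


def unique_hashes(entries: List[HjtEntry]) -> Dict[str, str]:
    """MD5 -> first path seen with it; a DLL listed under O2 and O3 is looked up once."""
    seen: Dict[str, str] = {}
    for e in entries:
        if e.md5 and e.md5 not in seen:
            seen[e.md5] = e.path or ""
    return seen


def triage(entries: List[HjtEntry]) -> List[Tuple[str, str, str]]:
    """(section, path, reason) for entries worth a closer look."""
    findings: List[Tuple[str, str, str]] = []
    for e in entries:
        if e.path is None:
            continue
        low = e.path.lower()
        if any(d in low for d in USER_WRITABLE):
            findings.append((e.section, e.path, "runs from a user-writable directory"))
        if e.section == "O23" and e.vendor == "Unknown owner":
            findings.append((e.section, e.path, "service has no vendor string"))
        if e.md5 is None and e.section != "O23":
            # In the posted log the O23 (service) lines carry no hash at all, so
            # only a non-service entry without one is unusual, e.g. the 8.3
            # short path HijackThis did not hash.
            findings.append((e.section, e.path, "no MD5 recorded; hash the file by hand"))
    return findings


if __name__ == "__main__":
    found = parse_hjt_log(SAMPLE_HJT_LOG)
    for md5, path in unique_hashes(found).items():
        print(md5, path)
    for section, path, reason in triage(found):
        print(f"{section}: {path} -- {reason}")
```

Against the sample this yields four unique hashes to look up and three flagged entries: the avast5 O4 line, which HijackThis listed by its 8.3 short path without a hash, and the invented Temp-folder service twice (user-writable location and no vendor). A hash that is absent from the log is not evidence of anything on its own; it just means the file has to be hashed on the machine before it can be checked.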

            dyjodapa

            Re: virus
            « Reply #8 on: September 09, 2010, 03:09:50 PM »
            Here are the logs.

            Thanks

            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 6:50:36 PM, on 9/8/2010
            Platform: Windows XP SP2 (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
            Boot mode: Normal

            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\Program Files\Emsisoft\Online Armor\OAcat.exe
            C:\WINDOWS\Explorer.EXE
            C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\wscntfy.exe
            C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
            C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
            C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
            C:\Program Files\TP-LINK\TL-WN313G_353G_353GD\RtWLan.exe
            C:\WINDOWS\system32\wuauclt.exe
            C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
            O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (filesize 75128 bytes, MD5 E96C752BBA0E22330A43258FC800200E)
            O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (filesize 256112 bytes, MD5 783AD24A77CD964B9888F27535FCC56E)
            O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll (filesize 762864 bytes, MD5 927558FA159FED54852692D729039E67)
            O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (filesize 458736 bytes, MD5 CB84DFAFF68CD27E840251343B9B8E99)
            O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (filesize 256112 bytes, MD5 783AD24A77CD964B9888F27535FCC56E)
            O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (filesize 34672 bytes, MD5 69B16C7B7746BA5C642FC05B3561FC73)
            O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
            O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Emsisoft\Online Armor\OAui.exe" (filesize 6854984 bytes, MD5 83A94A797C3D23EF02AFA5F73B691D0C)
            O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (filesize 68856 bytes, MD5 E616A6A6E91B0A86F2F6217CDE835FFE)
            O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
            O4 - Global Startup: TP-LINK Wireless Utility.lnk = C:\Program Files\TP-LINK\TL-WN313G_353G_353GD\RtWLan.exe (filesize 790528 bytes, MD5 0CD0E64A950F2A5B9F5BF9FE982F2304)
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1667584 bytes, MD5 B53343FE60A33EE765C2476D50D27B26)
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1667584 bytes, MD5 B53343FE60A33EE765C2476D50D27B26)
            O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll (filesize 103792 bytes, MD5 6DE7BF0DADC0881F7ED82D9FCC998B89)
            O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
            O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
            O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
            O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
            O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
            O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
            O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
            O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
            O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
            O23 - Service: Online Armor Helper Service (OAcat) - Emsi Software GmbH - C:\Program Files\Emsisoft\Online Armor\OAcat.exe
            O23 - Service: Online Armor (SvcOnlineArmor) - Emsi Software GmbH - C:\Program Files\Emsisoft\Online Armor\oasrv.exe

            --
            End of file - 5732 bytes


            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 09/08/2010 at 10:44 PM

            Application Version : 4.41.1000

            Core Rules Database Version : 5472
            Trace Rules Database Version: 3284

            Scan type       : Complete Scan
            Total Scan Time : 03:48:03

            Memory items scanned      : 377
            Memory threats detected   : 0
            Registry items scanned    : 3658
            Registry threats detected : 0
            File items scanned        : 73366
            File threats detected     : 11

            Adware.Unknown Origin
               C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\FFIW\FFIWD\CLASS-BARREL.VIR
               C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\FFIW\FFIWD\VOCABULARY.VIR

            Adware.ClickSpring
               C:\SYSTEM VOLUME INFORMATION\_RESTORE{F33DCF01-FD1C-46EA-996C-995155498677}\RP88\A0051186.EXE
               C:\SYSTEM VOLUME INFORMATION\_RESTORE{F33DCF01-FD1C-46EA-996C-995155498677}\RP88\A0051187.EXE

            Trojan.Fake-Drop/Gen
               C:\WINNT\BASE64.TMP
               C:\WINNT\ZIP1.TMP
               C:\WINNT\ZIP2.TMP
               C:\WINNT\ZIP3.TMP
               C:\WINNT\ZIPPED.TMP

            Trojan.Unknown Origin
               C:\WINNT\SYSTEM32\NIPGBATCFQH.BMP

            Browser Hijacker.Rogue-Gen
               C:\WINNT\WEB\DEF.HTM

            Malwarebytes' Anti-Malware 1.46
            www.malwarebytes.org

            Database version: 4052

            Windows 5.1.2600 Service Pack 2
            Internet Explorer 6.0.2900.2180

            9/9/2010 8:28:28 AM
            mbam-log-2010-09-09 (08-28-28).txt

            Scan type: Full scan (C:\|)
            Objects scanned: 203429
            Time elapsed: 55 minute(s), 47 second(s)

            Memory Processes Infected: 0
            Memory Modules Infected: 0
            Registry Keys Infected: 0
            Registry Values Infected: 0
            Registry Data Items Infected: 0
            Folders Infected: 0
            Files Infected: 0

            Memory Processes Infected:
            (No malicious items detected)

            Memory Modules Infected:
            (No malicious items detected)

            Registry Keys Infected:
            (No malicious items detected)

            Registry Values Infected:
            (No malicious items detected)

            Registry Data Items Infected:
            (No malicious items detected)

            Folders Infected:
            (No malicious items detected)

            Files Infected:
            (No malicious items detected)
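The Malwarebytes log above reports nothing while SUPERAntiSpyware reports 11 file hits, and the paths explain most of the gap. Two hits sit in C:\QOOBOX\QUARANTINE, which is the folder ComboFix uses for quarantined files; two are copies inside System Restore snapshots; the other seven are under C:\WINNT, whereas the Windows directory this machine is booting from is c:\windows (visible in the ComboFix log posted later in the thread). The block below is an added example written for this thread, not code from either scanner or from ComboFix. It parses the SAS log format into (family, path) pairs and sorts each hit by where the file sits, with the booted Windows directory passed in as a parameter, so the same log can be triaged against either tree. The sample input is the detection section of the log posted above, reproduced here as constructed data.

```python
"""Sort SUPERAntiSpyware file detections by where the file lives, so that
copies that cannot currently run (ComboFix quarantine, System Restore
snapshots, a Windows tree other than the booted one) are separated from
live hits.  Added example for this thread; not SUPERAntiSpyware code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the detection section of the SAS log posted in Reply #8.
SAMPLE_SAS_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/08/2010 at 10:44 PM

Scan type       : Complete Scan
File items scanned        : 73366
File threats detected     : 11

Adware.Unknown Origin
   C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\FFIW\FFIWD\CLASS-BARREL.VIR
   C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\FFIW\FFIWD\VOCABULARY.VIR

Adware.ClickSpring
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{F33DCF01-FD1C-46EA-996C-995155498677}\RP88\A0051186.EXE
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{F33DCF01-FD1C-46EA-996C-995155498677}\RP88\A0051187.EXE

Trojan.Fake-Drop/Gen
   C:\WINNT\BASE64.TMP
   C:\WINNT\ZIP1.TMP
   C:\WINNT\ZIP2.TMP
   C:\WINNT\ZIP3.TMP
   C:\WINNT\ZIPPED.TMP

Trojan.Unknown Origin
   C:\WINNT\SYSTEM32\NIPGBATCFQH.BMP

Browser Hijacker.Rogue-Gen
   C:\WINNT\WEB\DEF.HTM
"""

# Indented line holding a drive-letter path; the family name is the
# unindented line above it.
PATH_LINE_RE = re.compile(r"^\s+([A-Za-z]:\\\S.*?)\s*$")
# Report order: what can execute now comes first.
CATEGORIES = ("live", "other_os_dir", "restore_point", "quarantine")


def parse_sas_log(text: str) -> List[Tuple[str, str]]:
    """(family, path) pairs in log order."""
    detections: List[Tuple[str, str]] = []
    family: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PATH_LINE_RE.match(line)
        if m and family is not None:
            detections.append((family, m.group(1)))
        elif not line[0].isspace():
            family = line.strip()     # header lines are overwritten before any path follows
    return detections


def declared_file_threats(text: str) -> int:
    """The log's own 'File threats detected' total, to cross-check the parse."""
    m = re.search(r"File threats detected\s*:\s*(\d+)", text)
    return int(m.group(1)) if m else -1


def classify_path(path: str, system_root: str) -> str:
    # system_root: the booted Windows directory, e.g. C:\WINDOWS (from the
    # ComboFix log); passed in because the log itself does not say.
    p = path.upper()
    root = system_root.upper().rstrip("\\") + "\\"
    if "\\QOOBOX\\QUARANTINE\\" in p:
        return "quarantine"          # ComboFix quarantine copy, already neutralised
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in p:
        return "restore_point"       # System Restore snapshot, inert unless restored
    parts = p.split("\\")
    top = parts[1] if len(parts) > 1 else ""
    if top in ("WINNT", "WINDOWS") and not p.startswith(root):
        return "other_os_dir"        # a Windows tree that is not the booted one
    return "live"


def summarize(text: str, system_root: str) -> Dict[str, int]:
    counts = {c: 0 for c in CATEGORIES}
    for _family, path in parse_sas_log(text):
        counts[classify_path(path, system_root)] += 1
    return counts


def report(text: str, system_root: str) -> List[str]:
    """Lines grouped by category, live hits first, ready to paste in a reply."""
    grouped: Dict[str, List[str]] = {c: [] for c in CATEGORIES}
    for family, path in parse_sas_log(text):
        grouped[classify_path(path, system_root)].append(f"{family}: {path}")
    lines: List[str] = []
    for cat in CATEGORIES:
        lines.append(f"[{cat}] {len(grouped[cat])} item(s)")
        lines.extend("    " + item for item in grouped[cat])
    return lines


if __name__ == "__main__":
    if len(parse_sas_log(SAMPLE_SAS_LOG)) != declared_file_threats(SAMPLE_SAS_LOG):
        print("warning: parsed count differs from the log's own total")
    print("\n".join(report(SAMPLE_SAS_LOG, r"C:\WINDOWS")))
```

With C:\WINDOWS as the booted tree the sample sorts into 0 live, 7 in the other Windows directory, 2 restore-point copies and 2 quarantine copies; with C:\WINNT as the root the same seven become live hits, which is the question a helper has to settle before deciding what the Avast count means. None of the categories mean "ignore": quarantine and restore-point copies become a re-infection source if they are ever restored, and files under a stale Windows tree are still malware on disk. The grouping only says which hits can execute now and should be handled first; restore points are normally flushed at the end of a clean-up rather than before it.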

            SuperDave
            Re: virus
            « Reply #9 on: September 09, 2010, 04:16:10 PM »
            Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

            Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

            Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

            Exit out of MessengerDisable then delete the two files that were put on the desktop.

            ***********************************

            Open HijackThis and select Do a system scan only

            Place a check mark next to the following entries: (if there)

            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1667584 bytes, MD5 B53343FE60A33EE765C2476D50D27B26)
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (filesize 1667584 bytes, MD5 B53343FE60A33EE765C2476D50D27B26)


            Important: Close all open windows except for HijackThis and then click Fix checked.

            Once completed, exit HijackThis.
            *************************************
            Download ComboFix by sUBs from one of the below links. 

            Important! You MUST save ComboFix to your desktop

            link # 1
            Link # 2

            Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

            Double click on ComboFix.exe & follow the prompts.

            Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

            Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

            When the scan completes it will open a text window.
             
            Post the contents of that log in your next reply.

            Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

              dyjodapa

              Re: virus
              « Reply #10 on: September 09, 2010, 05:20:11 PM »
              here is the log

              ComboFix 10-09-09.03 - Williamson 09/09/2010  18:06:39.2.1 - x86
              Running from: E:\ComboFix.exe
              AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
              AV: Defender Pro Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
              FW: Defender Pro Firewall *enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

              WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
              .

              (((((((((((((((((((((((((   Files Created from 2010-08-09 to 2010-09-09  )))))))))))))))))))))))))))))))
              .

              2010-09-09 21:33 . 2010-09-09 21:33   --------   d-----w-   c:\windows\LastGood
              2010-09-07 00:16 . 2010-09-07 00:16   21035   ----a-w-   c:\windows\system32\drivers\AegisP.sys
              2010-09-07 00:15 . 2007-07-18 20:22   306688   ----a-w-   c:\windows\system32\drivers\rtl8185.sys
              2010-09-07 00:15 . 2006-11-15 21:23   38144   ----a-w-   c:\windows\system32\drivers\EAPPkt.sys
              2010-09-07 00:15 . 2010-09-07 00:15   --------   d-----w-   c:\windows\system32\TP-LINK Wireless Adapter Driver and Utility
              2010-09-07 00:15 . 2010-09-07 00:15   --------   d-----w-   c:\program files\TP-LINK
              2010-09-04 18:12 . 2010-09-04 18:13   --------   d-----w-   c:\documents and settings\Williamson\Application Data\OnlineArmor
              2010-09-04 18:12 . 2010-09-04 18:12   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\OnlineArmor
              2010-08-26 02:12 . 2010-09-08 22:36   63488   ----a-w-   c:\documents and settings\Williamson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
              2010-08-26 02:12 . 2010-08-26 02:12   52224   ----a-w-   c:\documents and settings\Williamson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
              2010-08-26 02:11 . 2010-09-08 22:35   117760   ----a-w-   c:\documents and settings\Williamson\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
              2010-08-26 02:09 . 2010-08-26 02:10   --------   d-----w-   c:\program files\SUPERAntiSpyware
              2010-08-26 02:06 . 2010-07-07 17:25   22600   ----a-w-   c:\windows\system32\drivers\OAmon.sys
              2010-08-26 02:06 . 2010-07-07 17:25   28232   ----a-w-   c:\windows\system32\drivers\OAnet.sys
              2010-08-26 02:06 . 2010-07-07 17:25   236104   ----a-w-   c:\windows\system32\drivers\OADriver.sys
              2010-08-26 02:06 . 2010-08-26 02:06   --------   d-----w-   c:\program files\Emsisoft
              2010-08-26 00:39 . 2010-06-28 20:32   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
              2010-08-26 00:39 . 2010-06-28 20:37   165456   ----a-w-   c:\windows\system32\drivers\aswSP.sys
              2010-08-26 00:39 . 2010-06-28 20:33   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
              2010-08-26 00:39 . 2010-06-28 20:37   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
              2010-08-26 00:39 . 2010-06-28 20:32   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
              2010-08-26 00:39 . 2010-06-28 20:32   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
              2010-08-26 00:39 . 2010-06-28 20:32   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
              2010-08-26 00:38 . 2010-06-28 20:57   38848   ----a-w-   c:\windows\avastSS.scr
              2010-08-26 00:38 . 2010-06-28 20:57   165032   ----a-w-   c:\windows\system32\aswBoot.exe
              2010-08-26 00:38 . 2010-08-26 00:38   --------   d-----w-   c:\program files\Alwil Software
              2010-08-26 00:38 . 2010-08-26 00:38   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
              2010-08-20 18:01 . 2001-08-18 03:36   5632   ----a-w-   c:\windows\system32\ptpusb.dll
              2010-08-20 18:01 . 2004-08-04 04:58   15104   -c--a-w-   c:\windows\system32\dllcache\usbscan.sys
              2010-08-20 18:01 . 2004-08-04 04:58   15104   ----a-w-   c:\windows\system32\drivers\usbscan.sys
              2010-08-20 18:01 . 2004-08-04 06:56   159232   ----a-w-   c:\windows\system32\ptpusd.dll
              2010-08-20 00:59 . 2010-08-20 00:59   --------   d-----w-   c:\documents and settings\Williamson\Application Data\InstallShield
              2010-08-20 00:18 . 2010-08-20 00:18   --------   d-----w-   c:\documents and settings\Williamson\Application Data\Malwarebytes
              2010-08-20 00:18 . 2010-04-29 20:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
              2010-08-20 00:18 . 2010-08-20 00:18   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
              2010-08-20 00:18 . 2010-04-29 20:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
              2010-08-20 00:18 . 2010-08-20 00:18   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
              2010-08-19 17:50 . 2009-11-27 17:33   17920   -c----w-   c:\windows\system32\dllcache\msyuv.dll
              2010-08-19 17:50 . 2009-11-27 17:33   1291264   -c----w-   c:\windows\system32\dllcache\quartz.dll
              2010-08-19 17:50 . 2009-12-14 07:35   33280   -c----w-   c:\windows\system32\dllcache\csrsrv.dll
              2010-08-19 17:50 . 2010-02-26 06:12   474112   -c----w-   c:\windows\system32\dllcache\shlwapi.dll
              2010-08-19 17:50 . 2008-10-23 13:01   283648   -c----w-   c:\windows\system32\dllcache\gdi32.dll
              2010-08-19 17:49 . 2009-08-05 09:11   204800   -c----w-   c:\windows\system32\dllcache\mswebdvd.dll
              2010-08-18 16:23 . 2010-08-18 16:23   --------   d-----w-   c:\documents and settings\Williamson\Local Settings\Application Data\Identities
              2010-08-18 16:09 . 2010-08-18 16:09   --------   d-----w-   c:\documents and settings\Williamson\Local Settings\Application Data\Adobe
              2010-08-18 00:44 . 2010-08-18 00:44   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
              2010-08-18 00:44 . 2010-08-18 00:44   --------   d-----w-   c:\documents and settings\Williamson\Application Data\SUPERAntiSpyware.com
              2010-08-17 23:53 . 2010-08-17 23:53   --------   d-----w-   c:\program files\Trend Micro

              .
              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              2010-09-07 00:15 . 2002-03-21 00:12   --------   d--h--w-   c:\program files\InstallShield Installation Information
              2010-08-24 02:42 . 2010-01-01 22:26   --------   d-----w-   c:\program files\Common Files\BitDefender
              2010-08-24 02:41 . 2010-01-11 02:47   81984   ----a-w-   c:\windows\system32\bdod.bin
              .

              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
              .
              .
              *Note* empty entries & legit default entries are not shown
              REGEDIT4

              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-30 68856]

              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
              "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
              "@OnlineArmor GUI"="c:\program files\Emsisoft\Online Armor\OAui.exe" [2010-07-07 6854984]

              c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
              TP-LINK Wireless Utility.lnk - c:\program files\TP-LINK\TL-WN313G_353G_353GD\RtWLan.exe [2010-9-6 790528]

              [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
              "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\Emsisoft\ONLINE~1\oaevent.dll" [2010-07-07 924488]

              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
              2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

              [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
              "%windir%\\system32\\sessmgr.exe"=

              R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/25/2010 7:39 PM 165456]
              R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [8/25/2010 9:06 PM 236104]
              R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [8/25/2010 9:06 PM 22600]
              R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [8/25/2010 9:06 PM 28232]
              R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
              R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
              R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/25/2010 7:39 PM 17744]
              R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [9/6/2010 7:15 PM 38144]
              R2 OAcat;Online Armor Helper Service;c:\program files\Emsisoft\Online Armor\oacat.exe [8/25/2010 9:06 PM 1283400]
              S2 SvcOnlineArmor;Online Armor;c:\program files\Emsisoft\Online Armor\oasrv.exe [8/25/2010 9:06 PM 3364680]
              .
              Contents of the 'Scheduled Tasks' folder

              2008-05-11 c:\windows\Tasks\Disk Cleanup.job
              - c:\windows\system32\cleanmgr.exe [2001-08-30 07:56]
              .
              .
              ------- Supplementary Scan -------
              .
              uSearch Page = hxxp://www.google.com
              uSearch Bar = hxxp://www.google.com/ie
              uSearchAssistant = hxxp://www.google.com/ie
              uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
              .

              **************************************************************************

              catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
              Rootkit scan 2010-09-09 18:19
              Windows 5.1.2600 Service Pack 2 NTFS

              scanning hidden processes ... 

              scanning hidden autostart entries ...

              scanning hidden files ... 

              scan completed successfully
              hidden files: 0

              **************************************************************************
              .
              --------------------- LOCKED REGISTRY KEYS ---------------------

              [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
              @DACL=(02 0000)
              "Installed"="1"
              @=""

              [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
              @DACL=(02 0000)
              "NoChange"="1"
              "Installed"="1"
              @=""

              [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
              @DACL=(02 0000)
              "Installed"="1"
              @=""
              .
              --------------------- DLLs Loaded Under Running Processes ---------------------

              - - - - - - - > 'winlogon.exe'(448)
              c:\program files\SUPERAntiSpyware\SASWINLO.DLL
              .
              Completion time: 2010-09-09  18:23:54
              ComboFix-quarantined-files.txt  2010-09-09 23:23
              ComboFix2.txt  2010-09-06 06:11

              Pre-Run: 2,842,435,584 bytes free
              Post-Run: 2,902,962,176 bytes free

              - - End Of File - - 9367A6B62AA466156924C53B223BDD0D

              SuperDave

              • Malware Removal Specialist
              • Moderator


              • Genius
              Re: virus
              « Reply #11 on: September 10, 2010, 01:21:23 PM »
               The log shows that you're running two AV programs on your computer: avast! Antivirus and Defender Pro Antivirus. You should never run more than one AV and one firewall program on your computer. One will have to be disabled. You can still use both for scanning purposes.

              Download the GMER Rootkit Scanner. Unzip it to your Desktop.

              Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

              Double-click gmer.exe. The program will begin to run.

              **Caution**
               These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

              If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
              • Click NO
              • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
              • Now click the Scan button.
              • Once the scan is complete, you may receive another notice about rootkit activity.
              • Click OK.
              • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
              • Save it where you can easily find it, such as your desktop.

              dyjodapa

                Topic Starter


                Rookie

                Re: virus
                « Reply #12 on: September 10, 2010, 03:58:29 PM »
                Dave,

                 When I try to save the log I get a message that says not enough system resources to save.

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                Re: virus
                « Reply #13 on: September 10, 2010, 04:32:12 PM »
                 How much RAM are you running? (Right-click on My Computer and select Properties. You should see how much RAM you have.) How much free space do you have on your C: drive? (Open My Computer, right-click on the C: drive and you will see how much free space you have.)

                dyjodapa

                  Topic Starter


                  Rookie

                  Re: virus
                  « Reply #14 on: September 10, 2010, 04:47:40 PM »
                   128MB of RAM and 2.72 GB of free space on the hard drive.