Author Topic: please help ? virus or what? (Read 13295 times)

computeridiot · « **on:** October 01, 2008, 06:36:42 AM »

I recently was on here as I had puter problems. A kind person did every scan possible and checked my logs and I thought everything was ok.

Since then however I have come on my puter today and everytime I put in a website I am re-directed to another, I can't get on to any website I want and the only reason I can get on this one is cus it was bookmarked.

I have run an avast scan and it came up with nothing I have also done a trogen and malware scan which came up with one thing but it has not solved the problem.

I can't download anything not even from avast to update as it redirects to another site. Any advice before I just go and pay for a new puter is appreciated.

I do have hijack this and c.c. cleaner from when I was asked to download them before.

Carbon Dudeoxide · « **Reply #1 on:** October 01, 2008, 06:44:18 AM »

Run a HijackThis Scan again and post your findings.

computeridiot · « **Reply #2 on:** October 01, 2008, 06:48:35 AM »

Just to update you when I did a scan with avast before it kept coming up with some files that could not be scanned, but another of your helpers having checked everything out said that it was ok. However going into avast log I see none of the updates have downloaded since the 28th.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:47:02, on 01/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164234819625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E839371-2795-4956-BB28-8A7ACB106382}: NameServer = 217.72.162.2,217.72.163.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2B5F731-0548-452B-8891-80B10F733E87}: NameServer = 212.159.6.10 212.159.6.9
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8813 bytes

computeridiot · « **Reply #3 on:** October 01, 2008, 08:09:14 AM »

Anyone there please?

Carbon Dudeoxide · « **Reply #4 on:** October 01, 2008, 08:10:43 AM »

Quote from: computeridiot on October 01, 2008, 08:09:14 AM

Anyone there please?

I am afraid only our Malware Specialists can help you with the log. Unfortunately there aren't online now, but they will be soon.

computeridiot · « **Reply #5 on:** October 01, 2008, 08:50:04 AM »

Thanks for that. I am thinking it may be more than just malware as I just tried to do a system restore to a few days ago when my updates and puter was working normally and when I selected a restore point and clicked next nothing happened.

So I am thinking unless a genius can sort me out I will need to get a new puter, so anyones help much appreciated.

alyoob · « **Reply #6 on:** October 01, 2008, 08:59:53 AM »

Computeridiot what are your computer specifics are you using an hp, dell, gateway or another brand of computer

Carbon Dudeoxide · « **Reply #7 on:** October 01, 2008, 09:01:42 AM »

Quote from: computeridiot on October 01, 2008, 08:50:04 AM

So I am thinking unless a genius can sort me out I will need to get a new puter,

Don't worry, we have many geniuses here.

Carbon Dudeoxide · « **Reply #8 on:** October 01, 2008, 09:02:23 AM »

Quote from: alyoob on October 01, 2008, 08:59:53 AM

Computeridiot what are your computer specifics are you using an hp, dell, gateway or another brand of computer

Alyoob, please leave the Computer Virus and Spyware section for the Malware Specialists.
Do not try to diagnose the problem yourself as we have professionals who know exactly what they are doing.

Would you like to learn to fight Malware?
http://www.computerhope.com/forum/index.php/topic,57605.0.html

computeridiot · « **Reply #9 on:** October 01, 2008, 10:07:15 AM »

Can someone help me? Its been hours and others are getting help but no one is replying to me?

evilfantasy · « **Reply #10 on:** October 01, 2008, 10:33:12 AM »

Post the other two logs from here http://www.computerhope.com/forum/index.php/topic,46313.0.html

Then a new HijackThis scan.

computeridiot · « **Reply #11 on:** October 01, 2008, 10:46:59 AM »

BUT that is my whole problem....I can't. When I click to access a site it either comes up as page can't be displayed or it re-directs me to a completely different site. That is why I can't even up date my antivirus as it can't connect to the site cus I guess its been redirected.

evilfantasy · « **Reply #12 on:** October 01, 2008, 11:34:35 AM »

Please print these instructions as they will be needed later when Internet access is not available.

Download SDFix by AndyManchesta and save it to your desktop. http://rapidshare.com/files/149534018/SDFix.exe.html

When using this tool, you must use the Administrator's account or an account with Administrative rights

Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix).
DO NOT use it just yet.

Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

computeridiot · « **Reply #13 on:** October 01, 2008, 11:42:01 AM »

I can't seem to do system restore and whilst I can get on some sites others come up as can't be displayed. Do you think its my browser? I tried firefox as well but its the same.

But my avast was up to date and it did not find anything neither did a trogan scan.

I did c.c. clean and got it to fix things on that with a back up.

What does this other scan do as I have never had to do safe mode and a bit nervous about doing it.

evilfantasy · « **Reply #14 on:** October 01, 2008, 11:44:21 AM »

It will fix the problems you are having. I need logs, it is impossible to guess at the multitude of problems without seeing logs.

computeridiot · « **Reply #15 on:** October 01, 2008, 11:53:01 AM »

It says free user or premium user what do i select as it didn't give me a choice on administrator rights.

evilfantasy · « **Reply #16 on:** October 01, 2008, 11:54:08 AM »

Free user.

Just follow the instructions and boot into safe mode then wait for the tool to run.

computeridiot · « **Reply #17 on:** October 01, 2008, 12:18:05 PM »

Problem 1. I got safe mode, put the arrow key up to select it, nothing happened so I pressed the return key, got a load of techie jargon that just sat there. So I pressed enter/return again and it gave me options of safe mode / safemode with networking or safe mode with prompt command, keyed up to safe mode again, got the techie jargon and we went round and round in circles, in the end I had to select normal start up to get back in again.

Problem 2. I then got a firewall warning that OCR aware (32-bit) was attempting to monitor or intercept system events, what is it and do I allow or block.

evilfantasy · « **Reply #18 on:** October 01, 2008, 12:25:29 PM »

Download Malwarebytes' Anti-Malware (MBAM) http://rapidshare.com/files/150037339/mbam-setup.exe.html

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

computeridiot · « **Reply #19 on:** October 01, 2008, 12:29:01 PM »

Thought that was the one I just tried to do??

What do I do about the firewall warning do I accept or block?

computeridiot · « **Reply #20 on:** October 01, 2008, 12:41:41 PM »

Will do the scan, but need to know about the firewall warning, was it to do with the thing I just downloaded the first one and if so do I select block?

evilfantasy · « **Reply #21 on:** October 01, 2008, 12:52:58 PM »

You shouldn't get any warnings from Malwarebytes' Anti-Malware, if you do then allow it to run.

Blocking things while downloading them sort of defeats the whole process....

computeridiot · « **Reply #22 on:** October 01, 2008, 12:58:09 PM »

No i didn't block anything from malwarebytes but I did get a lot of requests from my firewall for access which I allowed.

The other pop up came after I tried safe mode and don't know if it was connected with the previous thing you asked me to download or not so I just blocked it anyway.

Heres the scan and funnily enough after I ran it avast updated automatically which it hasn't been able to today.

Malwarebytes' Anti-Malware 1.28
Database version: 1226
Windows 5.1.2600 Service Pack 3

01/10/2008 19:50:08
mbam-log-2008-10-01 (19-50-08).txt

Scan type: Quick Scan
Objects scanned: 41057
Time elapsed: 2 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dllschannel.dlldigest.dllmsnss pc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ (Trojan.Agent) -> Quarantined and deleted successfully.

evilfantasy · « **Reply #23 on:** October 01, 2008, 01:01:47 PM »

You will have to turn off all of your protection to run ComboFix. Directions will be included if you need them.

Download HostsXpert

Unzip HostXpert to your Desktop
Open up the HostXpert program.
Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
Click Create Back Up
Then click on Restore Microsoft's Host Files
Close the HostXpert program

.
Note: if you use SpywareBlaster, Spybot and/or IE-SPYAD, it will be necessary to re-install the protection they afford. For SpywareBlaster, run the program and select Enable all protection. For Spybot run the program and select Immunize. For IE-SPYAD, run the batch file and reinstall the protection.

----------

Download ComboFix by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

computeridiot · « **Reply #24 on:** October 01, 2008, 01:03:24 PM »

Do i need to do that as the last scan seems to have sorted the problem out and can get on the sites ok now but will do so if you still advise it.

evilfantasy · « **Reply #25 on:** October 01, 2008, 01:07:14 PM »

Please keep following all instructions until I give the all clear. Lack of symptoms is not a reliable indication that the malware is gone.

computeridiot · « **Reply #26 on:** October 01, 2008, 01:09:34 PM »

OK will do. We did do all this a few weeks ago and I have a firewall / antivirus / spyware thingies so how did I get those trojans?

Off to do as requested.

computeridiot · « **Reply #27 on:** October 01, 2008, 01:17:52 PM »

Problems again, i clicked on hostsxpert and it came up with a site called funkytoad.com and said what i want'ed didn't exist.

Any ideas?

computeridiot · « **Reply #28 on:** October 01, 2008, 01:23:21 PM »

Yep still have problems, clicked on the BBC weather site and got something really weird, its very random.

computeridiot · « **Reply #29 on:** October 01, 2008, 01:25:13 PM »

OK think i have found hostxpert on another site so will download it and let you know.

computeridiot · « **Reply #30 on:** October 01, 2008, 01:27:25 PM »

Oh this one is called hostsxpert with an s is that the same one. Let me know and if it is I will carry on.

computeridiot · « **Reply #31 on:** October 01, 2008, 02:03:37 PM »

ComboFix 08-09-30.03 - Jill 2008-10-01 20:43:32.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.107 [GMT 1:00]
Running from: C:\Documents and Settings\Jill\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\tdssserv.sys
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\TDSSerrors.log
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\TDSSlog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\TDSSserf1.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\windows_update.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MCHINJDRV
-------\Legacy_TDSSSERV
-------\Service_TDSSserv

((((((((((((((((((((((((( Files Created from 2008-09-01 to 2008-10-01 )))))))))))))))))))))))))))))))
.

2008-10-01 19:00 . 2008-09-28 23:28   <DIR>   d----c---   C:\SDFix
2008-10-01 18:00 . 2008-10-01 18:00   <DIR>   d--------   C:\Documents and Settings\Jill\Application Data\RegFixPro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-01 19:52   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-01 18:53   ---------   d-----w   C:\Program Files\Malwarebytes' Anti-Malware
2008-10-01 17:16   ---------   d-----w   C:\Program Files\Google
2008-10-01 17:13   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Google Updater
2008-09-28 10:26   38,572   ----a-w   C:\Documents and Settings\Jill\Application Data\wklnhst.dat
2008-09-28 08:43   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\BOC427
2008-09-27 22:31   ---------   d-----w   C:\Program Files\SpywareBlaster
2008-09-23 08:43   ---------   d-----w   C:\Documents and Settings\Jill\Application Data\Canon
2008-09-21 17:07   ---------   d-----w   C:\Program Files\LimeWire
2008-09-21 16:56   ---------   d-----w   C:\Documents and Settings\Jill\Application Data\LimeWire
2008-08-31 00:45   ---------   d-----w   C:\Program Files\a-squared Free
2008-08-31 00:14   ---------   d-----w   C:\Documents and Settings\Jill\Application Data\Malwarebytes
2008-08-31 00:14   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-30 12:57   ---------   d-----w   C:\Program Files\PC Tools Firewall Plus
2008-08-30 12:50   ---------   d-----w   C:\Documents and Settings\Jill\Application Data\PCToolsFirewallPlus
2008-08-30 12:47   ---------   d-----w   C:\Program Files\Common Files\PC Tools
2008-08-30 11:33   ---------   d-----w   C:\Program Files\Comodo
2008-08-28 20:19   ---------   d-----w   C:\Program Files\Alwil Software
2008-08-28 20:02   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-25 18:20   ---------   d-----w   C:\Program Files\HP
2008-08-24 17:41   ---------   d-----w   C:\Program Files\Java
2008-08-17 20:11   ---------   d-----w   C:\Program Files\Trend Micro
2008-08-17 17:57   ---------   d-----w   C:\Program Files\Spybot - Search & Destroy
2008-08-17 17:57   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-17 17:52   262,144   ----a-w   C:\Program Files\Uninstall Spy Blocker.dll
2008-08-17 17:50   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-08-17 14:01   38,472   ----a-w   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 14:01   17,144   ----a-w   C:\WINDOWS\system32\drivers\mbam.sys
2008-08-05 14:58   58,136   ----a-w   C:\WINDOWS\system32\drivers\FWAuthdriver.sys
2008-07-14 04:09   212,728   ----a-w   C:\WINDOWS\CMDLIC.DLL
2008-07-14 04:09   205,560   ----a-w   C:\WINDOWS\UNBOC.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"Omnipage"="C:\Program Files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"DSLSTATEXE"="C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe" [2004-05-27 1659050]
"DSLAGENTEXE"="C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe" [2004-05-27 16384]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-07-16 1409136]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 106496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-13 77824]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 40960]
"BOC-427"="C:\PROGRA~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2008-08-05 2611096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-14 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Digimax Viewer 2.1.lnk - C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [2006-03-14 634880]
DSLMON.lnk - C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2006-05-20 962660]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-08-19 124912]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 282624]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-09-29 331776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2008-07-28 160792]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R3 FWAuth;FWAuth Driver;C:\WINDOWS\system32\drivers\FWAuthDriver.sys [2008-08-05 58136]
S3 CoachUsb;Coach Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2007-03-22 50368]
S3 CoachVid;CoachVid;C:\WINDOWS\system32\DRIVERS\CoachVid.sys [2007-03-22 45344]
S3 SiSCom;SISCom_Com;D:\Drivers\Display\WinXP_2K\utilDLL\SiSCom.sys [ ]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jill\Application Data\Mozilla\Firefox\Profiles\kn2oh0jn.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.ebay.co.uk/
.
.
------- File Associations -------
.
txtfile=C:\WINDOWS\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-01 20:50:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Comodo\CBOClean\BOCore.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-10-01 20:57:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-01 19:57:43
ComboFix2.txt 2008-08-31 01:24:57

Pre-Run: 15,345,455,104 bytes free
Post-Run: 15,301,177,344 bytes free

162   --- E O F ---   2008-09-10 23:00:51

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:03:21, on 01/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164234819625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E839371-2795-4956-BB28-8A7ACB106382}: NameServer = 217.72.162.2,217.72.163.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2B5F731-0548-452B-8891-80B10F733E87}: NameServer = 212.159.6.10 212.159.6.9
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8492 bytes

computeridiot · « **Reply #32 on:** October 01, 2008, 02:06:58 PM »

Please read this as well.

I had big probs when I went to do combofix.

I downloaded it and turned off my antivirus.

Then I had a load of 3-4 pop ups from boclean to say I had trogans and they had removed it but to prevent start up I had to get rid of the file as well, so I did this, but I had this the other day as well.

Then the whole system shut down, when it rebooted I did combofix.

THEN I HAD A POP UP TO SAY THAT REGISTRY EDITOR WANTED TO CHANGE THE REGISTRY WHILST COMBOFIX WAS SCANNING SO I CLICKED TO AGREE.

PLEASE TELL ME WHAT TO DO.

evilfantasy · « **Reply #33 on:** October 01, 2008, 02:35:19 PM »

Quote

PLEASE TELL ME WHAT TO DO.

I am. Just calm down. The warnings are from the tools we are using. There is a lot of malware but we are getting close to getting it all now.

Again if you get any warnings while running these next steps DO NOT block them from running.

----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- F3 - REG:win.ini: load=
- F3 - REG:win.ini: run=
- O17 - HKLM\System\CCS\Services\Tcpip\..\{3E839371-2795-4956-BB28-8A7ACB106382}: NameServer = 217.72.162.2,217.72.163.3

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

KillAll::

Driver::
MCHINJDRV
TDSSSERV
TDSSserv

Folder::
C:\Documents and Settings\Jill\Application Data\RegFixPro

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

----------

Download ATF Cleaner by Atribune to your Desktop.

Alternate download link

Note: Vista users must use Run As Administrator

Under Main: Select Files to Delete choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
Click Exit on the Main menu to close the program.

.
Note that your system will run slower for a reboot or two after having used this tool so don't panic.

Important: Restart the computer before continuing.

computeridiot · « **Reply #34 on:** October 01, 2008, 03:53:54 PM »

OK BIGggggggggg problems now.

I did what you said and whilst the notepad thing didn't disappear off the desktop it did make combofix start up.

But it went on for over 4o minutes doing nothing but saying it was scanning so in the end I stopped it !!!!!!!!!!!!!!

Didn't know what else to do as before when it scanned it didn't take so long.

What should I do.

Also whenever I have to log in here I have to re-set my password as i won't accept it and then I have to wait to get a new one via email.

evilfantasy · « **Reply #35 on:** October 01, 2008, 03:57:57 PM »

Click START then RUN
Now type Combofix /u in the runbox
Make sure there's a space between Combofix and /u
Then hit Enter.

The above procedure will:
Delete the following:
ComboFix and its associated files and folders.
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Set a new, clean Restore Point.

.
----------

Download OTCleanIt.exe and save it to your Desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it yourself.

.
Restart the computer.

----------

Run this online scan.

This scanner requires Internet Explorer

Use the ESET Nod32 Online Scanner

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

evilfantasy · « **Reply #36 on:** October 01, 2008, 04:00:29 PM »

Forgot to add this.

Reset Web Settings & Default Security Settings

Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

computeridiot · « **Reply #37 on:** October 01, 2008, 04:55:39 PM »

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3486 (20081001)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=8104178ce9618740859336436968967d
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-10-01 10:50:28
# local_time=2008-10-01 11:50:28 (+0000, GMT Daylight Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=217583
# found=0
# scan_time=2310

Why is it I have to set a forgot password everytime I get timed out? It won't remember it and says it is invalid when I use the same one everytime.

computeridiot · « **Reply #38 on:** October 01, 2008, 05:10:11 PM »

OK i did a reset of default settings in tools > internet options and had to reboot.

Then it wouldn't let me online again so I had to reboot again and then got on.

But it is giving me messages like choosing options etc, do I have to reset everything?

computeridiot · « **Reply #39 on:** October 01, 2008, 05:11:05 PM »

I have also lost spoofstick and google toolbar?

evilfantasy · « **Reply #40 on:** October 01, 2008, 05:15:19 PM »

You may need to re-install them.

Did you try this?

Reset Web Settings & Default Security Settings

Open IE

Select Tools, Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

computeridiot · « **Reply #41 on:** October 01, 2008, 05:17:56 PM »

Thats what I did and then it told me to reboot and then I had trouble reconnecting had to reboot again before it connected.

Now I have other options just as though I am starting with my new browser plus all my saved passwords are gone....hope I remember them

evilfantasy · « **Reply #42 on:** October 01, 2008, 05:19:19 PM »

Sorry but the browser settings were messed up due to the virus.

Is everything else running OK now?

computeridiot · « **Reply #43 on:** October 01, 2008, 05:21:41 PM »

Seems to be ok.

But can you tell me why this has happened?

If you remember we went through all this a few weeks bad and you completely sorted me out and I was clean.

So as I have comodo boclean /avast / firewall / spywareblaster etc why did I have such a lot of trogans?

evilfantasy · « **Reply #44 on:** October 01, 2008, 05:23:17 PM »

You clicked a bad link, or email attachment or downloaded a bad download. I don't know.

computeridiot · « **Reply #45 on:** October 01, 2008, 05:25:06 PM »

Will my system restore work now, should I try it?

Also 2 other problems. I clicked on shut down online protection with avast before using that other scan that you instructed. Now I have lost the blue icon in the bottom right tray, how do I get it back should I uninstal and re-instal avast?

computeridiot · « **Reply #46 on:** October 01, 2008, 05:27:30 PM »

Oh and one other thing, why do I have to keep resetting my password on this site? It keeps saying wrong password when I have to log in when it isn't and I have had to do it 6 times tonight everytime I had to reboot.

evilfantasy · « **Reply #47 on:** October 01, 2008, 05:29:05 PM »

Not sure why. You might need to clear the browser cache.

1. From the Tools menu, select Internet Options... .

2. Choose the General tab.

3. Under Browsing history, click Delete... .

4. Next to "Temporary Internet Files", click Delete files... .

5. Click Close, and then click OK to exit.

You might need to re-install anything that has stopped working.

Disable the System Restore Utility to prevent re-infection from an old one

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Put a check mark next to Turn off System Restore on All Drives
4) Click the OK button.
5) You will be prompted to restart the computer. Click the Yes button.

Now re-enable System Restore

To re-enable the System Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.

1) Right click the My Computer icon on the Desktop and click on Properties.
2) Click on the System Restore tab.
3) Remove the check mark next to Turn off System Restore on All Drives
4) Click the OK button.

computeridiot · « **Reply #48 on:** October 01, 2008, 05:40:52 PM »

Done system restore but can you help with a few other things.

1. Got that pop up again from firewall it says this

OCR Aware (32-bit)
OCR Aware (32-bit) is attempting to monitor and/or intercept system events. This hook monitors messages before the system sends them to the destination window procedure. The hook procedure is associated with all existing threads running in the same desktop as the calling thread.
Only allow this if you know the application is Safe.

Do I allow or deny??

2. When I logged on I got a screen asking me to download IE 7 but I already have 7 do why is it asking me.

3. I lost my avast icon when I switched off resident protection, do I have to uninstal and reinstal to get it back?

evilfantasy · « **Reply #49 on:** October 01, 2008, 05:44:00 PM »

See here http://www.auditmypc.com/process/opware32.asp

You may need to re-install anything that has stopped working. IE 7 included.

computeridiot · « **Reply #50 on:** October 01, 2008, 05:46:19 PM »

But surely internet explorer 7 must be working as I am on the internet and using it?

evilfantasy · « **Reply #51 on:** October 01, 2008, 05:51:57 PM »

Yes but something is wrong. Reinstalling it should replace whatever files or whatever, settings maybe, that are not working right.

computeridiot · « **Reply #52 on:** October 01, 2008, 05:56:14 PM »

OK so do i just click on to download it or do i have to uninstal something first?

evilfantasy · « **Reply #53 on:** October 01, 2008, 06:06:10 PM »

First go here to Download IE 7 to the desktop. (Don't install it yet)

Uninstall the version of IE you have installed now, to do so follow these steps:
Click Start
Click Control Panel
Double click Add or Remove Programs
Scroll down until you find Internet Explore
Then click Change/Remove, and follow the prompts.

[/list]

Note: If you are unable to see IE7 in Add or Remove Programs follow these steps:

[/COLOR]

Click Start
Click Run
Type or copy and paste, into the text box:

%windir%\ie7\spuninst\spuninst.exe
Then Press Enter
Restart your computer.
- Install the fresh version of Internet Explorer 7.

computeridiot · « **Reply #54 on:** October 01, 2008, 06:14:40 PM »

Ok I have downloaded it to my desktop and will do the rest tomorrow as it is nearly 2 in the morning !!

I am a bit scared of mucking around with IE so I pray I don't lose the internet with doing it, will feel braver tomorrow.

I have also uninstalled avast and will reinstal that and other things tomorrow.

Can I just say that if I don't get anymore problems just a BIG thank you for your patience, skill and time.

Is it wrong of me to offer to paypal you some money or the site for the profeesional advice, if so give me an email addy to use.

If not goodnight and thank you.

Computer Hope Forum

News:

Author Topic: please help ? virus or what? (Read 13295 times)

computeridiot

Carbon Dudeoxide

computeridiot

computeridiot

Carbon Dudeoxide

computeridiot

alyoob

Carbon Dudeoxide

Carbon Dudeoxide

computeridiot

evilfantasy

computeridiot

evilfantasy

computeridiot

evilfantasy

computeridiot

evilfantasy

computeridiot

evilfantasy

computeridiot

computeridiot

evilfantasy

computeridiot

evilfantasy

computeridiot

evilfantasy

computeridiot

computeridiot

computeridiot

computeridiot

computeridiot

computeridiot

computeridiot

evilfantasy

computeridiot

evilfantasy

evilfantasy

computeridiot

computeridiot

computeridiot

evilfantasy

computeridiot

evilfantasy

computeridiot

evilfantasy

computeridiot

computeridiot

evilfantasy

computeridiot

evilfantasy

computeridiot

evilfantasy

computeridiot

evilfantasy

computeridiot