Computer Hope

Software => Computer viruses and spyware => Topic started by: brianm on January 05, 2008, 10:40:52 AM

Title: Can somebody give me some help......please!!
Post by: brianm on January 05, 2008, 10:40:52 AM

Hi, My pc (or should I say my AVG) is reporting 2 bugs. I have tried everything I can think of to try to fix them without any success.
I have run all the step suggested on your site but they all come back and say that my pc has no bugs / viruses.
The problem started over the Christmas holidays when AVG anti virus reported that while opening "C:\windows\system32\dsoundh.dll" it had detected "Trojan Horse Generic9.akav". It gives me the option to heal or delete (I have tried both) but after rebooting my pc, the file is still exists (as well as being in the virus vault).
The second problem I have is when running AVG anti spyware, it reports "Trojan.BHO.agz" and again it doesn't appear to be able to fix the problem.
I am currently running my pc with system restore turned off.
I have attaced my hijackthis file (which shows the file "C:\windows\system32\dsoundh.dll" but try as I might I cannot delete it, even in safe mode or by using special programs like unlocker).
I would be most grateful for any help that can be offered & Please let me know if you require any further information.
Many thanks,
Brian

[file cleanup - saving space - attachment deleted by admin]

Title: Re: Can somebody give me some help......please!!
Post by: evilfantasy on January 05, 2008, 11:00:59 AM

Open HijackThis and select Do a system scan only then place a check mark next to:

O2 - BHO: (no name) - {35B8D79B-5575-4669-A2DD-FE45775F5E82} - C:\WINDOWS\system32\dsoundh.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - blank (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

Close all windows except for HijackThis and click Fix checked

Please download ATF Cleaner by Atribune. ATF Cleaner.exe (http://www.atribune.org/ccount/click.php?id=1)

Make sure that all browser windows are closed.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All and UNCHECK Cookies.
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All and UNCHECK Cookies.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All and UNCHECK Cookies.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main ATF Cleaner menu to close the program.

Let us know how things are now.

Exit Hijackthis.

EDIT Sorry Broni we crossed up. He has ran the removal steps already.

Title: Re: Can somebody give me some help......please!!
Post by: Broni on January 05, 2008, 11:06:16 AM

OK. I'm gonna remove my post, then.

Title: Re: Can somebody give me some help......please!!
Post by: brianm on January 05, 2008, 03:10:27 PM

Hi, Many thanks for your reply.

I have done as you requested, but I an still getting the virus alert.

The AVG anti virus is still popping complaining about the "dsoundh.dll" and I noticed in the latest Hijackthis file that the "02-BHO:(no name)...........C:\Windows\system32\dsoundh.dll" is still present.

Should I have run this in safe mode ?

I have attached the latest hijackthis file "hijackthis2"

Thanks for you help.
Brian

[file cleanup - saving space - attachment deleted by admin]

Title: Re: Can somebody give me some help......please!!
Post by: evilfantasy on January 05, 2008, 03:31:39 PM

Copy this file path C:\WINDOWS\system32\dsoundh.dll (highlight and press ctrl+C)

Go to www.viruschief.com

Paste the file path in the window under Quick Scan: (press ctrl+V on the keyboard to paste)

Click Scan.

You will see a message:
ENG: It can take up to 1 minute before your scan starts, please wait!
GER: Es kann bis zu einer Minute dauern bis Ihr Scan startet, bitte warten!

Once the scan is complete, copy the text in the window under BB Code and paste it into the next post.

Title: Re: Can somebody give me some help......please!!
Post by: brianm on January 05, 2008, 03:54:45 PM

Hi

Sorry am I doing something wrong, each time I click on scan the page refreshes with "Upload/Formular error!"

Title: Re: Can somebody give me some help......please!!
Post by: evilfantasy on January 05, 2008, 04:08:30 PM

Run HijackThis and try to fix the entry again.

If needed do it in Safe Mode.

Let me know how it went.

Title: Re: Can somebody give me some help......please!!
Post by: brianm on January 05, 2008, 04:24:09 PM

Ran hijack thisand tried to fix the "c:\windows\system32\dsoundh.dll", but the file is still there when I run the next hijackthis.

file attached.

[file cleanup - saving space - attachment deleted by admin]

Title: Re: Can somebody give me some help......please!!
Post by: evilfantasy on January 05, 2008, 04:27:42 PM

Please download DrWeb CureIt (http://ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) & save it to your desktop.

Scan with DrWeb-CureIt as follows:

Double-click on drweb-cureit.exe and then click Start.
An Express Scan of your PC notice will appear.
Under Start the Express Scan Now Click OK to start.
- This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, Click Options > Change settings
Choose the Scan tab and UNcheck Heuristic analysis and click OK
Back at the main window, select the Complete scan button.
Then click the Start Scanning button and the scan will start.
- (The green arrow button on the right)
When done, a message will be displayed at the bottom advising if any viruses were found.
Click Select all
- Choose Cure and from the options select Delete incurable
- This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured.
Next, in the Dr.Web CureIt menu on top, click file and choose Save report list.
Save the DrWeb.csv report to your Desktop.
Exit Dr.Web Cureit.

Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
- Copy and paste that log in the next reply

Title: Re: Can somebody give me some help......please!!
Post by: brianm on January 06, 2008, 10:24:27 AM

Hi, I didn't finish running the tests untill 1:45 am this morning, so I didn't leave the results at that time.
After running Dr Web the popup warning has stopped and the file C:\windows\system32\dsoundh.dll no longer exists.

I am hoping that this has fixed the problem.

Thank you very much for your help, I would not have been able to fix it by my self.

I have attached the Drweb & a hijack this log.
I will run through my normal AVG scans just to make sure that every thing is o.k.

Thanks again,
Brian

[file cleanup - saving space - attachment deleted by admin]

Title: Re: Can somebody give me some help......please!!
Post by: evilfantasy on January 06, 2008, 01:25:06 PM

Looks good.

This is a good time to clear your infected system restore points and establish a new clean restore point:

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and click Next.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Next to System Restore click Clean up...

This will remove all restore points except the new one you just created.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place? (http://www.castlecops.com/postlite7736-.html)

Let us know if anything else comes up.