Need help with a virus, fast!

[crazzyperson]

I booted my PC like normal, started up all fine then a second later everyting blanks, taskbar, start menu, etc. then it pops up with an un-exitable full screen webpage containing images and such i'd rather not have on my computer screen (pornography) . I quickly shut it down and booted of my spare hard drive and did two full system scans one on norton and one on avg antivirus both found nothing. I checked again and it's still happening I need help fast please!

[Broni]

1. Run free ESET Online Scanner at: http://www.eset.com/onlinescan/
Note: This Scanner is for Internet Explorer Only
   1.  You will notice that the "Start" button is grayed out. Place a check mark at "Yes, I accept the Terms of use". The "Start" button will become visible. Click on it.
   2. If it wants to install an ActiveX component allow it
   3. You will be asked to install an ActiveX, click the "Install" button (Note: If you have a Firewall install you may have to approve the installation)
   4. Once ActiveX control is installed click on the "Start" button to initialize the scanner
   5. After initialization is complete uncheck\untick "Remove found threats"
   6. Check\tick "Scan unwanted applications"
   7. Click the "Scan" button
   8. Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt
Post ESET's log.

2. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

Print these instructions out.

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
          o Close browsers before scanning.
          o Scan for tracking cookies.
          o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
          o Click Preferences, then click the Statistics/Logs tab.
          o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
          o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
          o Please copy and paste the Scan Log results in your next reply with a new HijackThis log.
    * Click Close to exit the program.
Post SUPERAntiSpyware log.

3. Download HijackThis:
http://www.snapfiles.com/get/hijackthis.html
Post HijackThis log.

[crazzyperson]

Thanks i'll give it ago.

[crazzyperson]

I would do a hijack this but as I said right now im working on my uneffected hard drive and it would find nothing out of the ordinary. I wont be able to run it on the other hard drive because after the webpage comes up it stays up I can't alt-f4 alt-tab or anything

[Broni]

Well, we have to work on your infected HD.
Try to start in Safe Mode - To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

[crazzyperson]

Ah, ok i'm geting somewhere, i'm in safemode  i've got eset running and ill post the log soon

[crazzyperson]

Ok eset running, aparently i've my "administrator" has even disabled rights to install superantivirus even through im on the admin account and ad for the HiJack this log well

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:58 a.m., on 6/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Medichi] medichi.exe
O4 - HKLM\..\Run: [Medichi2] medichi2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [qdqnyngz] rundll32.exe "C:\Program Files\qdqnyngz\qbmhgtgx.dll",Init
O4 - HKLM\..\Run: [vapcdqls] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\vapcdqls.dll"
O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKLM\..\Run: [License] locker.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193513486234
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193513461562
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://atl.img.digitalriver.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: murka.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6082 bytes

hope you can find something bad in there

[Broni]

Good, but I need you to run HJT AFTER ESET is done.

[crazzyperson]

Well esets about half way done (these are the times I wish I didn't have so many programs to scan) it's found 4 threats so far so im hoping its detected the problem. Oh and I guess I should mention that nortons been detecting spyware risks for about a week but not resolving them. About every five minutes I usually get something like norton has blocked risk trojan.vundo or trojan.horse

[Broni]

Just be patient. You can't rush those things.

[crazzyperson]

esets log:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2766 (20080104)
# vers_arch_module=1.060 (20071228)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=6e2e426d55bffa4d917027583fd2e6eb
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-01-05 08:46:30
# local_time=2008-01-06 09:46:30 (+1200, New Zealand Daylight Time)
# country="New Zealand"
# osver=5.1.2600 NT Service Pack 2
# scanned=536558
# found=9
# scan_time=4030
C:\Program Files\Common Files\Symantec Shared\ccApp.exe   Win32/TrojanDropper.Agent.DGO virus   00000000000000000000000000000000
C:\Program Files\Norton Internet Security\osCheck.exe   Win32/TrojanDropper.Agent.DGO virus   00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-2418244512-849263507-4064612095-1003\Dg176.bat   Win32/Adware.Virtumonde application   9A7EF09167A6F4433681B94351509043
C:\RECYCLER\S-1-5-21-2418244512-849263507-4064612095-1003\Dg190.tmp   Win32/Adware.UltimateDefender application   8D4145842AC55DD7D61861E54A0583A5
C:\WINDOWS\system32\ssttu.exe   Win32/TrojanDropper.Agent.DGO virus   00000000000000000000000000000000
C:\WINDOWS\system32\suspend.exe   Win32/TrojanDownloader.Small.NZD trojan   7809D29A32ABE9F1EA40C7B6D43201BC
C:\WINDOWS\system32\user32.dat   Win32/TrojanDownloader.Small.NZC trojan   B7D2D09D310A8C86FF706B5B9B84593D
C:\WINDOWS\system32\njprckha\njprckha1.exe   Win32/Adware.UltimateFixer application   E199BBF2C868BE7BC4246980BF49F345
C:\WINDOWS\system32\njprckha\njprckha3.exe   Win32/Adware.UltimateCleaner application   4214F251993ABF583AB333FEAAA9379A

[Broni]

Good.
Can you download, and run SUPERAntiSpyware in Safe Mode?