I Have a virus

[The Bubba]

I've recently found that I have a virus called win32qhost.mg and was trying to find a program to remove it. I found one called CyberDefender and It says it out performs all of the well known others and lists them. Is it safe to use?
__________________

[evilfantasy]

Not familiar with it.

Trusted method HERE

[The Bubba]

I have AVG and it doesn't know it's there. I found it using Kaspersky's on line scan. My AVG is always updated as well and it still didn't catch it. I guess I'll bite and use this CyberDefender program that says it can remove it.

[evilfantasy]

Cyberdefender is a rouge tool. See HERE If you downloaded it then you have just infected your computer even further. All the tools we suggest are free and don't contain even more malware.

Do you still have the Kaspersky scan log? Kaspersky finds things but unless you know exactly what you are looking at in the log then it can be misleading.

You can follow the guide from my previous post or go for it on your own. Your choice.

[The Bubba]

Looks like there are mixed feelings about it. My AVG doesn't detect the win32qhost Trojan and my computer is still acting very slow and won't even open pages on the first or second try. What to do except put down some bucks for a good program that can remove it.

[evilfantasy]

Trusted method HERE

You can either do our guide which has helped hundreds fix their malware problems for free or as I said in the previous post you can go it alone. Your choice.

[The Bubba]

OK, I had already done the first 3 steps and will get back to you after I'm through with the rest. I had gone over your list before but got distracted somehow.

[The Bubba]

I'm about to give up, I've done all the steps and now when I try to add 3 attachments, it say either I can't add 4 attachments, no body or you've already posted that. What's a guy to do?

[The Bubba]

I'm going to try each attachment in 3 different posts.

[recovering space - attachment deleted by admin]

[The Bubba]

Another

Dr Web didn't want to do right, here is the log.


CFD.exe;C:\Program Files\BroadJump\Client Foundation;Adware.Cfd;;
00688484.FIL;D:\$VAULT$.AVG;Trojan.Fakealert.406;Deleted.;
00710875.FIL;D:\$VAULT$.AVG;Trojan.Fakealert.406;Deleted.;
00733187.FIL;D:\$VAULT$.AVG;Trojan.Fakealert.406;Deleted.;
nutils.dll;D:\Program Files\NoAdware5.0;Trojan.NtRootKit.103;Deleted.;
A0018115.dll;D:\System Volume Information\_restore{84ED5C82-C100-4A9C-A172-5240B436D570}\RP186;Trojan.NtRootKit.103;Deleted.;
A0019384.dll;D:\System Volume Information\_restore{84ED5C82-C100-4A9C-A172-5240B436D570}\RP190;Trojan.NtRootKit.103;Deleted.;




[recovering space - attachment deleted by admin]

[The Bubba]

And the last


[recovering space - attachment deleted by admin]

[The Bubba]

Success maybe?

[evilfantasy]

Having two antivirus programs running at the same time causes your computer to run very slowly and also causes random lockups.

Please uninstall one antivirus program and then run a new Hijackthis scan and post the log. You can just copy and pase it directly into the post instead of attaching it.

Let me know how things are now.

[The Bubba]

I removed one of the anti virus programs. Did you remove my attachments? Here is the Hijack this log you asked for. BTW, my computer is doing much better but still acting up just a tad.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:13:34 AM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\IE New Window Maximizer\iemaximizer.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\John Matthews\My Documents\Hijack this\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigblueheaven.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [IE New Window Maximizer] D:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--
End of file - 6016 bytes

[The Bubba]

Well I saw the proceedure that you suggested remove some viruses, but I ran another Kaspersky online scan and it says I still have 6 viruses.

[patio]

I suggest starting over following the Guideline from start to finish...there's a reason it was written the way it was and has been successful in the past.
Keep in mind a lot of work was put into this method and is done by volunteers...
If i'm off target on this i apologise but try it anyways.

[evilfantasy]

Since you ran Kaspersky you could have posted the log. It would be a big help and I may need you to run it again so I can see the log.


Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Please download ATF Cleaner by Atribune. ATF Cleaner.exe

Make sure that all browser windows are closed.

• Under the Main tab, put a check next to Select All.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  
• If you use the Firefox browser:
  Click on Firefox at the top and put a check next to Select All.
  If you would like to keep your saved passwords, click No at the prompt.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  
• If you use the Opera browser:
  Click on Opera at the top and put a check next to Select All.
  If you would like to keep your saved passwords, click No at the prompt.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

.
Important: Restart the computer before continuing.

----------

This scanner works with Internet Explorer only
Go to the BitDefender Online Scanner
Click I Agree to the license and then install the ActiveX control.
Please DO NOT change the Scanning Options.
That will make your logs huge and we don't need to see clean files.
Select Start Scan to begin.
This scan can take a while so please be patient and let it complete.

 Once Bitdefender completes the scan:
 Click-on the Detected Problems tab.
 Then select Click here to export the scan report


 
 When the window comes up to save the report, change the Save as type: box to:
 Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click Save


 
 This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later)
 
 This bdcan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
 
 If you do not follow these step, you will have an incorrect log or worse a log summary which is useless to us
 
 Post the bdscan.txt in the next post.

[The Bubba]

I'm at work right now but will tear into it when I get home later tonight. Thanks for all the help so far, it is much appreciated.

[evilfantasy]

No problem, I should be around.

[The Bubba]

I had to break up the Kaspersky log (too big for an attachment). I'm sending the top and the parts showing all infections.

Saturday, April 05, 2008 11:25:12 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/04/2008
Kaspersky Anti-Virus database records: 684126
 
 
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
 
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\ 
 
Scan Statistics
Total number of scanned objects 105330
Number of viruses found 6
Number of infected objects 8
Number of suspicious objects 0
Duration of the scan process 01:52:06

C:\Documents and Settings\john\.housecall6.6\Quarantine\SeekmoTB.dll.bac_a03132  Infected: not-a-virus:AdWare.Win32.Agent.c  skipped 
 
C:\Documents and Settings\john\My Documents\ww2rescue.exe/file451  Infected: not-a-virus:AdTool.Win32.WhenU.a  skipped 
 
C:\Documents and Settings\john\My Documents\ww2rescue.exe/file452  Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k  skipped 
 
C:\Documents and Settings\john\My Documents\ww2rescue.exe/file453  Infected: not-a-virus:AdWare.Win32.NewDotNet  skipped 
 
C:\Documents and Settings\john\My Documents\ww2rescue.exe  Inno: infected - 3  skipped 
 
C:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped 
 
C:\WINDOWS\system32\drivers\etc\hosts.20070828-214029.backup  Infected: Trojan.Win32.Qhost.mg  skipped 
 
C:\WINDOWS\system32\drivers\etc\hosts.20070828-214030.backup  Infected: Trojan.Win32.Qhost.mg  skipped 
 
D:\25bbe8f1d2e98ae45a383005147b\ffastun.ffo  Object is locked  skipped 
 
D:\25bbe8f1d2e98ae45a383005147b\ffastun0.ffx  Object is locked  skipped 
 
D:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log  Object is locked  skipped 
 
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log  Object is locked  skipped 
 
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck  Object is locked  skipped 
 
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat  Object is locked  skipped 
 
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat  Object is locked  skipped 
 
D:\Documents and Settings\\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-5-2008( 8-12-1 ).LOG  Object is locked  skipped 
 
D:\Documents and Settings\\Cookies\index.dat  Object is locked  skipped 
 
D:\Documents and Settings\\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat  Object is locked  skipped 
 
D:\Documents and Settings\\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped 
 
D:\Documents and Settings\\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped 
 
D:\Documents and Settings\\Local Settings\History\History.IE5\index.dat  Object is locked  skipped 
 
D:\Documents and Settings\\Local Settings\History\History.IE5\MSHist012008040520080406\index.dat  Object is locked  skipped 
 
D:\Documents and Settings\\Local Settings\Temp\~DF3D01.tmp  Object is locked 

[evilfantasy]

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1
  
• Link #2
  
• Link #3

Important! Combofix.exe MUST be saved to and ran from the Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
• Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
  • Click this link to see a list of security programs that should be disabled and how to disable them.
    
  • If yours is not listed and you don't know how to disable it, please ask.
• Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  
• Double click combofix.exe & follow the prompts.
• Choose Yes to accept the Disclaimers.[

• When finished, it will produce a log for you.
• Post that log in your next reply.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall

• If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  
• Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

[The Bubba]

I haven't had time to go through the approved procedures because of some things that came up. I don't have anything planned tonight when I get home and should be able to devote my full attention to my computer. Do you want me to do the other steps posted first or just go straight to the Combofix?

[evilfantasy]

We will do the combofix first, according to the Kaspersky log it is needed.

[The Bubba]

Will do, which will be in about 5 hours when I get home.

[The Bubba]

Here is the Combofix log:



[recovering space - attachment deleted by admin]

[evilfantasy]

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.

• Click Start , then Run
  
• Type notepad.exe in the Run Box.
  

2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

Killall::

Folder::
D:\Program Files\CyberDefender
D:\Program Files\NoAdware5.0
File::
D:\WINDOWS\st_affiliate.ini
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze


After posting that log run the BitDefender scan from HERE and post the log from it.

[The Bubba]

Will do. While I was waiting for your reply last night, I began doing the other procedure. I fell asleep during AVG's scan, man these scans are long. It found a virus though and deleted it. I'll your other procedure when I get home tonight. The way this is going, I might get this accomplished in about a week.

[evilfantasy]

man these scans are long.

The alternative is manually looking at each file.

We will get through it all. Might take some time but it's worth it.

[The Bubba]

There's no doubt it's worth it, you guys amaze me with your staying power. I've been to other computer sites and they're pretty good but you guys are the pick of the litter.

[The Bubba]

Here is the Combofix log, now off to bitdefender. I don't know how I double entered the attachment?

[recovering space - attachment deleted by admin]

[evilfantasy]

Looks good. Combofix took care of what I was hoping it would. Hopefully BitDefender will be good news as well.

[The Bubba]

Bitdefender giving me trouble, it won't comply. I went to my security options but they were set in accordance with Defender's specs.

[evilfantasy]

Try this one instead.

Use the Trend Micro Housecall Scan

• Click Scan Now. It's Free
  
• Read and put a Check next to Yes, I accept the Terms of Use
  
• Then click Launch HouseCall Wait for the Java-Based Housecall Kernel Test
  
• Click Starting Housecall and wait for the updates to finish.
  
• Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.

• It will download the latest scan engine and pattern files. When the definitions have been downloaded, the scan will start.
• Please wait while HouseCall scans your system…
• Once the scan is complete, it will take you to the summary page.

• Under Cleanup options choose Clean all detected infections automatically
  
• Click the Clean now>> button.
  
• When presented with a notification According to your instructions, all detected infections were cleaned..., click OK

• The Housecall log is saved to C:\Documents and Settings\UserName\.housecall\log\

[The Bubba]

I tried another site and got it to take, here is it's scan:



[recovering space - attachment deleted by admin]

[The Bubba]

I will do housecall as well.

[evilfantasy]

Was this the Bitdefender online scan?

Please post a new Hijackthis log.

Let me know how things are now.

[The Bubba]

I'm afraid not, it has an icon in my startup bar or task menu. Here is the Hijack this log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:13 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
D:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\IE New Window Maximizer\iemaximizer.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
D:\Program Files\Softwin\BitDefender10\vsserv.exe
D:\Program Files\Softwin\BitDefender10\bdmcon.exe
D:\Documents and Settings\John Matthews\My Documents\Hijack this\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigblueheaven.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [IE New Window Maximizer] D:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - D:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - D:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - D:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - D:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6713 bytes

[The Bubba]

I was able to go in and make a few security changes to allow the online bitdefender to work and will post it when I get home tonight. They're sooo long.

[evilfantasy]

OK, if needed go to www.savefile.com and upload the log there. There is no need to sign up, just post the link to the file back here so I can go to it.

You can uninstall the BitDefender standalone that you used earlier. We are done with it.

[The Bubba]

Thanks, will do. I assume the Hijackthis log was OK?

[evilfantasy]

Yes it looked good, this will hopefully be the last scan.

[The Bubba]

I don't think my computer is clean, it's still acting up. Here's the bitdefender log:

http://www.savefile.com/files/1492924

[The Bubba]

I have a question, How long does it take for Housecall to initiate the scan? I called it up and it's taking a small lifetime to begin it's scan.

[evilfantasy]

The housecall definitions can take a while.

What do you mean by acting up?

[The Bubba]

It's still giving some of the old symptoms, sluggish, doesn't load the pages on the first try, takes a long time loading detail stuff like banners or icons like login and register. I run a website too as you may have noticed and when I call it up, it sometimes doesn't load all the way and I have to hit refresh.

[The Bubba]

Here is my latest Kaspersky, it still says I have 5 viruses.

 http://www.savefile.com/files/1493802

[evilfantasy]

Go in and delete this file ww2rescue.exe and any others with the name in it.

Found in C:\Documents and Settings\john\My Documents\ww2rescue.exe

Now lets do some cleanup.

Let's clear out the programs we've been using to clean up your computer, they are not suitable for
general malware removal and could cause damage if launched accidentally and will help secure the work you have done.
.

• Click START then RUN
  
• Now type Combofix /u in the runbox
  
• Make sure there's a space between Combofix and /u
• Then hit Enter.

.

.
The above procedure will:

• Delete:
• ComboFix and its associated files and folders.
• VundoFix backups, if present
• The C:\Deckard folder, if present
• The C:_OtMoveIt folder, if present

• Reset the clock settings.
• Hide file extensions, if required.
• Hide System/Hidden files, if required.
• Set a new, clean Restore Point.

.
Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt2.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt2

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

.
Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
Here are some great tools to help you keep from getting infected again.

To prevent unknown applications from being installed on your computer install WinPatrol 2007

Another thing I would suggest installing SiteAdvisor. SiteAdvisor rates sites on business practices and spam.

Spybot Search & Destroy - A safe and effective spyware scanner.
* Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

AVG Anti-Spyware Free Edition - Very reliable with a high detection rate.
* AVG Anti-Spyware User Manual

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware

Comodo BOClean - Stops trojans and many more malicious attacks.

Use a Firewall - It can not be stressed enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over.
* Click here for a list of free firewalls.
* Why would I consider a third party firewall?
* Understanding and Using Firewalls

 UPDATE!!! UPDATE!!! UPDATE!!! - If you do not have automatic updates enabled then visit http://www.windowsupdate.com[/b]]http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer.
* Help with Windows updates

Learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Let us know how things are now.

[The Bubba]

Back at work again, I have tomorrow off and hopefully will be able to devote the whole day to my computer. I finally got Housecall to run and it cleaned up some stuff. I will try to get as much done tonight as I can on your to do list.

[The Bubba]

I did the combofix /u in the run box and it didn't remove Combofix, it gave me a run box which I clicked and then acted like it ran Combofix.

[evilfantasy]

OTMoveIt2 should remove anything left over that combofix /u didn't get so that is OK if it didn't work right.

[The Bubba]

OK, we'll give it a try.

[The Bubba]

I ran OTMoveIt2.exe and it removed combofix. I then created a new restore point and then tried to run Cleanmgr, it didn't give me the more options you mentioned, it just wanted to know which drive I wanted to clean, C or E.

[evilfantasy]

Try it this way.

Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are infected, but that's good news)

Turn OFF System Restore

• On the Desktop, right-click My Computer
  
• Click Properties
  
• Click the System Restore tab.
  
• Check Turn off System Restore
  
• Click Apply, and then click OK

Restart your computer

Turn ON System Restore

• On the Desktop, right-click My Computer
  
• Click Properties
  
• Click the System Restore tab.
  
• UN-Check Turn off System Restore
  
• Click Apply, and then click OK

System Restore will now be active again

Now set a new restore point

• Go to Start, then Programs, then Accessories, then System Tools
  
• Choose System Restore
  
• When the program starts, make sure that Create a Restore Point is checked, the click Next
  
• Give the restore point a name, then click Create, then Close to complete.

[The Bubba]

OK, be right back.

[The Bubba]

All done, do I do the aforemention proceedure now?

[evilfantasy]

 Secunia Software Inspector would be advised. then check through the rest and see if there is anything you may use to tighten up your security.

[The Bubba]

I already have most of what you've listed but will install what I don't have. I'm venturing to guess that I'm still infected. That's not a slam by any means but my computer is still not right.

[evilfantasy]

I don't think that an infection is causing the problem. You can run a new Kaspersky scan and post the log for a double check.

You don't need everything in the list. I try to give more than one option for the software I advise to use so it doesn't seem like I am promoting any one product - which I don't.

[The Bubba]

After I install everything and do scans, I'll do a Kaspersky and post it. See you tomorrow.

[The Bubba]

Well, after running another Kaspersky scan, I can now say that my computer is clean. I now need to know how many of these new found security programs do I need on my start up menu or task bar and which ones can be ran every so often? I now have Window Patrol (have always had) AVG..ditto, new stuff is Comodo Boclean, spybot, Superantispyware, Omniquad total security and last but not least, a Kerio firewall. I want to thank you (Evilfantasy) for taking the time to help me struggle through these cleansing processes. Off topic, how's the weather there, we are due east of you and are expecting the same severe weather.

[The Bubba]

While I am heaping praises, my computer is still having trouble opening web pages in a timely manner. Sometimes it fails completely. I guess the chase is still on.

[evilfantasy]

Keep everything but Omniquad total security.

Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:

• Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
  • Let this run undisturbed until the window with the blue  progress bar goes away

SFC - Which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

If you want to see what was replaced, right-click My Computer and click on Manage.
In the new window that appears, expand the Event Viewer (by clicking on the + symbol next to it) and then click on System.


The rain finally stopped today. First night we were getting large golfball size hail and then heavy rain for what seemed like 48 hours. Could be another flood riddled season in the midwest. Hope not.....

[The Bubba]

Hmmm, the last time I was asked to place my XP cd in my drive, I accidentally reinstalled it and lost valuable personal files. Let's hope it doesn't happen again, it's a long drive to OK.

[evilfantasy]

That method won't delete anything. Just don't restart the computer with the CD in the drive and you won't chance loosing anything.

[The Bubba]

Mission accomplished but computer still sluggish. Some sites had to be refreshed to get them to load. I defraged today as well.

[evilfantasy]

Let's try a few things with dial a fix.

First

Please download Dial-a-Fix by djlizard, save it to the desktop then extract it to it's own folder.

• Open the folder and run Dial-a-fix.exe
• 2 windows will open. Close the one in the background labled Restrictive Policies
• On the main window, check the box in section 4, labled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
• Check all boxes in Section 5, labled Registration Center.
• Click Go
• OK any error messages if received, but write them down and post them here.
• Restart the computer when done

.

Next

Open Dial-a-fix and click the hammer icon. Select Flush DNS and click Go
When complete, select Repair Permissions and click Go
When complete, select Repair/reinstall IE and click Go

If at any time you are prompted for the XP cd, insert it
Make note of any error messages and post them here
Reboot when complete and let me know if there's any change

[The Bubba]

OK, but first I'm going to do some checks that dial-a-fix recommends first.

[The Bubba]

Just concluded Dial a fix and had no problems. Computer is still slightly sluggish and some pages still have to be refreshed. Even on my own website, things like chat room boxes and stat counters are way slow to load. Any other suggestions?

[The Bubba]

Just for grins, click on my website and scroll the whole page and time how long it takes. The last thing to load is the search engine boxes at the very bottom of the page. If your computer takes very long for it to load then I won't gripe but I know that in the past, mine use to load it in about 5 seconds.

[evilfantasy]

Pretty much instantly.

Do you think it is the browser or your connection?

[The Bubba]

It's possible, Insight has recently changed over to Comcast. As far as browsers, I've been using the same all a long. I installed Foxfire and tried it but it didn't do justice to some of the graphics on my site.

I really appreciate your help and even recommended the site on my site, thanks again.

[evilfantasy]

Could be the connection. You could try re-installing IE7.

• First go here to Download IE 7 to the desktop. (Don't install it yet)

• Uninstall the version of IE you have installed now, to do so follow these steps:
• Click Start
  
• Click Control Panel
  
• Double click Add or Remove Programs
  
• Scroll down until you find Internet Explore
  
• Then click Change/Remove, and follow the prompts.

• Note: If you are unable to see IE7 in Add or Remove Programs follow these steps:

• Click Start
  
• Click Run
  
• Type or copy and paste, into the text box:

• %windir%\ie7\spuninst\spuninst.exe

• Then Press Enter
  
• Restart your computer.
  • Install the fresh version of Internet Explorer 7.

[/list]

[The Bubba]

I downloaded, uninstalled and reinstalled IE7. I can't tell any difference so far. What is your opinion on the IE7 add ons that they offer?

[evilfantasy]

Which add-ons, and from where?

[The Bubba]

They are the addons that you can choose after installing IE7. They come with it, one of them is ispell. BTW, my computer is getting a bit perkier.

[evilfantasy]

Hopefully it will come all the way around.

I am not real fammiliar with the add ons in ie7, I use Firefox. I did a google and found some interesting ones HERE. I suppose as long as they come from a reliable source then they would be great to use.

[The Bubba]

Thanks and thanks again for all the work involved in helping clean up my computer.

[evilfantasy]

No problem, safe surfing.........

[The Bubba]

And safe surfing to you as well.

[The Bubba]

Sorry to keep hanging on but my computer is still pretty sluggish. What do you think of the idea that the problem may be stemming from my modem (cable) or my router? I can bypass the router but how do you check a modem other than look at it's lights?

[evilfantasy]

Not sure how to check a modem.

Try this. PC Pitstop Full Tests. It's a free set of tests. Might lead on to something that can be looked into.

[The Bubba]

After running the tests, I have 3 areas that brought up yellow flags.

1) Memory 480 MB ram

2) Drives C,D

3) Internet: MSIE 7.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30

I looked over some of the options to try but decided to show the test results to you first. I'm thinking there might be room for improvement in these areas but they have been the same since I purchased the computer about 3 years ago. Obviously something has changed.

[evilfantasy]

Adding new programs/software. Some windows updates can take up alot of space and add to system resources. Hardware isn't my strong suit but more RAM wouldn't hurt. 1gig is usually the recommended amount and does seem to be the "sweet spot" for XP as well as Vista.

I'm not sure what to think about 2) and 3).

[The Bubba]

I thought about the ram myself and will get some soon and plug it in. I went ahead and did some of the cleanup part of Pitstop but haven't noticed any change. I drop a line after I get some more ram.

[The Bubba]

Should get the ram tomorrow but in the meantime I have developed another problem. When I login to my site, it shows my name but still shows the word login (should show admin). I also can't post a message either. I also can't on the support forum that runs my site (message board). I went back a bit with system restore, back to where I reported I was clean. Still no luck. I ran Kaspersky again just to be safe and am still showing clean. At work I can login to my site an everything is fine. Any ideas?

[evilfantasy]

Hello, sorry it has taken so long for me to get back to this.

I really don't know what might be going on.

[The Bubba]

Well I got the ram installed, even did a reinstall of IE7 but the problem I mentioned still persists still persists. You would think Kaspersky would catch something with it's scan if there was anything and it didn't. This is darn aggravating and everything would be OK if I could get my website to allow a proper login. I would think it would have to be some kind of registry change, that's why I did a system restore. I do have another question though, I've reinstalled IE7 twice now, the first time it asked to insert my XP disc but this last time it didn't? Should I be asking these questions in another forum, it would appear that this is not virus/spyware related?

[evilfantasy]

You may get a better response in another forum. (not many are willing to read the 6 pages we have here)

I am stumped. It could be something simple and then again it could be a reinstall that is needed.

[The Bubba]

As far as a reinstall, are you referring to IE7? As far as reading the 6 pages we've created, the amount of views shown seem to indicate that there were several that were interested. You have a great deal of knowledge that you are willing to give for free in order to aid in solving certain computer problems and I hope that I haven't offended you by stating that I might need to ask certain questions in another forum. I more than appreciate your time and interest in helping me.

[evilfantasy]

No offense taken at all . I am always open to "knowledgeable" input from others.

By a reinstall I meant Windows. I don't think that is the case and I normally never recommend it as I would rather see the problem fixed. I just don't know where to look for the fix. We have tried everything that normally works and it seems to have the opposite results. A new thread will be more likely to get new views on what to try.

[The Bubba]

I was thinking the same thing but will exhaust all means possible before doing that because it's such a pain. Thanks again for your time in getting my computer cleaned up.