I Have a virus

[patio]

I suggest starting over following the Guideline from start to finish...there's a reason it was written the way it was and has been successful in the past.
Keep in mind a lot of work was put into this method and is done by volunteers...
If i'm off target on this i apologise but try it anyways.

[evilfantasy]

Since you ran Kaspersky you could have posted the log. It would be a big help and I may need you to run it again so I can see the log.


Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------

Please download ATF Cleaner by Atribune. ATF Cleaner.exe

Make sure that all browser windows are closed.

• Under the Main tab, put a check next to Select All.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  
• If you use the Firefox browser:
  Click on Firefox at the top and put a check next to Select All.
  If you would like to keep your saved passwords, click No at the prompt.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)
  
• If you use the Opera browser:
  Click on Opera at the top and put a check next to Select All.
  If you would like to keep your saved passwords, click No at the prompt.
  Click the Empty Selected button. (Note: if you remove cookies, automated login at forums and sites will be disabled. If you do not want this, uncheck Cookies)

.
Important: Restart the computer before continuing.

----------

This scanner works with Internet Explorer only
Go to the BitDefender Online Scanner
Click I Agree to the license and then install the ActiveX control.
Please DO NOT change the Scanning Options.
That will make your logs huge and we don't need to see clean files.
Select Start Scan to begin.
This scan can take a while so please be patient and let it complete.

 Once Bitdefender completes the scan:
 Click-on the Detected Problems tab.
 Then select Click here to export the scan report


 
 When the window comes up to save the report, change the Save as type: box to:
 Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click Save


 
 This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later)
 
 This bdcan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
 
 If you do not follow these step, you will have an incorrect log or worse a log summary which is useless to us
 
 Post the bdscan.txt in the next post.

[The Bubba]

I'm at work right now but will tear into it when I get home later tonight. Thanks for all the help so far, it is much appreciated.

[evilfantasy]

No problem, I should be around.

[The Bubba]

I had to break up the Kaspersky log (too big for an attachment). I'm sending the top and the parts showing all infections.

Saturday, April 05, 2008 11:25:12 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/04/2008
Kaspersky Anti-Virus database records: 684126
 
 
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
 
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\ 
 
Scan Statistics
Total number of scanned objects 105330
Number of viruses found 6
Number of infected objects 8
Number of suspicious objects 0
Duration of the scan process 01:52:06

C:\Documents and Settings\john\.housecall6.6\Quarantine\SeekmoTB.dll.bac_a03132  Infected: not-a-virus:AdWare.Win32.Agent.c  skipped 
 
C:\Documents and Settings\john\My Documents\ww2rescue.exe/file451  Infected: not-a-virus:AdTool.Win32.WhenU.a  skipped 
 
C:\Documents and Settings\john\My Documents\ww2rescue.exe/file452  Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k  skipped 
 
C:\Documents and Settings\john\My Documents\ww2rescue.exe/file453  Infected: not-a-virus:AdWare.Win32.NewDotNet  skipped 
 
C:\Documents and Settings\john\My Documents\ww2rescue.exe  Inno: infected - 3  skipped 
 
C:\System Volume Information\MountPointManagerRemoteDatabase  Object is locked  skipped 
 
C:\WINDOWS\system32\drivers\etc\hosts.20070828-214029.backup  Infected: Trojan.Win32.Qhost.mg  skipped 
 
C:\WINDOWS\system32\drivers\etc\hosts.20070828-214030.backup  Infected: Trojan.Win32.Qhost.mg  skipped 
 
D:\25bbe8f1d2e98ae45a383005147b\ffastun.ffo  Object is locked  skipped 
 
D:\25bbe8f1d2e98ae45a383005147b\ffastun0.ffx  Object is locked  skipped 
 
D:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log  Object is locked  skipped 
 
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log  Object is locked  skipped 
 
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck  Object is locked  skipped 
 
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat  Object is locked  skipped 
 
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat  Object is locked  skipped 
 
D:\Documents and Settings\\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-5-2008( 8-12-1 ).LOG  Object is locked  skipped 
 
D:\Documents and Settings\\Cookies\index.dat  Object is locked  skipped 
 
D:\Documents and Settings\\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat  Object is locked  skipped 
 
D:\Documents and Settings\\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked  skipped 
 
D:\Documents and Settings\\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked  skipped 
 
D:\Documents and Settings\\Local Settings\History\History.IE5\index.dat  Object is locked  skipped 
 
D:\Documents and Settings\\Local Settings\History\History.IE5\MSHist012008040520080406\index.dat  Object is locked  skipped 
 
D:\Documents and Settings\\Local Settings\Temp\~DF3D01.tmp  Object is locked 

[evilfantasy]

Please download Combofix by sUBs from one of the below links.
(Try all three if necessary)

• Link #1
  
• Link #2
  
• Link #3

Important! Combofix.exe MUST be saved to and ran from the Desktop.

• Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting Combofix.
• Important! Temporarily disable your antivirus, script blocking and any antispyware real time protection before performing a scan.
  • Click this link to see a list of security programs that should be disabled and how to disable them.
    
  • If yours is not listed and you don't know how to disable it, please ask.
• Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  
• Double click combofix.exe & follow the prompts.
• Choose Yes to accept the Disclaimers.[

• When finished, it will produce a log for you.
• Post that log in your next reply.

Warning: Do not mouseclick combofix's window while it is running. That may cause it to stall

• If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  
• Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.

[The Bubba]

I haven't had time to go through the approved procedures because of some things that came up. I don't have anything planned tonight when I get home and should be able to devote my full attention to my computer. Do you want me to do the other steps posted first or just go straight to the Combofix?

[evilfantasy]

We will do the combofix first, according to the Kaspersky log it is needed.

[The Bubba]

Will do, which will be in about 5 hours when I get home.

[The Bubba]

Here is the Combofix log:



[recovering space - attachment deleted by admin]

[evilfantasy]

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.

• Click Start , then Run
  
• Type notepad.exe in the Run Box.
  

2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code: [Select]

Killall::

Folder::
D:\Program Files\CyberDefender
D:\Program Files\NoAdware5.0
File::
D:\WINDOWS\st_affiliate.ini
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to freeze


After posting that log run the BitDefender scan from HERE and post the log from it.

[The Bubba]

Will do. While I was waiting for your reply last night, I began doing the other procedure. I fell asleep during AVG's scan, man these scans are long. It found a virus though and deleted it. I'll your other procedure when I get home tonight. The way this is going, I might get this accomplished in about a week.

[evilfantasy]

man these scans are long.

The alternative is manually looking at each file.

We will get through it all. Might take some time but it's worth it.

[The Bubba]

There's no doubt it's worth it, you guys amaze me with your staying power. I've been to other computer sites and they're pretty good but you guys are the pick of the litter.

[The Bubba]

Here is the Combofix log, now off to bitdefender. I don't know how I double entered the attachment?

[recovering space - attachment deleted by admin]