Need some advice please

[Gabriel]

I was on the internet last night when i noticed that that everything was going very slow. I did some checking around my cpu and ran some virus programs. I found some virsus nothing unuasl until i went in my control panel. I noticed that i had to new options under my control panel a MS AV and a Software explorers. I didnt not download or install any of these programs. Could these be some kinds of infections? All my internet use is very slow.

[Carbon Dudeoxide]

What were the items in Control Panel (add and remove programs?)?

Also, you might want to look here so we can see if your computer is infected and help disinfect it:
http://www.computerhope.com/forum/index.php/topic,46313.0.html

[senthilvalli]

you delete all internet temp files... or using window washer. and scan full system vrus

[Carbon Dudeoxide]

you delete all internet temp files... or using window washer. and scan full system vrus

Please discard this advice.

Senthivalli, please leave Malware-Cleaning to the Malware Specialists.

However, cleaning the temporary files can be useful, but personally I would use CCleaner to do so.

[Gabriel]

Thank you i am in the process of doing all those steps on that link  =-). No its not under add or remove programs. I did get a odd pop saying that my computer was infected and can only assume shortly there after those 2 programs showed up under my control panel. I dare not open them cause i have no idea what they are lol

[Carbon Dudeoxide]

All right, good luck.

When you post the three logs, one of our Malware Specialists will help from there.

[Gabriel]

For that Link you gave me i cant do steps 3 and 4 its telling me i am iunable to connect to those websites. i was able to get CCleaner and hijack this. there others i cant download

[Gabriel]

i apologize for my spelling been up all night figuring this stuff out or at least trying to =-)

[Gabriel]

this is the log from hijack this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:03 AM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Download Manager\DLM.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\TrojanHunter 5.0\TrojanHunter.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4309] command /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7787] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB320] command /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2938] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3607 bytes

[Carbon Dudeoxide]

For MBAM and SAS, can you download them to a Flash Drive and copy them over?

[Gabriel]

i dont know how to do that. I cant even connect to the website to get the download started. Its giving me this error :

Failed to Connect

  Firefox can't establish a connection to the server at www.besttechie.net.

        Though the site seems valid, the browser was unable to establish a connection.

    * Could the site be temporarily unavailable? Try again later.
    * Are you unable to browse other sites?  Check the computer's network connection.
    * Is your computer or network protected by a firewall or proxy? Incorrect settings can interfere with Web browsing.

Clearly i have internet cause i am on this website and can check other websites =-)

[Carbon Dudeoxide]

besttechie.net??

What Step are you on?

[Gabriel]

Step 3: SUPERAntiSpyware and Step 4: Malwarebytes' Anti-Malware (MBAM). thats the error message i get when i click on those links that are on the post.

[Gabriel]

Thats also a problem i seem to be having the links i am  click on arent taking me to the correct site.  its takin a lon time to load and its sending me to other sites with some long *censored* names lol

[Carbon Dudeoxide]

http://downloads2.superantispyware.com/downloads/SUPERAntiSpyware.exe

http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

Try those.

[Gabriel]

those dont work either . It seems i cant click on links if i do they dont take me to the correct site. I was able to download MBAM but i have to search it on google then open a new tab copy the url and paste it in the new tab lol.It seems thats the only way i can do it

[Carbon Dudeoxide]

If you can, post whatever logs you can.

If you have access to another computer, download SAS there and transfer it to the computer with the problem (like with email or a flash drive/usb stick)

[Gabriel]

using that same method i used for MBAM i got the other program. I am updating each one then going to run them and post the logs

[Carbon Dudeoxide]

Good Luck!

[Gabriel]

this is MBAM log file:


Malwarebytes' Anti-Malware 1.27
Database version: 1128
Windows 5.1.2600 Service Pack 2

9/8/2008 9:39:59 AM
mbam-log-2008-09-08 (09-39-59).txt

Scan type: Quick Scan
Objects scanned: 48334
Time elapsed: 10 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{625d8e25-27d8-4527-a178-4a17071ba1bc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f60777da-d6a6-40f6-b665-6f361c1017b6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\poswin.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\MSa.cpl (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\lphc75bj0erd9.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.

[Gabriel]

this is the superantispyware log file:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/08/2008 at 10:08 AM

Application Version : 4.20.1046

Core Rules Database Version : 3558
Trace Rules Database Version: 1546

Scan type       : Complete Scan
Total Scan Time : 00:48:40

Memory items scanned      : 418
Memory threats detected   : 0
Registry items scanned    : 5761
Registry threats detected : 23
File items scanned        : 24774
File threats detected     : 13

Adware.EngageSidebar
   C:\Program Files\EngageSidebar\magn.bmp
   C:\Program Files\EngageSidebar\style.css
   C:\Program Files\EngageSidebar\Uninstall.exe
   C:\Program Files\EngageSidebar
   C:\WINDOWS\system32\Ldresb\setup.dat
   C:\WINDOWS\system32\Ldresb\update.ini
   C:\WINDOWS\system32\Ldresb
   C:\Documents and Settings\Gabe\Start Menu\Programs\EngageSidebar\Uninstall.lnk
   C:\Documents and Settings\Gabe\Start Menu\Programs\EngageSidebar
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Engage SideBar
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Engage SideBar#DisplayName
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EngageSidebar
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EngageSidebar#UninstallString
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EngageSidebar#Publisher
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EngageSidebar#NoModify
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EngageSidebar#NoRepair
   HKLM\SOFTWARE\EngageSidebar
   HKLM\SOFTWARE\EngageSidebar#Affiliate
   HKLM\SOFTWARE\EngageSidebar#AppDir
   HKLM\SOFTWARE\EngageSidebar\AdSettings
   HKLM\SOFTWARE\EngageSidebar\AdSettings#PageSize
   HKLM\SOFTWARE\EngageSidebar\AdSettings#BarPlace
   HKLM\SOFTWARE\EngageSidebar\AdSettings#DescLength
   HKLM\SOFTWARE\EngageSidebar\AdSettings#SearchImage
   HKLM\SOFTWARE\EngageSidebar\AdSettings#StyleFile
   HKLM\SOFTWARE\EngageSidebar\AdSettings#a
   HKLM\SOFTWARE\EngageSidebar\AdSettings#aa
   HKLM\SOFTWARE\EngageSidebar\AdSettings#b
   HKLM\SOFTWARE\EngageSidebar\AdSettings#bb
   HKLM\SOFTWARE\EngageSidebar\AdSettings#c
   HKLM\SOFTWARE\EngageSidebar\AdSettings#cc
   HKCR\Directory\shellex\ContextMenuHandlers\Shlesb

Adware.Unknown Origin
   C:\WINDOWS\ESBAGENT.JPG
   C:\WINDOWS\ESBLOGO.JPG

Trojan.Unknown Origin

[Gabriel]

one of the programs is gone thanks to all that =-) still have the software explorers one under my control panel . any ideas what it could be after all that removing of infections?

[Carbon Dudeoxide]

I would wait for a Malware Specialist before you or I do anything more. 

[evilfantasy]

You haven't posted all of the logs.

[Gabriel]

i posted the MBAM the superanti sypware and the hijackthis. What other logs do i need to post? The ccleaner?

[evilfantasy]

Please run HijackThis only after the above steps have been completed

The HijackThis log isn't any good being run before the malware has been removed. It will show entries that are no longer there...

[Gabriel]

ahhh np =-) didnt realize it lol here it is



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:53 PM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Gabe\Desktop\TAConf2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3330 bytes

[evilfantasy]

Do you know what this is? C:\Documents and Settings\Gabe\Desktop\TAConf2.exe

Download ViewpointKiller.zip

• Unzip the program and all of the contents of ViewpointKiller.zip to a location such as your desktop.
  
• Double click the ViewpointKiller icon to run ViewpointKiller.exe.
  
• Select the File menu, and select Check to see if you have Viewpoint installed.
  
• If ViewpointKiller indicates that any of the Viewpoint variants are installed, select the proper Kill option in the File menu.

• Follow the prompts and instructions very carefully, answering Yes or No depending on which option you are most comfortable with.
  
• The MsConfig instructions are very important, so be sure to read them carefully.

• Note: When done with ViewpointKiller right click and delete all files that were unzipped.

[Gabriel]

alright i used that tool. yea taconf is a voice program its not a virsus or something =-). Is there anyway i can remove the program  from the control panel? i cant seem to drag it to the recycle bin or delete it.

[evilfantasy]

Looks good then.

Let me know if you have any questions.



Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Important: You Need to Update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical updates.

----------

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[Gabriel]

thank u so much for all your help =-). this program is still in my control panel its a monitor with a magnifying glass thru the screen. when i hover over it it says : displays all software that is running on your computer or registered to run automatically. that program was not there 2 days ago lol

[evilfantasy]

Can you post a screenshot of it?

How to post screenshots or images