
Author Topic: Need some advice please  (Read 7702 times)


Gabriel

    Topic Starter


    Rookie

    Re: Need some advice please
    « Reply #15 on: September 08, 2008, 07:05:22 AM »
    Those don't work either. It seems I can't click on links; if I do, they don't take me to the correct site. I was able to download MBAM, but I have to search for it on Google, then open a new tab, copy the URL and paste it in the new tab, lol. It seems that's the only way I can do it.

    Carbon Dudeoxide

    • Global Moderator

    • Mastermind
    • Thanked: 169
    • Experience: Guru
    • OS: Mac OS
    Re: Need some advice please
    « Reply #16 on: September 08, 2008, 07:07:34 AM »
    If you can, post whatever logs you can.

    If you have access to another computer, download SAS there and transfer it to the computer with the problem (like with email or a flash drive/USB stick).

    Gabriel

      Topic Starter


      Rookie

      Re: Need some advice please
      « Reply #17 on: September 08, 2008, 07:08:25 AM »
      Using that same method I used for MBAM, I got the other program. I am updating each one, then going to run them and post the logs.

      Carbon Dudeoxide

      • Global Moderator

      Re: Need some advice please
      « Reply #18 on: September 08, 2008, 07:11:57 AM »
      Good Luck!

      Gabriel

        Topic Starter


        Rookie

        Re: Need some advice please
        « Reply #19 on: September 08, 2008, 07:41:49 AM »
        This is the MBAM log file:


        Malwarebytes' Anti-Malware 1.27
        Database version: 1128
        Windows 5.1.2600 Service Pack 2

        9/8/2008 9:39:59 AM
        mbam-log-2008-09-08 (09-39-59).txt

        Scan type: Quick Scan
        Objects scanned: 48334
        Time elapsed: 10 minute(s), 38 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 13
        Registry Values Infected: 0
        Registry Data Items Infected: 1
        Folders Infected: 0
        Files Infected: 10

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\Interface\{625d8e25-27d8-4527-a178-4a17071ba1bc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\AppID\{f60777da-d6a6-40f6-b665-6f361c1017b6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
        HKEY_CLASSES_ROOT\AppID\poswin.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

        Registry Values Infected:
        (No malicious items detected)

        Registry Data Items Infected:
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

        Folders Infected:
        (No malicious items detected)

        Files Infected:
        C:\WINDOWS\SYSTEM32\MSa.cpl (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
        C:\WINDOWS\SYSTEM32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
        C:\WINDOWS\SYSTEM32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
        C:\WINDOWS\SYSTEM32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
        C:\WINDOWS\SYSTEM32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
        C:\WINDOWS\SYSTEM32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
        C:\WINDOWS\SYSTEM32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
        C:\WINDOWS\SYSTEM32\DRIVERS\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
        C:\WINDOWS\SYSTEM32\lphc75bj0erd9.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
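
As an added example (not part of the original thread and not Malwarebytes' own tooling), a short Python parser for the MBAM log format posted above. It separates items already removed from those whose removal is only scheduled with "Delete on reboot". The sample is a shortened excerpt of that log, and the function names are hypothetical.

```python
import re
from collections import Counter

# Shortened excerpt of the MBAM log posted above (lines copied from that log).
SAMPLE_LOG = r"""
Registry Keys Infected: 13
Files Infected: 10

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\MSa.cpl (Rogue.MSAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\DRIVERS\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# "Files Infected:" opens a detail section; "Files Infected: 10" is a summary count.
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# <target> (<Detection.Name>) -> [optional detail ->] <action>.
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<detection>[A-Za-z]+\.[\w.]+)\) -> (?P<rest>.+)$"
)

def parse_mbam_log(text):
    """Return one dict per detected item: section, target, detection, action."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        item = ITEM_RE.match(line)
        if item and section:
            # The action is always the last " -> " segment on the line.
            action = item.group("rest").split(" -> ")[-1].rstrip(".")
            items.append({"section": section, "target": item.group("target"),
                          "detection": item.group("detection"), "action": action})
    return items

def pending_reboot(items):
    """Targets that are still present until the machine is restarted."""
    return [i["target"] for i in items if i["action"] == "Delete on reboot"]

def detections_by_family(items):
    """Count items per detection name, e.g. Trojan.Agent."""
    return Counter(i["detection"] for i in items)

if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("Pending removal at reboot:", pending_reboot(parsed))
    print("By detection:", dict(detections_by_family(parsed)))
```

A non-empty pending list means the machine has to be restarted, and scanned again afterwards, before the log can be read as a clean result.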

        Gabriel

          Topic Starter


          Rookie

          Re: Need some advice please
          « Reply #20 on: September 08, 2008, 08:16:31 AM »
          This is the SUPERAntiSpyware log file:

          SUPERAntiSpyware Scan Log
          http://www.superantispyware.com

          Generated 09/08/2008 at 10:08 AM

          Application Version : 4.20.1046

          Core Rules Database Version : 3558
          Trace Rules Database Version: 1546

          Scan type       : Complete Scan
          Total Scan Time : 00:48:40

          Memory items scanned      : 418
          Memory threats detected   : 0
          Registry items scanned    : 5761
          Registry threats detected : 23
          File items scanned        : 24774
          File threats detected     : 13

          Adware.EngageSidebar
             C:\Program Files\EngageSidebar\magn.bmp
             C:\Program Files\EngageSidebar\style.css
             C:\Program Files\EngageSidebar\Uninstall.exe
             C:\Program Files\EngageSidebar
             C:\WINDOWS\system32\Ldresb\setup.dat
             C:\WINDOWS\system32\Ldresb\update.ini
             C:\WINDOWS\system32\Ldresb
             C:\Documents and Settings\Gabe\Start Menu\Programs\EngageSidebar\Uninstall.lnk
             C:\Documents and Settings\Gabe\Start Menu\Programs\EngageSidebar
             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Engage SideBar
             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Engage SideBar#DisplayName
             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EngageSidebar
             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EngageSidebar#UninstallString
             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EngageSidebar#Publisher
             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EngageSidebar#NoModify
             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EngageSidebar#NoRepair
             HKLM\SOFTWARE\EngageSidebar
             HKLM\SOFTWARE\EngageSidebar#Affiliate
             HKLM\SOFTWARE\EngageSidebar#AppDir
             HKLM\SOFTWARE\EngageSidebar\AdSettings
             HKLM\SOFTWARE\EngageSidebar\AdSettings#PageSize
             HKLM\SOFTWARE\EngageSidebar\AdSettings#BarPlace
             HKLM\SOFTWARE\EngageSidebar\AdSettings#DescLength
             HKLM\SOFTWARE\EngageSidebar\AdSettings#SearchImage
             HKLM\SOFTWARE\EngageSidebar\AdSettings#StyleFile
             HKLM\SOFTWARE\EngageSidebar\AdSettings#a
             HKLM\SOFTWARE\EngageSidebar\AdSettings#aa
             HKLM\SOFTWARE\EngageSidebar\AdSettings#b
             HKLM\SOFTWARE\EngageSidebar\AdSettings#bb
             HKLM\SOFTWARE\EngageSidebar\AdSettings#c
             HKLM\SOFTWARE\EngageSidebar\AdSettings#cc
             HKCR\Directory\shellex\ContextMenuHandlers\Shlesb

          Adware.Unknown Origin
             C:\WINDOWS\ESBAGENT.JPG
             C:\WINDOWS\ESBLOGO.JPG

          Trojan.Unknown Origin

          Gabriel

            Topic Starter


            Rookie

            Re: Need some advice please
            « Reply #21 on: September 08, 2008, 08:31:54 AM »
            One of the programs is gone thanks to all that =-) I still have the software explorers one under my Control Panel. Any ideas what it could be after all that removing of infections?

            Carbon Dudeoxide

            • Global Moderator

            Re: Need some advice please
            « Reply #22 on: September 08, 2008, 08:34:28 AM »
            I would wait for a Malware Specialist before you or I do anything more.  ;)

            evilfantasy

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Calm like a bomb
            • Thanked: 493
            • Experience: Experienced
            • OS: Windows 11
            Re: Need some advice please
            « Reply #23 on: September 08, 2008, 10:19:04 AM »
            You haven't posted all of the logs.

            Gabriel

              Topic Starter


              Rookie

              Re: Need some advice please
              « Reply #24 on: September 08, 2008, 06:46:01 PM »
              I posted the MBAM, the SUPERAntiSpyware and the HijackThis. What other logs do I need to post? The CCleaner?

              evilfantasy

              • Malware Removal Specialist
              • Moderator


              Re: Need some advice please
              « Reply #25 on: September 08, 2008, 06:50:28 PM »
              Quote from: evilfantasy
              Please run HijackThis only after the above steps have been completed

              The HijackThis log isn't any good being run before the malware has been removed. It will show entries that are no longer there...

              Gabriel

                Topic Starter


                Rookie

                Re: Need some advice please
                « Reply #26 on: September 08, 2008, 06:59:22 PM »
                Ahhh, np =-) Didn't realize it, lol. Here it is:



                Logfile of Trend Micro HijackThis v2.0.2
                Scan saved at 8:58:53 PM, on 9/8/2008
                Platform: Windows XP SP2 (WinNT 5.01.2600)
                MSIE: Internet Explorer v7.00 (7.00.6000.16705)
                Boot mode: Normal

                Running processes:
                C:\WINDOWS\System32\smss.exe
                C:\WINDOWS\system32\winlogon.exe
                C:\WINDOWS\system32\services.exe
                C:\WINDOWS\system32\lsass.exe
                C:\WINDOWS\system32\svchost.exe
                C:\WINDOWS\System32\svchost.exe
                C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
                C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                C:\Program Files\Alwil Software\Avast4\ashServ.exe
                C:\WINDOWS\system32\spoolsv.exe
                C:\WINDOWS\System32\snmp.exe
                C:\Program Files\Dell Support Center\bin\sprtsvc.exe
                C:\WINDOWS\System32\svchost.exe
                C:\WINDOWS\Explorer.EXE
                C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                C:\WINDOWS\System32\svchost.exe
                C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                C:\Documents and Settings\Gabe\Desktop\TAConf2.exe
                C:\Program Files\Mozilla Firefox\firefox.exe
                C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
                O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
                O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
                O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
                O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
                O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
                O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
                O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
                O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
                O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

                --
                End of file - 3330 bytes

                evilfantasy

                • Malware Removal Specialist
                • Moderator


                Re: Need some advice please
                « Reply #27 on: September 08, 2008, 07:01:44 PM »
                Do you know what this is? C:\Documents and Settings\Gabe\Desktop\TAConf2.exe

                Download ViewpointKiller.zip
                • Unzip the program and all of the contents of ViewpointKiller.zip to a location such as your desktop.
                • Double click the ViewpointKiller icon to run ViewpointKiller.exe.
                • Select the File menu, and select Check to see if you have Viewpoint installed.
                • If ViewpointKiller indicates that any of the Viewpoint variants are installed, select the proper Kill option in the File menu.
                • Follow the prompts and instructions very carefully, answering Yes or No depending on which option you are most comfortable with.
                • The MsConfig instructions are very important, so be sure to read them carefully.
                • Note: When done with ViewpointKiller right click and delete all files that were unzipped.

                Gabriel

                  Topic Starter


                  Rookie

                  Re: Need some advice please
                  « Reply #28 on: September 08, 2008, 07:19:02 PM »
                  Alright, I used that tool. Yeah, TAConf is a voice program, it's not a virus or something =-). Is there any way I can remove the program from the Control Panel? I can't seem to drag it to the Recycle Bin or delete it.

                  evilfantasy

                  • Malware Removal Specialist
                  • Moderator


                  Re: Need some advice please
                  « Reply #29 on: September 08, 2008, 07:21:23 PM »
                  Looks good then.

                  Let me know if you have any questions.



                  Set a New Restore Point to prevent possible reinfection from an old one
                  Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
                  • Go to Start > Programs > Accessories > System Tools and click System Restore
                  • Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
                  • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
                  • Next go to Start > Run and type Cleanmgr
                  • Click OK
                  • Click the More Options Tab.
                  • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
                  You can find instructions on how to enable and re-enable system restore here:

                  Windows XP System Restore Guide or Windows Vista System Restore Guide
                  ----------

                  Use the Secunia Software Inspector to check for out of date software.
                  • Click Start Now
                  • Check the box next to Enable thorough system inspection.
                  • Click Start
                  • Allow the scan to finish and scroll down to see if any updates are needed.
                  • Update anything listed.
                  ----------

                  Important: You Need to Update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical updates.

                  ----------

                  To prevent unknown applications from being installed on your computer install WinPatrol 2008
                  * Using Winpatrol to protect your computer from malicious software

                  I suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

                  SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                  * Using SpywareBlaster to protect your computer from Spyware and Malware
                  * If you don't know what ActiveX controls are, see here

                  Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                  Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.