Spybot Blocked

[diggerdave]

Spybot Search & Destroy won't load. I have removed and reinstalled, no luck.
My browser, Firefox, won't open the Spybot website(safer-networking.org), but it will open it using the IP address.
I have started to get popups from various web sites.

Below are the requested log files:

SuperAntiSpyware:No infections reported

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

2/7/2009 10:48:49 AM
mbam-log-2009-02-07 (10-48-49).txt

Scan type: Quick Scan
Objects scanned: 50869
Time elapsed: 1 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:56 PM, on 2/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
G:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
g:\Program Files\Webroot\Washer\WasherSvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
G:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
G:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\Sniper.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - G:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - G:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "g:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225168748234
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - G:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - G:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - g:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 6130 bytes

[diggerdave]

Today I've been unable to update AVG and had several sites redirect to wrong pages.

[Gean Freaks]

What type of Internet connection are you using, is it dsl , cable or dial up?

[diggerdave]

I have a cable connection.

As an update to my situation, I found that the firefox pop-up blocker had been disabled so I re-enabled it. I'm still getting an occasional pop-up but it's much improved. I edited the hosts file to redirect from safer-networking.org to the IP address which has allowed me to access the website. Spybot S&D still won't load.

Thanks for your response.

[Gean Freaks]

Hi

     Tyr restarting your computer in safemode with networking then visit this website safety.live.com
click the button that says "Full Service scan" then let the scan to finish. After completing the scan, follow the prompts to remove the possible infections that will be detected, then restart the computer to normal mode and check if the issue is persisting. goodluck..

[diggerdave]

I ran the full scan as you suggested. It found 4 variants of the alureon trojan and was able to remove 3. That makes me a little nervous, but I have been able to update and run Spybot S&D and update AVG.

[Gean Freaks]

That's nice to hear ,     however, are you still being redirected to wrong webpages when surfing the internet?

[Gean Freaks]

And by the way , you mentioned that you  are able to update and run spybot and update avg as well , did you run a scan using avg as well ? did it find some infections?

[diggerdave]

I haven't had any problems with redirecting so far. I just finished running AVG. It found the following infection on a flash drive.

"N:\RECYCLER\S-7-6-39-100011020-100006772-100026489-6899.com";"Trojan horse Generic12.BJLK";"Moved to Virus Vault"

[evilfantasy]

Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

• Double click on RSIT.exe to run.
  
• Click Continue at the disclaimer screen.
  
• Once it has finished, two logs will open.
• log.txt <will be maximized and info.txt <will be minimized
  
• Please post the contents of both logs in the next reply.

[diggerdave]

I've attached the 2 logs.

[attachment deleted by admin]

[evilfantasy]

Disable Spybot's TeaTimer

While TeaTimer is an excellent tool for the prevention of spyware, it can also interfere with HijackThis fixes. Please disable TeaTimer for now until you are clean.

1. Right click Spybot in the System Tray (looks like a calendar with a padlock symbol). Choose Exit Spybot S&D Resident
2. Run Spybot S&D
3. Go to the Mode menu, and make sure Advanced Mode is selected.
4. On the left hand side, choose Tools > Resident
uncheck Resident TeaTimer and OK any prompt and Restart your computer.

Note: If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

If TeaTimer will not turn off then uninstall Spybot until we are done cleaning.

----------

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

- O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code: [Select]

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Protector]

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista

Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

If you are using Windows Vista, right-click on LopSD.exe icon and select 'Run as administrator' to perform this scan.

• Double-click Lop S&D.exe
  
• Choose the language by typing of the corresponding letter and press Enter
• Click OK at the informative window
  
• Type 1, to choose Option 1 (Search) then press Enter
  
• Wait until the end of the scan
• A report will be generated, post the contents of it in your next reply.

A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt

[diggerdave]

Log attached

[attachment deleted by admin]

[evilfantasy]

Antivirus : AVG Free 8.0
Antivirus : ZoneAlarm Security Suite Antivirus 7.0.473.000 (Activated)

Are you running two antivirus? This is never advised as it just causes problems. Please uninstall either AVG or ZoneAlarm Security Suite Antivirus.

Looking at the log now. How is the computer running now?

[diggerdave]

I haven't had zone alarm security suite running for at least 6 months. I am running the free zone alarm fire wall. Seems to be running well.

[evilfantasy]

I haven't had zone alarm security suite running for at least 6 months. I am running the free zone alarm fire wall. Seems to be running well.

OK, it must be seeing the security center as having the Security Suite installed. No problem.

--

You are going to have to remove the Cracks & Keygens before I can continue helping.

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe

:files
C:\DOCUME~1\David\Application Data\uTorrent\Adobe Acrobat 9 Pro Extended + Crack (PTB-ITA-ESP-NL) (iso).rar.torrent
C:\DOCUME~1\David\Application Data\uTorrent\ConvertXtoDVD-V3 DivX-V6 Nero-V8 WinRar-V3-Full Patch And Keygen's -2-  MAXIMODIS.zip.torrent
C:\DOCUME~1\David\Application Data\uTorrent\keygen.exe.torrent
C:\DOCUME~1\David\Application Data\uTorrent\Nero 9 Ver. C Iso + Cracks & Apps.rar.torrent
C:\DOCUME~1\David\Application Data\uTorrent\Nero 9. Ultra NEW RELEASE Including+Keygen Valildation Crack.rar.torrent
C:\DOCUME~1\David\Application Data\uTorrent\nero_8_keygen__serials_reg__activation.rar.torrent
C:\DOCUME~1\David\Application Data\uTorrent\RegCure 1.5 with crack.rar.torrent

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

[diggerdave]

Here's the log:
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder C:\DOCUME~1\David\Application Data\uTorrent\Adobe Acrobat 9 Pro Extended + Crack (PTB-ITA-ESP-NL) (iso).rar.torrent not found.
File/Folder C:\DOCUME~1\David\Application Data\uTorrent\ConvertXtoDVD-V3 DivX-V6 Nero-V8 WinRar-V3-Full Patch And Keygen's -2-  MAXIMODIS.zip.torrent not found.
File/Folder C:\DOCUME~1\David\Application Data\uTorrent\keygen.exe.torrent not found.
File/Folder C:\DOCUME~1\David\Application Data\uTorrent\Nero 9 Ver. C Iso + Cracks & Apps.rar.torrent not found.
File/Folder C:\DOCUME~1\David\Application Data\uTorrent\Nero 9. Ultra NEW RELEASE Including+Keygen Valildation Crack.rar.torrent not found.
File/Folder C:\DOCUME~1\David\Application Data\uTorrent\nero_8_keygen__serials_reg__activation.rar.torrent not found.
File/Folder C:\DOCUME~1\David\Application Data\uTorrent\RegCure 1.5 with crack.rar.torrent not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\David\LOCALS~1\Temp\etilqs_QcjCX8zRcMQq3Ps9d45X scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\David\LOCALS~1\Temp\etilqs_QcjCX8zRcMQq3Ps9d45X-journal scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\David\LOCALS~1\Temp\etilqs_u59Ra7VKA7IFF7KLQAw4 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\David\LOCALS~1\Temp\~DF9103.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\gnserv.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_770.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\spnserv.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\spserv.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT06db8.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\OfflineCache\index.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\David\Local Settings\Application Data\Mozilla\Firefox\Profiles\msin5iya.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
 
OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02112009_154245

[evilfantasy]

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

[diggerdave]

Log attached

[attachment deleted by admin]

[evilfantasy]

Everything looks OK.

How is the computer running now?

[diggerdave]

It's taking well over a minute at boot up to get from the post to the memory check.

[evilfantasy]

Has this just started happening?

[diggerdave]

Yes. I believe it started after running OTMoveIt3.

[evilfantasy]

All that did was remove temporary files. Everything else said "Not found."

Try Dial-a-fix.

Download Dial-a-Fix by djlizard, save it to the desktop then extract it to it's own folder.

• Open the folder and run Dial-a-fix.exe
• 2 windows will open. Close the one in the background labeled Restrictive Policies
• Check the box in section 1, Empty temp folders.
  
• Check the box in section 2, Fix Windows Installer.
  
• Check the box in section 3, Fix Windows Update.
  
• Check the box in section 4, labeled SSL/HTTPS/Cryptography. The 4 boxes under it should be pre-checked
  
• Check all boxes in section 5, labeled Registration Center.
  
• Click Go
  
• OK any error messages if received, but write them down and post them here.
• Restart the computer when done.

.
How is it now?

[diggerdave]

Dial-a-fix has been stuck on the same task for about an hour and a half.

[evilfantasy]

Can you see which one it is?

[diggerdave]

Stopping CRYPTSVC...

[evilfantasy]

OK stop it and uncheck box 4, labeled SSL/HTTPS/Cryptography

Now run it again please with the other boxes checked.

[diggerdave]

I'm still getting the lengthy delay at boot up.

[evilfantasy]

A computer can be slow to start up after cleaning the cache which is what we did when running OTMoveIt. After a few more restarts see if it is still running slow.

We should check for any more malware also as it could be that as well.

Use the Kaspersky Lab Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

• Click on SCAN NOW
  
• Click Accept.
  
• The program will then begin downloading the latest definition files.
• Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  
• The scan will take a while, so be patient and let it finish.

.
When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As

• Next, in the Save as prompt, Save in area, select: Desktop.
  
• In the File name area use KScan, or something similar.
  
• In Save as type: click the drop arrow and select: Text file [*.txt]
  
• Then, click: Save

.
Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

[diggerdave]

Kaspersky found no threats.

[evilfantasy]

Run CCleaner.

There may be a lot of fragmented sections on the drive after cleaning the malware.

You can use the built in Windows Defrag or a faster FREE program. Defraggler is very effective and easy to use. Be sure to clean out temp files and restart the computer just before using this.

[dexuk]

Programme files - find the Spybot search and Destroy executable and rename it to anything you want ( sb.exe for example) - double click it.........  use this trick if other AV, Malware or Spyware apps fail to start. Try Malwarebytes. rename to mb.exe if fails to start. Don't change the .exe part!

[evilfantasy]

@ dexuk

Did you even read through all of the posts?

That method is just avoiding the problem, not fixing it....

[diggerdave]

The memory test is still excruciatingly long, but all else seems to be running well.

[evilfantasy]

OK let's clean up. Let me know if you have any questions.

Download OTCleanIt.exe and save it to your Desktop.

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it yourself.

.
----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide or Windows Vista System Restore Guide
.
----------

Use the Secunia Software Inspector to check for out of date software.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

Concerned about Browser Security? Consider using Mozilla Firefox. With more than 15,000 improvements, Firefox 3 is faster, safer and smarter than ever before.

For Internet Explorer 7 users there is IE7Pro. IE7Pro is a must have add-on for Internet Explorer, which includes a lot of features and tweaks to make your IE friendlier, more useful, more secure and customizable.

To prevent unknown applications from being installed on your computer install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

[diggerdave]

Thank you for your help. It's only slow right after the post when it's doing the memory check.

[diggerdave]

Is it possible that during the cleaning up process that my bios settings were changed?

[evilfantasy]

No, the BIOS wasn't touched.

There may be a lot of fragmented sections on the drive after cleaning the malware.

You can use the built in Windows Defrag or a faster FREE program. Defraggler is very effective and easy to use. Be sure to clean out temp files and restart the computer just before using this.

[diggerdave]

I've run defraggler a couple of times over the weekend.

[evilfantasy]

It's possible something might have gotten back in.

Use the ESET Online Antivirus Scanner

This scanner requires Internet Explorer

1. Check the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the activex control to install
4. Click Start
5. Make sure that the option Remove found threats and the option Scan unwanted applications is check marked.
6. Click Scan
7. Wait for the scan to finish
8. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
9. Add the C:\Program Files\EsetOnlineScanner\log.txt log into your next reply.

----------

Download GMER and save it to your desktop

• Unzip (extract) it to your desktop.
• Disconnect from Internet and close all running programs.
• There is a small chance this application may crash your computer so save any work you have open.
• Double-click gmer.exe to run it.
  
• Let the gmer.sys driver to load if asked.
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan... click NO
  
• Click the Rootkit tab.
  
• Make sure all the boxes on the right of the screen are checked, EXCEPT for "Show All".
  
• Then click the Scan button. Wait for the scan to finish.
  
• Once done, click the Copy button.
  
• This will copy the results to the clipboard. Open Notepad and press CTRL + V to paste the log, and save it to your desktop.
  
• Add this log to your next reply.

NOTE: If you're having problems with running gmer.exe, try it in Safe Mode. This tool works in Safe Mode whereas many other rootkit revealers do not.

[cliffdodger]

ESET is a fantastic A/V program.

But... every virus scanner whether they like to admit it or not misses the occasional well built trojan - even with great heuristic scanning.

I tend to keep a copy of A squared free anti-trojan around just for those days when spybot and eset/nod32 don't get the job done (those days are very few and very far between - once a year perhaps?)

When something's wrong and no results are turning up I've often found stealthy trojans with A squared.
FYI - trojans work fast.. once they infect you they may be set up to waste no time forwarding your saved passwords and other information to a hackers network.  They may install a keylogger so they can log what websites you go to and record the usernames and passwords you enter.  The real danger being either identity theft or waking up with your bank accounts drained.  I'd update all your passwords anytime you've cleaned a trojan on your machine.  The other thing people neglect is liability.  Being infected by a trojan means the trojan can hack into other systems via your computer or host illegal material on your computer leaving you liable to your countries laws for that crime because it's happening on your computer.  Trojan's are NASTY.

http://www.emsisoft.com/en/software/free/ - A squared Free Anti-trojan

[evilfantasy]

Please let the above instructions be posted before moving on to anything else.

aSquared is an advanced tool and it's results are easily misunderstood.

See here http://www.computerhope.com/forum/index.php/topic,57605.0.html

[cliffdodger]

p.s. if you're really worried about protecting account passwords you have on your pc you should install a software firewall even if you have a hardware firewall already.  Set the software firewall to manual.  You'll have to know your windows processes and recognize what's your hardware, what's windows and what's not (it comes with time - just look them up on google if you're not sure)

This way - any time a program wants to connect to the internet it must manually ask you for permission.  When you see a tmp file accessing the internet when you're not in the middle of installing a program that's an obvious clue you may have just caught a trojan - but if you didn't have the software firewall the trojan could already be sending it's data to a hacker or doing whatever it's programmed to do around the web.

[evilfantasy]

@cliffdodger 

Remove the link in your signature or your posts will be deleted..

[cliffdodger]

 

done.. sadly

[evilfantasy]

You have to contact the owner to advertise. http://www.computerhope.com/cgi-bin/mail.cgi

Thew link is in your profile so if anyone is interested they can just use that one.

[cliffdodger]

hmm, I didn't realize having a link in your signature was considered advertising... doesn't everybody have one?
Regardless.. your forum, your rules, no problem.

Otherwise I hope you didn't have a problem with any of the information I was providing.  That strategy has worked well for me for several years and I began it with no professional experience.  Now as a professional I still find it to be the most effective means of protection for myself and those willing to take the time to try it.

(Nod32 + Spybot + A squared Anti-trojan + Software firewall with manual outgoing policies)  - great when you really need to keep any data from getting out in the event of a trojan infection.

[evilfantasy]

Protection and removal are two different things. If the malware is already there protection is compromised. We deal with a lot of rootkits recently. Special tools are needed to find and remove them.

People have links to their blogs and a few long standing members are allowed to link to their forums. But no commercial links are allowed in signatures.

[cliffdodger]

If the malware is already there protection is compromised.

Indeed - in what I'm describing Eset is your protection and no other active scanners are used.  Firewall prevents virus/trojan-hacker communication if you get infected.  Spybot and A squared are there for cleanup.  If those don't work it's off to safe mode or registry cleaning software.  Forget what I use for that.

[evilfantasy]

Did you read the 3 other pages and see what we have already done.

[diggerdave]

Here's the info

[attachment deleted by admin]

[evilfantasy]

It's only slow right after the post when it's doing the memory check.

Can you tell me exactly what this means?

Do you mean the computer boots up slow?

[diggerdave]

Previously when I turned on the computer the memory check counter would spin and complete the task in short order. Next the rest of the boot process would be visible and finally it would start the windows process. Now I turn on the computer and no memory check counter just a long wait. After well over a minute it goes to the windows process but no boot play-by-play on the screen.

[evilfantasy]

I'm not sure about that. Try posting inthe Windows forum and I'm sure someone there will have an idea on what to do.

[diggerdave]

Thanks for you help.