TechSpot

HJT Log view please

By EricSalvi
Jan 29, 2007
  1. Hi guys, I usually am really good at keeping up my virus stuff and always check, but right now I got something and don't know how I got it. You guys are good at what you do and I have no doubt you can help me out.

    Here is a HJT log.

    Also one main thing I have noticed different is a red shield with an x in it at my lower right window on the taskbar. Keep on saying "your computer is infected!!!" click yes to download a program or no to quit.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Your system has at least one infection and possibly more.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :wave: :wave:

    This thread is for the use of EricSalvi only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. EricSalvi

    EricSalvi TS Rookie Topic Starter Posts: 19

    WOW that was long. Thanks for the reply, I know my first post was vague but I read the forum guidelines after posting it and it was too late and had to get some sleep.

    Well I did what you told me to do.. here are the log files. Also adding the smitfraudfix log file as well.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The Smitfraud.txt you attached is only the Smitfraudfix instructions lol.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

    O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\WINDOWS\System32\shdocvw.dll (HKCU)

    O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\WINDOWS\System32\shdocvw.dll (HKCU)

    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab

    Click on the fix checked button.

    Close HJT and reboot your system. Other than the above, your HJT log is clean.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and the nasties that are in them. It will also have created a new, clean restore point.

    Let me know if you`re still having any problems.

    Regards Howard :)

     
  5. EricSalvi

    EricSalvi TS Rookie Topic Starter Posts: 19

    Ok sorry bout that file, LOL Thought it was that log file.

    Ok a couple of things, one I did the HJT fix and worked fine haven't had a chance to do the system restore because I ran into a problem.

    I got an Application Error for services.exe. Then a window pops up and says system is shutting down so please save work. It is the system process for windows/system32/services.exe. What do I do?

    Also in msconfig startup what is dumprep 0 -U? Also I turned off ctpmon before, should I turn it back on? I keep on getting this app error and so I need to send now before it restarts...

    Oh here is that file by the way, just did it again, and has some viruses on it still???
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is infected with a rootkit.

    Go HERE and follow the instructions.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log. Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

    Post the Combofix log as well as the Blacklight results and let me know the results of the Rustock scan.

    Regards Howard :)

     
  7. EricSalvi

    EricSalvi TS Rookie Topic Starter Posts: 19

    Ok let's see where to begin. I did everything you told me about that rootkit so I am going to post the new HJT log, and the Combofix.txt file.

    Rustock and blacklight both came up with nothing... well actually rustock told me about that rootkit, and on reboot it froze and had to shut down computer, so on restart it said couldn't find 'file' to delete. So figured that was all set.

    Something new

    Earlier a couple posts/replies back, I said that I was getting an error with services.exe, well I still am, so I decided to check at msconfig/startup section to see if there was something that I did by accident, and at the general tab at msconfig it says selective startup and that was checked, but I thought I didn't have that before so went back to normal startup and didn't realize it would let all the stuff I had disabled before come back, including ctpmon. Now is ctpmon a virus??? I disabled it before my very first HJT log file so it wasn't in there but now it is because it's back. So here is a HJT log file with all startups on.

    atualyspy2.8 is also being found from aol search program that came back when I turned all the startups back on.

    And how do I get rid of completely the startup files in msconfig after I disable them?
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your rootkit appears to have gone.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    SpyEraser

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    SpyEraser.exe
    ctpmon.exe < "System Registry Cleaner", stealth installed foistware from sysregistry.com

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m

    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG

    O4 - HKCU\..\Run: [ctpmon] ctpmon.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).


    C:\Program Files\Uniblue\SpyEraser < Delete the entire folder.

    ctpmon.exe < Search your system for this file and delete all instances found.

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log and let me know if you`re still having any problems.

    Regards Howard :)

     
  9. EricSalvi

    EricSalvi TS Rookie Topic Starter Posts: 19

    Ok I tried doing what you said. I uninstalled spyeraser and then did HJT in safemode as well and got rid of only ctpmon and eng, the other wasn't there, and then went to do a search but the search window wouldn't open up so I had to do the search in normal view. Found one thing so far and deleted it.

    Did a HJT and those 2 are back in there. Why is that?

    Also is the L:/eng file the thing that opens up the system32 window every time on reboot? Here is a newer HJT log file.

    I also want to say thank you for all your help.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    ctpmon.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG

    O4 - HKCU\..\Run: [ctpmon] ctpmon.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories(if there).

    ctpmon.exe < Search your system for this file and delete all instances found. If you can`t delete the file, please give me the full filepath to the file.

    Reboot your computer and post a fresh HJT log.

    Regards Howard :)

     
  11. EricSalvi

    EricSalvi TS Rookie Topic Starter Posts: 19

    Just did everything you said, and still there!

    The search didn't find any ctpmon.exe instances either.

    here is a newer hjt log file
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt into your reply.

    when it reboots and post a fresh HJT log.

    Regards Howard :)

     
  13. EricSalvi

    EricSalvi TS Rookie Topic Starter Posts: 19

    Avenger.txt content

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\syaqovpd

    *******************

    Script file located at: \??\C:\tauookqe.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:



    File C:\Windows\System32\ctpmon.exe not found!
    Deletion of file C:\Windows\System32\ctpmon.exe failed!

    Could not process line:
    C:\Windows\System32\ctpmon.exe
    Status: 0xc0000034


    Completed script processing.

    *******************

    Finished! Terminate.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, go HERE and follow the instructions for removing the ctpmon.exe file.

    Post a fresh HJT log after doing the above.

    Regards Howard :)

     
  15. EricSalvi

    EricSalvi TS Rookie Topic Starter Posts: 19

    Here are the 2 log files. Seems to me that it is gone. Thanks. Does the HJT log seem normal now? Also msconfig startup, is that a good place to turn off startup files?
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix this entry.

    O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG

    Reboot your system. That should stop you from getting the L:/eng file from opening up the system32 folder on reboot?

    Other than that, your HJT log is clean.

    Yes, msconfig`s startup tab is a good place to prevent stuff starting with Windows.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
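
A small triage pass over the kind of HijackThis entries quoted in this thread, as an added example (not part of the thread and not HijackThis code). It flags entries marked "(file missing)" and O4 Run values whose command has no executable or only a bare file name, the two shapes that kept reappearing above; the function names and note wording are assumptions of this sketch.

```python
import re

# HijackThis entries quoted in the thread, embedded as sample input.
SAMPLE = r'''
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
'''.strip().splitlines()

ENTRY = re.compile(r'^(?P<sec>[A-Z]\d+) - (?P<body>.+)$')
RUN = re.compile(r'^\S+: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
ROOTED = re.compile(r'^([A-Za-z]:\\|\\\\|%)')  # drive path, UNC path or %VAR%

def program_of(cmd):
    """Return the program part of a command line, honouring double quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(' ', 1)[0]

def triage(line):
    """Return (section, notes) for one log line, or None if it is not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body, notes = m['sec'], m['body'], []
    if body.endswith('(file missing)'):
        notes.append('target file missing')
    if sec == 'R1' and 'ProxyServer' in body and '=' in body:
        notes.append('proxy value: ' + body.split('=', 1)[1].strip())
    run = RUN.match(body) if sec == 'O4' else None
    if run:
        prog = program_of(run['cmd'])
        if not prog or prog[0] in '/-':
            notes.append('no executable, arguments only')
        elif not ROOTED.match(prog):
            notes.append('bare file name, no path recorded')
    return sec, notes

def flagged(lines):
    """Keep only the entries that earned at least one note."""
    return [(l, t[1]) for l in lines if (t := triage(l)) and t[1]]

if __name__ == '__main__':
    for line, notes in flagged(SAMPLE):
        print('; '.join(notes), '<-', line)
```

A note is only a prompt for a closer look at that entry, not a verdict on whether it is malicious.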
