Spyware/malware... maybe more problems


gnrtool82

I believe I have serious problems with my computer. My background changed randomly to red text on a black background telling me that my computer has been infected via my IP address and unauthorized access was gained by another computer. IE windows constantly open trying to sell me anti-spyware programs.

The Panda anti-root scan did not find anything after the scan.

Here are the three logs requested. Let me know if you need any more information. Thanks in advance.
 
Delete all files in AVG Antispyware quarantine.

Download and run this Symantec/Norton removal tool.

Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there).

p2pnetworks
e-zshopper
acespy

Close control panel.


Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also...

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:

File::
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\xxyawvw.dll.vir
C:\microbyte.vbs
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\settn.dll
C:\WINDOWS\daxtime.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\dp0.dll
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\hotporn.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\jd2002.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\ie_32.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\764.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\xxxvideo.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\liqui.exe
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\xadbrk.dll
C:\Documents and Settings\T-Bone\trial_setup.exe

Folder::
C:\Documents and Settings\All Users\Application Data\INTERNET SPAM SUPPORT AUDIO
C:\DOCUME~1\T-Bone\APPLIC~1\GPLUPL~1
C:\VundoFix Backups
C:\Program Files\p2pnetworks
C:\Program Files\e-zshopper
C:\WINDOWS\system32\acespy

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6E432B4-D4C2-43B3-BF55-C364F8F7362A}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c5af2622-8c75-4dfb-9693-23ab7686a456}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"=-
"Support audio cool poll"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"secttitle"=-
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\\WINDOWS\\system32\\vvgeowbv.exe
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtst.dll
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secttitle]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Support audio cool poll]


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

This thread is for the use of gnrtool82 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
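A small checker for the CFScript format used in the post above, added here as an example (it is not Howard's code and not part of ComboFix). It assumes only the three section names the script uses and the regedit convention that `[-key]` deletes a key; it checks the "File:: on the first line" rule and lists what the script will touch so it can be reviewed before ComboFix runs it:

```python
"""Sanity-check a ComboFix CFScript.txt before dragging it onto ComboFix.
Added example, not from the thread. It checks the rule the helper stresses
(File:: is the very first line, no blank line above, no leading space) and
splits the script into sections so each path and key can be reviewed first."""
import re

SECTION_RE = re.compile(r"^[A-Za-z]+::$")

# Constructed sample, shortened from the script posted in the thread.
SAMPLE = (
    "File::\n"
    "C:\\WINDOWS\\system32\\ace16win.dll\n"
    "\n"
    "Folder::\n"
    "C:\\qoobox\n"
    "\n"
    "Registry::\n"
    "[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]\n"
    "[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    "\"MSConfig\"=-\n"
)

def parse_cfscript(text):
    """Return (problems, sections): a list of findings and {section: [entries]}."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0] != "File::":
        problems.append("first line must be exactly 'File::' (no blank line above, no leading space)")
    sections, current = {}, None
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            problems.append(f"line {n}: entry before any section header")
        else:
            sections[current].append(line)
    # regedit syntax: [-key] deletes a key, a bare [key] only names the key for the
    # value lines under it. A bare [key] with no value lines deserves a second look.
    entries = sections.get("Registry", [])
    for i, entry in enumerate(entries):
        if entry.startswith("[") and not entry.startswith("[-"):
            following = entries[i + 1] if i + 1 < len(entries) else ""
            if not following.startswith('"'):
                problems.append(f"Registry key without '-' and no values: {entry}")
    return problems, sections
```

Run against the sample it reports the one Browser Helper Objects key that lacks the leading `-`, which is the same pattern as the `{b8875bfe-...}` line in the posted script.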
 
A problem has arisen after using the Norton Removal Tool. I cannot log into my username on Windows. It's there, but when I click on it, it goes to a black screen saying "domain name not available", then returns me to the Windows login, in which I cannot do anything.
 
Boot into Safe Mode and try a System Restore. See if that helps.

If it does, follow the instructions in my post above, without removing Norton.

Regards Howard :)
 
After a couple of restarts it was able to log into Windows, but after a couple of seconds Windows Explorer encountered a problem and had to be shut down, with a Dr Watson Postmortem Debugger message coming up. So, after going into Safe Mode and then restoring, I was able to do the rest. Of course, Norton is still there.

HJT and ComboFix included.
 
The reason I wanted you to uninstall Norton is because you're currently running AVG and Norton, both at the same time. In addition to that, you're also running Norton's firewall as well as the Kerio firewall. This state of affairs is definitely not good and can cause serious conflicts. You should only have one AV and one firewall running.

Try uninstalling Norton from Add/Remove Programmes.


Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there).

viewpoint
viewpoint manager
viewpoint toolbar

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select Stop if they are running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

Viewpoint Manager Service

Close the services window.


Run this Combofix script as before.


Folder::
C:\Program Files\Viewpoint
C:\qoobox
C:\Documents and Settings\All Users\Application Data\Free dent poll internet
C:\Documents and Settings\All Users\Application Data\dateflaweqbody

Post fresh HJT and Combofix logs.

Regards Howard :)

 
All clean.

Delete the following folder.

C:\qoobox

Turn off System Restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

Go HERE, download and install the latest version of Java.

Once it's installed, go to Add/Remove Programmes in your Control Panel and uninstall all previous versions of Java, except version 6 update 3. Close Control Panel.

The only thing you have left to solve is the fact that you're running 2 AVs and 2 firewalls.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 