TechSpot

Trouble with viruses

By jamie967
Nov 5, 2009
  1. Hi, I have performed the 8 steps and attached the logs.
    Please help.

    Before the 8 steps, every time I tried logging into IE it said there was a buffer overrun and shut the browser straight down.
    After the 8 steps it now lets me open some of the programs (games, etc.) that were getting closed down straight away, but I still get the same problem with Internet Explorer.
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot, Jaime. I'll help you sort through the malware.

    I have noticed that you have multiple antivirus programs running.
    Norton/Symantec
    Avast

    You should decide which you want to keep and remove the others for the following reasons:
    • Multiple antivirus programs can cause conflicts that may leave the system more vulnerable.
    • Multiple antivirus programs can also slow down the system.

      Since Symantec/Norton is a paid program and also has a firewall, you might want to keep it IF the subscription is current and if it's the full program, not a trial. Please decide which programs you would like to keep and remove the others. You will find the following removal tools helpful.

      Download the removal tool first and save it to your desktop.
      USE only the removal tool for the program you don't want to keep.
    • Avast Removal
    • Norton Removal Tool

    Note: Security programs are best removed while in Safe Mode.

    • Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Double click on the removal tool and run it. Reboot the computer into Normal Mode when finished and update the AV program. After the uninstall is complete, please run the following:

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

      1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    There are P2P programs running and a great deal of Adware. I'll see all that's installed in the Combofix report.

    Rescan with HijackThis and PASTE THAT log into your next reply. Then I will color code the optional removals and give any other bad entries in the HJT log for removal.

    Okay to attach the Combofix report.
     
  3. jamie967

    jamie967 TS Rookie Topic Starter

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:00:17, on 08/11/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\setup\avast.setup
    C:\Program Files\AGI\common\win32\PythonService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Documents and Settings\All Users\Application Data\Findbasic\findbasic137.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Findbasic\findbasic.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Applications\Tool\AOL Demo\DSGDemo.exe
    C:\Program Files\btbb_wcm\McciTrayApp.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\system32\nwiz.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    R3 - URLSearchHook: AGSearchHook Class - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - C:\Program Files\AGI\common\agcutils.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O3 - Toolbar: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AOL_Demo] C:\Applications\Tool\AOL Demo\DSGDemo.exe
    O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ZPLED] C:\Program Files\Wireless\RF Keyboard\1.0\ZPKBDLED.exe
    O4 - HKLM\..\Run: [KiweeHook] "C:\Program Files\Kiwee Toolbar\2.8.167\kwtbaim.exe"
    O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
    O4 - HKCU\..\Run: [WAB] C:\Documents and Settings\jim\Application Data\Macromedia\Common\2943602419.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Slim Multimedia Keyboard.lnk = C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
     
  4. jamie967

    jamie967 TS Rookie Topic Starter

    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Findbasic Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Findbasic\findbasic137.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
    O23 - Service: Wireless Adapter Configurator - Unknown owner - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe (file missing)
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 11055 bytes
     
  5. jamie967

    jamie967 TS Rookie Topic Starter

    Sorry, when I posted the first half it said it needed to be confirmed by an administrator before it could be posted. What should I do about that?
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Hmm, I'll report that. Please rescan with HijackThis- if you have a problem pasting the log, attach it. I need the entire log.
     
  7. jamie967

    jamie967 TS Rookie Topic Starter

    OK, it's all up there now.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    EDIT:
    Please do the recommended scan in Post #9 BEFORE doing the following.

    Wait for us to review it BEFORE proceeding with what I set up below.
    ------------------------------------------------------------------------------------------------

    Jaime, you need to take some processes off of startup. You have way too much loading on start, then running in the background- the programs can be started manually when you need them.

    Most of the following entries are Adware. Adware is an optional removal, but I recommend that you remove it because:
    Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used. Some types of adware are also spyware and can be classified as privacy-invasive software.

    Adware: is color coded green to make it easier for you to determine the type of entry you are removing.

    Please reopen HijackThis to 'do system scan only'. Check each of the following if present. I have included descriptions with some and grouped entries for the same program together.

    C:\Program Files\Findbasic\findbasic.exe
    C:\Documents and Settings\All Users\Application Data\Findbasic\findbasic137.exe
    O20 - Winlogon Notify: RelevantKnowledge - C:\Program Files\RelevantKnowledge\rlls.dll (file missing)

    P2P or 'file sharing': P2P Warning:
    I notice that you are using BitTorrent. This is a P2P or file sharing program.
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall BitTorrent for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers. Check the following for the optional removal.

    C:\Program Files\DNA\btdna.exe> btdna.exe is the BitTorrent peer-to-peer content distribution network.
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"


    KIWI Adware- Optional Removal:
    C:\Program Files\Kiwee Toolbar\2.8.167\kwtbaim.exe
    R3 - URLSearchHook: AGSearchHook Class - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - C:\Program Files\AGI\common\agcutils.dll
    O2 - BHO: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
    O3 - Toolbar: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar\2.8.167\KiweeIEToolbar.dll
    O4 - HKLM\..\Run: [KiweeHook] "C:\Program Files\Kiwee Toolbar\2.8.167\kwtbaim.exe"
    O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

    Read the KIWI EULA to better understand: http://www.spywareguide.com/product_show.php?id=2518

    You have the Ask Toolbar installed. I would recommend you uninstall it; decide after taking a look at this article:
    http://www.benedelman.org/spyware/ask-toolbars/ AskBar is considered Foistware. It's not spyware or a virus, but it is installed without your permission along with some other non-related program.

    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll


    EzThemes AdWare: a Conduit "Community Toolbar" - modifies the default IE URL search hook. Conduit toolbars are reputed to have a certain trackware functionality.

    O2 - BHO: Ez Themes Toolbar - {2e736c18-1da3-4482-a3ad-c0d490e48204} - C:\Program Files\Ez_Themes\tbEz_1.dll (file missing)
    O3 - Toolbar: Ez Themes Toolbar - {2e736c18-1da3-4482-a3ad-c0d490e48204} - C:\Program Files\Ez_Themes\tbEz_1.dll (file missing)



    O4 - HKLM\..\Run: [AOL_Demo] C:\Applications\Tool\AOL Demo\DSGDemo.exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [Kqexuden] rundll32.exe "C:\WINDOWS\iheyeyog.dll",Startup
    O4 - HKCU\..\Run: [WAB] C:\Documents and Settings\jim\Application Data\Macromedia\Common\2943602419.exe
    O4 - Startup: mhbupd32.exe


    Close all Windows except HijackThis and click on "Fix Checked."

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    For any Program Files you stopped in HJT and want to uninstall:
    Control Panel> Add/Remove Programs> Uninstall each here.
    Findbasic
    RelevantKnowledge
    DNA (BitTorrent)
    Kiwee Toolbar\
    AskBarDis\
    Ez_Themes\
    LogMeIn


    For those same program files:
    Right click on Start> Explore> Local Drive (C)> Programs> for each of the programs you uninstalled find the program folder and do a right click> delete on each.
    Findbasic
    RelevantKnowledge
    DNA (BitTorrent)
    Kiwee Toolbar\
    AskBarDis\
    Ez_Themes\
    LogMeIn


    Then using Windows Explorer as above, but going to Windows for file deletions:
    C:\WINDOWS\iheyeyog.dll

    So you have optional removals in adware, spyware and foistware, and I recommend you remove them all.

    Rescan with HijackThis and post new log. I have more for you to do, but this reply is long enough for now.
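The rules Bobbye applies to the log above (an autostart that points into a user profile folder, a DLL loaded by rundll32 straight out of C:\WINDOWS under a random-looking name, entries whose file is missing, a service with no publisher) can be written down and run over a log mechanically. The following is an added example, not part of this thread and not HijackThis code: a small Python triage that applies those rules to a constructed sample made of lines copied from the log posted earlier. The severity labels and the "random-looking name" threshold are the example's own assumptions.

```python
import re

# Constructed sample input: a subset of entries in HijackThis log format,
# copied from the log posted earlier in this thread, so the triage runs offline.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Ez Themes Toolbar - {2e736c18-1da3-4482-a3ad-c0d490e48204} - C:\Program Files\Ez_Themes\tbEz_1.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Kqexuden] rundll32.exe "C:\WINDOWS\iheyeyog.dll",Startup
O4 - HKCU\..\Run: [WAB] C:\Documents and Settings\jim\Application Data\Macromedia\Common\2943602419.exe
O4 - Startup: mhbupd32.exe
O20 - Winlogon Notify: RelevantKnowledge - C:\Program Files\RelevantKnowledge\rlls.dll (file missing)
O23 - Service: Findbasic Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\Findbasic\findbasic137.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O4 - <rest>": the HJT section tag, then the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# First Windows path in the body that ends in an executable, DLL or driver extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|,\n]*?\.(?:exe|dll|sys|scr)\b', re.IGNORECASE)

WINDIR = "c:\\windows\\"
SYSTEM32 = "c:\\windows\\system32\\"
# Locations an ordinary user (or malware running as that user) can write to.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


def looks_random(path: str) -> bool:
    """Eight or more lowercase letters, or an all-digit stem: the naming pattern
    of dropped files such as iheyeyog.dll or 2943602419.exe (assumed threshold)."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return stem.isdigit() or (len(stem) >= 8 and stem.isalpha() and stem == stem.lower())


def triage(log_text: str) -> list:
    """Return (severity, reason, line) for every entry that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        body_lc = body.lower()
        pm = PATH_RE.search(body)
        path = pm.group(0).lower() if pm else None

        if "(file missing)" in body_lc or "(no file)" in body_lc:
            findings.append(("low", "orphaned entry, target no longer on disk", raw))
        elif kind == "O4" and path is None:
            findings.append(("medium", "autostart with no path, locate the file before deciding", raw))
        elif path is None:
            continue
        elif any(d in path for d in USER_WRITABLE):
            findings.append(("high", "runs from a user-writable profile directory", raw))
        elif path.startswith(WINDIR) and not path.startswith(SYSTEM32) and (
            "rundll32" in body_lc or looks_random(path)
        ):
            findings.append(("high", "file dropped directly in the Windows directory, random-looking name", raw))
        elif kind == "O23" and "unknown owner" in body_lc and "\\program files\\" not in path:
            findings.append(("medium", "service with no publisher outside Program Files", raw))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run as-is it prints seven findings: the three orphaned entries as low, the bare `mhbupd32.exe` startup as medium, and the `iheyeyog.dll`, `2943602419.exe` and `findbasic137.exe` entries as high, while the Java updater and the NVIDIA service are left alone. The rules only rank entries for a human; an entry that scores high still needs the file looked at before anything is deleted.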
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do this BEFORE following directions in Post #8. Wait for us to review before proceeding.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      *atapi.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  10. jamie967

    jamie967 TS Rookie Topic Starter

    OK, here's the SystemLook log.
     

    Attached Files:

  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thanks Jaime. That looks good. A couple more scans: if these are clean, then you can proceed with the instructions previously set up. Please wait until I see these logs.

    Please go to http://virusscan.jotti.org/en to upload a suspicious file for analysis.
    • Copy the following file and paste it in the Submit box:

      C:\WINDOWS\system32\drivers\atapi.sys
    • Click on Submit.
    • Wait for the scan. Paste the results in your next reply.

    Please download GMER HERE and save it to your desktop.
    • Double click set up to run gmer.exe
    • Select Rootkit tab
    • Click the "Scan" button.
    • Save the log and include in next reply.
    Warning ! Please, do not select the "Show all" checkbox during the scan.

    The screenshot HERE will show you how the display will come up.
    Please copy the scan result using Copy button> paste to Notepad and attach here.
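The two checks set up here and in post #9 (list every copy of atapi.sys on the disk, then have the suspicious one scanned) can be reproduced offline. The following is an added example, not SystemLook, Jotti or anything posted in this thread: it walks a directory tree for every copy of a named driver, hashes each copy, and reports the copy whose hash disagrees with the others, which is the one to submit to a multi-engine scanner. The directory tree it scans is a constructed stand-in built in a temporary folder, and the file contents are made up; nothing here reads a real Windows installation.

```python
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: str, name: str) -> dict:
    """Every file called `name` under `root` (case-insensitive, the same idea as
    SystemLook's :filefind), mapped to its SHA-256."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                full = os.path.join(dirpath, f)
                found[full] = sha256_of(full)
    return found


def same_size(copies: dict) -> bool:
    """True when every copy has the same length. A size match on its own proves
    nothing, which is why the hashes are compared."""
    return len({os.path.getsize(p) for p in copies}) <= 1


def outliers(copies: dict) -> list:
    """Paths whose hash differs from the most common hash among the copies.
    On an unmodified XP install the live driver in system32/drivers, the
    dllcache copy and the ServicePackFiles copy are byte-identical, so a lone
    differing copy is the one to upload for scanning."""
    if not copies:
        return []
    majority, _count = Counter(copies.values()).most_common(1)[0]
    return sorted(p for p, h in copies.items() if h != majority)


def build_demo_tree() -> str:
    """Constructed stand-in for the Windows directory: three copies of
    atapi.sys, the live one patched in place so its size is unchanged but its
    hash is not. The bytes are invented for the example."""
    root = tempfile.mkdtemp(prefix="windemo_")
    genuine = b"MZ" + b"\x00" * 62 + b"constructed stand-in for the genuine driver body"
    patched = genuine[:-8] + b"PATCHED!"  # same length, different bytes
    layout = {
        "system32/drivers/atapi.sys": patched,
        "system32/dllcache/atapi.sys": genuine,
        "ServicePackFiles/i386/atapi.sys": genuine,
    }
    for rel, data in layout.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    copies = find_copies(root, "atapi.sys")
    for p, digest in sorted(copies.items()):
        print(f"{digest[:16]}  {os.path.getsize(p):5d}  {p}")
    print("same size:", same_size(copies))
    print("differs from the other copies:", outliers(copies))
```

Against a real machine you would point `find_copies` at the Windows directory instead of the demo tree; the majority-vote rule assumes at least two untouched copies exist, so with only one copy on disk you are back to comparing its hash against a known-good value from the vendor or a scanner.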
     
  12. jamie967

    jamie967 TS Rookie Topic Starter

    Filename: a0u20og3.sys
    Status:
    Scan finished. 0 out of 21 scanners reported malware.
    Scan taken on: Tue 10 Nov 2009 17:37:22 (CET)
     

    Attached Files:

  13. jamie967

    jamie967 TS Rookie Topic Starter

    Is it OK to continue with what's in post #8 now, Bobbye?
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I would highly agree with uninstalling any programs you do not want in Add/Remove Programs,
    especially since the ones listed by Bobbye all start with Windows.
    Did you want any of those programs listed?
    I went through my program list the other day and I must have uninstalled at least 15 things just taking up room.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes, Jamie, go ahead with original directions in Post #8.

    When you have finished with that, follow with deleting contents of Recycler Folder as follows:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Using Windows Explorer: Do a right click on Start> Explore> click on Tools> Folder Options> View tab> CHECK 'show hidden files and folders'> UNCHECK 'hide protected operating system files' (Recommended)> Apply> OK.

    Scroll down to RECYCLER and click on the + sign to expand (this is NOT the Recycle Bin)> The contents will open on the right screen> do a right click> delete on each file with this SID:
    S-1-5-21-330564415-2671475969-752554860-1006

    You don't delete the folder itself, just the files in it. This is where the files you have deleted go. This never made much sense to me but that's the way it is. The Recycler Folder contains files for ALL users, which is why you use the SID to delete.

    When you have finished, go back the hide the files and folders and protected files again.

    Sorry, I haven't felt well and am trying to catch up. If you have any questions, don't hesitate to ask. When you have finished, I'll instruct you in removing the cleaning tools and setting new restore points.
     
  16. jamie967

    jamie967 TS Rookie Topic Starter

    OK, hope you get better soon. Here's the new HJT log from step 8.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Looking much better Jamie! I missed one Adware entry- it hid itself in the Services and I missed it!

    You can try doing this in Normal Mode. If there is any problem, just boot into Safe Mode and do it:

    Click on start> Run> type in services.msc> double-click on findbasic137> change Startup type to Disabled> Stop the Service.

    While you're in Services, look also for either of the following. If you find them, handle them the same as Findbasic. Close Services.

    To Delete the Service: Start> Run> cmd> OK> type sc delete findbasic137> Reboot the system.

    If you found either of the Services below, do the same removal Command for each.
    SEEKSERVICE139
    ZWANGI.EXE

    Please run online scan to make sure nothing is lurking:

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Attach log to next reply. If it's clean, proceed with the following to remove the cleanup tools and set new restore point:
    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.


    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    If you have any questions, let me know.

    Edit to add: Update Adobe:
    • Visit this site [Adobe Reader] and get the most current update. Uninstall any earlier updates as they are vulnerabilities.
     
  18. jamie967

    jamie967 TS Rookie Topic Starter

    Here's the ESET log.
     

    Attached Files:

    • log.txt (2.8 KB)
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files
      C:\WINDOWS\Installer\2d6ce06.msi	
      C:\WINDOWS\Installer\2d6ce10.msi	
      C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Common\2943602419.exe
      C:\Documents and Settings\jim\Application Data\Macromedia\Common\2943602419.exe		
      C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\2943602419.exe
      C:\Program Files\Plus!\Themes\homernbart.exe
      C:\Program Files\Windows Live\Messenger\riched20.dll
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
     
  20. jamie967

    jamie967 TS Rookie Topic Starter

    Hi, I tried clicking on the link but it keeps saying server not found.
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

  22. jamie967

    jamie967 TS Rookie Topic Starter

    OK, here's that log.
     

    Attached Files:

  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good job! Here is some information for you. Pay attention because this is an area you need to take better care of:

    User: jim account:
    ->Temp folder emptied: 683462295 bytes= 651.8 MB
    ->Temporary Internet Files folder emptied: 12674991 bytes= 12.08 MB
    ->Java cache emptied: 13689556 bytes= 13.0 MB
    ->FireFox cache emptied: 6933556 bytes= .068 MB
    ->Google Chrome cache emptied: 9144882 bytes= 9.8 MB

    Total for Jim: 686.7 MB
    Total Files Cleaned = 711.18 MB

    Do regular disc cleanups, defrags, delete temporary internet files and Cookies, etc. on a regular basis.

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Empty the Recycle Bin

    Then update and run the Eset scan again to make sure everything found was removed. IF it is clean and if the original problem was resolved and you have no new problems, repeat the cleaning instructions for OTMoveIt and resetting the restore points.
     
  24. jamie967

    jamie967 TS Rookie Topic Starter

    Linked the last ESET scan log I did, as it doesn't look like I'm clean yet.
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Jaime, why did you do the Eset scan? I think you might have the wrong idea about the purpose of an online scan.

    The main antivirus program is what handles viruses, worms, Trojans, etc. on a daily basis. The purpose of an online scan is to find if there is malware that is hidden or not being found by that AV program. You are misusing Eset, as shown by the long string of scans in the log.

    We handled this entry earlier on. I told you it was adware and suggested you remove it, giving instructions for the removal:

    C:\Program Files\Findbasic\findbasic.exe
    C:\Documents and Settings\All Users\Application Data\Findbasic\findbasic137.exe
    O20 - Winlogon Notify: RelevantKnowledge - C:\Program Files\RelevantKnowledge\rlls.dll (file missing)


    If you did not follow through, you have that same choice again.

    The other entries are the ones that were moved using OTMoveIt.

    If you are having malware problems again, then you need to go back to the beginning and start over with the original scans.
     
Topic Status:
Not open for further replies.
