TechSpot

Virus/spyware please help

By wolfblitz
Nov 12, 2008
  1. Hi, I seem to have picked up a virus/spyware which is redirecting me to unwanted web pages... I have tried your 8-step procedure without success, as I cannot download or open anything. I already have Malwarebytes and Spybot installed but cannot open either. My anti-virus program is Kaspersky.

    Thanks

    Managed to get HJT to run; here is the log. Thanks

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:13:12, on 12/11/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 4771 bytes
     
  2. rf6647

    rf6647 TS Maniac Posts: 931

    Try a few tricks to get through,

    HJT showed 2 processes for
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    This could foul things up. Disconnect from internet. Disable if unable to justify the 2 processes.

    Drop to safe mode & try MBAM, SAS, SpyBot

    RIES may give an opening: http://www.techspot.com/vb/post680361-2.html

    I'll be out the door shortly. Sorry to leave you hanging. Attachments signal you are following the 8-step guide.
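The two observations helpers make on the log above (a process listed twice, a service whose binary is gone, and the O17 NameServer entries that decide where DNS lookups go) can be pulled out mechanically. The script below is an added example, not a tool from the thread or from Trend Micro; it parses an excerpt constructed from the posted log, and the set of "expected" DNS resolvers it compares against is an assumption (in practice you would use the addresses the user's router or ISP actually hands out).

```python
import re
from collections import Counter

# Constructed excerpt modelled on the HijackThis log posted above; it is not the
# full log, and the line layout is the only thing this parser relies on.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:12, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
"""

# HJT entry lines look like "O23 - Service: ..." or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")

# Several svchost.exe instances are normal on XP, so repeats of it are not interesting.
NORMALLY_REPEATED = ("\\svchost.exe",)


def parse_hjt(text):
    """Split a HijackThis log into (running process paths, [(kind, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process block
                in_procs = False
                continue
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def duplicate_processes(processes):
    """Image paths listed more than once, ignoring ones that normally repeat."""
    counts = Counter(p.lower() for p in processes)
    return {p: n for p, n in counts.items()
            if n > 1 and not p.endswith(NORMALLY_REPEATED)}


def missing_service_files(entries):
    """O23 services whose binary HJT could not find on disk."""
    return [body for kind, body in entries
            if kind == "O23" and body.endswith("(file missing)")]


def nameservers(entries):
    """Every resolver address named in an O17 entry."""
    found = set()
    for kind, body in entries:
        if kind != "O17":
            continue
        m = NAMESERVER_RE.search(body)
        if m:
            found.update(ip for ip in m.group(1).split(",") if ip)
    return found


def unexpected_nameservers(entries, expected):
    """Resolvers that are not in the set the user is known to have configured."""
    return sorted(nameservers(entries) - set(expected))


def triage(text, expected_dns):
    """Summarise the things a helper checks first in a posted HJT log."""
    processes, entries = parse_hjt(text)
    return {
        "duplicate_processes": duplicate_processes(processes),
        "missing_service_files": missing_service_files(entries),
        "unexpected_nameservers": unexpected_nameservers(entries, expected_dns),
    }


if __name__ == "__main__":
    # Assumed for the demo: the two addresses in the log are the ISP's own resolvers.
    for key, value in triage(SAMPLE_LOG, {"62.24.218.50", "62.24.218.51"}).items():
        print(f"{key}: {value}")
```

Run against the excerpt it reports the doubled avp.exe, the orphaned KService entry, and no unexpected resolvers; hand it the router address as the expected set instead and both 62.24.218.x addresses come back for a human to verify, which is the check that matters when the symptom is redirection.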
     
  3. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi Wolf

    Welcome aboard!

    I watch you on the news!:D

    OK, I have seen a few of these in the last few days! Some programs run, like HJT, others won't; some programs can be downloaded, others cannot!

    HJT is clean, but run it (Scan only) and remove the below (no real issue):

    O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)

    We need MalwareBytes and SAS run, so as soon as something breaks loose to allow this, run them and get the log files back to us.

    I am trying something else with you, as it has not been too successful with the others.

    Boot to Safe Mode with networking connect back here to do the below.

    Only if you have issues connecting in Safe Mode networking then do it in normal mode.

    Open the attachment xfr.zip. Extract it to the Desktop. It will extract to a folder named "Repair" .

    Dbl click the Repair folder.

    1. run the hst.bat (this defaults the hosts file)
    2. rt click the deldomains.inf then on menu "Install"
    3. dbl click the ResetProtocolDefaults.reg accept all prompts
    4. run the cleenup2.bat

    Now try the MWBAM and SAS

    If they run post the logs.

    If either found and fixed anything, then before rebooting run that program again until it comes up clean or finds something it cannot fix. Post the logs again, including HJT.

    Let me know!

    Mike

    EDIT: Do the below if it will download and run while in safe mode networking.

    D/L Xclean_Micro

    http://www.xblock.com/download/xclean_micro.exe

    No install, just run it; delete all it finds, decline to reboot on each item found until the program finishes, then reboot.

    Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

    If it finds anything, reboot and run it again.

    Mike
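Step 1 of the repair above resets the hosts file, because a hijacked hosts file is one of the simplest ways malware keeps a machine from reaching security vendors or sends browsing elsewhere. The following is an added example, not the contents of the hst.bat from the attachment (which the thread does not show): it parses a constructed hosts file, flags every mapping other than the default localhost line, and rebuilds the file the way a reset does. The sample entries and the documentation address 203.0.113.10 are made up for the demo.

```python
import ipaddress

# Constructed hosts file for the demo. The first mapping is what a default Windows XP
# hosts file contains; the next two model the kind of entry a redirecting infection
# adds (203.0.113.10 is a documentation address, not a real server).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org   # vendor site blackholed so the tool cannot be fetched
203.0.113.10    www.google.co.uk       # searches sent to an attacker-chosen host
"""

# Assumption: a reset leaves only the loopback mapping, as on a stock XP install.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"


def parse_hosts(text):
    """Return [(line_number, ip_address, hostname), ...], one tuple per name."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a real tool would report it rather than skip it
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def suspicious_entries(entries):
    """Every mapping that is not the default localhost line, with the reason it matters."""
    flagged = []
    for lineno, addr, name in entries:
        if name == "localhost":
            continue
        if addr.is_loopback:
            flagged.append((lineno, name, "blackholed to loopback"))
        else:
            flagged.append((lineno, name, f"redirected to {addr}"))
    return flagged


def cleaned_hosts(text):
    """Rebuild the file keeping only the localhost mapping, as a hosts reset does."""
    kept = [f"{addr}\t{name}" for _, addr, name in parse_hosts(text)
            if name == "localhost"]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, name, reason in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {lineno}: {name} {reason}")
    print("--- reset file ---")
    print(cleaned_hosts(SAMPLE_HOSTS), end="")
```

One caveat when reading the output: ad-blocking hosts lists (HostsMan, recommended later in this thread, installs one) also map thousands of names to 127.0.0.1, so a loopback entry is not proof of infection on its own. The useful signal is a security vendor's site, or a site the user visits, mapped anywhere when no such list was deliberately installed.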
     
  4. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi rf6647

    I just saw your post. I was composing offline.

    Mike
     
  5. wolfblitz

    wolfblitz TS Enthusiast Topic Starter Posts: 111

    Hi rf6647, thanks for your reply. I did as you suggested and it made no difference.

    ---------------------------------------------------------------------------------------------------------------------------------------

    Hi mflynn, thanks for your reply. I did as you suggested also, with some result; I still can't download SAS or open MWBAM or SPYBOT, but I've got some logs for you if they help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:40:36, on 12/11/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 4207 bytes
     
  6. mflynn

    mflynn TS Rookie Posts: 2,793

    Deleted: posted to wrong thread by me by mistake!
     
  7. mflynn

    mflynn TS Rookie Posts: 2,793

    Wolf

    Were you able to download and run Xclean.

    If so what was the results?

    Mike
     
  8. wolfblitz

    wolfblitz TS Enthusiast Topic Starter Posts: 111

    Hi mflynn
    Thanks for your reply. Yes, I ran Xclean but can't find a log; does it make one? It made no difference anyway, it's still the same.
     
  9. rf6647

    rf6647 TS Maniac Posts: 931

    Mflynn recommends msconfig / selective startup & renaming the ‘exe’ file for mbam & sas. If using shortcuts, rename these also. mwb & sas were suggested.

    Here is the message containing the instructions. Upper right corner shows the full thread.

    This effort is directed at taking away some of the malware protecting the real nasty.

    My sense of timing is lousy. It's past my bedtime.

    [edit]
    Please use attachments to include files.

    Here is a link to obtain a massive text file identifying new files during the past 30 days. It does not clean anything. It merely gives up names.
    oldtimer listing program
     
  10. wolfblitz

    wolfblitz TS Enthusiast Topic Starter Posts: 111

     
  11. mflynn

    mflynn TS Rookie Posts: 2,793

    Hi Wolf

    Thanks rf6647

    Yes that was what I was doing (clean boot) as we were trying to get a handle on it, but later found out it was not necessary.

    XClean has no log so no problem

    All you need to do is rename SuperAntiSpyware to say SAS.exe and mbam.exe to mwbam.exe.

    So My Computer to \Program Files\SuperAntiSpyware find and rename as above and run from there by dbl clicking. Then do the same for MalwareBytes.

    After loading but before clicking Scan do the below config changes

    SuperAntispyware config

    UPDATE!

    Then

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure the following are checked:
    1. Close browsers before scanning
    2. Scan for tracking cookies
    3. Terminate memory threats before quarantining.
    4. Leave the others as they are.

    In MalwareBytes after update but before running
    Click settings and confirm all are Checked.

    I repeat Update these 2 programs.

    Run them and post their logs then a new HJT log HJT always last.

    After attaching logs from above run both programs again to confirm they find nothing else and attach new logs for this run!

    Do this correctly and we will make a short job of this!

    Mike
     
     
  12. wolfblitz

    wolfblitz TS Enthusiast Topic Starter Posts: 111

    Hi mflynn

    Thanks for your help and advice it's much appreciated

    Renaming MalwareBytes did the trick. I was able to open and run it and it found at least a dozen nasties... I also downloaded and ran SAS and am attaching the logs now.
     
  13. mflynn

    mflynn TS Rookie Posts: 2,793

    Looks good

    Good job!

    Run MWBAM again and again until clean or it finds something it can not clean.

    After then attach another HJT log!

    Mike
     
  14. rf6647

    rf6647 TS Maniac Posts: 931

    MBAM needs update to 1.30

    Malwarebytes' Anti-Malware 1.29 Database version: 1282 13/11/2008 13:15:23
     
  15. mflynn

    mflynn TS Rookie Posts: 2,793

    10-4 to that!

    Wolf, always update this and SAS; these things can have updates less than an hour apart.

    Thanks Rich I missed that again!

    Mike
     
  16. wolfblitz

    wolfblitz TS Enthusiast Topic Starter Posts: 111

    hi mflynn thanks for your reply and advice

    I ran Malwarebytes a few times until it found nothing; log attached.

    thanks again for all your help
     
  17. mflynn

    mflynn TS Rookie Posts: 2,793

    OK but you were supposed to post logs of each run.

    But anyway, do the same for SAS, but post each log for each run before the next run.

    After the last run a HJT log please!

    Mike
     
  18. wolfblitz

    wolfblitz TS Enthusiast Topic Starter Posts: 111

    Hi mflynn thanks for your reply
    Sorry about the logs, but it wasn't clear that I had to post after every run.
    Here is the log for the SAS run
     
  19. mflynn

    mflynn TS Rookie Posts: 2,793

    Post a HJT log we may be finished.

    How is computer running?

    Mike
     
  20. wolfblitz

    wolfblitz TS Enthusiast Topic Starter Posts: 111

    Hi mflynn thanks for your reply and advice

    Something weird happened when I tried to run HJT. When I clicked on the desktop icon to get to HJT, my PC couldn't find it right away and informed me that the shortcut had been altered in some way so that it didn't go to HJT... I didn't rename this earlier; does it mean anything to you? ... I've never encountered this before.

    My pc is running great as good as ever
     
  21. mflynn

    mflynn TS Rookie Posts: 2,793

    Hmmm

    Don't know, but HJT has been renamed crusty.exe. Perhaps your shortcut was pointing to HijackThis.exe.

    If nothing more, then forget it.

    In Finishing up...

    Every 2 weeks or so run mbam and sas until clean. If they find something they can not clean then get back to us.

    Additionally run CCleaner.

    I have been using ThreatFire for more than a year it just went from ver 3 to ver 4.

    It was designed to co-exist with other Virus scanners.

    Additionally, it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works by recognizing virus/malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

    http://www.threatfire.com/Download/

    Look at http://www.javacoolsoftware.com/spywareblaster.html

    Run SpyBot occasionally and use the Immunize function.

    HostsMan http://www.abelhadigital.com/2008/07/hostsman-3157-released.html

    Mike
     
  22. wolfblitz

    wolfblitz TS Enthusiast Topic Starter Posts: 111

    Hi mflynn thanks for your reply

    I already have spyware blaster but will take a look at threatfire

    Many thanks again for all your help and advice it's much appreciated thank you
     