Virus/spyware please help

Status
Not open for further replies.

wolfblitz

Hi, I seem to have picked up a virus/spyware which is redirecting me to unwanted web pages... I have tried your 8 step procedure without success as I cannot download or open anything. I already have Malwarebytes and Spybot installed but cannot open either. My anti-virus prog is Kaspersky.

Thanks

Managed to get HJT to run, here is the log. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:12, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4771 bytes
 
Try a few tricks to get through,

HJT showed 2 processes for
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
This could foul things up. Disconnect from internet. Disable if unable to justify the 2 processes.

Drop to safe mode & try MBAM, SAS, SpyBot

RIES may give an opening: https://www.techspot.com/vb/post680361-2.html

I'll be out the door shortly. Sorry to leave you hanging. Attachments signal you are following the 8-step guide.
 
Hi Wolf

Welcome aboard!

I watch you on the news!:D

OK, I have seen a few of these in the last few days! Some programs run, like HJT, others won't; some programs can be downloaded, others can not!

HJT is clean, but run it Scan only and remove the below (no real issue)

O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)

We need MalwareBytes and SAS run, so as soon as something breaks loose to allow this, run them and get the log files back to us.

I am trying something else with you as it has not been too successful with the others.

Boot to Safe Mode with networking connect back here to do the below.

Only if you have issues connecting in Safe Mode networking then do it in normal mode.

Open the attachment xfr.zip. Extract it to the Desktop. It will extract to a folder named "Repair" .

Dbl click the Repair folder.

1. run the hst.bat (this defaults the hosts file)
2. rt click the deldomains.inf, then on the menu "Install"
3. dbl click the ResetProtocolDefaults.reg, accept all prompts
4. run the cleenup2.bat

Now try the MWBAM and SAS

If they run post the logs.

If either found and fixed anything then before rebooting run that program again until it comes up clean or finds something it can not fix. Post the logs again including HJT.

Let me know!

Mike

EDIT: Do the below if it will download and run while in safe mode networking.

D/L Xclean_Micro

http://www.xblock.com/download/xclean_micro.exe

No install, just run it, delete all it finds, decline to reboot on each item found until the program finishes, then reboot.

Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

If it finds anything reboot run it again.

Mike
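An added example, not from the thread or from any tool named in it: a small Python parser for the HijackThis log format posted above that pulls out the items the helpers pointed at, a process image running twice (the two avp.exe lines), O23 services whose binary is missing (KService), and O17 NameServer entries to confirm against the ISP. The sample log is constructed from lines like the ones in the thread.

```python
import re
from collections import Counter
# Constructed sample in HijackThis v2.0 log format (paths mirror the thread's logs).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
"""
ENTRY_RE = re.compile(r"^([RFOU]\d+) - (.*)$")  # e.g. "O23 - Service: ..."

def parse_hjt(text):
    """Split an HJT log into the running-process list and the numbered entries."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
            in_processes = False
        elif line == "Running processes:":
            in_processes = True
        elif line and in_processes:
            processes.append(line)
        else:
            in_processes = False  # a blank line ends the process block
    return processes, entries

def review(text):
    """Return the findings a helper would look at first in an HJT log."""
    processes, entries = parse_hjt(text)
    findings = []
    # The same image running twice (two avp.exe in the thread) needs justifying.
    for path, n in Counter(p.lower() for p in processes).items():
        if n > 1:
            findings.append(f"duplicate process x{n}: {path}")
    for section, body in entries:
        if section == "O23" and body.endswith("(file missing)"):  # dead registration
            findings.append("orphaned service: " + body.split(" - ")[0].removeprefix("Service: "))
        if section == "O17":  # DNS servers the box uses; confirm they belong to the ISP
            servers = body.split("NameServer = ", 1)[1].split(",")
            findings.append("dns servers to verify: " + ", ".join(s.strip() for s in servers))
    return findings
```

Run `review(open("hijackthis.log").read())` on a real log to get the same three kinds of findings; anything else in the log still needs a human reading it.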
 
Hi rf6647, thanks for your reply. I did as you suggested and it made no difference.

---------------------------------------------------------------------------------------------------------------------------------------

Hi mflynn, thanks for your reply. I did as you suggested also, with some result. I still can't download SAS or open MWBAM or SPYBOT, but I've got some logs for you if they help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:40:36, on 12/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{5712A3D9-784D-4F7D-A617-525E46C9377B}: NameServer = 62.24.218.50,62.24.218.51
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4207 bytes
 
Hi mflynn
Thanks for your reply. Yes, I ran xclean but can't find a log, does it make one? It made no difference anyway, it's still the same.
 
Mflynn recommends msconfig / selective startup & renaming the ‘exe’ file for mbam & sas. If using shortcuts, rename these also. mwb & sas were suggested.

Here is the message containing the instructions. Upper right corner shows the full thread.

This effort is directed at taking away some of the malware protecting the real nasty.

My sense of timing is lousy. It's past my bedtime.

[edit]
Please use attachments to include files.

Here is a link to obtain a massive text file identifying new files during the past 30 days. It does not clean anything. It merely gives up names.
oldtimer listing program
 
Mflynn recommends msconfig / selective startup & renaming the ‘exe’ file for mbam & sas. If using shortcuts, rename these also. mwb & sas were suggested.

Hi, thanks for your reply.
Could you give more details about the above, as I'm not good (thicko really) with the technical stuff?
 
Hi Wolf

Thanks rf6647

Yes that was what I was doing (clean boot) as we were trying to get a handle on it, but later found out it was not necessary.

XClean has no log so no problem

All you need to do is rename SuperAntiSpyware to say SAS.exe and mbam.exe to mwbam.exe.

So My Computer to \Program Files\SuperAntiSpyware, find and rename as above, and run from there by dbl clicking. Then do the same for MalwareBytes.

After loading, but before clicking Scan, do the below config changes

SuperAntispyware config

UPDATE!

Then

Click the Preferences button.

Then Scanning Control.

In Scanner Options make sure the following are checked:
1. Close browsers before scanning
2. Scan for tracking cookies
3. Terminate memory threats before quarantining.
4. Leave the others as they are.

In MalwareBytes after update but before running
Click settings and confirm all are Checked.

I repeat Update these 2 programs.

Run them and post their logs, then a new HJT log, HJT always last.

After attaching logs from above run both programs again to confirm they find nothing else and attach new logs for this run!

Do this correctly and we will make a short job of this!

Mike
 
Hi mflynn

Thanks for your help and advice, it's much appreciated.

Re-naming MalwareBytes did the trick, I was able to open and run it and it found at least a dozen nasties... I also downloaded and ran SAS and am attaching the logs now.
 
Looks good

Good job!

Run MWBAM again and again until clean or it finds something it can not clean.

After then attach another HJT log!

Mike
 
MBAM needs update to 1.30

Malwarebytes' Anti-Malware 1.29 Database version: 1282 13/11/2008 13:15:23
 
10-4 to that!

Wolf, always update this and SAS; these things can have updates less than an hour apart.

Thanks Rich I missed that again!

Mike
 
Hi mflynn, thanks for your reply and advice.

I ran Malwarebytes a few times until it found nothing, log attached.

Thanks again for all your help.
 
OK but you were supposed to post logs of each run.

But anyway, do the same for SAS, but post each log for each run before the next run.

After the last run a HJT log please!

Mike
 
Hi mflynn, thanks for your reply.
Sorry about the logs, but it wasn't clear that I had to post after every run.
Here is the log for the SAS run.
 
Hi mflynn, thanks for your reply and advice.

Something weird happened when I tried to run HJT. When I clicked on the desktop icon to get to HJT my PC couldn't find it right away and informed me that the shortcut had been altered in some way so that it didn't go to HJT... I didn't re-name this earlier, does it mean anything to you? I've never encountered this before.

My PC is running great, as good as ever.
 
Hmmm

Don't know, but HJT has been renamed crusty.exe. Perhaps your shortcut was pointing to HijackThis.exe.

If nothing more, then forget it.

In Finishing up...

Every 2 weeks or so run mbam and sas until clean. If they find something they can not clean then get back to us.

Additionally run CCleaner.

I have been using ThreatFire for more than a year it just went from ver 3 to ver 4.

It was designed to co-exist with other Virus scanners.

Additionally it uses a totally different process to protect. While conventional virus scanners work from definitions, ThreatFire works on recognizing virus/malware activity. It's like looking at it with 2 sets of eyes and from a different angle.

http://www.threatfire.com/Download/

Look at http://www.javacoolsoftware.com/spywareblaster.html

Run SpyBot occasionally and use the Immunize function.

HostsMan http://www.abelhadigital.com/2008/07/hostsman-3157-released.html

Mike
 
Hi mflynn, thanks for your reply.

I already have SpywareBlaster but will take a look at ThreatFire.

Many thanks again for all your help and advice, it's much appreciated, thank you.
 