Tech Support Forum, Security Center, Resolved HJT Threads (resolved spyware and popup issues)

Post #1, 08-21-2008, 05:30 AM, GrahamK (Registered User; OS: XP)

Start up hijacked

My wife was searching on Google and came across a site that downloaded something onto my computer.

When I start the computer up, the background has changed to a warning sign which advises me to download an antispyware program. Then after a few moments the machine goes to a blue screen of death.

I am able to start the computer in safe mode but cannot access the internet, so I am posting this via my Nintendo Wii. Because of this I cannot post a HijackThis log. I believe I may have located the problem in the HJT scan:

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

I'm so sorry that I cannot provide you with more info. If there were some way you could help me to enable internet access in safe mode, I'm certain this would be an easy fix. I have 2 years' worth of my own musical works on this computer, so it is precious.

Please help.

Update: I finally managed to get online, but incredibly I cannot access this site or any other related site via my browser.

Ashwebsv.exe has appeared in my Task Manager and after a search it seems that this is a problem.

OK, I managed to get onto the internet via safe mode. I did a HJT scan, saved a log file and was ready to upload it, but the virus is blocking access to this site and also sites like Bleeping Computer etc.

I'm at my wits' end. I can't provide you guys with the information you need to help remove this threat.

A friend suggested that I back up my important files, wipe the drive clean and start again. Because I can't get log files onto this thread, I'm beginning to think this is my only option.

Can anyone advise?

(Also, can a mod edit this into my original post? I don't see an "edit" feature on the forum... thanks)

Last edited by amateur; 08-22-2008 at 12:45 PM. Reason: to retain 0-reply status
Post #2, 08-22-2008, 01:42 PM, GrahamK

OK guys, sorry in advance if it seems like I am spamming. Thanks for your patience on this matter.

I managed to get a program called Malwarebytes via a friend through e-mail, and after scanning my system in safe mode and rebooting I am now up and running in Normal Mode.

The program seems to have taken care of some of the infection, but I wanted to post my log as I can now access this site again.

Here is my HJT log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:38:11, on 22/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.euro.dell.com/content/de...=ie&l=en&s=gen
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - M-Audio - C:\Program Files\M-Audio\MobilePre\Install\MPInst.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 7369 bytes
Post #3, 08-24-2008, 10:51 AM, GrahamK

72 hour bump
Post #4, 08-24-2008, 12:38 PM, tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; OS: 2000 Pro, XP Pro, XP Home)

Hello -

HijackThis log looks clean, but that does not always mean the machine is.

The items you mention in your first post are legit.

Post the log from MBAM, please. You can access it from the Logs tab on the user interface.

Also please do this:

Create an uninstall list:
  • Open HiJackThis
  • Click on the button " Open the Misc Tools section"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from the Notepad file into your post
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
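An added example, not part of the original thread and not tetonbob's method: the call above, that the CTFMON.EXE entries under HKUS\.DEFAULT and HKUS\S-1-5-18 are legitimate, is exactly the kind of judgement HijackThis leaves to the reader. The Python below parses O4 registry-Run lines of the form posted, pulls out the executable, and gives each entry a verdict: a small known-benign allowlist (ctfmon.exe in system32 is what a stock XP install runs there), a flag for core Windows binary names running from outside system32 or from user-writable folders, and a "verify" for bare filenames that are located through the PATH at logon. The trusted-directory list, the %systemroot% expansion and the last sample line (an HKCU entry pointing into a Temp folder) are assumptions constructed for the example and do not come from the posted log.

```python
import re
from typing import Optional

# Constructed sample input: the two O4 entries quoted in the first post, three
# more from the full HijackThis log, and one hypothetical HKCU entry (not from
# the page) so the output shows what a flagged line looks like.
SAMPLE_O4_LINES = [
    r"O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')",
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
    r"O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Administrator\Local Settings\Temp\svchost.exe",  # hypothetical
]

# O4 registry lines: "O4 - <hive>[\<sid>]\..\<key>: [<name>] <command> [(User '<user>')]"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)(?:\\(?P<sid>[^\\]+))?\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# First token of the command, quoted or not, up to a known executable extension.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.(?:exe|com|scr|pif|bat|cmd|dll|vbs|js))"?(?:\s|$)', re.I)

SYSTEM32 = r"c:\windows\system32"
# Assumed default XP layout; adjust for a different system drive or %ProgramFiles%.
TRUSTED_DIRS = (SYSTEM32, r"c:\windows", r"c:\program files", r"c:\progra~1")
# Entries HijackThis shows on a stock XP box: ctfmon.exe is the text-services loader.
KNOWN_BENIGN = {("ctfmon.exe", SYSTEM32 + r"\ctfmon.exe")}
# Names of core Windows binaries that malware likes to borrow.
MASQUERADE_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe", "ctfmon.exe"}
# Folders a logged-on user can write to; an auto-start living there needs a close look.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\temporary internet files\\", "\\application data\\")


def parse_o4(line: str) -> Optional[dict]:
    """Split a HijackThis O4 registry-Run line into fields; None for Startup-folder lines."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    em = EXE_RE.match(cmd)
    exe = em.group("exe") if em else cmd.split()[0]
    # HijackThis leaves %systemroot% unexpanded; C:\WINDOWS is assumed here.
    exe = exe.lower().replace("%systemroot%", r"c:\windows")
    return {"hive": m.group("hive"), "sid": m.group("sid"), "key": m.group("key"),
            "name": m.group("name"), "user": m.group("user"),
            "exe": exe, "has_path": "\\" in exe}


def verdict(entry: dict) -> str:
    """Rank one entry: benign allowlist first, then the two cheap red flags, then location."""
    exe = entry["exe"]
    base = exe.rsplit("\\", 1)[-1]
    if (base, exe) in KNOWN_BENIGN:
        return "known-benign"
    if not entry["has_path"]:
        # Bare name: located through the PATH at logon, so confirm which copy actually runs.
        return "verify: no path, resolved via PATH"
    if base in MASQUERADE_NAMES and not exe.startswith(SYSTEM32 + "\\"):
        return "flag: system binary name outside system32"
    if any(marker in exe for marker in USER_WRITABLE_MARKERS):
        return "flag: runs from a user-writable location"
    if any(exe.startswith(d + "\\") for d in TRUSTED_DIRS):
        return "ok: program or system directory"
    return "review: unexpected location"


def triage(lines):
    """Parse every O4 registry line and attach a verdict; Startup-folder lines are skipped."""
    results = []
    for line in lines:
        entry = parse_o4(line)
        if entry:
            entry["verdict"] = verdict(entry)
            results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        where = e["hive"] + ("\\" + e["sid"] if e["sid"] else "")
        print(f"{e['verdict']:42} {where:16} [{e['name']}] {e['exe']}")
```

The ordering of the checks matters: the allowlist is keyed on the full lower-cased path, not just the filename, so a ctfmon.exe copied into a Temp folder falls through to the masquerade check instead of being waved past. Bare names such as stsystra.exe are not condemned, only marked for a look, since the only way to know which binary actually starts is to resolve it the way the loader does.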
Post #5, 08-24-2008, 01:01 PM, GrahamK

Here is the uninstall list:

Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 6.0.1
Adobe Shockwave Player
AKAI professional DCVocoder 1.0
Antares Auto-Tune 3.03 DirectX
Antares Kantos v1.0
Apple Mobile Device Support
Apple Software Update
Arturia Modular System v1.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
avast! Antivirus
AVG Anti-Spyware 7.5
Bonjour
Canon iP1800 series
Canon iP1800 series User Registration
CDRWIN 5
CleanUp!
ConvertXtoDVD 2.1.18.242
Dell CinePlayer
Dell Driver Reset Tool
Digital Camera Driver
Dinosaur Adventure 3-D
DivX Content Uploader
DivX Web Player
Drum Machine 1.29 BETA
EZMedia Box 2.0
EZVideo Mail
Fallout2
Google Earth
Google Updater
Guitar Pro 5.2
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
IK Multimedia AmpliTube v1.1.1
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
iTunes
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Kaspersky Online Scanner
Malwarebytes' Anti-Malware
MCU
Mercury 1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Media Video 9 VCM
Microsoft Works 7.0
MobilePre
Mozilla Firefox (2.0.0.16)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Native Instruments Absynth v3.0
Native Instruments B4 v1.11
Native Instruments Battery
Native Instruments FM7
Native Instruments Guitar Rig v1.1.2
Native Instruments GuitarRig2 RTAS VSTi DXi
Novation V-Station VSTi v1.11
OpenOffice.org Installer 1.0
Opera 9.52
Orange Vocoder v1.1.2
Power Tab Editor 1.7
PSP PianoVerb 1.0
QuickTime
Reason
Reason Adapted for M-Audio 2.5
ReCycle 2.0
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Sonic Activation Module
Sonic Foundry Sound Forge 6.0
Sonic Update Manager
Sony Picture Utility
Sony Sound Forge 8.0d
SoulSeek Client 156c
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Steinberg Cubase SX v2.0.2.31
Steinberg Groove Agent
Steinberg PLEX VSTi v1.0
Syncrosoft's License Control
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Waves 4.0
WinAce Archiver 2.0
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
Xbox 360 Controller for Windows

Here is the first Malwarebytes log on my list... I don't think it saved the original scan that detected and cleaned the system though.

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

21:29:28 22/08/2008
mbam-log-08-22-2008 (21-29-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 105353
Time elapsed: 1 hour(s), 7 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=1.5 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Post #6, 08-24-2008, 03:06 PM, tetonbob

OK....let's take care of some things I see there.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Java(TM) 6 Update 4
Java(TM) 6 Update 5


These are all outdated, and security risks by having them installed still. Unfortunately, Java does not uninstall previous versions when you update, nor tell you that you should. They also take up valuable space on your hard drive.

Leave Java(TM) 6 Update 7 alone, as it is the most recent.

---------------------------------------------------------------------------------------------

Ad-Aware SE Personal is outdated. Ad-Aware is now at version 2008. It still has a free version, so you may want to consider uninstalling and upgrading.

Spybot Search & Destroy is now at version 1.6, so again, you should consider updating. Spybot S&D should automatically upgrade versions for you through the built-in updater. It just did on one of my machines last night.

Things look good. To help ensure there are no remnants...

First uninstall Kaspersky Online Scanner from Add or Remove Programs, as we want to make sure you have the most recent version.

Next....

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.


Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

---------------------------------------------------------------------------------------------
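An added example, not from the thread: the uninstall list above carries three Java 6 updates side by side, which is exactly the leftover-versions problem tetonbob describes. The Python below groups uninstall-list entries by product family, sorts them by a numeric version key, and reports every version older than the newest one installed. The family patterns (the "Java(TM) 6 Update 7" and "Adobe Reader 6.0.1" forms seen in the posted list) and the short sample slice are assumptions for the example; other products need their own pattern.

```python
import re

# Constructed sample: a slice of the uninstall list posted above.
SAMPLE_UNINSTALL = """
Adobe Reader 6.0.1
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Kaspersky Online Scanner
Mozilla Firefox (2.0.0.16)
""".strip().splitlines()

# Product families whose installers leave old versions behind. The patterns are
# assumptions for the example, matching the names as they appear in the
# Add/Remove list; other products need their own pattern.
FAMILIES = {
    "Java": re.compile(r"^Java\(TM\)\s+(?:SE\s+)?(?P<ver>\d+)(?:\s+Update\s+(?P<upd>\d+))?$", re.I),
    "Adobe Reader": re.compile(r"^Adobe Reader (?P<ver>\d+(?:\.\d+)*)$", re.I),
}


def version_key(m):
    """Sortable version: dotted numbers as ints, then the Update number if the pattern has one."""
    parts = tuple(int(p) for p in m.group("ver").split("."))
    upd = m.groupdict().get("upd")
    return parts + ((int(upd),) if upd else ())


def stale_versions(lines):
    """Group entries by family; return {family: (newest entry, [older entries to remove])}."""
    seen = {}
    for line in lines:
        name = line.strip()
        for family, pattern in FAMILIES.items():
            m = pattern.match(name)
            if m:
                seen.setdefault(family, []).append((version_key(m), name))
    report = {}
    for family, items in seen.items():
        items.sort()  # numeric tuples, so Update 10 sorts after Update 9
        report[family] = (items[-1][1], [name for _, name in items[:-1]])
    return report


if __name__ == "__main__":
    for family, (keep, remove) in stale_versions(SAMPLE_UNINSTALL).items():
        print(f"{family}: keep '{keep}'")
        for name in remove:
            print(f"  uninstall '{name}'")
```

The numeric key is the point: a plain string sort would put "Update 10" before "Update 9" and recommend uninstalling the newest build.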
Post #7, 08-24-2008, 04:52 PM, GrahamK

OK, I've uninstalled the Java programs and also uninstalled Ad-Aware... I've never really used it anyway. Will update Spybot shortly.

Here is the Kaspersky log... it seems that it found something.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 24, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 24, 2008 21:40:56
Records in database: 1141321
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 74199
Threat name: 1
Infected objects: 23
Suspicious objects: 0
Duration of the scan: 01:02:13


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7d60mvvt.default\Cache\B0487342d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01E3G5UJ\eurogamer[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01E3G5UJ\forum_threads[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01E3G5UJ\forum_thread_posts[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01E3G5UJ\Guitar[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0D11T6K2\adServer[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0D11T6K2\search[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0D11T6K2\trace[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0D11T6K2\WLLogin_JS[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RT36F7BT\adServer[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RT36F7BT\adServer[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RT36F7BT\default[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RT36F7BT\forum_thread_posts[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RT36F7BT\jump1[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RT36F7BT\menu[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\RT36F7BT\ultimate-guitar[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XVCESK1F\adServer[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XVCESK1F\forum_thread_posts[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\XVCESK1F\landing_e[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KOBG7OFU\adframe[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KOBG7OFU\video[2].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0TIEP71\;ord=143911413[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0TIEP71\stats[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1

The selected area was scanned.
Post #8, 08-24-2008, 04:59 PM, tetonbob

You should be able to remove those running this tool:

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

Other than that, how is the machine behaving? Is Avast alerting you to anything?
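An added example, not part of the thread: every hit in the Kaspersky report above sits in a download cache (Firefox's profile Cache folder, the user's Temporary Internet Files, and the LocalSystem account's own Temporary Internet Files under C:\WINDOWS\system32\config\systemprofile), which is why a cache cleaner is the right tool here. The Python below parses report lines of that "path Infected: threat count" form and sorts each hit into cache versus persistent locations, so anything outside the caches stands out. The sample is three lines from the posted report plus one constructed line with a placeholder path and threat name (not a real detection); the cache markers assume the XP folder layout and also cover the Java deployment cache, which the report does not mention.

```python
import re

# Constructed sample: three lines from the Kaspersky report posted above, plus one
# line with a placeholder path and threat name (not a real detection) so that a hit
# outside the caches shows up in the output.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\7d60mvvt.default\Cache\B0487342d01 Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01E3G5UJ\eurogamer[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KOBG7OFU\adframe[1].htm Infected: Trojan-Downloader.JS.Agent.cnn 1
C:\WINDOWS\system32\placeholder.dll Infected: Hypothetical.Threat.Example 1

The selected area was scanned.
"""

# "<path> Infected: <threat> <count>"; the path may contain spaces, so match lazily
# up to the literal " Infected:".
HIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")

# XP layout assumed. The systemprofile path is the LocalSystem account's own IE
# cache, written when something fetches web content while running as SYSTEM.
SYSTEM_PROFILE = "c:\\windows\\system32\\config\\systemprofile\\"


def is_cache(p: str) -> bool:
    """True for browser and Java download caches, where a hit is a fetched page, not an install."""
    return ("\\temporary internet files\\" in p
            or ("\\firefox\\profiles\\" in p and "\\cache\\" in p)
            or "\\java\\deployment\\cache\\" in p)


def classify(path: str) -> str:
    """Cache hits clear with the cache; anything else has a foothold and needs its own removal."""
    p = path.lower()
    if is_cache(p):
        return "cache (SYSTEM profile)" if p.startswith(SYSTEM_PROFILE) else "cache"
    if p.startswith(("c:\\windows\\", "c:\\program files\\")):
        return "persistent: system or program directory"
    return "persistent: user profile or other"


def parse_report(text: str):
    """Return one dict per detection line; header and footer lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append({"path": m.group("path"), "threat": m.group("threat"),
                         "count": int(m.group("count")), "class": classify(m.group("path"))})
    return hits


def summarize(text: str):
    """Bucket hits by class so the persistent ones are visible at a glance."""
    buckets = {}
    for h in parse_report(text):
        buckets.setdefault(h["class"], []).append(h)
    return buckets


if __name__ == "__main__":
    for cls, hits in summarize(SAMPLE_REPORT).items():
        print(f"{cls}: {len(hits)} hit(s)")
        for h in hits:
            print(f"  {h['threat']}  {h['path']}")
```

A hit in the SYSTEM profile's cache is kept as its own bucket on purpose: the content is still just a cached page, but something running as LocalSystem fetched it, which is worth knowing when deciding whether the machine is really clean.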
Post #9, 08-24-2008, 06:58 PM, GrahamK

Done, cleaned it with the program.

The machine is behaving well, running much quieter than before. Nothing suspicious and no pop-ups or anything out of the ordinary.
Old 08-24-2008, 07:42 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,707
OS: 2000 Pro; XP Pro; XP Home


Re: Start up hijacked

Good job.

Some final procedures for you.

After an infection has been cleaned, it's a good idea to clear out old System Restore points, and create a new clean one from which to go forward. In this way, you won't roll back to a time when the machine was infected.


Clear & Reset System Restore's Cache
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK


Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.
  • FIREWALL
    Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here

    Do not install more than one firewall program because they will conflict with each other.

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back against the malware writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
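As an added illustration of how the HOSTS-file approach in the post above works (this is not code from the thread or from MVPS), here is a small Python audit that reads a HOSTS file, lists the hostnames that are blocked by pointing them at 127.0.0.1 or 0.0.0.0, and separately reports entries that send a hostname to some other address, since that is the same mechanism turned against the user. The sample file contents, hostnames and addresses are constructed for the example.

```python
"""Audit a Windows HOSTS file the way an MVPS-style blocklist uses it.

Added example, not from the thread. A hostname mapped to 127.0.0.1 (or
0.0.0.0) is a block: the browser connects to the local machine instead
of the ad server. A hostname mapped to any other address is a redirect,
which is worth reporting because the same mechanism can be misused.
"""
import ipaddress

# Constructed sample; not a real HOSTS file (names and addresses made up).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example.net    # blocked: loopback
0.0.0.0    tracker.example.org
10.20.30.40  update.example-av.test   # redirected elsewhere
   # blank and comment-only lines are skipped
"""

# Names the stock HOSTS file legitimately maps to the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # an address with no names
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed address field
        for name in fields[1:]:                # one address, many names
            yield ip, name.lower()


def audit_hosts(text):
    """Return {'blocked': [names], 'redirected': [(name, ip), ...]}."""
    result = {"blocked": [], "redirected": []}
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue                           # expected local entries
        if ip.is_loopback or ip.is_unspecified:
            result["blocked"].append(name)
        else:
            result["redirected"].append((name, str(ip)))
    return result


if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

On a real XP machine the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts; anything in the "redirected" list deserves a second look.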
Old 08-24-2008, 08:15 PM   #11 (permalink)
Registered User
 
Join Date: Oct 2005
Posts: 42
OS: XP


Re: Start up hijacked

Thanks again!

I have a couple of questions:

1) Is Opera a safer browser?

2) Where do these malware programs come from?
Old 08-24-2008, 08:39 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,707
OS: 2000 Pro; XP Pro; XP Home


Re: Start up hijacked

Insofar as it's used less than Internet Explorer, Opera is a safer browser, as is Firefox. Since most users have IE installed on their machines and use it, the bad guys focus on it to exploit.

The malware programs come mostly from organized elements looking to make money at the expense of unsuspecting computer users.

Here's more information:

http://itw.trendmicro-europe.com/index.php?id=21

http://www.f-secure.com/f-secure/pre...117_1_eng.html

http://mastdb3.mcafee.com/VirusMap3....t=JPEG&lang=en

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
Copyright 2001 - 2009, Tech Support Forum