Author Topic: Dire Need Of Help With Virus  (Read 15714 times)

chloedog

  • Guest
Dire Need Of Help With Virus
« on: June 30, 2005, 09:20:44 PM »
I downloaded the avast, followed all of the directions and it took over an hour until all files were scanned.  Once completed I highlighted all infections found and hit delete under action.  Rebooted only to find that nothing changed- computer still infected with Trojan.  I keep getting message on task bar saying my computer is infected.  After all the time spent doing this I can't believe nothing's changed.  The longer the virus is on my computer the worse things will get.  Please, please advise.  What could I have possibly done wrong?

Thanks!!

~D

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Dire Need Of Help With Virus
« Reply #1 on: June 30, 2005, 09:34:22 PM »
Hi Chloedog,

If you haven't already, you should do a boot time scan with avast!

(In Win 98 this is not possible- boot into safe mode before scanning- hit F8 while booting.)

Right click the avast! globe and select Start avast! Antivirus.

avast! will do a memory scan: if it finds malware in memory, it will prompt you to do a boot time scan: accept this and reboot.

If avast! doesn't find anything in memory, schedule a boot time scan. (Click the button at the top left of the avast! silver console and select Schedule boot time scan from the drop-down menu.)

The safest option if avast! finds anything during a boot time scan is 'move'.

If you haven't done so already, it would also be a good idea to download and run Ad-Aware and Spybot Search & Destroy to look for any spyware on your system.

http://www.lavasoft.de/

http://www.safer-networking.org/en/download/

Be sure to update both programs before running. Run both programs in safe mode- tap F8 while booting.

http://www.pchell.com/support/safemode.shtml

If you still have a problem, could you make a note of the warnings you receive, file names and locations. We can't really help you without any specific information...

Some information about your OS would also be useful...

Right click My Computer and select Properties. Tell us what it says under General.

Sorry to send you away to do more scans, but if you can come back with more information, rest assured we can help you.
« Last Edit: June 30, 2005, 09:38:15 PM by FreewheelinFrank »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Dire Need Of Help With Virus
« Reply #2 on: June 30, 2005, 09:41:20 PM »
Hi FreewheelinFrank,

Better next ask Chloedog to do a HJT log also. Like to see his StartupList as well.

greets,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

chloedog

  • Guest
Re: Dire Need Of Help With Virus
« Reply #3 on: June 30, 2005, 09:44:48 PM »
Hi- thanks for replying so fast.  I did all that you suggested except I did not put computer in safe mode when running the avast scan.  I am using windows xp, cable modem, have aol 8 if any of that info. is helpful.  Should I run avast in safe mode?  I'm really not tech savvy at all and am trying my best to follow all the directions.  I have both an i and an a in 2 separate blue circles on my task bar- the avast balls though I don't know the difference...but I did the virus scan which took over one hour.  I wish someone were here to help me!!

Thanks!!

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Dire Need Of Help With Virus
« Reply #4 on: June 30, 2005, 09:55:36 PM »
Right click the globe with the 'a'.

Select 'Start avast! anti-Virus'

You should get the silver console after avast! has tested memory.

You will need to do a boot time scan as you have XP. Follow the instructions above. A boot time scan will remove more nasties. If anything remains, please note down as many details as you can and tell us: we will help you.

But first do that boot time scan!

chloedog

  • Guest
Re: Dire Need Of Help With Virus
« Reply #5 on: June 30, 2005, 10:04:21 PM »
I did the boot time scan originally when I ran the program.
I'm afraid I will do all the steps again, it will take an hour plus and I'll find out again that I still have virus (or viruses)
When the scan is complete and it lists the infected files, should I highlight all and click on delete option under action, or was I supposed to click something else?  Sorry I seem "slow" but like I said, tech savvy is not my forte...at all  :(  Maybe you could email me to communicate easier?  My email is jadjfd@yahoo.com

Thanks again!

chloedog

  • Guest
OMG! Did The Whole Virus Scan Again & It's Still There!
« Reply #6 on: June 30, 2005, 11:35:13 PM »
ok- I did all the steps suggested by FreewheelinFrank and I still have the virus!  Here's the info.- hope it helps:
After the scan was completed my options were to press any # 1-6.  I chose the option that said Move which is what wheelinfrank said (there was an option that said Move All- should I have chosen that or is that irrelevant to the problem?)  After that was selected it said 1 file infected and it continued with reboot.  Oh, also while it was scanning I noticed it said C:/hiberfil/sys errorOXC0000022
and C:\documents and settings\(my name was here)\local settings\temp\se.d77 is infected by Win32: StartPage-067(Trj)  Once rebooted the warning on my desktop still says:  Security warning- an error in IE has occured at 0028-COO11E36 in VXD VMM <01>+  Error caused by Trojan-Spy.HTML.smitfraud.c  system cannot function in normal mode  Please tell me what to do- this has become a nightmare!

MFB

  • Guest
Re: Dire Need Of Help With Virus
« Reply #7 on: June 30, 2005, 11:41:18 PM »
Hi there, can you give us a hijack log?  If you don't have hijackthis here's the link:

http://www.tomcoyote.org/hjt/

Ignore the O23 that deals with avast and the missing file cause that's false.

chloedog

  • Guest
Re: Dire Need Of Help With Virus
« Reply #8 on: June 30, 2005, 11:44:58 PM »
Hi- please tell me what to do when I get to the page of the link you've provided.  So many options and I have zero idea which to click or download- should I click hijackthis, or something else?  Thanks!!

MFB

  • Guest
Re: Dire Need Of Help With Virus
« Reply #9 on: June 30, 2005, 11:49:14 PM »
You see the button with the blinking green light next to it?  Click on that.   :)

Once you got Hijackthis, click on "Do a system scan and save a logfile"  and Copy and paste the logfile here.


Note: Don't FIX anything yet if you're uncertain. 

chloedog

  • Guest
Re: Dire Need Of Help With Virus
« Reply #10 on: June 30, 2005, 11:55:01 PM »
Logfile of HijackThis v1.99.1
Scan saved at 5:54:08 PM, on 6/30/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\intel32.exe
C:\Program Files\Winferno\Secure IE\SIEPulse.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Documents and Settings\Debbie Diamond\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DEBBIE~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DEBBIE~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ADOBE 6\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {20F6DD0F-FDB2-4B82-8980-54DAA19F641B} - C:\WINDOWS\System32\jfge.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [SIE2004] "C:\Program Files\Winferno\Secure IE\SIEPulse.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm324
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E24A4EB9-B1BF-4BDC-A998-B019E1886D46}: NameServer = 205.188.146.145
O18 - Filter: text/html - {E39C5294-3AFA-46F5-821F-2D6310E3C4D5} - C:\WINDOWS\System32\jfge.dll
O18 - Filter: text/plain - {E39C5294-3AFA-46F5-821F-2D6310E3C4D5} - C:\WINDOWS\System32\jfge.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


MFB

  • Guest
Re: Dire Need Of Help With Virus
« Reply #11 on: June 30, 2005, 11:59:12 PM »
I recommend removing these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DEBBIE~1\LOCALS~1\Temp\se.dll/spage.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DEBBIE~1\LOCALS~1\Temp\se.dll/spage.html

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm324

IGNORE THESE:

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
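
Added example, not part of any post in this thread and not HijackThis's own code: a Python script that parses a HijackThis log and pulls out the kinds of entries the replies above pick out by eye (IE search pages served via res:// from a Temp directory, and O23 services tagged "(file missing)"), and additionally cross-references which DLLs are hooked from more than one section. The function names are chosen here for illustration, the sample lines are copied from the log in reply #10, and the output is a list of entries to review, not a verdict on any file.

```python
import re
from collections import defaultdict, namedtuple

# Sample input: eight lines copied from the HijackThis log posted in reply #10.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\DEBBIE~1\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {20F6DD0F-FDB2-4B82-8980-54DAA19F641B} - C:\WINDOWS\System32\jfge.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O18 - Filter: text/html - {E39C5294-3AFA-46F5-821F-2D6310E3C4D5} - C:\WINDOWS\System32\jfge.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

Entry = namedtuple("Entry", "code text")
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # e.g. "R1 - ...", "O23 - ..."
MODULE_RE = re.compile(r"[A-Za-z]:\\[^\"*?<>|]*?\.(?:dll|ocx)\b", re.I)
TEMP_RES_RE = re.compile(r"res://.*\\temp\\", re.I)


def parse_hjt(log):
    """Return an Entry per 'R1 - ...' / 'O2 - ...' line; header and process list are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in log.splitlines())
    return [Entry(m.group(1), m.group(2)) for m in matches if m]


def temp_res_pages(entries):
    """R-section (IE start/search page) values served via res:// from a Temp directory."""
    return [e for e in entries if e.code.startswith("R") and TEMP_RES_RE.search(e.text)]


def modules_by_hook(entries):
    """Map each DLL/OCX path to the entry codes naming it; keep paths hooked from 2+ sections."""
    hooks = defaultdict(set)
    for e in entries:
        m = MODULE_RE.search(e.text)
        if m:
            hooks[m.group(0).lower()].add(e.code)
    return {path: sorted(codes) for path, codes in hooks.items() if len(codes) > 1}


def missing_service_files(entries):
    """O23 services tagged '(file missing)'; in this thread the avast! ones are said to be false."""
    return [e for e in entries if e.code == "O23" and e.text.endswith("(file missing)")]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in temp_res_pages(parsed):
        print("res:// page from Temp:", e.text)
    for path, codes in modules_by_hook(parsed).items():
        print(path, "referenced by", ", ".join(codes))
    for e in missing_service_files(parsed):
        print("file missing (check the path by hand):", e.text)
```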

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Dire Need Of Help With Virus
« Reply #12 on: July 01, 2005, 12:07:32 AM »
Hi Chloedog,

Do exactly what fixer recommends. There is a saved HJT analysis for you here:
http://hijackthis.de/logfiles/28f93bf990368802a6e60071555ab44d.html
It will be there for the next three days. Forget the O23's on AVAST-this is a false hiccup because of the program. If the nasty BHO's won't leave your machine, which I doubt, you can also download ToolbarCop, an easy tool to get the nasties from your comp. Download from: http://www.majorgeeks.com/download4126.html
Lots of success with your anti-slimeware action. And greets to FIXER,

Yours faithfully,

polonus
« Last Edit: July 01, 2005, 12:09:45 AM by polonus »
chloedog

  • Guest
Re: Dire Need Of Help With Virus
« Reply #13 on: July 01, 2005, 12:08:43 AM »
I checked what you said too but Remove isn't an option.  Which box should I click on?  Scan, Fix Checked, etc.?  Thanks

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Dire Need Of Help With Virus
« Reply #14 on: July 01, 2005, 12:12:21 AM »
Hi chloedog,

We mean fix the things FIXER mentioned. His name is FIXER, isn't it.

greets,

polonus