Author Topic: Virus issues, please help!!  (Read 20877 times)

InazumaRaijin

  • Guest
Virus issues, please help!!
« on: October 18, 2007, 05:01:27 AM »
So I recently found myself buried under what appears to be a good deal of viruses and/or trojans. I immediately started scanning, of course. Ran a quick scan, only got one thing, then decided it would be best to do a thorough scan. Well, I've made it up to 29000 files scanned and found 6 things, but I'm worried now... It says that the current scanner status is infected and it's scanning slower than 1 file per second... Does this mean my scanner itself is infected? And if so, what should I do about that and whatever else may be on my computer? Someone please help quickly!

Edit: Okay, so it picked up QUITE a bit of speed, it's going much faster now. Thing is though, I still get these fake system messages that tell me to install programs that I'm 100% sure are fake programs used to propagate the trojan/viruses, and my scan is nearly done... I'm worried that the scan itself may not be removing the problem... Any suggestions on what to do in this case?
« Last Edit: October 18, 2007, 06:33:32 AM by InazumaRaijin »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Virus issues, please help!!
« Reply #1 on: October 18, 2007, 10:13:12 AM »
Welcome to the forum.

Can you give an example of what files are being detected? What is the full path and what is it being detected as?

What are the names of the programs you are being asked to install? You probably are right in them being bogus.

The slow down may have been due to a compressed archive.

Your os and other security programs would also be helpful. Move anything found to the chest.
« Last Edit: October 18, 2007, 10:49:58 AM by oldman »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Virus issues, please help!!
« Reply #2 on: October 18, 2007, 01:25:29 PM »
Quote: It says that the current scanner status is infected and it's scanning slower than 1 file per second... Does this mean my scanner itself is infected?
No. Just the status of the scanning: an infected file was detected.

Quote: whatever else may be on my computer? Someone please help quickly!
Hey... we're here quickly 8)

Quote: fake programs
Which ones? Do you use RogueRemover (www.malwarebytes.com) to see what's wrong?

Quote: I'm worried that the scan itself may not be removing the problem... Any suggestions on what to do in this case?
If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

1. Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3.

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. Schedule a boot-time scan with avast!. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).

4. It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

5. If you are still detecting any strange behavior, or you're even sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG or Panda.

6. Also, if you are still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.

7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
The best things in life are free.

InazumaRaijin

  • Guest
Re: Virus issues, please help!!
« Reply #3 on: October 18, 2007, 03:29:10 PM »
Kay, so I ran it over night. Two files were found to be infected and moved to the chest: a file in my temp folder and what appears to be my temp folder itself. Within these two files were 4 instances of the trojan Win32:Winfixer-F(trj) and 2 instances of the virus PS/MPC-gen5. These files have been moved to my chest, but I'm still being spammed with fake system warnings telling me to download things like WinSpyControl (asks you to purchase the product, but I'm not stupid, I'm not putting a dime into anything via computer right now) or other weird things of the like. So either moving them to the chest didn't delete the files (I'm new to using avast! so I have no clue how it actually works, haha), or there are more files that I need to get rid of and avast! can't get them for me (I ran a thorough scan of all files, including archived). I guess when I get home from school and work I'll try one of the above-mentioned sites and see what I can do about it. I appreciate this and any future help!

Edit: Forgot to mention, I'm just running XP Home Edition

Offline Lisandro

Re: Virus issues, please help!!
« Reply #4 on: October 18, 2007, 04:28:39 PM »
Quote: But I'm still being spammed with fake system warnings telling me to download things like WinSpyControl (asks you to purchase the product, but I'm not stupid, I'm not putting a dime into anything via computer right now) or other weird things of the like.
Follow the other general cleaning procedures, especially steps 4, 5 and 6.

Quote: So either moving them to the chest didn't delete the files (I'm new to using avast! so I have no clue how it actually works, haha), or there are more files that I need to get rid of and avast! can't get them for me (I ran a thorough scan of all files, including archived). I guess when I get home from school and work I'll try one of the above-mentioned sites and see what I can do about it. I appreciate this and any future help!
Reinfection was not due only to files, but there are a lot of ways to do so.

Offline oldman

Re: Virus issues, please help!!
« Reply #5 on: October 18, 2007, 08:33:16 PM »
Do #4 in Tech's post with at least the first 2 programs. That will at least clean up some of the garbage somewhat. You can post the results minus the tracking cookies.

For HijackThis, follow the steps below. When posting that log you will probably have to split it into a couple of posts.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

InazumaRaijin

  • Guest
Re: Virus issues, please help!!
« Reply #6 on: October 18, 2007, 08:39:06 PM »
Thanks for all the advice. Right now I'm running the CleanUp program back home to clean up my temp folder, since that's where the problem originated, so when I get home I'm going to check to see how that's working out. If I still have the problem, I'll download HJTsetup.exe and make a log file as I was told. In all honesty, this is the first virus I've ever had to deal with, since I'm usually a fanatic about keeping my computer up and running efficiently, so I'm really new to all this and appreciate all the help, haha  ;D

Offline oldman

Re: Virus issues, please help!!
« Reply #7 on: October 18, 2007, 08:46:22 PM »
You're welcome. Take things one step at a time, keep track of what you do, and have a little patience.  :D

InazumaRaijin

  • Guest
Re: Virus issues, please help!!
« Reply #8 on: October 18, 2007, 09:27:41 PM »
Haha, patience doesn't sit well with me, I get out of school in an hour and then have to work for 3 and a half more hours, then a one hour drive home to see if everything went well, hahaha. But yeah, I'm hoping that everything I've done so far will be enough and I'm hoping even more that I'm not going to be flooded by spam when I get back (I ran my virus scan over night last night and came back in the morning to about... 30+ fake system messages, as well as some less-than-appropriate ads), haha

EDIT: So I did as advised and got a HijackThis log. I can't make ANY sense of it, but I guess that's what I have you guys for, haha! So yeah, here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:48 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe
C:\Program Files\Common Files\WinSpyControl\bm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CIEIntegrator Object - {7A7F202E-AF91-4889-9DD5-2FE241085CC1} - C:\Program Files\WinSpyControl\Tools\pg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {CFE15135-C591-4000-A55E-A50E5F9F82BC} - C:\Program Files\Video Add-on\isfmdl.dll
O2 - BHO: IEFW Object - {FAAD2038-C371-473D-86F1-5B11D39C3775} - C:\Program Files\WinSpyControl\Tools\IEFWBHO.dll
O3 - Toolbar: IE Custom Tools - {23ED2206-856D-461A-BBCF-1C2466AC5AE3} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe" -start
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinSpyControl\bm.exe" dm=http://winspycontrol.com; ad=http://winspycontrol.com
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\Bit Torrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/eAuto/commonActiveX/smsx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF9C7035-23C9-493D-9478-395607421D70}: NameServer = 68.87.69.146,68.87.85.98
O22 - SharedTaskScheduler: benzaldoxime - {a6d478c6-7961-4fe9-be4b-e621dd640112} - C:\WINDOWS\system32\nczupfw.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlcf_device -   - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8385 bytes
« Last Edit: October 19, 2007, 03:47:13 AM by InazumaRaijin »
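
One way to triage the HijackThis logs posted in this thread, as an added Python example that is not part of the original posts or of HijackThis itself: it parses the R*/O* entries, flags entries whose file is missing or that carry a name seen in the fake alerts, and compares a log taken before cleanup with one taken after. The function names, the `reported_names` list and the section descriptions are assumptions of this example; the sample lines are excerpts copied from the two logs in the thread.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re

# Usual meaning of the section codes that occur in the logs in this thread.
SECTIONS = {
    "R0": "IE start or search page", "R1": "IE default page or search URL",
    "R3": "URL search hook", "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart entry", "O8": "IE context menu item",
    "O9": "IE button or Tools item", "O16": "ActiveX download",
    "O17": "DNS name server", "O22": "SharedTaskScheduler", "O23": "service",
}

# An entry line looks like "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY = re.compile(r"^([RO]\d{1,2}) - (.+)$")

# Excerpts copied from the first and second log in this thread
# (R3, O2, O3 and O4 lines only; the second log is cut off after that).
BEFORE = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: CIEIntegrator Object - {7A7F202E-AF91-4889-9DD5-2FE241085CC1} - C:\Program Files\WinSpyControl\Tools\pg.dll
O2 - BHO: (no name) - {CFE15135-C591-4000-A55E-A50E5F9F82BC} - C:\Program Files\Video Add-on\isfmdl.dll
O3 - Toolbar: IE Custom Tools - {23ED2206-856D-461A-BBCF-1C2466AC5AE3} - C:\Program Files\Video Add-on\ictmdl.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
"""
AFTER = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
"""


def parse_hjt(text):
    """Return (code, detail) for each R*/O* entry; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def triage(entries, reported_names):
    """Flag entries worth a helper's attention; a flag is a lead, not a verdict."""
    findings = []
    for code, detail in entries:
        low = detail.lower()
        reasons = []
        # "(no file)": the registry entry points at a file that is not on disk.
        if low.endswith("(no file)"):
            reasons.append("missing file")
        # Names the user has already seen in fake alerts or purchase prompts.
        for name in reported_names:
            if name.lower() in low:
                reasons.append("reported name: " + name)
        if reasons:
            findings.append((code, "; ".join(reasons), detail))
    return findings


def compare(before, after):
    """Split entries into removed, added and kept between two logs."""
    before_set, after_set = set(before), set(after)
    return {
        "removed": [e for e in before if e not in after_set],
        "added": [e for e in after if e not in before_set],
        "kept": [e for e in before if e in after_set],
    }


def still_flagged(before, after, reported_names):
    """Flagged entries that survived the cleanup and need a second look."""
    return triage(compare(before, after)["kept"], reported_names)


if __name__ == "__main__":
    names = ["WinSpyControl"]  # name from the fake alerts described in Reply #3
    first, second = parse_hjt(BEFORE), parse_hjt(AFTER)
    for code, reason, detail in triage(first, names):
        print(f"first log    {code:<3} {SECTIONS.get(code, '?')}: {reason}\n    {detail}")
    for code, detail in compare(first, second)["removed"]:
        print(f"removed      {code:<3} {detail}")
    for code, reason, detail in still_flagged(first, second, names):
        print(f"still there  {code:<3} {reason}\n    {detail}")
```

Name matching only finds what has already been identified: the Video Add-on entries in the same log are not flagged here and were picked up by the SUPERAntiSpyware scan in Reply #11.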

InazumaRaijin

  • Guest
Re: Virus issues, please help!!
« Reply #9 on: October 19, 2007, 03:58:54 AM »
I'm really sorry for the double-post (don't know what the rules are on it), but I forgot to mention in the above edit that there still is something on my computer after having cleared out my temp folder. I still have a "security warning" in the bottom right that tries to get me to buy "virus protection", something along the lines of a product called AntiVirGear. Pretty sure it's a bogus ad trying to get me to give out personal info. So yeah, someone look at my log file above and help me out more? Haha

Offline oldman

Re: Virus issues, please help!!
« Reply #10 on: October 19, 2007, 05:49:44 AM »
Did you download and update SUPERAntiSpyware?

If not, do so now. If you did, then proceed.

Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.

Under Scanner Options make sure the following are checked
- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quarantine.

Leave the others unchecked.

Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.
Under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan.

When the scan is done, quarantine everything found. Reboot if asked.

Post that log. Start SUPERAntiSpyware; the log will be under Preferences, on the Statistics/Logs tab, in the scanner logs.

Edit: and another HJT log.
« Last Edit: October 19, 2007, 05:58:49 AM by oldman »

InazumaRaijin

  • Guest
Re: Virus issues, please help!!
« Reply #11 on: October 19, 2007, 07:11:38 AM »
VICTORY!!! Here's the log, I think it's finally gone now!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/18/2007 at 10:00 PM

Application Version : 3.9.1008

Core Rules Database Version : 3327
Trace Rules Database Version: 1328

Scan type       : Complete Scan
Total Scan Time : 00:52:49

Memory items scanned      : 568
Memory threats detected   : 2
Registry items scanned    : 5514
Registry threats detected : 96
File items scanned        : 33670
File threats detected     : 27

Trojan.Smitfraud Variant
   C:\WINDOWS\SYSTEM32\NCZUPFW.DLL
   C:\WINDOWS\SYSTEM32\NCZUPFW.DLL
   HKLM\Software\Classes\CLSID\{a6d478c6-7961-4fe9-be4b-e621dd640112}
   HKCR\CLSID\{A6D478C6-7961-4FE9-BE4B-E621DD640112}
   HKCR\CLSID\{A6D478C6-7961-4FE9-BE4B-E621DD640112}\InProcServer32
   HKCR\CLSID\{A6D478C6-7961-4FE9-BE4B-E621DD640112}\InProcServer32#ThreadingModel
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{a6d478c6-7961-4fe9-be4b-e621dd640112}

Malware.LocusSoftware Inc/BestSellerAntivirus
   C:\PROGRA~1\COMMON~1\WINSPY~1\UGCW.EXE
   C:\PROGRA~1\COMMON~1\WINSPY~1\UGCW.EXE
   HKLM\Software\Classes\CLSID\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}
   HKCR\CLSID\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}
   HKCR\CLSID\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}
   HKCR\CLSID\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}#AppID
   HKCR\CLSID\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}\InprocServer32
   HKCR\CLSID\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}\InprocServer32#ThreadingModel
   HKCR\CLSID\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}\ProgID
   HKCR\CLSID\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}\Programmable
   HKCR\CLSID\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}\TypeLib
   HKCR\CLSID\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}\VersionIndependentProgID
   C:\PROGRAM FILES\WINSPYCONTROL\TOOLS\PG.DLL
   HKLM\Software\Classes\CLSID\{FAAD2038-C371-473d-86F1-5B11D39C3775}
   HKCR\CLSID\{FAAD2038-C371-473D-86F1-5B11D39C3775}
   HKCR\CLSID\{FAAD2038-C371-473D-86F1-5B11D39C3775}
   HKCR\CLSID\{FAAD2038-C371-473D-86F1-5B11D39C3775}#AppID
   HKCR\CLSID\{FAAD2038-C371-473D-86F1-5B11D39C3775}\InprocServer32
   HKCR\CLSID\{FAAD2038-C371-473D-86F1-5B11D39C3775}\InprocServer32#ThreadingModel
   HKCR\CLSID\{FAAD2038-C371-473D-86F1-5B11D39C3775}\ProgID
   HKCR\CLSID\{FAAD2038-C371-473D-86F1-5B11D39C3775}\Programmable
   HKCR\CLSID\{FAAD2038-C371-473D-86F1-5B11D39C3775}\TypeLib
   HKCR\CLSID\{FAAD2038-C371-473D-86F1-5B11D39C3775}\VersionIndependentProgID
   C:\PROGRAM FILES\WINSPYCONTROL\TOOLS\IEFWBHO.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7A7F202E-AF91-4889-9DD5-2FE241085CC1}
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FAAD2038-C371-473D-86F1-5B11D39C3775}
   HKLM\System\ControlSet001\Services\fmtr
   C:\WINDOWS\SYSTEM32\DRIVERS\FMTR.SYS
   HKLM\System\CurrentControlSet\Services\fmtr
   HKCR\AVIEBHO.IEFW
   HKCR\AVIEBHO.IEFW\CLSID
   HKCR\AVIEBHO.IEFW\CurVer
   HKCR\AVIEBHO.IEFW.2
   HKCR\AVIEBHO.IEFW.2\CLSID
   HKCR\GPBlocker.IEPBlocker
   HKCR\GPBlocker.IEPBlocker\CLSID
   HKCR\GPBlocker.IEPBlocker\CurVer
   HKCR\GPBlocker.IEPBlocker.1
   HKCR\GPBlocker.IEPBlocker.1\CLSID
   HKCR\TypeLib\{314F88D6-80CE-408A-9E8F-B2389B81E8B8}
   HKCR\TypeLib\{314F88D6-80CE-408A-9E8F-B2389B81E8B8}\1.0
   HKCR\TypeLib\{314F88D6-80CE-408A-9E8F-B2389B81E8B8}\1.0\0
   HKCR\TypeLib\{314F88D6-80CE-408A-9E8F-B2389B81E8B8}\1.0\0\win32
   HKCR\TypeLib\{314F88D6-80CE-408A-9E8F-B2389B81E8B8}\1.0\FLAGS
   HKCR\TypeLib\{314F88D6-80CE-408A-9E8F-B2389B81E8B8}\1.0\HELPDIR
   HKCR\TypeLib\{D731A77D-A816-4730-96D2-14A5F9917255}
   HKCR\TypeLib\{D731A77D-A816-4730-96D2-14A5F9917255}\1.0
   HKCR\TypeLib\{D731A77D-A816-4730-96D2-14A5F9917255}\1.0\0
   HKCR\TypeLib\{D731A77D-A816-4730-96D2-14A5F9917255}\1.0\0\win32
   HKCR\TypeLib\{D731A77D-A816-4730-96D2-14A5F9917255}\1.0\FLAGS
   HKCR\TypeLib\{D731A77D-A816-4730-96D2-14A5F9917255}\1.0\HELPDIR
   HKCR\AppId\{314F88D6-80CE-408a-9E8F-B2389B81E8B8}
   HKLM\Software\uga6pcw
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#Inno Setup: Setup Version
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#Inno Setup: App Path
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#InstallLocation
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#Inno Setup: Icon Group
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#Inno Setup: User
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#Inno Setup: Selected Tasks
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#Inno Setup: Deselected Tasks
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#DisplayName
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#UninstallString
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#QuietUninstallString
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#NoModify
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#NoRepair
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UAVIEN_is1#InstallPath
   C:\DOCUMENTS AND SETTINGS\SION\APPLICATION DATA\INSTALL_EN[1].EXE
   C:\PROGRAM FILES\COMMON FILES\WINSPYCONTROL\UGCW.EXE
   C:\PROGRAM FILES\WINSPYCONTROL\FMTR.SYS
   C:\PROGRAM FILES\WINSPYCONTROL\FOPNL.DLL
   C:\PROGRAM FILES\WINSPYCONTROL\RESTART.EXE
   C:\PROGRAM FILES\WINSPYCONTROL\RTASKS.EXE
   C:\WINDOWS\Prefetch\UGCW.EXE-242A0E56.pf

Trojan.Media-Codec/V4
   HKLM\Software\Classes\CLSID\{23ED2206-856D-461A-BBCF-1C2466AC5AE3}
   HKCR\CLSID\{23ED2206-856D-461A-BBCF-1C2466AC5AE3}
   HKCR\CLSID\{23ED2206-856D-461A-BBCF-1C2466AC5AE3}
   HKCR\CLSID\{23ED2206-856D-461A-BBCF-1C2466AC5AE3}\Implemented Categories
   HKCR\CLSID\{23ED2206-856D-461A-BBCF-1C2466AC5AE3}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
   HKCR\CLSID\{23ED2206-856D-461A-BBCF-1C2466AC5AE3}\InprocServer32
   HKCR\CLSID\{23ED2206-856D-461A-BBCF-1C2466AC5AE3}\InprocServer32#ThreadingModel
   C:\PROGRAM FILES\VIDEO ADD-ON\ICTMDL.DLL
   HKLM\Software\Classes\CLSID\{CFE15135-C591-4000-A55E-A50E5F9F82BC}
   HKCR\CLSID\{CFE15135-C591-4000-A55E-A50E5F9F82BC}
   HKCR\CLSID\{CFE15135-C591-4000-A55E-A50E5F9F82BC}#xxx
   HKCR\CLSID\{CFE15135-C591-4000-A55E-A50E5F9F82BC}\InprocServer32
   HKCR\CLSID\{CFE15135-C591-4000-A55E-A50E5F9F82BC}\InprocServer32#ThreadingModel
   C:\PROGRAM FILES\VIDEO ADD-ON\ISFMDL.DLL
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CFE15135-C591-4000-A55E-A50E5F9F82BC}
   HKLM\Software\Microsoft\Internet Explorer\Toolbar#{23ED2206-856D-461A-BBCF-1C2466AC5AE3}
   HKU\S-1-5-21-3056869707-3982748799-3199561885-1006\Software\Online Add-on
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Custom Tools
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Custom Tools#DisplayName
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Custom Tools#UninstallString
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features#DisplayName
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features#UninstallString
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center#DisplayName
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center#UninstallString
   C:\PROGRAM FILES\VIDEO ADD-ON\ICMNTR.EXE
   C:\PROGRAM FILES\VIDEO ADD-ON\ICTHIS.EXE
   C:\PROGRAM FILES\VIDEO ADD-ON\ICTUN.EXE
   C:\PROGRAM FILES\VIDEO ADD-ON\ICUN.EXE
   C:\PROGRAM FILES\VIDEO ADD-ON\ISFMM.EXE
   C:\PROGRAM FILES\VIDEO ADD-ON\ISFMNTR.EXE
   C:\PROGRAM FILES\VIDEO ADD-ON\ISFUN.EXE
   C:\PROGRAM FILES\VIDEO ADD-ON\UNINST.EXE

Adware.Tracking Cookie
   C:\Documents and Settings\Sion\Cookies\sion@atdmt[1].txt
   C:\Documents and Settings\Sion\Cookies\sion@www.antivirgear[2].txt

Trojan.Security Toolbar
   C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
   C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Trojan.Media-Codec
   HKCR\VideoAXObject.Chl
   HKCR\VideoAXObject.Chl\CLSID

Malware.SpyLocked
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#DisplayName
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#UninstallString

Browser Hijacker.Favorites
   C:\DOCUMENTS AND SETTINGS\SION\FAVORITES\ONLINE SECURITY TEST.URL

InazumaRaijin

  • Guest
Re: Virus issues, please help!!
« Reply #12 on: October 19, 2007, 07:12:11 AM »
Sorry for a second double post, but both logs didn't fit in one message, so here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:03 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\WinSpyControl\bm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe" -start
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinSpyControl\bm.exe" dm=http://winspycontrol.com; ad=http://winspycontrol.com
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\Bit Torrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/eAuto/commonActiveX/smsx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AF9C7035-23C9-493D-9478-395607421D70}: NameServer = 68.87.69.146,68.87.85.98
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlcf_device -   - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7990 bytes

Spiritsongs

  • Guest
"Viewpoint"
« Reply #13 on: October 19, 2007, 08:01:01 AM »
:) Hi InazumaRaijin:

The HijackThis log shows you have the troublesome "Viewpoint" program; it would be wise to go to the "Add or Remove Programs" section of your computer and "uninstall" or "remove" the "Viewpoint" program.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Virus issues, please help!!
« Reply #14 on: October 19, 2007, 12:30:17 PM »
Well. I think some of it's gone. SAS did catch a lot of the executables, but some of it still shows up in your last hjt log.

C:\Program Files\Common Files\WinSpyControl\bm.exe

along with some registry entries.

O4 - HKLM\..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe" -start
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinSpyControl\bm.exe" dm=http://winspycontrol.com; ad=http://winspycontrol.com

I suspect the popup is gone now? Was that the complete SAS log? It seems that a couple of entries at the end are missing.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
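An added example, not part of the post above and not HijackThis or ComboFix code: a script that lists the O4 Run entries in a HijackThis log tied to a given folder name, including the 8.3 short-path form (`WINSPY~1`) that a plain text search for "WinSpyControl" misses. The function names are hypothetical and the short-name rule is a simplifying assumption.

```python
import re

# Constructed sample: O4 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinSpyControl] C:\Program Files\WinSpyControl\pgs.exe
O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\WINSPY~1\ugcw.exe" -start
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinSpyControl\bm.exe" dm=http://winspycontrol.com; ad=http://winspycontrol.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Shape of a registry autorun line: O4 - HKLM\..\Run: [value name] command
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\\w+: \[(.+?)\] (.*)$")
SHORT = re.compile(r"([^~]{1,6})~\d(\.\w{0,3})?")


def component_match(component, name):
    """Return how one path component relates to a long folder name."""
    if component.lower() == name.lower():
        return "exact"
    # Assumption: simplified 8.3 rule, first six characters (spaces and
    # dots dropped, upper-cased) followed by ~N. A hit means "possible".
    squeezed = re.sub(r"[ .]", "", name).upper()
    m = SHORT.fullmatch(component.upper())
    if m and m.group(1) == squeezed[:6]:
        return "short-name"
    return None


def find_leftovers(log_text, names):
    """List (hive, value name, reasons) for Run entries tied to `names`."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        hive, value, command = m.groups()
        reasons = set()
        for name in names:
            if value.lower() == name.lower():
                reasons.add("value-name")
            for comp in command.replace('"', "").split("\\"):
                kind = component_match(comp, name)
                if kind:
                    reasons.add(kind)
        if reasons:
            hits.append((hive, value, sorted(reasons)))
    return hits


if __name__ == "__main__":
    for hit in find_leftovers(SAMPLE_LOG, ["WinSpyControl"]):
        print(hit)
```

A "short-name" hit only says the folder could be the one named, since other folders can share the same first six characters; confirm the long path before removing anything.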