Hi there and thanks for everything first of all. I borrowed my friend's hard drive (tower for the computer); I'm using my own keyboard and monitor. After 1 day of a lot of internet usage I turned the computer back on and have been inundated with all kinds of alerts saying I have trojans and spyware and all that kind of stuff, and keep getting redirected to various antivirus websites, plus a few porn sites popped up. I thought maybe he didn't have any antivirus installed, so I downloaded the Avast home edition, which I use on my own system. It cleaned a bunch of trojans and stuff. I ran CWShredder, which didn't show anything present, but this weird program 'Antivirus 2008' keeps running and prompting me to buy it; there's an icon of it on the bottom of my screen which keeps giving me scary security warnings and prompting me to update. And when I connect to the internet I sometimes get re-routed to some weird antivirus page, not even Antivirus 2008... like http://ucleaner.com, http://www.system-defender.com, and since I downloaded the Avast antivirus we're VERY SLOOOOWWWWW, plus it doesn't let me navigate freely.

I went to the programs list to remove Antivirus 2008 but it wasn't on the list, and I tried to delete the file from the program files on drive C but it said it was being used and I wasn't able to delete it, and I'm sure it is the culprit.

Ok, I have my own tower back, and on my friend's infected system I was unable to send emails or even open some web pages, and I couldn't post on Daniweb, so I saved the HijackThis log on a floppy disk and opened it on my own system so I could send it to you from my system. So I think you can understand how troubling this is: I couldn't send or open emails and could not post threads on your website; I even tried to save it as a draft and that wasn't happening either. I hope my description is understandable. I have kept his system with me so I can resolve the problem, hopefully. It's just going to mean changing over systems anytime I need to.

So I have 2 towers, one infected that I am trying to clean. It has weird re-routing and antivirus alerts despite downloading Avast home edition and cleaning a bunch of stuff; I can't send emails or open some web pages, it runs slow, and I can't post threads on Daniweb. I did however go to Internet Options and reset the home page address since I took the HijackThis log, which resolved that problem, but the antivirus warnings, rerouting and webpages still pop up nonetheless.

Please check out the HijackThis log underneath and please give me your advice. I'm not that great with computers, as you can probably tell from my descriptions, so I mucho appreciato your kind assistance.

Thanks XXX
Danielle.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:04:37 ب.ظ, on 2008/05/01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINXPSP2\System32\smss.exe
C:\WINXPSP2\system32\winlogon.exe
C:\WINXPSP2\system32\services.exe
C:\WINXPSP2\system32\lsass.exe
C:\WINXPSP2\system32\svchost.exe
C:\WINXPSP2\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINXPSP2\system32\spoolsv.exe
C:\WINXPSP2\system32\svchost.exe
C:\Program Files\Universal Shield 4.0\US30Service.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINXPSP2\Explorer.EXE
C:\WINXPSP2\Win2Farsi\ClockMRT\MRTclock.exe
C:\WINXPSP2\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINXPSP2\system32\ctfmon.exe
C:\WINXPSP2\Win2Farsi\ClockMRT\MRTclock.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Antivirus 2008\Antvrs.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipAlbum 6 Pro Eval\fplaunch.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [MRTKLOX] C:\WINXPSP2\Win2Farsi\ClockMRT\MRTclock.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINXPSP2\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [rrqcvqca] C:\WINXPSP2\system32\xktctkpa.exe
O4 - HKCU\..\Run: [Antivirus] C:\Program Files\Antivirus 2008\Antvrs.exe
O4 - HKLM\..\Policies\Explorer\Run: [nhZLQi5zTU] C:\Documents and Settings\All Users\Application Data\lijetutc\tuxazcpq.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINXPSP2\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINXPSP2\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXPSP2\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXPSP2\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: qadovnel - {D1525ABB-4C61-419F-BBAA-FF8A4327727E} - C:\WINXPSP2\qadovnel.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.0\US30Service.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINXPSP2\privacy_danger\index.htm
--
End of file - 6884 bytes