Hello everyone.
Lately I have been having a problem with a virus, I believe. I ran S&D and it found registry files and such saying about fake virus protector. So, I fixed the problems and I am still having this annoying thing pop up.
It's down on my icon tray next to my clock. It pops up saying
System Alert! System has detected blah blah about spyware and such.
Here is my HJT:
---------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:56:08 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Windows\System32\svchost.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Windows\system32\wscntfy.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HJT\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [PURE Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\PROGRA~1\THEPRI~1\THEPRI~1.EXE" /startup
O4 - HKCU\..\Policies\Explorer\Run: [{1C62120B-07D0-1033-0428-031216200001}] "C:\Program Files\Common Files\{1C62120B-07D0-1033-0428-031216200001}\Update.exe" mc-110-12-0001232
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\Windows\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\System32\browseui.dll
O22 - SharedTaskScheduler: haeckel - {8373a2e0-bdd0-42bd-b4ec-ba5451eb6607} - C:\Windows\system32\moywh.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Documents and Settings\Administrator\Desktop\7.6 YurOTs\xampp\FileZillaFTP\FileZillaServer.exe (file MISSING)
O23 - Service: InstallDriver Table MANAGER (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 5344 bytes

Looking at the log, but first, why is your antivirus turned off? There will be a few logs we need so please add them as attachments in the next post.
How to attach logs in a post
Save the log to somewhere you can easily find it. (usually the desktop)
To do this, from within Notepad go to the top of the page and select "File" > "Save As...", enter the file name and click "Save". Be sure the desktop is the location selected to save to. Please save all files as Text Documents (.txt).
Posting the log
1. Below the text box click "Additional Options..."
* If REPLYING in a thread, before putting text into the reply box select "Preview"
2. Scroll down and select "Additional Options..."
3. Click "Browse"
4. Locate the file you want to attach and double click it to enter it into the window.
5. If you have more than one log click "(more attachments)" and a new window will open for adding another log.
* You will need to enter a message in the text box as well.
==========
Please read these carefully in order to save and post the logs we need.
==========
Download SDFix.exe and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard).
- Finally add the contents of the Report.txt in your next post as an Attachment
==========
Download Superantispyware (SAS)
SUPERAntispyware Free Edition
Install it and double-click the icon on your desktop to run it.
* It will ask if you want to Update the program definitions, click Yes.
* Under Configuration and Preferences, click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked:
+ Close browsers before scanning
+ Scan for tracking cookies
+ Terminate memory threats before quarantining.
+ Please leave the others unchecked.
+ Click the Close button to leave the control center screen.
* On the main screen, under Scan for Harmful Software click Scan your computer.
* On the left check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found and if it asks if you want to reboot, click Yes.
* To retrieve the removal information please do the following:
+ After reboot, double-click the SUPERAntiSpyware icon on your desktop.
+ Click Preferences. Click the Statistics/Logs tab.
+ Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
+ It will open in your default text editor (such as Notepad/Wordpad).
+ Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Please add the log as an attachment in the next post.
==========
You need to delete/UNINSTALL your copy of HijackThis (beta) and download the current version from here HijackThis.
Please use the new version in future scans.
Do a new HijackThis scan and add it as an attachment in the next post.
==========
Attach these items in the next post:
- SDFix Report.txt
- SUPERAntiSpyware log
- New HijackThis log
Also let us know how things are now.

I don't have an Anti-virus...
[saving disk space - old attachment deleted by admin]

First, let's get some antivirus protection on the computer.
Download and install Avast! 4 Home Edition Free
When you get done I will have some more instructions ready.

Step 1
Complete this procedure completely, including attaching the requested log, before doing the second procedure.
Download SmitfraudFix (by S!Ri) to your Desktop.
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.
Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/processutil/processutil.htm

Alright, did both.
[saving disk space - old attachment deleted by admin]

Post a new HijackThis log please.
Also how is the computer now?
Well... The tray icon went away and such.
But my internet is messing up a bit. Like it will slow down on loading or it won't load at all, it just sits there loading...
I restart my computer and it will work. But I restarted my computer earlier and this thing popped up saying that a file hasn't closed yet... Press End Now or Close, you know, one of those things. The file was called FFHook... Is that good or bad?
[saving disk space - old attachment deleted by admin]

The FFHook.dll is related to Firefox but not malicious as far as I know. I will look into it further...
The log isn't showing any malware but there some empty entries to fix.
Open HijackThis and select "Do a system scan only"
Place a check mark next to:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL (file missing)
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL (file missing)
Close all windows and click "Fix checked"
I will look around and see if I can come up with anything on the FFHOOK.dll
Do you have the latest version of Firefox 2.0.0.9?
Also have you ran a virus scan with Avast! yet?
To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place? It mentions many free programs so it is worth a look.

Yes, I have 2.0.0.9.
And yes, I ran a scan with Avast... After I restarted my computer it ran and I also ran it after that.

I suggest removing all traces of Firefox and reinstalling it fresh.
It is most likely an extension or add-on that is corrupt.
Use Mozbackup to backup any bookmarks, cookies or saved passwords. Just don't backup any extensions, you will need to add them back manually.
Mozbackup is simple to use and only takes a second to run. http://mozbackup.jasnapaka.com/download.php
To completely uninstall Firefox, then completely remove all traces of Firefox (save your bookmarks first):
1) Use Add/Remove Programs to uninstall Firefox
2) Delete the Mozilla/Firefox subdirectory in Program Files
3) Delete the Mozilla/Firefox subdirectory in your user profile
4) Reinstall Firefox
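Added example, not from this thread or from any of the tools named in it: a small Python script that applies the same triage the helper did by hand on the HijackThis log above, run over a constructed sample in the same entry format. The first two rules (an entry marked "(file missing)" and an empty R0 Local Page value) are exactly the helper's fix list; the Policies\Explorer\Run and non-browseui SharedTaskScheduler rules are my own heuristics for the kind of entries SDFix and SmitfraudFix target, and they flag entries for review rather than removal.

```python
import re

# Constructed sample in the HijackThis log format quoted in the thread (not a real scan).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKCU\..\Policies\Explorer\Run: [{1C62120B-07D0-1033-0428-031216200001}] "C:\Program Files\Common Files\{1C62120B-07D0-1033-0428-031216200001}\Update.exe" mc-110-12-0001232
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\Windows\System32\browseui.dll
O22 - SharedTaskScheduler: haeckel - {8373a2e0-bdd0-42bd-b4ec-ba5451eb6607} - C:\Windows\system32\moywh.dll
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Documents and Settings\Administrator\Desktop\7.6 YurOTs\xampp\FileZillaFTP\FileZillaServer.exe (file MISSING)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry starts with a section code (R0..R3, F0..F3, O1..O24), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")

def parse_entries(log_text):
    """Return (kind, body) tuples for the entry lines of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries

def triage(log_text):
    """Return (kind, reason, body) for entries a helper would fix or review.
    The first two rules are the helper's own fix list; the last two are my
    heuristics (assumptions, not something the thread states) for autoruns
    hidden under a policy key and for non-stock SharedTaskScheduler DLLs."""
    findings = []
    for kind, body in parse_entries(log_text):
        lower = body.lower()
        if lower.endswith("(file missing)"):  # orphaned reference; HJT shows MISSING in either case
            findings.append((kind, "file missing", body))
        elif kind == "R0" and body.rstrip().endswith("="):  # empty IE page setting
            findings.append((kind, "empty value", body))
        elif kind == "O4" and "policies\\explorer\\run" in lower:
            findings.append((kind, "autorun under Policies\\Explorer\\Run", body))
        elif kind == "O22" and not lower.endswith("\\browseui.dll"):
            findings.append((kind, "non-standard SharedTaskScheduler DLL", body))
    return findings

if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind:<4} {reason:<40} {body}")
```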