You are here:

Computer Security & Viruses/virus/spyware help

Expert: Brian Benosky - 10/18/2010

Question
QUESTION: Hi, I have recently been having some trouble on my desktop
computer. I religiously use Avast/spyware S&D/CCcleaner but
something got through anyways. I can no longer open Spybot
S&D, there are no error messages or anything it just refuses
to open. Same with other similar spyware software they just
refuse to open. I can also not go to anti-virus websites
like norton, avg, pctools.com or download spybot again.
Every browser I use says that the page cannot be found. (I
only use google chrome for browsing and others for
troubleshooting stuff). Although I was able to access these
webpages through a proxy @ hidemyass.com. I think that is
all the detail I can say. Here is my hijackthis log.
Thanks in advance!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:10:05 PM, on 10/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA
Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA
Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Spyware
Terminator\SpywareTerminatorUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware
Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start
Page =
http://www.thevalarium.com/ValariumWebApp/faces/Calendar.jsp
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet
Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search
Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start
Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local
Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local
Page =
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-
4FD3-8538-502F5495E5FC} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-
4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-
6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-
4243D8127440} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-
9F516DD69829} - (no file)
O3 - Toolbar: Nero Toolbar - {D4027C7F-154A-4066-A1AD-
4243D8127440} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil
Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program
Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common
Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program
Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware]
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
/install /silent
O4 - HKCU\..\Run: [ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareTerminatorUpdate] "C:\Program
Files\Spyware Terminator\SpywareTerminatorUpdate.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate]
C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\Program
Files\Java\jre1.5.0_17\bin\npjpi150_17.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-
4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_17\bin\npjpi150_17.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-
3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-
f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-
D1495792D4C5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-
F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE812A1A-D339-42F7-
8857-A24F810D99B7}: NameServer =
93.188.164.72,93.188.166.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D679F4FA-CDA1-436F-
A360-368422F3A7E7}: NameServer =
93.188.164.72,93.188.166.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer
= 93.188.164.72,93.188.166.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer
= 93.188.164.72,93.188.166.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer
= 93.188.164.72,93.188.166.222
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-
A8BA-11D1-B96B-00A0C90312E1} -
C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon
- {8C7461EF-2B13-11d2-BE35-3078302C2030} -
C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software -
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software -
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software -
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: ForceWare Intelligent Application Manager
(IAM) - Unknown owner - C:\Program Files\NVIDIA
Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) -
Macrovision Corporation - C:\Program Files\Common
Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA
Corporation - C:\Program Files\NVIDIA
Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA -
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) -
NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) -
PostgreSQL Global Development Group - C:\Program
Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner -
C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Spyware Terminator Realtime Shield Service
(sp_rssrv) - Crawler.com - C:\Program Files\Spyware
Terminator\sp_rsser.exe
O23 - Service: Viewpoint Manager Service - Viewpoint
Corporation - C:\Program
Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7101 bytes

ANSWER: Hi Trevor

Please open HijackThis and click to do a Scan Only. Place a check mark in the box next to the following items, close any open browser windows, than click the fix checked button:

R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)

O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O3 - Toolbar: Nero Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

O17 - HKLM\System\CCS\Services\Tcpip\..\{CE812A1A-D339-42F7-8857-A24F810D99B7}: NameServer =93.188.164.72,93.188.166.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{D679F4FA-CDA1-436F-A360-368422F3A7E7}: NameServer =93.188.164.72,93.188.166.222

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer= 93.188.164.72,93.188.166.222

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer= 93.188.164.72,93.188.166.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer= 93.188.164.72,93.188.166.222

After fixing, close HJT and reboot. Next, I would like for you to run a ComboFix scan as follows:
Please download ComboFix from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
*Important*-Save it to your desktop.
Double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. If asked to install the Windows Recovery Console, please allow the program to do so. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. ComboFix may also restart your computer. Do not intervene. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt. It will then display the log file automatically for you. Post me that log and a new HJT scan log in your next follow-up.

Brian

---------- FOLLOW-UP ----------

QUESTION: I did the first step in HJT, however ComboFix would not start.
I dloaded it to the desktop but when i clicked on it it
wouldn't open, wouldn't even flash a window. same thing that
happens with spybot. tried to reboot but didn't help. the
browser problem seems fixed though!

Answer
Hi Trevor

Try running ComboFix in Safe Mode. Reboot the computer, as it loads keep tapping the F8 key till a menu appears. Choose to boot Windows into Safe Mode with Networking. Log on as usual, then try running ComboFix from the desktop.

Brian

Computer Security & Viruses

All Answers

Answers by Expert:

Ask Experts

Volunteer

Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

Encyclopedia

Browse Answers:

Computer Security & Viruses/virus/spyware help

Related Articles

Brian Benosky

Expertise

Experience