Topic: [In Progress] need help with virus or something, no idea what to do

Offline kunai40

  • Bronze Member
  • Posts: 50
I have a virus and my AVG scanner's not working right, so I have no idea what else to do; I need some step-by-step instructions. I'll post some of the problems I've noticed in case it'll be of use to you. There is a Protection Center program that installed itself and it's not under Add/Remove Programs, so I don't know how to get rid of it. There are also icons on my desktop: spam001, spam003, troj000 and 3 porn ones or something. I also can't get into my Task Manager. I have pop-ups telling me I have a virus and/or my computer's being attacked, etc. Also, about every hour or so a pop-up shows up telling me Windows is about to restart. That's all I've noticed. Please help me out if you can.
« Last Edit: June 02, 2010, 02:46:45 PM by K27 »



Offline K27

  • Malware Removal Staff
  • Gold Member
  • Posts: 2342
    • Go Good IT Solutions
Re: need help with virus or something, no idea what to do
« Reply #1 on: June 02, 2010, 02:49:28 PM »
Hi kunai40,

Welcome to SpywareHammer,

I'm K27 and I will be reviewing your log for you.

Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.

Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.

Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you to, as this will only make the cleanup process all the more difficult.

Before we can provide any help we need to see some logs,

The first being HiJackThis, please read THIS page and follow the instructions for running HijackThis.

Please note that HJT is now on version 2.0.4, so please download and run that version, not 2.0.2 or 2.0.3.

Post the HJT log back to this thread.

Thanks
K27
SpywareHammer - Knowledgebase

The internet is the new age battle of the old age clash between good and evil

Offline kunai40

  • Bronze Member
  • Posts: 50
Re: [In Progress] need help with virus or something, no idea what to do
« Reply #2 on: June 02, 2010, 04:57:37 PM »
Every time I try to paste the log file, it keeps displaying "Internet Explorer cannot display webpage".

Offline kunai40

  • Bronze Member
  • Posts: 50
Re: [In Progress] need help with virus or something, no idea what to do
« Reply #3 on: June 02, 2010, 05:37:18 PM »
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:47:16 PM, on 6/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\mscdexnt.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Atheros\ACU.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\wscsvc32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Protection Center\cntprot.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\IM Magician\Vicamon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\mscdexnt.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

Offline kunai40

  • Bronze Member
  • Posts: 50
Re: [In Progress] need help with virus or something, no idea what to do
« Reply #4 on: June 02, 2010, 05:58:39 PM »
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

Offline kunai40

  • Bronze Member
  • Posts: 50
Re: [In Progress] need help with virus or something, no idea what to do
« Reply #5 on: June 02, 2010, 06:01:57 PM »
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
r1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
r3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
o2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
o2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
o2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
o2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
o2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
« Last Edit: June 02, 2010, 06:13:59 PM by kunai40 »

Offline kunai40

  • Bronze Member
  • Posts: 50
Re: [In Progress] need help with virus or something, no idea what to do
« Reply #6 on: June 02, 2010, 06:18:17 PM »
02 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
02 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
03 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
04 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
04 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
04 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
04 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
04 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
04 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
04 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
04 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
04 - HKLM\..\Run: [IMMON] "C:\Program Files\IM Magician\Vicamon.exe"
04 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
04 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
04 - HKLM\..\Run: [Sqiqudihosozi] rundll32.exe "C:\WINDOWS\ahagawop.dll",Startup
04 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
04 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
04 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
04 - HKCU\..\Run: [Droyeda] rundll32.exe "C:\WINDOWS\mstmti.dll",Startup
04 - HKCU\..\Run: [Protection Center] "C:\Program Files\Protection Center\cntprot.exe" -noscan
04 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
04 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

Offline kunai40

  • Bronze Member
  • Posts: 50
Re: [In Progress] need help with virus or something, no idea what to do
« Reply #7 on: June 02, 2010, 06:27:17 PM »
   o9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - c:\WINDOWS\Network Diagnostic\xpnetdiag.exe
   o9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network -Diagnostic\xpnetdiag.exe
  
o9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
    o9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

Not sure if I can post the rest. You think the virus is doing this?
    
« Last Edit: June 02, 2010, 06:39:24 PM by kunai40 »

Offline kunai40

  • Bronze Member
  • Posts: 50
Re: [In Progress] need help with virus or something, no idea what to do
« Reply #8 on: June 02, 2010, 06:37:06 PM »
o16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab

Offline kunai40

  • Bronze Member
  • Posts: 50
Re: [In Progress] need help with virus or something, no idea what to do
« Reply #9 on: June 02, 2010, 06:42:16 PM »
missing line
o16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
o16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
o16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
o16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
o18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
o20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
o22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
o22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
o23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
o23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
o23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
o23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
o23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
o23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
--
End of file - 7979 bytes

Offline kunai40

  • Bronze Member
  • Posts: 50
Re: [In Progress] need help with virus or something, no idea what to do
« Reply #10 on: June 02, 2010, 06:45:44 PM »
missing line = o16 - DPF: (6414512B-B978x-451D-A0D8-FCFDF33E833C) (WUWxebControl Class) - http://update.micrxosoft.com/windowsupxdate/v6/V5Controls/en/x86/client/wuxweb_site.cab?1264353318015

never mind about x's in this line

got it all, sorry about all the posts

Offline K27

  • Malware Removal Staff
  • Gold Member
  • Posts: 2342
    • Go Good IT Solutions
Re: [In Progress] need help with virus or something, no idea what to do
« Reply #11 on: June 03, 2010, 01:40:10 AM »
Hi,

OK, let's try this:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


I need to see some additional information about what is happening in your machine.
Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Please COPY/PASTE the MBAM log and BOTH DDS logs back to this thread. If you still have posting problems please DO NOT break the logs up, let me know and we will try another route.

Thanks
K27

Offline kunai40

  • Bronze Member
  • Posts: 50
Re: [In Progress] need help with virus or something, no idea what to do
« Reply #12 on: June 03, 2010, 04:57:03 PM »
I ran malware, deleted the files and stuff, restarted my computer like it told me to, downloaded that DDS thing, disconnected internet and turned off antivirus, ran DDS, turned antivirus back on, reconnected internet, deleted DDS, tried pasting the files. It's still saying internet can't display web page when I click post.
« Last Edit: June 03, 2010, 05:06:50 PM by kunai40 »

Offline K27

  • Malware Removal Staff
  • Gold Member
  • Posts: 2342
    • Go Good IT Solutions
Re: [In Progress] need help with virus or something, no idea what to do
« Reply #13 on: June 03, 2010, 11:39:04 PM »
OK, from the sounds of things you can get to the reply screen OK to copy/paste logs that are needed, but when you click post, you then get "unable to connect"?

You seem to be able to post short messages, so here is what I would like to try:

Please zip the three logs up, one from MBAM and two from DDS. The MBAM log can be found under the Logs tab once you open the MBAM program; just double click the log and it will open. Please save the MBAM log to your desktop for ease of finding it. There are instructions for zipping files HERE if you need them.

Then please click the reply button for this post and then click the "Advanced Options" button, which is located to the bottom left, below the reply window.

You will then see a "Browse" button. Please click it, then navigate to the MBAM log and click Open in the navigation box. You will then see the MBAM log path in the text box next to the Browse button.

Then please click "more attachments" and repeat the above steps for both DDS logs.

Thanks
K27

Offline kunai40

  • Bronze Member
  • Posts: 50
Re: [In Progress] need help with virus or something, no idea what to do
« Reply #14 on: June 04, 2010, 08:43:40 AM »
Here you go.

Also, I forgot to write about the error I get when I load Windows. It says: error loading c:/windows/mstmti.dll, specified module not found.
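
Added example (not part of the original thread, and not a HijackThis feature): a short Python triage of HijackThis lines copied from Replies #3 and #6, which lists processes running from a Temp folder and Run-key entries that use rundll32 to load a DLL, then looks up which Run entry references the module named in the startup error above. The rules are review heuristics assumed for this example, not verdicts, and the function names are hypothetical.

```python
import re

# Lines copied from the HijackThis log posted in this thread (Replies #3 and #6).
SAMPLE_LOG = r"""
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\mscdexnt.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\wscsvc32.exe
C:\Program Files\Protection Center\cntprot.exe
04 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
04 - HKLM\..\Run: [Sqiqudihosozi] rundll32.exe "C:\WINDOWS\ahagawop.dll",Startup
04 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
04 - HKCU\..\Run: [Droyeda] rundll32.exe "C:\WINDOWS\mstmti.dll",Startup
04 - HKCU\..\Run: [Protection Center] "C:\Program Files\Protection Center\cntprot.exe" -noscan
"""

# The pasted copies write the section code as O4, o4 or 04, so accept all three.
RUN_ENTRY = re.compile(r"^\s*[Oo0]4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
# rundll32 followed by an optionally quoted DLL path (export name after the comma).
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)


def triage(log_text):
    """Return (kind, name, path) tuples worth a reviewer's attention."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_ENTRY.match(line)
        if m:
            hive, name, command = m.groups()
            dll = RUNDLL.search(command)
            if dll:  # autostart that loads a DLL through rundll32
                findings.append(("run-rundll32", f"{hive}:{name}", dll.group(1)))
            elif TEMP_DIR.search(command):  # autostart launched from Temp
                findings.append(("run-from-temp", f"{hive}:{name}", command))
        elif re.match(r"^[A-Za-z]:\\", line) and TEMP_DIR.search(line):
            # "Running processes" line whose image lives in a Temp folder
            findings.append(("process-from-temp", line.rsplit("\\", 1)[-1], line))
    return findings


def entries_for_module(log_text, module_path):
    """Name the Run entries that load the module quoted in an error dialog."""
    want = module_path.replace("/", "\\").lower()
    return [name for kind, name, path in triage(log_text)
            if kind == "run-rundll32" and path.lower() == want]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(entries_for_module(SAMPLE_LOG, "c:/windows/mstmti.dll"))
```

A Run value that points at a DLL no longer on disk makes rundll32 report a missing module at every logon, so matching the error's path back to its Run entry shows which leftover autostart value is responsible.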