Author Topic: I can not get to restore or even have norton run online virus scan  (Read 17602 times)


Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11228
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: I can not get to restore or even have norton run online virus scan
« Reply #45 on: January 03, 2009, 12:20:54 PM »
Hi, Nash. 

The files MBAM found in System Restore are not a danger, and Qoobox contains the quarantined files from ComboFix which will be removed when we do the final cleanup.

Because of the strange results when you attempted the Kaspersky online scan, I would like you to do a full system scan with Avira.  Make sure Avira is updated and scan your computer.  Don't worry about any findings in System Restore or Qoobox.  Let me know the results.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #46 on: January 03, 2009, 03:22:06 PM »
Here is the MBAM log. After the scan I could not get on the net (remote computer not responding), so I had to reboot, and then I was able to get online  :blink:
Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.1.2600 Service Pack 3

03/01/2009 15:52:39
mbam-log-2009-01-03 (15-52-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 181055
Time elapsed: 3 hour(s), 29 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\khfCuvwu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP4\A0004306.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP9\A0005128.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #47 on: January 03, 2009, 08:01:11 PM »


Avira AntiVir Personal
Report file date: 03 January 2009  16:48

Scanning for 1143372 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 3)  [5.1.2600]
Boot mode:        Normally booted
Username:         SYSTEM
Computer name:    nash

Version information:
BUILD.DAT     : 8.2.0.337      16934 Bytes  11/18/2008 13:05:00
AVSCAN.EXE    : 8.1.4.10      315649 Bytes  11/18/2008 09:21:26
AVSCAN.DLL    : 8.1.4.0        40705 Bytes   5/26/2008 08:56:40
LUKE.DLL      : 8.1.4.5       164097 Bytes   6/12/2008 13:44:19
LUKERES.DLL   : 8.1.4.0        12033 Bytes   5/26/2008 08:58:52
ANTIVIR0.VDF  : 7.1.0.0     15603712 Bytes  10/27/2008 12:30:36
ANTIVIR1.VDF  : 7.1.1.33     1705984 Bytes  12/24/2008 14:53:51
ANTIVIR2.VDF  : 7.1.1.60      318976 Bytes    1/2/2009 12:27:19
ANTIVIR3.VDF  : 7.1.1.65       20480 Bytes    1/2/2009 16:23:11
Engineversion : 8.2.0.45 
AEVDF.DLL     : 8.1.0.6       102772 Bytes  10/14/2008 11:05:56
AESCRIPT.DLL  : 8.1.1.19      336252 Bytes  12/22/2008 01:45:14
AESCN.DLL     : 8.1.1.5       123251 Bytes   11/7/2008 16:06:41
AERDL.DLL     : 8.1.1.3       438645 Bytes   11/4/2008 14:58:38
AEPACK.DLL    : 8.1.3.4       393591 Bytes  11/11/2008 10:41:39
AEOFFICE.DLL  : 8.1.0.33      196987 Bytes  12/22/2008 01:45:13
AEHEUR.DLL    : 8.1.0.75     1524087 Bytes  12/22/2008 01:45:13
AEHELP.DLL    : 8.1.2.0       119159 Bytes  12/22/2008 01:45:11
AEGEN.DLL     : 8.1.1.8       323956 Bytes  12/22/2008 01:45:11
AEEMU.DLL     : 8.1.0.9       393588 Bytes  10/14/2008 11:05:56
AECORE.DLL    : 8.1.5.2       172405 Bytes  12/22/2008 01:45:10
AEBB.DLL      : 8.1.0.3        53618 Bytes  10/14/2008 11:05:56
AVWINLL.DLL   : 1.0.0.12       15105 Bytes    7/9/2008 09:40:05
AVPREF.DLL    : 8.0.2.0        38657 Bytes   5/16/2008 10:28:01
AVREP.DLL     : 8.0.0.2        98344 Bytes   7/31/2008 13:02:15
AVREG.DLL     : 8.0.0.1        33537 Bytes    5/9/2008 12:26:40
AVARKT.DLL    : 1.0.0.23      307457 Bytes   2/12/2008 09:29:23
AVEVTLOG.DLL  : 8.0.0.16      119041 Bytes   6/12/2008 13:27:49
SQLITE3.DLL   : 3.3.17.1      339968 Bytes   1/22/2008 18:28:02
SMTPLIB.DLL   : 1.2.0.23       28929 Bytes   6/12/2008 13:49:40
NETNT.DLL     : 8.0.0.1         7937 Bytes   1/25/2008 13:05:10
RCIMAGE.DLL   : 8.0.0.51     2371841 Bytes   6/12/2008 14:48:07
RCTEXT.DLL    : 8.0.52.0       86273 Bytes   6/27/2008 14:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: C:\Program Files\Avira\AntiVir PersonalEdition Classic\sysscan.avp
Logging..........................: low
Primary action...................: repair
Secondary action.................: rename
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, G:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Deviating risk categories........: +APPL,+JOKE,+PCK,+SPR,

Start of the scan: 03 January 2009  16:48

Starting search for hidden objects.
'70981' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'steam.exe' - '1' Module(s) have been scanned
Scan process 'dslmon.exe' - '1' Module(s) have been scanned
Scan process 'KBDAP32A.EXE' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PTSsvc.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrB.exe' - '1' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
38 processes with 38 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!
Master boot sector HD1
    [INFO]      No virus was found!
Master boot sector HD2
    [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!
Boot sector 'G:\'
    [INFO]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '55' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\norman\Desktop\ComboFix.exe
   
  • Archive type: RAR SFX (self extracting)

    --> 32788R22FWJFW\hidec.exe
      [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
    --> 32788R22FWJFW\NirCmd.cfexe
      [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
    --> 32788R22FWJFW\nircmd.com
      [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
    --> 32788R22FWJFW\NirCmdC.cfexe
      [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.1.B application
      --> 32788R22FWJFW\psexec.cfexe
        [1] Archive type: RSRC
        --> Object
          [DETECTION] Contains recognition pattern of the APPL/PsExec.E application
    [NOTE]      A backup was created as '49cc9c0c.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'ComboFix.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP10\A0005211.exe
    [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
    [NOTE]      A backup was created as '498fc28b.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0005211.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP11\A0005328.exe
    [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
    [NOTE]      A backup was created as '498fc292.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0005328.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP11\A0005335.com
    [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
    [NOTE]      A backup was created as '48897b43.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0005335.com.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP11\A0005349.exe
    [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
    [NOTE]      A backup was created as '498fc293.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0005349.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP12\A0005373.exe
    [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
    [NOTE]      A backup was created as '498fc296.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0005373.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP12\A0005380.com
    [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
    [NOTE]      A backup was created as '48897b47.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0005380.com.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP13\A0005542.exe
    [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
    [NOTE]      A backup was created as '498fc2a2.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0005542.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP14\A0006069.exe
    [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
    [NOTE]      A backup was created as '498fc2a5.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0006069.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP14\A0006076.com
    [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
    [NOTE]      A backup was created as '498fc2a6.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0006076.com.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP14\A0006113.exe
   
  • Archive type: RAR SFX (self extracting)

    --> 32788R22FWJFW\hidec.exe
      [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
    --> 32788R22FWJFW\NirCmd.cfexe
      [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
    --> 32788R22FWJFW\nircmd.com
      [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
    --> 32788R22FWJFW\NirCmdC.cfexe
      [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.1.B application
      --> 32788R22FWJFW\psexec.cfexe
        [1] Archive type: RSRC
        --> Object
          [DETECTION] Contains recognition pattern of the APPL/PsExec.E application
    [NOTE]      A backup was created as '498fc2ac.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0006113.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP4\A0003113.exe
    [DETECTION] Contains recognition pattern of the APPL/NirCmd.D.2 application
    [NOTE]      A backup was created as '498fc361.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0003113.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP4\A0003534.exe
    [DETECTION] Contains recognition pattern of the APPL/NirCmd.D.2 application
    [NOTE]      A backup was created as '498fc37d.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0003534.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP6\A0004383.exe
    [DETECTION] Contains recognition pattern of the SPR/Destart.A program
    [NOTE]      A backup was created as '498fc3a4.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0004383.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP6\A0004414.exe
    [DETECTION] Contains recognition pattern of the SPR/tcpip.sys.Patch program
    [NOTE]      A backup was created as '498fc3a6.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0004414.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP8\A0005069.exe
    [DETECTION] This file has been compressed using unusual runtime compression (PCK/Obsidium). Please verify the origin of this file.
    [NOTE]      A backup was created as '498fc3d0.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0005069.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP9\A0005150.EXE
    [DETECTION] Contains recognition pattern of the APPL/PsExec.E application
    [NOTE]      A backup was created as '498fc3d7.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0005150.EXE.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP9\A0005168.exe
    [DETECTION] Contains recognition pattern of the SPR/Tool.Hide.A program
    [NOTE]      A backup was created as '498fc3d8.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0005168.exe.VIR'!
C:\System Volume Information\_restore{ABBF0631-AE42-42A0-ACB3-E34260847567}\RP9\A0005176.com
    [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
    [NOTE]      A backup was created as '48897a09.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'A0005176.com.VIR'!
C:\WINDOWS\NIRCMD.exe
    [DETECTION] Contains recognition pattern of the APPL/NirCmd.E.2.B application
    [NOTE]      A backup was created as '49b1c51a.qua'  ( QUARANTINE )
    [NOTE]      The file was renamed to 'NIRCMD.exe.VIR'!
Begin scan in 'G:\' <IOMEGA_HDD>


End of the scan: 03 January 2009  20:47
Used time:  3:58:44 Hour(s)

The scan has been done completely.

  13134 Scanning directories
 401692 Files were scanned
     28 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      0 files were deleted
      0 files were repaired
     20 files were moved to quarantine
     20 files were renamed
      0 Files cannot be scanned
 401664 Files not concerned
   5699 Archives were scanned
      0 Warnings
     20 Notes
  70981 Objects were scanned with rootkit scan
      0 Hidden objects were found


Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #48 on: January 03, 2009, 08:04:38 PM »
This is the HTML from a web page that comes up all the time. I don't know if this helps, or maybe someone else knows more about it:
<HTML>
<HEAD>
<TITLE>title</TITLE>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<style media=print>   
  .Noprint{display:none;}   
  .PageNext{page-break-after:   always;}   
</style>
<STYLE type=text/css>
.NOPRINT   {   
  font-family:   "ËÎÌå";   
  font-size:   12px;   
  }
TD {
   FONT-SIZE: 12px
}
A.a0111:link {
   COLOR: #ffffff; TEXT-DECORATION: none
}
A.a0111:visited {
   COLOR: #ffffff; TEXT-DECORATION: none
}
A.a0111:active {
   COLOR: #9bec33; TEXT-DECORATION: none
}
A.a0111:hover {
   COLOR: #9bec33; TEXT-DECORATION: none
}
body {
   margin-top: 0px;
   margin-left: 0px;
   background-color: #E3F0FF;
}
</STYLE>
<META content="MSHTML 6.00.2900.3086" name=GENERATOR></HEAD>
<BODY>

</BODY>
</HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>picview</title>
<style type="text/css">
<!--
body {
   background-color: #e3f0ff;
}
.style1 {color: #0000FF}
-->
</style>
</head>
<body>
<span class="style1">
</span>


<table cellSpacing="1" cellPadding="1" width="97%" align="center" border="1" class="a2"  style="font-family: ËÎÌå; font-size: 12pt" align="center">
<TR align="middle" class="a1">
      <TD height="23"><span class="style1">Õ¾µãÃû³Æ</span></TD>
      <TD height="23" class="style1">Ïß·Ãû³Æ</TD>
      <TD height="23" class="style1">Ëþ¸ËÃû³Æ</TD>
      <TD height="23" class="style1">Ïàλ</TD>
      <TD height="23" class="style1">ʱ¼ä</TD>
      <TD height="23" class="style1">ƽ¾ùй©µçÁ÷</TD>
      <TD height="23" class="style1">×î´óй©µçÁ÷</TD>      
      <TD height="23" class="style1">³¬¹ý3mA</TD>
      <TD height="23" class="style1">³¬¹ý10mA</TD>
      <TD height="23" class="style1">ζÈ</TD>
      <TD height="23" class="style1">ʪ¶È</TD>
      <TD height="23" class="style1">µç³Øµçѹ</TD>
   </TR>
      <span class="style1">
   
       </span>
</table>
<table border="0" cellpadding="2" cellspacing="2" borderColorLight=#808080 borderColorDark=#ffffff  style="font-family: ËÎÌå; font-size: 9pt" align="center">
   <tr>
     
    <td width="25%" align="center">µ±Ç°Ò³0/0</td>
    <td width="62%" align="right"> <a href="chushi.asp?page=1">Ê×Ò³[/url]|
     
      <a href="chushi.asp?page=2">ÏÂÒ³[/url] |
      <a href="chushi.asp?page=0">βҳ[/url]|תµ½µÚ
      <select name="sel_page" onChange="javascript:location=this.options[this.selectedIndex].value;">
     
      </select>Ò³</font>

</table>
</body>
</html>

Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #49 on: January 03, 2009, 08:09:18 PM »
I have noticed that the icon on the desktop for ComboFix has changed. I think Avira has it marked as a virus or something. Shall I go into the quarantine files and restore it???

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11228
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: I can not get to restore or even have norton run online virus scan
« Reply #50 on: January 03, 2009, 08:14:02 PM »
Let's see if uninstalling ComboFix works first.  Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:  ComboFix /u



Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11228
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: I can not get to restore or even have norton run online virus scan
« Reply #51 on: January 03, 2009, 08:20:25 PM »
Quote
This is the HTML from a web page that comes up all the time. I don't know if this helps, or maybe someone else knows more about it:
Is this in IE? 

Perhaps start by checking Tools > Options > Internet Options > General Tab.  Check that the Language is correct and also with English-based systems that the Font is Latin based. 

Under View, check that encoding is set for Unicode.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #52 on: January 04, 2009, 01:28:51 AM »
Quote
This is the HTML from a web page that comes up all the time. I don't know if this helps, or maybe someone else knows more about it:
Is this in IE? 

Perhaps start by checking Tools > Options > Internet Options > General Tab.  Check that the Language is correct and also with English-based systems that the Font is Latin based. 

Under View, check that encoding is set for Unicode.

Hi, yes it is IE, IE7.
The language is English (United Kingdom) en-gb, the font is Latin based, web page in Times New Roman and Courier New.
Also, Windows cannot find ComboFix; I will have to restore the file Avira has put into quarantine, I think.







* edited by winchester73 to fix quote tags


Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #53 on: January 04, 2009, 11:31:28 AM »
Hi Corrine, I don't know if this helps, but my IE is being routed by a proxy server. I pinged it last night, as my Webroot firewall found this:
IP No. 2 (61.166.68.71) is located in Yünnan (China)
(Latitude 25.4832 / Longitude 100.5833)

So I checked it and found this:
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      61.166.0.0 - 61.166.255.255
netname:      CHINANET-YN
country:      CN
descr:        CHINANET Yunnan province network
admin-c:      ZL48-AP
tech-c:       ZL48-AP
status:       ALLOCATED NON-PORTABLE
changed:      jjway@126.com 20070104
mnt-by:       MAINT-CHINANET
source:       APNIC

person:       zhiyong liu
nic-hdl:      ZL48-AP
e-mail:       ynipm@126.com
address:      136 beijin roadkunmingchina
phone:        +86-871-8223073
fax-no:       +86-871-8221536
country:      CN
changed:      ynipm@126.com 20070813
mnt-by:       MAINT-CHINANET-YN
source:       APNIC

Don't know if this helps??  ComboFix has been deleted.

Offline winchester73

  • Administrator
  • Hero Member
  • *****
  • Posts: 5077
  • Half a bubble off plumb
Re: I can not get to restore or even have norton run online virus scan
« Reply #54 on: January 04, 2009, 02:26:42 PM »
Let's have a look at your "hosts" file and see if something has been planted there to cause the website redirections.

Navigate via Windows Explorer to your C:\WINDOWS\system32\drivers\etc folder, find the Hosts file and open it with Notepad ... copy the contents here please.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member



Offline winchester73

  • Administrator
  • Hero Member
  • *****
  • Posts: 5077
  • Half a bubble off plumb
Re: I can not get to restore or even have norton run online virus scan
« Reply #55 on: January 04, 2009, 02:28:38 PM »
Note to self:

IP address:                     61.166.68.71
Reverse DNS:                    [Timeout]
Reverse DNS authenticity:       [Unknown]
ASN:                            4134
ASN Name:                       CHINANET-BACKBONE (No.31,Jin-rong Street)
IP range connectivity:          3
Registrar (per ASN):            APNIC
Country (per IP registrar):     CN [China]
Country Currency:               CNY [China Yuan Renminbi]
Country IP Range:               61.128.0.0 to 61.191.255.255
Country fraud profile:          Normal
City (per outside source):      Beijing, Beijing
Country (per outside source):   CN [China]
Private (internal) IP?          No
IP address registrar:           whois.apnic.net
Known Proxy?                    No
Link for WHOIS:                 61.166.68.71
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member



Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #56 on: January 04, 2009, 09:28:03 PM »
I have found a HKCU entry in HijackThis but it will not delete; it keeps coming back as soon as I do a log. See if this will post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23:15, on 04/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Muiltmedia keyboard utility\2.2D\KbdAp32A.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
E:\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.166.68.71:80
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\2.2D\MMKEYBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] E:\HijackThis.exe /startupscan
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ColdFusion Monitoring Service (ClusterCATS Service) - Unknown owner - C:\CFusion\cfam\program\ccmgr.exe (file missing)
O23 - Service: ColdFusion Management Repository Server (ColdFusion Management Repository) - Unknown owner - C:\CFusion\jrun\bin\jrun.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe

--
End of file - 9136 bytes

Offline nash017

  • Jr. Member
  • **
  • Posts: 63
Re: I can not get to restore or even have norton run online virus scan
« Reply #57 on: January 04, 2009, 09:30:03 PM »
Hi Winchester, I think the Host file must be too big to download :thud:
Nash

Offline winchester73

  • Administrator
  • Hero Member
  • *****
  • Posts: 5077
  • Half a bubble off plumb
Re: I can not get to restore or even have norton run online virus scan
« Reply #58 on: January 04, 2009, 10:46:47 PM »
Got your PM, thanks.  It will take some time to sort out what Spybot has put there ...  :)

In the meanwhile, boot into safe mode, run HJT again, and "fix" this:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 61.166.68.71:80

Then reboot normally, and see if it has disappeared ...
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member



Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11228
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: I can not get to restore or even have norton run online virus scan
« Reply #59 on: January 04, 2009, 10:55:49 PM »
Ah, Winchester replied while I was looking things over.  If booting to safe mode doesn't solve the problem, give this a try.  

Close all programs.  Launch IE7 > Tools > Internet Options > Connections > LAN Settings > Remove all the proxy server entries.  Restart the computer.  

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
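The two replies above both point at the same setting: the per-user ProxyServer value under Internet Settings, which HijackThis reports as an R1 line and which the IE7 LAN Settings dialog edits. As an added example (not part of the thread or of HijackThis itself), the script below parses R1 ProxyServer lines from HJT log text and flags any proxy that points at a public address rather than a loopback or private one, so a helper triaging a log can spot the entry before deciding whether to "fix" it. The sample log is constructed here; its first line reproduces the entry quoted in reply #58, the second is an invented localhost proxy of the kind a local filtering tool registers.

```python
import ipaddress
import re

# Constructed sample of HijackThis log lines (not a real log from this thread,
# apart from the first R1 entry, which is the one quoted in reply #58).
SAMPLE_HJT_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 61.166.68.71:80
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Matches the R1 line HJT emits for the Internet Settings ProxyServer value.
R1_PROXY = re.compile(
    r"^R1 - (?P<hive>HK\w+)\\.*Internet Settings,ProxyServer = (?P<value>\S+)"
)


def parse_proxy_value(value):
    """Split a ProxyServer value into (scheme, host, port) tuples.

    The value is either a single "host:port" used for all protocols, or a
    semicolon-separated list such as "http=host:port;https=host:port".
    """
    entries = []
    for part in value.split(";"):
        if "=" in part:
            scheme, hostport = part.split("=", 1)
        else:
            scheme, hostport = "all", part
        host, sep, port = hostport.rpartition(":")
        if not sep:  # no port given
            host, port = hostport, ""
        entries.append((scheme, host, port))
    return entries


def classify_host(host):
    """Return 'loopback', 'private', 'public' for IP literals, else 'hostname'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def find_proxy_entries(log_text):
    """Return one finding per proxy endpoint found in R1 ProxyServer lines.

    A proxy pointing at a public address is marked suspicious: on a home PC
    there is rarely a legitimate reason for all browser traffic to be routed
    through an external host, and it is a common way to intercept traffic.
    """
    findings = []
    for line in log_text.splitlines():
        m = R1_PROXY.match(line)
        if not m:
            continue
        for scheme, host, port in parse_proxy_value(m.group("value")):
            kind = classify_host(host)
            findings.append({
                "hive": m.group("hive"),
                "scheme": scheme,
                "host": host,
                "port": port,
                "kind": kind,
                "suspicious": kind == "public",
            })
    return findings


if __name__ == "__main__":
    for f in find_proxy_entries(SAMPLE_HJT_LOG):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['hive']} {f['scheme']} -> {f['host']}:{f['port']} ({f['kind']})")
```

Run it on a saved HJT log by reading the file into `find_proxy_entries`. A hostname rather than an IP literal is reported as `hostname` and left for the reader to judge; only IP literals outside loopback and private ranges are flagged, which is exactly the case of the 61.166.68.71:80 entry Winchester asked to have fixed.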