Hey, Thanks in advance for your help.
I recently had a few Trojans. They did a few nasty things to my computer including preventing me from updating all my anti-virus software.
I finally got rid of everything through perusing the forums here and elsewhere. I downloaded Malwarebytes on a clean machine and uninstalled and reinstalled on the infected machine. (I also copied the rules.ref file so I would have the updated defs.) I did a similar thing with SUPERAntiSpyware. I ran both and they seem to have deleted/quarantined many trojans/adware. I then was able to reinstall Comodo and update Comodo.
I still cannot update any antimalware programs except comodo.
First, is my machine clean? I have run the three programs above and all say no infections found.
Second, if clean, why can I not update SUPERAntiSpyware and Malwarebytes? The error message says to check my internet connection and make sure my firewall allows both programs. I went to the advanced options and set both programs to full access.
Thanks a ton for all your help
Shoeby
Please follow the guidelines of this sticky topic from another board here at the Comodo forums:
What to do if you’re infected - eXPerience Rev.2.
Maybe it is just your hosts file that has redirects for the IP addresses of the update servers of the program. The hosts file works like a DNS server, so when it gets edited you can block access to sites if you want. It does so by stating that a domain’s IP address is your own computer (localhost, with IP address 127.0.0.1).
Open Windows Explorer and navigate to \windows\system32\drivers\etc. Right-click on the hosts file, choose Properties and disable the write protection. Now open it with Notepad.
Now see what is stored in it. Take out all the things you see until it looks like this:
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Make sure the line 127.0.0.1 localhost is there. That is the key. The text above it is just comments.
When done, save the file and close Notepad. Notice that when you forget to take out the write protection it will complain it can’t save and will suggest saving it as a text file. In that case just close without saving and take out the write protection as described. Also make sure none of your security programs are keeping an eye on the hosts file.
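As an added illustration of the hosts-file check described in the reply above (example code written for this page, not from the thread or from Comodo), a small Python audit that parses a Windows hosts file, confirms the `127.0.0.1 localhost` line is present, flags every other name pinned to loopback or pointed at a foreign address, and rebuilds the comments-plus-localhost baseline the reply asks for. The sample hosts content and the domain names in it are constructed.

```python
"""Audit a Windows hosts file for the tampering described in the thread: names
pinned to the loopback address (which blackholes them) or pointed at some other
machine. Hypothetical helper written for this page; SAMPLE_HOSTS is constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HostsAudit:
    has_localhost: bool = False
    loopback_overrides: list = field(default_factory=list)  # (line, name) pinned to 127.x / ::1
    foreign_mappings: list = field(default_factory=list)    # (line, name, ip) sent elsewhere
    malformed: list = field(default_factory=list)           # (line, text) that did not parse


def parse_hosts_line(line):
    """Return (ip, [names]) for an active entry, or None for blank/comment-only lines.
    Raises ValueError when the first field is not an IP or no hostname follows it."""
    body = line.split("#", 1)[0].strip()           # everything after '#' is a comment
    if not body:
        return None
    parts = body.split()
    if len(parts) < 2:
        raise ValueError(f"no hostname on line: {line!r}")
    ip = ipaddress.ip_address(parts[0])            # ValueError if not valid IPv4/IPv6
    return ip, [name.lower() for name in parts[1:]]


def audit_hosts(text):
    """Classify every active mapping; only 'localhost' on loopback is expected."""
    audit = HostsAudit()
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_hosts_line(raw)
        except ValueError:
            audit.malformed.append((lineno, raw.strip()))
            continue
        if parsed is None:
            continue
        ip, names = parsed
        for name in names:
            if ip.is_loopback and name == "localhost":
                audit.has_localhost = True
            elif ip.is_loopback:
                audit.loopback_overrides.append((lineno, name))   # host blackholed
            else:
                audit.foreign_mappings.append((lineno, name, str(ip)))
    return audit


def baseline_hosts(text):
    """Rebuild the file as the reply asks: keep comments and the localhost line,
    drop every other mapping (and anything unparsable); add localhost if missing."""
    kept, have_localhost = [], False
    for raw in text.splitlines():
        try:
            parsed = parse_hosts_line(raw)
        except ValueError:
            continue
        if parsed is None:
            kept.append(raw)                       # blank line or comment
        elif parsed[0].is_loopback and parsed[1] == ["localhost"]:
            kept.append(raw)
            have_localhost = True
    if not have_localhost:
        kept.append("127.0.0.1 localhost")
    return "\n".join(kept) + "\n"


# Constructed sample modelled on the thread: one stock comment, the expected
# localhost line, and three kinds of entries the audit should call out.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-2006 Microsoft Corp.",
    "# 102.54.94.97     rhino.acme.com          # source server",
    "127.0.0.1       localhost",
    "127.0.0.1       localmachine               # Inserted By STOPzilla",
    "127.0.0.1       updates.av-vendor.example  # constructed: update server blackholed",
    "198.51.100.7    www.bank.example           # constructed: sent to a foreign address",
    "127.0.0.1www.broken.example                # constructed: missing whitespace",
])

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print("localhost line present:", result.has_localhost)
    for lineno, name in result.loopback_overrides:
        print(f"line {lineno}: {name} pinned to loopback (access to that host is blocked)")
    for lineno, name, ip in result.foreign_mappings:
        print(f"line {lineno}: {name} redirected to {ip}")
    for lineno, text in result.malformed:
        print(f"line {lineno}: could not parse: {text}")
    print("--- cleaned file ---")
    print(baseline_hosts(SAMPLE_HOSTS), end="")
```

A loopback override is not automatically malicious (STOPzilla-style blocklists use the same trick), so the output is a list to review, not a verdict.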
Thanks for the promptness!!!
Ok I have 4 hosts files.
“hosts”, “hosts.bak”, “hosts.bho”, and “LMHosts” (the last is a SAM file, whatever that means)
hosts and hosts.bak have pretty random websites that look terrible. Can I delete these files? Also they have Stopzilla written a lot in these files. Should these be deleted?
I am following your guide that you posted.
The only one that looks like what you describe is LMHosts.
You mean I should delete these two lines:
102.54.94.102 “appname \0x14” #special app server
102.54.94.123 popular #PRE #source server
Here’s the contents:
Copyright (c) 1993-1999 Microsoft Corp.
This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
This file contains the mappings of IP addresses to computernames
(NetBIOS) names. Each entry should be kept on an individual line.
The IP address should be placed in the first column followed by the
corresponding computername. The address and the computername
should be separated by at least one space or tab. The “#” character
is generally used to denote the start of a comment (see the exceptions
below).
This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
files and offers the following extensions:
#PRE
#DOM:
#INCLUDE
#BEGIN_ALTERNATE
#END_ALTERNATE
\0xnn (non-printing character support)
Following any entry in the file with the characters “#PRE ” will cause
the entry to be preloaded into the name cache. By default, entries are
not preloaded, but are parsed only after dynamic name resolution fails.
Following an entry with the “#DOM: ” tag will associate the
entry with the domain specified by . This affects how the
browser and logon services behave in TCP/IP environments. To preload
the host name associated with #DOM entry, it is necessary to also add a
#PRE to the line. The is always preloaded although it will not
be shown when the name cache is viewed.
Specifying “#INCLUDE ” will force the RFC NetBIOS (NBT)
software to seek the specified and parse it as if it were
local. is generally a UNC-based name, allowing a
centralized lmhosts file to be maintained on a server.
It is ALWAYS necessary to provide a mapping for the IP address of the
server prior to the #INCLUDE . This mapping must use the #PRE directive.
In addtion the share “public” in the example below must be in the
LanManServer list of “NullSessionShares” in order for client machines to
be able to read the lmhosts file successfully. This key is under
\machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
in the registry. Simply add “public” to the list found there.
The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
statements to be grouped together. Any single successful include
will cause the group to succeed.
Finally, non-printing characters can be embedded in mappings by
first surrounding the NetBIOS name in quotations, then using the
\0xnn notation to specify a hex value for a non-printing character.
The following example illustrates all of these extensions:
102.54.94.97 rhino #PRE #DOM:networking #net group’s DC
102.54.94.102 “appname \0x14” #special app server
102.54.94.123 popular #PRE #source server
102.54.94.117 localsrv #PRE #needed for the include
#BEGIN_ALTERNATE
#INCLUDE \localsrv\public\lmhosts
#INCLUDE \rhino\public\lmhosts
#END_ALTERNATE
In the above example, the “appname” server contains a special
character in its name, the “popular” and “localsrv” server names are
preloaded, and the “rhino” server name is specified so it can be used
to later #INCLUDE a centrally maintained lmhosts file if the “localsrv”
system is unavailable.
Note that the whole file is parsed including comments on each lookup,
so keeping the number of comments to a minimum will improve performance.
Therefore it is not advisable to simply add lmhosts file entries onto the
end of this file.
Please open Hosts (the file without extension).
Ok here’s what that hosts file looks like. I guess I have/had plenty of trojans.
Ok deleted everything after localhost in hosts.
I ran BitDefender and it found nothing. Here are the HijackThis results.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:38 PM, on 5/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Stew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Stew\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = AOL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.udel.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKLM..\Run: [NvMediaCenter] “RunDLL32.exe” NvMCTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [nwiz] “nwiz.exe” /install
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [COMODO SafeSurf] “C:\Program Files\COMODO\SafeSurf\cssurf.exe” -s
O4 - HKLM..\Run: [COMODO Internet Security] “C:\Program Files\COMODO\COMODO Internet Security\cfp.exe” -h
O4 - HKLM..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM..\Run: [BDMCon] “C:\Program Files\Softwin\BitDefender10\bdmcon.exe” /reg
O4 - HKLM..\Run: [BDAgent] “C:\Program Files\Softwin\BitDefender10\bdagent.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-2457479915-1550490714-1572317860-1006..\Run: [DellSupport] “C:\Program Files\Dell Support\DSAgnt.exe” /startup (User ‘postgres’)
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘Default user’)
O4 - Global Startup: Startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Doyles Room Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\DOYLES~1\client.exe (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra ‘Tools’ menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra ‘Tools’ menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra ‘Tools’ menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/198ad95a378d5f391004/netzip/RdxIE2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 1: Intelligent Explorer[ieplugin.com ] OnScreen Portal - http://active.ieplugin.com/active/?17334984
–
End of file - 9994 bytes
Delete these in HijackThis:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
Unknown
O4 - Global Startup: Startup
O9 - Extra button: Doyles Room Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\DOYLES~1\client.exe (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra ‘Tools’ menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra ‘Tools’ menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
Unknown
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O24 - Desktop Component 1: Intelligent Explorer[ieplugin.com ] OnScreen Portal - http://active.ieplugin.com/active/?17334984
shoeby
May 29, 2009, 12:49am
Ok here’s the new log after I used hijackthis to delete the lines as instructed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:35 PM, on 5/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = AOL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.udel.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Download Manager Browser Helper Object - {19C8E43B-07B3-49CB-BFFC-6777B593E6F8} - C:\PROGRA~1\COMMON~1\fluxDVD\DOWNLO~1\XEBDLH~1.DLL
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [NvMediaCenter] “RunDLL32.exe” NvMCTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [nwiz] “nwiz.exe” /install
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [COMODO SafeSurf] “C:\Program Files\COMODO\SafeSurf\cssurf.exe” -s
O4 - HKLM..\Run: [COMODO Internet Security] “C:\Program Files\COMODO\COMODO Internet Security\cfp.exe” -h
O4 - HKLM..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM..\Run: [BDMCon] “C:\Program Files\Softwin\BitDefender10\bdmcon.exe” /reg
O4 - HKLM..\Run: [BDAgent] “C:\Program Files\Softwin\BitDefender10\bdagent.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-2457479915-1550490714-1572317860-1006..\Run: [DellSupport] “C:\Program Files\Dell Support\DSAgnt.exe” /startup (User ‘postgres’)
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘Default user’)
O4 - Global Startup: Startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/198ad95a378d5f391004/netzip/RdxIE2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.0\bin\pg_ctl.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
–
End of file - 7818 bytes
also these
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
Once rebooted, open IE, go to Internet Options, Internet Connections, LAN Network and make sure “use proxy server…” is NOT ticked.
and this
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
Dear shoeby,
As the writer of the “What to do if you’re infected” guide, I would like to ask you some questions.
Have you followed the guide?
Have you used all the applications I suggested?
Do you have any other antimalware products installed?
Thank you
yours sincerely,
Xan
shoeby
May 29, 2009, 5:24pm
Hey everyone,
First, thanks for all your help. The machine seems to be running well now. The only thing that is weird is the start-up. I have a hunch that one of the viruses/worms altered my startup because it’s some weird slower version. A friend suggested I reinstall the global startup folder; any ideas? (One day I got a random pop-up that said ‘global startup is a windows process and could not be deleted.’)
Thanks again for everything.
Dear eXPerience,
Thanks a ton for that great guide. As I originally stated, I perused this forum and others and attempted to rid myself of the infection before posting here. During that time I was able to run Malwarebytes, SUPERAntiSpyware and Comodo. I also ran Dr. Web fix-it in safe mode on the advice of a friend, and AVG. I had HijackThis but did not know how to use it really.
After posting here and being informed about your guide, I followed it. I downloaded BitDefender and posted the HijackThis log on the forum.
For the sake of organization:
yes
yes
Yes, the relevant applications include AVG, Ad-Aware and CCleaner.
Let me know if you would like any other info.
Again I can’t thank you enough.
To see what is starting and could be slowing it down, go to Start → Run → type msconfig → hit Run and go to the Startup tab. Then can you post a screenshot so we can see if anything is there that shouldn’t be there?
shoeby
May 29, 2009, 8:08pm
Ok here it is.
Also there are a ton of Microsoft services that aren’t running but are checked under the Services tab. Is there a good list of what should be running?
[attachment deleted by admin]
Can you make the window bigger so I can see all of them, including moving the dividers so I can see the full paths? Thanks.
shoeby
May 30, 2009, 5:17am
O0
[attachment deleted by admin]
Everything looks good from what I can see.