
PC World Forums: Viruses and Spyware, recovering from an outbreak.


#1 Iceyx
  • Member
  • Group: Members
  • Posts: 19
  • Joined: 03-September 06

Posted 19 August 2007 - 11:05 PM

So recently I got hit by a pretty bad outbreak of spyware/viruses while surfing the web. I thought I got it all after scanning with AVG 3 times, Spybot, Ad-Aware, HijackThis, and redid it all in safe mode. I also did a restore to 5 days earlier. My computer has run clean for about a month, until suddenly, while browsing a website that I hit almost hourly, AVG detected 4 trojans all attacking at once. I healed each of these, then some program started auto-installing itself (it was one of those "I'm a spyware healer... that is spyware!"); closing it would not work, so I quickly Ctrl-Alt-Deleted and stopped the process, and this halted the installation from the looks of things. I then immediately restored to 2 days before. Once that was done, I scanned with AVG, found a few trojans (svhost was one of them; I was waiting to get hit by something disguised as that!), healed, then deleted them from the virus vault.

Right after that, I loaded up Spybot, and ran into what I believe is a bug. It starts fine, scans for a few minutes, then picks up cookies at about 1/4 of the way in (Spybot searches for cookies at the end of its search, so this was weird). It tells me something along the lines of "user halted the scan process", and stopped scanning. A second try gave me the exact same results. So at this point I am a little worried; Spybot has never failed me before. I boot my computer into safe mode and try again. It works, but in safe mode it does not even detect the normal 10 or 12 cookies that it usually finds. It finds nothing. So I run AVG, and at around 60000 files scanned, it stops on one of the System Restore files (something like A0006043) and holds there for a good 10 minutes. Getting impatient, I attempt to quit out, but it refuses... I don't think AVG was meant for safe mode! So I just go right for the restart. Once Windows has booted back into normal mode, I run the HijackThis scan, and find nothing unusual that I have not seen before.

But I am not 100% sure that everything in my HijackThis log file is safe, even after googling every single thing in it. So here I am; nothing seems out of place, yet I have a feeling there is a trojan embedded somewhere on my drive, waiting another month to pop up and reinstall its fun stuff. I have not tried rerunning Spybot outside of safe mode yet, but I would assume it finds the important stuff while scanning in safe mode anyhow. I might pick up Trend Micro PC-cillin tomorrow, and Spy Sweeper, and let them have a go, but I want to avoid that. To be completely honest, I have never actually received a virus before that outbreak 1 month ago. Sure, I have downloaded my fair share of spyware, but my virus protection programs never picked anything up. This is why I am a bit leery about getting 2 outbreaks in such a short time. Unless my luck decided to die out, I think this most recent one was something left over from before. So what more can I do here? I don't want to repeat this; I wasted a good 3 hours running all these scans that I could be throwing into precious PC gaming time! If you need a HijackThis log file, I can supply one.

#2 Wainui
  • Advanced Member
  • Group: Members
  • Posts: 273
  • Joined: 15-September 06
  • Location: New Zealand

Posted 19 August 2007 - 11:39 PM

Download and run Trojan Hunter. It's a shareware program, but you can use it for free for 30 days. By that time hopefully you would have sorted out all your problems. Regarding your anti-virus programs, try Avast, which you will find here. Download Avast, but before installing it go into the Control Panel and uninstall AVG. Also try another anti-spyware program from here. A-Squared is good, so is Super-Antispyware. Uninstall Spybot first before running one of the others.

#3 SpiritWind
  • Expert
  • Group: Members
  • Posts: 1,921
  • Joined: 19-August 06

Posted 20 August 2007 - 09:16 AM

:D Hi Iceyx: One of the most important "Items" to mention is the SPECIFIC Name of your Operating System, usually either Win XP or Vista!? The Best Recommendations come from knowing this, otherwise we are guessing. In addition be SPECIFIC on WHICH AVG product you are using; I will assume it is their antiVIRUS!? However, they have one of the Best FREE antiSPYWARE programs IF your OS is Win XP or Win 2000. The FREE version of SUPERAntiSpyware from www.superantispyware.com is one of the Best FREE antiSPYWARE programs nowadays; Spybot & Ad-Aware are NOT. Would not bother with "Trojan Hunter", PC-cillin or SpySweeper. I suspect you MAY have a "Rogue" program on your computer; therefore, I recommend you try the FREE "RogueRemover" from www.malwarebytes.org/rogueremover.php. IF the 3 Programs I have recommended do NOT resolve your situation, I recommend you Post a HijackThis Log on one of the many Malware-fighting Support Forums, such as the one at "SpyWare BeWare", which are staffed by experienced, trained, certified Volunteer Experts. And you mentioned "Gaming Time"; you may have the latest trojan-rootkit which is making the "rounds" at some of the Gaming sites!?

#4 Iceyx
  • Member
  • Group: Members
  • Posts: 19
  • Joined: 03-September 06

Posted 20 August 2007 - 10:51 AM

I'll give it a shot then. I ran Trojan Hunter and found 8 trojans, many of which were located in my restore files. I'll get rid of Spybot next and install SUPERAntiSpyware. As for the operating system, I am running XP Home Edition.

#5 Iceyx
  • Member
  • Group: Members
  • Posts: 19
  • Joined: 03-September 06

Posted 20 August 2007 - 10:54 AM

And yes, AVG antivirus.

#6 lilxkid24
  • Expert
  • Group: Members
  • Posts: 1,948
  • Joined: 08-July 07

Posted 20 August 2007 - 11:06 AM

Or you can try Avast. Avast does a bit more picking up trojans and stuff.

#7 Iceyx
  • Member
  • Group: Members
  • Posts: 19
  • Joined: 03-September 06

Posted 20 August 2007 - 11:42 AM

Is Avast still free? If so I can snag it. SUPERAntiSpyware found another 10 important trojans (and around 101 cookies). It seems like every program finds its own thing...

#8 lilxkid24
  • Expert
  • Group: Members
  • Posts: 1,948
  • Joined: 08-July 07

Posted 20 August 2007 - 01:09 PM

Yes, Avast is free. You just have to register for a free CD key, which you do once a year after the 1-month or 3-month period has expired.

#9 TeMerc
  • Member
  • Group: Members
  • Posts: 37
  • Joined: 06-April 07
  • Location: Phoenix, Arizona

Posted 20 August 2007 - 10:03 PM

I wouldn't advise spending any $$ to remove what you're describing. Although it sounds like you got rooted. A HJT log file would be a good start though. One other thing you can run too, system gathering: download ComboScan to your desktop (alternate download link). Close all applications and windows. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt. Please attach Supplementary.txt to your post. Note: Some firewalls may warn that sigcheck.exe is trying to access the internet; please ensure that you allow sigcheck.exe permission to do so. At this point reboot the system, and post back another HJT log file along with the other two logs requested.

#10 Iceyx
  • Member
  • Group: Members
  • Posts: 19
  • Joined: 03-September 06

Posted 21 August 2007 - 09:52 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:51:40 PM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\SHAUN\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,DefaultPageURL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blizzard.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,DefaultPageURL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1094506279375
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard..../wowbeta/si.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

That's my most recent logfile after doing some serious cleaning. Anything good?

#11 TeMerc
  • Member
  • Group: Members
  • Posts: 37
  • Joined: 06-April 07
  • Location: Phoenix, Arizona

Posted 21 August 2007 - 10:37 PM

I don't see anything odd, just a single line from a previous uninstall.

Open HijackThis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [ ] next to them and press the [Fix Checked] button. When you are doing this, make sure you have no IE windows, nor any other browsers, open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Reboot and run HJT; if the above is gone, there is no need to repost with a new log.

Run ComboScan so we can be sure.
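Added illustration, not code from the thread or from HijackThis itself: a small Python triage pass over HijackThis-format lines that flags the kinds of entries TeMerc checked by eye (dangling "(no file)" / "(file missing)" entries like the O3 toolbar above, Winlogon/shell hooks, and services with no vendor string). The sample lines are constructed from the repaired log above, with paths as the log shows them; the rules are this example's own, not a HijackThis feature.

```python
import re

# Constructed sample in HijackThis 1.99.1 format, modelled on the log posted
# above (paths repaired); it is not the thread's full log.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every entry starts with a section code (R0/R1 IE URLs, O2..O23 BHOs, Run
# keys, services, ...) followed by " - "; headers and the process list do not.
ENTRY_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")

def parse_entries(text):
    """Return [(code, body), ...] for each entry line, skipping the rest."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def triage(text):
    """Return [(code, reason, body), ...] for entries worth a second look.
    Rules (the same things a forum helper checks by eye):
      * dangling entries: the referenced file is gone, '(no file)' or
        '(file missing)', usually leftovers of an uninstall (the O3 above)
      * O20/O21 hooks: DLLs loaded by winlogon / the shell, always worth reading
      * O23 services with no vendor string ('Unknown owner')
    Everything else is left alone; this prioritises review, it never 'fixes'.
    """
    findings = []
    for code, body in parse_entries(text):
        low = body.lower()
        if "(no file)" in low or "(file missing)" in low:
            findings.append((code, "dangling-entry", body))
        elif code in ("O20", "O21"):
            findings.append((code, "logon-hook", body))
        elif code == "O23" and "unknown owner" in low:
            findings.append((code, "unsigned-service", body))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:<4} {reason:<17} {body}")
```

Run against a full log, the output is a short list to read first, not a verdict; a "(no file)" line is usually harmless uninstall residue, exactly as TeMerc concluded for the O3 entry.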
