Help!

sandy10 · 6 Feb 2007 at 18:07

Hi guys

I'm using Firefox, with Comodo Firewall and Nod 32AV.

Recently, I have, when booting, been getting a number of alerts by Nod of infected items - I click delete / clear, only for them to return the next time I fire up.

I am also getting a lot more popups, despite having them blocked, such as "see Paris Hilton with no make up on" etc - no thanks!

I've tried using ad-Aware etc to no avail...any help?

Thanks

Fr0dders · 6 Feb 2007 at 18:15

browser hijack im guessing

try hijack this (google for it and post your log)

also, if the infected files keep comming back, that means theres something else thats infected, that re-creates the file

thats what you need to find.

try AVG free edition to try scanning for this, if norton wont pick it up ?

or maybe you need to boot into safemode to stop it from loading ?

sandy10 · 6 Feb 2007 at 18:17

Hi, where do I post my log?

Not sure what i'd do in safe mode!

bikes · 6 Feb 2007 at 18:19

You can either post it in the forum, or if you know about Hijack This you can post it here

sandy10 · 6 Feb 2007 at 18:21

ok, see below - means nothing to me! (if there are any filthy links in amongst this, it was my brother)

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\LClock\lclock.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\NICKSA~1\LOCALS~1\Temp\Rar$EX00.750\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129757619140
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/instant-play-en/FlashAX.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Biscuity · 6 Feb 2007 at 18:22

Are you using XP?

If so, turn off system restore before the Nod32 scan. Also scan again in safe mode.

Download AVG Anti Spyware on a 30 day free trial from http://www.ewido.net/en/download/

Run a scan with that too.

If those 2 don't fix it, run Hijack this & post your log here.

Edit: oops you've done it.

bikes · 6 Feb 2007 at 18:30

sandy10 said:
ok, see below - means nothing to me! (if there are any filthy links in amongst this, it was my brother)

Couldnt find no filthy links

But these can be removed:

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

No really obvious nastys stand out that I can see. Someone else who knows more about Hijack This may see something mate.

Biscuity · 6 Feb 2007 at 18:31

Remove this link my clicking the checkbox next to it & choose fix.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1

Then reboot & run Hijack this again. It may not be easy to get rid of. Close as many programs as you can before running Hijack this.

Biscuity · 6 Feb 2007 at 18:41

You could also delete:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder

ISPs have no business claiming that they supply IE! :rolleyes:

sandy10 · 6 Feb 2007 at 18:45

Ok, have done, fingers crossed! thanks!

Fr0dders · 7 Feb 2007 at 12:51

theres no obvious nasties in that log

just a bit of cleaing up that can be done

suggest you try AVG free anti virus or some other anti virus scanner with a free trial to get rid of it.

try running msconfig

and see whats listed in your startup process' anything you dont recognize, untick. you can allways put it back later.