# VIRUS,VIRUS, Getting blocked accessing antivirus sites

1. Hey everyone

A computer in my posesion (a friends computer) has got a problem with running any antivirus/spyware or even updating or accessing any type of antivirus/antispyware sites, I was fortunate enough to get Hijack This to run via USB stick, Log is below.

I also managed to get Malwarebytes to run by changing the exe file name in the c/program files to xxx.exe, & no it is not porn as shown in the log, it did find some stuff, but not much, after rebooting I still am having the same problem, e.g. getting redirected to other sites & so on, I can't seem to get S&D to do anything at all either, it just hangs.

On top of all that, I tried a system restore, without any luck, everytime I thought it worked, it would reboot like it was working & then a message would appear stating that it was unsuccessful & that no changes have been made.

I am at wits end with what to do next, please if you see anything in the log below that seems to be not right, please let me know, thankyou in advance, regards Denis
------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:38 PM, on 06/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Alarm Me\AlarmMe.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
G:\Hijack This\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Malwarebytes' Anti-Malware\xxx.exe

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Flash and Media Capture Helper - {E8803722-A7F5-45C5-B39A-A8B244486EC2} - C:\Program Files\Common Files\MetaProducts\FMCapt.dll
O3 - Toolbar: Flash and Media Capture Bar - {650EB965-8A1D-41C9-A941-0578F5CFC569} - C:\Program Files\Common Files\MetaProducts\FMCapt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TL-WN821N 1.0\TWCU.exe" -nogui
O4 - HKLM\..\Run: [AlarmMe] "C:\Program Files\Alarm Me\AlarmMe.exe" "-h"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [InfoWonder] "C:\Program Files\InfoWonder\InfoWonder.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Alarm++.lnk = C:\Program Files\Alarm++\Alarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save &image with Flash and Media Capture - res://C:\Program Files\Common Files\MetaProducts\FMCapt.dll/saveimg.htm
O8 - Extra context menu item: Save &media files with Flash and Media Capture - res://C:\Program Files\Common Files\MetaProducts\FMCapt.dll/savemedia.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Save Media files - {F6F76DF4-FD65-4DE7-942F-4BD5DE9B1C6B} - C:\Program Files\Common Files\MetaProducts\FMCapt.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180151610265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180183893718
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: TP-LINK Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: MySQL - Unknown owner - C:\Program Files\PIM Xtreme\MySQL\bin\mysqld.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7797 bytes
2. IMO there comes a time when the amount of effort to clean a machine just isn't worth it and, frankly, after cleaning a heavily infected machine you can never be 100% certain you got everything. The alternative is to do a format and re-install.

Its a pain to go through a full format/re-install but then at least you know you will be starting with a clean machine. Install your OS and get all the devices working, then apply all the patches and the AV and anti-spyware. (At this point I might suggest creating an image of the system so it can be restored easily in the future). Then install the rest of the software, being careful if any of the apps were downloaded or otherwise obtained from non-original media.

Of course you should get the OK from the owner of the machine and ensure they have a backup of any personal data. Ensure you scan the data before restoring it back to the rebuilt machine.
3. Hey All

I can't do a reinstall because he has so much work stuff on the PC, however, I have just descovered that I can run NOD32 in safemode, it has found win32/Agent.ODG virus but can not get rid of it, maybe someone can help now that the virus has been identified, any ideas

regards Denis
4. Originally Posted by G)-(OST
Hey everyone

A computer in my posesion (a friends computer) has got a problem with running any antivirus/spyware or even updating or accessing any type of antivirus/antispyware sites, I was fortunate enough to get Hijack This to run via USB stick, Log is below.

I also managed to get Malwarebytes to run by changing the exe file name in the c/program files to xxx.exe, & no it is not porn as shown in the log, it did find some stuff, but not much, after rebooting I still am having the same problem, e.g. getting redirected to other sites & so on, I can't seem to get S&D to do anything at all either, it just hangs.

On top of all that, I tried a system restore, without any luck, everytime I thought it worked, it would reboot like it was working & then a message would appear stating that it was unsuccessful & that no changes have been made.

I am at wits end with what to do next, please if you see anything in the log below that seems to be not right, please let me know, thankyou in advance, regards Denis
------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Run your spyware stuff with the computer in safe mode and with NO internet connectivity.
5. Just trying out GMER, it's a root kit revealer, lets see what happens
6. Avast did the trick
7. For future reference there are many, many tools out there that do not require you to boot into Windows from the hard drive. You can use a live Linux CD and clamAV to get some things - clamAV isn't nearly as good as some other tools, but it will clean out some common items. Then you can find (or create your own) Windows PE environment, some virus companies offer free bootable CDs to do what you need to do.
8. hi there g, if you have a spare pc that is not in use. id set your friends pcs hdd as a slave, once you have done that you can get to the docs and settings on the root of c, from there you can get to his work. once you have back it all up id wipe it.
9. While you have the HDD as a slave you can scan it with as many AV and ASW as you want. I have done it many times.
Ewido on line is very good too.

Statistics