Hi
My IE homepage is set to the above mentioned page and resetting it to blank doesn't work. If you think there might be some danger in visiting this page, here are the contents(top 4 lines):

This Account Has Been Suspended

Why? There could be a few reasons why your account is suspended, the most common are...


Account Unpaid?

Unpaid accounts are suspended 10 days after the due date
however re-activation is INSTANT following payment, like this...


I found something on following website about this problem, but somehow I did not trust this website.
www.securitystronghold.com/gates/darker.html

I felt like the creator of both websites might be the same. And they might try to install something bad by prompting me to download there so called darker and svchost.exe removal tool. If somebody has tested this and trust them, then I will download their tool.

Also I feel there is some virus in my computer as I found wscript.exe in my task manager.This is my office computer and I have symantec anti-virus, but I don't like it. It anyways does a force scan every morning(over which I have absolutely no control) and does not find any virus.

I also tried ESET online scan but it completed in 0.00 secs, saying no threats have been found. I think my office network doesn't allow this kind of scanning. (As Kaspersky is still trying to get my computer configuration since last 30 minutes).

Any help guys...
(I haven't done everything that is written in the "Read me before posting a request for assistance", but if nobody knows the problem and solution, I will try to do whatever is written there)

Also this problem doesn't seem to cause any difficulties or bad things in my computer.

Recommended Answers

"Read me before posting a request for assistance" The instructions are quite clear that is why it is titled that way. Follow those steps.

Jump to Post

grvs, there is a key in registry which will auto-reset your homepage if you change it. An example of pestilence, for sure, when it is set by some company whose product you have bought.
In this case though, it appears that a malware has set it, and that will require …

Jump to Post

Sorry, but am a bit confused here since you said this

Then I downloaded Hijack this but when I click on Analyze this, it takes me to an error page.

but then you posted two logs from HiJackThis, so you were obviously able to run the program.
As gerbil said, …

Jump to Post

All 12 Replies

"Read me before posting a request for assistance" The instructions are quite clear that is why it is titled that way. Follow those steps.

I agree jholland, but its my office computer and I don't seem to have all the rights to perform all these actions. (Also I tried to perform online scans, checked my task manager process lists, which are part of that list) Here I am not saying I have done some of things in that list, so you should do something for me... that would be ridiculous. I was just wondering if anyone have come across this problem before so that I could take help from their experience.

grvs, there is a key in registry which will auto-reset your homepage if you change it. An example of pestilence, for sure, when it is set by some company whose product you have bought.
In this case though, it appears that a malware has set it, and that will require removal. You need administrative powers to run those tools. It would be handy if you could at least run hijackthis.

Thanks gerbil. I got some of the administrative access today, which includes regedit, command prompt, and installation of programs and I am able to download things from some of the websites. (Still no control over the symantec antivirus installed in my computer)

So i tried the to change the home page to blank (and google also) using regedit, but the virus/worm resets it to http://www.socio.fusionace.com/ (which is different from original but it redirects my IE home page to that page only)


Then I downloaded Hijack this but when I click on Analyze this, it takes me to an error page.
(Answer - Error running Hijack This)

I do have hijackthis.log (changed to .txt to upload) and startuplist.txt whose contents are as attached.

I also tried to empty my windows/temp folder but there are two files which I couldn't remove.
these are
C:\WINDOWS\Temp\QosServ.log
C:\WINDOWS\Temp\hsperfdata_SYSTEM\1612 (no extension)

Seems like I can't even read those files.

Thanks

Sorry, but am a bit confused here since you said this

Then I downloaded Hijack this but when I click on Analyze this, it takes me to an error page.

but then you posted two logs from HiJackThis, so you were obviously able to run the program.
As gerbil said, there is definitely malware on there and there are tools that must be run to remove it. Trying to do it manually may be next to, if not impossible as that can involve trying to track down multiple files in multiple locations on the computer. Leave just one of those files and the infections can rebuild themselves. Plus manual removal done the wrong way can render the computer useless.
You said you can download some programs did you download and run MBA-M? That one is key.

Ok again it seems that Hijackthis works on my computer but network doesn't allow it to send log files directly to Trend micro website. I will try MBA - M tomorrow (at home right now).

There is no reason to send files to Trend Micro. We are using these logs here so we are the ones who need to see them. Unless instructed by a helper here you wouldn't be sending files someplace else.

delete C:\WINDOWS\system32\FAantivirus.vbs
Edit key with IceSword beacuse with regedit it may show error
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
userinit C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\FAantivirus.vbs delete this string C:\WINDOWS\system32\FAantivirus.vbs and check keys below also

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Auto]
@="AutoPlay"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Auto\Command]
@="wscript.exe FAantivirus.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\AutoRun]
"Extended"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\AutoRun\command]
@="wscript.exe FAantivirus.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Explore]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Explore\Command]
@="wscript.exe FAantivirus.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Find]
@="Search..."

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Find\Command]
@="wscript.exe FAantivirus.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Format...]
@="Format..."

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Format...\Command]
@="wscript.exe FAantivirus.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\open]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\open\Command]
@="wscript.exe FAantivirus.vbs" from usedmachineryindia.com

mohitume,
I have no idea what it is that you have posted, an incomplete section of some sort of log obviously. This thread is three months old. You need to begin your OWN thread. State your problems. Give info on your computer, what symptoms you are having and what programs you have run to attempt to correct these problems. Somebody will then help you.

jholland1964 i dont know what do you want to prove. It is only solution of the above problem and i am proud that i am the first to post it. better than experts here

jholland1964 i dont know what do you want to prove. It is only solution of the above problem and i am proud that i am the first to post it. better than experts here

Look I am not trying to prove anything. You didn't even preface your reply with "This is the solution I used to fix the problem", you just posted a registry edit (without explaining that is what it was) which many are uncomfortable doing first of all and secondly if done wrong can really damage a computer.

It is only solution of the above problem and i am proud that i am the first to post it. better than experts here

Actually, it is not.

And, by the way, it is incomplete.

If it worked for you, great! :)
Did you clean your infected pen drive[s]?

And, why not save some hassle and just remove the MountPoints2 key altogether? That seems easier to me....

Many of the people posting for help in this Forum are novices and likely not comfortable using a tool such as IceSword. Especially without detailed instruction. But, since this is an open Forum, all are allowed to give advice and the posters are left to sort it out.

If you are willing to stick around and talk posters through your fix and address any complications they encounter along the way, I am sure the Daniweb community would welcome you.


Cheers :)
PP

Be a part of the DaniWeb community

We're a friendly, industry-focused community of 1.19 million developers, IT pros, digital marketers, and technology enthusiasts learning and sharing knowledge.