Hi
My IE homepage is set to the above-mentioned page and resetting it to blank doesn't work. If you think there might be some danger in visiting this page, here are the contents (top 4 lines):

This Account Has Been Suspended

Why? There could be a few reasons why your account is suspended, the most common are...


Account Unpaid?

Unpaid accounts are suspended 10 days after the due date
however re-activation is INSTANT following payment, like this...


I found something on the following website about this problem, but somehow I did not trust this website.
www.securitystronghold.com/gates/darker.html

I felt like the creator of both websites might be the same, and they might try to install something bad by prompting me to download their so-called darker and svchost.exe removal tool there. If somebody has tested this and trusts them, then I will download their tool.

Also, I feel there is some virus in my computer, as I found wscript.exe in my task manager. This is my office computer and I have Symantec anti-virus, but I don't like it. It does a forced scan every morning anyway (over which I have absolutely no control) and does not find any virus.

I also tried the ESET online scan, but it completed in 0.00 secs, saying no threats have been found. I think my office network doesn't allow this kind of scanning. (Kaspersky has been trying to get my computer configuration for the last 30 minutes.)

Any help, guys...
(I haven't done everything that is written in the "Read me before posting a request for assistance", but if nobody knows the problem and solution, I will try to do whatever is written there)

Also this problem doesn't seem to cause any difficulties or bad things in my computer.

"Read me before posting a request for assistance" The instructions are quite clear; that is why it is titled that way. Follow those steps.

I agree, jholland, but it's my office computer and I don't seem to have all the rights to perform all these actions. (Also, I tried to perform online scans and checked my task manager process list, which are part of that list.) Here I am not saying I have done some of the things in that list, so you should do something for me... that would be ridiculous. I was just wondering if anyone has come across this problem before, so that I could learn from their experience.

grvs, there is a key in the registry which will auto-reset your homepage if you change it. An example of pestilence, for sure, when it is set by some company whose product you have bought.
In this case, though, it appears that malware has set it, and that will require removal. You need administrative powers to run those tools. It would be handy if you could at least run HijackThis.

Thanks, gerbil. I got some administrative access today, which includes regedit, the command prompt and installation of programs, and I am able to download things from some websites. (Still no control over the Symantec antivirus installed on my computer.)

So I tried to change the home page to blank (and to Google) using regedit, but the virus/worm resets it to http://www.socio.fusionace.com/ (which is different from the original, but it redirects my IE home page to that page only).


Then I downloaded HijackThis, but when I click on Analyze This, it takes me to an error page.
(Answer - Error running HijackThis)

I do have hijackthis.log (changed to .txt to upload) and startuplist.txt, whose contents are attached.

I also tried to empty my windows/temp folder, but there are two files which I couldn't remove.
These are:
C:\WINDOWS\Temp\QosServ.log
C:\WINDOWS\Temp\hsperfdata_SYSTEM\1612 (no extension)

Seems like I can't even read those files.

Thanks

Attachments
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:18:18 PM, on 6/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\QosServM.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
D:\OracleBI\web\bin\sawjavahostsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\NOTEPAD.EXE
D:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.socio.fusionace.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fusion|Ace Enterprises
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.100.5.135:6588
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ggn01-mos02.*;*.ggn01-mos01.*;10.100.*.*;http://learning/default.aspx#;*.10.100.7.20.*,;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\FAantivirus.vbs
O1 - Hosts: 139.85.17.31 crmgateway.hns.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: AvayaIEHlprObj Class - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A} - C:\Program Files\Avaya\Avaya IP Softphone\AvayaWebDial.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: []  (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://mcpuk1.jpmorgan.com/llclient/webvpn-amer-card/winxp/AXXPEE.dll
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://internal.zelcomgroup.com/Remote/msrdp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://webvpn.jpmorganchase.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = QGC.COM
O17 - HKLM\Software\..\Telephony: DomainName = QGC.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = QGC.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = QGC.COM
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINDOWS\system32\QosServM.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logictree CTI Agent (LTAgent) - Unknown owner - C:\PROGRA~1\LOGICT~1\LTAgent\LTAgent.exe (file missing)
O23 - Service: Oracle BI Cluster Controller - Oracle Corporation - D:\OracleBI\server\Bin\NQSClusterController.exe
O23 - Service: Oracle BI Scheduler - Oracle Corporation - D:\OracleBI\server\Bin\NQScheduler.exe
O23 - Service: Oracle BI Server - Oracle Corporation - D:\OracleBI\server\Bin\NQSServer.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec An

StartupList report, 6/17/2009, 7:12:46 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP3 (6.00.2900.5512)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\QosServM.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
D:\OracleBI\web\bin\sawjavahostsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\NOTEPAD.EXE
D:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\qam00326\Start Menu\Programs\Startup]
WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Acrobat Speed Launcher.lnk = ?
Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\FAantivirus.vbs

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SoundMAXPnP = C:\Program Files\Analog Devices\Core\smax4pnp.exe
IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
Persistence = C:\WINDOWS\system32\igfxpers.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
ISUSPM Startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
ISUSScheduler = "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
WinampAgent = "D:\Program Files\Winamp\winampa.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - C:\Program Files\Avaya\Avaya IP Softphone\AvayaWebDial.dll - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A}

--------------------------------------------------

Enumerating Download Program Files:

[Confidence Online for Web Applications]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AXXPEE.dll
CODEBASE = https://mcpuk1.jpmorgan.com/llclient/webvpn-amer-card/winxp/AXXPEE.dll

[OnlineScanner Control]
InProcServer32 = C:\PROGRA~1\ESET\ESET Online Scanner\OnlineScanner.ocx
CODEBASE = http://download.eset.com/special/eos/OnlineScanner.cab

[Microsoft RDP Client Control (redist)]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\msrdp.ocx
CODEBASE = https://internal.zelcomgroup.com/Remote/msrdp.cab

[JuniperSetupSP1 Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\JuniperSetup.ocx
CODEBASE = https://webvpn.jpmorganchase.com/dana-cached/setup/JuniperSetupSP1.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,823 bytes
Report generated in 0.266 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only
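
The log above already contains the evidence the later replies act on. The block below is an added example, not part of the original thread and not HijackThis code: it triages a log in HijackThis's line format offline, splitting the F2 UserInit value on commas (the Winlogon Userinit value is a comma-separated command list, so anything after userinit.exe runs at every logon) and flagging the start page, proxy, hosts, script-running autorun and missing-service entries. The embedded excerpt is constructed from the entries posted above, and the HIGH/REVIEW/INFO labels are the example's own.

```python
"""Offline triage of a HijackThis log for the hijack indicators in this thread.

Added example; not part of the original thread and not HijackThis code.
SAMPLE_LOG is a constructed excerpt that mirrors the entries posted above,
and the severity labels (HIGH / REVIEW / INFO) are this example's own.
"""

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")

# Constructed excerpt (same entries as the posted log, same line format).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.socio.fusionace.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.100.5.135:6588
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\FAantivirus.vbs
O1 - Hosts: 139.85.17.31 crmgateway.hns.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
"""


def split_userinit(value):
    """The Winlogon Userinit value is a comma-separated list of commands run at every logon."""
    return [p.strip() for p in value.split(",") if p.strip()]


def userinit_findings(value):
    """Anything after the stock userinit.exe entry is a logon persistence hook."""
    parts = split_userinit(value)
    findings = []
    if not parts or not parts[0].lower().endswith("userinit.exe"):
        findings.append(("HIGH", "first UserInit entry is not userinit.exe: %r" % value))
    for extra in parts[1:]:
        low = extra.lower()
        if any(h in low for h in SCRIPT_HOSTS) or low.endswith(SCRIPT_EXTS):
            findings.append(("HIGH", "script launched at logon: " + extra))
        else:
            findings.append(("REVIEW", "extra UserInit command: " + extra))
    return findings


def triage(log_text):
    """Walk HijackThis lines; return (severity, reason, line) for each hit."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        code = line.split(" ", 1)[0]   # R0, R1, F2, O1, O4, O23, ...
        low = line.lower()
        if code == "F2" and "userinit=" in low:
            value = line.split("=", 1)[1]
            hits += [(sev, why, line) for sev, why in userinit_findings(value)]
        elif code in ("R0", "R1") and ("start page" in low or "default_page_url" in low):
            url = line.split("=", 1)[1].strip()
            if url.lower() != "about:blank":
                hits.append(("REVIEW", "browser start page set to " + url, line))
        elif code == "R1" and "proxyserver" in low:
            hits.append(("REVIEW", "proxy set; confirm it is the corporate proxy", line))
        elif code == "O1":
            hits.append(("REVIEW", "hosts file override", line))
        elif code == "O4" and (any(h in low for h in SCRIPT_HOSTS)
                               or any(e in low for e in SCRIPT_EXTS)):
            hits.append(("REVIEW", "autorun entry runs a script", line))
        elif code == "O23" and "(file missing)" in low:
            hits.append(("INFO", "service points at a missing binary", line))
    return hits


if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_LOG):
        print("%-6s %s\n       %s" % (sev, why, line))
```

Run it on a real hijackthis.log with `triage(open(path).read())`. REVIEW hits still need a human: the proxy at 10.100.5.135 and the hosts entry may well be the company's own, and the TSClient RunOnce line is a Windows installer helper that happens to run a .vbs, so the script only guarantees that the one HIGH hit, the script chained into Userinit, gets looked at.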
Sorry, but I am a bit confused here, since you said this:

Then I downloaded Hijack this but when I click on Analyze this, it takes me to an error page.

but then you posted two logs from HijackThis, so you were obviously able to run the program.
As gerbil said, there is definitely malware on there, and there are tools that must be run to remove it. Trying to do it manually may be next to impossible, if not impossible, as that can involve trying to track down multiple files in multiple locations on the computer. Leave just one of those files and the infections can rebuild themselves. Plus, manual removal done the wrong way can render the computer useless.
You said you can download some programs; did you download and run MBA-M? That one is key.

OK, again, it seems that HijackThis works on my computer, but the network doesn't allow it to send log files directly to the Trend Micro website. I will try MBA-M tomorrow (at home right now).

There is no reason to send files to Trend Micro. We are using these logs here so we are the ones who need to see them. Unless instructed by a helper here you wouldn't be sending files someplace else.

Delete C:\WINDOWS\system32\FAantivirus.vbs.
Edit the key with IceSword, because with regedit it may show an error:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
userinit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\FAantivirus.vbs
Delete this string: C:\WINDOWS\system32\FAantivirus.vbs, and check the keys below also:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Auto]
@="AutoPlay"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Auto\Command]
@="wscript.exe FAantivirus.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\AutoRun]
"Extended"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\AutoRun\command]
@="wscript.exe FAantivirus.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Explore]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Explore\Command]
@="wscript.exe FAantivirus.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Find]
@="Search..."

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Find\Command]
@="wscript.exe FAantivirus.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Format...]
@="Format..."

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\Format...\Command]
@="wscript.exe FAantivirus.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\open]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\open\Command]
@="wscript.exe FAantivirus.vbs"

from usedmachineryindia.com

mohitume,
I have no idea what it is that you have posted, an incomplete section of some sort of log obviously. This thread is three months old. You need to begin your OWN thread. State your problems. Give info on your computer, what symptoms you are having and what programs you have run to attempt to correct these problems. Somebody will then help you.

jholland1964, I don't know what you want to prove. It is the only solution to the above problem and I am proud that I am the first to post it, better than the experts here.

jholland1964, I don't know what you want to prove. It is the only solution to the above problem and I am proud that I am the first to post it, better than the experts here.

Look, I am not trying to prove anything. You didn't even preface your reply with "This is the solution I used to fix the problem"; you just posted a registry edit (without explaining that that is what it was), which, first of all, many are uncomfortable doing, and secondly, if done wrong, can really damage a computer.

It is the only solution to the above problem and I am proud that I am the first to post it, better than the experts here.

Actually, it is not.

And, by the way, it is incomplete.

If it worked for you, great! :)
Did you clean your infected pen drive[s]?

And, why not save some hassle and just remove the MountPoints2 key altogether? That seems easier to me....

Many of the people posting for help in this Forum are novices and likely not comfortable using a tool such as IceSword. Especially without detailed instruction. But, since this is an open Forum, all are allowed to give advice and the posters are left to sort it out.

If you are willing to stick around and talk posters through your fix and address any complications they encounter along the way, I am sure the Daniweb community would welcome you.


Cheers :)
PP
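
mohitume's listing above is a .reg export of one per-volume MountPoints2 key, and PhilliePhan's point is that removing that whole key (and cleaning the pen drive that seeded it) is simpler than editing each Shell\...\Command value one by one. The block below is an added example, not code from this thread or from IceSword, HijackThis or any other tool named here: it parses .reg text in that format, finds every MountPoints2 volume key whose command values launch a script host, strips everything but userinit.exe from the Winlogon Userinit value, and emits a .reg file that deletes those keys and restores the value. The embedded sample is constructed from the posted export (the second, clean GUID is invented for contrast); the stock XP Userinit value with its trailing comma is the Windows default, not something taken from the thread.

```python
"""Build a registry cleanup plan from a MountPoints2 .reg export.

Added example; not code from this thread or from IceSword/HijackThis.
SAMPLE_REG is constructed from the export posted above (the second GUID
is invented as a clean control). STOCK_USERINIT is the XP default value,
trailing comma included.
"""

MOUNTPOINTS2 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
STOCK_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")

# Value reported by HijackThis/StartupList in this thread.
TAMPERED_USERINIT = (r"C:\WINDOWS\system32\userinit.exe,"
                     r"C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\FAantivirus.vbs")

SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell]
@="Open"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\AutoRun\command]
@="wscript.exe FAantivirus.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79304312-9a8b-11de-8e38-00148598e886}\Shell\open\Command]
@="wscript.exe FAantivirus.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aaaaaaaa-0000-0000-0000-000000000000}\Shell\AutoRun\command]
@="explorer.exe"
"""


def parse_reg(text):
    """Minimal .reg reader: {key_path: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data.strip('"')
    return keys


def infected_volume_keys(keys):
    """Per-volume MountPoints2 keys with a Shell\\...\\Command that runs a script host."""
    prefix = MOUNTPOINTS2.lower() + "\\"
    hits = set()
    for path, values in keys.items():
        low = path.lower()
        if not low.startswith(prefix) or not low.endswith("\\command"):
            continue
        if any(h in values.get("@", "").lower() for h in SCRIPT_HOSTS):
            hits.add(path[: low.index("\\shell")])   # cut back to ...\MountPoints2\{GUID}
    return sorted(hits)


def sanitize_userinit(value):
    """Keep only the userinit.exe entry; return (clean value, removed commands)."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    kept = [p for p in parts if p.lower().endswith("userinit.exe")][:1]
    removed = [p for p in parts if not p.lower().endswith("userinit.exe")]
    clean = (kept[0] if kept else STOCK_USERINIT.rstrip(",")) + ","
    return clean, removed


def reg_escape(s):
    """.reg string data escapes backslashes and double quotes with a backslash."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def cleanup_reg(volume_keys, userinit_value):
    """A .reg file that deletes each listed key (leading '-') and resets Userinit."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in volume_keys:
        lines += ["[-" + key + "]", ""]
    lines += ["[" + WINLOGON + "]", '"Userinit"="' + reg_escape(userinit_value) + '"', ""]
    return "\n".join(lines)


def plan(reg_text, userinit_value):
    """Everything the cleanup needs, derived from the export and the current value."""
    vols = infected_volume_keys(parse_reg(reg_text))
    clean, removed = sanitize_userinit(userinit_value)
    return {"delete_keys": vols, "userinit": clean,
            "removed_from_userinit": removed, "reg_file": cleanup_reg(vols, clean)}


if __name__ == "__main__":
    print(plan(SAMPLE_REG, TAMPERED_USERINIT)["reg_file"])
```

Save the returned reg_file as cleanup.reg and import it with regedit (File > Import) or `reg import cleanup.reg` from the administrative account, after deleting the .vbs file; keep the full path and the trailing comma, since a Userinit value Windows cannot start leaves the account without a desktop at logon. Do the same check on any pen drive that carried the script: the MountPoints2 keys only cache the handlers Explorer read from the drive's autorun.inf, so a still-infected drive seeds them again on the next insert.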
