gerbil 216 Industrious Poster

You are going to have to wipe your flashdrive and format it. Remove it. Then try this:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

You are in Chennai, I take it, aamdevan? Could you post the SAS and MBAM logs, please? They would be interesting for us. Your HJT log is clean, although I note that you could update IE to IE6 with W2000, SP4, for security purposes.
Perhaps try this scan....
==Please use IE or Firefox to do an online scan at panda:- http://www.pandasecurity.com/activescan/index/
-First Register [otherwise there will be no disinfection, merely detection] with a valid email address for the free online virus scan and follow through.
Unlike Kaspersky this scan does not require Java. Panda will clean only virii, but it is superb at listing other malwares which can then be targeted.
Please ATTACH to your post the log it produces.

gerbil 216 Industrious Poster

Not overheating....? If it checks the drive when it restarts, it's likely the drive caused the error. Backup what is important ready for the day when it won't start at all.

gerbil 216 Industrious Poster

And rubbing with your fingertip with toothpaste is a great way to remove those minor scratches on the cd surface. True.
So, pits washed with warm soapy water, and cleaned with toothpaste, it's all ready to go for a drive and get loaded.

gerbil 216 Industrious Poster

You're welcome, Kim.

gerbil 216 Industrious Poster

The entries in your first log beginning with this time stamp give me a problem... 6/18/2009 3:05:17 PM -ok, give YOU a problem. We cannot be seen to be helping folks who circumvent legitimate software restrictions. You must delete these patches before we can offer advice.

I don't think they were the source of your infection, but again, I don't see why patches should contain trojans if license circumvention is all they were about.
Nice to have a hijackthis log, though.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new FOLDER placed either alongside your program files or on your desktop and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe
-CLOSE ALL OTHER APPLICATIONS and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
Being now up to date with all patches is fine, but won't deal with an infection already in there. You might also try a rootkit scan... eg. GMER.

gerbil 216 Industrious Poster

You most likely have some malware causing this issue.. but I cannot tell what it is from your post. Why not run a hijackthis log and post it as a next step?

gerbil 216 Industrious Poster

So these files, autorun.inf and backupuser.exe, are not being recreated now? That's fine then, Neitz.

gerbil 216 Industrious Poster

Your sys is totally safe from intrusion with a decent firewall running.
On the other hand... why waste the electricity? Think of the earth, just a little bit.

gerbil 216 Industrious Poster

What brand, model, Kim? Java has nothing to do with mice. What process is using so much of your CPU time?

gerbil 216 Industrious Poster

Yes, you do have an infection there. Some is hidden. Your thread will probably be moved over to Viruses etc forum, but meanwhile..
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

Cool. Well, that seems to be all taken care of.
Cheers, Geoff. Good luck out there.

gerbil 216 Industrious Poster

The name of its creator? Obviously you have checked for that, and one is not there. It did not delete, which is interesting.... so rename it and see what complains, if anything, ever - it has not been accessed since its creation date. NV32643396.TMP.bak will do the trick. You could then upload it for scanning..
==Please go to this web page http://virusscan.jotti.org/, click browse and submit that file for examination: c:\windows\NV32643396.TMP; post the result.

gerbil 216 Industrious Poster

Reading.. it is possibly just PS and fan. But I can only guess.

gerbil 216 Industrious Poster

That looks better, illahae. Just one thing, what does this file relate to : c:\windows\NV32643396.TMP ?
If it is benign [check its properties] then remove a few of those specialist tools you have been throwing at this thing. This will uninstall Combofix and its quarantine.... Run:
combofix /u

gerbil 216 Industrious Poster

Skynet. A rootkit. So that is what was hiding msiebbar.dll
This should not take long, but because there are still two drivers to delete we will use Combofix to delete them, in case they are protecting other malware processes...
==Again please disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan:
Copy the text in the box to a notepad [format/wordwrap unchecked] and save as CFScript.txt to where you saved Combofix -that is, to your desktop.

Killall::

File::
c:\windows\NV32643396.TMP
c:\windows\system32\C3F30A4ADF.sys
c:\windows\system32\KGyGaAvL.sys

Driver::
C3F30A4ADF.sys
KGyGaAvL.sys

Good. Now drag the CFScript.txt icon onto the Combofix icon on your desktop. Combofix will start, let it run, if your firewall prompts then allow all; post the log.
[Check that the O18 entry is gone, let me know]

gerbil 216 Industrious Poster

Get CCleaner [see below].
Right. This method kinda ramps up... stop when you win. When you do, fix the O18 entry with hijackthis, and then run CCleaner.
For a start, in an Explorer window, go Tools, Folder options, View tab, and select Show hidden files and folders, Apply and Ok.
1:In a cmd window, run these two commands [you can paste them into the cmd window]:
cd c:\windows\system32
del /f /a ahr msiebbar.dll

2:If you can see the file in system32...
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Browse to the file, rclick it, choose Unlocker, remove any hooks...[ If the file or folder is locked then a window will appear with a list of processes locking the file or folder. Select the locks and click Unlock and you are done. It is recommended to Unlock wisely and to close open processes locking files or folder if any, but if only Explorer.exe is the culprit, do not hesitate!]
..choose Delete, and delete it.

If the file can not be seen, and the O18 entry still regenerates, then:
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of …

gerbil 216 Industrious Poster

Try del /f /a ahrs ...

cd c:\windows\system32
del /f /a ahrs uacinit.dll
If that does not work, and assuming that it is not hidden [in an Explorer window, go Tools, Folder options, View and select Show hidden files and folders], then...
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
-browse to uacinit.dll, rclick it, unlock it if needs be, and delete it.
Thinking about it more, there must be other related files there which restore/protect it.
==Download this file to your DESKTOP: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
.....or this file: http://subs.geekstogo.com/ComboFix.exe
-IMPORTANT! : disconnect from the web, turn off your Antivirus, Antispyware and Firewall for the duration of this scan. Don't forget to reset them before you go back on the web!
- to run it dclick the Combofix.exe icon and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.

gerbil 216 Industrious Poster

May I assume then that it is the old scroll ball type underneath? If so, open it up and drop out the ball, use your fingernail or similar to scrape dust, grease, banana skins off the two small rollers [the gunge appears as a dark ring, almost looking like it should be there...]. For cursor movement most mice use the default Windows driver, and it is a good one.

gerbil 216 Industrious Poster

I did tell you that some malware inserted those autorun.inf files; just deleting them may not cure the problem. And that you should run MBAM as a next step.

gerbil 216 Industrious Poster

The hijackthis log is clean. An important instruction for MBAM:
Be sure that everything is checked, and click Remove Selected.
And restart the machine if requested.
The Vista tool requires that you allow M$ to validate your OS first.. they don't wish to help people running pirated copies.... that is all.
Is there still a problem?

gerbil 216 Industrious Poster

Good Lord, nicen. That lil dark spot in the nighttime space photos of the states is down to your power drain, then! I had thought it was a patch of forest.
A 4870! Does that poke out the front of the case much? Give that other sys a lil power supply, too.
I spose the irq conflict comes from the two boys, both wanting to be on at the same time...but seriously, do you get an address with that IRQ conflict msg? If so, use Dev Mgmnt to pinpoint the resource type [it will be under View, ... then Memory]. It could be due to a faulty RAM module... run a memtest.
Do take the time to go outdoors once in a while.

gerbil 216 Industrious Poster

Ah.. you just beat me to it, crunchie.
In general....that is a legitimate winsock file in the hijackthis report - it is Windows Parental Control service, and in any event Hijackthis should NOT be used to modify the contents of winsock.

gerbil 216 Industrious Poster

Is it a wireless mouse? bluetooth, or 2.4GHZ one? Move cordless phones away....

gerbil 216 Industrious Poster

Ok, plastered. That often does work.. :)

gerbil 216 Industrious Poster

Yep. One would almost think that it would pay security companies to pay folks to write malware to keep the circle going. But they don't have to do that, there are enough misfits and individuals who do it for pay and pleasure. Anyway, it is a good argument for using free AV services.... there is no incentive then... :)

gerbil 216 Industrious Poster

Ed, try going into pgm files\internet explorer\.. and dclicking iexplore.exe. I think your IE icons are corrupted.

gerbil 216 Industrious Poster

Most likely, if this is a repetitive event, you have some badly coded malware on board. Or it could be due to not being up-to-date with Windows Updates... help us by using the Click Here link in the error window to find what module is causing the problem in svchost.

gerbil 216 Industrious Poster

That's good, neitz, so now we know the problem. But something put that file there, and it is likely still in your machine. I do strongly suggest you run MBAM as above. Post the log.

gerbil 216 Industrious Poster

Ah, okay, illahae.. It is gone, so you are pretty clear to go too. Ignore my post re SAS and Registry Editor - not required.
Cheers.

gerbil 216 Industrious Poster

Rclick and delete works for me. Or you can drag them somewhere... the bin, for example... desktop... there should be no trick to it, they are just shortcuts. As such, they are files, found here: C:\Documents and Settings\You\Application Data\Microsoft\Internet Explorer\Quick Launch, and can be deleted from there also.

gerbil 216 Industrious Poster

An example would be C:\ autorun.inf
Just use Explorer, expand each drive [partition] if it exists. If not, just run MBAM. These files are usually found in software cds to automatically start the installation process when you insert the cd, saves you hunting for setup.exe or whatever. But you can write all sorts of instructions into them. Naughty ones.
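
An added example, not code from the thread, that reads an autorun.inf the way the post describes and reports what it would launch. Both files are constructed: BENIGN_INF is the installer case; SUSPECT_INF is modelled on the autorun.inf/backupuser.exe pair mentioned earlier in the thread and hooks every way of opening the drive.

```python
import re

# Constructed autorun.inf samples (not taken from any poster's machine).
BENIGN_INF = """\
[autorun]
open=setup.exe
label=Product Install CD
"""

SUSPECT_INF = """\
[AuToRuN]
open=backupuser.exe
shellexecute=backupuser.exe
shell\\open\\command=backupuser.exe
shell\\explore\\command=backupuser.exe
shell=open
"""

LAUNCH_KEYS = ("open", "shellexecute")
VERB_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, matching section/key names case-insensitively."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Map each launch hook (open, shellexecute, shell\\<verb>\\command) to the file it runs."""
    targets = {}
    for key, value in entries.items():
        if key in LAUNCH_KEYS or VERB_COMMAND_RE.match(key):
            parts = value.split()  # drop any arguments after the program name
            targets[key] = parts[0].strip('"').lower() if parts else ""
    return targets


def assess(text):
    """Summarise what the file would launch and why a helper would call it naughty."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    hooked_verbs = {VERB_COMMAND_RE.match(k).group(1).lower()
                    for k in targets if VERB_COMMAND_RE.match(k)}
    flags = []
    if hooked_verbs:
        flags.append("hooks Explorer verbs %s: right-click Open/Explore also runs it"
                     % sorted(hooked_verbs))
    if entries.get("shell", "").lower() in hooked_verbs:
        flags.append("default double-click verb redirected to a hooked command")
    if len(targets) > 1 and len(set(targets.values())) == 1:
        flags.append("all %d hooks converge on one binary" % len(targets))
    return {"targets": targets, "flags": flags}
```

A clean installer disc yields one target and no flags; the suspect file yields four hooks on one binary.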

gerbil 216 Industrious Poster

Okay, it slipped my mind your having Superantispyware: Please disable it from starting with Windows via the system tray control centre. Restart your sys, and then fix that O18 entry with hijackthis, then re-enable SAS.
Or this may get by SAS and fix it:
==Please copy the text in the box to a notepad [format/wordwrap unchecked] and save as fixkey.reg to your desktop; dclick it to run... agree; if it opens in notepad instead rclick the icon [file], choose Open with, Registry editor....

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{27ad87fe-f8bf-4593-8e1e-9e7ca6a99ca6}]

gerbil 216 Industrious Poster

Fix these with hijackthis:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
O20 - Winlogon Notify: byXOhFyy - byXOhFyy.dll (file missing)
Kick McAfee...and that should be all. How is the machine, now?

gerbil 216 Industrious Poster

"All I have to do is start typing the file name in search and everything shuts down." Wow, neat work by the pest. Okay, let's test this:
==This one is a general purpose deleter, Unlocker: http://filehippo.com/download_unlocker/
Dclick the exe to install it, unchecking the updater and assistant boxes. It runs from the rclick context menu, and that is cool.
Good, now NAVIGATE [browse] to that file: c:\program files\Manson\liser.dll, rclick it, and choose Unlocker. "If the file or folder is locked then a window will appear with a list of processes locking the file or folder. Select the locks and click Unlock and you are done." Select delete, and ok.

gerbil 216 Industrious Poster

Aw... please don't run registry cleaners. They just don't do anything worthwhile. If you really want to speed up registry access then remove spaces and defragment it - sysinternals have a pgm for doing that latter.

gerbil 216 Industrious Poster

Okay on the MBAM action... did you miss fixing this one with hijackthis?:
O18 - Filter hijack: text/html - {27ad87fe-f8bf-4593-8e1e-9e7ca6a99ca6} - C:\WINDOWS\system32\msiebbar.dll
It is a protocol hijack key for a trojan downloader, but you say you could not find the file - Avira may have caught it.

gerbil 216 Industrious Poster

weirdos? And you expect help after this?

gerbil 216 Industrious Poster

Hello, bati. Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O4 - HKCU\..\Run: [SystemManger] C:\Program Files\Internet Explorer\iexplorer.exe
O4 - HKUS\S-1-5-21-1935655697-1897051121-725345543-500\..\Run: [SystemManger] C:\Program Files\Internet Explorer\iexplorer.exe (User '?')
O13 - DefaultPrefix:
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:

Delete this file: C:\Program Files\Internet Explorer\iexplorer.exe [it's okay... the correct file is iexplore.exe, and it may still be in the Internet Explorer folder].
Post another log run afterward with your comments, please.

gerbil 216 Industrious Poster

Okay, nicen. The fan speed being so high may be due to some monitoring fault, what with the 12V being out, I just don't know. I do know the fan speed monitor [in the fan itself] can fail and leave the fan running flat out.
850W. Wow. Are you planning on crossfired gaming cards? 850W is a toaster. :)

gerbil 216 Industrious Poster

True. So if you only get hit by old viruses, you're laughing.
Avast. I depend upon it.

gerbil 216 Industrious Poster

I might have known it.. there actually is a bestsitetobe.com

gerbil 216 Industrious Poster

Okay, when you type in a URL, say http://www.bestsitetobe.com, the web does not recognise that as a valid machine address, so it is converted to one, an IP address, say 234.34.121.005 which is linked to a machine or server somewhere in the world. To do that conversion a DNS server gets involved - those servers maintain URL <> IP address lists. Your ISP assigns you to one or two of them, and those DNS servers will have their IP addresses loaded into your router at log-on to your ISP. A DNS hijack then is when malware loads in its own DNS servers... you enter a URL, their DNS servers put in a selected IP address, which may not be the correct one. Get rid of those two.
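
The check a helper would run for the hijack described above, as an added example that is not from the thread: parse a constructed "ipconfig /all" excerpt and flag resolvers that are neither on the adapter's own subnet (the router case the post describes) nor in an allowlist of known ISP or public resolvers. The 203.0.113.x addresses are documentation-range placeholders, not the addresses from the poster's logs.

```python
import ipaddress
import re

# Constructed "ipconfig /all" excerpt: the adapter is addressed from the home router,
# but the DNS servers have been replaced by two addresses outside the LAN.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.5
                                            203.0.113.6
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "Name . . . . : value" lines; the dots are padding, the value may be empty.
FIELD_RE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z -]*?)[ .]*: ?(?P<value>.*)$")
# Continuation lines carry only an indented address (second DNS server, etc.).
CONT_RE = re.compile(r"^\s+" + IPV4 + r"\s*$")


def parse_ipconfig(text):
    """Return {field name: [values]}; multi-valued fields continue on address-only lines."""
    fields, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = m.group("name").strip()
            values = fields.setdefault(current, [])
            if m.group("value").strip():
                values.append(m.group("value").strip())
            continue
        c = CONT_RE.match(line)
        if c and current:
            fields[current].append(c.group(1))
    return fields


def rogue_resolvers(fields, trusted=()):
    """DNS servers not on the adapter's own subnet and not in the caller's allowlist."""
    trusted = {ipaddress.ip_address(t) for t in trusted}
    nets = [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for ip, mask in zip(fields.get("IP Address", []), fields.get("Subnet Mask", []))]
    rogue = []
    for server in fields.get("DNS Servers", []):
        addr = ipaddress.ip_address(server)
        if addr not in trusted and not any(addr in net for net in nets):
            rogue.append(server)
    return rogue
```

Pass the ISP's published resolvers (or the public ones you chose) as `trusted`; anything left over is what the post tells you to get rid of.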

gerbil 216 Industrious Poster

To elaborate on what godspeed posted.. those IP addresses are for an address in New Delhi : is that valid for you, plastered? They have persisted throughout all your posted logs, including those in the other forum...

gerbil 216 Industrious Poster

grvs, there is a key in registry which will auto-reset your homepage if you change it. An example of pestilence, for sure, when it is set by some company whose product you have bought.
In this case though, it appears that a malware has set it, and that will require removal. You need administrative powers to run those tools. It would be handy if you could at least run hijackthis.

gerbil 216 Industrious Poster

Neitz, check in the root of each affected drive to see if there is a file called autoruns.inf: if so, delete it. Then...
==Please download Malwarebytes' Anti-Malware
from: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
or: http://www.besttechie.net/tools/mbam-setup.exe
=Dclick that file, mbam-setup.exe, to install the application,
-ensure that it is set to update and start, else start it via the icon, and UPDATE it.
Select "Perform QUICK Scan", then click Scan; the application will guide you through the remaining steps.
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you when it completes... do not click the Save Logfile button.
Examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
Copy and post that log [it is also saved under Logs tab in MBAM].

gerbil 216 Industrious Poster

Okay, please restart in Normal Mode, and run MBAM again. And this time:
ENSURE that EVERYTHING found has a CHECKMARK against it, then click Remove Selected.
If malware has been found [and removed] MBAM will automatically produce a log for you... do not click the Save Logfile button.
When it completes examine the log: if some files are listed as Delete on Reboot then restart your machine before continuing.
This way, I get to see the actions performed by MBAM on detected objects.

gerbil 216 Industrious Poster

Please do not use Rapidshare for posting logs. Post them here.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
O4 - HKLM\..\Run: [13930784] C:\Documents and Settings\All Users\Application Data\13930784\13930784.exe
O4 - HKLM\..\Run: [93940776] C:\Documents and Settings\All Users\Application Data\93940776\93940776.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted …

illahae commented: The guy/gal is a frickin wizard! +1
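
An added example, not the poster's or HijackThis's own code, that applies the triage used in the posts above (the orphaned O2/O20 list, the O18 filter hijack for msiebbar.dll, bati's O4/O13 list and the O15 Trusted Zone list just above) to a constructed log. The Avira O4 line is a benign control; the iexplorer.exe lookalike table and the numeric-folder heuristic are this example's own rules.

```python
import re

# Constructed HijackThis log, modelled on the entries quoted in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKCU\\..\\Run: [SystemManger] C:\\Program Files\\Internet Explorer\\iexplorer.exe
O4 - HKLM\\..\\Run: [13930784] C:\\Documents and Settings\\All Users\\Application Data\\13930784\\13930784.exe
O4 - HKLM\\..\\Run: [avgnt] C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe
O13 - WWW Prefix:
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O18 - Filter hijack: text/html - {27ad87fe-f8bf-4593-8e1e-9e7ca6a99ca6} - C:\\WINDOWS\\system32\\msiebbar.dll
O20 - Winlogon Notify: byXOhFyy - byXOhFyy.dll (file missing)
"""

# Names one character away from a legitimate Windows binary (iexplore.exe is the real one).
LOOKALIKES = {"iexplorer.exe": "iexplore.exe"}

# O4 lines look like: O4 - <hive>\..\Run: [<name>] <path> [(User '...')]
O4_RE = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?)(?: \(User '.*'\))?$")


def triage(log_text):
    """Return (section, reason, line) for each entry a helper would tell the poster to fix."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section == "O2" and line.endswith("(no file)"):
            findings.append((section, "orphaned BHO, file no longer present", line))
        elif section == "O4":
            m = O4_RE.match(line)
            if m:
                parts = m.group("path").split("\\")
                exe = parts[-1].lower()
                parent = parts[-2] if len(parts) > 1 else ""
                if exe in LOOKALIKES:
                    findings.append((section, f"lookalike of {LOOKALIKES[exe]}", line))
                elif parent.isdigit() or exe.rsplit(".", 1)[0].isdigit():
                    findings.append((section, "autorun from numeric-named folder/file", line))
        elif section == "O13":
            findings.append((section, "IE prefix hijack", line))
        elif section == "O15":
            findings.append((section, "domain added to Trusted Zone", line))
        elif section == "O18" and "Filter hijack" in line:
            findings.append((section, "MIME filter hijack (trojan downloader hook)", line))
        elif section == "O20" and line.endswith("(file missing)"):
            findings.append((section, "Winlogon Notify DLL missing", line))
    return findings


if __name__ == "__main__":
    for sec, reason, entry in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {entry}")
```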
gerbil 216 Industrious Poster

Mmm... okay, go into safe mode, rename mbam.exe to boom.exe, try to run it there for a start.

gerbil 216 Industrious Poster

In Safe Mode delete these two files: ckaafkkerqmyugky.dll and cfrdxdijbmienkkc.dll. You might also check in system32\drivers for a file commencing with tdss..., a .sys file. Rename it. Say to tdss...sys.bak
Next, rename the MBAM installer, delete the other MBAM files, run the installer, rename the mbam.exe to boom.exe, see if it will run. Rename hijackthis.exe also, try to run it.