Solved: Unable to remove this virus or malware

June 27, 2012 at 14:55:26
Specs: Windows XP, AMD Phenom 550/2GB DDR2
Hello,
I seem to be having a peculiar problem. My computer has just caught a virus or malware of some sort and I'm having a lot of trouble getting rid of it. I have tried several of the popular anti-malware programs, including Malwarebytes, all to no avail. Also, my anti-virus software has clamped up and is now totally useless.

Here is a brief description of the problems I'm facing:
1) I'm unable to access certain websites. Some of them are popular websites like CNet, while some are ones I regularly frequent, including random forums I'm a member of. I'm able to access them perfectly fine using a proxy, though.

2) The real-time protection guard of any antivirus I install perpetually appears to be off and I can find no way to switch it back on. I was using Avira and, when I discovered that I could no longer switch its guard on, I proceeded to uninstall it and install Avast, only to find the same situation repeat itself.

3) A popular program I use, Daemon Tools, has also stopped working and throws an error now whenever I try to run it. The error goes something like "DT needs Win2k or higher. Or Kernel Debugger must be disabled".

I'm convinced that this is all the work of a single entity and I've tried every solution I've come across through Google. But nothing seems to work. I'd be deeply grateful if anyone can give me a hand in resolving this issue.
Thanks in advance and any help is greatly appreciated. :)







#1
June 27, 2012 at 15:03:44
Can you switch the antivirus on if you disconnected from the internet?

I am a hardware guy not a software guy but i try to help.



#2
June 27, 2012 at 15:08:28
I tried this just now and it doesn't seem to have any effect. I'm still unable to switch it back on. Looks like whatever is causing this is definitely on my hard drive.

Thanks. Any help is appreciated. :)



#3
June 27, 2012 at 15:09:38
The best way of getting rid of it is to reinstall Windows.

I am a hardware guy not a software guy but i try to help.



#4
June 27, 2012 at 15:12:58
Err I was hoping that I could avoid that somehow. :(


#5
June 27, 2012 at 15:15:31
Can you find the process in Task Manager (if the virus isn't blocking it from opening)?

I am a hardware guy not a software guy but i try to help.



#6
June 27, 2012 at 15:18:51
I tried that but I can't seem to locate it.


#7
June 27, 2012 at 15:20:13
When did it start?
Did it start when you went on a certain website?

I am a hardware guy not a software guy but i try to help.



#8
June 27, 2012 at 15:22:37
It started sometime yesterday. I don't know which website; it could have been any of the ones I visited.
Though I have a few ideas. A website I went to asked me to install a tool. Since it was authored by Babylon, a reputable company, I went ahead with it.


#9
June 27, 2012 at 15:24:21
Can you do anything in safe mode?

I am a hardware guy not a software guy but i try to help.



#10
June 27, 2012 at 15:26:59
Hmm, I haven't tried that. But I can't switch off my machine right now. But I'll let you know soon. :)


#11
June 27, 2012 at 15:36:27
Reload it all from clean OEM disks. Then apply security suite and all updates. Then you can make an image. Next time this happens, you'll be able to return it faster.

A well protected system used correctly reduces the chance of a virus or malware.



#12
June 27, 2012 at 18:22:08
Novalight,
The Babylon virus will do this. Download SuperAntiSpyware (SAS) and Malwarebytes (MBAM) and update them.
Restart your PC in safe mode and run both MBAM and SAS from there, and include the logs in your next reply if anything is found. (Do a quick MBAM scan and a full SAS scan.)
In the SAS GUI window, find the tab with PUPs (Potentially Unwanted Programs) and check to remove any found.

Please reply and let us know if our help worked.



#13
June 28, 2012 at 04:30:27
jay, it's pretty much the same story in safe mode.

mortneff, I prefer not to format my disk just yet. But I intend to do what you said once I've got rid of this threat and secured some of my most important data.

MrGoodguy,
Following your directions, I reinstalled Malwarebytes and updated it to its latest version. It still doesn't find anything on the system. But SuperAntiSpyware found a few worms and removed them. The symptoms have still not gone, though. Anyway, here are the logs.
1) Malwarebytes:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.28.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Sriram :: SRIRAM-2713F517 [administrator]

6/28/2012 3:01:14 PM
mbam-log-2012-06-28 (15-01-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214202
Time elapsed: 8 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

2) SuperAntiSpyware:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/28/2012 at 04:40 PM

Application Version : 5.5.1006

Core Rules Database Version : 8812
Trace Rules Database Version: 6624

Scan type : Complete Scan
Total Scan Time : 01:17:12

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 564
Memory threats detected : 0
Registry items scanned : 35399
Registry threats detected : 3
File items scanned : 103967
File threats detected : 76

Adware.Tracking Cookie

Worm.SYSHost
HKLM\system\controlset001\services\syshost32
C:\WINDOWS\INSTALLER\{DF122263-CFEC-1B70-B703-518996924EC1}\SYSHOST.EXE
HKLM\system\controlset002\services\syshost32
HKLM\system\controlset003\services\syshost32

Also, I'm unable to find any PUPs tab in the SAS GUI.



#14
June 28, 2012 at 06:29:06
Help!! This has just got worse!

Since about an hour or so all websites are blocked. I can't even access google.



#15
June 28, 2012 at 07:45:13
If you've backed up your most important files (ones that you could never get back if deleted), you MUST reinstall Windows before it gets worse enough to harm your computer.

I am a hardware guy not a software guy but i try to help.



#16
June 28, 2012 at 14:53:32
Sorry, the PUPs advice was for MBAM.
Just a side note: "worms" on a PC are never good, to say the least. Even if we remove everything we can, there is no guarantee that your PC is totally clean.
If you do have the Windows CDs, you might just want to use a Linux Live disk to retrieve your important data and then reinstall Windows.

Please reply and let us know if our help worked.



#17
June 28, 2012 at 15:00:33
On a clean PC, download the Internet Connection Repair tool from this link and put it onto a flash drive:
http://www.pclive.com/index.php?pag...
Click "run test" and it will automatically fix the most common problems with your connection.

Please reply and let us know if our help worked.



#18
June 28, 2012 at 15:10:46
My net is working again. Just the sites mentioned previously are blocked now. I'm not sure anymore if this is a malware or just my ISP playing mischief. In any case, I'll try out what you suggested and let you know what happens.

As for backing up my data, I'll need to do that on another drive. And I'll also try to get a copy of Ubuntu to do the same. One can only hope that this virus, or whatever it is, doesn't thrive in Linux and that I can safely transfer files from one medium to another.

Anyway, thanks guys. I really appreciate this. :)

Edit: I tried this tool, but I'm not getting its UI. It starts and quickly disappears. Am I missing something?



#19
June 28, 2012 at 15:33:11
Linux viruses are very rare and I wouldn't worry about that, and it is really easy using a Linux Live disk to get your files etc. back.
The virus/worm is most likely trying to stop us from fixing your PC.
Can you try downloading HijackThis? This worm blocks HJT, so we will try and get around it by renaming it when you download it (to anything you want, just so you know which it is).
HJT download link: http://www.filehippo.com/download_h...

Please reply and let us know if our help worked.



#20
June 28, 2012 at 17:38:16
✔ Best Answer
'you MUST reinstall Windows before it gets worse enough to harm your computer.'
Bad advice... there are always progs that can fix any malware problem. Try these 2 free, fully working trials:
1- Trojan Remover
http://www.simplysup.com/tremover/d...
2- Hitman Pro
http://www.surfright.nl/en/downloads/
Run them both till they run clean.

If that doesn't remedy the situation then you can try combofix, that works when others fail...follow the guide and you should be fine:
http://www.bleepingcomputer.com/com...

Some HELP in posting on Computing.net plus free progs and instructions 7 Golds



#21
June 29, 2012 at 05:53:40
Re #18
"Just the sites mentioned previously are blocked now".

Might be worth checking to see if the blocked sites have been put in Hosts:
Go to Control Panel > Folder Options > View, and put a check mark in "Show hidden files and folders". For XP you can leave it that way.

Now follow this path:
"C:\Windows\System32\Drivers\etc". In there you should see a file named Hosts (with no file extension). Disable it by temporarily renaming it to Hostsx and see if that helps. If it is still the same after a restart, rename it back to Hosts, as it is not the culprit. If it helps, we can take it from there.

Another place websites can be blocked is in IE's Restricted Sites.
From IE go to "Tools > Internet Options > Security tab > Restricted Sites icon > Sites button". See if your blocked sites are shown there; if so, Remove them.

Always pop back and let us know the outcome - thanks
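A quick way to run the hosts-file check from the reply above against a copy of the file, as an added example that is not part of the original thread: it parses hosts-file syntax (comments, tabs, several names per line) and labels every public hostname that is pinned to loopback (which makes the site look blocked) or to an outside address (which silently redirects it). The sample file and hostnames are constructed, not the poster's.

```python
import ipaddress

# Constructed sample hosts file (not the poster's). On Windows the real file lives
# at C:\Windows\System32\drivers\etc\hosts, as the reply above says.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver.lan            # LAN host, the legitimate use of hosts
127.0.0.1       www.cnet.com              # public site pinned to loopback: looks "blocked"
0.0.0.0         forums.example.invalid    # same effect with the unspecified address
203.0.113.5     update.example-av.invalid # public site sent to someone else's server
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
# Address ranges where a hosts mapping is normal (RFC 1918, link-local, ULA).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "169.254.0.0/16", "fc00::/7", "fe80::/10")]


def parse_hosts(text):
    """Return [(ip, hostname)] pairs, one per name, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()                 # whitespace, tabs included
        if len(fields) < 2:
            continue
        for name in fields[1:]:               # one address may carry several names
            pairs.append((fields[0], name.lower()))
    return pairs


def classify(ip, name):
    """Label one entry: ok, blocked, redirected or malformed."""
    if name in LOCAL_NAMES:
        return "ok"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback or addr.is_unspecified:
        return "blocked"        # name resolves to this machine or to nowhere
    if any(addr in net for net in LAN_NETS):
        return "ok"             # private address: a LAN mapping
    return "redirected"         # public name pinned to some outside address


def audit_hosts(text):
    """Return only the entries worth a second look, as (verdict, hostname, ip)."""
    return [(classify(ip, name), name, ip)
            for ip, name in parse_hosts(text)
            if classify(ip, name) != "ok"]


if __name__ == "__main__":
    for verdict, name, ip in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10} {name} -> {ip}")
```

To check a real machine, read the file at the path above into `audit_hosts`; an empty result means the hosts file is not what is blocking the sites, which is the same conclusion the rename test gives.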



#22
June 30, 2012 at 14:41:16
Hey guys, thanks for all the replies. And sorry for responding a little late. Work really caught up with me. :P
Anyway, the strange new update is that all the sites got unblocked soon after. But soon after that, the speed of my net dropped off so low as to render even surfing a major pain in the rear. So I would definitely attribute that to my ISP now. But there are no changes in the status of the other two symptoms. My antivirus's guard is still inactive and I'm still getting the kernel error with DT.

MrGoodguy,
Here are the logs for HijackThis
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:50:42 AM, on 7/1/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winmine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ddrnw...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: uTorrentBar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS6ServiceManager] "C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sriram\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite...
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/obj...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/get...
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDBBA498-78E6-4AB9-A752-D80DA36612E2}: NameServer = 59.185.3.10,59.185.3.11
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AODService - Unknown owner - C:\Program Files\AMD\OverDrive\AODAssist.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: ES lite Service for program management. (ES lite Service) - Unknown owner - C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

--
End of file - 10368 bytes

XpUser4Real,
I'll try your solutions tomorrow. Just got back home and am dead beat. Just wanna go to sleep now. But thanks a million for your help; I really appreciate it. :)

Derek,
I had actually come across this solution earlier when I was looking for a solution through Google, and that hosts file proved not to be the culprit. But like I said earlier, I think it's my ISP who is to blame, though I'm not 100% sure. As for IE's list of restricted sites, I checked it just in case and found it empty. But thank you so much for offering to help. I'm very grateful. :)

You guys are all so nice. :)



#23
July 1, 2012 at 00:25:05
I suggest you run HJT again and mark the following for removal; there are a few entries that relate to the Conduit Toolbar (bad) and a Troj/BHO-DC (Trojan):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ddrnw...
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: uTorrentBar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDBBA498-78E6-4AB9-A752-D80DA36612E2}: NameServer = 59.185.3.10,59.185.3.11

Could you also open your "Run" box in your start menu, type "msconfig", and have a look through your startup list for the following:
PowerReg Scheduler (uncheck it so it does not start with Windows, or, if you are happy to remove it completely, add a check to it in HJT when you delete the other entries.)
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PowerReg Scheduler.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe

Please reply and let us know if our help worked.

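A removal list like the one above is easier to check mechanically than by eye, so here is an added example (my own code, not part of the thread or of HijackThis) that parses HijackThis-style log lines and flags the entries MrGoodguy marked, plus any O17 DNS override for manual confirmation. The sample log is constructed from lines quoted in this thread; the watchlist values (the uTorrentBar CLSID, the facemoods URL prefix and the PowerReg Scheduler.exe startup file) are taken from the post above, and the O17 rule is a generic "confirm against your ISP's servers" check, not a verdict on those particular addresses.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not part of the thread or of HijackThis. The watchlist below
is built from the entries marked for removal in the thread; the sample log is
constructed from lines quoted there plus two benign O23 service lines.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log: lines quoted in the thread (the O23 lines are benign).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=ddrnw...
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O2 - BHO: uTorrentBar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O4 - Startup: PowerReg Scheduler.exe
O4 - S-1-5-18 Startup: PowerReg Scheduler.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDBBA498-78E6-4AB9-A752-D80DA36612E2}: NameServer = 59.185.3.10,59.185.3.11
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
--
End of file - 10368 bytes
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

# Indicators taken from the entries marked for removal in the thread.
WATCHLIST = {
    "clsids": {"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"},  # uTorrentBar / Conduit toolbar
    "url_prefixes": ("http://start.facemoods.com/",),      # hijacked search assistant
    "startup_files": {"powerreg scheduler.exe"},           # O4 startup item to remove
}


@dataclass
class HjtEntry:
    kind: str                 # section code: R0, O2, O4, O17, O23 ...
    body: str                 # text after "<kind> - "
    clsid: str = ""           # lower-cased {GUID} if the line carries one
    path: str = ""            # trailing file path, or the O4 startup file name
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Split one log line into section code, CLSID and path; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = HjtEntry(m.group("kind"), m.group("body"))
    c = CLSID_RE.search(entry.body)
    if c:
        entry.clsid = c.group(0).lower()
    last = entry.body.split(" - ")[-1].strip()
    if DRIVE_RE.match(last):
        entry.path = last
    if entry.kind == "O4" and ": " in entry.body:
        # "O4 - <location>: <file> (User 'X')"  ->  "<file>"
        tail = entry.body.split(": ", 1)[1]
        entry.path = re.sub(r"\s*\(User '[^']*'\)$", "", tail).strip()
    return entry


def triage(entry: HjtEntry) -> bool:
    """Attach a reason for each rule the entry trips; True if any did."""
    if entry.clsid in WATCHLIST["clsids"]:
        entry.reasons.append("CLSID on the removal list (Conduit/uTorrentBar toolbar)")
    if entry.kind.startswith("R") and any(p in entry.body for p in WATCHLIST["url_prefixes"]):
        entry.reasons.append("search/start page redirected to a listed URL")
    if entry.kind == "O4" and entry.path.lower() in WATCHLIST["startup_files"]:
        entry.reasons.append("startup item on the removal list")
    if entry.kind == "O17":
        # Any O17 entry overrides DNS for an adapter; confirm it against the ISP/DHCP values.
        servers = entry.body.split("NameServer = ", 1)[-1]
        entry.reasons.append(f"DNS override to {servers}: confirm these are your ISP's servers")
    return bool(entry.reasons)


def triage_log(text: str):
    """Return the entries that need attention, in log order."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.kind:4} {e.path or e.clsid or e.body[:40]}")
        for r in e.reasons:
            print(f"       - {r}")
```

Run it on a saved HJT log by passing the file's text to `triage_log`; anything it does not flag still deserves a read, since the watchlist only knows the indicators from this one thread.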

#24
July 2, 2012 at 02:06:50
Hitman Pro did the trick :). It detected a rootkit worm which was in my system32/drivers folder and removed it from my system, following which my Avast became active again. As did DT once I reinstalled it.

MrGoodguy,
I've removed all those things. One curious thing about PowerReg was that it didn't show up in the list when I ran HijackThis for the second time. Maybe it was because I'd already disabled it from the start-up before I ran it again.

XpUser4Real,
I was unable to run Trojan Remover as I had already used it a couple of years ago to remove another problem. But like I said I was able to get the job done using Hitman Pro. :)

All my deepest thanks to jay_nar2012, mortneff, MrGoodguy, XpUser4Real and Derek for all your help and your patience. :)

One thing I find very curious. A real trojan or a worm would generally function discreetly and not announce its presence. But this one was screaming to be noticed seeing how it disabled my antivirus which was not even capable of detecting it. One is compelled to ask whether this was just created for mischief or to sell a few softwares. I wonder...

Just one more thing. While I had Avira its guard was disabled by the worm, but I could still perform a manual system scan on the system. But with Avast both functionalities were deactivated. So I was just wondering which antivirus I should keep installed on my system because I've heard that they both are good. Or is it one of the anti-spyware softwares I should keep installed instead of them both? Any suggestions?

Thanks again guys. :)


#25
July 2, 2012 at 07:07:18
XpUser4Real

Looks like Hitman Pro was largely responsible for nailing this - nice one.

Just for info, may I ask if this trial can be uninstalled then reinstalled again after the trial has expired, or does it prevent ordinary computer users from using it again? Same goes for the other trials you suggested.

Thxs

Always pop back and let us know the outcome - thanks


#26
July 2, 2012 at 08:38:11
Novalight
Glad things worked out for you....thanks for posting back as it may help others with similar problems...Happy Computing!


#27
July 2, 2012 at 10:38:11
Derek,
Most of these softwares make an entry into the registry. So even if you uninstall them, the record in the registry is not erased. So they won't work when you reinstall it a second time. But if you can delete its registry entry, then it's possible to reuse the trial versions. :)

XpUser4Real,
Nah, don't mention it. It was the least I could do.
Thanks. :)


#28
July 2, 2012 at 11:10:53
Novalight

I rather suspected they would prohibit re-install later - thanks for the confirmation.

For ordinary users it means you only get one stab at the cherry, so it emphasises the need to bolster up one's armoury to try to avoid a further infection. Programs like SpywareBlaster are worth installing and, for XP, "Drop My Rights" from MS (or run your system as a limited user if you can stand it).

Always pop back and let us know the outcome - thanks


#29
July 5, 2012 at 09:33:31
You're welcome Derek. :)

That's very true although I do remember hearing somewhere that a registry cleaner tool helps with a few of the trial versions. I wonder...

Hmm, so no ideas on what anti-virus I should keep?


#30
July 5, 2012 at 09:42:30
Avast seems to be the most popular AV around these parts. Unfortunately there are always going to be times when one AV will see what others miss.

I would keep MalwareBytes onboard and updated, to run on demand if you suspect trouble at any time.
