Avast reported a worm and now PC is slow

Hello,

Avast reported I had the ‘Win32:JunkPoly [Cryp]’ worm. Never heard of it, but it seems to have slowed down my PC. Kaspersky online scanner has also detected something a few days ago, which I scanned with Avast and put in the vault.

Something I have noticed (had a few days ago) is that I can’t use MSN Hotmail email service, I can’t view my emails, delete them or anything. I can’t watch TV on iPlayer (video doesn’t load), Facebook doesn’t work well (mum said she can’t view her friends) and I’m sure there’s more sites I won’t be able to use. I’ve reinstalled the latest Java, Flash Player (as well as Shockwave Player and Acrobat Reader), cleared internet history, done a disc cleanup and defrag.

SUPERAntiSpyware also found something. HijackThis in the next post as the forum doesn’t allow that many characters.

Any help is appreciated, thank you,
James.

http://i260.photobucket.com/albums/ii31/jamesyyyya/Untitled-2.png

(sorry the log opens up in Internet explorer so I had to make a print screen)

mIRC deleted and the other file is in the vault.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:12 PM, on 15/02/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Users\James\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\James\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\James\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://livefooty.doctor-serv.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM..\Run: [S3Funkey] S3Funkey.exe
O4 - HKLM..\Run: [S3Trayp] S3trayp.exe -chkautorun
O4 - HKLM..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O13 - Gopher Prefix:
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} (System Requirements Lab Class) - http://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
O23 - Service: SureThing Labelflash service - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Users\James\AppData\Local\TVersity\Media Server\MediaServer.exe


End of file - 6611 bytes

Have you tried

Malwarebytes Antimalware 1.44 http://filehippo.com/download_malwarebytes_anti_malware/
UPDATE after install and run a quick scan. Click the “REMOVE SELECTED” button to quarantine anything found and restart.

Come back and post the scan log here.

Thank you for the help. Please can I ask (if you can use it) just to recheck my HijackThis log above. It’s a fresh one. The last one was made before I got the virus warning earlier today.

Here’s the Malwarebytes report (all clear):

Malwarebytes' Anti-Malware 1.44
Database version: 3742
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

15/02/2010 10:39:05 PM
mbam-log-2010-02-15 (22-39-05).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 267096
Time elapsed: 2 hour(s), 19 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Again, thank you for the help. It means a lot. My PC was dead slow when it found the virus, but the speed seems to be ok now. :confused:

I am no expert, but to me the HijackThis log looks fine.
If you still think you have some infection you can post an OTL log from essexboy’s guide and let him have a look:
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

If the computer is just slow, you can try some house cleaning:
CCleaner http://www.piriform.com/ccleaner
Defraggler http://www.piriform.com/defraggler

Thank you. I’ll make a quick post on the forum he mentions with an OTL log. As for cleaning, my PC is generally fast. I tend to keep it clean from clutter, delete files I don’t need regularly, use the cleanup tool, defrag in safe mode and delete internet history/cache. If anything, it needs hardware upgrades which I’ll do when I have money :frowning:

Thanks :stuck_out_tongue:

If you post the OTL log you should do it here in the topic you started.

Go to Add/Remove Programs and un-install McAfee SiteAdvisor as it is hopelessly inadequate and even lists sites with malware as safe.

Finjan Secure Browsing is much better…

I use it as a rough outline, although it doesn’t seem to work with Chrome :frowning: (It’s not completely accurate, but it helps.) Might try your suggestion though, thank you.

try: http://filehippo.com/download_spyware_terminator/

Good Luck and God Bless…

I’ll scan with that spyware scanner, thank you.

Just woken up and found all of this. There probably is more in other folders, but this is enough proof that my PC isn’t clean:

http://i260.photobucket.com/albums/ii31/jamesyyyya/Untitled-4.png

http://i260.photobucket.com/albums/ii31/jamesyyyya/Untitled1-1.png

However much I love Nickelback, this most certainly ISN’T a system file. (By the way, I have NO music currently on my PC, it’s all on my mp4. I was moving 1 Nickelback song from my PC to mp4 a few days ago then deleted it.)

I’ll post the results of the scan. Also, here are the OTL logs.

Hi, the desktop.ini files are system files, along with the NTuser.dat files. What problems are you currently experiencing?

Run OTL.exe

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
[2010/02/07 04:20:19 | 000,000,020 | ---- | M] () -- C:\Windows\��)
[2009/12/26 19:26:22 | 000,021,504 | ---- | C] () -- C:\Windows\jestertb.dll

:Commands
[purity]
[emptytemp]

- Then click the Run Fix button at the top.
- Let the program run unhindered, reboot when it is done.
- Then post a new OTL log (don’t check the boxes beside LOP Check or Purity this time).

Thank you for your time. I’ve removed what you said (it couldn’t find [2010/02/07 04:20:19 | 000,000,020 | ---- | M] () – C:\Windows\�� )

Here’s the new log.

OK, that is a file or folder within Windows that is appearing to use unicode to hide - let’s try big brother this time as it is more adept at removing that type of thing.

To ensure that I get all the information this log will need to be attached (instructions at the end); if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users.
- Under Additional Scans check the following:
  - Reg - Shell Spawning
  - File - Lop Check
  - File - Purity Scan
  - Evnt - EvtViewer (last 10)
- Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%*.*
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
/md5stop
%systemroot%*. /mp /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options /s
CREATERESTOREPOINT
%systemroot%\system32*.dll /lockedfiles
%systemroot%\Tasks*.job /lockedfiles

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.
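An added example, not tooling from this thread or from OTL/OTS themselves: a small Python triage script that parses OTL-style file-listing lines (the format quoted in the fix above) and flags entries whose file name has no letters or digits at all, or contains non-printable or non-ASCII characters, the “unicode to hide” pattern essexboy describes. The sample lines are constructed to mirror the ones quoted in this thread, and the line format is assumed from those entries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# One OTL/OTS file-listing line: [timestamp | size | RHSD flags | C/M] (company) -- path
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str
    kind: str      # 'C' = created within window, 'M' = modified within window
    company: str
    path: str

def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one listing line; returns None for section headers and other text."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(m["ts"], int(m["size"].replace(",", "")),
                    m["attrs"], m["kind"], m["company"], m["path"])

def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1]

def suspicious_name(name: str) -> bool:
    """Flag names with no letter or digit at all (e.g. '_') or with characters
    outside printable ASCII. Localised installs have legitimate non-ASCII names,
    so treat hits as a triage list, not a verdict."""
    if not any(ch.isalnum() for ch in name):
        return True
    return any(ord(ch) < 32 or ord(ch) > 126 for ch in name)

def flag_entries(log_text: str) -> List[OtlEntry]:
    """Return the listing entries whose file name matches suspicious_name()."""
    return [e for e in map(parse_otl_line, log_text.splitlines())
            if e is not None and suspicious_name(basename(e.path))]

# Constructed sample modelled on the lines quoted in this thread, not a real log.
SAMPLE_LOG = r"""
[2010/02/07 04:20:19 | 000,000,020 | ---- | M] () -- C:\Windows\´ô)
[2009/12/26 19:26:22 | 000,021,504 | ---- | C] () -- C:\Windows\jestertb.dll
[2010/02/10 12:00:00 | 000,000,000 | ---D | C] () -- C:\Users\James\AppData\Local\_
"""
```

Running `flag_entries(SAMPLE_LOG)` returns the `´ô)` and `_` entries and leaves jestertb.dll alone; the flagged paths are what to cross-check against the fix log, since a name like this is the reason the OTL fix above could not find its target.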

Scan complete.

OK, could you run this and let me know what problems you are still having.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.


[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY ->  _ -> C:\Users\James\AppData\Local\_
[Files/Folders - Modified Within 30 Days]
NY ->  ´ô) -> C:\Windows\´ô)
[Files - No Company Name]
NY ->  ´ô) -> C:\Windows\´ô)
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Hey,

Not really having any major problems now. Not sure why my PC thought the Nickelback image was a system file, that bit is confusing. Internet seems to be a little slow (slower than it was, but not too much, could be a connection problem, IDK). And I’m having trouble with some sites like BBC iPlayer (viewing vids), Facebook (viewing certain things) and sometimes certain buttons don’t work (for instance, on ebuyer.com I can’t view comments about items or the specifications, but other times I can, as the button doesn’t do anything on the site). This is all new. Java & Flash are both up-to-date and allowed via settings.

Anyway, I’ve done the fix and the scan. Not sure if you wanted a normal scan or the custom scan you stated in the last post, so I performed both just in case.

The fix is ‘02172010_213849.log’, a new default scan (without clicking certain options) is ‘OTS.txt’ and the new scan like you stated in your last post is ‘OTS1.txt’.

OK, the weirdos went this time without a struggle - let’s try a little TLC. Run OTS and hit the cleanup button, that will remove my tools.

Download Flush Flash and then run - full instructions are on the download page

SPRING CLEAN

Download TFC to your desktop

- Open the file and close any other windows.
- It will close all programs itself when run, make sure to let it run uninterrupted.
- Click the Start button to begin the process. The program should not take long to finish its job.
- Once it’s finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

THEN

Download and run Auslogics Disc Defragmenter

Let me know of any change after this

The Flash Flush has worked perfectly, all sites are working like normal again.

1 question, I’ve been running ‘Ad Muncher’ to remove ads (got it any problems occurred) and it removes all ads from all sites in Chrome and IE. Will this cut down (or hopefully stop) me getting any spyware from ads?

Also, I use ‘MyDefrag’ as it runs perfectly in safe mode. Should I keep this or use the one you mentioned? I tried it before and I don’t think it worked in safe mode :frowning: Or is it pointless going into safe mode altogether for defragging?

Thank you for the help, you saved me from a lot of annoyances… and in good timing as I have a job interview in the morning.

James.

EDIT: Just been on a forum I use and I can’t use the clickable smileys. I have to type in the code (and I don’t know the code for most of them :frowning: )

Unfortunately there are always going to be drive-by downloads and infected websites, but as long as you use common sense and close ads by using the X and not the supplied close button, the chances are greatly reduced.

If you are happy with MyDefrag then keep it - always use what you like and not what anyone else says.

I had a problem with the smileys yesterday as well - may be a forum problem.

Good luck with the interview