Infection Details according to avast more information:
URL: http://www.website-unavailable.com/?url Process: file://C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe Infection: al
Infection Details according to avast more information:
URL: http://www.website-unavailable.com/?url Process: file://C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe Infection: al
Hi,
Let me look over the logs and I will return as soon as I can.
Hi,
P2P - I see you have P2P software BitTorrent, uTorrent and Azureus installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation. This page will give you further information.
Please note: Even if you are using a “safe” P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.
Run OTL.exe
[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
PRC - [2011/10/25 09:59:16 | 000,244,960 | ---- | M] () -- C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
SRV - [2011/10/25 09:59:16 | 000,244,960 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe -- (Updater Service for StartNow Toolbar)
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
IE - HKLM\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No CLSID value found
IE - HKLM\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091
IE - HKCU\..\URLSearchHook: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2504091
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;192.168.*.*
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (StartNow Toolbar Helper) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll ()
O2 - BHO: (no name) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No CLSID value found.
O2 - BHO: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\ConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (StartNow Toolbar) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll ()
O3 - HKLM\..\Toolbar: (no name) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Vuze Remote Toolbar) - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Vuze Remote Toolbar) - {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll (Conduit Ltd.)
O15 - HKCU\..Trusted Ranges: Range1979 ([http] in Trusted sites)
O33 - MountPoints2\{5b2b5ac6-5599-11e0-bb8e-206a8a1c2023}\Shell - "" = AutoRun
O33 - MountPoints2\{5b2b5ac6-5599-11e0-bb8e-206a8a1c2023}\Shell\AutoRun\command - "" = E:\Autorun.exe -- [2009/10/26 06:58:04 | 000,120,128 | RH-- | M] ()
O33 - MountPoints2\{75ae1345-ca11-11e0-a600-206a8a1c2023}\Shell - "" = AutoRun
O33 - MountPoints2\{75ae1345-ca11-11e0-a600-206a8a1c2023}\Shell\AutoRun\command - "" = G:\autorun.exe
O33 - MountPoints2\{97e77a4d-ca10-11e0-bbb6-206a8a1c2023}\Shell - "" = AutoRun
O33 - MountPoints2\{97e77a4d-ca10-11e0-bbb6-206a8a1c2023}\Shell\AutoRun\command - "" = E:\Autorun.exe -- [2009/10/26 06:58:04 | 000,120,128 | RH-- | M] ()
O33 - MountPoints2\{a21eea15-3f2c-11e1-b326-206a8a1c2023}\Shell - "" = AutoRun
O33 - MountPoints2\{a21eea15-3f2c-11e1-b326-206a8a1c2023}\Shell\AutoRun\command - "" = F:\Launcher.exe -- [2007/04/20 05:34:56 | 000,243,834 | R--- | M] ()
O33 - MountPoints2\{fe30c154-df18-11e0-8d7f-206a8a1c2023}\Shell - "" = AutoRun
O33 - MountPoints2\{fe30c154-df18-11e0-8d7f-206a8a1c2023}\Shell\AutoRun\command - "" = E:\Autorun.exe -- [2009/10/26 06:58:04 | 000,120,128 | RH-- | M] ()
[4 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2011/02/18 19:18:19 | 000,003,584 | ---- | C] () -- C:\Users\Nick\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
Interesting, I don’t have/can’t find Bittorrent, uTorrent and Azureus although I do have another torrent application (Vuze) that I think I will get rid of.
Hi jeffce,
Not to say OP does not have an infection, but this thread posted earlier on May 10th may be relevant (or not). http://forum.avast.com/index.php?topic=98238.0
Seems the vps defintion update or streaming updates fixed the issue in that thread.
oooh, thank you mchain. It seems like what jeffce gave me worked out, it’s not doing it any more so far but if it comes back I’ll give that link a try. I must thank you both greatly!
Not so fast.
As jeffce says, 2P2 programs are to be avoided, and you may still have remnants left on your system from malicious code left over, still. Same would be true for cracked software, user risk is higher when downloading and running such software.
Remnants can call in more malicious programs, so the absence of symptoms may not mean anything. Please wait until jeffce gives the all clear after he analyzes your logs.
If you can’t run such programs at work, why do it at home on your computer system?
Good point, thanks again!
Hi,
Run ERUNT again and then do the following…
Run OTL.exe
[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = ;192.168.*.*
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O33 - MountPoints2\{fe30c154-df18-11e0-8d7f-206a8a1c2023}\Shell - "" = AutoRun
O33 - MountPoints2\{fe30c154-df18-11e0-8d7f-206a8a1c2023}\Shell\AutoRun\command - "" = E:\Autorun.exe -- [2009/10/26 06:58:04 | 000,120,128 | RH-- | M] ()
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
[list]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
Malwarebytes
ESET Online Scanner
I’d like us to scan your machine with ESET Online Scan
Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.
As a Vista/Win7 user you will need to right click your browser icon and select “Run as Administrator” in order to run this scan.
[]Do not use this instance of your browser for anything besides doing this scan
[]When the scan is complete and the results saved, close that instance of your browser
[*]Open a new one the usual way and post the results in this topic.
[]Right-click and Run as Administartor on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
[]Click the
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png
button.
[]For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)[list=1]
[*]Click on
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png
to download the ESET Smart Installer. Save it to your desktop.
[]Double click on the
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png
icon on your desktop.
[*]Check
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
[*]Click the Start button.
[]Accept any security warnings from your browser.
[]Check
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
[*]Make sure that the option “Remove found threats” is Unchecked
[*]Push the Start button.
[]ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
[]When the scan completes, push
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
[*]Push
http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png
, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
[*]Push the Back button.
[*]Push Finish
In your next reply please attach the logs made by OTL, Malwarebytes and ESET online scanner.
Lots o infections! =P
your Malwarebytes logs say the signatures are 2 days old.
always click the update button before a scan…malwarebytes release 5 - 10 updates a day
Oh, sorry, updated is attached.
Hi,
Run OTL.exe
[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
:Files
C:\Program Files (x86)\StartNow Toolbar\ReactivateIE.exe
C:\Program Files (x86)\StartNow Toolbar\ToolbarBroker.exe
C:\Users\Nick\Documents\Vuze Downloads\XLN.Audio.Addictive.Drums.DVDR.HYBRID-AiRISO\air-xlnaadkgn.rar
C:\Users\Nick\Documents\Vuze Downloads\XLN.Audio.Addictive.Drums.DVDR.HYBRID-AiRISO\Keygen.exe
C:\Users\Nick\Downloads\cnet2_64bit_Vista_Win7_R265_exe.exe
C:\Users\Nick\Downloads\cnet2_dvdaudioextractor_exe.exe
C:\Users\Nick\Downloads\cnet2_usb_asio_zip (1).exe
C:\Users\Nick\Downloads\cnet2_usb_asio_zip (2).exe
C:\Users\Nick\Downloads\cnet2_usb_asio_zip.exe
C:\Users\Nick\Downloads\epicbot.exe
C:\Users\Nick\Downloads\gamebooster (1).exe
C:\Users\Nick\Downloads\XLN.Audio.Addictive.Drums.DVDR.HYBRID-AiRISO\air-xlnaadkgn.rar
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot when it is done
[*]Then run a new scan and post a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )
In your next reply please attach the logs made by OTL and let me know how your system is running.
Everything has been running great so far.
Ok great! Give it a good run around and let me know tomorrow how things are running. If there are no problems, we will remove our tools and get you on your way.
Everything seems great, thank you so much for your excellent service and fast responses!
It’s running great. Thank you so much for the excellent service and fast responses! You’re doing God’s work
Hi,
It's running great. Thank you so much for the excellent service and fast responses! You're doing God's workThank you for the kind words. They are very much appreciated. :) ---------
Providing there are no other malware related problems…
IT APPEARS THAT YOUR LOGS ARE NOW CLEAN SO LETS DO A COUPLE OF THINGS TO WRAP THIS UP!!
Clean up with OTL:
[*]Double-click OTL.exe to start the program.
[*]Close all other programs apart from OTL as this step will require a reboot
[*]On the OTL main screen, press the CLEANUP button
[*]Say Yes to the prompt and then allow the program to reboot your computer.
Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren’t cluttering up your desktop.
Here are some tips to reduce the potential for spyware infection in the future:
1. Make your Internet Explorer more secure - This can be done by following these simple instructions:
[*]From within Internet Explorer click on the Tools menu and then click on Options.
[*]Click once on the Security tab
[*]Click once on the Internet icon so it becomes highlighted.
[*]Click once on the Custom Level button.
[*]Change the Download signed ActiveX controls to Prompt
[*]Change the Download unsigned ActiveX controls to Disable
[*]Change the Initialize and script ActiveX controls not marked as safe to Disable
[*]Change the Installation of desktop items to Prompt
[*]Change the Launching programs and files in an IFRAME to Prompt
[*]Change the Navigate sub-frames across different domains to Prompt
[*]When all these settings have been made, click on the OK button.
[*]If it prompts you as to whether or not you want to save the settings, press the Yes button.
[*]Next press the Apply button and then the OK to exit the Internet Properties page.
2. Enable Protected Mode in Internet Explorer. This helps Windows Vista users stay more protected from attack by running Internet Explorer with restricted privileges as well as reducing the ability to write, alter or destroy data on your system or install malicious code. To make sure this is running follow these steps:
[*]Open Internet Explorer
[*]Click on Tools > Internet Options
[*]Press Security tab
[*]Select Internet zone then place check next to Enable Protected Mode if not already done
[*]Do the same for Local Intranet, Trusted Sites and Restricted Sites and then press Apply
[*]Restart Internet Explorer and in the bottom right corner of your screen you will see Protected Mode: On showing you it is enabled.
3. Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.
4. Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here. **There are firewalls listed in this tutorial that could be downloaded and used but I would personally only recommend using one of the following two below:
Online Armor Free
Agnitum Outpost Firewall Free
5. Make sure you keep your Windows OS current. Windows XP users can visit Windows update regularly to download and install any critical updates and service packs. Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems. Without these you are leaving the back door open.
6. WOT (Web of Trust) As “Googling” is such an integral part of internet life, this free browser add on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT’s color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites. WOT has an add-on available for Firefox, Internet Explorer as well as Google Chrome.
7.Finally, I strongly recommend that you read TonyKlein’s good advice So how did I get infected in the first place?
Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.