Please Help! :(

Ok, here’s the story.

I’m a gamer. That’s basically the only thing I use my computer for.

So I downloaded avast! a few days ago when my other Antivirus program’s free trial ran out, and I’m liking it.

So, today my brother tells me he downloaded the Photoshop CS2 Trial from adobe.com and tried to look online for a serial code (which I know, is totally wrong and I beat him down for it) on those “hacking sites” and tried to make it a full version. Well guess what. I got a popup saying something like “Trojan Horse was found!” So I put it in the chest, deleted it from there.

So I go back to playing my game, and now, every 5-10 mins I’m getting the message “Adaware was found!” and then immediately followed by “Malware was found!” What I don’t understand is, that I’m on the internet, but I wasn’t downloading anything. So when I get these messages (which are really annoying) I just click the “Abort Connection” button and it goes away for a few minutes.

So I downloaded: Ad-Aware SE Personal, and Spybot: Search & Destroy and scanned for spyware and other junk. The first scan with both programs found spyware and adaware, and deleted them. Though I’m still getting the popup from avast that adaware/spyware/malware is being found but when I scan it says there is none.

I scanned for viruses with AVG Free and it said there wasn’t any, and I’m in the process of scanning with avast.

Now…how do I properly fix this!? Where is all the spyware/adware/malware coming from!?

Thanks,

Shane

:frowning: :frowning: :-[

I would recommend you try a boot-time scan with avast since it is the one finding this infection(s). If the problem doesn’t go away just post back here. You can do that by starting avast!, then right click somewhere in the GUI or click the menu, and then just click Schedule boot time scan, then restart. See below:

http://img444.imageshack.us/img444/4030/untitled19mx8lq.jpg

P.S.: Welcome to the forum!

Cheers

Mikey

Also, could you try to remember the names of things you delete? It helps us a lot if we have that knowledge :wink:

Ok,

I did the Boot-Time scan and when it was done I logged in normally and there wasn’t anything saying if there was a virus or spyware or anything. When I first got the Trojan warning I put it in the chest and deleted it, and since then haven’t gotten a virus alert, only the spyware/adware/malware alerts which are constant. Like I said I’ve scanned with other spyware programs and have deleted everything, still nothing.

This is what I’m seeing every 5-10 mins:

http://img305.imageshack.us/img305/1196/ad16hf.jpg

And if this matters…

http://img321.imageshack.us/img321/181/ad28yy.jpg

Shane

:frowning: ??? :-[

Could you do a scan with HijackThis and post a log?

thanks

Mikey

Sure, will post it asap.

This is what I got:

Logfile of HijackThis v1.99.1
Scan saved at 5:59:43 PM, on 12/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\World of Warcraft\WoW.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\Shane\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 “EPSON Stylus C64 Series” /O6 “USB001” /M “Stylus C64”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [UnSpyPC] “C:\Program Files\UnSpyPC\UnSpyPC.exe”
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip..{8A7F5207-1CB0-48E6-AC34-8DCAFFE82324}: NameServer = 85.255.113.150,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip..{D6BD3C13-E20A-428D-8368-721D8EE56467}: NameServer = 85.255.113.150,85.255.112.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Well you should definitely remove these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O4 - HKLM..\Run: [yaemu.exe] C:\WINDOWS\system32\yaemu.exe

O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

O17 - HKLM\System\CCS\Services\Tcpip..{D6BD3C13-E20A-428D-8368-721D8EE56467}: NameServer = 85.255.113.150,85.255.112.12

O17 - HKLM\System\CCS\Services\Tcpip..{8A7F5207-1CB0-48E6-AC34-8DCAFFE82324}: NameServer = 85.255.113.150,85.255.112.12

Then go to safe mode and run a couple scans with the anti malware tools you have… Report back then to let us know what is going on.

OK it’s 0:30 AM here so I’m going to bed but maybe someone else will be able to help you if this doesn’t solve your problems… See ya tomorrow :wink:

P.S.: I did a little editing with this post so please re-read it.

Thanks

Mikey

I forgot to ask you… Are you running multiple resident AV programs at the same time? If so please just use one, otherwise you’ll have problems.

Thanks

Mikey

Nope, not at the same time. Though I do have AVG and avast! installed.

Ok, I deleted the things listed above, now when I restarted my PC I got the message:

http://img498.imageshack.us/img498/4171/ad35ua.jpg

And whenever I try to do anything about it I get:

http://img248.imageshack.us/img248/9912/ad40wi.jpg

So…going to scan with avast right now, then scan for spyware after.

It’s like I said, you have 2 resident AVs installed; that is why you cannot get rid of this malware (one AV locks the file when the other detects it). Please disable AVG’s resident shield if you know how or just uninstall it.

ShaneTerry, like ReVaN said, you shouldn’t use two antivirus programs at the same time on the same computer.
These kinds of programs are not like antispyware tools (of which you can have more than one).
Better if you choose one of them. Think about detection, support, features that you need :wink:

Ah, I thought he meant running at the same time. My bad.

Ok, so I uninstalled AVG and am thoroughly scanning with avast.

Btw I haven’t gotten the adaware/malware/spyware popup since I deleted the different files in the HijackThis log.

Hope this works…will post back when it’s done.

Good decision :wink:

We’ll be waiting here to help 8)

O17 - HKLM\System\CCS\Services\Tcpip\..\{D6BD3C13-E20A-428D-8368-721D8EE56467}: NameServer = 85.255.113.150,85.255.112.12

O17 - HKLM\System\CCS\Services\Tcpip..{8A7F5207-1CB0-48E6-AC34-8DCAFFE82324}: NameServer = 85.255.113.150,85.255.112.12

These entries could be your ISP’s IP addresses (check using a whois search). If you fix them in HJT you may not be able to connect; if that is the case, restore them.
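
The check discussed in the post above, as an added example that is not part of the original thread: a Python script that pulls the O17 NameServer lines out of a HijackThis log and reports, per network interface, every resolver that is not on a list you expect (from your router or ISP). The `EXPECTED` address and the third O17 line in the sample are constructed placeholders; the other two O17 lines are the ones posted in the thread.

```python
import re
from ipaddress import ip_address

# Constructed sample: the two O17 lines as posted in the thread (both path
# spellings), plus one made-up interface (all-zero GUID) on the expected resolver.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip..{8A7F5207-1CB0-48E6-AC34-8DCAFFE82324}: NameServer = 85.255.113.150,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6BD3C13-E20A-428D-8368-721D8EE56467}: NameServer = 85.255.113.150,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.0.2.53
"""

# Assumption: the resolvers you actually expect (router or ISP).
# 192.0.2.53 is a documentation address standing in for the real value.
EXPECTED = ["192.0.2.53"]

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def audit_dns(log_text, expected):
    """Return {interface: [unexpected resolvers]} for O17 NameServer lines."""
    allowed = {ip_address(a) for a in expected}
    findings = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # not a statically configured DNS entry
        # Key the result on the interface GUID so both path spellings agree.
        guid = GUID_RE.search(m["key"])
        iface = guid.group(0) if guid else m["key"]
        unexpected = []
        # The registry value may separate servers with commas or spaces.
        for token in re.split(r"[,\s]+", m["servers"].strip()):
            try:
                addr = ip_address(token)
            except ValueError:
                unexpected.append(token)  # not an IP at all: report verbatim
                continue
            if addr not in allowed:
                unexpected.append(str(addr))
        if unexpected:
            findings[iface] = unexpected
    return findings


if __name__ == "__main__":
    for iface, servers in audit_dns(SAMPLE_LOG, EXPECTED).items():
        print(f"{iface}: unexpected resolvers {', '.join(servers)}")
```

Any address it reports is one to look up with whois before deciding whether to fix or keep the entry.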

Ok, so…

When I did the scan, I pressed the
http://img460.imageshack.us/img460/4180/av13cg.jpg
option.

And to my surprise…

http://img460.imageshack.us/img460/6325/av21xe.jpg

Should I scan under a different option? If so which one?

Shane
???

He is here isn’t he? So he is connected wouldn’t you agree? The IPs are somewhere in the Ukraine…

Apparently you are clean now Shane, but just to be sure you can run an online scan at http://housecall.trendmicro.com/

Awesome. Scanning now. Will post what was up when it’s done.