SERIOUS BUSINESS issues, please help!!!

So I was trying to stream a show from a site that my friend gave me, and somehow it gave me some brutal virus/spyware/adware/trojan garbage. Don’t know how it got on my comp because it didn’t even ask me to download anything at all, it just all fell apart… So anyway, having serious issues now and can’t even connect to the internet (on a laptop right now, not my PC). When I connect to my homepage, it redirects me to avxp.net or something like that, which is obviously a bogus antivirus scan that asks me to download their program which will further screw me over. I can also connect to google for some reason. If I try to connect to a site by URL it says it can’t connect, whereas if I try to connect through a google search it redirects me to random crap pages that DO NOT HELP.

I have a couple screenshots of the files that I’m almost sure are doing it, since I delete them and they keep recreating themselves, but they’re too large for me to attach so if you ask me to I can upload the pics to a site and post the URL for them here. I also have a HJT log, though I only found one thing suspicious (the file at the top, but I can’t get info on it or delete it or anything). Below is said HJT log. Please, please, PLEASE, someone help me!!! Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:28 PM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\oembios.exe,
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [AS00_Gear311T] C:\Program Files\NETGEAR\WG311TSU\Utility\Gear311T.exe -hide
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [BitTorrent] "C:\Program Files\Bit Torrent\bittorrent.exe" --force_start_minimized
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


End of file - 3677 bytes

Have you tried thorough scanning or scheduling a boot-time scan?

I suggest one of these antispyware scanners:

SuperAntiSpyware Free
Spybot - Search and Destroy
SpywareTerminator (exclude crawler toolbar, add on, and ClamAV module)

Yes, did a thorough SAS scan, got 5 items, that was the first thing I did. It helped a little bit but the majority of the problem is still intact…

I suggest Malwarebytes’ Anti-Malware or RogueRemover.

Forgot to mention, but when all this began it wiped my desktop background and replaced it with an ad saying my computer was infected and I needed to download some program. Thanks for the recommendation, but I can’t download anything right now. As I stated, any time I try to connect to a site, it stops me by either saying it can’t find the site or redirecting me to a random site, typically a search engine. Downloading is, unfortunately, out of the question…

Do you have any other anti-spyware loaded, like Spybot or Ad-Aware?
Do schedule a boot-time scan with avast ASAP.
MBAM would be best, but you can’t DL it.
There are some other methods to hand-kill this thing, but it would be nice to know which one you have.
What do the pop-ups say?
You can also try that SAS scan again in safe mode.
Will Dr.Web CureIt connect? F-Prot etc.?

I only have avast! and SAS on my system. Scheduling a boot scan with avast as we speak, hopefully it catches this stuff. The only pop-ups I get are actually redirects, and I either get redirected to a search engine site or something along the lines of www.avxp.net (which does a BS scan and tells me to download their programs, which are 99.99999999999% likely to be more spyware). As for the Dr.Web CureIt thing, no clue what that even is lol

Go to Add/Remove Programs and un-install everything BitTorrent and Viewpoint.

Unfortunately, BitTorrent P2P file sharing is an easy way for malware to get into your system.

Close all browser windows then run HijackThis then check the following then Fix checked:

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\oembios.exe,
O4 - HKCU..\Run: [BitTorrent] "C:\Program Files\Bit Torrent\bittorrent.exe" --force_start_minimized
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Use Windows explorer to go to C:\Program Files then delete C:\Program Files\Viewpoint

Once you get this situation resolved, then you should go to Windows Update and install Service Pack 3.
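As an added example (not code from anyone in this thread), here is a small Python script that walks HijackThis-style log lines and reports any program chained after the stock Userinit.exe in the F2 UserInit entry, which is the entry singled out above. The sample lines are constructed from the log quoted earlier in the thread.

```python
import re

# Constructed sample, modelled on the HJT log quoted in this thread.
SAMPLE_LOG = r"""F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\oembios.exe,
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [BitTorrent] "C:\Program Files\Bit Torrent\bittorrent.exe" --force_start_minimized
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# On a stock Windows XP install the Winlogon Userinit value names exactly one program.
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"

F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")


def userinit_programs(line):
    """Split the comma-separated UserInit value of an F2 line; None if not such a line."""
    m = F2_USERINIT.match(line.strip())
    if m is None:
        return None
    return [p.strip() for p in m.group("value").split(",") if p.strip()]


def extra_userinit_programs(line):
    """Everything in the UserInit value other than the stock userinit.exe.

    Each extra entry is started by winlogon at every interactive logon, which is
    one reason a file deleted from disk can be back by the time the desktop appears.
    """
    programs = userinit_programs(line)
    if not programs:
        return []
    return [p for p in programs if p.lower() != STOCK_USERINIT]


def scan_hjt_log(text):
    """Return (line_number, extra_program) pairs for every suspicious F2 line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for program in extra_userinit_programs(line):
            findings.append((number, program))
    return findings


if __name__ == "__main__":
    for number, program in scan_hjt_log(SAMPLE_LOG):
        print(f"line {number}: UserInit also launches {program}")
```

A single extra path in that value is enough to relaunch a dropped file at each logon, so compare any non-stock entry against the list of files that keep reappearing.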

I’ve had BitTorrent for a while and have had no problems with it, though I know about its track record so to speak. However, it wasn’t even running when I got this issue so that’s not the problem. Viewpoint, yes, is a likely culprit. As for the first entry, the F2, that’s the entry I couldn’t do anything about. Couldn’t get information on it and couldn’t repair/delete it. I would also like to add that I don’t use IE, I use Firefox.

What makes you think that Firefox is a safer browser?

Firefox is a safer browser, but with add-ins it can become just as vulnerable as IE6.

Just saying that I use Firefox, not saying it’s safer or anything necessarily. It’s just my personal preference is all.

Okay, so the boot scan finished and found one corrupted file, can’t remember which one and can’t find it in the log but it found it. Also removed the Viewpoint thing through HJT, but I still can’t fix that F2 entry from the very top. I rescan and it keeps coming right back up. Still can’t access sites, but the avxp thing didn’t pop up when I opened Firefox, which is a start.

Firefox and Thunderbird are less prone to the ActiveX control vulnerabilities. But that’s not the problem. The BitTorrent question here is that the files are on the PC, even if not used. So the malware can get to it. Thanks for the tip on the vulnerabilities with the Firefox add-ins. Luckily I don’t use many, as it does slow FF down. So no real problem there.

Maybe look at Avast Virus cleaner for removal of a limited set of viruses/worms. But that is not the real reason. This app has - although I’ve not yet had need of it - the ability to look at and edit/adapt a system to get it working again. It will use its own files to rename/replace MS files. At avast!'s home page.

My combo is FF, TB, avast! 4 Home, Spybot and Filseclab for a firewall (this really works, easily).

The real reason I’m here.
avast! caught an HTML:Alaple-A[Wrm] virus from a site in South Africa. www.satec.co.za. Three times! All I needed to do was “Abort the connection”. I cannot get any info where I can contact them to let them know about this. Any help? Thank you.

Oh yes, avast! auto updates (080822-0,22-08-2008) and runs in residence - 6 services. Filseclab regularly shows denials to attacking traffic.

How about:
http://www.satec.co.za/contact.html

Please see the following:
http://forum.piriform.com/index.php?showtopic=17348

The point about BitTorrent made sense so I went ahead and wiped that out, hoped it’d work but now it’s right back where it started - loaded up my homepage and it redirected me to avxp-2008.net and did its little BS scan claiming I was ridiculously infected and it could help me. Still couldn’t manage to repair/remove the F2 entry from HJT, which is still bothering me because I’m sure that’s part of my issue since I haven’t ever seen it in a HJT log until I got this issue. So… any other suggestions anyone?

Since I appear to be running lower and lower on options, I’ll put a link to the screenshots I took of the files that continuously reappear when deleted, as I’m sure the virus is in there somewhere (when I originally looked through the files, I checked the Created date and a lot of them said they were created right when I started having problems. Problem is, every time I go to delete them, even in safe mode, they reappear when I boot the computer, making me think that I have yet to find the root of the problem). There were a good number of files for me to suspect, so I had to take 4 screenshots. They are recent; I just ran this search a few minutes ago.

Screenshot 1 - http://img152.imageshack.us/my.php?image=virusgarbage1ji8.png
Screenshot 2 - http://img123.imageshack.us/my.php?image=virusgarbage2bo6.png
Screenshot 3 - http://img123.imageshack.us/my.php?image=virusgarbage3mi4.png
Screenshot 4 - http://img123.imageshack.us/my.php?image=virusgarbage4wz8.png

Those are all the files that have been created yesterday. The big-time issues are the ones called Cache, they were created originally at the time my PC was infected and constantly reappear when deleted. I’m going to try deleting them now that I removed the Macromedia from my comp (since a lot of this stuff keeps appearing around Macromedia) but I’m not expecting them to stay gone still. Any ideas anyone?

Edit - As expected, deleted files reappeared again. I’m still suspicious about the F2 entry of my HJT log though, seems awfully curious that it appeared when this all began and refuses to leave my computer…

Slow down a little.
Did the SAS boot-time scan find anything? What exactly?
Avast scan?
Still unable to download anything?
Do you have a pen drive or a spare hard drive you could download files to at a buddy’s?
Here is a write-up from threat net:
http://www.threatexpert.com/report.aspx?uid=92ecfbb6-1a1b-42c5-94ac-da1b72596eab
so a hand removal could be attempted
(at the end, see an example of how a hosts file or outbound firewall would have prevented this infection from phoning home).
However (if Polonous or other experts are away for the weekend):

If we do not make any progress here, I would suggest that you post over in the Malwarebytes forum.
Jean In Montana is an expert on this infection:
http://www.malwarebytes.org/forums/index.php?s=45dddb9fa76cce9f6b2dafdfec641a8d&showforum=7
However, if you post there, be sure to read all the stickies and do everything exactly; they are busy and tend to not have much patience.
Post a link to this thread and tell Jean “Theolona Ranger says howdy”.
Please report back how you do.
Good luck.

Hi:

There is a very good chance that IF you could run a fully updated “Full Scan” of Malwarebytes’ Anti-Malware, the problem MAY be resolved. Since you cannot download anything, try and use a friend (not the idiot who referred you to that site) who has an uninfected computer, or perhaps a local library, to “burn” that program onto a CD for future installation onto your computer. IF this and/or IF an experienced “Malware-Fighter” like “JeaninMontana” cannot help, the only resource seems to be reformatting and reinstallation of your operating system!?

By the way, malware is getting so bad that just visiting an infected site can infect a person’s computer.

Way back in reply #3 Jtaylor83 suggested the two programs most likely to resolve the avxp-2008 issue, see below. I can only assume that you didn’t run them, as a) there was no mention of having run them, b) the topic is still ongoing.

DavidR,
He can’t download anything.
He does have SAS installed and Avast.
Any ideas?

InazumaRaijin,
Did you get either or both of the SAS and Avast boot-time or safe mode scans to run?

He is going to have to get creative then: use a friend, etc., download the files, save to CD/flash drive, etc., and transfer to his system. How is he posting here, or is it just downloads that are restricted?