Too many problems to count.

Hi, I’m new here obviously, and I came because I’m sick of the little ‘quirks’ my computer has now.

Over a period of about a year and a half my computer has had too many viruses to count and some of them have done some -seemingly- irreparable damage to it. Most of these issues aren’t much of a problem as they don’t affect my daily usage, but as I’m joining the Army soon I’d like to repair as much of it as I can before I leave; that way I can connect to other networks without fear of corrupting them. It should be said that I frequently visit ‘questionable’ sites and download from many different sources and methods, including the use of Torrents. I’m intelligent and a quick learner but I have little to no experience fixing these types of problems. As long as it’s explained in an easy to follow method I should be able to get… well, any information you guys need to help me out. I know a few things about my computer, mostly through random experimentation, and I’ve been looking around the internet for the past half hour for information on my most recent issue but answers and results vary.

I used to run the free trial AVG, which I’m not sure if it came with the laptop or I went and got it myself. After a while AVG started freaking out at a certain site that a programmer friend I knew owned, so I shut it off and forgot to turn it back on. The friend’s site wasn’t a problem, but after the other sites I went to my laptop started getting a wide variety of viruses that I mostly didn’t notice or flat out ignored. When a virus finally hijacked my desktop I got pissed and noticed that AVG was still off. I ran scans and didn’t find much so I asked my mom (she’s a webmaster for a construction safety business) and she told me to use Avast. Well, Avast got rid of all my problems -or so I thought at the time- so I was happy. Eventually I found out I still couldn’t get to my Task Manager, and my account on the computer has Admin rights, nor could I access it through the Administrator account or even in safe mode. I dismissed it, figuring it a done damage and my own fault for not taking care of the computer better.

Recently I began getting a virus alert in Google, as well as other search engines. This originated from what Avast says is a JSDownloader-DO [Trj] and happens with varying searches and search engines. Before that though I started having my clicks hijacked and sent through various ‘click fraud manager’ sites. Only direct link clicks were affected though, leaving me still able to access my target site by copying the link destination and pasting it in my address bar, even if it was a Google redirection link. When the Avast alert appears, I am given only the option to abort the connection, and the threat location is a link within Google itself (always the Google search URL). Some sites I’ve seen say this is a minor threat, while others have said it’s merely a false positive, and most of the conversations aren’t that recent either.

I’ve run multiple scans with Avast since my clicks started getting redirected, using not only the normal scan, but also boot scans and scanning during safe mode (that one actually took somewhere around 12hrs to complete) but it never finds anything. Occasionally certain pieces of my data come up as unable to be scanned, and while I don’t remember the exact reason it didn’t seem to be a threat and it was stuff I’m pretty sure is clean anyway.

As it is, I know I’m running Avast simply as I downloaded it from the site and with high sensitivity -with the sites I visit regularly I figured high was best- and the icon says 6 out of 7 providers are running. I think the one that isn’t running is the Outlook/Exchange one. Though Avast has had problems updating multiple times, that’s because often my internet connection fluctuates and sometimes fails before Avast can finish updating. Normally the problem is fixed shortly afterward though and Avast updates without problems after some inventive maneuvering in an attempt to get a better signal. The primary issue with my wireless internet connection is that I live within a short distance from a Navy communication base, and often their signals disrupt every wireless signal in the entire neighborhood, even wireless home phones suffer occasionally.

Well, that’s pretty much all I have to say for now. Now that I think about it though, I often become overly formal and intellectual with requests and similar messages to people I don’t know. I guess it’s just habit or something.

So yeah, thanks in advance for your time and any help you can give me, thanks for reading this lengthy post, and umm… yeah.

Looking forward to your response (why does that line sound so unbelievably lame? but then again, just about every ‘closing’ line sounds lame to me).

Dorian

Hi Dorian, welcome to the Avast forum.

First, I suggest you run the AVG Remover Tool to be sure there are no “leftovers” from AVG. Reboot.

Run a system cleaner such as CCleaner Slim, reboot.

Then, I would download, install, update, and run complete scans with MBAM and SAS. Allow them to QUARANTINE, not DELETE any malware found. Reboot between scans, or as prompted.

Next, download and install Hijack This. Open Hijack This and select “Do a system scan and save a logfile”. Post the resulting Notepad file in this thread.

*Six of seven providers running in Avast is normal unless Windows Outlook is running.

*Lower your provider sensitivities to “Normal”, otherwise you are using excessive RAM with little additional protection.

*Advice: Stay away from dodgy sites and torrent downloads if you want a clean system.

I would also propose a clean reinstall of avast when you feel right, to set you off on a fresh start.
Here is a good step by step for clean install -

http://forum.avast.com/index.php?topic=48258.msg407243#msg407243

I assume you are using free Home edition -
May pay to copy and paste registration key somewhere first, for reuse later. Or locate it from amongst your emails so you can use it later. Otherwise you can go to Alwil site and report your license as lost to get your key renewed. I say this because it is something that I often forgot, when doing a clean install.

Alright, did the AVG removal, no leftovers from AVG found.

I ran the cleanup with default settings except that I also checked four boxes under the advanced (Menu Order Cache, Window Size/Location Cache, User Assist History, and Wipe Free Space) and I made Internet Explorer wipe autocomplete form history also (I don’t use Internet Explorer often, I prefer Firefox). I also ran the registry fixer from that program because with how I keep reorganizing my files I was sure there were some errors there (and I was right). I saved a backup in case something it ‘fixed’ creates problems though, and had it fix everything.

I downloaded MBAM and ran it, it found a bunch of stuff and ‘quarantined and deleted’ them all. The only options were to either remove or ignore them. I ran SAS and it picked up a few more that MBAM missed and quarantined them.

And finally, attached is the Hijack This logfile.

Oh, and I did the clean reinstall after that. As for avoiding dodgy sites, well, I do my best to do so but occasionally to get what I want I have to dig through a lot. >.<


An analysis of your HJT log shows the following problems :

We couldn’t detect any active process of a firewall on your system. Possible reasons:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall. Download and install one or activate windows xp´s firewall which is inbound protection only. It is best to use a 2-way firewall with both inbound and outbound protection.

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
This entry should be fixed by HijackThis. While InterActiveCorp says they have “cleaned-up” ask toolbar, most antispyware programs still detect ask toolbar as spyware/adware. The choice is yours.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=%s
This entry should be fixed by HijackThis. While InterActiveCorp says they have “cleaned-up” ask toolbar, most antispyware programs still detect ask toolbar as spyware/adware. The choice is yours.

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
Part of ask toolbar. It is suggested to remove this program.
http://www.what-is-exe.com/filenames/askbar-dll.html
askBar.dll is able to record inputs.
http://www.file.net/process/askbar.dll.html

O2 - BHO: (no name) - {324F5253-84F6-4A87-9583-9CCA81591B89} - (no file)
Unknown application. Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
Unnecessary (deactivated) entry that can be fixed. LinkScannerIE.dll

O2 - BHO: {29df1c90-6301-0088-2cb4-0b44ab7f3215} - {5123f7ba-44b0-4bc2-8800-103609c1fd92} - (no file)
Unknown application. Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
Unnecessary (deactivated) entry that can be fixed. coIEPlg.dll - Browser plugin related with Norton_Confidential

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Unnecessary (deactivated) entry that can be fixed.

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
Related to Norton Toolbar. Unnecessary (deactivated) entry that can be fixed.
http://www.spyandseek.com/Search.php?search_for=7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA&search=SAS-Search (4th from bottom on list)

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
Part of ask toolbar. It is suggested to remove this program.
http://www.what-is-exe.com/filenames/askbar-dll.html
askBar.dll is able to record inputs.
http://www.file.net/process/askbar.dll.html

O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
HJT rates this entry as bad. The choice is yours to keep it or remove it.

O20 - AppInit_DLLs: mgqnuo.dll
Related to Trojan-PSW.Win32 (keylogger) and this entry must be fixed.
http://www.threatexpert.com/report.aspx?md5=9218b1a9012da29cf999a14503550c89
http://www.precisesecurity.com/trojan/trojan-pswwin32dybaloml/
http://www.viruslist.com/en/viruses/encyclopedia?virusid=66350

O20 - Winlogon Notify: urqNGaxX - urqNGaxX.dll (file missing)
Possibly related to spyware. Unnecessary (deactivated) entry that can be fixed.

Overview of running tasks :

smss.exe
System task
Session Manager Subsystem

winlogon.exe
System task
Microsoft Windows Logon Process

services.exe
System task
Windows Service Controller

lsass.exe
System task
Local Security Authority Service

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

aswUpdSv.exe
Virusscan
Avast Anti-Virus Component

ashServ.exe
Virusscan
Avast

spoolsv.exe
System task
Microsoft Printer Spooler Service

jqs.exe
Backgroundtask
jqs.exe

svchost.exe
System task
Microsoft Service Host Process

ViewpointService.exe
Backgroundtask
View Manager Service

ashMaiSv.exe
Virusscan
Avast Anti-Virus Component

ashWebSv.exe
Virusscan
avast! Web Scanner

svchost.exe
System task
Microsoft Service Host Process

Explorer.EXE
System task
Microsoft Windows Explorer

RTHDCPL.EXE
Driver
Realtek HD Audio Sound Effect Manager

igfxtray.exe
Application
Intel Graphics configuration and diagnostic application

hkcmd.exe
Application
Intel multimedia devices

AsTray.exe
Unknown task (related to ASUS tray software)
Unknown task http://www.pcpitstop.com/libraries/process/i/AsTray.exe.html

igfxsrvc.exe
Driver
Intel(R) Common User Interface

AsAcpiSvr.exe
Unknown task (related to ASUS software)
Unknown task http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=19627

igfxext.exe
Driver
Intel Common User Interface

AsEPCMon.exe
Backgroundtask
AsEPCMon.exe

ETDCtrl.exe
Unknown task (related to ASUS software)
Unknown task http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=21823

realsched.exe
Application
RealNetworks Scheduler

ashDisp.exe
Virusscan
Avast AntiVirus

jusched.exe
Backgroundtask
Sun Java Update Scheduler

Belkinwcui.exe
System task
Wireless configuration utility for some Belkin cards such as the Wireless G Desktop Card

msmsgs.exe
Application
MSN Messenger

btdna.exe
Suspicious task
BitTorrent DNA

SUPERAntiSpyware.exe
Anti Add/Spyware software
SUPERAntiSpyware

SuperHybridEngine.exe
Backgroundtask
Eee Super Hybrid Engine

NOTEPAD.EXE
Application
Windows Notepad

HijackThis.exe
Application
Merijn Hijackthis
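
Added example (not part of the original thread and not any poster's or HijackThis's own code): a small Python triage of HijackThis log lines like the ones analysed above. The category names and the list of expected search hosts are assumptions made for illustration; the sample lines are copied from the analysis in this thread.

```python
import re
from urllib.parse import urlsplit

# HijackThis lines look like "<section> - <body>", e.g. "O2 - BHO: ... - (no file)".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")

# Assumption: hosts accepted as an unmodified IE search default; adjust as needed.
EXPECTED_SEARCH_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

# Sample lines copied from the analysis posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {324F5253-84F6-4A87-9583-9CCA81591B89} - (no file)
O20 - AppInit_DLLs: mgqnuo.dll
O20 - Winlogon Notify: urqNGaxX - urqNGaxX.dll (file missing)
"""


def triage(line):
    """Return (section, category, detail) for one log line, or None if not an entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m["section"], m["body"]

    # AppInit_DLLs are loaded into every process that loads user32.dll, so any
    # value here deserves a manual look before anything else.
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = [d for d in re.split(r"[ ,]+", body.split(":", 1)[1].strip()) if d]
        if dlls:
            return (section, "appinit-dll", " ".join(dlls))

    # Registration survives but the file is gone: a leftover from a removed
    # (or quarantined) component, safe to tidy once confirmed.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return (section, "orphaned", body)

    # R0/R1 entries carry IE start/search URLs; report an unexpected host.
    if section in ("R0", "R1"):
        url = URL_RE.search(body)
        if url:
            host = urlsplit(url.group()).hostname
            if host not in EXPECTED_SEARCH_HOSTS:
                return (section, "search-redirect", host)

    return (section, "present", body)


def summarize(log_text):
    """Triage every entry line in a log and drop headers and blank lines."""
    return [r for r in (triage(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for section, category, detail in summarize(SAMPLE_LOG):
        print(f"{section:4} {category:16} {detail}")
```
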


Alright, I had HijackThis fix all the problems you listed (including the ones that you said my choice on, since I don’t really use those) and I got the Webroot Desktop Firewall 5.8 from the Webroot site. I’ve also attached a new HijackThis log to this post, this time leaving BitTorrent running, since I think I had it shut down for the last one.

I normally have BitTorrent running all the time, in fact it’s one of my startup items. The majority of the torrents I get are from ThePirateBay and from users with good ratings, and I rarely ever see a problem from them, so yeah.

For the record, I can now access my task manager without problems, so that’s a plus. But I still get Avast alerts on google searches. I’ve also attached an avast log showing the warnings since I did a clean reinstall, the last one being after I did the HijackThis fix and had the firewall.

Hi Dorian

There are a few leads on google search relating to your problem – here are two of them

http://www.bleepingcomputer.com/forums/lofiversion/index.php/t249835.html

http://timt881.wordpress.com/2009/02/26/that-nasty-firefox-extension/

I am not so sure about the best procedure to sort this problem but there are some astute Firefox users on this forum. I would say definitely browser related but perhaps something on your computer also. So probably best wait for a second opinion on this.

If you are going to persist with BitTorrent, then you are definitely going to need to protect your hosts file from intrusion by blocking unwanted parasites -

Go to - http://www.mvps.org/winhelp2002/hosts.htm

Edit - I am having trouble loading a clean copy of the hosts.zip to a computer. File link may need update. If you are having the same problem then disregard load hosts for now.

I followed the instructions and such on that last link, so that’s taken care of (I also did the DNS Client config that they mentioned for XP)

As for the firefox issue… I didn’t know it was just firefox so I tested IE and yeah, no issues there. Still, my problems don’t seem to be as bad as those you linked to. The redirection issues have gone a while back (since Avast started detecting the issue about) and I don’t have any issues with the right click either unless my computer’s busy, but that’s normal. As far as I can tell, my recycling bin’s working fine also, though occasionally it does seem to be a bit slower, but I figured that was due to content or whatever my computer was doing at the time. Still, I’ll bookmark those pages and wait for another opinion on the issue before taking action like you said.

I think you’re on the way to a completely clean system. It’s 5pm here and often the forum is quiet this time of night, but north hemisphere should come on later on tonight and there may be some interest in your issues. At least there is a history of the problem to consult.

All I can propose is uninstall of firefox - perhaps disable active add ons and extensions first - then download and run your host files protection, and finally re-install the latest version of Firefox.

All the common procedures would obviously still apply - probably do them once your host file is protected. Download mbam under a different name, avast boot-time scan with firefox browser uninstalled, perhaps ATF cleaner - http://majorgeeks.com/ATF_Cleaner_d4949.html.

I can’t help you with the Firefox problem as I only use IE8 but what I see in the HijackThis log:

Download and install:
User Profile Hive Cleanup Service:
Brief Description
A service to help with slow log off and unreconciled profile problems.
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Adobe Reader 8.0 is vulnerable so go to Add/Remove programs and un-install it.

Adobe Reader 9.1:
http://get.adobe.com/reader <== un-select Google Toolbar if you do not want it

Update to IE8 as IE6 is vulnerable:
http://www.microsoft.com/windows/internet-explorer/default.aspx

IE is used everywhere in Windows to display everything even Windows Explorer.

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

I haven’t had a close look at your HijackThis log but what YoKenny says is 100% good advice to follow. You need to bring your computer up to date and you will find cleanup of your problems will become a lot easier and quicker. I would uninstall Firefox before doing the update procedures because FF has recently gone through an upgrade phase and you will always be better off with a clean install of the latest version.

Without consulting your HijackThis log –

  1. Uninstall Firefox browser including any associated toolbars including google (+ updater if loaded) in Add / Remove Programs in Control Panel (disable FF add ons and extensions first may make cleaner uninstall).

  2. Protect your hostfile from intrusion by following directions above.

  3. Go to Security Center in Control Panel and ensure Automatic Updates and Firewall boxes are checked for ON. If Virus Protection is not ON, click the Recommended tab and check the box to establish that you have your own virus protection. (I usually manually update avast iAVS here to effect this setting, but not critical to do this). Go to right hand panel and click Check for the latest updates from Windows update and take your time to bring your XP system up to date by downloading all Recommended updates. This may take some time but let the updates download and install at their own pace. Accept the offer to load automatic updates for Microsoft Update if you haven’t already. Only restart your computer when all download / install panels have shown Complete and can be closed (otherwise click Restart Later when prompted).

The prompt for download IE8 may not manifest until a bit later on, but just let the updates come through at their own pace (you can manual download IE8 if you want, but seems you would be jumping through from IE6). If updates procedures will not go through or if Windows updates sites cannot be reached, this may be because of malware infection - in that case, report back to this forum.

  4. update java (Control Panel > Java > Update > Update Now) or download latest version of Java
    from Java download site http://www.java.com/en/. (You can uninstall any older version in Add / Remove Programs)

  5. Update Adobe as YoKenny says. User Profile Hive Cleanup Service can be download / install at any time (at start if want - may help smoother running of the other updating procedures espec. with restarts). Run Secunia OSI to see how you have done / are doing http://secunia.com/vulnerability_scanning/online

  6. Run HijackThis and post log here to ready for clean install of latest version of Firefox.

Much of this will take some time but best just work your way through it at your own pace and don’t hesitate to post to forum if there are any hiccups. If malware infection is active you may need to do some cleaning procedures as you go.

Edit - I am having trouble loading a clean copy of the hosts.zip to a computer. File link may need update. If you are having the same problem then disregard load hosts for now.

Thanks to everyone for helping me here, unfortunately all that work now seems for naught… lol. You see, I joined the military (hence my absence, no internet for a while, the longest weeks of my life T_T) Anyway, when I finally got my computer back I had it running for about a week and when I was taking it out one day it fell and the screen shattered T_T yeah, completely FUBAR… Anyway, it still works on external screens… in safemode… but yeah, I got all my data and started moving it to a new computer, but that’s raising a new set of problems, no viruses (so far anyway knocks on wood) but I’m wondering if I should do away with all the programs you guys recommended to me and just keep the paid for version of Norton 360 or if I should keep some which ones… etc. So yeah, here’s a link to a new thread I made in regards to that in a more appropriate section (at least it seems it’s a more appropriate section, I could be wrong shrug) But yeah, if any of you are still watching this and are interested in tossing in your two cents (goddess knows I need it) go right ahead :) Link >> here

I have answered the other topic you started, http://forum.avast.com/index.php?topic=52543.msg444996#msg444996.