Red circle with white X in system tray. Avast! Has been run a few times and I can’t get rid of this. Cleaned out my registry and killed any unwanted tasks in the taskbar but this is in way over my head. Halp! Cant install HT for some reason, I’m assuming its blocking the install. This one is particularly nasty, any advice?
Try a boot time scan with avast! Right click the scanner screen, select ‘schedule a boot time scan’ and reboot when requested. (Or open the tab at the top left of the scanner screen and select the boot time option from there.)
Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free
a-Squared Free
Malwarebytes’ Anti-Malware
Download the installers on a second computer and burn to disk if necessary. You’ll need to download the update files as well, and do a manual update after installing:
http://www.softpedia.com/catList/109,0,3,0,1.html
http://www.superantispyware.com/definitions.html
http://www.malwarebytes.org/mbam.php (Bottom of page.)
!!!
These scam programs use vulnerabilities in old versions of software to install: scan for out-of-date and insecure software using Secunia Software Inspector and update any vulnerable software: this will help to prevent future infections.
!!!
Well, I got rid of the tray icon one but Avast! and the other one keep popping up with new stuff despite my best efforts. I got hijackthis! to work finally as well, but for some reason Firefox won’t let me get on to google or gmail or yahoo!. Any more advice? I’ve got the Malwarebytes and avast pro and AdAware and all of them find things every time I reboot.
Heres my HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:17 PM, on 11/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\documents and settings\hp_administrator\desktop\b\yrnjaxqmiz\fcvrnebuqmd.exe
C:\documents and settings\hp_administrator\desktop\b\yrnjaxqmiz\fcvrnebuqmd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [HPBootOp] “C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe” /run
O4 - HKLM..\Run: [Reminder] “C:\Windows\Creator\Remind_XP.exe”
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [semaj] c:\documents and settings\hp_administrator\desktop\b\yrnjaxqmiz\fcvrnebuqmd.exe fc
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [semaj] c:\documents and settings\hp_administrator\desktop\b\yrnjaxqmiz\fcvrnebuqmd.exe fc
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User ‘Default user’)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra ‘Tools’ menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061023/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - AppInit_DLLs: karna.dat
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
–
End of file - 6881 bytes
Please download the OTMoveIt3 by OldTimer.
[*] Save it to your desktop.
[*] Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes
fcvrnebuqmd.exe
:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"semaj"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"semaj"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-
:Files
C:\documents and settings\hp_administrator\desktop\b\yrnjaxqmiz
C:\karna.dat /s
:Commands
[purity]
[emptytemp]
[*] Return to OTMoveIt3, right click in the “Paste Instructions for Items to be Moved” window (under the yellow bar) and choose Paste.
[*]Click the red Moveit! button.
[*]Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
[*]Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
THEN
To ensure that I get all the information this log will need to be uploaded to Mediafire and post the sharing link.
Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
[*]Close ALL OTHER PROGRAMS.
[*]Open the OTScanit folder and double-click on OTScanit.exe to start the program.
[*]Check the box that says Scan All User Accounts
[*]Check the Radio button for Rootkit check YES
[*]Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
[]Under Additional Scans check the following:
[]Reg - BotCheck
[*]File - Additional Folder Scans
[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
========== PROCESSES ==========
Unable to kill process: fcvrnebuqmd.exe
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\semaj not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\semaj not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs not found.
========== FILES ==========
File/Folder C:\documents and settings\hp_administrator\desktop\b\yrnjaxqmiz not found.
File/Folder C:\karna.dat not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_gSkbXKDRRhM8ZFsaV7wj scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_gSkbXKDRRhM8ZFsaV7wj-journal scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_vHJ7UZCtfOkyqnYBv7wU scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp~DF8098.tmp scheduled to be deleted on reboot.
User’s Temp folder emptied.
User’s Temporary Internet Files folder emptied.
User’s Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6c8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\OfflineCache\index.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\Cache_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\Cache_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\Cache_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\Cache_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11012008_193914
Files moved on Reboot…
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_gSkbXKDRRhM8ZFsaV7wj not found!
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_gSkbXKDRRhM8ZFsaV7wj-journal not found!
File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_vHJ7UZCtfOkyqnYBv7wU not found!
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp~DF8098.tmp moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat moved successfully.
File move failed. C:\WINDOWS\temp_avast4_\Webshlock.txt scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_6c8.dat not found!
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\OfflineCache\index.sqlite moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\Cache_CACHE_001_ moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\Cache_CACHE_002_ moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\Cache_CACHE_003_ moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\Cache_CACHE_MAP_ moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\i81vgkaw.default\XUL.mfl moved successfully.
http://www.mediafire.com/?sharekey=055814fea9846172ab1eab3e9fa335ca41bfd3d1fcfce615
Thats the log and link to the log from the OTMoveit. I’ll update once the OTScanit does its job. Thanks by the way for all the help.
EDIT: http://www.mediafire.com/?sharekey=2d2a3281b3260956ab1eab3e9fa335ca8a16d7c287f1c8fb
Thats the link to the OT Scan it log. Thats a lot of stuff to go through and I really do appreciate all the work you guys put in for us noobs.
Hi…
I take it you have children. 
Best Regards…
Ha! how could you tell? I’ve got a 17 y/o son and a 15 y/o daughter. Both of them use this computer regularly and despite my best efforts seem to get into trouble with it hehe.
Its amazing how they know everything isn’t it ???
Hi…
Sorry Yokenney, I’m 37 and never had any children, at least for the time being, perhaps.
Best Regards…
Hi again there are a few more elements to kill and a little securing to do
Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> PCDrProfiler -> []
< Drives with AutoRun files > ->
YY -> Autorun.inf [[AUTORUN] | ShellExecute=Info.exe protect.ed 480 480 | ] -> D:\Autorun.inf [ FAT32 ]
YY -> AutoRun [] -> G:\AutoRun.exe [ UDF ]
YY -> AutoRun.exe [] -> G:\AutoRun.exe [ UDF ]
YY -> autorun.inf [] -> G:\autorun.inf [ UDF ]
YY -> AutoRunGUI.dll [] -> G:\AutoRunGUI.dll [ UDF ]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > ->
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\All Users\Application Data\csrss.exe -> %AllUsersProfile%\Application Data\csrss.exe [C:\Documents and Settings\All Users\Application Data\csrss.exe:*:Enabled:svchost]
[Files/Folders - Created Within 90 days]
NY -> SIntf16.dll -> %SystemRoot%\System32\SIntf16.dll
NY -> SIntf32.dll -> %SystemRoot%\System32\SIntf32.dll
NY -> SIntfNT.dll -> %SystemRoot%\System32\SIntfNT.dll
NY -> vghd.scr -> %SystemRoot%\System32\vghd.scr
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> vghd -> %AppData%\vghd
[Files/Folders - Modified Within 90 days]
NY -> SIntf16.dll -> %SystemRoot%\System32\SIntf16.dll
NY -> SIntf32.dll -> %SystemRoot%\System32\SIntf32.dll
NY -> SIntfNT.dll -> %SystemRoot%\System32\SIntfNT.dll
NY -> vghd.scr -> %SystemRoot%\System32\vghd.scr
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.
I will review the information when it comes back in.
Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
THEN
Please download JavaRa to your desktop and unzip it to its own folder
[*]Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
[*]Accept any prompts.
[*]Open JavaRa.exe again and select Search For Updates.
[*]Select Update Using Sun Java’s Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
Let me know how it runs now
For that fix to run, is a very short time 20+minutes? Heh, its been running a while and still hasn’t completed. I’ll update when I get a chance.
EDIT: 15 more minutes have gone by, still no text log. The only other thing thats come up or has been out of the ordinary is I can’t navigate to certain webpages EX: Google, yahoo or wikipedia. At least those are the ones I’ve noticed.
Intriguing stop the programme and reboot
It may be to do with this trojan C:\Documents and Settings\All Users\Application Data\csrss.exe
Well, as of the reading of your last post, otscanit was still working on the fix. I’m going to try to run it again but after that…?
You can’t use google as you have it as a no go in your host file
127.0.0.1 google.com.ag
Do you want to fix that ?
If so
Download the HostsXpert 4.2 - Hosts File Manager.
[]Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
[]Run HostsXpert 4.2 - Hosts File Manager from its new home
[]Click on “File Handling”.
[]Click on “Restore MS Hosts File”.
[]Click OK on the Confirmation box.
[]Click on “Make Read Only?”
[]Click the X to exit the program.
[]Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Host file thing worked, thanks for that. Had to have been part of the mal-ware that I had on there. As for the script from two posts up, I didn’t get it to work the second time around either. Heres an updated HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:34:31 PM, on 11/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\HP_Administrator\Desktop\Virus Bullshit\HiJackThis.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [HPBootOp] “C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe” /run
O4 - HKLM..\Run: [Reminder] “C:\Windows\Creator\Remind_XP.exe”
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe”
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User ‘Default user’)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra ‘Tools’ menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061023/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
–
End of file - 6427 bytes
OK I will have a word with the author of the programme. Where there any errors or did it just not function ?
How are things running now ?
Nope, no errors. Just decided it wanted to freeze each time and pretend like it was working while giving one of those “Not Responding” title things. Other than that everything seems to be running pretty smoothly, the bandwith on my internet doesn’t seem to be so consumed hah. I’m getting almost double the d/l speed I once was. I appreciate all the time and effort you’ve put into helping me, any advice to prevent things like this in the future besides the standard "Run anti-virus and don’t d/l anything suspicious? I’ve got children that use the computer too, and I can’t monitor them all the time, is there any way to put restrictions on what programs they can use through their own user accounts or control what they install or run?
Hi :
Regarding “Bonjour/mDNSResponder” : Would recommend you read the Info at www.raymond.cc/blog/archives/2008/02/10/how-to-uninstall-or-remove-bonjour-mdnsresponderexe/ to read WHAT this does and Removal
Instructions IF interested !?
Based on the “Comments” on that Site, an unnecessary “port” is opened on
your computer that malware could come through .
More Info is in the Post I wrote at http://forum.avast.com/index.php?topic=39186.msg328959;topicseen#msg328959 .
As to your “children” : should seriously consider setting up “Limited” User
Accounts for them, then password-protect your Administator Account .
I will give my standard clean spiel
But as Spiritsong states a limited account would be the way to go
Now the best part of the day ----- Your log now appears clean 
A good workman always cleans up after himself so…Download and run this small programme and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[]Click OK.
Please download JavaRa to your desktop and unzip it to its own folder
[*]Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
[*]Accept any prompts.
[*]Open JavaRa.exe again and select Search For Updates.
[*]Select Update Using Sun Java’s Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
[*]Select Start > All Programs > Accessories > System tools > System Restore.
[*]On the dialogue box that appears select Create a Restore Point
[*]Click NEXT
[*]Enter a name e.g. Clean
[*]Click CREATE
You now have a clean restore point, to get rid of the bad ones:
[*]Select Start > All Programs > Accessories > System tools > Disk Cleanup.
[*]In the Drop down box that appears select your main drive e.g. C
[*]Click OK
[*]The System will do some calculation and the display a dialogue box with TABS
[*]Select the More Options Tab.
[*]At the bottom will be a system restore box with a CLEANUP button click this
[*]Accept the Warning and select OK again, the program will close and you are done
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[]SpywareBlaster to help prevent spyware from installing in the first place.
[]SuperAntispyware Run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit
[]Secunia Software inspector To check your programme update status
[]Microsoft Windows Update
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe 