So i'm normally semi competent with my computer, but this issue has me at my wits ends.

Issues:
* Random words on most webpages are underlined, with popups whenever i scroll over them, and random redirects if i happen to click on them.
* Any websearch result, if clicked on, redirects to a random website, and I get a popup
* I cannot run Adaware, the update and scans error midway through, and freeze the program

I cannot enter safe mode, (probably my own fault).. i've tried holding F8 on restarts, repeatedly hitting F8 on restarts, and pulling the plug on my machine, to let it automatically enter the screen to choose safe mode (nothing has worked yet)

I recently deleted my Local Settings\Temp files to free up disk space, and it seems like all these issues got a lot worse (did I trigger something when i tried to delete the files? Most of these files directories were in that folder.)

AVG runs and detected the following, moving all to the virus vault (status for all is still "Infected"):

Worm/Generic.IMQ
Virus JS/Downloader.Agent
Virus HTML/Framer
Virus Java/ByteVerify
Trojan FakeAlert.H
Trojan Generic_c.IKY
Trojan Generic12.KAO
Trojan Generic12.OBZ
Trojan Generic12.QMX
Trojan Generic11.YQP
Trojan Generic11.BJXE
Trojan Generic6.QZR
Trojan SHeur2.AXX
Trojan SHeur2.CRJ
Trojan Downloader.Agent.APGW
Trojan Downloader.Agent.APJZ
Trojan Downloader.Agent.AGDP
Trojan Downloader.Generic2.IHY
Trojan Downloader.Generic3.SZP
Trojan Downloader.Generic6.LLP

I was searching for some of these items and came across a recommendation to install and run SDFix, but the install directions state to run in safe mode.

can anyone offer me some assistance, or at least give me some idea on how to attempt to fix these issues

Thank you!

Phill

Hi, and Welcome to WhatTheTech

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

• I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for the issues on this machine.
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• It's often worth reading through these instructions and printing them for ease of reference.
• If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
• Please reply to this thread. Do not start a new topic.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.


Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please save it to a convenient location.
• The log can also be found here:
  C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Post that log back here.

Please download DDS and save it to your desktop.

• Disable any script blocking protection
• Double click dds.scr to run the tool.
• When done, DDS.txt will open.
• Click Yes at the next prompt for Optional Scan.
• Save both reports to your desktop.

---------------------------------------------------

• Post the contents of the DDS.txt report in your next reply
• Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and the click UPLOAD.

Please download HijackThis version 2.0.2 and save the file to your desktop. Double click the Hijackthis icon on your desktop and hit Do a System Scan and Save a Logfile and then copy and paste the log into a new reply, using the Add Reply button.

Thanks.

first off, thank you very much for your assistance! I cannot tell you how grateful I am.

Now for the good stuff...

I ran ATF Cleaner, and it freed up something close to 200 MB of hard disk space.

I downloaded Malwarebyte's Anti-Malware and ran the scan. The log file is attached to this post. I did have to restart to allow the program to get rid of two files

I downloaded and attempted to run DDS, but when I opened the file, all i got was line after line of symbols, and nothing else. I was expecting a program to run, but after waiting a while, nothing else happened.

I have not updated my HiJackThis program with the newest version. I wanted to follow your instructions and not bypass the DDS. Is there something that I am missing that is causing it not to work properly? I have downloaded the program to my desktop, as instructed, and ran it from there.

Thank you once again for your assistance!

Phill

Hi

Not something you have missed no, just something that I didn't expect. Try this version instead:
http://www.techsupportforum.com/sectools/sUBs/dds

Then proceed with HijackThis.

Thanks.

Thank you once again for your assistance!

I ran DDS from the link that you posted, and this time it worked. I'll post teh "POST" file below, and attach the "ATTACH" file to this relay. As per your instructions, i'll post the Hijackthis in the next reply.

By the way, you guys are seriously on the ball with this stuff. You even think ahead enough to run files that create text documents, automatically titled what you are supposed to do with them... A lot of people can write a program, but it takes someone who's really in the know to do it well, and still pay attention to the little details... fantastic work all around.

Thank you!

Phill

"POST":

DDS (Version 1.0) - FAT32x86
Run by phillip lemke at 18:05:43.92 on Wed 12/03/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.254 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\phillip lemke\Desktop\dds.com

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.nvidia.com/Products.nsf/htmlmedia/software_drivers.html
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [AAWTray] c:\program files\lavasoft\ad-aware 2007\AAWTray.exe
mRun: [MP10_EnsureFileVer] c:\windows\inf\unregmp2.exe /EnsureFileVersions
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - f:\progra~1\aim95\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - f:\progra~1\aim95\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: NameServer = 208.67.220.220,208.67.222.222
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

============= SERVICES / DRIVERS ===============

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2003-5-9 89749]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-3-30 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-3-30 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-3-30 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-3-30 10760]
R2 aawservice;Ad-Aware 2007 Service;"c:\program files\lavasoft\ad-aware 2007\aawservice.exe" [2007-8-27 566616]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-3-30 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-3-30 49664]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-1-10 24652]

=============== Created Last 30 ================

2008-12-01 23:22 <DIR> --d----- c:\docume~1\philli~1\applic~1\Malwarebytes
2008-12-01 23:22 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-01 23:22 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 23:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-01 23:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-30 15:31 <DIR> --d----- C:\SDFix
2008-11-23 12:10 <DIR> --d----- c:\docume~1\philli~1\applic~1\Twain

==================== Find3M ====================

2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-05-15 07:35 <DIR> --d----- c:\docume~1\philli~1\applic~1\Mp3tag
2008-04-20 16:52 <DIR> --d----- c:\docume~1\philli~1\applic~1\Autodesk
2007-07-26 22:20 <DIR> --d----- c:\docume~1\philli~1\applic~1\MySpace
2007-03-30 22:09 <DIR> --d----- c:\docume~1\philli~1\applic~1\AVG7
2007-03-30 22:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Grisoft
2005-08-21 21:55 <DIR> --d----- c:\docume~1\philli~1\applic~1\.BitTornado
2004-07-29 12:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2004-02-10 01:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2004-01-28 00:42 <DIR> --d----- c:\docume~1\philli~1\applic~1\SSH

============= FINISH: 18:06:11.42 ===============

The Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:01 PM, on 12/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\phillip lemke\Local Settings\Temporary Internet Files\Content.IE5\UBSV2HGD\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.nvidia.com/Products.nsf/htmlmed...re_drivers.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 4370 bytes

Hi

You are using Kazaa. This is not technically malware by itself, but it installs its own adware software when installed in order to run properly. KaZaA is a hotbed for virus and malware activity. There are several out there that have been deemed "safe" and adware‑free (although inadvertently downloading adware is still a huge possibility with any file sharing program.). I strongly recommend that you remove it. Read this article for Alternatives that will provide some of the same function without the garbage. To remove it, click Start >> Control Panel >> Add or Remove Programs and click Remove next to the "Kazaa Lite v2.1.0" entry.


Viewpoint Manager is often installed without the users permission. If you didn't install it, or if you did but you no longer use it, I recommend you get rid of it.

Please click Start >> Control Panel >> Add or Remove Programs.
Find the item below on the list and click Remove.
Viewpoint Manager
Viewpoint Media Player
Let me know how it goes.

While you are in "Add/Remove Programs", we can get rid of these old versions of Java. Old versions of Java shouldn't be left on the machine as they can be exploited by malicious programs.
J2SE Runtime Environment 5.0 Update 2
Java 2 Runtime Environment, SE v1.4.2_01
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06

Reboot after these steps.

Now let's install the latest.

Installing Java:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  
• Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11, The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  
• Click the "Download" button to the right.
  
• Check the box that says: "Accept License Agreement".
  
• The page will refresh.
  
• Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop.
  
• Close any programs you may have running - especially any web browsers.
  
• From your desktop double-click on jre-6u11-windowsi586.exe to install the newest version.

From now on, you wont have to remove older versions of Java as any new updates will automatically remove the older versions.


Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   Spyware, Adware, Dialers, and other potentially dangerous programs
   Archives
   Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply, along with a fresh HijackThis log.

Also, please give a detailed description of how your computer is running and behaving at the moment, listing any remaining problems.

Thanks.

Due to inactivity this topic will be closed.
If you need help please start a new thread and post a new HJT log