1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HTML/Infected.WebPage.Gen - Need some help for removal, log inside

Discussion in 'Virus & Other Malware Removal' started by stew181, Apr 4, 2010.

Thread Status:
Not open for further replies.
Advertisement
  1. stew181

    stew181 Thread Starter

    Joined:
    Apr 4, 2010
    Messages:
    3
    yesterday my friend got some malware from a url while browsing the net on my desktop. Now I'm stuck with it, pop ups keep coming up every 10 or so minutes, asking me to buy some sh1t. here is the log from hijack this.

    Logfile of Trend Micro HijackThis v2.0.3 (BETA)
    Scan saved at 11:03:26 PM, on 4/4/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\Program Files\Avira\AntiVir Desktop\sched.exe
    D:\Program Files\Avira\AntiVir Desktop\avguard.exe
    D:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\Hletub.exe
    D:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    D:\Program Files\Everything\Everything.exe
    D:\WINDOWS\system32\RunDll32.exe
    D:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe
    D:\Program Files\Cyberlink\Shared files\brs.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\Program Files\Replay Media Catcher\FLVSrvc.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    D:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
    D:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
    D:\PROGRA~1\FREEDO~1\fdm.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\uTorrent\uTorrent.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    D:\Program Files\MPC HomeCinema\mpc-hc.exe
    D:\WINDOWS\system32\SNDVOL32.EXE
    D:\Program Files\NewsBin\nbpro.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\DOCUME~1\Stew\LOCALS~1\Temp\Hsq.exe
    d:\program files\avira\antivir desktop\avcenter.exe
    D:\WINDOWS\system32\msiexec.exe
    D:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll
    O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [VirtualCloneDrive] "D:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [Everything] "D:\Program Files\Everything\Everything.exe" -startup
    O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
    O4 - HKLM\..\Run: [RemoteControl10] "D:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe"
    O4 - HKLM\..\Run: [BDRegion] D:\Program Files\Cyberlink\Shared files\brs.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Ask and Record FLV Service] "D:\Program Files\Replay Media Catcher\FLVSrvc.exe" /run
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [CanonSolutionMenu] D:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] D:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "D:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
    O4 - HKCU\..\Run: [AnyDVD] D:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
    O4 - HKCU\..\Run: [Free Download Manager] D:\PROGRA~1\FREEDO~1\fdm.exe -autorun
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [uTorrent] "D:\Program Files\uTorrent\uTorrent.exe"
    O4 - HKCU\..\Run: [YVIBBBHA8C] D:\DOCUME~1\Stew\LOCALS~1\Temp\Hsq.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Freenet Tray.lnk = K:\Freenet\bin\freenettray.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://D:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://D:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://D:\Program Files\Free Download Manager\dllink.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5E9F228C-B49C-4271-AC74-4F5E810A1EF0}: NameServer = 93.188.163.136,93.188.166.163
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F0492A8C-E8AD-49D2-AFC1-76D9DCE36D7C}: NameServer = 93.188.163.136,93.188.166.163
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.163.136,93.188.166.163
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.136,93.188.166.163
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.136,93.188.166.163
    O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Freenet background service (freenet) - Unknown owner - K:\Freenet\bin\wrapper-windows-x86-32.exe (file missing)
    O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - D:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NVIDIA-OMEGA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - D:\Program Files\OpenVPN\bin\openvpnserv.exe

    --
    End of file - 8537 bytes
     
  2. stew181

    stew181 Thread Starter

    Joined:
    Apr 4, 2010
    Messages:
    3
    scanned with superantispyware & antvir antivirus, but no luck in removal.
     
  3. stew181

    stew181 Thread Starter

    Joined:
    Apr 4, 2010
    Messages:
    3
    What other info should I provide?
     
  4. SweetTech

    SweetTech

    Joined:
    Dec 31, 1969
    Messages:
    1,016
    My name is SweetTech. I would be glad to take a look at your log and help you with solving any malware problems. I'd be grateful if you would note the following:

    • Logs from malware removal programs (DDS is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
    • Please make sure to carefully read any instruction that I give you.
      Reading too lightly will cause you to miss important steps, which could have destructive effects.
    • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
    • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
    • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
    • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
    • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
    • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
      Because of this, you must reply within five days
      . I will post a reminder should you seem to fail to do this, however, if you fail to reply within two days then,
      unless I have been notified of your absence in advance, the topic shall be closed!
    • Please do not PM me directly for help. If you have any questions, post them in this topic. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message to me on here. ;)
    • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
      Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

    ____________________________________________________


    OTL Custom Scan

    • Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Under Custom Scan paste this in

      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      symmpi.sys
      adp3132.sys
      mv61xx.sys
      /md5stop
      %systemroot%\*. /mp /s
      CREATERESTOREPOINT
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %systemroot%\System32\config\*.sav
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
      • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
      • You may need two posts to fit them both in.



    NEXT:



    Scanning with GMER

    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.


    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

      [​IMG]
    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
    -- If you encounter any problems, try running GMER in safe mode.
    -- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
    .



    NEXT:



    Please make sure you include the following items in your next post:
    1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
    2. The logs that were produced after running the OTL scans. (OTL.txt & Extras.txt)
    3. The log that was produced after running GMER
    4. An update on how your computer is currently running.​
    It would be helpful if you could answer each question in the order asked, as well as numbering your answers.
     
  5. SweetTech

    SweetTech

    Joined:
    Dec 31, 1969
    Messages:
    1,016
    Do you still need help with your machine?

    If the instructions are unclear or something isn't working, please let me know before proceeding.
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/914637

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice