
Virus/Trojan/Malware Help!

Discussion in 'Malware and Virus Removal Archive' started by Theprophet, 2007/05/10.

  1. 2007/05/10
    Theprophet

    Theprophet Inactive Thread Starter

    Joined:
    2007/05/08
    Messages:
    3
    Likes Received:
    0
    Hi guys,

    Firstly, I stumbled across this site and it looks great, a wealth of knowledge and great people to back it up.

    OK, now my problem: my PC at home seems to have become affected with a Virus/Trojan/Malware. This happened less than a week ago and originally manifested itself by closing my IE and also my MSN and refusing to let me re-open them without rebooting.

    After rebooting I was able to access both again, but my 'Task Manager' menu was stuck on the 'Processes' screen and the tabs had disappeared to allow me to view anything else on there.
    This was coupled with the most annoying problem: every time I searched for something in a search engine and clicked on the results it would redirect me, not to anything specific, it would be completely random, but it happened every time I clicked on a search engine result and not if I typed the address into the address bar.

    With all of this, my friend and I spent over 4 hours working on it last night, running HijackThis repeatedly and trying to fix, clean, and delete everything we could.

    The 'Task Manager' menu is now back up and fully working, but I am still being redirected when it comes to search engine results.

    Below I have pasted the most recent log file from HijackThis, but when we called it a day in the early hours of this morning we were both stuck as to where to go, especially with our relatively limited knowledge.

    I'm keeping my fingers crossed that some of you guys will be able to shed some light on this for me.

    Anyway thanks in advance and here it is:


    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 07:52:12, on 10/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\alg.exe
    C:\crusty.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 2554 bytes
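    A HijackThis log like the one above is plain text with a fixed shape: a header, a "Running processes:" list, and then one entry per line tagged R0/R1/O2/O4/O23 and so on. Below is an added example (not part of this thread and not a HijackThis or WindowsBBS tool) showing how a helper could parse that layout and apply a simple triage heuristic: list every running process whose path is outside the usual Windows and Program Files directories, so a reviewer knows which lines to look up first. The sample log is a constructed, abbreviated excerpt in the same format as the one posted here, and the path-prefix list is an assumption about where installed software normally lives on a Windows XP machine. A flagged path is only a hint for a human to check, not a verdict that the file is malicious.

```python
import re
from collections import defaultdict

# Constructed excerpt in the HijackThis v2 log format (abbreviated from the thread's layout).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 07:52:12, on 10/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\crusty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 2554 bytes
"""

# Every non-process line in the body starts with a section tag such as R0, F1, O2, O23.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
# O4 entries look like "[Name] command line"; capture both halves.
O4_RE = re.compile(r"\[(.*?)\]\s+(.*)")

# Assumed "normal" install locations on a Windows XP box (short 8.3 form included).
EXPECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt_log(text):
    """Split a HijackThis log into header lines, running processes and tagged entries."""
    header, processes, entries = [], [], defaultdict(list)
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--" or line.startswith("End of file"):
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entries[m.group(1)].append(m.group(2))
            continue
        if section == "processes":
            processes.append(line)
        elif section == "header":
            header.append(line)
    return {"header": header, "processes": processes, "entries": dict(entries)}


def unusual_process_paths(processes):
    """Return processes running from outside the expected directories (review hints only)."""
    return [p for p in processes if not p.lower().startswith(EXPECTED_PREFIXES)]


def autostart_entries(entries):
    """Return (name, command) pairs for the O4 autostart entries."""
    found = []
    for entry in entries.get("O4", []):
        m = O4_RE.search(entry)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def triage(text):
    """Parse a log and produce the short summary a reviewer would look at first."""
    parsed = parse_hjt_log(text)
    return {
        "process_count": len(parsed["processes"]),
        "unusual_paths": unusual_process_paths(parsed["processes"]),
        "autostart": autostart_entries(parsed["entries"]),
        "bho_count": len(parsed["entries"].get("O2", [])),
        "service_count": len(parsed["entries"].get("O23", [])),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Running the script on the constructed excerpt lists one process to look up by hand (the executable at the root of C:\) together with the autostart, BHO and service counts; a reviewer would then check each flagged item against known software before deciding anything.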
     
  2. 2007/05/10
    Master Green

    Master Green Inactive

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    I will not be the one to examine your log, but from all the other ones I do read I have seen that those that are posted from Trend Micro (Beta Version) are asked to re-post them from www.thespykiller.co.uk

    You can wait till you are instructed by one of the specialists, or save yourself some time and beat 'em to the punch... Also, after doing so, hang in there as the guys can sometimes be bogged down with others... Good luck.
     


  4. 2007/05/10
    Theprophet

    Theprophet Inactive Thread Starter

    Joined:
    2007/05/08
    Messages:
    3
    Likes Received:
    0
    Hi MasterGreen,

    Thanks for your advice; do you mean that I need to post my log file on the forum from the link that you provided?

    Cheers
     
  5. 2007/05/10
    Master Green

    Master Green Inactive

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    No... Open up this forum as if you were going to post your log, then minimize this screen, download the HijackLog, open up this screen again, copy and paste it here (in this forum).
    After you do that, a specialist will do their best to get to it as soon as they can...
     
  6. 2007/05/11
    Master Green

    Master Green Inactive

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    Here are the steps you will be required to do:

    * Save HJTsetup.exe to your desktop.
    * Doubleclick on the HJTsetup.exe icon on your desktop.
    * By default it will install to C:\Program Files\Hijack This.
    * Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    * Put a check by Create a desktop icon then click Next again.
    * Continue to follow the rest of the prompts from there.
    * At the final dialogue box click Finish and it will launch Hijack This.
    * Click on the Scan button.
    You will notice the [Scan] button will turn into a [Save Log] button. It will scan and the log should open in Notepad.
    * Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    * Come back here to this thread and Paste the log in your next reply.
    * DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  7. 2007/05/11
    Theprophet

    Theprophet Inactive Thread Starter

    Joined:
    2007/05/08
    Messages:
    3
    Likes Received:
    0
    Hi,

    That is what I have already done in my first post, although I am at a slightly more advanced stage and have removed some of the stuff that it originally found, so the log file above is the updated/most recent one.
     
  8. 2007/05/11
    Master Green

    Master Green Inactive

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    You may have posted it in your first log, but where you got your Hijacklog scan done from, "Trend Micro (Beta)", is not the preferred one, and that's what I was trying to explain without getting into details (and leave that up to one of the specialists to do)... So you can wait, and as soon as one of the specialists becomes available they can explain...
     
