
I think I've got a virus...

Lardalish Registered User regular
edited June 2009 in Help / Advice Forum
Ok, so like the title says I think my computer has a virus. When I google and then click on a result it redirects me to some random site, usually one of those sites that's like "HERES SOME STUFF THATS LIKE WHAT YOU WANTED" with links to other sites. This is incredibly annoying. So I ran my virus checker and it didn't find anything, or rather, it found a couple minor things, fixed em, but it kept happening.

So how do I find this virus? I'm not a very computer literate guy, but I can follow directions.

I'm running Windows 2000 (yeah, I know), and my virus checker is AVG 8.5 free edition.

Lardalish on

Posts

  • rfalias Registered User regular
    edited June 2009
    Well, start off with Spybot S&D
    http://www.safer-networking.org/index2.html

    Install, update.
    Run it in safe-mode (Press F8, or sometimes F12) during startup.

    That gets most things nowadays, but you can use others:
    AVG is a good start, I've also had good luck with Avast! http://www.avast.com/

    http://www.javacoolsoftware.com/spywareblaster.html
    Spyware Blaster is also another great tool to help with the BHOs (Browser Hijack Objects)
    A BHO is what you have, and they are annoying to no end.

    If that still does not do it, get HijackThis! and run the log and post it here!
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

    Only get those tools from the sites listed, there are a lot of fake sites that will just pile on more spyware, so you gotta look out for the frauds.

    Run all of that stuff in safe mode once you have updated, you will remove more trash that way.

    rfalias on
  • Lardalish Registered User regular
    edited June 2009
    Ok, I downloaded all three of those, Search and Destroy and Hijack This don't want to start up. I click em and the hourglass comes up next to the pointer for about a second, then goes away and nothing happens.

    I ran Spyware Blaster and told it to do all its protection stuff, but I tried googling again and it's still the same. Gettin redirected to random places.

    Lardalish on
  • rfalias Registered User regular
    edited June 2009
    Try installing the programs in safe mode, there are certain nasty things that prevent them from being installed.

    rfalias on
  • Yann Registered User regular
    edited June 2009
    I had the same shit or similar a couple of days ago. I ran AdAware, CCleaner and Malwarebytes anti-malware in safemode, got rid of it fine.

    Yann on
  • DrFrylock Registered User regular
    edited June 2009
    Run HijackThis and Malwarebytes. If HijackThis won't run, rename the executable from "HijackThis.exe" to something else, like "hjt.exe."

    DrFrylock on
  • rfalias Registered User regular
    edited June 2009
    They need to institute the death penalty for the assholes that write all this malware stuff. Bunch of scumbags.

    rfalias on
  • ApexMirage Registered User regular
    edited June 2009
    penny018 wrote: »
    download AVG anti-virus and also McAfee anti-virus software from the net. that should help

    He already has AVG and this undoubtedly is not a virus.

    Definitely install from safe mode, and scan from there

    ApexMirage on
    I'd love to be the one disappoint you when I don't fall down
  • Lardalish Registered User regular
    edited June 2009
    Ok, so I went into safemode and changed the names of the .exe files and ran both Spybot and Hijack This, spybot removed some stuff and hijack gave me a txt file (which is what I'm guessing you wanted me to post). But firefox wouldn't let me on the internet in safe mode so I restarted and now I'm getting an "Inaccessible Boot Device" blue screen. I can't start up in regular mode or safe mode, I just get that blue screen. I'm on my roommate's computer now.

    Soooo... is there a way to salvage this? I've still got some important files on there that would be nearly impossible to replace in time.

    Lardalish on
  • Lardalish Registered User regular
    edited June 2009
    Alright, I have no idea what's going on, but I tried again and this time it started up. Whatever.

    So here's what Hijack This! gave me
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:21:58 AM, on 6/13/2009
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Safe mode

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\userinit.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Trend Micro\HijackThis\HT.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref("aim.session.screenname", "lardalish");
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\BRYANH.DELL8200\\APPLICATION DATA\\Mozilla\\Profiles\\default\\tnqfo4nj.slt");
    user_pref("browser.download.dir", "C:\\Documents and Settings\\bryanh\\My Documents\\download");
    user_pref("browser.download.save_converter_index", 0);
    user_pref("browser.open.dir", "C:\\Documents and Settings\\bryanh.DELL8200\\My Documents");
    user_pref("browser.open.filterIndex", 0);
    user_pref("browser.search.defaultengine", "engine://C%3A%
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref("aim.session.screenname", "lardalish");
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\BRYANH.DELL8200\\APPLICATION DATA\\Mozilla\\Profiles\\default\\tnqfo4nj.slt");
    user_pref("browser.download.dir", "C:\\Documents and Settings\\bryanh\\My Documents\\download");
    user_pref("browser.download.save_converter_index", 0);
    user_pref("browser.open.dir", "C:\\Documents and Settings\\bryanh.DELL8200\\My Documents");
    user_pref("browser.open.filterIndex", 0);
    user_pref("browser.search.defaultengine", "engine://C%3A%
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Folding@Home 5.03.lnk = C:\Program Files\Folding@Home\winfah.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZB
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230147688140
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINNT\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
    O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

    --
    End of file - 9716 bytes

    Lardalish on
  • DrFrylock Registered User regular
    edited June 2009
    I don't see anything overtly suspicious in there. Can you run it again in non-safemode and post the log?

    DrFrylock on
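
A HijackThis log like the one posted above is a flat list of lines, each tagged with a section code (`R0`, `O2`, `O4`, `O23`, ...). The following is an added example, not part of the thread and not HijackThis's own code: it parses that layout, re-joins entries that were hard-wrapped when pasted, and lists entries a reviewer would look up first. The three review rules and the function names are assumptions chosen for illustration; the sample lines are copied from the log in this thread.

```python
import re

# Lines copied from the HijackThis log posted in this thread (a small subset).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Safe mode

Running processes:
C:\WINNT\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZB
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINNT\system32\GameMon.des.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# A log entry is "<section code> - <text>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_log(text):
    """Return [(section_code, body), ...] in file order.

    Header and "Running processes" lines before the first entry are skipped.
    A non-entry line after an entry is treated as a wrapped continuation and
    joined with one space (assumption: the wrap happened at a space).
    Parsing stops at the "--" trailer that precedes "End of file".
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "--":
            break
        match = ENTRY_RE.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
        elif entries:
            entries[-1][1] += " " + line
    return [tuple(entry) for entry in entries]


def triage(entries):
    """Apply three illustrative review rules (assumptions, not HijackThis
    verdicts). A hit means "look this entry up", not "this is malware"."""
    findings = []
    for code, body in entries:
        if "(file missing)" in body:
            findings.append((code, "registered file is missing on disk", body))
        if code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "service binary carries no vendor name", body))
        if code == "O8":
            # The target is the text after the last " - " separator.
            target = body.rsplit(" - ", 1)[-1]
            if target.lower().startswith(("http://", "https://")):
                findings.append((code, "context menu item loads a remote page", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_log(SAMPLE_LOG)):
        print(f"[{code}] {reason}: {body}")
```
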
  • matt has a problem Points to 'off' Points to 'on' Registered User regular
    edited June 2009
    Download and run Malwarebytes. Had the same thing on a PC at work and it cleared right up.

    matt has a problem on
  • Lardalish Registered User regular
    edited June 2009
    DrFrylock wrote: »
    I don't see anything overtly suspicious in there. Can you run it again in non-safemode and post the log?
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:10:14 PM, on 6/13/2009
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Folding@Home\winfah.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\WINNT\System32\SCardSvr.exe
    C:\Program Files\Folding@Home\FahCore_78.exe
    C:\Program Files\Pidgin\pidgin.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HT.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref("aim.session.screenname", "lardalish");
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\BRYANH.DELL8200\\APPLICATION DATA\\Mozilla\\Profiles\\default\\tnqfo4nj.slt");
    user_pref("browser.download.dir", "C:\\Documents and Settings\\bryanh\\My Documents\\download");
    user_pref("browser.download.save_converter_index", 0);
    user_pref("browser.open.dir", "C:\\Documents and Settings\\bryanh.DELL8200\\My Documents");
    user_pref("browser.open.filterIndex", 0);
    user_pref("browser.search.defaultengine", "engine://C%3A%
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref("aim.session.screenname", "lardalish");
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.cache.disk.parent_directory", "C:\\DOCUMENTS AND SETTINGS\\BRYANH.DELL8200\\APPLICATION DATA\\Mozilla\\Profiles\\default\\tnqfo4nj.slt");
    user_pref("browser.download.dir", "C:\\Documents and Settings\\bryanh\\My Documents\\download");
    user_pref("browser.download.save_converter_index", 0);
    user_pref("browser.open.dir", "C:\\Documents and Settings\\bryanh.DELL8200\\My Documents");
    user_pref("browser.open.filterIndex", 0);
    user_pref("browser.search.defaultengine", "engine://C%3A%
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: Folding@Home 5.03.lnk = C:\Program Files\Folding@Home\winfah.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZB
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O15 - Trusted Zone: http://download.windowsupdate.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230147688140
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINNT\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
    O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

    --
    End of file - 11274 bytes



    Also: I downloaded Malwarebytes and it doesn't want to open, a lot like Spybot and Hijack were doin, but changing the names of the .exe's didn't help.

    EDIT: Ok, Malwarebytes just started working, I think my computer is selectively haunted. Whatever, I'll let you guys know how it turns out when the scan is done.

    Lardalish on
  • Lardalish Registered User regular
    edited June 2009
    Malware's logfile:
    Malwarebytes' Anti-Malware 1.37
    Database version: 2182
    Windows 5.0.2195 Service Pack 4

    6/13/2009 4:00:21 PM
    mbam-log-2009-06-13 (16-00-21).txt

    Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
    Objects scanned: 240405
    Time elapsed: 41 minute(s), 2 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 12
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{48e92754-2daf-4de4-8385-34f631580e9b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{a1c23ba2-8f20-4c01-b663-7ff2b3421194} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{f4406238-983a-4845-9053-f1d0007fd135} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MpegBuster (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\WUSN.1 (Adware.WhenUSave) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcpnvj0eg8a (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\documents and settings\bryanh\application data\rhcpnvj0eg8a (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\documents and settings\bryanh\application data\rhcpnvj0eg8a\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\documents and settings\bryanh\application data\rhcpnvj0eg8a\quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\documents and settings\bryanh\application data\rhcpnvj0eg8a\quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\documents and settings\bryanh\application data\rhcpnvj0eg8a\quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\documents and settings\bryanh\application data\rhcpnvj0eg8a\quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\documents and settings\bryanh\application data\rhcpnvj0eg8a\quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\documents and settings\bryanh\application data\rhcpnvj0eg8a\quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\documents and settings\bryanh\application data\rhcpnvj0eg8a\quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\documents and settings\bryanh\application data\rhcpnvj0eg8a\quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
    c:\documents and settings\bryanh\application data\rhcpnvj0eg8a\quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Program Files\MpegBuster (Trojan.DNSChanger) -> Quarantined and deleted successfully.

    Files Infected:
    c:\program files\mpegbuster\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.


    It's havin me restart then I'll see if that fixed my problem!

    Lardalish on
  • Desert_Eagle25 Registered User regular
    edited June 2009
    If you're using firefox, use Google Redirect Fix.

    http://forums.majorgeeks.com/showthread.php?t=182559

    Desert_Eagle25 on
  • LardalishLardalish Registered User regular
    edited June 2009
    Ok, I'm at a loss.

    When I restarted it told me a critical file was corrupted and that I needed to repair it with the emergency repair disk. So I did that, then something else was fucked up, so I used the repair disk again, then another thing fucked up and I used it again, and this happened like four or five times. Now I finally get on and it's reverted me back to service pack 2 (luckily all my files are still here) so I've got to go download service pack 4 and all those critical updates. I go there to download em and it says I need IE5.5 or higher to use the site. So I download IE6 and try to run it, but when I try it tells me that another application is waiting to be rebooted so I have to reboot the computer before I can try to install IE6. So I restart and when I get back I try to run it again and I get the same error. So I try to run it anyway and it gives me an error code (0x8007041D). All the while I'm doing this I keep getting little pop ups saying that WINDOWS INSTALLER IS STARTING but that's it, then they go away, and come back. All through what I'm doing.

    I have no idea what to do, I'm so lost and confused.

    Lardalish on
  • ApexMirageApexMirage Registered User regular
    edited June 2009
    Just back up your files and format the bastard, It's going to be more trouble than it's worth at this point... and you'd really want a new OS, win2k is bad beyond words

    ApexMirage on
    I'd love to be the one disappoint you when I don't fall down
  • LardalishLardalish Registered User regular
    edited June 2009
    Well, I don't have the money for a new windows (I'm broke as hell), but I have considered using Linux. Maybe someone can give me an idea of how to start on that? I think I've got some version of Linux already on here, but I don't know how to use it or what it is exactly.

    Can I copy all my files from here onto a drive and load em onto there? I know that linux has OpenOffice which I already use, and they have Firefox, which I already use, and they have an AIM client (I think they use pidgin) and I already use Pidgin, so maybe the transfer won't be so bad.

    I dunno, I'm about fed up with this thing. I've had this machine since 2k came out, well, it was my dad's then but still.

    Lardalish on
  • NerdtendoNerdtendo Registered User regular
    edited June 2009
    It's a long shot, but some employers can legally give an OS license out to their employees. See if that's available at your job. Obviously, it won't be if you work at a restaurant or something, but some office jobs do it.

    Nerdtendo on
  • DrFrylockDrFrylock Registered User regular
    edited June 2009
    Yep, you likely hosed something critical when you were fixing the machine. It's a risk.

    Windows 2000 probably wasn't long for the supported world anyway - at some point, MS would stop making security patches for it and you'd be screwed either way.

    If you want to do Linux, pick your favorite distribution, download an ISO, burn it to a CD, and boot off the CD and install it. It's just like installing Windows. I like Ubuntu but if you want a flamewar you can go over to D&D to talk about "quien distro es mas macho?" You can also download one of the many LiveCD distributions (available with many distributions) in order to basically see if your hardware works before you go forward with a full installation.

    The biggest problems people seem to have with Linux are 1) sound and 2) wireless network cards. The latter especially.

    Good luck!

    DrFrylock on
  • Delicious SteveDelicious Steve Registered User regular
    edited June 2009
    Sounded a bit like a rootkit, I remember my brother had one last year

    But yeah, reformat is the right way to go

    Good luck (not being sarcastic) using Linux

    Delicious Steve on
  • GrimReaperGrimReaper Registered User regular
    edited June 2009
    I'd also like to vote on reformat.

    If you do go with Linux then from your computer skill level I'd go with Ubuntu and you should be aware that you're not going to be able to play any games that are windows only unless you're willing to learn your way around wine.


    A few of the things that were dodgy in your hijackthis log:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZB
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/game...Plugin9USA.cab

    GrimReaper on
    PSN | Steam
    ---
    I've got a spare copy of Portal, if anyone wants it message me.
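
The entries GrimReaper quotes follow HijackThis's `<section> - <detail>` line format. As an added example (not part of any post in this thread), this Python script splits such lines into section, CLSID and remote host so the entries that point at a web address stand out; the section descriptions are summaries added here for the three codes quoted, and the function names are made up for the example.

```python
import re
from urllib.parse import urlparse

# Meanings of the three HijackThis sections quoted in the post above.
SECTIONS = {
    "O6": "Internet Explorer options locked by policy",
    "O8": "extra item in the IE right-click menu",
    "O16": "ActiveX control (Downloaded Program Files)",
}

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL = re.compile(r"https?://\S+")

# The four entries quoted in the post, copied as posted (elided URL included).
SAMPLE = r"""
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZB
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
"""

def parse_entries(log_text):
    """Return one dict per HijackThis entry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        section, detail = m.groups()
        clsid = CLSID.search(detail)
        entries.append({
            "section": section,
            "meaning": SECTIONS.get(section, "not covered by this example"),
            "detail": detail,
            "clsid": clsid.group(0) if clsid else None,
            "hosts": [urlparse(u).hostname for u in URL.findall(detail)],
        })
    return entries

def remote_hosts(entries):
    """Unique remote hosts the entries point at, in order of appearance."""
    seen = []
    for e in entries:
        for h in e["hosts"]:
            if h not in seen:
                seen.append(h)
    return seen

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(f'{e["section"]:>3}  {e["meaning"]}: {e["detail"]}')
    print("remote hosts:", remote_hosts(parse_entries(SAMPLE)))
```

The `res://` entry yields no host because it loads from a DLL on the local disk rather than from the network.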
  • real_pochaccoreal_pochacco Registered User regular
    edited June 2009
    Man malwarebytes and avast really helped my computer, that totally fixed it.

    real_pochacco on
  • LardalishLardalish Registered User regular
    edited June 2009
    Well, I think all the anti-virus things I've run got the virus because googling now doesn't get me redirected to random things, but in the process it bombed something that my Windows repair disks can't fix. I've run the emergency repair several times, but it always leaves something messed up. Currently I can't update Internet Explorer so I can't use Windows Update to get the updates that have already been released.

    I said Linux purely because my dad is a big fan of it and he's switched all the computers in the house over to that, even my tech retarded (said as lovingly as possible) mother. And I might not know a lot about computers but I learn pretty fast. I'm heading home in a week or so, when I get back I think I'm going to have my dad set me up and explain the basics.

    Lardalish on
  • ascannerlightlyascannerlightly Registered User regular
    edited June 2009
    Lardalish wrote: »
    I dunno, I'm about fed up with this thing. I've had this machine since 2k came out, well, it was my dad's then but still.
    is this the original install of 2k?

    ascannerlightly on
  • LardalishLardalish Registered User regular
    edited June 2009
    Lardalish wrote: »
    I dunno, I'm about fed up with this thing. I've had this machine since 2k came out, well, it was my dad's then but still.
    is this the original install of 2k?

    I think?

    My green CD says it's got SP2 so I guess it's not the very first super early install, but it was pretty close.

    Lardalish on
  • ascannerlightlyascannerlightly Registered User regular
    edited June 2009
    for the machine. have you personally reinstalled windows on this machine (recently.. ever?)

    ascannerlightly on
  • LardalishLardalish Registered User regular
    edited June 2009
    Oh, umm... I don't think so. I know I haven't and I've had it for....3 years maybe? Maybe 4.

    My dad might have at some point though, before it was mine I didn't really pay attention to what he did to it.

    Lardalish on
  • ascannerlightlyascannerlightly Registered User regular
    edited June 2009
    format/reinstall is definitely the way to go then. even without any virus/spyware/malware invasions, it's a good idea to reinstall windows on a regular basis. you might not notice it now, but when (if) you do format/reinstall you'll notice a huge increase in overall performance. i'm no programmer so i can't explain specific why's (someone here can, i'm sure), but windows is inherently unstable.

    ascannerlightly on