# Virus?



## Xpire (Sep 23, 2007)

Hi guys,

Not sure if I'm posting this in the right section or not.

Well, for no reason today, my laptop suddenly wouldn't let me go to www.google.com/www.gmail.com. So far I've only found it to be these two web sites that don't work.

They work fine for everyone else, even my other computers on the network.

I tried running cmd.exe and pinging various websites, all websites responded except for google and gmail.

Is this a virus? I was thinking it was, as lately my AVG has been finding some cookies that it's been unable to get rid of. I only reformatted this computer last week as well

Thanks guys


----------



## adarsh (Sep 23, 2007)

Hi, pls post a HijackThis log here...


----------



## Punk (Sep 23, 2007)

*How to post a Hijackthis log*


Click here to download HijackThis Installer
Save *HijackThis Installer* to your desktop.
Double-click on the *HijackThis Installer* icon on your desktop.
By default it will install to *C:\Program Files\Trend Micro\HijackThis*.
Click on *Install*.
It will create a HijackThis icon on the desktop.
Once installed, it will launch HijackThis.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.

BTW, have you tried www.google.com/gmail?


----------



## Xpire (Sep 23, 2007)

Grr... That link to the HijackThis installer doesn't work for me... and for some reason sites like yahoo and stuff load really slowly.. I see the frame of the website and stuff...then it just stops.

Yeah, www.google.com/gmail works =\

Now what? This is so annoying

Btw, just tried pinging www.trendsecure.com, and it didn't work.


----------



## adarsh (Sep 23, 2007)

hi again
try this link : http://merijn.org/programs.php#hijackthis


----------



## Xpire (Sep 23, 2007)

Ah thanks a lot. 



> Logfile of Trend Micro HijackThis v2.0.0 (BETA)
> Scan saved at 1:51:44 AM, on 24/09/2007
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> Boot mode: Normal
> ...



Hope that makes it easier to read, have no idea what that log file talks about...but i hope it can solve the problem.

Thanks guys


----------



## Punk (Sep 23, 2007)

You have an older version of Hijackthis, download the newer version from this link

http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

HJT shows everything (everything that malware infects) that is on your computer, which is why we use it to find out what kind of malware you are infected with.


----------



## adarsh (Sep 23, 2007)

Hi Xpire, I've found a bad BHO... in order to remove this, download and run scans with

SuperAntiSpyware from www.superantispyware.com in safe mode.

After disinfection, please post a new HJT log here


----------



## Xpire (Sep 23, 2007)

Webbenji, as i said two posts ago, that link doesn't work for me. Sorry


----------



## Xpire (Sep 23, 2007)

adarsh said:


> Hi Xpire, I've found a bad BHO... in order to remove this, download and run scans with
> 
> SuperAntiSpyware from www.superantispyware.com in safe mode.
> 
> After disinfection, please post a new HJT log here



Do you mean in Windows safe mode? Or the SUPERAntiSpyware safe mode?

Don't think i know how to start this laptop in safe mode, is there a way to restart in safe mode from Run?


----------



## Punk (Sep 23, 2007)

Adarsh, what BHO did you find?


----------



## adarsh (Sep 23, 2007)

windows safe mode. first boot into safe mode, and then run scans with SuperAntiSpyware... i would also recommend downloading spybot search and destroy from http://www.safer-networking.com .

run both scans one after the other in safe mode and post a new HJT log.


----------



## Xpire (Sep 23, 2007)

Ah i think you missed my edit. 

Is there a way to reboot into safe mode from Start>Run? I don't think i know how to start in safe mode normally, using F8 and such, as i'm using an asus laptop.


----------



## adarsh (Sep 23, 2007)

hey webbenji, this one :

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


----------



## adarsh (Sep 23, 2007)

go to run, type msconfig, and click on the tab "boot.ini".
under boot options, put a check on /SAFEBOOT... and click ok... when u are prompted, hit Restart. now when the system restarts, u will enter safe mode.

as soon as your scans are done, go to run, type msconfig, and click on the tab "boot.ini".
under boot options,  UNCHECK /SAFEBOOT... and click ok... when u are prompted, hit Restart.


----------



## Punk (Sep 23, 2007)

Adarsh I already told you it is Legit:

http://www.castlecops.com/tk32132-Windows_Live_Call_HoverToCall_class.html

Ok let's do an online scan:

Go *here* to run an online scanner from Kaspersky.

Click on "*Kaspersky Online Scanner*"
A new smaller window will pop up. Press "*Accept*" after reading the contents.
Now Kaspersky will update the anti-virus database. Let it run.
Click on "*Next*">"*Scan Settings*", and make sure the database is set to "*extended*". And check both the scan options. Then click *OK*.
Then click on "*My Computer*", and the scan will start.
Once finished, save the log as "*KAV.txt*" to the desktop.


----------



## adarsh (Sep 23, 2007)

sorry webbenji , mistake again, i apologise...


----------



## Xpire (Sep 24, 2007)

Yeah.. just completed the scans in safe mode, didn't do anything I think. Here's my HJT file just in case.



> Logfile of Trend Micro HijackThis v2.0.0 (BETA)
> Scan saved at 11:53:06 AM, on 24/09/2007
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> Boot mode: Normal
> ...



All it found were tracking cookies.

Trying the online scan now...
Thanks guys


----------



## Xpire (Sep 24, 2007)

Ok, just completed the online scan. 

It found a bunch of things, but all the actions were 'skipped' as the 'object is locked' or something...

Any other suggestions?

I can post up the scan report, if I can find a website that I can upload the html file on... just having a problem finding one when I can't even google one


----------



## adarsh (Sep 24, 2007)

Open the html file and highlight all the text and copy paste it here...
I couldn't find anything wrong with your log.
It could also be that the problem is caused by temporary files... try cleaning out all the dumps by using ccleaner.
Get ccleaner from here: http://www.ccleaner.com/download/downloading

I'm not sure if this might work though, just give it a try.


----------



## Xpire (Sep 24, 2007)

Still doesn't work after cleaning it...This is so frustrating...Google is like the page I view the most and I can't even get onto it...

Anyone else have any suggestions?


----------



## Punk (Sep 24, 2007)

Can I see the Kaspersky log please?

Those locked and skipped objects can be the problem.


----------



## Xpire (Sep 25, 2007)

Woops sorry.



> -------------------------------------------------------------------------------
> KASPERSKY ONLINE SCANNER REPORT
> Monday, September 24, 2007 12:59:57 PM
> Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
> ...



I think this problem's getting worse... www.google.com/gmail doesn't work anymore... and my msn messenger doesn't even work... grr..


----------



## Xpire (Sep 25, 2007)

Ok...Weird...

Normally I manually configure my IP through this computer...but I felt like testing whether automatic configuration would work. I usually use manual config for the ports on azureus and stuff...

Well anyway, after I clicked on the automatic config, all these notification boxes popped up near the system tray from avg, saying that profile has been changed bla bla. Then everything worked again?

I'm not sure whether it's AVG that caused all these problems... or possibly my router screwing me up... I'll have to test it a bit further... ugh.

Thanks a lot guys. =D


----------



## Punk (Sep 25, 2007)

Please download the *ComboFix* by sUBs:

*NOTE:  In the event you already have ComboFix, this is a new version that you have to download*.

Save it to your desktop.
Double-click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
*CAUTION*:
Please do *NOT* mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do *NOT* adjust your time format while ComboFix is running.


----------



## Xpire (Sep 25, 2007)

Don't know what that program was for...but here's the log.



> ComboFix 07-09-21.2 - "Alson" 2007-09-25 15:51:14.1 - NTFSx86
> Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.114 [GMT 10:00]
> * Created a new restore point
> .
> ...


----------



## Punk (Sep 25, 2007)

Well if changing some settings worked, maybe it was AVG having conflicts with your router.

I have found no spyware, so as long as you scan your computer regularly, you're fine. Also this is just a suggestion, you do as you want, but I found you're using some P2P software such as Limewire and Azureus, which are the best way to get infected by trojans and spyware. I recommend you ONLY use them for *legal* file uploading/downloading.

Post back here if the problem comes back.

Webbenji

PS: Combofix is a program that helps me see if you got any spyware hidden and remove them.


----------



## Xpire (Sep 25, 2007)

Hmm i see...

I wonder what triggered them to conflict with one another...

Thanks for your help Webbenji.


----------



## Punk (Sep 25, 2007)

No problem, it might have come from an update or a setting you changed.


----------



## John McKenna (Sep 25, 2007)

*Xpire*,

Your ComboFix log is showing signs of a USB Flash Drive Infection.

Please attach your flash drive to the computer.

Open notepad (Start > Run and type notepad) and copy/paste the text in the quote box below to it:


```
File::
C:\WINDOWS\system32\oxbvpen.exe
C:\ntde1ect.com

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7a03c118-5e2f-11dc-bda8-0015f2e8526e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c066b555-5d78-11dc-bda5-00130205c789}]
```

Save this as "*CFScript*"






Referring to the picture above, drag *CFScript* into ComboFix.exe

Run ComboFix again and post the resultant log file please.

*Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.*


----------



## Punk (Sep 25, 2007)

Oh damn, didn't see that one...


----------



## Xpire (Sep 26, 2007)

Hmm I have a couple of flash drives that are occasionally attached to this computer, most usually my friend's flash drives as I don't own one myself.

Will that CFScript work with my iPod plugged in? Even though I haven't plugged it in for a long time.. I don't think it's the iPod that's infected.


----------



## John McKenna (Sep 27, 2007)

I would imagine it's more likely to be your friend's. The infected flash drive will be disinfected if attached while running CFScript. Either way there are files and registry keys on your own machine which need removing by ComboFix. If you can't track down the infected flash drive, ban your friends from using them!!


----------



## Xpire (Sep 27, 2007)

I see i see...haha.

Then should I attach the separate flash drives and run CFScript each time? Or once is enough?

Thanks for the help guys.


----------



## John McKenna (Sep 27, 2007)

There's no harm in running it for each flash drive attached. 

After each run a new text file will be created with the results. Instead of posting them all, *Attach* them to your post. Edit each text file at the top to include the flash drive owner's name. That way you can hit them with a big stick once we track down the culprit.


----------



## Xpire (Oct 2, 2007)

> ComboFix 07-10-02.2 - Alson 2007-10-03  0:46:26.5 - NTFSx86
> Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.315 [GMT 10:00]
> Running from: C:\Documents and Settings\Alson\Desktop\ComboFix(2).exe
> Command switches used :: C:\Documents and Settings\Alson\Desktop\CFScript_used_2007-10-02@17.09.txt
> ...


Had to shorten it a bit due to restrictions of the forum...Hopefully didn't cut out the important parts.

Sorry for the delayed reply but I thought the problem was solved. I've run the combofix on my friends' USBs twice and each time it fixed the problem but then it came back again, I think. This is the log report from a combofix that I ran on my iPod, which I ran again a couple of days ago with the same log. I'm guessing the FILE:: at the top means that it had found infected files...
Can you tell me why it keeps coming back?


----------



## Punk (Oct 2, 2007)

You can post the end of the log in a second post.


----------



## Xpire (Oct 3, 2007)

Didn't think the second part had any significance. It's too hard to paste the rest of the log here, i have to split it up to like 4-5 parts because the forum won't let me paste it all grr.


----------



## John McKenna (Oct 3, 2007)

Upload the text file as an attachment please.


----------



## Xpire (Oct 4, 2007)

Sorry about that, just got frustrating. Here's the latest log, I found that every time I insert my USB into the computer, I have to run combofix to be able to access my files on the USB


----------



## ceewi1 (Oct 5, 2007)

Xpire, please attach the combofix log, which should be located at C:\combofix.txt.  What you've attached is just the input script


----------



## Xpire (Oct 7, 2007)

LOL, woops. sorry.
Gees, that was pretty annoying, forum wouldn't let me attach anything more than 19.5kb.


----------



## Xpire (Oct 9, 2007)

No replies? =(


----------



## ceewi1 (Oct 9, 2007)

Sorry about the delay.

The File:: section doesn't indicate that the files have been detected - it's just the files you've asked combofix to delete via the CFScript.txt file.  If it had detected and deleted the files they would appear in the Other Deletions section.

The entries for the offending files no longer appear, your log appears to be clean.  The infected flash drive isn't one of the ones you've posted, though.


----------



## Xpire (Oct 14, 2007)

Oh i see...the flash drives still seem to play up a bit though.. not a big problem. 
Thanks for your help guys. appreciate it


----------



## Xpire (Nov 10, 2007)

Hi again guys, 
Sorry about this but it's been frustrating me a bit...
Every time I insert my flash drive into my laptop, it doesn't let me open it.
Once I run the ComboFix with the script that John McKenna provided, everything is fixed but only temporarily. Once I restart or re-insert my USB drive, it doesn't work again...

Does anyone know a permanent fix to the 'usb drive infection'? 

Here's a copy of my latest combofix log: 

Combofix.txt


----------



## ceewi1 (Nov 10, 2007)

What exactly happens when you try to open up the drive?

Try this:

Look for a file called autorun.inf on the root of each drive, particularly the flash drive.  If it's found, post the contents here and delete it.

Next, download and run this file: http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Finally, run Notepad and paste the contents of the codebox into a new file.  Please do not include the word Code:

```
REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2]
```

Save the file to the desktop as *fix.reg* and make sure the "Save as Type" field says "All Files".  Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Restart, and try accessing the flash drive again.


----------



## Xpire (Nov 14, 2007)

Hi,

Sorry I didn't follow your steps in order. I actually ran the disinfector first. After running the disinfector the USB worked fine.

It seems as though my USB is permanently fine now, however if I plug in other USBs that haven't been inside my computer before, they get affected immediately... as if my hdd is the one that is infected.

Within the contents of my autorun file was this:

```
[AutoRun]
open=oxbvpen.exe
shellexecute=oxbvpen.exe
shell\Auto\command=oxbvpen.exe
```


Thanks!


----------
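
Added example, not part of any post in this thread and not code from ComboFix or Flash_Disinfector: a Python check that reads an autorun.inf like the one posted above and lists the programs its launch keys (`open`, `shellexecute`, `shell\...\command`) would start, which is what to look at before deleting the file. The function names and the extension list are assumptions made for this example, and the benign sample is constructed.

```python
import re
from pathlib import PureWindowsPath

# Launch keys of the [AutoRun] section; the extension list is this example's assumption.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

def launch_entries(autorun_text):
    """Return (key, command) pairs from the [AutoRun] section that start a program."""
    entries, in_autorun = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEYS.match(key.strip()):
                entries.append((key.strip().lower(), value.strip()))
    return entries

def suspicious_targets(autorun_text):
    """Return the sorted, de-duplicated executable names the launch entries point at."""
    targets = set()
    for _key, command in launch_entries(autorun_text):
        # The first token is the program; it may be quoted and followed by arguments.
        m = re.match(r'"([^"]+)"|(\S+)', command)
        if not m:
            continue  # empty value such as "open="
        name = PureWindowsPath(m.group(1) or m.group(2)).name.lower()
        if PureWindowsPath(name).suffix in EXECUTABLE_EXTS:
            targets.add(name)
    return sorted(targets)

# autorun.inf contents as posted in the thread above.
THREAD_SAMPLE = r"""[AutoRun]
open=oxbvpen.exe
shellexecute=oxbvpen.exe
shell\Auto\command=oxbvpen.exe
"""
# Constructed benign sample: only cosmetic keys, nothing is launched.
BENIGN_SAMPLE = """[autorun]
icon=drive.ico
label=Backup
"""

print(suspicious_targets(THREAD_SAMPLE), suspicious_targets(BENIGN_SAMPLE))
```

All three launch keys in the posted file resolve to the same `oxbvpen.exe` that the CFScript earlier in the thread lists under `File::`.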



## ceewi1 (Nov 15, 2007)

Let's get some more information.

Go to Kaspersky Online Scanner and click *Accept*
When the updates are finished downloading, click *Next>>Scan Settings*
Under *Scan using the following antivirus database:*, select *extended*
Make sure the *Scan Archives* and *Scan Mail Bases* options are selected as well. Click *OK*
Click *My Computer* and wait for the scan to finish
Click *Save Report As*. Under *Save as type:*, select *Text file*. Save this log to your Desktop and post a copy of it here.

Please also double click on Combofix.exe to have it generate a new log and post that log here


----------

