1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Please help!! I can't get rid of this bugger!!!!!!

Discussion in 'Windows - Virus and spyware problems' started by mjinga, Feb 13, 2008.

  1. mjinga

    mjinga Member

    Joined:
    Feb 13, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    Hello people!

    Please I need HELP.

    I have something on my computer, I don’t know if it’s a virus, Trojan, Worm or spyware.

    Basically, there is a volume bar at the bottom of my screen. Nothing happens when I click on it. It also appears then disappears after a while. I can’t hear music, the volume bar goes down when I try tp play a song on Power Dvd or Windows mediea. The song is playing, but I can’t hear it. If I try and increase the volume, the bar goes down by itself.

    I have tried everything to remove this thing.

    I have run the Panda & Bull Guard AV, neither have picked it up. The scan comes out clean when I run them in normal mode. When I turn off system restore & scan, they freeze.

    I also ran Symantec & the scan result was no infections found. But when I checked the option ‘exclude this file from Scan’, that a file was automatically excluded from being scanned. Here is the name;

    system volume Information\_restore(5CC4E49F-3D 6C-40C2-BC04-75A734320976)

    I tried removing it from there, but it kept coming back.

    I then dried to delete the ‘system volume information’ folder from my hard drive.
    I ran my PC in safe mode & removed file restrictions & showed hidden files, so I could delete it. It was deleted but when I check later, it’s there again. I tried shredding the file with ‘Spybot’ but it came back after I restarted.

    I have run the following anti-spyware – AVG Anti-spyware, SpyBot search & destroy, Super anti-spyware, Spyware Blaster, BHO Demon, Ad Adware 2007, Bazooka, Bug hunter, Microsoft malicious removal tool.

    All these freeze after a while, even if I scan in safe mode. Some froze at this file;

    C:\WINDOWS\System32\drivers\etc\hosts

    Somebody please help, I don’t know what this bugger is & I’m really frustrated!!!!!!

    Here is my hijack file log.

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 11:05:08 AM, on 2/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\DAP\DAP.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Documents and Settings\Administrator\My Documents\My Completed Downloads\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O1 - Hosts: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    O1 - Hosts: "http://www.w3.org/TR/html4/loose.dtd">
    O1 - Hosts: <html>
    O1 - Hosts: <head>
    O1 - Hosts: <script LANGUAGE="JavaScript">
    O1 - Hosts: <!--
    O1 - Hosts: if (window != top)
    O1 - Hosts: top.location.href = location.href;
    O1 - Hosts: // -->
    O1 - Hosts: </script>
    O1 - Hosts: <title>Site Unavailable</title>
    O1 - Hosts: <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    O1 - Hosts: <style type="text/css">
    O1 - Hosts: body{text-align:center;}
    O1 - Hosts: .geohead {font-family:Verdana, Arial, Helvetica, sans-serif; font-size:10px;width:750px;margin:10px 0 10px 0;height:35px;}
    O1 - Hosts: .geohead #geologo {width:270px;display:block; float:left; }
    O1 - Hosts: .geohead #rightside {width:480px;display:block; float:right;border-bottom:1px solid #999999; height:27px;}
    O1 - Hosts: .geohead #rightside #welcome {width:50%;display:block; float:left; text-align:left;}
    O1 - Hosts: .geohead #rightside #wlinks {width:50%;display:block; float:right; text-align:right;}
    O1 - Hosts: .ftr { margin:0px; color:#404040; font:x-small Arial,sans-serif; text-align:center; width:750px;}
    O1 - Hosts: .bodywrap{display:block;height:470px;}
    O1 - Hosts: .bodycnt{width:510px; display:block; float:left; background-color:#EEE9F5; height:auto; text-align:left; font-family:Arial, Helvetica, sans-serif;font-size:13px; color:#000000; padding:20px 20px 35px 20px;}
    O1 - Hosts: .title { font-family:Arial, Helvetica, sans-serif; font-weight:bold; font-size:24px; color:#7C56A9}
    O1 - Hosts: .adcnt{width:172px; display:block; float:right; text-align:left;cursor:pointer;cursor:hand;}
    O1 - Hosts: .adcnt td {text-align:left;}
    O1 - Hosts: .adsubt{font-size:10px; font-family:verdana; font-weight:bold; color:#b4b4b4; cursor:default;margin-top:5px;}
    O1 - Hosts: .ybadge { font-family: Verdana, Arial, Helvetica, sans-serif; font-size:10px; color: #666666; margin-top:10px;}
    O1 - Hosts: .ybadge img {margin-top:6px;}
    O1 - Hosts: .adtable {font-family:Verdana, Arial, Helvetica, sans-serif; font-size:10px;border: 1px solid #d6dbe7; background-color:#eff7ff; padding:3px; margin-bottom:10px; width:172px;}
    O1 - Hosts: .adttl{font-weight:bold;margin-bottom:3px;}
    O1 - Hosts: .addescr{color:#6b6b6b; margin-bottom:3px;}
    O1 - Hosts: .adlink a {color:#008200; text-decoration:none;}
    O1 - Hosts: </style>
    O1 - Hosts: </head>
    O1 - Hosts: <body>
    O1 - Hosts: <!-- following code added by server. PLEASE REMOVE -->
    O1 - Hosts: <!-- preceding code added by server. PLEASE REMOVE -->
    O1 - Hosts: <div id="maincnt">
    O1 - Hosts: <div class="geohead"><div id="geologo"><a href="http://geocities.yahoo.com"><img height=33 alt="Yahoo! GeoCities" src="http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_geo_1.gif" width=259 border=0></a></div>
    O1 - Hosts: <div id="rightside"><div id="wlinks"><a href="http://geocities.yahoo.com">GeoCities Home</a> - <a href="http://www.yahoo.com">Yahoo!</a> - <a href="http://help.yahoo.com/help/us/geo/">Help</a></div>
    O1 - Hosts: </div></div>
    O1 - Hosts: <div class="bodywrap">
    O1 - Hosts: <div class="bodycnt">
    O1 - Hosts: <div class="title">Sorry, this GeoCities site is currently unavailable.</div>
    O1 - Hosts: <p>The GeoCities web site you were trying to view has temporarily exceeded its data transfer limit. Please try again later. </p>
    O1 - Hosts: <p>Are you the site owner?
    O1 - Hosts: Avoid service interruptions in the future by increasing your data transfer limit!
    O1 - Hosts: <a href="http://help.yahoo.com/help/us/geo/transfer/transfer-05.html" target="_blank">Find out how.</a> </p>
    O1 - Hosts: <p><a href="http://help.yahoo.com/help/us/geo/transfer/" target="_blank">Learn more about data transfer.</a></p>
    O1 - Hosts: </div>
    O1 - Hosts: <div class="adcnt">
    O1 - Hosts: <a target="_top" href="http://geocities.yahoo.com"><img src="http://us.i1.yimg.com/us.yimg.com/i/us/smbiz/b/geo_mast_small2.gif" alt="Yahoo! GeoCities" border="0" height="15" hspace="0" vspace="0" width="141"></a>
    O1 - Hosts: <div class="adsubt">SPONSORED LINKS</div>
    O1 - Hosts: <!--<table width="172" border="0" bgcolor="#FFFFFF" class="adtable"><tr><td align=left>-->
    O1 - Hosts: <div class="adtable">
    O1 - Hosts: <div class="adttl" title="Reliable plans include domain &amp; 24x7 support."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27166/*http://smallbusiness.yahoo.com/webhosting" target="_blank">Yahoo! Web Hosting<br>
    O1 - Hosts: $25 Setup Waived</a></div>
    O1 - Hosts: <div class="addescr" title="Reliable plans include domain &amp; 24x7 support.">Reliable plans include domain &amp; 24x7 support.</div>
    O1 - Hosts: <div class="adlink" title="Reliable plans include domain &amp; 24x7 support."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27166/*http://smallbusiness.yahoo.com/webhosting" target="_blank">webhosting.yahoo.com</a></div>
    O1 - Hosts: </div>
    O1 - Hosts: <div class="adtable">
    O1 - Hosts: <div class="adttl" title="Reliable plans include domain &amp; 24x7 support."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27176/*http://smallbusiness.yahoo.com/domains/" target="_blank">Domain Names from Yahoo! only $9.95/yr</a></div>
    O1 - Hosts: <div class="addescr" title="Includes starter web page, email & domain forwarding, 24x7 support.">Includes starter web page, email & domain forwarding, 24x7 support.</div>
    O1 - Hosts: <div class="adlink" title="Includes starter web page, email & domain forwarding, 24x7 support."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27176/*http://smallbusiness.yahoo.com/domains/" target="_blank">domains.yahoo.com</a></div>
    O1 - Hosts: </div>
    O1 - Hosts: <div class="adtable">
    O1 - Hosts: <div class="adttl" title="Setup fee waived. Up to 10 emails, SpamGuard, forwarding & virus scanning."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27184/*http://smallbusiness.yahoo.com/mail" target="_blank">Yahoo! Business Email<br> Domain Included</a></div>
    O1 - Hosts: <div class="addescr" title="Setup fee waived. Up to 10 emails, SpamGuard, forwarding & virus scanning.">Setup fee waived. Up to 10 emails, SpamGuard, forwarding &amp; virus scanning.</div>
    O1 - Hosts: <div class="adlink" title="Setup fee waived. Up to 10 emails, SpamGuard, forwarding & virus scanning."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=27184/*http://smallbusiness.yahoo.com/mail" target="_blank">smallbusiness.yahoo.com</a></div>
    O1 - Hosts: </div>
    O1 - Hosts: <div class="adtable">
    O1 - Hosts: <div class="adttl" title="$50 setup fee waived. A reliable ecommerce plan, 24x7 support."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=/27190/*http://smallbusiness.yahoo.com/merchant" target="_blank">Ecommerce from Yahoo!<br> 1 Month Free</a></div>
    O1 - Hosts: <div class="addescr" title="$50 setup fee waived. A reliable ecommerce plan, 24x7 support.">$50 setup fee waived. A reliable ecommerce plan, 24x7 support.</div>
    O1 - Hosts: <div class="adlink" title="$50 setup fee waived. A reliable ecommerce plan, 24x7 support."><a href="http://pa.yahoo.com/*http://us.rd.yahoo.com/evt=/27190/*http://smallbusiness.yahoo.com/merchant" target="_blank">smallbusiness.yahoo.com</a></div>
    O1 - Hosts: </div>
    O1 - Hosts: <div class="ybadge">
    O1 - Hosts: Get your own web site at <br><a target="_top" href="http://geocities.yahoo.com">Yahoo! GeoCities</a>
    O1 - Hosts: <a href="http://smallbusiness.yahoo.com/webhosting/" target="_top"><img src="http://us.i1.yimg.com/us.yimg.com/i/us/wh/gr/badge_hostedby_purp_2.gif" alt="Hosted by Yahoo! Web Hosting" align="middle" border="0" height="31" width="88"></a>
    O1 - Hosts: </div>
    O1 - Hosts: </div>
    O1 - Hosts: </div>
    O1 - Hosts: <div class=ftr>
    O1 - Hosts: <hr size=1 width=100%>
    O1 - Hosts: Copyright &copy;
    O1 - Hosts: 2005 Yahoo! Inc. All rights reserved<br>
    O1 - Hosts: <a href="http://privacy.yahoo.com/privacy/us/geo/">Privacy Policy</a>
    O1 - Hosts: - <a href="http://docs.yahoo.com/info/copyright/copyright.html">Copyright Policy</a>
    O1 - Hosts: - <a href="http://docs.yahoo.com/info/guidelines/community.html">Guidelines</a>
    O1 - Hosts: - <a href="http://docs.yahoo.com/info/terms/geoterms.html">Terms of Service</a>
    O1 - Hosts: - <a href="http://help.yahoo.com/help/us/geo/">Help</a>
    O1 - Hosts: </div>
    O1 - Hosts: </div>
    O1 - Hosts: </body>
    O1 - Hosts: </html>
    O1 - Hosts: <!-- text below generated by server. PLEASE REMOVE --></object></layer></div></span></style></noscript></table></script></applet>
    O1 - Hosts: <IMG SRC="http://geo.yahoo.com/serv?s=19190039&t=1174035624&f=us-w91" ALT=1 WIDTH=1 HEIGHT=1>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
    O23 - Service: BGRaSvc - BullGuard - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

    --
    End of file - 14100 bytes


     
  2. silk42

    silk42 Regular member

    Joined:
    Dec 21, 2007
    Messages:
    591
    Likes Received:
    0
    Trophy Points:
    26
    This is where your computer saves the restore points. Basically, your computer has created a restore point that contains the malware. In order to remove this, you'll have to turn off system restore so the restore point will be deleted. Once everything has been removed, you can then turn System Restore back on.

    In order to perform the procedure listed above, you need to right click on My Computer and select Properties. You'll then select the System Restore tab and turn it off for the volume in question. Reboot your computer and go into safe mode and run all of your scans again (Virus, Spybot, Adaware, etc...). After your computer has been cleaned, you should be good to go. It's recommended that you turn the System Restore option back on in case you ever need to use it in the future.
     
  3. mjinga

    mjinga Member

    Joined:
    Feb 13, 2008
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    11
    Hey 'Silk42', thanks a lot for the reply. I'll do as you say. Hope it works!!!! Will be back if it doesn't!!!
    Cheers;)

     
  4. echoreply

    echoreply Regular member

    Joined:
    Nov 9, 2007
    Messages:
    472
    Likes Received:
    0
    Trophy Points:
    26
    hi,

    thats your host file and you should not have HTML code in it;

    O1 - Hosts: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    O1 - Hosts: "http://www.w3.org/TR/html4/loose.dtd">
    O1 - Hosts: <html>
    O1 - Hosts: <head>

    etc

    try this:
    start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

    select all those 01 entries.

    reboot computer, rescan and post a new hjt log.

    echoreply
     

Share This Page