Having problems accessing AV websites

zombeh

I'm pretty sure I have some kind of virus/spyware. I tried downloading some ipod backup programs without any antivirus installed. I have uninstalled all the crap but still having some computer issues. Here is my Hijackthis Log

Do you see anything that needs to be fixed?


RECUVA recovered ALL my photos. JFYI

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:36 PM, on 1/12/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\Explorer.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Softex\OmniPass\scureapp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Infineon\Security Platform Software\SpTNA.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Documents and Settings\Owner\Favorites\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=C:\WINDOWS\Explorer.exe "C:\WINDOWS\system32\Explorer.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, "C:\Documents and Settings\Owner\Application Data\Explore.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [OmniPass] C:\Program Files\Softex\OmniPass\scureapp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [IfxSecurePlatformIndication] C:\Program Files\Infineon\Security Platform Software\SpTNA.exe
O4 - HKLM\..\Run: [PSDruntime] C:\Program Files\Infineon\Security Platform Software\PSDrt.EXE
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
O4 - HKLM\..\RunOnce: [Dll Link] C:\WINDOWS\svchoist.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart
O4 - HKCU\..\RunOnce: [Dll Link] C:\Documents and Settings\Owner\Favorites\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [Graphics] C:\WINDOWS\_default+.pif
O4 - HKCU\..\Policies\Explorer\Run: [WinNT] C:\Documents and Settings\Owner\Application Data\Microsoft\WinNT.com
O4 - HKUS\S-1-5-21-789336058-926492609-682003330-1003\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" -NoStart (User '?')
O4 - HKUS\S-1-5-21-789336058-926492609-682003330-1003\..\RunOnce: [Dll Link] C:\Documents and Settings\Owner\Favorites\svchost.exe (User '?')
O4 - HKUS\S-1-5-21-789336058-926492609-682003330-1003\..\Policies\Explorer\Run: [WinNT] C:\Documents and Settings\Owner\Application Data\Microsoft\WinNT.com (User '?')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: PSDNtfy - C:\Program Files\Infineon\Security Platform Software\PSDNtfy.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Softex OmniPass Service (omniserv) - Softex Inc. - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\Infineon\Security Platform Software\PSDsrvc.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7197 bytes
 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Seems like a policy change. You should run a Malwarebytes scan.
 
I tried downloading Malwarebytes but I cannot access their website either. Is there any way you can host the setup.exe for me somewhere? It's hard for me to access another computer because I am currently traveling around New Zealand.

Thanks
 
After using hijackthis.de with your log, it has spotted:

O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

as being nasty entries. I take no responsibility for your actions, but I suggest removing them.

There are also some unknown entries on there, I am assuming from your work. I would inspect them yourself.

Edit: Here is an up-to-date version of Malwarebytes; you should not have a problem downloading it:

http://www.moogu.net/malwearbites.exe
 
Can you go to www.filehippo.com and download stuff from there? Just make sure you rename the files when you save them, as some malware is smart enough to delete/neuter the mbam-setup.exe file.

Also, try doing a Google search for ComboFix on BleepingComputer's website; that program is not normally recognized by malware.
 
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O4 - HKUS\S-1-5-21-789336058-926492609-682003330-1003\..\RunOnce: [Dll Link] C:\Documents and Settings\Owner\Favorites\svchost.exe (User '?')
O4 - HKUS\S-1-5-21-789336058-926492609-682003330-1003\..\Policies\Explorer\Run: [WinNT] C:\Documents and Settings\Owner\Application Data\Microsoft\WinNT.com (User '?')
O4 - HKLM\..\Policies\Explorer\Run: [Graphics] C:\WINDOWS\_default+.pif
O4 - HKCU\..\Policies\Explorer\Run: [WinNT] C:\Documents and Settings\Owner\Application Data\Microsoft\WinNT.com
O4 - HKCU\..\RunOnce: [Dll Link] C:\Documents and Settings\Owner\Favorites\svchost.exe
O4 - HKLM\..\RunOnce: [Dll Link] C:\WINDOWS\svchoist.exe
F2 - REG:system.ini: Shell=C:\WINDOWS\Explorer.exe "C:\WINDOWS\system32\Explorer.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, "C:\Documents and Settings\Owner\Application Data\Explore.exe"
C:\Documents and Settings\Owner\Favorites\svchost.exe
C:\WINDOWS\system32\svchost.exe
Those entries look highly suspicious to me. Try removing those with HiJackThis in Safe Mode. Then see if you can download Combofix. Run that. Then download MalwareBytes. Run that. Then download Spybot. Run that.

Then get yourself an antivirus program and run a full system scan.
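The checks the replies above apply by eye can be written down as detection logic. The following is an added example, not part of the thread and not a feature of HijackThis: it parses O4, F2 and O7 lines copied from the log posted earlier and flags a system-process name running from the wrong directory or from the user profile, a near-miss name such as svchoist.exe, a second program chained onto Shell= or UserInit=, autoruns under Policies\Explorer\Run, and a policy value that disables regedit or Task Manager. The table of where Windows keeps its own binaries is an assumption kept deliberately short.

```python
"""Heuristic triage of HijackThis O4 / F2 / O7 entries (added example)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Where Windows XP keeps these binaries. Assumption: a short illustrative
# table, not an exhaustive one.
SYSTEM_BINARIES = {
    "svchost.exe": "c:\\windows\\system32\\",
    "explorer.exe": "c:\\windows\\",
    "userinit.exe": "c:\\windows\\system32\\",
    "winlogon.exe": "c:\\windows\\system32\\",
    "lsass.exe": "c:\\windows\\system32\\",
    "services.exe": "c:\\windows\\system32\\",
    "smss.exe": "c:\\windows\\system32\\",
}
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\favorites\\")
# Leading executable of a command line, quoted or not. It stops at the first
# executable-looking extension, so a directory named like "foo.com" would fool it.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|pif|scr|bat))\b"?', re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
F2_PREFIX = "F2 - REG:system.ini: "


def one_edit_apart(a, b):
    """True when a and b differ by exactly one insert, delete or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1  # substitution: advance both strings
        j += 1      # insertion into the longer string: advance it alone
    return True


def exe_of(command):
    """Lower-cased executable path at the head of an O4 command line."""
    command = command.strip()
    m = EXE_RE.match(command)
    return (m.group(1) if m else command).lower()


def split_executables(value):
    """Executables in a Shell=/UserInit= value (quoted, or unquoted without spaces)."""
    return [(quoted or bare).rstrip(",").lower()
            for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', value)]


def inspect_path(path):
    """Reasons a single executable path deserves a closer look."""
    reasons = []
    directory, _, basename = path.rpartition("\\")
    directory += "\\"
    if any(marker in path for marker in PROFILE_MARKERS):
        reasons.append("autorun from user profile")
    if basename in SYSTEM_BINARIES and directory != SYSTEM_BINARIES[basename]:
        reasons.append(f"{basename} outside {SYSTEM_BINARIES[basename]}")
    for known in SYSTEM_BINARIES:
        if one_edit_apart(basename, known):
            reasons.append(f"{basename} looks like {known}")
    return reasons


def triage(lines):
    """Run the heuristics over HijackThis log lines; returns Finding tuples."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("O7 - ") and re.search(r"Disable(Regedit|TaskMgr)=1", line):
            findings.append(Finding(line, "policy disables an admin tool"))
        elif line.startswith(F2_PREFIX):
            key, _, value = line[len(F2_PREFIX):].partition("=")
            execs = split_executables(value)
            if len(execs) > 1:  # exactly one program belongs on Shell= / UserInit=
                findings.append(Finding(line, f"extra program chained onto {key}="))
            for path in execs:
                findings.extend(Finding(line, r) for r in inspect_path(path))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m is None:
                continue  # e.g. "O4 - Global Startup: ... .lnk = ?"
            if "\\Policies\\Explorer\\Run" in m.group("key"):
                findings.append(Finding(line, "autorun under Policies\\Explorer\\Run"))
            findings.extend(Finding(line, r) for r in inspect_path(exe_of(m.group("cmd"))))
    return findings


def flagged_lines(findings):
    """Distinct log lines that produced at least one finding, in log order."""
    return list(dict.fromkeys(f.line for f in findings))


# Lines copied from the HijackThis log posted in this thread (two benign ones first).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Dll Link] C:\WINDOWS\svchoist.exe
O4 - HKCU\..\RunOnce: [Dll Link] C:\Documents and Settings\Owner\Favorites\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [Graphics] C:\WINDOWS\_default+.pif
O4 - HKCU\..\Policies\Explorer\Run: [WinNT] C:\Documents and Settings\Owner\Application Data\Microsoft\WinNT.com
F2 - REG:system.ini: Shell=C:\WINDOWS\Explorer.exe "C:\WINDOWS\system32\Explorer.exe"
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, "C:\Documents and Settings\Owner\Application Data\Explore.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""


def triage_sample():
    return triage(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.reason:45} {f.line}")
```

Run as a script it prints one reason per line for the seven suspicious entries and nothing for the two benign ones. The lookalike check is what catches the second Explorer.exe in Shell= (it lives in system32, where the real one does not) and the Explore.exe chained onto UserInit=, which is exactly the pairing the replies singled out; a real triage tool would extend the location table and verify file hashes instead of trusting names.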
 
Those entries look highly suspicious to me. Try removing those with HiJackThis in Safe Mode. Then see if you can download Combofix. Run that. Then download MalwareBytes. Run that. Then download Spybot. Run that.

Then get yourself an antivirus program and run a full system scan.

I have tried removing the suspicious ones in HijackThis in safe mode and somehow they keep reappearing, I cannot delete them. I have also scanned with Spybot and malbytes and it found 12 results. It said it fixed them but they are still reappearing in the scan.

I can access all the websites via safe mode w/networking but my computer is still infected. What else can I try?
 
I have tried removing the suspicious ones in HijackThis in safe mode and somehow they keep reappearing, I cannot delete them. I have also scanned with Spybot and malbytes and it found 12 results. It said it fixed them but they are still reappearing in the scan.

I can access all the websites via safe mode w/networking but my computer is still infected. What else can I try?

Turn off system restore, then scan in safe mode?
 
I have tried removing the suspicious ones in HijackThis in safe mode and somehow they keep reappearing, I cannot delete them. I have also scanned with Spybot and malbytes and it found 12 results. It said it fixed them but they are still reappearing in the scan.

I can access all the websites via safe mode w/networking but my computer is still infected. What else can I try?

If you can find the actual location of the files, try using the delete on reboot feature of hijackthis.
 
I have tried removing the suspicious ones in HijackThis in safe mode and somehow they keep reappearing, I cannot delete them. I have also scanned with Spybot and malbytes and it found 12 results. It said it fixed them but they are still reappearing in the scan.

I can access all the websites via safe mode w/networking but my computer is still infected. What else can I try?

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
I have tried everything you guys have suggested but still no luck. I have fixed a couple of issues but not all. I can access AV websites now but my folder options are still messed up and so is system performance. HouseCall scan finds about 80 problems, says I need to restart to fix problems, but never fixes. I can't install any anti-virus because some registry changes are denied when installing. What else can I try?
 
Start over or get a boot cd with tools on it then scan for root kits.
 
My laptop doesn't have a cd drive. Is there a link to download a Flash USB version?
 
2nd this. Just reinstall. Only way you're going to know you have a clean system.

I know but I cannot do this until I return to the States. I have 12 GB of pictures of my trip on this laptop and cannot lose the pictures. I already lost a few folders because some scan results thought my picture folder (newzealand) was a .exe virus and it wasn't. All my picture folders say they are 93.5 KB. I've backed up some pictures but not all. It's hard for me because I am traveling around the country.
 
I know but I cannot do this until I return to the States. I have 12 GB of pictures of my trip on this laptop and cannot lose the pictures. I already lost a few folders because some scan results thought my picture folder (newzealand) was a .exe virus and it wasn't. All my picture folders say they are 93.5 KB. I've backed up some pictures but not all. It's hard for me because I am traveling around the country.

Buy external hard drive?
 
Sorry about your problem. I clicked on this thread thinking you couldn't access AdultVideo sites.. lol
 
haha, that's pretty funny.

Bigger problem: ComboFix deleted explorer.exe, I think. Now I have to boot into safe mode to access Explorer since Task Manager is disabled in normal mode. Did a system restore to 3 days ago and Explorer came up just fine, then started up the computer again and bam, nothing.
 
I have been having issues with ComboFix recently, making the system do a stop 0x7b or 0x7e.

What exactly is happening now?

Malwarebytes should have cleaned up a lot of the nasty stuff.
If you can grab an external CD drive, I would try a repair install of Windows; if not, back up and format.
 
It's basically sluggish, no folder options, regedit and Task Manager disabled, can't upload photos because folders are coming up as .exes in the upload form.

I also do not have an XP Pro SP2 CD :(
 
OK, no offense to the people on here but you need a bit more advanced help. Check out a site like www.geekstogo.com, www.bleepingcomputer.com or www.spywareinfoforums.info and post in ONE of the above sites' malware removal subforums.

The certified helpers go through some REALLY rigorous training on not only how to remove all malware but also how to recover from problems that arise from using some of these programs.

sUBs, the maker of ComboFix, is a member of these forums and he often will offer direct help to the certified helpers when there is an exceptionally tricky problem.

Personally, I recommend geekstogo, because I tried going through their training but ran out of spare time to study. It was INTENSE, I can tell you that much.

EDIT: By the way, your infection is W32.Autosky, not Conficker as some suggested (just because it blocks AV sites doesn't mean it is Conficker; MANY infections now do that). All of the infected lines in your HJT log point to Autosky.
 