WiredWX Christian Hobby Weather Tools
help, I think I have a virus :(
Here is the log as requested. My PC has slowed a lot and I have found malware called Vanbot plus other things like trojans, which I have removed with Spybot S&D. I have Avast installed etc. but the PC is definitely acting odd atm. I keep getting program crashes and the PC is taking longer to turn off, even though I have removed some large programs like games etc. to try and help.
What's going on :S Oh yeah, also Windows Automatic Updates has been turned off and no matter what I do I can't turn it back on!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:15:01, on 01/01/2004
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ovkvzt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Denis\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?.intl=uk&.src=ym&.done=http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] ovkvzt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [30c9655f] rundll32.exe "C:\WINDOWS\system32\mxdcotdd.dll",b
O4 - HKLM\..\RunServices: [Microsoft Update Machine] ovkvzt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus D92 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZE.EXE /FU "C:\WINDOWS\TEMP\E_SD7.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Microsoft Update Machine] ovkvzt.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC67772E-FD22-4A2C-AD7B-C53F6FC3898A}: NameServer = 212.159.6.10,212.159.6.9
O20 - AppInit_DLLs: lukion.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

--
End of file - 5980 bytes
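The log above is the only technical artefact in the thread, and the staff verdict later on (a backdoor bot plus Vundo) rests on a handful of its lines. The Python below is an added example for this thread; it is not HijackThis code and not anything the forum staff posted. It parses the O4 and O20 lines of an HJT log and applies the same defender heuristics a reviewer applies by eye: an autostart command with no path, the Windows 9x RunServices key being written on XP, a rundll32 loader registered under a hex-string value name, one file registered both machine-wide and per-user, and a non-empty AppInit_DLLs value. The sample lines are copied verbatim from the posted log; the rule wording and thresholds are assumptions of the example, meant to rank lines for review rather than to pronounce on them.

```python
"""Autostart triage for a HijackThis (HJT) log. Added example for this thread,
not HijackThis code; the sample lines are copied from the log posted above and
the rules are heuristics for choosing which lines to look at first."""
import re
from collections import defaultdict

# Constructed sample: a verbatim subset of the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ovkvzt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] ovkvzt.exe
O4 - HKLM\..\Run: [30c9655f] rundll32.exe "C:\WINDOWS\system32\mxdcotdd.dll",b
O4 - HKLM\..\RunServices: [Microsoft Update Machine] ovkvzt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] ovkvzt.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O20 - AppInit_DLLs: lukion.dll
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# "HKUS\S-1-5-18\..\Run: [name] command (User 'SYSTEM')" -> hive, key, name, command
O4_REGISTRY = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
                         r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O4_STARTUP = re.compile(r"^Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
DLL_ARG = re.compile(r'"?([^",]+?\.dll)"?', re.IGNORECASE)   # DLL passed to rundll32
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)       # value names like 30c9655f

def parse_log(text):
    """Return (running_process_paths, [(code, body), ...]) from HJT log text."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m["code"], m["body"]))
    return processes, entries

def parse_autostart(body):
    """Split an O4 body into (location, value name, command line), or None."""
    m = O4_REGISTRY.match(body)
    if m:
        return f"{m['hive']}\\{m['key']}", m["name"], m["cmd"]
    m = O4_STARTUP.match(body)
    if m:
        return "Global Startup", m["name"], m["cmd"]
    return None

def first_token(cmd):
    """The program part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def loaded_image(cmd):
    """The file whose code actually runs: the DLL on a rundll32 line, else the program."""
    program = first_token(cmd)
    if basename(program) == "rundll32.exe":
        m = DLL_ARG.search(cmd)
        if m:
            return m.group(1)
    return program

def triage(text):
    """Map each autostart line that trips a rule to the list of reasons it tripped."""
    processes, entries = parse_log(text)
    running = {basename(p) for p in processes}
    autostarts = [a for code, body in entries if code == "O4"
                  for a in [parse_autostart(body)] if a]
    # Scopes each image is registered in: HKLM is machine-wide, the rest per-user.
    scopes = defaultdict(set)
    for loc, _, cmd in autostarts:
        scopes[basename(loaded_image(cmd))].add("machine" if loc.startswith("HKLM") else "user")
    findings = {}
    for loc, name, cmd in autostarts:
        image, reasons = loaded_image(cmd), []
        if "\\" not in image:
            reasons.append("no path given; installed software almost always registers a full path")
        if basename(loc) == "runservices":
            reasons.append("RunServices is a Windows 9x key that XP does not process; "
                           "writing it anyway is a sign of blanket persistence")
        if basename(first_token(cmd)) == "rundll32.exe" and HEX_NAME.match(name):
            reasons.append("rundll32 loader registered under a hex-string value name")
        if len(scopes[basename(image)]) > 1:
            reasons.append("registered both machine-wide and per-user; installers pick one")
        if reasons and basename(image) in running:   # corroborate with the process list
            reasons.append("a process of this name is currently running")
        if reasons:
            findings[f"{loc}: [{name}] {cmd}"] = reasons
    for code, body in entries:
        key, _, value = body.partition(":")
        if code == "O20" and key == "AppInit_DLLs" and value.strip():
            findings[f"O20 - {body}"] = ["AppInit_DLLs is set: Windows loads this DLL into "
                                         "every process that uses user32.dll"]
    return findings

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, *("   - " + r for r in reasons), sep="\n")
```

Run against the sample, the four lines a reviewer would circle come out flagged (the three `ovkvzt.exe` entries, the `rundll32.exe` loader with its hex value name, and the AppInit_DLLs line), while `avast!`, the per-user `CTFMON.EXE` copies and the HotSync shortcut stay quiet. The machine-versus-user scope rule is what keeps the legitimate `ctfmon.exe` duplicates out of the result: XP registers it once per user profile, all in user scope, whereas the bot wrote itself into HKLM and HKCU alike.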

Re: help, I think I have a virus :(
Can't get an uninstall list for you to see because it doesn't show me where it is saving the list to; it's not on the desktop!

And now I am getting this every time I try and log in to BT Yahoo and read my emails through Internet Explorer:

There is a problem with this website's security certificate.


The security certificate presented by this website has expired or is not yet valid.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
More information


If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.
If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see "Certificate Errors" in Internet Explorer Help.

Re: help, I think I have a virus :(
Hello, thank you for having patience. Smile...

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: help, I think I have a virus :(

I now have a CMOS error on startup and the whole system freezes/crashes at the desktop. I think my CMOS battery is OK, so how can I fix it please? (I did a complete reformat and fresh install with Windows XP SP2.)

Re: help, I think I have a virus :(
Remove the battery on the motherboard for a few seconds, and put it back in.
This might reset the settings itself and correct it.


Re: help, I think I have a virus :(

Did that, it's still not working! What else can I try? Thx

Re: help, I think I have a virus :(

How old is this machine? I'm not certain of it, but the battery dying on its own is a possibility.


Re: help, I think I have a virus :(

It's about 3 or 4 years old. Would my desktop and everything crash like this if it were the battery dead though, IYO?

Re: help, I think I have a virus :(

If the computer was turned off while it was still running, there is a possibility of corrupting the CMOS. Ensure that the computer is properly turned off before disconnecting power cords or switches.

If you have recently flashed your BIOS, the values stored in CMOS may have been reset. Enter CMOS setup and re-enter all the appropriate values.

............................................................................................

Please be a GeekPolice fan on Facebook!


Have we helped you? Help us! | Doctor by day, ninja by night.

Re: help, I think I have a virus :(

Hello Doc. Goofy

DaShiner,
I've talked to someone; he says just enter the BIOS, don't change anything, and save the settings, even without any changes.

See what happens.


Re: help, I think I have a virus :(

Ahh, I'd already changed it in there and saved settings before I read this post. Sad tearing
So do you think it could be just a simple case of "dead battery" that would cause the error and the crashes?

Re: help, I think I have a virus :(
It is possible.
If you can change the battery and backup your settings, then go for it.


Re: help, I think I have a virus :(

OK, I will try that and see if it works. LOL, I live in the countryside so I'm gonna have to buy a battery worth bugger all from the nearest shop, which is miles away. Ahh well, hope it sorts it out ;)

Re: help, I think I have a virus :(

I put the new battery in and the only difference is that the clock keeps the right time on the desktop now, which it didn't while all this nightmare has been going on.
I'm really p'd off now, been trying to sort this all day with no luck. I just did ANOTHER install of Windows hoping it would do something but no change. I can't download Microsoft updates or .NET FX and ATI drivers. I can download other progs such as anti-spyware and things like that while in safe mode, but it's still crashing in normal mode.

Re: help, I think I have a virus :(

This is probably a hardware issue now.

Is the crashing because of the CPU overheating?
Take the case off and clean any dust off the hardware. And how much RAM does this machine have?


Re: help, I think I have a virus :(

It's pretty clean inside atm and as far as I could see the CPU temp looked 50ish degrees C

I've got 1 gig of RAM

Re: help, I think I have a virus :(

It's pretty clean inside and as far as I could see in the settings the CPU was around 50ish degrees C

I have 1 gig RAM installed
and in case it helps:

MS Windows version 2002 SP2
AMD Athlon 64-bit processor 3200+ 2.01 GHz
My mobo is a Foxconn WinFast CK804K8MA (socket 939 I believe)

Re: help, I think I have a virus :(
50c is quite high.
If this is another BIOS problem, I don't know what to suggest with every BIOS being different.

I think your CPU may have had it. Either your heatsink is giving up or you need new heatpaste.

I'll see what a colleague thinks of this.


Re: help, I think I have a virus :(

CPU is pretty clean and is Athlon 64 3200+ 2 GHz
1 gig RAM
Foxconn WinFast CK804K8MA mobo

Re: help, I think I have a virus :(
Belahzur wrote:
50c is quite high.
If this is another BIOS problem, I don't know what to suggest with every BIOS being different.

I think your CPU may have had it. Either your heatsink is giving up or you need new heatpaste.

I'll see what a colleague thinks of this.
Sorry for all the posts, I didn't think some had worked so typed it again. Thanks for all this help, I hope it's an easier fix than a new CPU Sad tearing lol

Re: help, I think I have a virus :(
We'll see.
I've PM'd our hardware tech, he'll post here soon.


Re: help, I think I have a virus :(

It's cool now! Turned out my C: drive was knackered; replaced now and all is good. Thanks for your help guys, this is a very handy place. I'd never even heard of HijackThis before I came here, and the fact that we can use it and post the info on here for someone that knows what they are doing is amazing to me. Thanks again ;)

Re: help, I think I have a virus :(

Yes, HijackThis is a very handy tool. Wink
Glad you fixed it. Smile...


Re: help, I think I have a virus :(

I'm sure I'll be back soon lol
Was it probably that virus that killed my HDD, you think? I've heard that can happen, is it true?

Re: help, I think I have a virus :(

Feel free to visit this forum anytime you like, just don't be back in the malware removal section. Goofy
Malware does damage that can't always be undone, but I can't see any purpose a malware writer gets from killing a HDD.
The infection you had was quite nasty: a backdoor bot that steals personal info, plus some Vundo adware infection.


Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. Big Grin


Re: help, I think I have a virus :(

Thanks. I've got most of those progs anyway and I do auto updates and just about everything you mentioned, but it just proves they can still slip in sometimes lol. Thx again for your help. ;)

Re: help, I think I have a virus :(
Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
