### Thread: My virus won't go away

1. No Profile Picture
Registered User
Devshed Newbie (0 - 499 posts)

Join Date
Feb 2013
Posts
8
Rep Power
0

#### My virus won't go away

I had 10 viruses a while ago and my antivirus found them, but my computer has never been the same since. I can only get my browsers to work for about half an hour and then I have to close and reopen it. Even when it is working, if I try and open a new tab they never load, so I can never click on links that open in a new window or tab. Is this to do with a virus?
Every day I got a popup saying Java Oracle America wanted to update, but when I did a scan they stopped. I deleted a quarantined tracking cookie from my antivirus the other day and as soon as I did this the update for Oracle America came back. Does this mean deleting it from quarantine brought the virus back? And what can I do about my browsers? It happens for both Internet Explorer and Google Chrome.
Thanks
2. No Profile Picture
Registered User
Devshed Newbie (0 - 499 posts)

Join Date
Feb 2013
Posts
3
Rep Power
0
Try running a malware program like Malwarebytes. After it is done, reboot and uninstall chrome. Reboot and then reinstall chrome and see if that helps.
3.
> Originally Posted by JMac618
> Try running a malware program like Malwarebytes. After it is done, reboot and uninstall chrome. Reboot and then reinstall chrome and see if that helps.

Tried it, it hasn't helped :/ Thanks for replying though.
4. Have you worked your way through the instructions in this thread?
http://forums.devshed.com/antivirus-...st-519852.html
5.
> Originally Posted by salem

Yep, lots of tracking cookies were found. I'm not sure how serious that is; either way I've deleted them. The main issue is that I can't open more than one tab or window at the same time. I can have the first window open in Google Chrome and another in Internet Explorer and they will both work for a while. But if I try and open an extra window or click a link in either one to open in a new tab, they only work half of the time.
6. Ok, so where is this part of the analysis?
> Step 5
>
> Now that you have all of the Above... And even if you THINK everything might be fixed please
>
> here
>
> Click "Scan", after click "Save Log".
> Save the log, and copy/paste this and all the above logs we have saved to a NEW THREAD by clicking the button.
>
> Due to forum restrictions you will have to edit out the URLs before posting logs.
>
> On the 6th post you will not have to edit your logs.

When you're editing URLs, be consistent about it, like say replacing "http://" with "http: //" (add a space)
7.
> Originally Posted by salem
> Ok, so where is this part of the analysis?
>
> When you're editing URLs, be consistent about it, like say replacing "http://" with "http: //" (add a space)

What do you mean? I just scanned it with the Malwarebytes and super spyware and the bit internet thing. The HijackThis thing didn't work because it said it is in a temporary file? And I haven't been saving the logs to post in a reply because I couldn't see that anyone else had done it. Do you think the HijackThis part will solve the browser issue?
8.
> Originally Posted by salem
> Ok, so where is this part of the analysis?
>
> When you're editing URLs, be consistent about it, like say replacing "http://" with "http: //" (add a space)

OK, I retried it and saved it somewhere else but it said:

> For some reason your system denied write access to the hosts file. If any hijacked domains are in this file, HijackThis may not be able to fix this.
> If that happens you need to edit the file yourself.
> You can do this by click start run notepad C:\Windows\System32\drivers\etc\hosts
> Press enter. Find the lines HijackThis reports and delete them. Save files as ‘hosts’ and reboot.

I had to type it out; it wouldn't let me copy and paste. But then typing into run notepad c windows etc stuff didn't work, and I have definitely typed it correctly so I'm not sure what's wrong. I can try and get access to logs for all the other stuff if I need it.
9. So post what you did manage to get out of hijackthis.

And if the malware has got at your hosts file, then you will need to edit it. A corrupted host file will mis-direct any web accesses you might be trying to make.
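
One way to check a hosts file for the misdirection described above, as an added example that is not part of the original thread. The sample file content is constructed (documentation addresses and example domains), and treating `localhost` as the only expected entry is an assumption.

```python
import ipaddress

# Assumption: a clean hosts file maps nothing except localhost to loopback.
DEFAULT_NAMES = {"localhost"}

# Constructed sample, not taken from the thread.
SAMPLE_HOSTS = """\
# sample hosts file
#
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example.com   # site sent to another server
127.0.0.1       update.example.net
not-an-ip       broken.example.org
"""

def audit_hosts(text):
    """Return (line_no, address, name, verdict) for each non-default mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # comments carry no mappings
        if not line:
            continue
        address, *names = line.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, " ".join(names), "malformed"))
            continue
        for name in (n.lower() for n in names):
            if ip.is_loopback and name in DEFAULT_NAMES:
                continue                          # expected default entry
            # Loopback or 0.0.0.0 makes the name unreachable; any other
            # address sends the browser to a server chosen by whoever
            # wrote the entry.
            local = ip.is_loopback or ip.is_unspecified
            findings.append((line_no, address, name,
                             "blocked" if local else "redirected"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(*finding, sep="\t")
```

On the machine itself, pass the function the text of `C:\Windows\System32\drivers\etc\hosts`; an empty result means the file holds only the default entries.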
10.
> Originally Posted by salem
> So post what you did manage to get out of hijackthis.
>
> And if the malware has got at your hosts file, then you will need to edit it. A corrupted host file will mis-direct any web accesses you might be trying to make.

Do you mean this stuff?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:11:24, on 02/03/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16464)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSD.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TalkTalk\Security\Common\FSM32.EXE
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_6_602_171_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://medion.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/?ocid=oa-skype
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\TalkTalk\Security\NRS\iescript\baselitmus.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\TalkTalk\Security\NRS\iescript\baselitmus.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe /FORPCEE3
O4 - HKLM\..\Run: [HotkeyApp] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [LMgrVolOSD] "C:\Program Files\Launch Manager\OSD.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [YouCam Mirror Tray icon] "C:\Program Files\CyberLink\YouCam\YouCamTray.exe" /s
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\TalkTalk\Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\TalkTalk\Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [EPSON SX210 Series] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIFDE.EXE /FU "C:\Windows\TEMP\E_S67DF.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: eBay.co.uk - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/710-72741-17534-1/4 (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: eBay.co.uk - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/710-72741-17534-1/4 (file missing) (HKCU)
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} (Bitdefender QuickScan Control) - http://quickscan.bitdefender.com/qsax/qsax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\TalkTalk\Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\TalkTalk\Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\TalkTalk\Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\TalkTalk\Security\ORSP Client\fsorsp.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: WisLMSvc - Wistron Corp. - C:\Program Files\Launch Manager\WisLMSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 10110 bytes

None of it means anything to me. Is there somewhere else I should be posting this though, like it tells me on the instructions?
11. The first thing I would suggest you do is un-install ONE of your virus scanners.

You have both Avast and F-Secure active at the same time.
C:\Program Files\TalkTalk\Security\Common\FSM32.EXE
C:\Program Files\AVAST Software\Avast\AvastUI.exe
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\TalkTalk\Security\NRS\iescript\baselitmus.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\TalkTalk\Security\NRS\iescript\baselitmus.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\TalkTalk\Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\TalkTalk\Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\TalkTalk\Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\TalkTalk\Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\TalkTalk\Security\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\TalkTalk\Security\ORSP Client\fsorsp.exe

Virus scanners rarely play nice with one another, as each often views the other as a threat (because of all the messy things they have to do as a scanner to begin with).

If it is, then I would suggest you uninstall the avast scanner.
If you're using some other ISP now (and TalkTalk is old and out of date), then I would keep the Avast and uninstall F-Secure.

With regard to your hosts file, it should look like one of these examples
If it has lots of other entries listing your popular websites, then it needs to be cleaned up. The Microsoft tool on the link posted should do this job for you.

When you first start the machine, is there a LOT of disk activity, which goes on for a long time?
If there is, you may have "scan at startup" selected, which will keep your machine busy (and your user experience poor) for some time.
If you can, leave the machine on for an hour or so and see if it settles down to normal operation.
If there is a scan at startup, it can be turned off usually.
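
The two-scanner overlap picked out of the log above can also be found mechanically. This is an added example, not part of the original thread: it reads HijackThis entries (sample lines excerpted from the log posted in this thread) and reports products that have both an autostart (O4) and a service (O23) entry. The vendor marker table and the O4-plus-O23 rule are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Assumed markers, taken from names and paths visible in the thread's log.
AV_MARKERS = {
    "Avast": ("avast",),
    "F-Secure (TalkTalk)": ("f-secure", r"\talktalk\security"),
}

# HijackThis entries look like "O23 - Service: ..." or "R1 - HKCU\...".
ENTRY = re.compile(r"^([ORF]\d+) - (.*)$")

# Excerpt of the log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\TalkTalk\Security\NRS\iescript\baselitmus.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\TalkTalk\Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\TalkTalk\Security\Common\FSMA32.EXE
"""

def av_footprint(log_text):
    """Map each known product to {section code: number of matching entries}."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue                      # header, process list, blank line
        section, body = match.group(1), match.group(2).lower()
        for product, markers in AV_MARKERS.items():
            if any(marker in body for marker in markers):
                seen[product][section] += 1
    return {product: dict(sections) for product, sections in seen.items()}

def resident_scanners(log_text):
    """Products that start with Windows (O4) and also run a service (O23)."""
    footprint = av_footprint(log_text)
    return sorted(p for p, s in footprint.items() if "O4" in s and "O23" in s)

if __name__ == "__main__":
    active = resident_scanners(SAMPLE_LOG)
    print("resident scanners:", ", ".join(active))
    if len(active) > 1:
        print("more than one resident scanner: remove all but one")
```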
12.
> Originally Posted by salem
> The first thing I would suggest you do is un-install ONE of your virus scanners.
>
> You have both Avast and F-Secure active at the same time.
> Virus scanners rarely play nice with one another, as each often views the other as a threat (because of all the messy things they have to do as a scanner to begin with).
>
> If it is, then I would suggest you uninstall the avast scanner.
> If you're using some other ISP now (and TalkTalk is old and out of date), then I would keep the Avast and uninstall F-Secure.
>
> With regard to your hosts file, it should look like one of these examples
> If it has lots of other entries listing your popular websites, then it needs to be cleaned up. The Microsoft tool on the link posted should do this job for you.
>
> When you first start the machine, is there a LOT of disk activity, which goes on for a long time?
> If there is, you may have "scan at startup" selected, which will keep your machine busy (and your user experience poor) for some time.
> If you can, leave the machine on for an hour or so and see if it settles down to normal operation.
> If there is a scan at startup, it can be turned off usually.

TalkTalk is my ISP at home. I'm currently in uni halls but I know the software is up to date. I know my browser issue is nothing to do with a bad internet connection too because nobody in my halls has it.
I know the antiviruses aren't causing the browser issues either because it happened before I downloaded Avast. My TalkTalk antivirus was playing up, it would scan for about a minute and then it would stop after only checking about 800 files and it would say nothing was found. That's why I got Avast. So I am not sure which to remove because Avast is probably working better.
I did the cleaning thing with the Microsoft tool, not sure what it's done but it's not made a difference.
There's definitely no scan at startup. I can be on my computer for hours anyway and still the browsers will play up and I have to close and reopen them. I don't think it is a virus doing it anymore though, I've done so many scans it must be super clean! I should probably just get a new laptop.
Thanks for helping me though if you don't have any more suggestions.

13. Have a good read through all the pinned topics here
It's a busy site, so pay attention to the forum rules and above all be patient. These are run by knowledgeable volunteers working for free.

> Is there somewhere else i should be posting this though like it tells me on the instructions?
Yes, there will be a "home" site which will be able to tell you all about the logs. I've used hijackthis in the past, but am no expert on its use. The two virus scanner issue was easy enough to spot, but there could be other things.

Picking up on what some of the bleepingcomputer.com tutorials mention, you do have a lot of background services running.
When the system goes busy, you could try running task manager
Depending on which OS version you have, you may have to click some options, you should be able to find something like the picture where you have columns labelled "CPU" and "Mem Usage". Processes taking a lot of time / memory will have large numbers - the more active the machine is, the less responsive it will be to your actions.
14.
I tried everything possible and none of it seemed to work, so I had been dealing with it for a while. Last week I turned my laptop on and it was working fine. I hadn't done anything special, it has magically fixed itself! I don't know if it was any of the antivirus things I was told to do; if it was, they took a long time to kick in. The super antispyware still picks something up every time I do a scan and my TalkTalk antivirus still only scans for 30 seconds before turning off, but the browsers being fixed is good enough for me.
Thanks for solutions everyone, I don't know how to close the thread.
15. No Profile Picture
Registered User
Devshed Newbie (0 - 499 posts)

Join Date
Apr 2013
Posts
1
Rep Power
0
It could be your firewalls and email filters aren't always particularly fond of emails that contain links, images, attachments. Even email filters sometimes trigger. Try writing a plain email with no attachment.