
View Full Version : Weird AVG pop up notices



Amit
January 2nd, 2009, 02:11 PM
So I think malware has gotten onto my computer: AVG occasionally displays multiple pop-up warnings all at once, and they point to svchost.exe. This only started occurring about 20 minutes ago.

I'll get some pics when it happens next.

Here's my Hijack This log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:44 PM, on 02/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\brsvc01a.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\brss01a.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PnkBstrB.exe
E:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
E:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
E:\PROGRA~1\AVG\AVG8\avgam.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgnsx.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
E:\WINDOWS\RTHDCPL.EXE
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
E:\Program Files\Pure Networks\Network Magic\nmapp.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\Microsoft IntelliPoint\ipoint.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Windows Live\Messenger\msnmsgr.exe
E:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
E:\Program Files\StickyNote\StickyNote.exe
E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Windows Live\Messenger\usnsvc.exe
E:\Documents and Settings\Amit\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nmctxth] "E:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "E:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [LogonStudio] "E:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "E:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [prunnet] "E:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [c8297fd4] rundll32.exe "E:\WINDOWS\system32\upjocneh.dll",b
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] E:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [prunnet] "E:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Policies\Explorer\Run: [Tfn4gK4PKE] E:\Documents and Settings\All Users\Application Data\mjynohix\arshqfmj.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = E:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Sticky Note.lnk = E:\Program Files\StickyNote\StickyNote.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - E:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - E:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll,wbsys.dll foaswg.dll
O21 - SSODL: syshlpact - {1501D121-B389-63DE-4639-00FD741FAE08} - E:\Program Files\ordbfkf\syshlpact.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Unknown owner - E:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - E:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - E:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - E:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - E:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - E:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Turbine Message Service - Soundtrack (SoundtrackTurbineMessageService) - Turbine, Inc. - E:\Program Files\Turbine\Turbine Download Manager - Soundtrack\TurbineMessageService.exe
O23 - Service: Turbine Network Service - Soundtrack (SoundtrackTurbineNetworkService) - Turbine, Inc. - E:\Program Files\Turbine\Turbine Download Manager - Soundtrack\TurbineNetworkService.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - E:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
O24 - Desktop Component 0: (no name) - E:\Documents and Settings\Amit\My Documents\My Videos\DreamHTML.htm

--
End of file - 9578 bytes

Jelly
January 2nd, 2009, 02:29 PM
From a quick Google search, it looks like the prunnet.exe entry:
O4 - HKCU\..\Run: [prunnet] "E:\WINDOWS\system32\prunnet.exe"

is some form of pop-up-causing malware. Try running Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam.php) to see if it can pick up and remove the infection.

If Malwarebytes is unable to run, try using a good online scanner; my personal recommendations are either the Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) or Trend Micro HouseCall (http://housecall.trendmicro.com/). Both of these require Internet Explorer and will ask to install a couple of ActiveX components.

Saggy
January 2nd, 2009, 05:08 PM
That is the same virus/trojan thing me and Hunter got. Weird. My McAfee got rid of it though. Have you ever experienced explorer.exe closing randomly?

Syuusuke
January 2nd, 2009, 06:57 PM
Courtesy of Kalub...

http://hjt.networktechs.com/

Use this to find out what's bad. It's not always right, but it's damn well useful.
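For the case where the online parser is unavailable, here is a small offline triage script for the HijackThis log format posted above. It is an added example, not part of this thread or of the networktechs parser; the sample lines are copied from Amit's log, the prunnet name comes from Jelly's reply, and the other rules (orphaned entries, random-looking names, uncommon autostart locations, AppInit_DLLs and SSODL entries) are noisy heuristics that mark lines for a human to review, not verdicts.

```python
import re

# Subset of lines copied from the HijackThis log above (constructed sample for the demo).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [prunnet] "E:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [c8297fd4] rundll32.exe "E:\WINDOWS\system32\upjocneh.dll",b
O4 - HKLM\..\Policies\Explorer\Run: [Tfn4gK4PKE] E:\Documents and Settings\All Users\Application Data\mjynohix\arshqfmj.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O20 - AppInit_DLLs: avgrsstx.dll,wbsys.dll foaswg.dll
O21 - SSODL: syshlpact - {1501D121-B389-63DE-4639-00FD741FAE08} - E:\Program Files\ordbfkf\syshlpact.dll
"""

KNOWN_BAD_NAMES = {"prunnet"}  # the one name this thread identified as pop-up malware

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', re.IGNORECASE)

def looks_random(token):
    """Heuristic (assumption): 8 hex chars, or 8+ letters with almost no vowels."""
    t = token.lower()
    if re.fullmatch(r"[0-9a-f]{8}", t):
        return True
    letters = re.sub(r"[^a-z]", "", t)
    if len(letters) < 8:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.15

def triage_line(line):
    """Return the reasons a human should look at this line (empty list = nothing noted)."""
    reasons = []
    if "(file missing)" in line:
        reasons.append("orphaned entry: target file missing")
    m = O4_RE.match(line)
    if m:
        key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
        paths = PATH_RE.findall(cmd)
        stems = [p.rsplit("\\", 1)[-1].rsplit(".", 1)[0] for p in paths]
        parents = [p.rsplit("\\", 2)[-2] for p in paths if p.count("\\") >= 2]
        if name.lower() in KNOWN_BAD_NAMES or any(s.lower() in KNOWN_BAD_NAMES for s in stems):
            reasons.append("name identified as pop-up malware in the thread")
        if any(looks_random(x) for x in [name] + stems + parents):
            reasons.append("random-looking value name or file/directory name")
        if "Policies\\Explorer\\Run" in key:
            reasons.append("policy Run key (uncommon autostart location)")
        if any("application data" in p.lower() for p in paths):
            reasons.append("autostart from user-writable Application Data")
        if cmd.lower().startswith("rundll32"):
            reasons.append("rundll32 loading a DLL at logon")
    elif line.startswith("O20 - AppInit_DLLs:"):
        dlls = [d for d in re.split(r"[,\s]+", line.split(":", 1)[1].strip()) if d]
        reasons.append("AppInit_DLLs loads into every process that uses user32; review: " + ", ".join(dlls))
    elif line.startswith("O21 - SSODL:"):
        reasons.append("shell service object loaded by Explorer at logon; confirm publisher")
    return reasons

def triage_log(text):
    """Map each flagged log line to its list of reasons."""
    flagged = {}
    for ln in text.splitlines():
        reasons = triage_line(ln)
        if reasons:
            flagged[ln] = reasons
    return flagged

if __name__ == "__main__":
    for ln, reasons in triage_log(SAMPLE_LOG).items():
        print(ln)
        for r in reasons:
            print("   ->", r)
```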

Phopojijo
January 2nd, 2009, 07:16 PM
That is the same virus/trojan thing me and Hunter got. Weird. My McAfee got rid of it though. Have you ever experienced explorer.exe closing randomly?
You can never be 100% sure of that.

Saggy
January 2nd, 2009, 07:32 PM
You can never be 100% sure of that.
I'm about 99% sure. I've done plenty of tests and scans and none of them found any traces of it.

Phopojijo
January 2nd, 2009, 09:26 PM
Oh you might be sure to within your own certainty... however if... for instance... there's a rootkit on the system... whenever the virus scanner asks Windows for a file that's infected with the rootkit (or the rootkit itself)... the rootkit could tell Windows to report the file as what it SHOULD be, not what it is.

Likely? Not really... but possible (and been done).

Saggy
January 2nd, 2009, 10:33 PM
Oh you might be sure to within your own certainty... however if... for instance... there's a rootkit on the system... whenever the virus scanner asks Windows for a file that's infected with the rootkit (or the rootkit itself)... the rootkit could tell Windows to report the file as what it SHOULD be, not what it is.

Likely? Not really... but possible (and been done).
Yeah, most likely. I have a bunch of svchost.exe open in task manager and some of them take up ~100K of my resources. Not much I can really do about it (read: cba to do anything about it)

Amit
January 3rd, 2009, 01:34 AM
Thanks for the replies guys.


That is the same virus/trojan thing me and Hunter got. Weird. My McAfee got rid of it though. Have you ever experienced explorer.exe closing randomly?

No random explorer.exe crashes, thank god.


From a quick Google search, it looks like the prunnet.exe entry:
O4 - HKCU\..\Run: [prunnet] "E:\WINDOWS\system32\prunnet.exe"

is some form of pop-up-causing malware. Try running Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam.php) to see if it can pick up and remove the infection.

If Malwarebytes is unable to run, try using a good online scanner; my personal recommendations are either the Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) or Trend Micro HouseCall (http://housecall.trendmicro.com/). Both of these require Internet Explorer and will ask to install a couple of ActiveX components.

I'm running a Hard Drive specific scan right now, if AVG does not detect the problem I'll scan the other partitions and HDDs on my computer or try the other scanners.

Courtesy of Kalub...

http://hjt.networktechs.com/

Use this to find out what's bad. It's not always right, but it's damn well useful.

Parser is not working for me. I put the log in and click parse but the new page only has the legend of threat.

Donut
January 3rd, 2009, 07:12 PM
That is the same virus/trojan thing me and Hunter got. Weird. My McAfee got rid of it though. Have you ever experienced explorer.exe closing randomly?
wait, are you talking about this virus hunter got?
http://www.modacity.net/forums/showthread.php?t=13513

Saggy
January 3rd, 2009, 08:10 PM
wait, are you talking about this virus hunter got?
http://www.modacity.net/forums/showthread.php?t=13513
Yeah, except I was lucky enough not to have the same amount of problems like he did.

Donut
January 3rd, 2009, 08:29 PM
OK. Installing the Malwarebytes anti-malware thing because I don't want issues with my computer. God, that would suck: going back to school 2 weeks before midterms with a malfunctioning computer to study from.
It's happened before.

Amit
January 3rd, 2009, 09:49 PM
Aight, so I let AVG run for about 5 hours scanning my entire computer. Everything bad came out of my main partition, the E drive. So I went to the vault and deleted all the shit, and my computer has been running for another 6 hours with no problem and two user-induced restarts, so I gather that my computer is working well with minimal to no malware or viruses for now.

Jelly
January 4th, 2009, 04:55 AM
Alright, good to see AVG was able to clear it up.

Amit
January 4th, 2009, 10:30 AM
Hmm, there seems to be one more problem. I got rid of the AVG warnings and things are fine, although when I'm using Firefox I seem to get random new windows opening with ads. I'll run another scan today and see what shows up.

Also, I'm trying to get onto the Kaspersky website to see how much it costs and if it comes with multiple licenses per purchase, but the website seems to be down.

Jelly
January 4th, 2009, 12:59 PM
The site isn't down; that may be a symptom of a remaining infection.

Are you able to access any of the following sites:

http://www.bleepingcomputer.com/
http://www.malwarebytes.org/
http://www.safer-networking.org/en/home/index.html

Also check your hosts file for any odd entries (C:\WINDOWS\system32\drivers\etc\hosts - Open with Notepad). There should, by default, be only one entry beneath the introduction text:

127.0.0.1 localhost
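The hosts-file check described above, as an added example that is not part of the thread: it parses a hosts file and reports every entry beyond the XP default, distinguishing hostnames sinkholed to loopback (which makes a site look "down", the symptom reported here) from hostnames pinned to some other address. The sample file is constructed for the demo and is not Amit's (his had only the localhost line); note that on this machine the system drive is E:, so the real path would be E:\WINDOWS\system32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not the one from this thread).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org        # sinkholed: browser reports the site as unreachable
127.0.0.1       www.bleepingcomputer.com
192.0.2.10      www.kaspersky.com           # pinned to an attacker-chosen address (TEST-NET range used here)
"""

# Default content of the Windows XP hosts file: a single loopback entry.
EXPECTED = {("127.0.0.1", "localhost")}

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        parts = line.split()                      # one IP followed by one or more names
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries

def audit_hosts(text):
    """Return (ip, hostname, reason) for every entry that is not the XP default."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in EXPECTED:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback:
            findings.append((ip, name, "sinkholed to loopback: site will appear down"))
        else:
            findings.append((ip, name, "pinned to a fixed address: possible redirection"))
    return findings

if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:<16}{name:<30}{reason}")
```

To run it against a real file, read the hosts file's text and pass it to audit_hosts(); an empty result means only the default localhost line is present.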

Amit
January 4th, 2009, 02:50 PM
The site isn't down; that may be a symptom of a remaining infection.

Are you able to access any of the following sites:

http://www.bleepingcomputer.com/
http://www.malwarebytes.org/
http://www.safer-networking.org/en/home/index.html

Also check your hosts file for any odd entries (C:\WINDOWS\system32\drivers\etc\hosts - Open with Notepad). There should, by default, be only one entry beneath the introduction text:

127.0.0.1 localhost

Jelly, you're on to something. I have no access to those sites or any other virus protection website. I get the "Page Not Found" error. I can get to PandaSecurity.com, which is what I used before AVG and worked well, only there were so many damn annoying pop-ups from the program itself. I think the following URL is a phishing site. It sure as hell feels like it:

http://www.virus-protection-2009.com/default.asp?PID=e0c3fb23-0cee-4f09-ae07-d38f69466c8f&gclid=CJyc0Jzn9ZcCFRJxxwodDlNhDw

I checked my host file with notepad and the 127.0.0.1 localhost is the only entry, so I think we're good with that. Also, AVG failed to find any other threats. It may also be worth noting that the random pop-ups have to do with google searches, but may not be limited to google searches.

Saggy
January 4th, 2009, 03:15 PM
Can you post a screenshot of what's running in your task manager?

Amit
January 4th, 2009, 04:06 PM
Can you post a screenshot of what's running in your task manager?

http://img356.imageshack.us/img356/1631/20251892so3.jpg

Saggy
January 4th, 2009, 04:40 PM
Nothing looks out of the ordinary. Are you able to connect to the internet with AVG and update it?

Also, try having a look at this thread (http://www.techtalkz.com/computer-security/515329-cannot-access-antivirus-sites-google-avast-etc.html).

Amit
January 4th, 2009, 05:58 PM
Nothing looks out of the ordinary. Are you able to connect to the internet with AVG and update it?

Also, try having a look at this thread (http://www.techtalkz.com/computer-security/515329-cannot-access-antivirus-sites-google-avast-etc.html).

Yes, I can update. The last updated set of signatures was today at 4:36 PM EST. So it works.