#1
Right, I don't know where to start. I have a problem with pop-ups saying I'm infected and my Windows registry is faulty. I bought software for that, but it is still saying I have problems. I have virus software. I have defragged it and done various virus scans, and when I boot it up it won't boot; I have to keep my finger on the reset on the tower. SO DOES ANYONE KNOW WHAT CAN HELP ME PLEASE?

#2
When does the pop-up come up? As soon as you've turned it on or when you open an application?

#3
Moved to Virus, spyware & security forum.

Can you get online with the infected computer? If so, follow these instructions.

The instructions in this thread are for antbann only. Do not attempt to run any of these fixes on a non infected computer as it may cause damage.

1. Please download Combofix by sUBs. Place it on your Desktop. combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Combofix will create a backup to anything removed in C:\qoovox

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Post back here if you need any help.

Last edited by evilfantasy : 30-10-2007 at 05:03 PM.

#4
Last edited by evilfantasy : 30-10-2007 at 06:43 PM.

#5
Please see Guide For Attaching Logs To A Post and add the rest of the requested logs as attachments.

Also see Malware Removal: Temporarily Disable Real Time Monitoring Programs, and turn off any of the programs listed. After Malware Removal is complete, you should reactivate these protective programs.
============
Download RogueRemover Free from FileForum and let it clean anything it finds.

You are using Rogue cleaners. We will get you set up with free trustworthy programs when cleaning is complete.
============
Download HijackThis to your desktop.
Double-click on the file you just downloaded.
Click on the "Install" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
Please do not change the default install location.
Upon install, HijackThis should open for you. Now close HijackThis to rename it to analyze.

Important: Rename the Hijackthis.exe file to analyze.exe. This is important because some forms of malware can hide from HijackThis.
Right click the HijackThis.exe file in C:\Program Files\Trend Micro\HijackThis
Choose Rename. Type in analyze and press the enter key.
Right click the analyze.exe file and send to desktop to create a shortcut.

Next click on the "Do a system scan and save a log file" button.
HijackThis will scan and then a log will open in notepad.
In the top left of the notepad window click "File" > "Save As", name it hijackthis and then save it to the Desktop.
Please save the log as a text (.txt) file.
In your post, add the log as an Attachment.

* Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
** Don't use the Analyse This button. Its findings are dangerous if misinterpreted.

Guide For Attaching Logs To A Post
============
How To Create An Uninstall List
1. Start HijackThis
2. Click on the Misc Tools button
3. Click on the Open Uninstall Manager button.
4. Click on the Save list button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file.
5. Save it to your desktop.
6. Add the uninstall_list.txt as an attachment in the next post.
============
Items needed in the next post:
HijackThis log
Uninstall_List.txt log
Please add them as attachments.

#6
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:08:37, on 30/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

#7
Download this tool and save it to your desktop. Only use it if your internet connection is broken due to any of these fixes.
XP TCP/IP Repair http://www.xp-smoker.com/freeware.html
===============
Go to add/remove programs and uninstall:
Error Repair Professional 3.55 <----------If not a paid version
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
LiveUpdate 3.0 (Symantec Corporation) <------If there are problems use the Norton Removal Tool

We will install the new version of Java when malware removal is done.
===============
Open HijackThis and select Do a system scan only
Place a check mark next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.moneysavingexpert.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll <-----If it is there
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll <-----If it is there
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D3D0EC7-51D8-414D-81B8-BB319A5A73C4}: NameServer = 85.255.116.71,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{756D380B-3D9C-47C1-805B-45715F1883DC}: NameServer = 85.255.116.71,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\..\{9885F20C-F443-46DB-8C41-816DF80D07E0}: NameServer = 85.255.116.71,85.255.112.63
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.71 85.255.112.63
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.71 85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.71 85.255.112.63
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe <-----If it is there
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE <-----If it is there

Close all other windows except HijackThis, and hit Fix Checked
===============
Run ATF Cleaner by Atribune
Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only
Restart The Computer
===============
Next follow the directions in This Post
===============
In the next post include:
AVG Antispyware log
Fresh/New HijackThis log
As attachments.

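An added example, not part of the original thread or any poster's own code: a Python check that pulls the O17 NameServer values out of a HijackThis log and reports every DNS resolver outside the networks you expect, covering both value layouts that appear in the entries listed above. The function name, the 192.168.1.0/24 trusted network and the 192.168.1.1 sample line are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample. The 85.255.x.x values and registry key layouts are the
# O17 lines quoted in the thread; the 192.168.1.1 line is made up.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D3D0EC7-51D8-414D-81B8-BB319A5A73C4}: NameServer = 85.255.116.71,85.255.112.63
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.71 85.255.112.63
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# Registry key, then the value list. The thread shows both comma-separated
# and space-separated value lists, so both are accepted below.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def unexpected_resolvers(log_text, trusted_networks):
    """Return (registry_key, value) pairs for O17 resolvers outside trusted_networks."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue  # not an O17 NameServer entry
        for token in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                # Not a single valid address (e.g. two run together): report raw.
                findings.append((m.group("key"), token))
                continue
            if not any(ip in net for net in trusted):
                findings.append((m.group("key"), str(ip)))
    return findings


if __name__ == "__main__":
    # Assumption: the LAN router in 192.168.1.0/24 is the only expected resolver.
    for key, value in unexpected_resolvers(SAMPLE_LOG, ["192.168.1.0/24"]):
        print(f"unexpected DNS server {value} in {key}")
```
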
#8
Another problem I have: when I turn on my computer it won't boot; I have to keep my finger on the reset button for the system to boot. Any ideas?

#9
I need to see the logs to determine if anything is still there. Do you have your Windows CD?

#10
No, I don't. I have only had my computer 10 months; when I bought it new I never got a Windows CD. Is there any way I could get one? I think it's something to do with the Windows registry; I haven't a clue what they are.

Last edited by evilfantasy : 31-10-2007 at 04:56 PM.

#11
You will have to contact the computer manufacturer for a Windows CD. All you need is a few bucks and the serial number of the PC.

The HijackThis log is not showing any malware. Try this:

Use the ESET Nod32 Online Scanner.
Click YES, I accept the Terms of Use. Then Start.
The scan report is saved by default in C:\Program Files\EsetOnlineScanner\log.txt
Add the EsetOnlineScanner\log.txt in your post as an Attachment.

Guide For Attaching Logs To A Post

#12
You don't know who makes e-S SYSTEMS? I can't find them on the net.

#13
Is that the brand name? e-S Systems?

You really need to get the logs I have been requesting. HijackThis only shows some forms of malware, not all, and I am fairly confident the PC is not cleaned yet. Also, without following the instructions it may not be showing everything it can.

#14
I have renamed the file and done another scan, and used the ESET online scanner; all OK.