Just been attacked by a crap load of viruses

Discussion in 'Malware Help (A Specialist Will Reply)' started by OCCMIKE, May 24, 2006.

  1. OCCMIKE

    OCCMIKE Private E-2

    Ok, I'm updating my NAV when all of a sudden it disables and I get flooded with a ton of porn/viruses and other crap. One of the viruses still on my PC is SpyFalcon and it won't leave. I tried the steps above but I get this message.


    Cannot import c:\delmoal`1\fixquake.reg

    Not a registry script

    Please help, I'm not sure what to do.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you did not save the file exactly as the instructions indicate. Try again.

    Please do not post HijackThis logs without following the READ & RUN ME instructions, but for SpyFalcon, the sticky for SpywareQuake & SpyFalcon should work.
     
  3. OCCMIKE

    OCCMIKE Private E-2

    I did what you said, but for the first part I found none of those files, yet I still get this on my reboot.
     

    Attached Files:

    Last edited by a moderator: May 27, 2006
  4. OCCMIKE

    OCCMIKE Private E-2

    Here's my smit or whatever it's called scan
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like you have a new form that will require some additions to the procedure. I already can see some items to add to the registry patch, but we need to locate possible hidden DLL files. Were you finally able to get the fixquake.reg patch to add into your registry? I will be making a new one after getting info from the below.


    Please run the below procedure and attach the log from WinPfind:

    Running WinPfind by OldTimer
     
  6. OCCMIKE

    OCCMIKE Private E-2

    Yes, I was able to get it in the registry but then nothing happened; still didn't find any of those files you said to rename to ddd. Also here is what the Kaspersky scan found
     

    Attached Files:

  7. OCCMIKE

    OCCMIKE Private E-2

    One more thing: NAV pops up with a virus called winrvc32.dll, but when I try to remove it, even in safe mode, it says it's being used?

    Btw here's the scan
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's a PandaActiveScan log, not Kaspersky. You have a lot more problems than just SpyFalcon. You need to complete the other steps in the READ & RUN ME that you have not run. That is, in particular, run Bitdefender and attach the log. Follow the directions in step 6 for creating the log.

    In the meantime, I have been modifying the SpywareQuake & SpyFalcon removal procedure. You should re-run the procedure now. You MUST redownload the fixquake.reg patch since it has changed. Also there is a new file in the list ( %System32%\oerucu.dll ). You should find this one on your PC, rename it, and then delete it later.

    After running Bitdefender and attaching the log, and after also re-running the SpywareQuake & SpyFalcon procedure, attach a new HijackThis log so we can finish fixing your remaining problems.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I also see signs of the below P2P programs in your WinPfind log:

    Ares
    Bearshare
    Morpheus

    Do you still have these installed? They contain bundled malware. Newer versions of Bearshare and Morpheus are supposedly clean.
     
  10. OCCMIKE

    OCCMIKE Private E-2

    Nope, I removed those 'cause those did nothing but flood with spyware, which I took my chance even downloading them. Anyway here is my Bitdefender scan; I'm doing the other scan as we speak.
     

    Attached Files:

  11. OCCMIKE

    OCCMIKE Private E-2

    Still can't find the files you said to look for, but I did run the scan; not sure if it helped. Anyway, my HijackThis log
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you rerun the SpywareQuake removal steps?

    The oerucu.dll file clearly showed in your PandaActiveScan log (look for yourself at the log). Are you sure you really have viewing of hidden and system files and also extensions for known file types enabled?


    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - Default URLSearchHook is missing
    O15 - Trusted Zone: http://housecall65.trendmicro.com
    O15 - Trusted Zone: http://www.trendmicro.com
    O20 - Winlogon Notify: winrvc32 - winrvc32.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\oerucu.dll
    c:\windows\system32\wnscpcc.exe
    c:\documents and settings\hamza\favorites\Antivirus Test Online.url
    C:\Documents and Settings\Hamza\Local Settings\Temp <--- delete all files & subfolders in this Temp folder
    C:\WINDOWS\temp <--- delete all files & subfolders in this Temp folder
    C:\WINDOWS\??stem32\arpa.exe <--- looks like you have a folder trying to pretend to be another system32 folder. You need to locate this folder and delete it. Make sure you do not try to delete the real system32 folder. This fake folder will more than likely not be in alphabetical order (sort the folder by Name) and you should be able to see the arpa.exe file in the fake folder.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
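The fake "??stem32" folder in the post above is found by eye (it sorts out of alphabetical order). The following is an added example, not part of the thread, that does the same check programmatically: it folds each directory name to an ASCII skeleton and flags entries that match "system32" but are not the genuine folder. It assumes the two unrenderable characters in "??stem32" are non-ASCII lookalikes (the out-of-order sorting suggests that); the sample listing, the lookalike characters and the `CONFUSABLES` subset are constructed for the example.

```python
import unicodedata

# Constructed sample of what a listing of C:\WINDOWS might hold. The third
# entry imitates the post's fake folder: it uses Cyrillic U+0443 ("у") and
# U+0455 ("ѕ") in place of Latin "y" and "s", so it sorts away from System32.
SAMPLE_LISTING = [
    "system",
    "System32",
    "S\u0443\u0455tem32",   # lookalike folder (constructed)
    "system32 ",            # trailing space, also not the real folder
    "SysWOW64",
    "Temp",
    "Prefetch",
]

# Illustrative subset of Cyrillic/Greek characters that render like Latin
# letters. This is NOT the full Unicode confusables table (assumption: the
# lookalikes in a fake folder name come from this common set).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u03bf": "o", "\u03b1": "a", "\u03c5": "y",
}


def skeleton(name: str) -> str:
    """Fold a directory name for comparison: NFKC-normalise, map known
    lookalikes to Latin, drop trailing spaces/dots (which Win32 ignores
    when opening a path), and lowercase (NTFS is case-insensitive)."""
    folded = unicodedata.normalize("NFKC", name)
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return folded.rstrip(" .").lower()


def find_system32_impostors(listing, real="System32"):
    """Return (name, reason) pairs for entries that fold to the same
    skeleton as the genuine folder without being that folder."""
    target = skeleton(real)
    hits = []
    for entry in listing:
        if entry.lower() == real.lower():      # the genuine folder itself
            continue
        if skeleton(entry) != target:
            continue
        reasons = []
        if any(ord(ch) > 127 for ch in entry):
            reasons.append("non-ASCII lookalike characters")
        if entry != entry.rstrip(" ."):
            reasons.append("trailing space or dot")
        hits.append((entry, "; ".join(reasons) or "lookalike name"))
    return hits


if __name__ == "__main__":
    # Offline demonstration on the constructed listing. On a live machine
    # you would feed os.listdir(r"C:\WINDOWS") to the same function.
    for name, why in find_system32_impostors(SAMPLE_LISTING):
        print(f"suspicious: {name!r} ({why})")
```

Each hit is only a candidate for review; the real folder is the one whose name is plain ASCII "System32" with no trailing characters, and nothing here deletes anything.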
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I forgot one more thing I want you to do so we can get rid of the registry entries for those P2P programs and also a few other things you need to remove that you no longer use.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
     
  14. OCCMIKE

    OCCMIKE Private E-2

    Hey, how about that F2 file in my HijackThis log, also that one that says Prism, 'cause my startup is also slow.
     
  15. OCCMIKE

    OCCMIKE Private E-2

    K, did what you said; the only thing it wouldn't let me do is reset the IE settings, dunno why. Anyway here is my log again; other than the slow startup everything seems to be fine, but should I run a few scans to be safe?
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Valid!

    I thought it was for your wireless Lan.

    See: http://www.liutilities.com/products/wintaskspro/processlibrary/prismsvr/

    Your startup is probably slow just due to the programs you are running. In particular, all the stuff from Symantec.

    Have you completed the steps from my previous messages?

    Do you still use AOL?
     
  17. OCCMIKE

    OCCMIKE Private E-2

    Well, did a Kaspersky scan and below are the results. Anyway here is a recap of what I fixed from today

    -No more SpyFalcon icon
    -IE homepage isn't hijacked anymore
    -NAV deleted about 18 viruses
    -Spybot also deleted about 10
    -Ad-Aware deleted like 8
    -Microsoft Spyware deleted a toolbar
    -No more porn pop-ups which I was getting flooded with today


    *sigh* Still got a way to go I think, but thanks again for all the help. I'm beat so I'm heading to bed, but I'll be back at it in the morning. :)
     

    Attached Files:

  18. OCCMIKE

    OCCMIKE Private E-2

    That's the odd thing: I don't have a wireless setup or anything wireless, so can I get rid of it? Another thing, no, I don't use AOL anymore; is there a software I can use that can remove all the bundled crap it leaves behind?
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is nothing in there to be concerned with. The first is a false positive relating to your CCleaner installation file. The others are in your Quarantine and System Restore folders. Empty your Quarantine (step 0 of the READ ME) and flush system restore per step 1 of the READ ME.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's get an installed programs list from HijackThis!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
    We can manually remove AOL's services and that other process (if you are sure it is not needed) but let me see the above log first.

    But see the below and tell me if this is what you have:
    http://www.bleepingcomputer.com/startups/PRISMSVR.EXE-9262.html
     
  21. OCCMIKE

    OCCMIKE Private E-2

    Here you go
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    AOL is in your Add/Remove Programs list. If you do not use it, uninstall all of the below:
    AOL Coach Version 2.0(Build:20041026.5 en)
    AOL Connectivity Services
    AOL Spyware Protection
    AOL You've Got Pictures Screensaver
    Viewpoint Media Player

    You also need to uninstall:
    Java 2 Runtime Environment, SE v1.4.2_05 <--- old version no longer needed
    Microsoft AntiSpyware <--- Consider upgrading to WinXP SP2 and using Windows Defender
    Mozilla Firefox (1.5) <---- Make sure this is 1.5.0.4 . The new version does not show full version info in Add/Remove programs, so I'm just recommending you check your version by running it.


    You did not address my question about:
    http://www.bleepingcomputer.com/star....EXE-9262.html
     
  23. OCCMIKE

    OCCMIKE Private E-2

    Ok, I uninstalled everything you said. As for Firefox, I'm running 1.5.03, which Firefox had listed as the latest? Anyway, what question did I not address? If it was about that PRISM startup, I'm not using any wireless stuff, so can I disable it? :)
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No it is not the latest. See: Mozilla FireFox

    Read the link in my last two messages. It is referring to software related to the Siemens Gigaset USB Adapter.

    I would like to get some more info on the C:\WINDOWS\System32\PRISMSVR.EXE file. Locate it again using Windows Explorer and then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.

    Attach a new HJT log and let's see if the AOL stuff is all gone.
     
  25. OCCMIKE

    OCCMIKE Private E-2

    Ok, I did the updating of Firefox like you told me to. I checked my system32 folder and don't see PRISMSVR.EXE; the only one I see is PRISME5.DLL. If that's the one, then here is what it says.

    File version: 1.8.45.1
    Description: IEEE 802.1X Protocol
    Copyright: Copyright © Meetinghouse Data Communications 1997-2003
    Company: Meetinghouse Data Communications
    File version: 1, 8, 45, 1
    Internal Name: mdc8021x.dll
    Original file name: mdc8021x.dll
    Product name: AEGIS Client API


    Here is my HijackThis log
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that is not the same file but it is related. Seems to also be for Wireless D-link DWL-G120 USB Adapter Prism54 Driver.

    Did someone at one time have some wireless interface in the PC?

    All the AOL stuff seems to be gone except for a few ActiveX objects. Let's fix them and also the prismsvr.exe line. If it winds up being a problem, you can always restore it from the HijackThis backup. Run HijackThis and fix the below lines:


    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab


    How is everything working now?
     
  27. OCCMIKE

    OCCMIKE Private E-2

    Ok, I did what you said, and nope, that is odd, since I have owned this PC we never used any wireless program. I use stuff like for my cell phone or iPod, but both of those are hooked up through USB, not wireless. :confused:

    Anyway, what steps should I take now in getting SP2, and is it really needed, and what can I expect from getting it? Finally, thanks again for helping out. :)

    1 last thing: you mentioned D-Link; the only D-Link item I own is a router, but again that's hooked up with an ethernet cord, not wireless. Maybe someone was using my connection, no clue if that's possible.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There are many opinions on SP2. Some people (a small number) have a few compatibility issues with it but most don't. Some of the people who had problems with it, had them because they tried to upgrade while they were infected with malware. That is a very bad idea.

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note: It is not a good idea to do what you have been doing, working in multiple forums.

    http://forums.techguy.org/security/469704-help-im-being-attacked-2.html

    In the future, pick one forum and stick with it. If you don't trust the forum, then don't post there, but posting the same thing in multiple forums and actually working in both at the same time is a bad idea, and the duplicated effort on our part is a waste of our time.

    You did the same thing at least once before in these two threads:

    http://forums.majorgeeks.com/showthread.php?t=91490
    http://forums.techguy.org/security/464450-help-needed-may-infected-lot.html
     
    Last edited: May 26, 2006
  30. OCCMIKE

    OCCMIKE Private E-2

    Sorry about that, I just like getting a few users' help 'cause I felt I was bugging you; it won't happen again. Hey, my startup is slow, can you check my HijackThis log? I think it has to do with these 2 Java programs.

    Btw in Spybot I noticed it says browser helper is not installed, but when I click the box to enable it nothing happens.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We don't have a problem with you working in other forums. It is working in multiple ones for the same malware issue that is a problem. Neither forum knows about the other, and approaches to fixing things can take different directions. Things that could be done could confuse the other helper and could also cause things the helpers suggest doing to conflict with each other. It is just a very bad idea. We know that people want to get their PCs fixed ASAP, but the best and fastest method is almost always working in only one forum. The only time that is not true is when you look for help in a forum with inexperienced helpers, and there are hundreds of forums like that.


    What two Java programs are you referring to? Do you mean the Sun Java Console? While slow startup can be malware, it is more frequently due to the amount and choice of software being run. Symantec/Norton is a common factor causing slow startup and poor PC performance.

    Not sure what you mean. Attach a log showing what it is reporting.
     
    Last edited: May 27, 2006
  32. OCCMIKE

    OCCMIKE Private E-2

    Here are the Java programs I suspected of making my PC drag.

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

    Below is that Spybot program; I had it checked before, no clue how it got unchecked.
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I doubt the Sun Java Console (those lines are what I meant by my comment) has anything to do with your PC being slow. What version of Sun Java do you have installed?

    As far as Spybot, that is the SDhelper function also available from the Advanced Tools--> Resident menu. Your Symantec Security Suite is probably blocking it from being set.
     
  34. OCCMIKE

    OCCMIKE Private E-2

    How do I check which Java I have installed? Also, are you sure it's NAV, 'cause it has always been checked up until today; maybe reinstalling Spybot may work. :confused:
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove Programs to see what versions you have. You may even have more than one. Also in Control Panel you probably will see a Java Plug-in icon which you can double click on. Be patient, it may take a while for the program to load up and show something. Then just click the About tab and you will see the version.

    No, I'm not sure that it is Norton, but it is the only other protection software you have running, so it would appear to be the only thing that could block any registry changes like that.

    You could try reinstalling if you like. It may or may not work. You could also try changing it from the Advanced --> Tools --> Resident menu.
     
  36. OCCMIKE

    OCCMIKE Private E-2

    Ok, I reinstalled my Spybot and now it's back to being checked; any other settings I need to fix since I did reinstall it? My Java version is 1.5.0._06-b05 with an update in my Add/Remove folder. Anyway, everything is running fine now. Before I update to SP2, is it true you need to back up the PC, and how do I go about this? Silly me has no backup of my PC. :rolleyes:
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Installing SP2 and performing PC backups are not topics for this forum. Yes, it would be a good idea to have a backup. Is it a requirement before upgrading to SP2? No it is just a safety net in case something goes wrong. You should discuss this in the Software Forum.
     
