| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 110868 | 2010-07-05 02:13:00 | Virus issue, help please. | Mister (15201) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 1116014 | 2010-07-05 02:13:00 | Heya. So I've been away for a month or so, I get back, and my brother has been using my computer. He's been doing all sorts of things on it, and I assume he's collected some viruses. There's some weird processes that keep running in Task Manager, which keep flashing, I google these tasks, and apparently they're Trojans/Viruses. Such as csrss.exe And smss.exe But Microsoft Security Essentials can't find anything, niether can Super Anti Spyware. And I can't install Trojan Remover because I get the error "This program will not run on Windows NT" Here's a HiJack This log, maybe it will help. Logfile of Trend Micro HijackThis v2.0.3 (BETA) Scan saved at 1:13:41 p.m., on 5/07/2010 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe c:\Program Files\Microsoft Security Essentials\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Microsoft Security Essentials\msseces.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe C:\Program Files\n52te\n52teHid.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Documents and Settings\Matt\Application Data\Windows Firewall\winlogon.exe C:\Documents and Settings\Matt\Local Settings\Apps\2.0\50MZBZEY.RZL\ZQBJCT8M.4P3\curs.. tion_eee711038731a406_0004.0000_172b37d8269e5e48\C urseClient.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\n52te\n52teTra.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Windows Live\Contacts\wlcomm.exe C:\Program Files\World of Warcraft\WoW.exe C:\Program Files\iTunes\iTunes.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:Blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:Blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:Blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:Blank R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll O4 - HKLM\..\Run: [Six Engine] "C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe" -r O4 - HKLM\..\Run: [ASUS Update Checker] C:\Program Files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker. exe O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" O4 - HKLM\..\Run: [Jomantha] C:\Program Files\n52te\n52teHid.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [HKCU] C:\Documents and Settings\Matt\Application Data\Windows Firewall\winlogon.exe O4 - Startup: CurseClientStartup.ccip O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - platformdl.adobe.com O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Avira AntiVir MailGuard (AntiVirMailService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\avmailc.exe (file missing) O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Unknown owner - C:\Program Files\Avira\AntiVir Desktop\avguard.exe (file missing) O23 - Service: Avira AntiVir WebGuard (AntiVirWebService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing) O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: nTune Service (nTuneService) - Unknown owner - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe (file missing) -- End of file - 7242 bytes Thanks you. |
Mister (15201) | ||
| 1116015 | 2010-07-05 02:19:00 | Tick these then tick fix checked (or delete the startup entries with ccleaner) Close browsers. Disable system restore I would remove curseclient. People who have used it, have had their WOW accounts hacked O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) Uninstall askbar I dont think, this needs to be in startup O4 - HKLM\..\Run: [ASUS Update Checker] C:\Program Files\ASUS\ASUSUpdate\UpdateChecker\UpdateChecker. exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" Its probably this entry thats a virus. This is probably why TR wont work. TR definitely works in XP O4 - HKCU\..\Run: [HKCU] C:\Documents and Settings\Matt\Application Data\Windows Firewall\winlogon.exe O4 - Startup: CurseClientStartup.ccip Uninstall Avira, since MSSE is installed. I would also update to IE 7 or 8. Even if you dont use IE. Then run ccleaner and remove the temp files etc |
Speedy Gonzales (78) | ||
| 1116016 | 2010-07-05 02:23:00 | ok Thank you. I should also add, my mouse is now randomly freezing up, like it slows down by alot. Still moves, just reaaaaally slowly. |
Mister (15201) | ||
| 1116017 | 2010-07-05 02:27:00 | Fix all of the above that'll probably fix it. Then run trojan remover. It'll probably run after you reboot | Speedy Gonzales (78) | ||
| 1116018 | 2010-07-05 02:28:00 | Fix all of the above that'll probably fix it. Then run trojan remover. It'll probably run after you reboot Find this file after you reboot then delete it C:\Documents and Settings\Matt\Application Data\Windows Firewall\winlogon.exe <- this file |
Speedy Gonzales (78) | ||
| 1116019 | 2010-07-05 02:28:00 | Fix all of the above that'll probably fix it. Then run trojan remover. It'll probably run after you reboot Mmm, yeah. I can't install Trojan Remover still, it still says the program will not run on Windows NT. |
Mister (15201) | ||
| 1116020 | 2010-07-05 02:31:00 | So have you ticked those entries YET? Make sure you reboot after | Speedy Gonzales (78) | ||
| 1116021 | 2010-07-05 02:34:00 | So have you ticked those entries YET? Make sure you reboot after Yes and Yes, Also when I try to locate C:\Documents and Settings\Matt\Application Data\Windows Firewall\winlogon.exe I get to the folder "Matt" But there is no Application Data Folder. |
Mister (15201) | ||
| 1116022 | 2010-07-05 02:35:00 | Ok. Get teamviewer, if you want. And send the ID and password to me in a PM. I can check it from here. Boot into safe mode / networking. You may have to go to tools / folder options / view in my computer / select show hidden folders/files to see it. Its hidden by default | Speedy Gonzales (78) | ||
| 1116023 | 2010-07-05 02:38:00 | Ok. I think we've done this before, but I must have uninstalled it. Download now. | Mister (15201) | ||
| 1 2 | |||||