| Thread ID: 97556 | 2009-02-19 22:32:00 | Virus Removal Help | Blam (54) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 749434 | 2009-02-19 22:32:00 | Currently trying to remove a virus from a friend's PC. It must be a newer variant, as I have run Spyware Terminator and Trojan Remover and the virus still persists. Attached is a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:04 a.m., on 20/02/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\ThpSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Executor\Executor.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Users\12189\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\12189\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aero_Shake_1.3.exe
C:\Users\12189\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Belvedere 0.3.exe
D:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\FirstClass\fcc32.exe
C:\Program Files\AVG\AVG8\avgui.exe
D:\Flash drive\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = pressf1.pcworld.co.nz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = skcproxy
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ThpSrv] C:\Windows\system32\thpsrv /logon
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\12189\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Windows Live Messenger .lnk = C:\Program Files\Windows Live\Messenger\msnmsgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.sk.edu
O17 - HKLM\Software\..\Telephony: DomainName = student.sk.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.sk.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.sk.edu
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\Windows\system32\ThpSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Websense Desktop Client (WebsenseDesktopClient) - Unknown owner - C:\Program Files\PMM\WDC.exe (file missing)

-- End of file - 6502 bytes

Firefox does not open. I have tried FF safe mode, but it tries to open and then crashes straight away. Also, AVG pops up many times when the user tries to access Internet Explorer; I have attached an image. AVG seems to think that most HTM files are "infected". There is also a dodgy file on the C drive I have been trying to remove, called asyoclq.exe. TIA, Blam |
Blam (54) | ||
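Added example for this thread, not part of the original post and not HijackThis's own logic: a small Python triage script for HJT 2.x logs of the kind pasted above. It parses the R/F/N/O entries and applies the checks a responder usually does by eye: a proxy auto-config URL (R1 AutoConfigURL), hosts-file entries beyond localhost (O1), Run entries that launch from user-writable paths (O4), AppInit_DLLs (O20), and services with an unknown owner or a missing file (O23). The sample log is a constructed subset of lines quoted in the post; the heuristics, category names and the USER_WRITABLE pattern are this example's own assumptions, and every hit is a review item rather than a verdict (a domain-joined school machine may legitimately push a PAC URL, and security products use AppInit_DLLs too).

```python
"""Triage helper for HijackThis (HJT) 2.x logs.

Added example for this thread, not HijackThis's own logic. It parses the
'R0 - ...' / 'O23 - ...' entries and flags the items a responder normally
reviews by hand. Every hit is a review item, not a malware verdict.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the lines quoted in the forum post.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista (WinNT 6.00.1904)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = pressf1.pcworld.co.nz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = skcproxy
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\12189\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Websense Desktop Client (WebsenseDesktopClient) - Unknown owner - C:\Program Files\PMM\WDC.exe (file missing)
-- End of file - 6502 bytes
"""

# An HJT entry is a section code (R0..R3, F0..F3, N1..N4, O1..O24), ' - ', body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Heuristic (this example's assumption): autorun targets under user-writable
# directories deserve a look, because a standard user can drop files there.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\[^\\]+)\\", re.I)


@dataclass(frozen=True)
class Entry:
    code: str   # e.g. "O23"
    body: str   # everything after "O23 - "


def parse_hjt(text: str) -> list[Entry]:
    """Return the R/F/N/O entries of a log; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Apply the review heuristics; returns (category, entry body) pairs."""
    findings = []
    for e in entries:
        if e.code == "R1" and "AutoConfigURL" in e.body:
            # A PAC URL routes all browser traffic. Legitimate on a managed
            # network, so check it against the site's known proxy.
            findings.append(("proxy_pac", e.body))
        elif e.code == "O1" and e.body.startswith("Hosts:"):
            # "::1 localhost" / "127.0.0.1 localhost" are the defaults;
            # any other name in the hosts file redirects name resolution.
            names = e.body[len("Hosts:"):].split()[1:]
            if any(n.lower() != "localhost" for n in names):
                findings.append(("hosts_override", e.body))
        elif e.code == "O4" and USER_WRITABLE.search(e.body):
            findings.append(("run_user_path", e.body))
        elif e.code == "O20" and e.body.startswith("AppInit_DLLs"):
            # AppInit_DLLs loads into every process that links user32.dll;
            # security products use it too, so identify the DLL's vendor.
            findings.append(("appinit_dll", e.body))
        elif e.code == "O23" and ("Unknown owner" in e.body or "(file missing)" in e.body):
            # HJT could not attribute the binary, or the service points at a
            # file that is gone (an uninstall leftover or a removed dropper).
            findings.append(("service_unverified", e.body))
    return findings


def categories(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings per category for a one-line summary."""
    return dict(Counter(cat for cat, _ in findings))


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for cat, body in found:
        print(f"[{cat}] {body}")
    print(categories(found))
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; on the sample above it flags the PAC URL, the Run entry under the user's AppData, the AppInit DLL and the two O23 services it cannot attribute, and leaves the default hosts entry and the vendor-signed services alone.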
| 749435 | 2009-02-19 22:39:00 | Please download Malwarebytes' Anti-Malware from one of these places: www.majorgeeks.com www.besttechie.net
Double-click mbam-setup.exe to install the application. If it will not run, make a copy of MBAM.exe, rename the copy to xxx.exe and run that. Keep the genuine MBAM.exe, as we may need to run that later as is.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See extra note.)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire report in your next reply along with a fresh HijackThis log.
PLEASE NOTE: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
MBAM may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
Once Malwarebytes' Anti-Malware is done removing the malware and you have rebooted the computer, browse around and see if you are still having that problem. |
Pancake (6359) | ||
| 749436 | 2009-02-19 23:14:00 | I forgot to mention that I have already run MBAM. It's usually the first one I run. Thanks, Blam |
Blam (54) | ||
| 749437 | 2009-02-19 23:21:00 | O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
How did you get infected if you are running the above??!! You had to have let it in yourself. You had Spybot up to date with the latest definitions? That and MB didn't remove it? You had MB up to date too? Then run NOD32; you'll have to get rid of AVG first, or run NOD with this drive attached to another PC. |
pctek (84) | ||
| 749438 | 2009-02-19 23:27:00 | Disable System Restore. Tick these, then tick "Fix checked". Close browsers.
O4 - HKCU\..\Run: [Google Update] "C:\Users\12189\AppData\Local\Google\Update\GoogleUpdate.exe" /c
Uninstall all versions of Java (it's out of date), then update it. Scan the whole HDD with Trojan Remover / AVG. |
Speedy Gonzales (78) | ||
| 749439 | 2009-02-19 23:35:00 | O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
How did you get infected if you are running the above??!! You had to have let it in yourself. You had Spybot up to date with the latest definitions? That and MB didn't remove it? You had MB up to date too? Then run NOD32; you'll have to get rid of AVG first, or run NOD with this drive attached to another PC.
Blam6 says, "Currently trying to remove a virus from a friend's PC, must be a newer variant as I have run Spyware Terminator, Trojan Remover and the virus still persists." How did Blam6 let it in? It is a PC belonging to a friend, in my opinion. |
Sweep (90) | ||
| 749440 | 2009-02-20 00:23:00 | Done all that, problem still persists? BTW, when you browse to a web page it creates a temp file, right? Well, AVG pops up saying that "htm" file is infected every time I open a new web page??? BTW PCTek - he only downloaded Sandboxie a week ago, when everything was fine. He saw it in a blog. Blam |
Blam (54) | ||
| 749441 | 2009-02-20 00:25:00 | Select all options under Utilities in Trojan Remover if you haven't yet. Run CCleaner and get rid of the temp files etc. Then reboot.
Well, it adds whatever to a cache. |
Speedy Gonzales (78) | ||
| 749442 | 2009-02-20 01:29:00 | Done all that, problem still persists? BTW PCTek - he only downloaded Sandboxie a week ago, when everything was fine.
Done what exactly? Ran NOD? That file you mentioned is malware; if you have run all 3 of what's been suggested it should have found it. And Sandboxie - he thought everything was fine. It probably wasn't. |
pctek (84) | ||
| 749443 | 2009-02-20 03:15:00 | Go online and type HOUSECALL in your search bar; it will take you to the Trend Micro online virus scan. Follow the prompts. | shell49 (7096) | ||