Press F1 forum | Thread ID: 93425 | 2008-09-16 03:43:00 | XP Home totally infested with spyware and/or viruses.... | GR8Metal (14133)
Post 705510 | 2008-09-16 03:43:00 | GR8Metal (14133)

Hi all, I have yet another PC that's been infected with all sorts of rubbish. There is no "Run" when the Start menu is pressed. The system displays "virus alert" on the bottom right of the taskbar. Unable to run "regedit" as it displays "administrator has disabled registry editing...". The General tab in System Properties says that the system is registered to "virus alert". I've removed the hard drive from the system and installed it into a clean PC with updated malware removal utilities (Spybot, SUPERAntiSpyware, Malware Remover, Trojan Remover etc.) and Avast AV. Have run scans which detected and removed trojan viruses and a bulk load of spyware. Reinserted it back into the PC but there is still evidence of infection. Unable to boot into safe mode either to run further scans... Can anyone help in regards to what I can remove from the HijackThis log below...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:59: VIRUS ALERT!, on 16/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nz10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: {e23944b0-415a-5a0b-50e4-20692ea1a560} - {065a1ae2-9602-4e05-b0a5-a5140b44932e} - C:\WINDOWS\system32\gvxsvf.dll (file missing)
O2 - BHO: (no name) - {240074BC-32C6-45FB-8C57-8516BEEB7B9E} - C:\WINDOWS\system32\geBqnLDu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WinCinemaMgr] "C:\Program Files\InterVideo\Common\bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [d01ee279] rundll32.exe "C:\WINDOWS\system32\uwbsrtwe.dll",b
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPPAVI~1\Pavilion\XPHWWBP4\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Elements/Images/stg_drm.ocx
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209889947171
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1209889935906
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - http://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Amazing%20Adventures%20The%20Lost%20Tomb/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: mgxfebsq - {6530DB00-6FDC-4F05-9E43-3F281D70C1EE} - C:\WINDOWS\mgxfebsq.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--

And of course, it had LimeWire installed! Cheers.
Post 705511 | 2008-09-16 03:52:00 | Speedy Gonzales (78)

Get Malwarebytes below, update it then scan as well.

Tick these then tick Fix checked. Close browsers.

O2 - BHO: {e23944b0-415a-5a0b-50e4-20692ea1a560} - {065a1ae2-9602-4e05-b0a5-a5140b44932e} - C:\WINDOWS\system32\gvxsvf.dll (file missing) <-- if this file is here delete it after
O2 - BHO: (no name) - {240074BC-32C6-45FB-8C57-8516BEEB7B9E} - C:\WINDOWS\system32\geBqnLDu.dll (file missing) <-- same as above
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [d01ee279] rundll32.exe "C:\WINDOWS\system32\uwbsrtwe.dll",b <-- delete this file after you reboot
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: mgxfebsq - {6530DB00-6FDC-4F05-9E43-3F281D70C1EE} - C:\WINDOWS\mgxfebsq.dll (file missing)

Run Trojan Remover again, update it then scan, then select all options under Utilities. Then reboot.

Then uninstall McAfee and install something better.

Look in Add/Remove Programs for Videoaccess codec I think it is, uninstall it if it's there.
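The reply above triages the log by hand: load points whose DLL is already gone ("file missing"), the DisableRegedit policy, the IE Restrictions policy, and a Run value with a random-looking name that loads a DLL out of system32 via rundll32. The script below applies the same checks to HijackThis lines. It is an added illustration, not code from the thread or from HijackThis; the sample lines are copied from the posted log, and the random-name rule is a heuristic assumption, not a HijackThis feature.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log in the thread
SAMPLE_LOG = r"""O2 - BHO: (no name) - {240074BC-32C6-45FB-8C57-8516BEEB7B9E} - C:\WINDOWS\system32\geBqnLDu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [d01ee279] rundll32.exe "C:\WINDOWS\system32\uwbsrtwe.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: mgxfebsq - {6530DB00-6FDC-4F05-9E43-3F281D70C1EE} - C:\WINDOWS\mgxfebsq.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# Heuristic (assumption, not a HijackThis rule): a Run value named like an
# 8-hex-digit string, or rundll32 loading an 8-letter DLL from system32, gets reviewed.
RANDOM_NAME_RE = re.compile(r"\[([0-9a-f]{8})\]")
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?[A-Za-z]:\\WINDOWS\\system32\\([a-z]{8})\.dll"?', re.I)

def classify(line):
    """Return a short reason if this HijackThis line should be reviewed, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section in ("O2", "O20", "O21") and "(file missing)" in body:
        return "orphaned load point: registered DLL is no longer on disk"
    if section == "O4" and (RANDOM_NAME_RE.search(body) or RUNDLL_RE.search(body)):
        return "Run entry with random-looking name or rundll32-loaded system32 DLL"
    if section == "O6" and "Restrictions present" in body:
        return "IE restriction policy set (locks browser settings)"
    if section == "O7" and "DisableRegedit=1" in body:
        return "registry editing disabled by policy"
    return None

def review(log_text):
    """Return [(section, reason, line)] for every line that needs a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = classify(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason, line))
    return findings

if __name__ == "__main__":
    for section, reason, line in review(SAMPLE_LOG):
        print(f"{section:>4}  {reason}\n      {line}")
```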