Thread ID: 79408 2007-05-19 03:53:00 Virus Problems Sherman (9181) Press F1
Post ID Timestamp Content User
550987 2007-05-19 03:53:00 Hi folks
I'm helping a good friend to clean up her computer some.
She used to have nortons, but doesn't seem to think they are that great any more... Needless to say, she now has AVG.
The problem is that AVG seems to be picking up about 7-9 threats, and these threats always seem to be the same ones every time... No matter whether I tell AVG to heal the files or move them to the virus vault they still keep coming up!
Any ideas as to how I might be able to get rid of the viruses?
I've also done the usual malware/spyware scans as well...

I've run HijackThis and here's the log, for those people who understand such things...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:44:06 p.m., on 19/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIB GP.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\telcoms.exe
C:\WINDOWS\System32\itsdde.exe
C:\WINDOWS\System32\xmlehkyw.exe
C:\WINDOWS\System32\dcpavss.exe
C:\WINDOWS\System32\xmlyiexj.exe
C:\WINDOWS\System32\ldmprocs.exe
C:\WINDOWS\System32\fxsotwir.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Margaret\Desktop\HiJackThis_v2.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [EPSON Stylus C79 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIB GP.EXE /FU "C:\WINDOWS\TEMP\E_SA8.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\..\Run: [ascdps] C:\WINDOWS\System32\itsdde.exe
O4 - HKLM\..\Run: [dlcipscl] C:\WINDOWS\System32\dcpavss.exe
O4 - HKLM\..\Run: [ssmcopx] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKLM\..\Run: [ldvbs] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKLM\..\Run: [wdmlpc] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKLM\..\Run: [smiproc] C:\WINDOWS\System32\ldmprocs.exe
O4 - HKLM\..\Run: [idmlcs] C:\WINDOWS\System32\xmlehkyw.exe
O4 - HKLM\..\Run: [timelibw] fxsotwir.exe
O4 - HKLM\..\Run: [xsmoves] C:\WINDOWS\System32\xmlehkyw.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\..\Run: [ascdps] C:\WINDOWS\System32\itsdde.exe
O4 - HKCU\..\Run: [dlcipscl] C:\WINDOWS\System32\dcpavss.exe
O4 - HKCU\..\Run: [ssmcopx] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKCU\..\Run: [ldvbs] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKCU\..\Run: [wdmlpc] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKCU\..\Run: [smiproc] C:\WINDOWS\System32\ldmprocs.exe
O4 - HKCU\..\Run: [idmlcs] C:\WINDOWS\System32\xmlehkyw.exe
O4 - HKCU\..\Run: [timelibw] fxsotwir.exe
O4 - HKCU\..\Run: [xsmoves] C:\WINDOWS\System32\xmlehkyw.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: CreataCard Gold 2 Forget Me Not Reminders.lnk = C:\Program Files\CreataCard\Gold\FMRMD32.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDDD625A-9FD5-44AC-9BBC-9620624B6FA9}: NameServer = 202.27.158.40 202.27.184.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDF826FF-62BE-4AD0-BA77-5F4337C09705}: NameServer = 194.54.90.226
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - images.google.com
O24 - Desktop Component 1: (no name) - file:///D:/images/img1-800.jpg
O24 - Desktop Component 2: (no name) - file:///D:/images/img3-800.jpg
O24 - Desktop Component 3: (no name) - icelandiscool.com
O24 - Desktop Component 4: (no name) - www7.nationalgeographic.com

--
End of file - 6074 bytes

She is on dialup, and doesn't access the internet much.
Sherman (9181)
550988 2007-05-19 04:04:00 The problem is that AVG seems to be picking up about 7-9 threats, and these threats always seem to be the same ones every time... No matter whether I tell AVG to heal the files or move them to the virus vault they still keep coming up!
Any ideas as to how I might be able to get rid of the viruses?

Does AVG say where these threats are coming from?

(I have a funny feeling that AVG is picking up the threats from System Restore folders, so I think you may need to disable System Restore & restart the computer (doing this will remove all System Restore points) & then turn on System Restore again)
stu161204 (123)
550989 2007-05-19 04:05:00 Put HJT in its own folder, then run it again, tick these entries and tick Fix checked.

Close browser/s.

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIB GP.EXE

These most probably belong to viruses or diallers or something.

After u tick these entries and tick fix checked, boot into safe mode and delete these files.

I would also get trojan remover in my sig below update it then click on scan.

Then select the 3rd - 7th option under the utilities menu.

**********************************************************
C:\WINDOWS\System32\telcoms.exe
C:\WINDOWS\System32\itsdde.exe
C:\WINDOWS\System32\xmlehkyw.exe
C:\WINDOWS\System32\dcpavss.exe
C:\WINDOWS\System32\xmlyiexj.exe
C:\WINDOWS\System32\ldmprocs.exe
C:\WINDOWS\System32\fxsotwir.exe

O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\..\Run: [ascdps] C:\WINDOWS\System32\itsdde.exe
O4 - HKLM\..\Run: [dlcipscl] C:\WINDOWS\System32\dcpavss.exe
O4 - HKLM\..\Run: [ssmcopx] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKLM\..\Run: [ldvbs] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKLM\..\Run: [wdmlpc] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKLM\..\Run: [smiproc] C:\WINDOWS\System32\ldmprocs.exe
O4 - HKLM\..\Run: [idmlcs] C:\WINDOWS\System32\xmlehkyw.exe
O4 - HKLM\..\Run: [timelibw] fxsotwir.exe
O4 - HKLM\..\Run: [xsmoves] C:\WINDOWS\System32\xmlehkyw.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe

O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\..\Run: [ascdps] C:\WINDOWS\System32\itsdde.exe
O4 - HKCU\..\Run: [dlcipscl] C:\WINDOWS\System32\dcpavss.exe
O4 - HKCU\..\Run: [ssmcopx] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKCU\..\Run: [ldvbs] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKCU\..\Run: [wdmlpc] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKCU\..\Run: [smiproc] C:\WINDOWS\System32\ldmprocs.exe
O4 - HKCU\..\Run: [idmlcs] C:\WINDOWS\System32\xmlehkyw.exe
O4 - HKCU\..\Run: [timelibw] fxsotwir.exe
O4 - HKCU\..\Run: [xsmoves] C:\WINDOWS\System32\xmlehkyw.exe
*****************************************************

O4 - Global Startup: CreataCard Gold 2 Forget Me Not Reminders.lnk = C:\Program Files\CreataCard\Gold\FMRMD32.EXE

O24 - Desktop Component 0: (no name) - images.google.com
O24 - Desktop Component 1: (no name) - file:///D:/images/img1-800.jpg
O24 - Desktop Component 2: (no name) - file:///D:/images/img3-800.jpg
O24 - Desktop Component 3: (no name) - icelandiscool.com
O24 - Desktop Component 4: (no name) - www7.nationalgeographic.com

And if she's planning on getting on the net again, install a firewall.
Speedy Gonzales (78)
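As an added example (not from the thread or from the HijackThis project), a small Python check that reads O4 entries in the HijackThis log format shown above and flags the patterns picked out by hand in the reply: a program registered by bare filename with no path, one binary registered under several value names, and the same binary started from more than one location (HKLM and HKCU, or Run and RunServices). The log excerpt is constructed from lines quoted in the thread, with benign AVG and CTFMON entries included for contrast.

```python
import re
from collections import defaultdict

# Constructed excerpt in the HijackThis O4 format, built from lines quoted in
# the thread: two benign entries plus the repeated System32 entries.
HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKLM\..\Run: [ssmcopx] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKLM\..\Run: [ldvbs] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\..\Run: [Microsoft Telecoms Center] telcoms.exe
O4 - HKCU\..\Run: [ssmcopx] C:\WINDOWS\System32\xmlyiexj.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""

# hive (HKLM/HKCU/HKUS), key (Run or RunServices), value name, command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^\\]+)\\.*?\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)


def parse_o4(log):
    """Return (hive, key, value_name, program) for each O4 registry entry."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m["cmd"]
        # A quoted path may contain spaces; otherwise the first token is the program.
        program = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
        entries.append((m["hive"], m["key"], m["name"], program))
    return entries


def flag_autostarts(entries):
    """Group entries by executable name and return {basename: sorted flags}."""
    by_file = defaultdict(list)
    for hive, key, name, program in entries:
        by_file[program.rsplit("\\", 1)[-1].lower()].append((hive, key, name, program))
    findings = {}
    for base, rows in by_file.items():
        flags = set()
        if any("\\" not in p for _, _, _, p in rows):
            flags.add("bare_name")       # no path given, so the real file location is unknown
        if len({n for _, _, n, _ in rows}) > 1:
            flags.add("multi_alias")     # one binary registered under several value names
        if len({(h, k) for h, k, _, _ in rows}) > 1:
            flags.add("multi_location")  # HKLM and HKCU, or Run and RunServices
        if flags:
            findings[base] = sorted(flags)
    return findings


if __name__ == "__main__":
    for base, flags in flag_autostarts(parse_o4(HJT_LOG)).items():
        print(base, ", ".join(flags))
```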
550990 2007-05-19 04:08:00 Also, once you get rid of this virus problem & any spyware/adware, she should upgrade to Win XP SP2, as otherwise she won’t be able to get Windows updates, or will have a hard time getting them.

I think you should be able to get SP2 on a CD from MS; if not, I am sure someone here who’s on broadband will be able to download it & send it to you :)
stu161204 (123)
550991 2007-05-19 04:12:00 I think you should be able to get SP2 on a CD from MS; if not, I am sure someone here who’s on broadband will be able to download it & send it to you :)

And if she decides to install SP2 and other updates DON'T install it until u remove the entries and delete the files I posted.

And yup, it might be a good idea to disable system restore before u delete the files.

Then turn it back on later. (altho u may have to delete the files in the SR folder/s as well). Soon find out if they come back.

Otherwise it may not boot into XP again.
Speedy Gonzales (78)
550992 2007-05-19 04:23:00 Wow, that is a lot of bad stuff on one computer. Been ages since I've seen that. beeswax34 (63)
550993 2007-05-19 04:59:00 It's similar to my dads PC, he doesn't use a firewall. Does your friend have a firewall installed, Sherman? winmacguy (3367)
550994 2007-05-19 05:14:00 The problem is, she is an older lady (try in her 80's) and she recently only just got proper antivirus (she had nortons firewall before, not knowing it was not antivirus). I also imagine that before she got AVG, no sort of scan had been done whatsoever on her computer.
And this is a computer that's around 3-4 years old now...
And she only got AVG a few weeks ago...

BTW speedy, I went to delete those files in C:\WINDOWS\System32\ and they didn't exist!

And no, she doesn't have a firewall now. I'll probably put ZoneAlarm or something on tomorrow.


I must say that she does better than my grandparents though!
1st she actually has a computer...
Second, she goes to SeniorNet so she knows how to use it (more or less).
Third, if she has a problem and it comes up with a message, she writes things down.
She also writes down instructions on how to do virus/spyware scans, so once she has been shown how to do it, she doesn't have to ask again.
Sherman (9181)
550995 2007-05-19 05:17:00 BTW speedy, I went to delete those files in C:\WINDOWS\System32\ and they didn't exist!

Post another HJT log, if you ticked the previous entries, then tick fix checked.

We'll see if they're still in it. Did u use TR and do a scan?
Speedy Gonzales (78)
550996 2007-05-19 05:20:00 The problem is, she is an older lady (try in her 80's) and she recently only just got proper antivirus (she had nortons firewall before, not knowing it was not antivirus). I also imagine that before she got AVG, no sort of scan had been done whatsoever on her computer.
And this is a computer that's around 3-4 years old now...
And she only got AVG a few weeks ago...



She is only about 10 years older and with the same amount of knowledge as my dad, well maybe more. Good on her for going to senior net :) His PC is probably about the same age (not including updates).
winmacguy (3367)