| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 72583 | 2006-09-18 06:01:00 | Virus Detected : ( | Lovelee (6586) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 485489 | 2006-09-18 06:01:00 | Hey Guys! Another of my mates computers. Been giving her trouble for a while, and AVG has in the last couple of days picked up virus Win32/CryptExe Ive had a quick look online, but Im not finding anything to remove it. Bear in mind that I dont have the skills to go into the registry. I have done a hijackthis ... GREATLY APPRECIATE YOUR INPUT. Logfile of HijackThis v1.99.1 Scan saved at 3:56:23 p.m., on 18/09/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\laptop\My Documents\HJT\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe O4 - HKLM\..\Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl.exe" /H O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe" O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGACCESS4_1065.dll,InstantAccess O4 - Global Startup: BTTray.lnk = ? O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {04F414E9-E352-4BC3-963D-7BFE5A5F31A9} - scripts.dlv4.com O16 - DPF: {0878F049-D33E-45E0-A157-C36A6683CF25} - scripts.dlv4.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com O16 - DPF: {1CD4E2DC-2DA0-4154-8723-38CB04FB6A58} - scripts.dlv4.com O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com O16 - DPF: {82FC4503-8459-4239-9B85-0617BEAA950A} - scripts.dlv4.com O16 - DPF: {CB5D474E-A510-40A4-B5A4-838933BCBA64} - scripts.dlv4.com O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe O23 - Service: MainSafe Service (MSFIE) - Unknown owner - C:\WINDOWS\system32\mainsafe.exe (file missing) |
Lovelee (6586) | ||
| 485490 | 2006-09-18 06:03:00 | Sorry .. meant to add .. The computer will connect to the net, but I couldnt search for Press F1, in any way from her computer. It would bring the home page up, but not even go to any links on the page. |
Lovelee (6586) | ||
| 485491 | 2006-09-18 06:55:00 | This entry looks like Adware/spyware . Run HJT again tick these entries and tick fix checked . O4 - HKLM\ . . \Run: [MediaPipe P2P Loader] "C:\Program Files\p2pnetworks\mpp2pl . exe" /H O23 - Service: MainSafe Service (MSFIE) - Unknown owner - C:\WINDOWS\system32\mainsafe . exe (file missing) These dont have to be in startup O4 - HKLM\ . . \Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\ . . \Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs . exe" /background |
Speedy Gonzales (78) | ||
| 485492 | 2006-09-18 07:11:00 | OK Ive taken them off .. rebooting the comp at the moment. All that Ive been able to find online about the virus is that it is malaware. So, how is it rremoved. Thank you Speedy :) |
Lovelee (6586) | ||
| 485493 | 2006-09-18 07:54:00 | Use Spybot or Adaware, and do a scan. | Speedy Gonzales (78) | ||
| 485494 | 2006-09-18 08:01:00 | :D | Lovelee (6586) | ||
| 485495 | 2006-09-18 09:07:00 | PressF1's FAQ on how to remove malwares -> faqf1.net.nz Cheers :) |
Renmoo (66) | ||
| 485496 | 2006-09-18 09:12:00 | Speedy While I was waiting for you to reply I hunted for the virus and figured out that it must have been malware. I also discovered from searching for the virus a file named *altpayments* which is a problem, and I had noticed it in windows explorer, do I deleted it. While I was in there hunting for suspicious dialers and such, I found one called *Instant Access* (it is in the recycle bin at the moment) but it too had a dialer in it, so I deleted it. When I rebooted the comp on the system tray is a blank area, and when I hang cursor over it, it says Instant Access. Have I deleted something important? I can restore it, no problems there. Though I also notice it in the HJT a reference to it. SO Ive done another HJT its there O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGACCESS4_1065.dll,InstantAccess What do you suggest? Logfile of HijackThis v1.99.1 Scan saved at 7:45:24 p.m., on 18/09/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\laptop\My Documents\HJT\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe" O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGACCESS4_1065.dll,InstantAccess O4 - Global Startup: BTTray.lnk = ? O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {04F414E9-E352-4BC3-963D-7BFE5A5F31A9} - scripts.dlv4.com O16 - DPF: {0878F049-D33E-45E0-A157-C36A6683CF25} - scripts.dlv4.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com O16 - DPF: {1CD4E2DC-2DA0-4154-8723-38CB04FB6A58} - scripts.dlv4.com O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com O16 - DPF: {82FC4503-8459-4239-9B85-0617BEAA950A} - scripts.dlv4.com O16 - DPF: {CB5D474E-A510-40A4-B5A4-838933BCBA64} - scripts.dlv4.com O17 - HKLM\System\CCS\Services\Tcpip\..\{26806C7B-9D57-498E-9273-88D0807C94CD}: NameServer = 202.27.158.40 202.27.156.72 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe O23 - Service: MainSafe Service (MSFIE) - Unknown owner - C:\WINDOWS\system32\mainsafe.exe (file missing) |
Lovelee (6586) | ||
| 485497 | 2006-09-18 09:21:00 | That entry u said maybe another prob. O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGACCESS4_1065.dll,InstantAccess Go to control panel / add remove programs and take a snapshot of whats there, and post it here. Post the link it gives u back here. Or, if u have ccleaner (www.ccleaner.com) run it then go to tools / uninstall, and click on save to text file. And copy and paste what it saves in here. That'll tell us whats in add / remove programs. |
Speedy Gonzales (78) | ||
| 485498 | 2006-09-18 09:33:00 | ok .. this will take a wee while, cos Im downloading adaware for my comp now :) and I cant remember my password for here to sign in from her comp!! | Lovelee (6586) | ||
| 1 2 | |||||