Keep getting blue screens

Post by richardafcb » April 15th, 2007, 4:20 pm

Hi there,

Yesterday I got a message on MSN asking me to click on a link. When I clicked it I was asked to download an exe program, and I definitely clicked no as I know that's a sure-fire way to get a virus, but I was infected anyway. A few files appeared on my desktop (rsgxbrG_pinch.exe and a few others) which I deleted but the PC has been almost unusable since.

The internet goes very slowly and I can barely do anything. I got through a virus scan which found nothing, but my AdAware scan kept causing a blue screen. I have managed to do a Hijack This report. It isn't the latest version as I can't download it on that computer. Incidentally, this computer I am on now shares the internet connection with the infected computer. When the infected computer is connected to the internet, even if nothing is being loaded, the internet on this computer is extremely slow, so my connection is being used for something.

Basically, I struggle to open programs, and if I do I quickly get blue screens talking about doing memory dumps. Here is my hijack this report:

Logfile of HijackThis v1.99.1
Scan saved at 19:52:30, on 15/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Unzipped\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {A40D9D65-5C09-421A-AFF8-2160D7ABD4E7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/rapti ... loader.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/bournemouth/ ... aryRdr.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{012590EA-EC62-4B28-BF5E-6A8A4450EDC7}: NameServer = 131.161.247.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3521853-B21D-4CC6-8372-C52CDE5A4481}: NameServer = 131.161.247.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2356588-595C-44B7-B5A6-B41BC0C9DB9E}: NameServer = 131.161.247.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6911B21-A361-4608-9EDF-24BB4049869A}: NameServer = 131.161.247.231
O17 - HKLM\System\CS1\Services\Tcpip\..\{012590EA-EC62-4B28-BF5E-6A8A4450EDC7}: NameServer = 131.161.247.231
O17 - HKLM\System\CS2\Services\Tcpip\..\{012590EA-EC62-4B28-BF5E-6A8A4450EDC7}: NameServer = 131.161.247.231
O17 - HKLM\System\CS3\Services\Tcpip\..\{012590EA-EC62-4B28-BF5E-6A8A4450EDC7}: NameServer = 131.161.247.231
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchu.dll
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


Any help would be really appreciated!

Cheers,

Rich
richardafcb
Active Member
 
Posts: 7
Joined: April 15th, 2007, 4:19 pm

Post by random/random » April 15th, 2007, 4:52 pm

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
random/random
Developer
 
Posts: 7723
Joined: December 18th, 2005, 3:30 pm

Post by richardafcb » April 15th, 2007, 5:58 pm

Hi there,

Thanks for your help. Here are the reports:


SDFix: Version 1.78

Run by Administrator - 15/04/2007 - 22:40:18.48

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
ntldr.sys
wincom32

ImagePath:
\??\C:\ntldr.sys
\??\C:\WINDOWS\system32\wincom32.sys

ntldr.sys - Deleted
wincom32 - Deleted

Killing PID 176 'smss.exe'
Killing PID 248 'winlogon.exe'
Killing PID 248 'winlogon.exe'

ndis.sys Infected!

Patched File copied to Backups Folder
Attempting to replace ndis.sys with original version...

Original ndis.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\CP1041.NLS - Deleted
C:\WINDOWS\system32\3ti.exe.exe - Deleted
C:\WINDOWS\system32\pdp.exe.exe - Deleted
C:\WINDOWS\system32\zup.exe.exe - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\rpcc.dll - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\wincom32.ini - Deleted
C:\WINDOWS\system32\wincom32.sys - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\WINDOWS\\kdx\\KHost.exe"="C:\\WINDOWS\\kdx\\KHost.exe:*:Enabled:Delivery Manager"
"C:\\Program Files\\KService\\KService.exe"="C:\\Program Files\\KService\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Documents and Settings\\Richard\\Desktop\\rsgxbrG_Pinch.exe"="C:\\Documents and Settings\\Richard\\Desktop\\rsgxbrG_Pinch.exe:*:Enabled:Enabled"
"C:\\Documents and Settings\\Richard\\Local Settings\\Temp\\d3.exe"="C:\\Documents and Settings\\Richard\\Local Settings\\Temp\\d3.exe:*:Enabled:enable"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\Richard\Desktop\Foo Fighters - Skin And Bones [www.TodoCVCD.com][Johnnygan]\Thumbs.db
C:\Documents and Settings\Richard\Desktop\Random\Nick.Lachey.Whats.Left.Of.Me.[emulebit.com]\Thumbs.db
C:\Documents and Settings\Richard\Desktop\Random\The Darkness - One Way Ticket To Hell and Back [Rock][2005][www.pctrecords.com]\Thumbs.db
C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Messenger\richafcb@hotmail.com\Sharing Folders\sam@blastedthing.co.uk\Thumbs.db
C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Messenger\richafcb@hotmail.com\SharingMetadata\Working\FileIDTable_1
C:\Documents and Settings\Richard\Local Settings\Application Data\Microsoft\Messenger\richafcb@hotmail.com\SharingMetadata\Working\SimilarityTable_1
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\Thumbs.db
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\admin\Thumbs.db
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\admin\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\admin\_notes\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\form\.cvsignore
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\form\config\.cvsignore
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\form\scripts\.cvsignore
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\images\Thumbs.db
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\images\buttons\Thumbs.db
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\images\topimages\Thumbs.db
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\images\topimages\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\images\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\images\_notes\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\includes\common\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\includes\skins\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\includes\tng\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\_mmServerScripts\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com\_notes\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\Thumbs.db
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\admin\Thumbs.db
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\admin\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\admin\_notes\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\form\.cvsignore
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\form\Thumbs.db
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\form\config\.cvsignore
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\form\scripts\.cvsignore
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\images\Thumbs.db
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\images\buttons\Thumbs.db
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\images\buttons\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\images\buttons\_notes\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\images\topimages\Thumbs.db
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\images\topimages\_notes\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\images\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\images\_notes\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\new\_notes\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\_mmServerScripts\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\_notes\dwsync.xml
C:\Documents and Settings\Richard\My Documents\Richard\Web Design\KOfightposters.com 2\_notes\_notes\dwsync.xml
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\tmp_ilo.exe
C:\Documents and Settings\All Users\Documents\front room\My Documents\Laura's Documents\~WRL0335.tmp
C:\Documents and Settings\All Users\Documents\front room\My Documents\Laura's Documents\~WRL2467.tmp
C:\Documents and Settings\All Users\Documents\front room\My Documents\Michael's Documents\~WRL0001.tmp
C:\Documents and Settings\All Users\Documents\front room\My Documents\Michael's Documents\~WRL0002.tmp
C:\Documents and Settings\All Users\Documents\front room\My Documents\Michael's Documents\~WRL0003.tmp
C:\Documents and Settings\All Users\Documents\front room\My Documents\Michael's Documents\~WRL0004.tmp
C:\Documents and Settings\All Users\Documents\front room\My Documents\Michael's Documents\~WRL0005.tmp
C:\Documents and Settings\All Users\Documents\front room\My Documents\Michael's Documents\~WRL1315.tmp
C:\Documents and Settings\All Users\Documents\front room\My Documents\Michael's Documents\~WRL1470.tmp
C:\Documents and Settings\All Users\Documents\front room\My Documents\Michael's Documents\~WRL2334.tmp
C:\Documents and Settings\All Users\Documents\front room\My Documents\Michael's Documents\~WRL2565.tmp
C:\Documents and Settings\Richard\My Documents\Richard\Presentation\~WRL2245.tmp
C:\Documents and Settings\Richard\My Documents\Richard\University\International Marketing\~WRL0003.tmp
C:\Documents and Settings\Richard\My Documents\Richard\University\PR\~WRL1072.tmp

Finished



Logfile of HijackThis v1.99.1
Scan saved at 22:54:50, on 15/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Kontiki\KService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\dumprep.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Unzipped\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/rapti ... loader.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/bournemouth/ ... aryRdr.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{012590EA-EC62-4B28-BF5E-6A8A4450EDC7}: NameServer = 131.161.247.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3521853-B21D-4CC6-8372-C52CDE5A4481}: NameServer = 131.161.247.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2356588-595C-44B7-B5A6-B41BC0C9DB9E}: NameServer = 131.161.247.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6911B21-A361-4608-9EDF-24BB4049869A}: NameServer = 131.161.247.231
O17 - HKLM\System\CS1\Services\Tcpip\..\{012590EA-EC62-4B28-BF5E-6A8A4450EDC7}: NameServer = 131.161.247.231
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchu.dll
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)




Cheers,

Rich
richardafcb
Active Member
 
Posts: 7
Joined: April 15th, 2007, 4:19 pm

Post by random/random » April 16th, 2007, 12:35 pm

  • Go to Start > My Computer
  • Go to Tools > Folder Options
  • Click on the View tab
  • Untick the following:
    • Hide extensions for known file types
    • Hide protected operating system files (Recommended)
  • You will get a message warning you about showing protected operating system files, click Yes
  • Make sure this option is selected:
    • Show hidden files and folders
  • Click Apply and then click OK


Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/haphazard/rapti ... loader.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchu.dll
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll

Then close all windows except HijackThis and click Fix Checked

Restart


Use Windows Explorer to find and delete these files:

C:\WINDOWS\system32\svchu.dll
C:\WINDOWS\system32\mszsrn32.dll

Then please upload this file:

C:\WINDOWS\system32\tmp_ilo.exe

To either jotti or virustotal

Post back with the jotti/virustotal results and a new HijackThis log
random/random
Developer

Posts: 7723
Joined: December 18th, 2005, 3:30 pm
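
The entries random/random picked out above are all autostart locations. The following Python triage, an added example that is not part of the thread and not HijackThis's own logic, flags the same entry types in a log; the `SYSTEM_NAMES` list and the `ctfmon` sample line are assumptions constructed here.

```python
import re
from ntpath import basename, splitext

# First five lines are quoted from this thread; the ctfmon line is constructed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\svchu.dll
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\system32\ctfmon.exe
"""

# Assumed short list of Windows component names an autorun value may borrow.
SYSTEM_NAMES = {"userinit", "winlogon", "explorer", "svchost", "lsass", "services"}

ENTRY = re.compile(r"^(O\d+) - (.*)$")
RUN_VALUE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[([^\]]+)\] (.+)$")
EXE_PATH = re.compile(r'"?(.+?\.exe)', re.IGNORECASE)

def triage(log_text):
    """Return (section, reason) pairs for entries that need manual review."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        section, detail = entry.groups()
        if section == "O2" and detail.endswith("(no file)"):
            findings.append((section, "BHO registered but its file is missing"))
        elif section == "O4":
            run = RUN_VALUE.match(detail)
            exe = EXE_PATH.match(run.group(2)) if run else None
            if exe:
                name = run.group(1).lower()
                stem = splitext(basename(exe.group(1)))[0].lower()
                # A value named after a system binary that starts something else.
                if name in SYSTEM_NAMES and stem != name:
                    findings.append((section, f"value '{name}' starts {stem}.exe"))
        elif section == "O20" and detail.startswith("AppInit_DLLs:"):
            if detail.split(":", 1)[1].strip():
                findings.append((section, "AppInit_DLLs is set"))
        elif section == "O20" and detail.startswith("Winlogon Notify:"):
            findings.append((section, "Winlogon Notify DLL, confirm its owner"))
    return findings

if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(section, "-", reason)
```

A flagged line is a prompt for manual review, not a verdict: legitimate drivers and security products also register Winlogon Notify and AppInit_DLLs entries.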

Post by richardafcb » April 16th, 2007, 2:43 pm

Hi there,

I have done so and posted the result below. Not sure if I've mentioned it but my internet has been extremely slow since the problems began.

STATUS: FINISHED
Complete scanning result of "tmp_ilo.exe", received in VirusTotal at 04.16.2007, 18:50:22 (CET).
| Antivirus | Version | Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.4.14.0 | 04.16.2007 | no virus found |
| AntiVir | 7.3.1.52 | 04.16.2007 | BDS/Agent.Amo |
| Authentium | 4.93.8 | 04.13.2007 | no virus found |
| Avast | 4.7.981.0 | 04.16.2007 | no virus found |
| AVG | 7.5.0.447 | 04.15.2007 | no virus found |
| BitDefender | 7.2 | 04.16.2007 | no virus found |
| CAT-QuickHeal | 9.00 | 04.16.2007 | (Suspicious) - DNAScan |
| ClamAV | devel-20070312 | 04.16.2007 | no virus found |
| DrWeb | 4.33 | 04.16.2007 | no virus found |
| eSafe | 7.0.15.0 | 04.16.2007 | suspicious Trojan/Worm |
| eTrust-Vet | 30.7.3572 | 04.16.2007 | no virus found |
| Ewido | 4.0 | 04.16.2007 | no virus found |
| FileAdvisor | 1 | 04.16.2007 | no virus found |
| Fortinet | 2.85.0.0 | 04.16.2007 | suspicious |
| F-Prot | 4.3.2.48 | 04.13.2007 | no virus found |
| F-Secure | 6.70.13030.0 | 04.16.2007 | no virus found |
| Ikarus | T3.1.1.5 | 04.16.2007 | no virus found |
| Kaspersky | 4.0.2.24 | 04.16.2007 | no virus found |
| McAfee | 5009 | 04.13.2007 | no virus found |
| Microsoft | 1.2405 | 04.16.2007 | no virus found |
| NOD32v2 | 2195 | 04.16.2007 | no virus found |
| Norman | 5.80.02 | 04.14.2007 | no virus found |
| Panda | 9.0.0.4 | 04.15.2007 | Suspicious file |
| Prevx1 | V2 | 04.16.2007 | no virus found |
| Sophos | 4.16.0 | 04.12.2007 | Mal/HckPk-C |
| Sunbelt | 2.2.907.0 | 04.07.2007 | VIPRE.Suspicious |
| Symantec | 10 | 04.16.2007 | no virus found |
| TheHacker | 6.1.6.095 | 04.15.2007 | no virus found |
| VBA32 | 3.11.3 | 04.16.2007 | no virus found |
| VirusBuster | 4.3.7:9 | 04.16.2007 | Packed/FSG |
| Webwasher-Gateway | 6.0.1 | 04.16.2007 | Trojan.Agent.Amo |

Aditional Information
File size: 8654 bytes
MD5: deb3cd15f663f1bf233ac322953c126d
SHA1: 72fc134a62b66b8005c9cc93044b0c3685110784
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

Post by richardafcb » April 16th, 2007, 3:43 pm

Sorry - forgot to mention that I couldn't locate svchu.dll.

The internet is now totally down on that computer, which is very worrying. Also, I did a restart and just got a black screen with a flashing _. I couldn't type or anything, so on restart I tried to go into safe mode. Tapping DEL didn't let me do this, but it did cut out the black screen with the _.

This is very bizarre!

Post by random/random » April 16th, 2007, 4:07 pm

Tapping DEL will get you into the BIOS, not into safe mode

To get into safe mode, you would need to tap F8

First, download LSPFix.exe and transfer it to the PC. Double-click LSPFix.exe that you downloaded earlier. Check the "I know what I'm doing" button. You will see 2 panels. If there is any file listed in the "Remove" panel on the right side, leave it as is and just click "Finish>>", then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove" panel, do NOT do anything - just close the program.

Let me know if this gives the computer access to the internet

Post by richardafcb » April 17th, 2007, 1:42 pm

Hi there,

Thanks loads. The internet is now fine. The computer keeps crashing with a blue screen though, talking about "non paged area". Any ideas? Again, it's only been happening since I got infected.

Cheers,

Rich

Post by richardafcb » April 17th, 2007, 2:34 pm

Apologies, it says "page fault in a non paged area" and says it is doing a physical memory dump.

Cheers,

Rich

Post by random/random » April 17th, 2007, 4:46 pm

How long is it after booting Windows that it bluescreens, and does it do it in safe mode?

Post by richardafcb » April 17th, 2007, 5:18 pm

It's usually about an hour. Sometimes longer, sometimes less. Not too sure if it does it in safe mode because I've not had the computer on that long in safe mode. A Google search says it may be damage to the RAM. Surely a virus can't do that??

Thanks for your continued help - it's greatly appreciated.

Rich

Post by random/random » April 18th, 2007, 12:28 pm

I am not aware of any viruses that are capable of damaging the RAM

Please post a new HijackThis log

Post by NonSuch » May 2nd, 2007, 2:36 am

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator

Posts: 27230
Joined: February 23rd, 2005, 7:08 am
Location: California