Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

can someone please help me

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

can someone please help me

Unread postby mynameisdaniel » September 9th, 2007, 9:18 am

everytime i open the internet or my computer i have problems, sometimes my sound mutes and when i unmute chinease music play, i dont no where from

i formated but my files i backed up then put back on my computer were infected
i have downloaded some antivirus software and it is a little better now,

please help me out, thankyou


Logfile of HijackThis v1.99.1
Scan saved at 11:15:08 PM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.myspace.com/
O2 - BHO: flash player - {25864158-329E-434B-B24F-3DA6F300D30A} - C:\WINDOWS\system32\flashplay.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
mynameisdaniel
Active Member
 
Posts: 6
Joined: September 9th, 2007, 9:08 am
Advertisement
Register to Remove

Unread postby silver » September 16th, 2007, 1:57 am

Hi mynameisdaniel,

Your machine is infected with a worm, and you probably have a copy of the worm on a removable storage device which is why your machine has been reinfected.

In your next post, please tell me how many removable storage devices you have, such as MP3 players, USB drives, external hard drives and other similar devices. Also, let me know what you used to back up your files before reinstalling - did you use CDs, DVDs, an external hard drive etc.

It appears that you have two antivirus programs running - AVG and Antivir. Running one antivirus program is essential, but having two can cause conflicts, slow your system down and even cause stability problems without improving your security. You should use just one antivirus program and if you want an "2nd opinion", use an online scanner like Kaspersky's.

If you have two antivirus programs installed, then before proceeding, please remove one of them.
Please make sure you choose one currently capable of receiving updates, because an antivirus program without updates cannot protect your system effectively. If you have any problems, please stop and let me know.

Next press Start->Run, copy/paste the following command (it's one long command) into the box and press OK:
reg export hklm\software\microsoft\windows\currentversion\policies "%userprofile%\desktop\export.reg"

A file called export.reg should appear on your Desktop. Please open this file by right-clicking it and selecting Edit. Copy and paste the contents into your next response.

Now open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button, then press Save list...
Save the Uninstall log to your Desktop and include a copy in your next response.
Now press Back and Scan and then Save log to create and save a new HijackThis log.

Once complete, please post the uninstall list, the export.reg output and a new HijackThis log. Also, let me know about your removable storage devices.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby mynameisdaniel » September 16th, 2007, 5:57 am

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Attachments]
"ScanWithAntiVirus"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Ratings]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001








Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.0
AIM 6
Athlon 64 Processor Driver
Avira AntiVir PersonalEdition Classic
CD Audio Reader Filter (remove only)
Combined Community Codec Pack 2007-02-22
DirectVobSub (remove only)
DScaler 5 Mpeg Decoders
DS-MP3 Source 1.30
DVD Shrink 3.2
ffdshow [rev 1058+] [2007-03-22]
FLV Player
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
Haali Media Splitter
Hijackthis 1.99.1
HijackThis 1.99.1
iPod for Windows 2005-10-12
iTunes
Last.fm 1.3.1.1
Matroska Pack
Microsoft Office XP Professional with FrontPage
Microsoft Windows Journal Viewer
NVIDIA Drivers
OpenSource Flash Video Splitter (remove only)
QuickTime
RealMedia (remove only)
RealOne Player
Realtek AC'97 Audio
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
SHOUTcast Source (remove only)
SoulSeek Client 156c
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
VideoLAN VLC media player 0.8.4a
Viewpoint Media Player
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Zoom Player (remove only)





Logfile of HijackThis v1.99.1
Scan saved at 7:53:41 PM, on 9/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wisptis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.myspace.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flash player - {25864158-329E-434B-B24F-3DA6F300D30A} - C:\WINDOWS\system32\flashplay.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\RealMedia\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-675J8.exe" /REG
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe




o thankyou for you help, i uninstaled AVG,

but um i had an awful lot of data so i used a USB drive, my ipod and 10or so dvds to back everything up

i actualy intended to keep much of the stuff on those dvds instead of puting them back on my pc as backup since my hard drive cant fit it all, can i presume there infected and all need to be reburnt?

thanks again,
daniel
mynameisdaniel
Active Member
 
Posts: 6
Joined: September 9th, 2007, 9:08 am

Unread postby silver » September 16th, 2007, 8:51 am

Hi mynameisdaniel,

We'll clean your USB drive and ipod, but we can't of course clean infected files from your DVDs. It is however quite possible that the DVDs are clean as the infection could easily have come back via your USB drive and/or ipod but we don't know yet - please do not use the DVDs until we've checked them.

It's important you do everything in this post and do it in the order that it is written, otherwise we may have to start again so please take your time and if you have any problems, please stop and let me know what's happened.

NOTE: Before you start, please make sure you do not have your ipod or USB drives inserted in the computer, and don't insert them until I ask you to.

------------------------------------------------------------------------

You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Player or Media Player Classic.
To remove, open Start->Control Panel->Add/Remove Programs find Viewpoint Media Player and select Remove

------------------------------------------------------------------------

Make hidden/system files and folders visible:
Click Start -> My Computer
Select the Tools menu, click Folder Options and select the View tab
Under the Hidden files and folders heading SELECT Show hidden files and folders
UNCHECK the Hide extensions for known file types option
UNCHECK the Hide protected operating system files (recommended) option
Click Yes to confirm and press OK

------------------------------------------------------------------------

Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe

------------------------------------------------------------------------

Next press Start->Run, copy/paste the following command (it's one long command) into the box and press OK:
reg add hklm\software\microsoft\windows\currentversion\policies\explorer /v "NoDriveTypeAutoRun" /t REG_DWORD /d 0x000000ff

------------------------------------------------------------------------

Please download Suspicious File Packer to your Desktop.
  • Right-click sfp.zip, choose Extract All... and extract sfp.exe to your Desktop
  • Double-click sfp.exe to start the program
  • Copy and Paste the following file list into the text box of the program:
    C:\readme.txt.exe
    C:\flashplay.dll
    C:\autorun.inf
    C:\Windows\system32\flashplay.dll
  • A file called requested-files[YYYY-MM-DD_MM_ss].cab will appear on your Desktop.
  • Now open this page in your browser
  • Press Browse and browse to the requested-files[YYYY-MM-DD_MM_ss].cab file on your Desktop, fill in the other fields as appropriate then press Send File
------------------------------------------------------------------------

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines:
O2 - BHO: flash player - {25864158-329E-434B-B24F-3DA6F300D30A} - C:\WINDOWS\system32\flashplay.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

------------------------------------------------------------------------

Next, reboot your computer

Once it has rebooted, use Windows Explorer (right-click Start, select Explore) to find and delete the following files (if present):
C:\readme.txt.exe
C:\flashplay.dll
C:\autorun.inf
C:\Windows\system32\flashplay.dll

If one or more is not present then that's OK but if you have trouble deleting any, please let me know in your next response.

If you have other hard drives or other partitions - such as a D:\ drive please delete these files from it if present:
D:\readme.txt.exe
D:\flashplay.dll
D:\autorun.inf


Then, for each USB drive and ipod you have:

Insert the device, then delete any of these files that are present on the device:
Z:\readme.txt.exe
Z:\flashplay.dll
Z:\autorun.inf

NOTE: I have used the drive letter Z: - please substitute the USB device's drive letter for this.

------------------------------------------------------------------------

Once complete, please post a new HijackThis log and let me know how you got on. Please also tell me if you found any of those files on your USB drive(s) and/or ipod.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby mynameisdaniel » September 16th, 2007, 7:07 pm

Logfile of HijackThis v1.99.1
Scan saved at 9:03:30 AM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.myspace.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\RealMedia\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


thanks again,
i have gone through all the steps, although i didnt find any files in the explorer folder, i did find the ones mentioned on the usb and ipod and deleated them

~daniel~
mynameisdaniel
Active Member
 
Posts: 6
Joined: September 9th, 2007, 9:08 am

Unread postby silver » September 17th, 2007, 12:16 am

Hi mynameisdaniel,

i have gone through all the steps, although i didnt find any files in the explorer folder, i did find the ones mentioned on the usb and ipod and deleated them

That sounds fine :) you can now delete the requested-files...cab file from your Desktop.

Please open Notepad (press Start->Run, enter notepad and press OK)
Copy everything inside the code box below (Starting with REGEDIT4) and paste it into a new notepad file.
Change the Save As Type to All Files and save it as fix.reg to your Desktop.

Note: Please copy and paste all the text at once, and check that there is NO blank line above REGEDIT4 and one blank line at the bottom.
Code: Select all
REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{25864158-329E-434B-B24F-3DA6F300D30A}]

[-HKEY_CLASSES_ROOT\flashplay.bho]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{25864158-329E-434B-B24F-3DA6F300D30A}]


Locate fix.reg on your Desktop, if you did it right it should look like this:Image
Double-click it, when it asks if you want to merge with the registry, click Yes.

Next please do an online scan with Kaspersky:

Open Kaspersky Online Scanner in Internet Explorer

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT and then Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start to scan your system.
  • Once the scan is complete, click on the Save as Text button and save the file to your desktop


Once complete, please post the Kaspersky report and a new HijackThis log.
Also, let me know how your computer is running now.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby mynameisdaniel » September 17th, 2007, 3:44 am

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, September 17, 2007 5:40:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 17/09/2007
Kaspersky Anti-Virus database records: 419621
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 84211
Number of viruses found: 1
Number of infected objects: 22
Number of suspicious objects: 0
Duration of the scan process: 00:41:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-09092007-183559.log Object is locked skipped
C:\Documents and Settings\daniel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\daniel\Desktop\Honey And Clover\Honey And Clover.avi Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\AOL OCP\AIM\Storage\data\mynameisdaniel33\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Last.fm\Client\container.log Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Last.fm\Client\iTunesPlugin.log Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Last.fm\Client\lastfmhelper.log Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Last.fm\Client\mediadevice.db Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Microsoft\Messenger\mystic_dragon33@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Microsoft\Messenger\mystic_dragon33@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Microsoft\Messenger\mystic_dragon33@hotmail.com\SharingMetadata\Working\database_6AC8_1109_C810_D563\dfsr.db Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Microsoft\Messenger\mystic_dragon33@hotmail.com\SharingMetadata\Working\database_6AC8_1109_C810_D563\fsr.log Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Microsoft\Messenger\mystic_dragon33@hotmail.com\SharingMetadata\Working\database_6AC8_1109_C810_D563\fsrtmp.log Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Microsoft\Messenger\mystic_dragon33@hotmail.com\SharingMetadata\Working\database_6AC8_1109_C810_D563\tmp.edb Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{27143F74-E728-4B29-B4B4-D86413FF903A} Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Microsoft\Windows Live Contacts\mystic_dragon33@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Application Data\Microsoft\Windows Live Contacts\mystic_dragon33@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\History\History.IE5\MSHist012007091720070918\index.dat Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Temp\sqlite_VbMhen4uITXtwEn Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Temp\~DF370D.tmp Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Temp\~DF38E4.tmp Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Temp\~DF70E2.tmp Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Temp\~DF7119.tmp Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Temporary Internet Files\Content.IE5\CLAZWXQJ\UserStatusChange[15].html Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Temporary Internet Files\Content.IE5\CLAZWXQJ\UserStatusChange[26].html Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Temporary Internet Files\Content.IE5\L7Z8UK1R\UserStatusChange[26].html Object is locked skipped
C:\Documents and Settings\daniel\Local Settings\Temporary Internet Files\Content.IE5\S1E7WL2N\UserStatusChange[13].html Object is locked skipped
C:\Documents and Settings\daniel\My Documents\My Music\iTunes\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\daniel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\daniel\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Hijackthis\backups\backup-20070917-083552-883.dll Infected: Virus.Win32.BHO.b skipped
C:\RECYCLER\S-1-5-21-448539723-1547161642-725345543-1003\Dc69.cab/C:/Windows/system32/flashplay.dll Infected: Virus.Win32.BHO.b skipped
C:\RECYCLER\S-1-5-21-448539723-1547161642-725345543-1003\Dc69.cab CAB: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP27\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5362A014-1879-4274-A5D6-C476E15805C9}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\flashplay.dll Infected: Virus.Win32.BHO.b skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP10\A0004374.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP11\A0004561.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP13\A0005022.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP13\A0005471.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP14\A0005537.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP15\A0005543.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP15\A0005546.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP16\A0005554.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP16\A0006394.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP17\A0006407.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP17\A0006457.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP19\A0006538.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP20\A0006564.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP24\A0006680.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP25\A0006702.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP26\A0006708.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP26\A0006764.dll Infected: Virus.Win32.BHO.b skipped
E:\System Volume Information\_restore{4F0C5882-E17F-42AB-A0F6-1B652512D8DE}\RP9\A0004371.dll Infected: Virus.Win32.BHO.b skipped

Scan process completed.



Logfile of HijackThis v1.99.1
Scan saved at 5:42:03 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.myspace.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\RealMedia\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



yea actualy those antivirus alerts that would come up everytime i opened my computer or any of my drives has stoped and the sound muting that occoured whenever i used internet explorer.

thanks,
daniel
mynameisdaniel
Active Member
 
Posts: 6
Joined: September 9th, 2007, 9:08 am

Unread postby silver » September 17th, 2007, 6:06 am

Hi mynameisdaniel,

It looks like one of those bad files is still present, please use Windows Explorer to delete it:
C:\WINDOWS\system32\flashplay.dll

Please confirm in your next response whether you were able to delete this or not.

You have uTorrent, a P2P file sharing program installed on your computer. This program does not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.
I recommend you remove it, but of course the choice is yours. You can remove uTorrent by deleting the program folder:
C:\Program Files\uTorrent


Once complete, please let me know if you were able to delete the file flashplay.dll
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby mynameisdaniel » September 17th, 2007, 8:23 am

i found and deleated the file flashplay.dll

dose this mean that the process is compleate?

ah i use uTorrent more than pretty much anyother program, its ok caz i only ever use it to dl anime fansubs

o one more thing, about the disks i used to back up my files, they mainly contain avi files with anime, how would i go about checking them for malware?

thanks, daniel
mynameisdaniel
Active Member
 
Posts: 6
Joined: September 9th, 2007, 9:08 am

Unread postby silver » September 17th, 2007, 9:20 am

Hi mynameisdaniel,

Yes I think your system is clean now, however there are some important final steps:

Please delete sfp.zip and it's associated folder, requested-files.....cab and fix.reg from your Desktop. Then empty your recycle bin.

Create a new, clean System Restore point which you can use in case of future system problems:
Press Start->All Programs->Accessories->System Tools->System Restore
Select Create a restore point, then Next, type a name like All Clean then press the Create button and once it's done press Close

Now remove old, infected System Restore points:
Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Select the More Options tab, under System Restore press Clean up... and say Yes to the prompt
Press OK and Yes to confirm

Re-hide hidden/system files and folders:
Click Start -> My Computer
Select the Tools menu, click Folder Options and select the View tab
Under the Hidden files and folders heading SELECT Do not show hidden files and folders
CHECK the Hide extensions for known file types option
CHECK the Hide protected operating system files (recommended) option
Press OK

Once you have completed those steps I recommend you check your DVDs for infected files. The Kaspersky online scanner appears to detect this infection so I would use that to scan each of them. Your avi files should be safe but any program file should be carefully checked before use. If you find an infected file on a (write-once) DVD, copy the uninfected files and destroy the DVD.

Here are some tips to help you keep your computer clean:

Operating system vulnerabilities can easily be exploited by malware so please ensure your operating system is automatically kept up to date by using Windows Update:
Go to Start->Control Panel->Automatic Updates
Select Automatic and select a suitable schedule
Also, check that your antivirus and antispyware programs are set to automatically update daily.

You should consider installing a Personal Firewall program. Even if you are behind a NAT router, I recommend you use firewall software as it will improve the security of your computer by monitoring and controlling outbound connections to the internet as well as inbound. There are various free packages available, such as Sunbelt Personal Firewall and Zone Alarm:
http://www.sunbelt-software.com/Home-Ho ... -Firewall/
http://www.zonelabs.com/

Spywareblaster is a free program which prevents the download and installation of Internet Explorer ActiveX based malware by immunizing your system against it. You can download Spywareblaster from here and a tutorial to help you get started is available here.

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

Please take care when downloading programs. One of the easiest ways to be infected is to download freeware/shareware programs which come laden with malware - this includes allowing websites to install browser plug-ins orActiveX controls. Before downloading, it is crucial to check whether the source is reputable.
One way to check is to use McAfee SiteAdvisor. Copy the domain name into the space provided and SiteAdvisor will give you a report on the website which can help you decide if it is safe. They also have a toolbar for IE and Firefox which adds this functionality to your browser.

Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program.

Find out more about how to prevent infection in the future
http://forum.malwareremoval.com/viewtopic.php?p=33687

Please post back to let me know that you have read this, and if there are any further issues.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby mynameisdaniel » September 17th, 2007, 11:59 pm

ok iv gone through those final steps, now i just have to check all my dvds

thankyou for all your help, you realy were a lifesaver

daniel
mynameisdaniel
Active Member
 
Posts: 6
Joined: September 9th, 2007, 9:08 am

Unread postby silver » September 18th, 2007, 12:25 am

You're most welcome and be careful with those DVDs :)


This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 37 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware