
Virus removal - thank you in advance!

Post by mikel » June 1st, 2008, 6:29 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:29, on 2008-06-01
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\dllcache\svqhost.exe
C:\WINNT\system32\dllcache\Rtsecar.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program\Olivetti\ANY_WAY\olMntrService.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe
C:\WINNT\system32\firefoxV2.com
C:\WINNT\system32\SQIservr.exe
C:\WINNT\system32\reglogon.exe
C:\WINNT\system32\1nternet.exe
C:\WINNT\system32\pwxmmdo.exe
C:\Program\Olivetti\ANY_WAY\olDvcStatus.exe
C:\WINNT\system32\internat.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\spools.exe
C:\WINNT\system32\spwls.exe
C:\Program\WinZip\WZQKPICK.EXE
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\EditPlus 2\editplus.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.se/0SESVSE/SAOS02
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.argus.nu/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CaAvTray] "C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe"
O4 - HKLM\..\Run: [Fire Fox] firefoxV2.com
O4 - HKLM\..\Run: [SQL Server] SQIservr.exe
O4 - HKLM\..\Run: [Microsoft Reglogon Service] reglogon.exe
O4 - HKLM\..\Run: [Topic 1nternet] 1nternet.exe
O4 - HKLM\..\Run: [Topic lnternet] pwxmmdo.exe
O4 - HKLM\..\Run: [Spool Service] spools.exe
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O4 - HKLM\..\Run: [Spwl Service] spwls.exe
O4 - HKLM\..\RunServices: [Fire Fox] firefoxV2.com
O4 - HKLM\..\RunServices: [SQL Server] SQIservr.exe
O4 - HKLM\..\RunServices: [Microsoft Reglogon Service] reglogon.exe
O4 - HKLM\..\RunServices: [Topic 1nternet] 1nternet.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows Service Find] findup.exe
O4 - HKCU\..\Run: [Topic lnternet] pwxmmdo.exe
O4 - HKCU\..\Run: [Spool Service] spools.exe
O4 - HKCU\..\Run: [Spwl Service] spwls.exe
O4 - HKCU\..\RunServices: [Windows Service Find] findup.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9326153140
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManagerkontroll) - http://dlm.tools.akamai.com/dlmanager/v ... .2.1.6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Microsoft Agent - Unknown owner - C:\WINNT\system32\dllcache\svqhost.exe
O23 - Service: Microsoft Media - Unknown owner - C:\WINNT\system32\dllcache\Rtsecar.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: olMntrService - Olivetti - C:\Program\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: Service Starter: Host (SRVStarter_Host) - Eng. Usama El-Mokadem - C:\WINNT\system32\dllcache\SRVhost.exe
O23 - Service: Service Starter: Hosts (SRVStarter_Hosts) - Eng. Usama El-Mokadem - C:\WINNT\system32\dllcache\SuStur.exe
O23 - Service: Service Starter: Link (SRVStarter_Link) - Eng. Usama El-Mokadem - C:\WINNT\system32\dllcache\SRVhost.exe
O23 - Service: Service Starter: Links (SRVStarter_Links) - Eng. Usama El-Mokadem - C:\WINNT\system32\dllcache\SuStur.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
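As an added example (not part of this thread, and not a tool the helper uses), a small Python script that automates the triage a helper does by eye over log lines like the ones above: it flags process, O4 and O23 entries whose file names imitate legitimate Windows binaries (svqhost.exe for svchost.exe, SQIservr.exe for sqlservr.exe, spools.exe for spoolsv.exe), entries that run from the dllcache folder, and autostart entries that point at a .com file. The allowlist of legitimate names and the sample lines are constructed for this example.

```python
import re

# Constructed allowlist of legitimate Windows binary stems (lower case, no extension).
# Real triage would use a much larger list; this one covers the names seen in the thread.
KNOWN_BINARIES = {"svchost", "sqlservr", "spoolsv", "winlogon", "lsass",
                  "services", "smss", "explorer", "internat", "csrss"}

# Characters commonly swapped to build look-alike names, folded to one form so that
# '1nternet' and 'lnternet' both end up compared against 'internat'.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o"})


def stem(path):
    """Lower-cased file name without extension: 'C:\\X\\SQIservr.exe' -> 'sqiservr'."""
    name = path.strip('"').rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0]


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name_stem):
    """Return the legitimate stem this name imitates, or None if it is legitimate or unrelated."""
    if name_stem in KNOWN_BINARIES:
        return None
    folded = name_stem.translate(CONFUSABLES)
    for known in sorted(KNOWN_BINARIES):
        if levenshtein(folded, known.translate(CONFUSABLES)) <= 1:
            return known
    return None


def executable_from_line(line):
    """Pull the launched executable out of a 'Running processes', O4 or O23 HijackThis line."""
    line = line.strip()
    if re.match(r"^[A-Za-z]:\\", line):            # Running processes section: a bare path
        return line
    m = re.match(r"^O4 - .*?\] (.*)$", line)       # O4 - HKLM\..\Run: [Name] command args
    if m:
        cmd = m.group(1)
        if cmd.startswith('"'):                    # quoted path with arguments after it
            return cmd[1:].split('"', 1)[0]
        return cmd.split(" ", 1)[0]
    m = re.match(r"^O23 - Service: .* - (.*)$", line)   # last ' - ' field is the binary path
    if m:
        return m.group(1).strip()
    return None


def analyze(log_text):
    """Return a list of findings: each has the log line, the executable and why it was flagged."""
    findings = []
    for line in log_text.splitlines():
        exe = executable_from_line(line)
        if not exe:
            continue
        low = exe.lower()
        reasons = []
        imitated = lookalike_of(stem(exe))
        if imitated:
            reasons.append("name imitates %s.exe" % imitated)
        if "\\dllcache\\" in low:
            reasons.append("runs from the Windows File Protection dllcache folder")
        if low.endswith(".com"):
            reasons.append("autostart points at a .com file")
        if reasons:
            findings.append({"line": line.strip(), "executable": exe, "reasons": reasons})
    return findings


# Constructed sample lines in the HijackThis v2.0.2 format used in this thread.
SAMPLE_LOG = r"""
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\dllcache\svqhost.exe
C:\WINNT\system32\1nternet.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SQL Server] SQIservr.exe
O4 - HKLM\..\Run: [Spool Service] spools.exe
O4 - HKLM\..\RunServices: [Fire Fox] firefoxV2.com
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O23 - Service: Microsoft Agent - Unknown owner - C:\WINNT\system32\dllcache\svqhost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["executable"], "->", "; ".join(f["reasons"]))
```

A hit here only means "worth a closer look": a helper still confirms each flagged file against its publisher, location and timestamp before deciding it is malicious.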

Re: Virus removal - thank you in advance!

Post by dan12 » June 1st, 2008, 9:46 am

Welcome to the MalwareRemoval forums.

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan

Re: Virus removal - thank you in advance!

Post by dan12 » June 1st, 2008, 9:47 am

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Re: Virus removal - thank you in advance!

Post by mikel » June 1st, 2008, 1:14 pm

Thank you dan!

SDFix: Version 1.187
Run by Zara on sö 2008-06-01 at 18:55

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :

Name :
Microsoft Agent
Microsoft Media

Path :
"C:\WINNT\system32\dllcache\svqhost.exe"
"C:\WINNT\system32\dllcache\Rtsecar.exe"

Microsoft Agent - Deleted
Microsoft Media - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\system32\1nternet.exe - Deleted
C:\WINNT\system32\cdplayer.exe - Deleted
C:\WINNT\system32\dllcache\cychost.exe - Deleted
C:\WINNT\system32\dllcache\Rtsecar.exe - Deleted
C:\WINNT\system32\dllcache\svqhost.exe - Deleted
C:\WINNT\system32\spools.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 18:59:41
Windows 5.0.2195 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 8 Aug 2002 104,448 ..SHR --- "C:\WINNT\system32\pwxmmdo.exe"
Thu 8 Aug 2002 67,584 ..SHR --- "C:\WINNT\system32\reglogon.exe"
Thu 8 Aug 2002 269,312 ..SHR --- "C:\WINNT\system32\spwls.exe"
Thu 8 Aug 2002 540,160 ..SHR --- "C:\WINNT\system32\SQIservr.exe"
Sat 24 May 2008 22,528 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL0575.tmp"
Sat 24 May 2008 19,456 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL0591.tmp"
Wed 14 Nov 2007 20,480 A..H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL0693.tmp"
Sat 24 May 2008 22,016 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL0834.tmp"
Wed 14 Nov 2007 19,968 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL1312.tmp"
Sat 24 May 2008 19,968 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL1436.tmp"
Wed 14 Nov 2007 19,968 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL2244.tmp"
Wed 14 Nov 2007 19,456 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL2302.tmp"
Wed 14 Nov 2007 19,968 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL2397.tmp"
Sat 24 May 2008 19,968 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL2807.tmp"
Sat 24 May 2008 19,456 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL3014.tmp"
Wed 14 Nov 2007 19,968 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL3276.tmp"
Sat 24 May 2008 20,480 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL3520.tmp"
Sat 24 May 2008 20,992 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL3815.tmp"
Wed 14 Nov 2007 19,968 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL3868.tmp"
Wed 14 Nov 2007 19,968 ...H. --- "C:\Documents and Settings\zara\Mina dokument\~WRL4067.tmp"
Sat 31 May 2008 458,240 ...H. --- "C:\Documents and Settings\zara\Skrivbord\~WRL0002.tmp"
Sat 31 May 2008 453,120 ...H. --- "C:\Documents and Settings\zara\Skrivbord\~WRL0004.tmp"
Sat 31 May 2008 452,096 ...H. --- "C:\Documents and Settings\zara\Skrivbord\~WRL0406.tmp"
Sat 31 May 2008 452,096 ...H. --- "C:\Documents and Settings\zara\Skrivbord\~WRL0770.tmp"
Sat 31 May 2008 452,096 ...H. --- "C:\Documents and Settings\zara\Skrivbord\~WRL1084.tmp"
Sat 31 May 2008 452,096 ...H. --- "C:\Documents and Settings\zara\Skrivbord\~WRL1574.tmp"
Sat 31 May 2008 452,096 ...H. --- "C:\Documents and Settings\zara\Skrivbord\~WRL2656.tmp"
Sat 31 May 2008 452,608 ...H. --- "C:\Documents and Settings\zara\Skrivbord\~WRL3685.tmp"
Sat 31 May 2008 452,608 ...H. --- "C:\Documents and Settings\zara\Skrivbord\~WRL3830.tmp"
Mon 11 Feb 2008 628,224 A.SH. --- "C:\WINNT\system32\dllcache\Service.exe"
Fri 23 Mar 2007 56,552 A.SH. --- "C:\WINNT\system32\dllcache\SRVhost.exe"
Fri 23 Mar 2007 56,552 A.SH. --- "C:\WINNT\system32\dllcache\SuStur.exe"
Sun 6 Jan 2008 145,152 ..SHR --- "C:\WINNT\system32\dllcache\sxchost.exe"
Sun 1 Jun 2008 4,622 A.SH. --- "C:\WINNT\system32\dllcache\wrda.sys"
Wed 14 Nov 2007 22,016 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL0001.tmp"
Thu 6 Dec 2007 28,160 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL0002.tmp"
Wed 5 Dec 2007 19,456 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL0004.tmp"
Thu 15 Nov 2007 29,184 A..H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL0207.tmp"
Thu 15 Nov 2007 28,160 A..H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL0849.tmp"
Thu 15 Nov 2007 27,648 A..H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL1154.tmp"
Thu 15 Nov 2007 27,136 A..H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL1274.tmp"
Thu 15 Nov 2007 28,672 A..H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL1419.tmp"
Thu 15 Nov 2007 28,672 A..H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL1586.tmp"
Wed 5 Dec 2007 19,456 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL1595.tmp"
Wed 5 Dec 2007 19,456 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL1656.tmp"
Thu 15 Nov 2007 27,648 A..H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL1677.tmp"
Wed 5 Dec 2007 19,456 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL2027.tmp"
Thu 15 Nov 2007 28,160 A..H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL2219.tmp"
Wed 14 Nov 2007 22,528 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL2282.tmp"
Wed 14 Nov 2007 22,528 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL2347.tmp"
Wed 14 Nov 2007 22,016 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL2374.tmp"
Wed 14 Nov 2007 23,040 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL2432.tmp"
Wed 5 Dec 2007 19,456 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL2527.tmp"
Wed 14 Nov 2007 22,528 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL2544.tmp"
Thu 15 Nov 2007 26,624 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL2591.tmp"
Thu 15 Nov 2007 28,672 A..H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL2830.tmp"
Wed 14 Nov 2007 22,528 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL3005.tmp"
Wed 5 Dec 2007 19,456 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL3006.tmp"
Thu 15 Nov 2007 28,672 A..H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL3071.tmp"
Thu 15 Nov 2007 28,160 A..H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL3127.tmp"
Thu 15 Nov 2007 25,600 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL3198.tmp"
Wed 14 Nov 2007 22,528 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL3225.tmp"
Thu 15 Nov 2007 28,160 A..H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL3433.tmp"
Wed 5 Dec 2007 19,456 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL3464.tmp"
Wed 5 Dec 2007 19,456 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL3520.tmp"
Wed 14 Nov 2007 22,528 ...H. --- "C:\Documents and Settings\zara\Mina dokument\skola\~WRL3577.tmp"
Tue 13 May 2008 22,016 ...H. --- "C:\Documents and Settings\zara\Skrivbord\mikel\~WRL0001.tmp"
Tue 13 May 2008 22,016 ...H. --- "C:\Documents and Settings\zara\Skrivbord\mikel\~WRL0004.tmp"
Tue 13 May 2008 23,552 ...H. --- "C:\Documents and Settings\zara\Skrivbord\mikel\~WRL0714.tmp"
Tue 13 May 2008 23,040 ...H. --- "C:\Documents and Settings\zara\Skrivbord\mikel\~WRL1966.tmp"
Tue 13 May 2008 25,600 ...H. --- "C:\Documents and Settings\zara\Skrivbord\mikel\~WRL3849.tmp"
Tue 5 Feb 2008 0 ...H. --- "C:\Documents and Settings\zara\Application Data\Microsoft\Word\~WRL0001.tmp"
Tue 5 Feb 2008 19,456 ...H. --- "C:\Documents and Settings\zara\Application Data\Microsoft\Word\~WRL0003.tmp"
Sun 10 Feb 2008 25,600 ...H. --- "C:\Documents and Settings\zara\Application Data\Microsoft\Word\~WRL0004.tmp"
Tue 5 Feb 2008 19,456 ...H. --- "C:\Documents and Settings\zara\Application Data\Microsoft\Word\~WRL0005.tmp"
Sat 9 Feb 2008 25,600 ...H. --- "C:\Documents and Settings\zara\Application Data\Microsoft\Word\~WRL0481.tmp"
Sun 10 Feb 2008 24,576 ...H. --- "C:\Documents and Settings\zara\Application Data\Microsoft\Word\~WRL2244.tmp"
Sat 9 Feb 2008 25,088 ...H. --- "C:\Documents and Settings\zara\Application Data\Microsoft\Word\~WRL2630.tmp"
Sat 9 Feb 2008 25,088 ...H. --- "C:\Documents and Settings\zara\Application Data\Microsoft\Word\~WRL2761.tmp"
Sat 9 Feb 2008 25,088 ...H. --- "C:\Documents and Settings\zara\Application Data\Microsoft\Word\~WRL3668.tmp"
Mon 26 Dec 2005 7,163 A..H. --- "C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\BIT3.tmp"
Mon 26 Dec 2005 7,163 A..H. --- "C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\BIT7.tmp"
Sat 24 May 2008 0 A..H. --- "C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\BIT8.tmp"

Re: Virus removal - thank you in advance!

Post by mikel » June 1st, 2008, 1:17 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:14:15, on 2008-06-01
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program\Olivetti\ANY_WAY\olMntrService.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe
C:\WINNT\system32\firefoxV2.com
C:\WINNT\system32\SQIservr.exe
C:\WINNT\system32\reglogon.exe
C:\Program\Olivetti\ANY_WAY\olDvcStatus.exe
C:\WINNT\system32\internat.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\pwxmmdo.exe
C:\WINNT\system32\spwls.exe
C:\Program\WinZip\WZQKPICK.EXE
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.se/0SESVSE/SAOS02
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.argus.nu/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.5000.1021\sv\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CaAvTray] "C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe"
O4 - HKLM\..\Run: [Fire Fox] firefoxV2.com
O4 - HKLM\..\Run: [SQL Server] SQIservr.exe
O4 - HKLM\..\Run: [Microsoft Reglogon Service] reglogon.exe
O4 - HKLM\..\Run: [Spool Service] spools.exe
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O4 - HKLM\..\Run: [Spwl Service] spwls.exe
O4 - HKLM\..\Run: [Topic lnternet] pwxmmdo.exe
O4 - HKLM\..\RunServices: [Fire Fox] firefoxV2.com
O4 - HKLM\..\RunServices: [SQL Server] SQIservr.exe
O4 - HKLM\..\RunServices: [Microsoft Reglogon Service] reglogon.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Topic lnternet] pwxmmdo.exe
O4 - HKCU\..\Run: [Spool Service] spools.exe
O4 - HKCU\..\Run: [Spwl Service] spwls.exe
O4 - HKCU\..\RunServices: [Windows Service Find] findup.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 9326153140
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManagerkontroll) - http://dlm.tools.akamai.com/dlmanager/v ... .2.1.6.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: olMntrService - Olivetti - C:\Program\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: Service Starter: Host (SRVStarter_Host) - Eng. Usama El-Mokadem - C:\WINNT\system32\dllcache\SRVhost.exe
O23 - Service: Service Starter: Hosts (SRVStarter_Hosts) - Eng. Usama El-Mokadem - C:\WINNT\system32\dllcache\SuStur.exe
O23 - Service: Service Starter: Link (SRVStarter_Link) - Eng. Usama El-Mokadem - C:\WINNT\system32\dllcache\SRVhost.exe
O23 - Service: Service Starter: Links (SRVStarter_Links) - Eng. Usama El-Mokadem - C:\WINNT\system32\dllcache\SuStur.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

--
End of file - 6289 bytes

Re: Virus removal - thank you in advance!

Post by dan12 » June 2nd, 2008, 4:04 am

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

[Image: screenshot of the HijackThis Uninstall Manager window]

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.



We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


Post the uninstall list and ComboFix report.

Re: Virus removal - thank you in advance!

Post by NonSuch » June 8th, 2008, 3:54 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.