My friend's lappy has been infected with viruses. I tried removing them, but failed.
What I did:
01. Normal startup. Show all hidden files + OS files, and delete all of the virus files. Restart, and there it goes, a BSOD until I have to use "Last working config". The viruses are back. IE keeps opening and closing non-stop.
02. Safe mode/normal startup. Show all hidden files + OS files, and delete all of the virus files. Restart, and there it goes, a BSOD until I have to use "Last working config". The viruses are back. IE keeps opening and closing non-stop.
03. Safe mode/normal startup. Show all hidden files + OS files, and delete all of the virus files. Run msconfig. Disable all suspected-to-be-virus start-at-boot entries. Restart, and there it goes, a BSOD until I have to use "Last working config". The viruses are back.
04. Safe mode/normal startup. Run msconfig. Disable all suspected-to-be-virus start-at-boot entries. Restart. The entries reverted to the previous ones + svchost.exe error non-stop.
05. Safe mode/normal startup. Manually run regedit (cannot use Run, because it was over-written by the viruses to run their own version of regedit which, if run, will add entries to the registry to check and add their own entries). Search and delete suspected virus entries. Restart. Fail!! Registry back to the previous one.
06. Install Kaspersky. Run it... but all protection was disabled. Update cannot start. With a quick look at the registry, I found that the viruses block Kaspersky from running normally and prevent it from updating (same for all other AVs). Delete the registry entry... but it's back after restart.
07. Use CCleaner. Clean everything. Fail.
08. Clean up disk... delete all Recycler folder contents (apparently some cannot be deleted). Restart. The viruses are back.
09. Combination of any or all of 01-08. Fail miserably.
10. Fed up!!! Close the lappy... play games for a couple of hours, and then sleep.
Things to keep in mind:
01. When virus files are deleted, Windows startup will produce a BSOD (after the logon screen). Only safe mode and "Last working config" can be used.
02. If "Last working config" is selected, virus files will be restored... virus startup entries will be restored... virus registry entries will be restored. THEY ARE SUPER PERSISTENT!!! :bruce:
03. After all that trial and error, the viruses seem to be more dangerous. They actively monitor whether hidden files and OS files are showing or not. If showing, they will straight away disable it. This is more active if I open C:\WINDOWS and all the other folders in it. They disable it straight away after a few seconds. True even in safe mode o.0
04. Lappy is Windows XP Pro SP2 version 2600 rtm.040803-2158
05. Normal logon is restricted. All .exe files are prevented from running by the viruses/malware. Only safe mode is available for fixing and tweaking.
Errors:
01. BSOD.
02. IE keeps opening and closing non-stop.
03. svchost.exe error window pops up non-stop
04. All .exe files cannot run on normal logon. Only safe mode available.
* If you have any queries, feel free to ask.
checkbox filled with red = suspected virus entries
svchost.exe error log
Event Type: Error
Event Source: Application Error
Event Category: None
Event ID: 1000
Date: 11/6/2009
Time: 2:19:05 PM
User: N/A
Computer: EILHAM-0FD620B4
Description:
Faulting application svchost.exe, version 5.1.2600.2180, faulting module unknown, version 0.0.0.0, fault address 0x24696c9a.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 73 76 63   ure  svc
0018: 68 6f 73 74 2e 65 78 65   host.exe
0020: 20 35 2e 31 2e 32 36 30    5.1.260
0028: 30 2e 32 31 38 30 20 69   0.2180 i
0030: 6e 20 75 6e 6b 6e 6f 77   n unknow
0038: 6e 20 30 2e 30 2e 30 2e   n 0.0.0.
0040: 30 20 61 74 20 6f 66 66   0 at off
0048: 73 65 74 20 32 34 36 39   set 2469
0050: 36 63 39 61 0d 0a         6c9a..
Trend Micro HijackThis 2.0.2 log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:14 PM, on 11/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\csrcs.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
F3 - REG:win.ini: load=C:\WINDOWS\system\svchost.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\mEiLhAm\LOCALS~1\Temp\init.exe
O2 - BHO: (no name) - {0040a6fb-2ecf-491e-8ed6-764fc718c783} - C:\WINDOWS\system32\uysqnrdi.dll
O2 - BHO: IDM Helper - {0055c089-8582-441b-a0bf-17b458c2a3a8} - C:\Documents and Settings\mEiLhAm\Desktop\IDM v5.18 Build 3 Portable\IDMIECC.dll
O2 - BHO: (no name) - {020537d8-2ecf-491e-8ed6-764fc718c783} - C:\WINDOWS\system32\uysqnrdi.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {86e25736-febb-4c09-b636-5cb028898184} - c:\windows\system32\dtoknld.dll
O2 - BHO: link filter bho - {e33cf602-d945-461a-83f0-819f76a199f8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Documents and Settings\mEiLhAm\Desktop\IDM v5.18 Build 3 Portable\IDMan.exe /onboot
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKCU\..\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe
O4 - HKCU\..\Run: [PopRock] C:\DOCUME~1\mEiLhAm\LOCALS~1\Temp\b.exe
O4 - HKLM\..\Policies\Explorer\Run: [csrcs] C:\WINDOWS\system32\csrcs.exe
O4 - HKLM\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKCU\..\Policies\Explorer\Run: [userini] C:\WINDOWS\system32\userini.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: download all links with idm - C:\Documents and Settings\mEiLhAm\Desktop\IDM v5.18 Build 3 Portable\IEGetAll.htm
O8 - Extra context menu item: download flv video content with idm - C:\Documents and Settings\mEiLhAm\Desktop\IDM v5.18 Build 3 Portable\IEGetVL.htm
O8 - Extra context menu item: download with idm - C:\Documents and Settings\mEiLhAm\Desktop\IDM v5.18 Build 3 Portable\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: &Virtual keyboard - {4248fe82-7fcb-46ac-b270-339f08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll <-- I think this is what prevents KIS from running normally. It was forced to run, but with limited function.
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: URLs c&heck - {ccf151d8-d089-449f-a5a4-d9909053f20f} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll <-- I think this is what prevents KIS from running normally. It was forced to run, but with limited function.
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: adqfqpoe - C:\WINDOWS\SYSTEM32\dtoknld.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: avp - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\mssrv32.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
--
End of file - 8228 bytes
blue = files were deleted manually
red = suspected to be entries created by the viruses
purple = by gnush85
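As an added example (not part of the original post, and not code from HijackThis), here is a small Python triage helper that scans lines in HijackThis log format for the persistence patterns visible in the log above: an extra program appended to the Shell= or UserInit= values, autoruns living under Temp or RECYCLER, and a service whose binary path is an NTFS alternate data stream. The rule names and the sample lines are constructed for this example.

```python
import re

# Constructed sample in HijackThis log format, modelled on the entries
# posted above (hypothetical triage helper, not part of HijackThis).
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe csrcs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\DOCUME~1\mEiLhAm\LOCALS~1\Temp\init.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKCU\..\Run: [PopRock] C:\DOCUME~1\mEiLhAm\LOCALS~1\Temp\b.exe
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: avp - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
"""

# Each rule is (name, regex applied to one whole log line). They encode the
# persistence tricks seen in the log: Shell= or UserInit= carrying a second
# program, autoruns under Temp or RECYCLER, and a service binary given as
# "file.exe:stream" (an NTFS alternate data stream hidden behind svchost.exe).
RULES = [
    ("shell-extra-program", re.compile(r"^F2 - REG:system\.ini: Shell=Explorer\.exe\s+\S", re.I)),
    ("userinit-extra-program", re.compile(r"^F2 - REG:system\.ini: UserInit=.*,\S", re.I)),
    ("autorun-in-temp", re.compile(r"^O4 .*\\Temp\\", re.I)),
    ("autorun-in-recycler", re.compile(r"^O4 .*\\RECYCLER\\", re.I)),
    ("service-ads", re.compile(r"^O23 .*\.exe:[^\\\s]+$", re.I)),
]


def triage(log_text):
    """Return {line: [rule names]} for every line that trips at least one rule."""
    hits = {}
    for line in log_text.splitlines():
        names = [name for name, rx in RULES if rx.search(line)]
        if names:
            hits[line] = names
    return hits


if __name__ == "__main__":
    for line, names in triage(SAMPLE_LOG).items():
        print(", ".join(names), "<-", line)
```

The benign IgfxTray and avp entries produce no hit, while the five entries that match the patterns from the log are reported with the rule that fired.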