Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Please help me before I damage my computer.......more ^^

Post by B|air » July 6th, 2005, 5:59 am

Hey guys,

I recently brought a computer back from a boarding environment, to find that it had more viruses in it than my cooking, and after a lot of stressing I searched the net and downloaded AVG, Microsoft Anti-Spyware and Hijack-This. After a brief yet intense bout of obliterating every running process and file I could find (wearing a Rambo bandana, of course) that was not MSN Messenger. These days it is, to the best of my knowledge, virus free; however, there is an HTML file that is over my desktop. In a hissy-fit I tracked down the actual file it displayed (just a message about "Click here to remove the virus" which was not very convincing) so my desktop is now a perpetually white HTML file. Interestingly Google is more than happy to translate it into English for me :/

Back to my point (which I left in the dirt somewhere around "Rambo Bandana") I really am quite eager to get a desktop wallpaper back (I have this great pure white one I use....... :/ ).

Before I put up a Hijack-This logfile, here's some information that might help.
- I'm using Windows XP Family Edition, Internet Explorer 6, a demo of Style XP which is now unregistered and not particularly pretty, and my Year 12 soccer team didn't win a single game, convincing me that rugby is, in fact, the better game. And that I'm not a very good goalie.

Also, here's my Hijack-This logfile, which is pretty small due to a mad rampage of "Fixing" (Insert mushroom cloud):

Logfile of HijackThis v1.99.1
Scan saved at 7:57:42 PM, on 7/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\chris blair\Desktop\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: OSA.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

And to wrap this up (just like that T-Shirt my parents gave me every Christmas as a kid) I'll add 2 more bits of info.

Firstly, I have several instances of SCVhost.exe, both on my drive and in running processes, and second I can see my desktop icons, they appear over the HTML file. Also I just remembered, if I log on with a different account, the desktop is normal.

Ok guys, sorry that's so long, and I sincerely hope you guys can help me out, staring at my desktop used to be my favourite pastime.

Thanks Guys ^^
B|air
Active Member
 
Posts: 2
Joined: July 6th, 2005, 5:32 am

Post by dobhar » July 6th, 2005, 8:45 am

Hi B|air...

My name is dobhar and I will be looking over your log. Please give me some time to go look it over and I will post back as soon as possible. If you have any questions please post back as a reply to this Thread\Topic and I will be advised by email. Do not start another Thread\Topic.

Thank You,
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Post by dobhar » July 6th, 2005, 12:14 pm

Hi B|air...
"Firstly, I have several instances of SCVhost.exe, both on my drive and in running processes..."

I think you mean "svchost.exe" not "scvhost.exe"...big difference between the 2. One is a legitimate file and the other is a "Nasty". The "svchost.exe" is the legitimate file and if you look in your log you will see you're running 3 instances of this file and that is fine. Be careful in what you type and remove as it could be a legitimate file... :)
_______________________________________

"second I can see my desktop icons, they appear over the HTML file"

Step 1.
==========

Locate and delete "C:\WINDOWS\Web\desktop.html" <<<= This File
(Note: if you can't delete it you may have to delete it in Safe Mode)

Step 2.
==========

- Get into Control Panel and double click "Display"
- Click on the "Desktop" tab then click "Customise Desktop..."
- Click on the "Web" tab
- Under "Web pages" look for a check box and "Security"
- If found, Highlight (select) "Security" and click on "Delete"
- Deselect\uncheck anything else on the list.
(Note: You should now be able to change your desktop settings back to how you would like it. If your desktop still looks strange, go into your display properties and click on the Themes tab. Change the theme to Windows XP and you will now be using the default Windows XP settings. Then change them as you see fit)

Step 3.
==========

We now need to cleanup all the Temp files, Temporary Internet Files, Recycle Bin, etc...
- Click the "Start" button, then select "Run"
- Enter cleanmgr in the "Run" menu to start XP's "Disk Cleanup" tool
- Select the drive you want to clean up. The default will be C:
- Disk Cleanup will calculate the free space on your computer, which may take a few minutes
- After the calculation is complete, confirm that only the following checkboxes are checked:
Temporary Internet Files
Recycle Bin
Temporary (Temp) Files

- Click OK and Yes when prompted to delete files. Disk cleanup will delete the files and close automatically when finished.

- Browse to C:\Windows\Prefetch folder. Delete All files within the Prefetch folder <= Not the Prefetch folder itself
______________________________________

**Important**
Your log is not that bad at all but before I make any recommendations you NEED to get your WindowsXP updated to Service Pack 1 asap as you are badly in need of some Microsoft updates and patches...otherwise your PC will get reinfected and we will be doing this all over again.

Please go to the address below and get all critical updates EXCEPT service pack 2.

http://windowsupdate.microsoft.com/
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg
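
The point made in the reply above, that "scvhost.exe" is one swapped letter away from the legitimate "svchost.exe", can be checked mechanically over the "Running processes" section of a HijackThis log. This is an added example, not part of the original thread or of HijackThis; the allow-list, the function names and the two constructed log lines are assumptions.

```python
import ntpath

# Assumption: names taken from the thread's log, with the folder each one
# normally runs from on Windows XP. Not a complete allow-list.
SYS32 = r"c:\windows\system32"
EXPECTED_DIR = {n: SYS32 for n in ("smss.exe", "winlogon.exe", "services.exe",
                                   "lsass.exe", "svchost.exe", "spoolsv.exe")}
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

# Excerpt of the log from the thread; the last two process lines are constructed.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\scvhost.exe
C:\WINDOWS\Temp\svchost.exe

O4 - Global Startup: OSA.exe
"""

def osa_distance(a, b):
    """Edit distance where swapping two adjacent letters counts as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[-1][-1]

def running_processes(log_text):
    """Paths listed under 'Running processes:', up to the first blank line."""
    lines = [line.strip() for line in log_text.splitlines()]
    body = lines[lines.index("Running processes:") + 1:]
    return body[:body.index("")] if "" in body else body

def review(log_text):
    """Flag system names in the wrong folder and one-edit lookalikes of them."""
    findings = []
    for path in running_processes(log_text):
        folder, name = (part.lower() for part in ntpath.split(path))
        if name in EXPECTED_DIR:
            if folder != EXPECTED_DIR[name]:
                findings.append((path, "system name, unexpected folder"))
            continue
        near = [known for known in EXPECTED_DIR if osa_distance(name, known) == 1]
        if near:
            findings.append((path, "lookalike of " + near[0]))
    return findings
```

Calling `review(SAMPLE_LOG)` reports only the two constructed lines; the multiple genuine svchost.exe entries and iexplore.exe (two edits from explorer.exe) pass without a finding.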

Post by B|air » July 6th, 2005, 11:58 pm

Hey thanks mate, went through all that and worked like a charm, plus I'm downloading SP1 as we speak so should be all good.

By the way yeah it was SVChost.exe, so my bad :lol:

Anyway tah again for the help.
B|air
Active Member
 
Posts: 2
Joined: July 6th, 2005, 5:32 am

Post by dobhar » July 7th, 2005, 3:27 am

No problem B|air...glad to help... :D

Once you're finished with the updates please post back a fresh new HijackThis log for me to analyze.

Thanks,
dobhar
MRU Honors Grad Emeritus
 
Posts: 961
Joined: March 3rd, 2005, 3:00 am
Location: Winnipeg

Post by 'KotaGuy » July 27th, 2005, 12:37 pm

Whilst we appreciate that you may be busy, it has been 14 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed; if you still require assistance then please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada