Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

PC Infected - Logfile attached - HELP PLEASE!!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

PC Infected - Logfile attached - HELP PLEASE!!

Unread postby andymckenna » February 22nd, 2006, 5:17 pm

Hi - my PC appears to attempt to dial up to th einternet automatically afetr each reboot, and I receive virus alerts for 'trojan horse generic oof' and generic non'. Cleaning and rebooting with system restore tunred off seems to have no effect even though no new infections are apparent.

Any ideas gratefully received

Thanks

Andy

Logfile of HijackThis v1.99.1
Scan saved at 21:14:42, on 22/02/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Andy\Desktop\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor 3.5\Spyware Doctor\sdhelp.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor 3.5\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Delux\PS2 Keyboard English Edition 2.0\kb_2k.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\One.Care\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\Documents and Settings\Andy\Desktop\hijackthis_sfx.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1.5\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1.5\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - blank (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\per.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor 3.5\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: One.Care.lnk = C:\Program Files\One.Care\bin\matcli.exe
O4 - Global Startup: PS2 Keyboard English Edition 2.0.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1.5\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.msn.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - http://www.bootsdigitalphotocentre.com/ ... loader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EP ... -0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72714955-C8ED-4FFB-877D-AF1C4280946E}: NameServer = 212.67.120.148 212.67.96.129
O17 - HKLM\System\CS1\Services\Tcpip\..\{72714955-C8ED-4FFB-877D-AF1C4280946E}: NameServer = 212.67.120.148 212.67.96.129
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Andy\Desktop\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor 3.5\Spyware Doctor\sdhelp.exe
andymckenna
Active Member
 
Posts: 7
Joined: February 22nd, 2006, 3:16 pm
Advertisement
Register to Remove

Unread postby Linkmaster » February 23rd, 2006, 2:43 pm

Hi andymckenna, Welcome to MalWare Removal !!

We can definitely help you, but first you need to help us.
The first step in this process is to apply Service Pack 1a for Windows XP
Without this update, you're wide open to re-infection, and we're both just wasting our time.
Apply the update, reboot, and post a fresh Hijack This log here
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Service Pack 1a - Unable to load

Unread postby andymckenna » February 23rd, 2006, 6:02 pm

Hi - my PC came with XP pre-installed and I don't seem able to load up the service pack - I am receiving "The product key used to install windows is invalid...."

Can you help?

I have since posting the hijack logfile tried running various virus and spyware software in safe mode with system restore turned off but after each reboot the pc attempts to dial up automatically and same virus warnings appear.


Thanks

Andy
andymckenna
Active Member
 
Posts: 7
Joined: February 22nd, 2006, 3:16 pm

Unread postby Linkmaster » February 23rd, 2006, 8:29 pm

Lets do this :

Please click HERE
(Use Internet Explorer ONLY !! Firefox or other browsers wont work)

Click on Windows Validation Assistant on left
Click on the Validate Now button.
Be patient while the ActiveX loads, do not click on any links.
Read the instructions on this page while it's loading
You will be prompted to install - click YES
Enter your Product key
To Find Key :Click Start, right-click My Computer, and then click Properties On the General tab, under Registered to, enter that number
Then click Continue
When it says "Validation Complete" please click Continue to return to your previous activity
Copy what it says and paste it here
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Validation Failed

Unread postby andymckenna » February 24th, 2006, 5:01 am

Hi - atempted to validate as per your instructions (repeatedly) but when clicked on 'Validate Now' button I was redirected to url below, whose content appears to be in Russian or similar.


http://www.microsoft.com/genuine/downlo ... f&Error=20

??
andymckenna
Active Member
 
Posts: 7
Joined: February 22nd, 2006, 3:16 pm

Validation Failure 2

Unread postby andymckenna » February 24th, 2006, 5:10 am

After another attempt at Validating - this was the result:

"Validation Failure: Product Key Failed Validation[0x80080220]

Why did my machine fail validation?

The product key found on your computer is from a Volume License Key (VLK), which has been blocked. A VLK is typically licensed to organizations who want to use multiple copies of Windows. However, if a VLK is reported as stolen or leaked, it is then blocked from passing through validation."
andymckenna
Active Member
 
Posts: 7
Joined: February 22nd, 2006, 3:16 pm

Unread postby Linkmaster » February 24th, 2006, 12:29 pm

I am not prying but did you buy this from a "third" party or from a retail store ??

It is saying that this version of Windows is not valid!!
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby andymckenna » February 24th, 2006, 1:01 pm

I bought it from an independent retailer - do you think something's a bit off with my windows installation??
andymckenna
Active Member
 
Posts: 7
Joined: February 22nd, 2006, 3:16 pm

Unread postby Linkmaster » February 24th, 2006, 1:25 pm

It seems to be indicating that this Key not valid.

I am going to get another opinion on this so I can give you a better answer !!
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby Linkmaster » February 24th, 2006, 3:31 pm

Try this:
CLick here:
http://www.licenturion.com/xp/xpinfo-exe.zip
Then hit "save" (not open). Save the folder to your desktop
right click on the file and select extract all. Extract the folder to the desktop.
open the folder and double click on xpinfo.exe
If all is well you should get something that looks like this:

Image

IF it gives you problems, then please describe what part of your key isn't checking out.
User avatar
Linkmaster
MRU Honors Grad Emeritus
 
Posts: 822
Joined: October 7th, 2005, 5:57 am
Location: Arkansas, USA

Unread postby andymckenna » February 24th, 2006, 3:48 pm

Here's what happened:

On clicking 'xpinfo.exe' I got an 'expinfo error':

"Cannot collect configuration date (-204).
(a) you are running a volume licensed version or oem release of windows xp.
(b) you have not activated your certification of windows yet."

Upon 'ok' a dialogue box opens - 'Fully Licensed [heading[" with all options greyed out, and FCKGW - RHQQ2 - YXRKT - ????? - ?????


??
andymckenna
Active Member
 
Posts: 7
Joined: February 22nd, 2006, 3:16 pm

Unread postby wng_z3r0 » February 25th, 2006, 2:32 am

Andy, I am sorry, but your XP key is a well known pirated key. You need to contact microsoft to resolve this issue. There are several options available to you, as listed out here:
http://www.microsoft.com/resources/howt ... /what.aspx

There are two reasons that we can't help you until you get a legit copy of windows.
The first is that you can't get any service packs. Without these service packs, there is little point in cleaning out your computer. As soon as you reconnect to the internet, there is an extremely high probability of being infected.


The second is an ethical reason. Please read this post:
http://www.malwareremoval.com/forum/viewtopic.php?t=550


If purchasing a new copy of xp, or submitting the data to microsoft necessary to get a replacement copy is not possible for your situation, you may wish to consider linux or some other free operating system. Linux builds such as Wine are capable of running many windows programs natively.

wng
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby Nick-YF19 » February 26th, 2006, 12:30 pm

Due to the lack of valid XP key, we will have to close this topic.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 294 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware