Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

please help with malware removal!!!!!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

please help with malware removal!!!!!

Unread postby wolfmawr » July 26th, 2006, 9:57 pm

hi, I have a virus taking over and it is huge. I believe its in system 32. I really need help and appreciate your time and advice in advance. When I ran the "hijack this" program they told me the problem was too large and to go somewhere in the c drive to solve problem, But I'm not that great with computers
.
Thanks, Kristine

Logfile of HijackThis v1.99.1
Scan saved at 9:35:42 PM, on 7/26/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\testtestt.exe
C:\WINDOWS\System32\b5c3a855.exe
C:\WINDOWS\System32\system.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\System32\sys32.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\System32\services.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\winbmsv1.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mom\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_ ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_ ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O1 - Hosts: 84.252.148.80 http://www.bankone.com
O1 - Hosts: 84.252.148.80 bankone.com
O1 - Hosts: 84.252.148.80 halifax.com
O1 - Hosts: 84.252.148.80 http://www.halifax.com
O1 - Hosts: 84.252.148.80 halifax.co.uk
O1 - Hosts: 84.252.148.80 http://www.halifax.co.uk
O1 - Hosts: 84.252.148.80 http://www.bankofamerica.com
O1 - Hosts: 84.252.148.80 bankofamerica.com
O1 - Hosts: 84.252.148.80 http://www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 http://www.lloydstsb.com
O1 - Hosts: 84.252.148.80 lloydstsb.com
O1 - Hosts: 84.252.148.80 http://www.lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 http://www.garanti.com.tr
O1 - Hosts: 84.252.148.80 garanti.com.tr
O1 - Hosts: 84.252.148.80 http://www.kocbank.com.tr
O1 - Hosts: 84.252.148.80 kocbank.com.tr
O1 - Hosts: 84.252.148.80 http://www.disbank.com.tr
O1 - Hosts: 84.252.148.80 disbank.com.tr
O1 - Hosts: 84.252.148.80 http://www.chase.com
O1 - Hosts: 84.252.148.80 chase.com
O1 - Hosts: 84.252.148.80 http://www.southtrust.com
O1 - Hosts: 84.252.148.80 southtrust.com
O1 - Hosts: 84.252.148.80 http://www.wachovia.com
O1 - Hosts: 84.252.148.80 wachovia.com
O1 - Hosts: 84.252.148.80 http://www.wellsfargo.com
O1 - Hosts: 84.252.148.80 wellsfargo.com
O1 - Hosts: 84.252.148.80 http://www.barclays.co.uk
O1 - Hosts: 84.252.148.80 barclays.co.uk
O1 - Hosts: 84.252.148.80 http://www.barclays.com
O1 - Hosts: 84.252.148.80 barclays.com
O1 - Hosts: 84.252.148.80 http://www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 http://www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 http://www.citi.com
O1 - Hosts: 84.252.148.80 citi.com
O1 - Hosts: 84.252.148.80 http://www.citibank.com
O1 - Hosts: 84.252.148.80 citibank.com
O1 - Hosts: 84.252.148.80 http://www.etrade.com
O1 - Hosts: 84.252.148.80 etrade.com
O1 - Hosts: 84.252.148.80 http://www.neteller.com
O1 - Hosts: 84.252.148.80 neteller.com
O1 - Hosts: 84.252.148.80 tcfbank.com
O1 - Hosts: 84.252.148.80 http://www.tcfbank.com
O1 - Hosts: 84.252.148.80 hsbc.com
O1 - Hosts: 84.252.148.80 http://www.hsbc.com
O1 - Hosts: 84.252.148.80 hsbc.co.uk
O1 - Hosts: 84.252.148.80 http://www.hsbc.co.uk
O1 - Hosts: 84.252.148.80 aol.com
O1 - Hosts: 84.252.148.80 http://www.aol.com
O1 - Hosts: 84.252.148.80 comerica.com
O1 - Hosts: 84.252.148.80 http://www.comerica.com
O1 - Hosts: 84.252.148.80 http://www.3riversfcu.org
O1 - Hosts: 84.252.148.80 3riversfcu.org
O1 - Hosts: 84.252.148.80 http://www.53.com
O1 - Hosts: 84.252.148.80 53.com
O1 - Hosts: 84.252.148.80 http://www.amazon.com
O1 - Hosts: 84.252.148.80 amazon.com
O1 - Hosts: 84.252.148.80 http://www.bbt.com
O1 - Hosts: 84.252.148.80 bbt.com
O1 - Hosts: 84.252.148.80 http://www.boh.com
O1 - Hosts: 84.252.148.80 boh.com
O1 - Hosts: 84.252.148.80 http://www.capitalone.com
O1 - Hosts: 84.252.148.80 capitalone.com
O1 - Hosts: 84.252.148.80 http://www.cnbwax.com
O1 - Hosts: 84.252.148.80 cnbwax.com
O1 - Hosts: 84.252.148.80 http://www.cwbk.com
O1 - Hosts: 84.252.148.80 cwbk.com
O1 - Hosts: 84.252.148.80 http://www.ebay.com
O1 - Hosts: 84.252.148.80 ebay.com
O1 - Hosts: 84.252.148.80 http://www.edsefcu.org
O1 - Hosts: 84.252.148.80 edsefcu.org
O1 - Hosts: 84.252.148.80 egold.com
O1 - Hosts: 84.252.148.80 http://www.egold.com
O1 - Hosts: 84.252.148.80 http://www.e-gold.com
O1 - Hosts: 84.252.148.80 e-gold.com
O1 - Hosts: 84.252.148.80 http://www.firstusa.com
O1 - Hosts: 84.252.148.80 firstusa.com
O1 - Hosts: 84.252.148.80 http://www.frontierbank.com
O1 - Hosts: 84.252.148.80 frontierbank.com
O1 - Hosts: 84.252.148.80 http://www.gncu.org
O1 - Hosts: 84.252.148.80 gncu.org
O1 - Hosts: 84.252.148.80 http://www.householdbank.com
O1 - Hosts: 84.252.148.80 householdbank.com
O1 - Hosts: 84.252.148.80 http://www.icicibank.com
O1 - Hosts: 84.252.148.80 icicibank.com
O1 - Hosts: 84.252.148.80 http://www.mbna.com
O1 - Hosts: 84.252.148.80 mbna.com
O1 - Hosts: 84.252.148.80 http://www.mibank.com
O1 - Hosts: 84.252.148.80 mibank.com
O1 - Hosts: 84.252.148.80 http://www.midamericabank.com
O1 - Hosts: 84.252.148.80 midamericabank.com
O1 - Hosts: 84.252.148.80 http://www.myindymacbank.com
O1 - Hosts: 84.252.148.80 myindymacbank.com
O1 - Hosts: 84.252.148.80 http://www.nafcunet.org
O1 - Hosts: 84.252.148.80 nafcunet.org
O1 - Hosts: 84.252.148.80 http://www.nationalcity.com
O1 - Hosts: 84.252.148.80 nationalcity.com
O1 - Hosts: 84.252.148.80 http://www.cnb.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [BellSouthAlertManager.exe] C:\Program Files\BellSouth\Alert Manager\BellSouthAlertManager.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\Run: [b5c3a855.exe] C:\WINDOWS\System32\b5c3a855.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [HotKeysCmd] C:\WINDOWS\System32\system.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [b5c3a855.exe] C:\Documents and Settings\mom\Local Settings\Application Data\b5c3a855.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\RunOnce: [BellSouth Help Center] C:\Program Files\Support.com\BellSouth\hcenter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster Platinum 17\Remind.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - AppInit_DLLs: tlntwucl.dll mciawmsp.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: winbmsv1 - C:\WINDOWS\System32\winbmsv1.dll
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\System32\2236_27.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi267317.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
wolfmawr
Active Member
 
Posts: 3
Joined: July 26th, 2006, 9:40 pm
Advertisement
Register to Remove

Unread postby 'KotaGuy » July 26th, 2006, 10:47 pm

Hi Kristine.

You computer is in extremely rough shape. I'm afraid it has been totally compromised by numerous backdoors/RAT's(Remote Access Trojans) and a keylogger or two as well. So, security-wise, it cannot be trusted.

I hate to tell people this when they come to us for help... but your most prudent course of action may be to just cut your losses and format and reinstall Windows.

If you choose not to do this I will try my best to clean things up for you. But please understand I cannot guarantee the security of the system afterwards just because of the nature of the infections and what can be done with them.

Please let me know what you want to do.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Thanks

Unread postby wolfmawr » July 27th, 2006, 11:04 pm

Thanks for your time. I quess I'm ready to cut my losses. Could you please explain to me how I would go about doing what your suggested with formating and reinstalling windows. Thanks again,

Kristine
wolfmawr
Active Member
 
Posts: 3
Joined: July 26th, 2006, 9:40 pm

Unread postby 'KotaGuy » July 28th, 2006, 2:44 am

Instructions provided here will help you. The site has pictures and walks you through the process step-by-step.

Of course... you won't be able to access the site once you've started the reinstall so you may want to print the instructions out first.

Once you have Windows reinstalled... I strongly suggest you change all passwords you've used to access the computer and any websites you use... especially if you've done any online shopping with a credit card or any online banking.

You should also contact your financial institution and make them aware of what has happened and the possibility of fraudulent transactions if you do use the computer for online shopping/banking. Keep a close eye on your bank statements/credit card statements for the next little while if you have.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Thanks again

Unread postby wolfmawr » July 29th, 2006, 11:26 am

Thanks for the information and advice.
wolfmawr
Active Member
 
Posts: 3
Joined: July 26th, 2006, 9:40 pm

Unread postby 'KotaGuy » July 30th, 2006, 10:41 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 291 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware