System Security Virus Infection


Post by dazdfloyd on Tue Jul 14, 2009 7:57 pm

I have read up on the topic and pretty much know what I'm dealing with. A friend told me you were the pros and to ask you guys for help. Some background info that will help:

*Have scanned and found massive infections
*Unable to open most programs including virus scan (was able to get the PC Tools Spyware Doctor scanner to find the infections)
*ABLE to boot in safe mode
*UNABLE to run the Malwarebytes program originally suggested before finding you guys
*Will attempt to delete P2P programs but may run into problems if I can't get into certain things due to the severity of this virus.

I am willing to do whatever I can on my end to get rid of this nasty thing. I would hate to lose all of my college portfolio work. Any help would be amazing!


Last edited by dazdfloyd on Tue Jul 14, 2009 8:40 pm; edited 1 time in total

dazdfloyd - Novice - Posts: 12 - Joined: 2009-07-14 - OS: XP

Re: System Security Virus Infection

Post by Origin on Tue Jul 14, 2009 8:38 pm

Hello dazdfloyd,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

  • If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP
  • If you have any cracked/pirated software on your computer, delete it or we will not help you.
  • Only follow advice from Geek Police Staff and not a regular member.
  • Do NOT run any tool without Geek Police supervision as it could render your system useless.


Please download Ice Sword from [You must be registered and logged in to see this link.]

  1. Download the zip to your desktop and extract it.
  2. Open the Ice Sword folder and then launch IceSword.exe.
  3. Then look in the bottom left of the program and press "Registry".
  4. When the registry list opens, drag the line between the two windows so you can see which registry hive you need.
  5. Next, open HKEY_LOCAL_MACHINE and navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  6. Now look in the right-side pane for two Run values that are just random numbers.
  7. Once you have found the value(s), right-click it and press "Delete".
  8. OK the prompt and close IceSword.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin - Master - Posts: 2685 - Joined: 2009-05-05 - OS: Windows XP SP3

Re: System Security Virus Infection

Post by dazdfloyd on Tue Jul 14, 2009 10:01 pm

I can't seem to download it. I could, but then the download box went away. What do I do?


Re: System Security Virus Infection

Post by Belahzur on Tue Jul 14, 2009 10:23 pm

Hello.
Can you download this instead and see if it works?
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur - Administrator - Posts: 34916 - Joined: 2008-08-03 - OS: XP SP3 Media Centre

Re: System Security Virus Infection

Post by dazdfloyd on Tue Jul 14, 2009 10:31 pm

I got icesword working. What next?


Re: System Security Virus Infection

Post by Origin on Tue Jul 14, 2009 10:33 pm


  • Open the Ice Sword folder and then launch IceSword.exe.
  • Then look in the bottom left of the program and press "Registry".
  • When the registry list opens, drag the line between the two windows so you can see which registry hive you need.
  • Next, open HKEY_LOCAL_MACHINE and navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • Now look in the right-side pane for two Run values that are just random numbers.
  • Once you have found the value(s), right-click it and press "Delete".
  • OK the prompt and close IceSword.



Re: System Security Virus Infection

Post by dazdfloyd on Tue Jul 14, 2009 10:44 pm

Ok. I deleted the one number sequence I found. There are also weird files named igfxtray, igfxhkcmd and igfxpers. Not sure if these are malicious as well.


Re: System Security Virus Infection

Post by dazdfloyd on Tue Jul 14, 2009 10:45 pm

They all have the system32 root folder in common.


Re: System Security Virus Infection

Post by Origin on Tue Jul 14, 2009 10:48 pm

Don't delete igfxtray, igfxhkcmd and igfxpers; they are legit entries. Now do the following:

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double-click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\winlogon.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select "Do a system scan and save a log file". This will open a Notepad file of everything HijackThis found; copy and paste it back here.



Re: System Security Virus Infection

Post by dazdfloyd on Tue Jul 14, 2009 11:04 pm

It begins to run and is immediately shut down. Suggestions?


Re: System Security Virus Infection

Post by dazdfloyd on Tue Jul 14, 2009 11:26 pm

No matter how I go about opening HijackThis, I can't seem to run it.


Re: System Security Virus Infection

Post by Origin on Tue Jul 14, 2009 11:29 pm

Can you try this version:
[You must be registered and logged in to see this link.]



Re: System Security Virus Infection

Post by dazdfloyd on Tue Jul 14, 2009 11:38 pm

That one was also a no go. What about ADWIND in IceSword? You said there would be two things to delete but I only saw one; I was wondering if one got renamed. LOST


Nix the reboot comment

Post by dazdfloyd on Wed Jul 15, 2009 12:10 am

I was able to open IceSword and delete the file. I'll wait to see if you repost any additional help.


Last edited by dazdfloyd on Wed Jul 15, 2009 12:22 am; edited 1 time in total (Reason for editing : Able to fix problem)


Re: System Security Virus Infection

Post by Belahzur on Wed Jul 15, 2009 3:02 pm

If you deleted the system security run value, can you post us a Hijack This log now?



Re: System Security Virus Infection

Post by dazdfloyd on Wed Jul 15, 2009 8:43 pm

Not able to run/install HijackThis after removing both Run values. Any suggestions on how to get it to run? Or am I missing something in the Run values?


Re: System Security Virus Infection

Post by dazdfloyd on Wed Jul 15, 2009 9:46 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:12 PM, on 7/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\reader_s.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Simplify Media\SimplifyMedia.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\cl6p0.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\cl6p0.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Documents and Settings\Susan Gargiulo\reader_s.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\lsass.exe
C:\WINDOWS\System32\avast!Antivirus.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\fonts\services.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\windows\ld12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\AOL\112000~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\112000~1\EE\AOLServiceHost.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\cl6p0.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\cl6p0.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\cl6p0.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\cl6p0.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\winamp.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\mdm.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\spoolsv.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\taskmgr.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\system.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\smss.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\notepad.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\csrss.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\services.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\services.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\svchost.exe
c:\windows\pp10.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\install.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\setup.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\b.exe
C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\c.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wiwow64.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\msibgoe.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\msafo.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - C:\WINDOWS\system32\gsf83iujid.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld12.exe
O4 - HKLM\..\Run: [ADWIND] C:\WINDOWS\system\msnfgg.exe
O4 - HKLM\..\Run: [pp] c:\windows\pp10.exe
O4 - HKLM\..\RunServices: [Microsoft Windowsx DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunServices: [Microsoft Update 64 BIT] wininit32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Save] C:\Documents and Settings\Susan Gargiulo\Application Data\Save\Save.exe
O4 - HKCU\..\Run: [Simplify Media] "C:\Program Files\Simplify Media\SimplifyMedia.exe"
O4 - HKCU\..\Run: [A00F1AF950AE.exe] C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\_A00F1AF950AE.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\cl6p0.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\cl6p0.exe
O4 - HKCU\..\Run: [LowRiskFileTypes] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\setup.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Susan Gargiulo\reader_s.exe
O4 - HKCU\..\Run: [A00F18586.exe] C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\_A00F18586.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N66P] C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msbezu.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: fmnupd32.exe
O4 - Startup: zqosys32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &d&ownload &with bitcomet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &d&ownload all video with bitcomet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &d&ownload all with bitcomet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Google Search - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Save with Download Manager... - [You must be registered and logged in to see this link.] Files\J River\Media Center\DMDownload.htm
O8 - Extra context menu item: Similar Pages - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - [You must be registered and logged in to see this link.] files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - [You must be registered and logged in to see this link.] (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - [You must be registered and logged in to see this link.]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [You must be registered and logged in to see this link.]
O20 - AppInit_DLLs: ,C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\119921255mxx.dll
O20 - Winlogon Notify: ecfade - C:\WINDOWS\system32\ecfade.dll
O20 - Winlogon Notify: __c00FA191 - C:\WINDOWS\system32\__c00FA191.dat
O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast!Antivirus - Unknown owner - C:\WINDOWS\System32\avast!Antivirus.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: sopidkc Service (sopidkc) - NewYork Lt - C:\WINDOWS\system32\sopidkc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 15135 bytes

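What a helper does with a log like the one above, and with Origin's earlier hint about Run values that are "just random numbers", can be automated for a first pass. The following is an added example (not code from this thread, from Geek Police or from HijackThis) that parses the O4 autorun lines of a HijackThis log and flags the ones that match a few heuristics: an empty value name, a name that is a long random hex/alphanumeric string, a program launched from the user's Temp folder or from RECYCLER, and an executable sitting directly in C:\WINDOWS. The sample lines are copied from the log posted above; the rules themselves are this example's own assumptions about what to look at, not a published rule set, and a hit only means "look closer", not "delete".

```python
"""Triage of the O4 (autorun) lines in a HijackThis log (added example)."""
import re

# One O4 line has the shape "O4 - <hive>: [<value name>] <command>".
O4_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Constructed sample: O4 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [sysldtray] c:\windows\ld12.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\cl6p0.exe
O4 - HKCU\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\cl6p0.exe
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N66P] C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
O4 - HKCU\..\Run: [A00F1AF950AE.exe] C:\DOCUME~1\SUSANG~1\LOCALS~1\Temp\_A00F1AF950AE.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_o4(line):
    """Split one O4 line into hive, value name and command; None for other lines."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def executable(cmd):
    """Return the program path from a command, dropping surrounding quotes and arguments."""
    m = re.match(r'"?(?P<path>.*?\.exe)"?(\s|$)', cmd, re.IGNORECASE)
    if m:
        return m.group('path')
    return cmd.split(' ', 1)[0].strip('"')   # no .exe in the command: take the first token


def flags_for(name, path):
    """Heuristic flags (this example's own assumptions) for one autorun entry."""
    flags = []
    stem = re.sub(r'\.exe$', '', name, flags=re.IGNORECASE)
    low = path.lower()
    if name == '':
        flags.append('empty-name')
    # "random numbers": a long hex string, or a long run of letters and digits
    if re.fullmatch(r'[0-9a-f]{6,}', stem, re.IGNORECASE) or (len(stem) >= 20 and stem.isalnum()):
        flags.append('random-name')
    if '\\temp\\' in low or '\\locals~1\\' in low:
        flags.append('temp-path')
    if '\\recycler\\' in low:
        flags.append('recycler-path')
    if low.rsplit('\\', 1)[0] in ('c:\\windows', '%systemroot%'):
        flags.append('windows-root-exe')
    return flags


def triage_log(text):
    """Return one record per O4 line: hive, value name, program path and flags."""
    results = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        path = executable(entry['cmd'])
        results.append({'hive': entry['hive'], 'name': entry['name'],
                        'path': path, 'flags': flags_for(entry['name'], path)})
    return results


if __name__ == '__main__':
    for rec in triage_log(SAMPLE_LOG):
        mark = 'LOOK CLOSER' if rec['flags'] else 'ok         '
        print(f"{mark} [{rec['name']}] {rec['path']}  {','.join(rec['flags'])}")
```

Run as a script it prints one line per entry; the flagged ones in this sample are the empty-name and long-random-name entries under Temp, the RECYCLER entry and the loader in the C:\WINDOWS root, while igfxtray and ctfmon.exe (the legitimate entries Origin told the poster to leave alone) pass clean. Whole-log triage would feed every O4 line of the log into triage_log instead of the seven constructed ones.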

Re: System Security Virus Infection

Post by dazdfloyd on Wed Jul 15, 2009 10:37 pm

I have posted my log. Can anyone help? The pop-ups went away but are coming back.


Re: System Security Virus Infection

Post by Belahzur on Wed Jul 15, 2009 11:59 pm

I'm afraid I have bad news.

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.


For more information, please see [You must be registered and logged in to see this link.]

Instructions on how to format and reinstall Windows can be found [You must be registered and logged in to see this link.]


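The backup rules in Belahzur's post (documents only; no .exe or .scr; no archives with .exe or .scr inside; treat htm/html/asp/php with suspicion) can be turned into a selector that decides, file by file, what gets carried off the infected machine. The following is an added example, not code from this thread or from Geek Police. It looks inside .zip archives with the standard library; .cab and .rar cannot be inspected that way, so the example skips them outright (its own conservative choice), and it puts the web file types on a separate review list rather than copying them blindly. The sample folder it builds is constructed with fake contents so the script runs offline.

```python
"""Backup selector following the Virut backup rules from the thread (added example)."""
import os
import shutil
import tempfile
import zipfile

INFECTABLE = {'.exe', '.scr'}                  # the post: Virut appends itself to these
WEB_FILES = {'.htm', '.html', '.asp', '.php'}  # the post: modified by recent variants
OPAQUE_ARCHIVES = {'.cab', '.rar'}             # not inspectable with the stdlib: skipped (assumption)


def classify(path):
    """Return 'copy', 'review' or 'skip' for one file on the infected machine."""
    ext = os.path.splitext(path)[1].lower()
    if ext in INFECTABLE or ext in OPAQUE_ARCHIVES:
        return 'skip'
    if ext == '.zip':
        try:
            with zipfile.ZipFile(path) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return 'skip'                      # unreadable archive: do not carry it over
        if any(os.path.splitext(m)[1].lower() in INFECTABLE for m in members):
            return 'skip'                      # an .exe/.scr inside the zip may be infected
        return 'copy'
    if ext in WEB_FILES:
        return 'review'                        # keep, but inspect before reusing it
    return 'copy'


def plan_backup(root):
    """Walk root and sort every file into copy/review/skip lists (posix-style relative paths)."""
    plan = {'copy': [], 'review': [], 'skip': []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            plan[classify(full)].append(rel)
    for key in plan:
        plan[key].sort()
    return plan


def run_backup(root, dest):
    """Copy only the 'copy' files into dest, preserving the folder layout."""
    plan = plan_backup(root)
    for rel in plan['copy']:
        dst = os.path.join(dest, *rel.split('/'))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(root, *rel.split('/')), dst)
    return plan


def build_sample_tree():
    """Constructed stand-in for the poster's profile folder; every file has fake contents."""
    root = tempfile.mkdtemp(prefix='backup_demo_')
    os.makedirs(os.path.join(root, 'portfolio'))
    fake_files = {
        'notes.txt': b'lecture notes',
        'thesis.doc': b'fake word document',
        'portfolio/logo.psd': b'8BPS fake psd',
        'setup.exe': b'MZ fake executable',
        'screensaver.scr': b'MZ fake screensaver',
        'old.rar': b'Rar! fake archive',
        'index.html': b'<html><body>portfolio site</body></html>',
    }
    for rel, data in fake_files.items():
        with open(os.path.join(root, *rel.split('/')), 'wb') as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(root, 'photos.zip'), 'w') as zf:
        zf.writestr('beach.jpg', b'fake jpeg')                 # data only: safe to copy
    with zipfile.ZipFile(os.path.join(root, 'tools.zip'), 'w') as zf:
        zf.writestr('readme.txt', b'tools')
        zf.writestr('bin/helper.exe', b'MZ fake executable')   # makes the whole zip unsafe
    return root


def demo():
    """Build the sample tree, back it up into a fresh folder, return (plan, files in dest)."""
    root = build_sample_tree()
    dest = tempfile.mkdtemp(prefix='backup_dest_')
    plan = run_backup(root, dest)
    copied = sorted(
        os.path.relpath(os.path.join(d, f), dest).replace(os.sep, '/')
        for d, _, files in os.walk(dest) for f in files
    )
    return plan, copied


if __name__ == '__main__':
    plan, copied = demo()
    for key in ('copy', 'review', 'skip'):
        print(key.upper() + ':', ', '.join(plan[key]) or '-')
    print('copied to destination:', ', '.join(copied))
```

On a real machine the root would be the user's profile folder and dest the mounted DVD staging area or the otherwise-empty external drive the post recommends; the review list is what to open in a text editor on a clean machine before deciding whether to keep it.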
