GeekPolice
Welcome to GeekPolice.net!

From "wow" to "whoa" - we're teaching practical technology and helping others with tech support. Join our family here!

You are viewing the forum as a "Guest" which doesn't give you member privileges to ask questions or post comments.

Take 30 seconds to register or log in below and unlock the limitations of this website to discover new computer knowledge!

Unknown Virus

View previous topic View next topic Go down

Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 5:10 pm

Hello, thanks for your response to my request for help. These are the details.

I recently installed AVG Free 8.5 on three computers. Two computer are working great. My computer stopped updating AVG after about three days. I can not update SuperantiSpyware, or Malwarebytes MBAM either. I have attempted to manually update all of the above, by loading the update onto a disk from another computer, but even though the updates seemed to take, all the programs claim my computer is clean.

If I open Firefox browser or IE, type in a google search, then click on a link the page I select starts to load, but then kicks me to a different website. If I click the back feature the browser will then take me to my original selection. If I type in something like AVG virus protection the browser will shut down and give me an error message.

I have attempted to open regedit, but when I do so, my computer screen flickers as if my computer is about to restart, but it does not. regedit will not open, even in safe mode. I can open task manager, and I can go to msconfig. After reading different posts, I downloaded CC Cleaner, but the process did not help.

Thanks

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 5:11 pm

Doctor has posted to you here, it's just a little further down the first page:
[You must be registered and logged in to see this link.]

Follow his instructions before I can help.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 5:12 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:47 AM, on 4/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 5:12 pm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Everyones Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {0F7ADA61-49EC-4B5B-AA5F-E650E5722028} - C:\WINDOWS\system32\xxyAqoom.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.9.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.9.0\IEViewBar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [cat] C:\Program Files\CAT\cat.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Uninstall getPlus(R) for Adobe] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: eBay Search - [You must be registered and logged in to see this link.] Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Yahoo! &Dictionary - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - [You must be registered and logged in to see this link.] Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.eznsearch.com
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - [You must be registered and logged in to see this link.]
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DCE56D5-9130-4B54-B459-5C2AFE16A228}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0DCE56D5-9130-4B54-B459-5C2AFE16A228}: NameServer = 68.94.156.1,68.94.157.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 16027 bytes

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 5:16 pm

[You must be registered and logged in to see this link.] wrote:Doctor has posted to you here, it's just a little further down the first page:
[You must be registered and logged in to see this link.]

Follow his instructions before I can help.

I read the instructions the doctor gave, and followed the instructions.
Thank you for your help!

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 5:19 pm

Hello.
Before we start the malware removal, I want to throw out some junk that's not needed.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 5:25 pm

32 Bit HP CIO Components Installer
ABBYY FineReader 4.0 Sprint
Acrobat.com
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe AIR
Adobe AIR
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.1
Adobe® Photoshop® Album Starter Edition 3.2
Apple Mobile Device Support
Apple Software Update
AT&T Yahoo! Applications
AVG Free 8.5
BCM V.92 56K Modem
BearPaw 1200CS v1.3
BearPaw 1200CSv1.7
bitcontrol® MPEG-2 Video Decoder v2.1
Bonjour
CallWave
CCleaner (remove only)
Codec Pack - All In 1 6.0.2.6
Corel Paint Shop Pro X
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Crush'Em 2.0
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07
Dell Digital Jukebox Driver
Dell Media Experience
Dell Solution Center
DellSupport
DrawPlus 3.0
DS21Patch
DVDSentry
eBay Toolbar Featuring Yahoo!
Ez eBook Studio
Flock
getPlus(R) for Adobe
getPlus(R)_dll
Google Earth
Google Toolbar for Internet Explorer
Google Updater
GPL Ghostscript 8.50
GPL Ghostscript Fonts
GSpot Codec Information Appliance
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 9.0
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.01
hp photosmart printer series (Remove only)
HP Product Assistant
HP Smart Web Printing
HP Solution Center 9.0
HP Update
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
Internet Explorer Default Page
ItsDeductible Express
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 11
Java(TM) 6 Update 7
Kid's College CFA
K-Meleon 1.1 en-US (remove only)
Learn2 Player (Uninstall Only)
LimeWire PRO 4.14.10
LiveUpdate 3.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Encarta Encyclopedia Standard 2003
Microsoft GIF Animator
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel Viewer 2003
Microsoft Picture It! Photo 7.0
Microsoft Streets and Trips 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
Mozilla (1.7.12)
Mozilla Firefox (3.0.8)
Mozilla Thunderbird (1.0.2)
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MusicIP Mixer 1.8.1
MusicIP MyDJ Plug-in
Musicmatch® Jukebox
NeoPlanet
Netscape Navigator (9.0b3)
Norton WMI Update
NVIDIA Windows 2000/XP Display Drivers
OLYMPUS CAMEDIA Master 2.0
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0
PDF Printer Free
PDFCreator 0.7.1}
PeoplePC Online
PokerStars.net
PowerDVD
Puzzl'Em 1.0 Beta2
QuickTime
RealPlayer
Registry Mechanic 6.0
SBC Self Support Tool
SeaMonkey (1.1.4)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Shockwave
Shop for HP Supplies
Skype™ 3.8
SmartFTP Client 2.5.1006.9
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Sound Blaster Live!
Spybot - Search & Destroy 1.2
SUPERAntiSpyware Free Edition
The Print Shop
The Print Shop 20
TurboTax Premier 2004
Ulead Photo Express 3.0 SE
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.6c
Viewpoint Manager (Remove Only)
Viewpoint Toolbar
Web Page Creator
WebCyberCoach 3.2 Dell
WexTech AnswerWorks
Windows Genuine Advantage v1.3.0254.0
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinWeather
Yahoo! Browser Services

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 5:29 pm

Hello.

I see that you are running Limewire.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 11
    Java(TM) 6 Update 7
    LimeWire PRO 4.14.10
    LiveUpdate 3.0 (Symantec Corporation)
    Norton WMI Update
    PokerStars.net
    Registry Mechanic 6.0
    Viewpoint Manager (Remove Only)
    Viewpoint Toolbar

Now lets start removing some stuff.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
    O2 - BHO: (no name) - {0F7ADA61-49EC-4B5B-AA5F-E650E5722028} - C:\WINDOWS\system32\xxyAqoom.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [cat] C:\Program Files\CAT\cat.exe
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - Trusted Zone: [You must be registered and logged in to see this link.]
    O15 - Trusted Zone: [You must be registered and logged in to see this link.]
    O15 - Trusted Zone: [You must be registered and logged in to see this link.]
    O15 - Trusted Zone: [You must be registered and logged in to see this link.]
    O15 - Trusted Zone: [You must be registered and logged in to see this link.]
    O15 - Trusted Zone: [You must be registered and logged in to see this link.]


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Malwarebytes

Post by GypsyCowgirl on Tue Apr 07, 2009 6:16 pm

I am encountering the same problem with Malwarebytes that I was having before. I did go to the link provided, but when Malwarebytes attempts to do an update I get an alert message, "Malwarebytes' Anti-Malware encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost. For more information about this error click here." There is an error report, but I can't copy it.

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 6:19 pm

Okay, lets see if this will run.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Did not work

Post by GypsyCowgirl on Tue Apr 07, 2009 6:29 pm

Link one did not load, link 2 did, but when I ran the program a small black screen quickly flashed on and off, so I could not see if there were any results, or save.

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 6:34 pm

Thanks, I know what's happening now. Smile

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 6:55 pm

There were no rootkits founds

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 7:05 pm

Hello.
Are you able to open the command prompt or registry editor?

Go to Start > Run.
Type in regedit and hit enter.

Let me know if you can open that.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 7:13 pm

Hi, thanks for your help!

No, I am not able to open regedit. When I attempt to open regedit, my computer seems as if it is going to restart, removing the start tab, but it doesn't restart, everything is still on the screen.

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 7:17 pm

Okay, I think I know why now.

Navigate to this file:
C:\Windows\regedit.exe

Rename it to reg3dit.exe
It should let you open it now.

If it does, navigate to this key by following the path:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

When you rearch the drivers32 key, right click it > Export it.
Save it as drivers32.reg.

Now open it as a text file using Notepad, and copy and paste everything in that file back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 7:33 pm

I can open msconfig

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 7:36 pm

Msconfig can't help us.
The malware is hiding under that drivers32 registry key, so until you can get an export of it, we can't do much because it locks a lot of command line tools.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 7:37 pm

regedit will still not open when I type in, C:\Windows\regedit.exe. When I attempt to open regedit, my toolbar tray items disapear for a couple of seconds, then pop back on, but regedit does not open.

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 7:38 pm

I tried to open regedit in safe mode last night and it would not open.

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 7:39 pm

That's why I asked that you rename.
Right click regedit.exe > Rename

Rename it to reg3dit.exe

Once renamed, it works.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 7:42 pm

Oh, I am sorry, I misunderstood, were do I go to rename it?

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 7:43 pm

Re-read this post:
[You must be registered and logged in to see this link.]

Using Windows Explorer (you can open this by holding the control key, then press "E")


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 7:49 pm

[You must be registered and logged in to see this link.] wrote:Okay, I think I know why now.

Navigate to this file:
C:\Windows\regedit.exe

Rename it to reg3dit.exe
It should let you open it now.

If it does, navigate to this key by following the path:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32

When you rearch the drivers32 key, right click it > Export it.
Save it as drivers32.reg.

Now open it as a text file using Notepad, and copy and paste everything in that file back here.

What do you mean by navigate to? Are you wanting me to select Start - Run, or Start - Search?

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 7:51 pm

Sorry, it's just my technical language. LMBO or ROFL

Navigate as in: Press Start and open "My Computer"
Then open the "C Drive".
Then go into the Windows folder.

Inside the windows folder, there is regedit.exe.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 7:57 pm

I opened the Windows folder and I found a blue block logo with regedit, but it does not say .exe. Is this the same as regedit.exe that I should rename?

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 7:59 pm

Yes, it's just your folder options are set to not show file extensions. It's the same thing, just rename it from regedit to reg3edit.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 8:10 pm

Two things, I don't know if this matters, but I noticed when I renamed regedit, reg3dit.exe, another regedit appeared right next to reg3dit.exe. Also as I am attempting to save drivers32.reg, it is attempting to save this as a document file. Should I save this in another way?

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 8:14 pm

Hello.
That's the Windows File Protection that generated another copy of it, just Windows protecting itself.

It should want to automatically save it as a .reg file.
Either way, if saved as a .reg file, it can still be opened in Notepad.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 8:19 pm

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.trspch"="tssoft32.acm"
"vidc.cvid"="iccvid.dll"
"vidc.I420"="msh263.drv"
"vidc.iv31"="ir32_32.dll"
"vidc.iv32"="ir32_32.dll"
"vidc.iyuv"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.uyvy"="msyuv.dll"
"vidc.yuy2"="msyuv.dll"
"vidc.yvu9"="tsbyuv.dll"
"vidc.yvyu"="msyuv.dll"
"wavemapper"="msacm32.drv"
"msacm.msg723"="msg723.acm"
"vidc.M263"="msh263.drv"
"vidc.M261"="msh261.drv"
"msacm.msaudio1"="msaud32.acm"
"msacm.sl_anet"="sl_anet.acm"
"msacm.l3acm"="C:\\WINDOWS\\System32\\l3codeca.acm"
"vidc.iv50"="ir50_32.dll"
"vidc.iv41"="ir41_32.ax"
"msacm.iac2"="iac25_32.ax"
"msacm.ctmp3"="C:\\WINDOWS\\System32\\ctmp3.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"vidc.tscc"="tsccvid.dll"
"aux"="C:\\WINDOWS\\system32\\..\\rpo.pji"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP]
"wave"="rdpsnd.dll"
"MaxBandwidth"=dword:000056b9
"wavemapper"="msacm32.drv"
"EnableMP3Codec"=dword:00000001
"midimapper"="midimap.dll"

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 8:27 pm

There's the little devil.


  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Delete a file on reboot"
  • This opens a window to locate the file we wanted to be deleted.
  • Now using that window, look at the top for the drop down menu. Select the "C Drive"
  • Now go into the Windows folder, and select this file by double clicking: rpo.pji
  • Hijack This will warn you that system settings will change on reboot
  • Press YES and allow Hijack This to reboot your machine.
  • If Hijack This doesn't reboot your machine automatically, then reboot it yourself.


Now after reboot, check and make sure this file doesn't exist.
C:\WINDOWS\rpo.pji

Let me know if it has been deleted.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 9:10 pm

I deleted rpo.pji, and have searched for it after reboot, and I do not see it any longer.

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 9:11 pm

Hello.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
    "aux"="wdmaud.drv"

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Your problems should be gone now. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 9:44 pm

Great! My AVG seems to be working again, I'll run a Malwarebytes update in a little while. I am wondering what should I do with the Avenger and fix.reg on my desk top?

Thanks so much for your help!!!!

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 9:46 pm

Delete them.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Tue Apr 07, 2009 10:02 pm

What do you recommend for protection? I now use AVG, SuperAntiSpyware, and Malwarebytes Anti-Malware. I use Firefox browser. What exactly was in my computer, and was the cat file deleted part of it.

Thanks again

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Tue Apr 07, 2009 10:10 pm

I couldn't find much on that cat file, but what I read said it wasn't needed.

This is the malware you were dealing with:
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

Re: Unknown Virus

Post by GypsyCowgirl on Wed Apr 08, 2009 8:01 pm

Belahzur, I sent you a PM regarding donations. Will you please take a look at that and get back with me.

Thanks

GypsyCowgirl
Novice
Novice

Status :
Online
Offline

Posts : 43
Joined : 2009-04-07
OS : XP
Points : 28211
# Likes : 0

View user profile

Back to top Go down

Re: Unknown Virus

Post by Belahzur on Wed Apr 08, 2009 8:03 pm

I don't know the email Doc uses for our donation via Paypal, so I'll send you my personal email that is my used on my Paypal account.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245029
# Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum