Serious Virus won't even let me search for help . . .

Hello everyone. I am new to this forum, and am pretty inept when it comes to computers. Even though I was using Trend Micro PC-cillin, I have gotten an extremely bad virus that I am having zero luck getting rid of. My sister also got the same thing, and the only website we both visited recently is the BBC5 website. I live in the U.S., but she was on a radio show when they were here, for what it matters.

Anyway, this is what has happened so far: It started with a red circle with a white X in the task bar in the lower right by the clock. It seemed like it was the wrong size, and it kept popping up a message saying "You have been infected with Spyware. Download this patch. . ." I noticed there was a typo and a grammatical error so I was suspicious. I think I may have clicked on it, but the second the website came up I closed it. While the pop-up was happening, I went to google, only to discover that every site went to an ad for antivirus09 or something to that effect. I noticed in the URL it said go.google. . . All search engines are hijacked.

I then removed Trend Micro PC and installed Windows Live Onecare. This actually seemed to remove the pop-up issue. But, all search engines are still hijacked, and this virus is so insidious that it won't even allow me to access any pages where I can get help. I'm surprised I can even get on this forum. Today I purchased Kaspersky Anti-Virus 2009, but I can't install it because apparently there is some bit of Windows Defender left, but I can't remove it, nor can I figure out how to do so. I found one link to Microsoft that's supposed to help you remove WD, but the virus won't let me open the page. I've tried unsuccessfully to download: hijackthis, Spyhunter, Spybotsd160, and Malwarebytes Anti-Malware. All of those except the hijackthis are on my desktop, but I can't get them to open.

From what I've read on this forum and elsewhere, the Malwarebytes thing should do the trick, but I can't get it to open. And like I mentioned, any websites like bleepingcomputer.com, majorgeek.com, or even the Kaspersky homepage are blocked by this virus. I really, really need help. I've got six years of programs on this computer, and I would really prefer to not have to reformat. And like I mentioned, I'm pretty inept at computer stuff, so go easy on me! As it is, I've spent several days trying to figure this out on my own, and I'm at my wit's end. I spent at least 7 hours today alone trying to restart, go into safe mode, reboot, research, get people to look things up on their computers, etc, etc, etc, etc. Thank you in advance for any assistance.
Re: Serious Virus won't even let me search for help . . .

Hi and welcome to the Daniweb forums :).

Rename hijackthis to analysethis and try running it again.
Re: Serious Virus won't even let me search for help . . .

When you say to rename it, do you mean in the URL or when it's actually on your computer? That was one of the ones where I couldn't even open the page. Do you have a link to a site for it?

Oh, and I forgot to mention that I'm encountering these errors when I'm trying to deal with antivirus programs where it's basically telling me I'm not connected to the Internet, when clearly I am. I just tried to reinstall the Trend Micro PC program so I have some protection in the meantime, but now apparently it's incompatible with my version of Windows XP, and then when I tried to do an update through the control panel, it said something to the effect that it wasn't able to access the server.
Re: Serious Virus won't even let me search for help . . .

1 Attachment(s)

I have renamed it and uploaded it for you. Download it from the attachment below.
Re: Serious Virus won't even let me search for help . . .

Thanks! I was able to open that with no trouble! I'll do a scan when I get back in a little bit. Should I post the results here?

Also, from what I've read, it sounds like the MalwareBytes Anti-Malware program has been the key to beating this virus. Of course, I can't open it because of the virus, but I hear that it's possible to rename the exe file to trick the virus into allowing it to open. Do you know how to rename it? Or, if it's not too much of a hassle, to do another one of those zip files? I was going to try to download it at my parents' house and burn it onto a CD, but they have an Apple, and I couldn't figure out how to burn it onto a CD, and I don't even think it was compatible on their computer to begin with. My next step is to try and rename the file (if I can figure out how to do it), or go buy a flash drive and try to transfer it that way. And thank you so much for helping!
Re: Serious Virus won't even let me search for help . . .

If you post the hijackthis log here we may be able to delete the files that are stopping MBAM from running. To rename the file though, just right click on it and select rename and call it whatever and then hit the enter button. I have not heard of that being done with MBAM, but it should be possible.
Re: Serious Virus won't even let me search for help . . .

Okay, so here's an update on what I've done: I went through my add/remove list using a list of programs that should be removed, and discovered that I had spywarebot, which as most people by now probably know is bad, and that spybot is the good program. I installed that over a year ago. It has now been removed. I renamed the Malware program to eatthis (clever, I know), and it opened no problem. I did a scan, it found some stuff, and I deleted it. I was hoping that that was the end of it. I restarted the computer, and discovered that google is still being hijacked. I was able to run the spyhunter program that found some incriminating looking stuff, but when I tried to delete them, I was told I had to pay for the full version. Sorry, I fell for that with spywarebot already, so bye bye, it's now off my system. I then tried to open the spybotsd program, but I get an error that says a connection to the server cannot be made, so it won't open. Oh, and then when I restarted my computer, I noticed to my dismay that google was taking over as the homepage again. Also, when the computer starts up, I get an error regarding SPRTCMD.EXE and about something missing, and the error also mentions LIBEAY32.DLL. Any idea as to what that is all about?

And lastly, I ran the hijackthis, and will cut and paste the log below. I looked through it, and while I don't understand most of it, I did see quite a few things that I thought were long gone, such as the earthlink accelerator, which I cannot find in the add/remove list, so I'm not sure how to get rid of these things. I'm sorry if this is an overload of information, but I just want to be as complete as I can in the steps I have taken in the event that reveals anything that could help.

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:29 AM, on 11/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Charlie Kierscht\Desktop\New Folder\Analysethis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
O1 - Hosts: 5377608764 www.selfbookmarks.com
O1 - Hosts: 5377608764 www.selfbookmarks.com
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195791662969
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file:///E:/tools/en/bin/npseatools.cab
O20 - AppInit_DLLs: karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8378 bytes

Please let me know if I need to insert the log in a different fashion or if this is okay, and again, thanks so much for your help!
Re: Serious Virus won't even let me search for help . . .

Ok. First things first. I am a stickler for ppl following only the instructions given. Although it is good that you have indicated everything you have done, doing things that are not requested can create a lot of confusion for the helper (namely me). If you can stick to just what I request you do, I would appreciate it. You can run all the programs you wish once we are finished. Deal? :)

Can you please do the following.

Scan with HijackThis and then place a check next to all the following, if present:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0FA33B6C-71BC-69D3-DB7A-472A4D6F3452} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

Download SDFix and save it to your desktop. Please then reboot your computer in Safe Mode by doing the following:
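The entries the helper picks out of the log share signs a reader can check mechanically: a target that no longer exists ("(no file)" or "(file missing)"), a hosts entry whose address is not a real IP, a rundll32 entry that names a DLL without a path, or any AppInit_DLLs value at all. The Python script below is an added example of that triage (not the thread's, HijackThis's or the helper's own code); the sample log is constructed from a handful of lines modelled on the log posted above, and the rules are illustrative heuristics, not HijackThis's own logic.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on a few lines of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 5377608764 www.selfbookmarks.com
O1 - Hosts: 127.0.0.1 localhost
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: karna.dat
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
-- End of file - 8378 bytes
"""

# Every HijackThis entry starts with a section code (R0..R3, O1..O24), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Markers HijackThis appends when the registry points at a file that is no longer on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# rundll32 followed by the DLL it is asked to load (up to the ",EntryPoint" or whitespace).
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+)", re.IGNORECASE)


def _check_hosts(body: str) -> Optional[str]:
    """O1 body looks like 'Hosts: <address> <hostname>'.

    A loopback address only blocks a host (hosts-based ad/spyware blockers do this);
    anything else, or a value that is not an IP at all, redirects the host and needs a look.
    """
    parts = body.split(None, 2)
    if len(parts) < 3:
        return "malformed hosts entry"
    addr, host = parts[1], parts[2]
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return f"hosts entry with non-IP address {addr!r} for {host}"
    if not ip.is_loopback:
        return f"hosts entry redirects {host} to {addr}"
    return None


def _check_run(body: str) -> Optional[str]:
    """O4 body is '<hive>\\..\\Run: [Name] <command>'. Flag rundll32 loading a DLL by bare name."""
    m = RUNDLL_RE.search(body)
    if m and "\\" not in m.group("dll"):
        return f"rundll32 loads {m.group('dll')} without a full path"
    return None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, original line) for each entry worth reviewing."""
    findings: List[Tuple[str, str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, "End of file": not an entry
        section, body = m.group("section"), m.group("body")
        reason: Optional[str] = None
        if body.endswith(ORPHAN_MARKERS):
            reason = "orphaned entry (target file is gone); safe to fix"
        elif section == "O1":
            reason = _check_hosts(body)
        elif section == "O4":
            reason = _check_run(body)
        elif section == "O20":
            # AppInit_DLLs is loaded into every process that links user32.dll, so any
            # value here deserves review, whatever the file is called.
            dll = body.split(":", 1)[1].strip()
            reason = f"AppInit_DLLs loads {dll} into every process that uses user32.dll; review"
        if reason:
            findings.append((section, reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```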
Re: Serious Virus won't even let me search for help . . .

Will do. And I promise, I'll follow only what you say from now on! I was just hellbent on trying to figure this thing out, but I'm not doing such a good job. And as usual, I'll probably just make it worse if I keep it up! So I'll print out your instructions and follow them exactly. I'll try to do it tomorrow afternoon (Friday). Thanks!
Re: Serious Virus won't even let me search for help . . .

lol. It's already Friday afternoon here. 6.22 PM to be exact :)
Re: Serious Virus won't even let me search for help . . .

Oh yeah? What's the future like? Any flying cars yet? Oh, that joke never gets old. So what country are you located in? I'm in the U.S.A. So, sometime in your recent past, I'll go through your steps and post the results. Okay, clearly I need to go to bed now. It's almost 4:00 AM here.
Re: Serious Virus won't even let me search for help . . .

Western Australia. We only use our flying chariots on the weekend. I'll tell you the winning lotto numbers tomorrow :D
Re: Serious Virus won't even let me search for help . . .

I followed the first step regarding running hijackthis and marking those items you indicated and then clicking on "fix checked." But when I try to download SDFix, the virus won't allow that page to open. What can I do? I was going to try running the Malware removal in the hopes that that would enable me to download it so I could continue on, but I remembered I took a solemn oath to not do any additional steps.

Oh, and it would help if I had the winning lottery numbers yesterday, so I can play them tomorrow. Wait, does that make sense? I was going to guess Australia. Did my username catch your eye?
Re: Serious Virus won't even let me search for help . . .

1 Attachment(s)

I have uploaded it for you.
Re: Serious Virus won't even let me search for help . . .

Awesome group. But, as you can tell by my username, I'm rather biased. I have a bit of a, well, shrine, on my wall for lack of a better word. All of their autographs framed, with guitar picks, a drumstick, backstage pass, etc. Unfortunately I'll never get to meet Michael Hutchence.

And back to the task at hand. Thanks for uploading that file. You, my friend, are a miracle worker! The slowdown appears to be gone, and google is no longer hijacked! I'll post the logs below, but just so I can help prevent this from happening again, what do you recommend I use: IE7 or Firefox? I've heard good things about Firefox and that I should stay away from IE7, but that's all I've known and used for a long time. Also, what do you think about Kaspersky Anti-Virus 2009 versus Windows Live OneCare or any other program for that matter? Hopefully Kaspersky is good since I already opened it. Hopefully this is the last of the virus. It sure was nasty. But you were amazing, and I never could have fixed it without your help, and for that, I am truly grateful. I'll wait and see if the logs revealed any more nasty surprises before I start the celebration though.

(I tried doing what you said about putting CODE tags around the SDFix log, but I'm not entirely sure I did it right. I hit the # sign icon that says "wrap [CODE] tags around selected text" and I'm not sure it did what it was supposed to. I did notice that it inserted a lot of emoticons in one part, and apparently the letter "d" became an emoticon, so I'm not sure how that happened. Let me know if I did something wrong and I'll be happy to try again. See, totally inept.)

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:41 PM, on 11/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Charlie Kierscht\Desktop\New Folder\Analysethis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195791662969
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file:///E:/tools/en/bin/npseatools.cab
O20 - AppInit_DLLs: karna.dat
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 7744 bytes

SDFIX Log
Re: Serious Virus won't even let me search for help . . .

Oh, and after all of that, I forgot to ask if that error regarding SPRTCMD.EXE and LIBEAY32.DLL has anything to do with the virus. I still get that when the computer starts up. It's been doing that for at least a month now, and doesn't appear to have any effect on the computer as far as I can tell, but I suppose there's some reason for it. Maybe that's a whole other issue.
Re: Serious Virus won't even let me search for help . . .

So I did a little research on google, since I can now use it again, and I don't want to be totally useless, and read some interesting things regarding LIBEAY32.DLL and SPRTCMD.EXE and how they can be virus related, and I even saw something about the LIBEAY32.DLL being related to a program that captures keystrokes and screen captures and stuff, but that seemed isolated and may have been a scam to get you to download some other crap.

I also have two files, when I look at the properties it says "type of file: file" on my desktop that have been there for months, and I cannot delete them. The computer won't allow it. It says "cannot read from source." Not sure if that has anything to do with the problems or not. Just trying to make sure there isn't something lurking waiting to rise up again.
Re: Serious Virus won't even let me search for help . . .

Kaspersky or Nod32 if you wish to buy. I use Avast free edition and have never found a need to buy AV. Main reason for that is because I refuse to use Internet Explorer. My browser of choice is Opera and has been for the last 5-6 years.

I am not convinced your pc is yet clean. Please download ComboFix by sUBs from HERE or HERE

Note: Do not mouse-click combofix's window while it is running. That may cause it to stall. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Re: Serious Virus won't even let me search for help . . .

Yeah, unfortunately you're right. Google is hijacked again. It appears help sites are getting blocked, and the slowdown is returning. Since the changes you had me make, I noticed that when I ran my Kodak Easyshare program, it accessed the Internet for some update I'm assuming, and when I went to Facebook to upload some pictures, I had to install the pic uploader. But, I would assume both of those SHOULD be trustworthy. I'll follow those steps and post the results. Thanks.
Re: Serious Virus won't even let me search for help . . .

Good grief. This stupid virus won't let me open either of those links. I can't do a right click and save as either. I'm starting to get really, really mad. Okay, madder than I was.
Re: Serious Virus won't even let me search for help . . .

PM me an email addy and I will email it to you.
Re: Serious Virus won't even let me search for help . . .

I was finally able to do a download of that ComboFix. I had a hunch that if I ran the Malwarebytes program, it would let me do it, and it worked after deleting two trojans. That's the one I had already downloaded. Sorry. It seemed like the computer was getting worse than it had been before, and I just wanted to be sure to download that ComboFix while I still could. I was even starting to have difficulty getting on this site, and if I got blocked from here, I would have been totally screwed. So, when I ran the ComboFix, it found rootkit activity, which caused the system to reboot. That sounded ominous. Don't know if it was or not. It also looks like it found several trojans and some sort of install log thing. When the whole process was done, it added a new IE icon to my desktop, and it also changed the symbol on a jpeg file I had on the desktop. I didn't know if that was normal or not. Here are the logs:

Combofix:

ComboFix 08-11-18.A2 - Charlie Kierscht 2008-11-19 16:53:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.207 [GMT -6:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\system32\drivers\TDSSqjso.sys
c:\windows\system32\TDSSaewi.dll
c:\windows\system32\TDSSbvan.dll
c:\windows\system32\TDSShchc.dll
c:\windows\system32\TDSSierd.dat
c:\windows\system32\TDSSmhxt.log
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnpvw.dll
c:\windows\system32\TDSSofxh.log
c:\windows\system32\TDSSurta.dll
c:\windows\system32\TDSSyyvb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS

((((((((((((((((((((((((( Files Created from 2008-10-19 to 2008-11-19 )))))))))))))))))))))))))))))))
.

2008-11-15 21:28 . 2008-11-15 21:28 578,560 --a--c--- c:\windows\SYSTEM32\DLLCACHE\user32.dll
2008-11-15 21:22 . 2008-11-15 21:23 <DIR> d-------- c:\windows\ERUNT
2008-11-13 21:53 . 2008-11-13 21:53 <DIR> d-------- c:\documents and settings\Charlie Kierscht\Application Data\Malwarebytes
2008-11-13 03:10 . 2007-11-27 22:56 116,416 --a------ c:\windows\SYSTEM32\DRIVERS\msfwhlpr.sys
2008-11-13 03:10 . 2007-11-27 22:56 91,328 --a------ c:\windows\SYSTEM32\DRIVERS\msfwdrv.sys
2008-11-13 03:07 . 2008-11-19 11:06 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
2008-11-13 02:13 . 2008-11-13 02:13 <DIR> d-------- c:\program files\Enigma Software Group
2008-11-13 01:06 . 2008-11-13 01:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-12 14:12 . 2003-02-27 02:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-11-12 14:12 . 2007-10-18 22:26 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Gtek
2008-11-12 14:12 . 2008-11-12 14:12 <DIR> d-------- c:\documents and settings\Administrator
2008-11-12 05:48 . 2008-11-13 21:53 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-12 05:48 . 2008-11-12 05:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-12 05:48 . 2008-10-22 16:10 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2008-11-12 05:48 . 2008-10-22 16:10 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2008-11-12 00:49 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\SYSTEM32\DLLCACHE\msxml3.dll
2008-11-12 00:49 . 2008-10-24 05:21 455,296 -----c--- c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
2008-11-11 00:29 . 2008-05-15 16:15 53,168 --a------ c:\windows\SYSTEM32\DRIVERS\MpFilter.sys
2008-11-10 05:17 . 2008-11-10 15:30 <DIR> d-------- c:\program files\Kontiki
2008-11-10 05:17 . 2008-11-10 05:17 <DIR> d-------- C:\logs3
2008-10-24 04:19 . 2008-10-15 10:34 337,408 -----c--- c:\windows\SYSTEM32\DLLCACHE\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-13 09:01 --------- d-----w c:\program files\Trend Micro
2008-11-13 06:59 --------- d-----w c:\program files\Windows Live Safety Center
2008-11-13 05:55 --------- d-----w c:\documents and settings\Admin\Application Data\ComcastToolbar
2008-11-10 23:33 --------- d-----w c:\program files\Java
2008-10-29 04:01 --------- d-----w c:\documents and settings\Charlie Kierscht\Application Data\Canon
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-21 08:28 --------- d-----w c:\documents and settings\Charlie Kierscht\Application Data\COMCASTTOOLBAR
2008-10-10 05:16 --------- d-----w c:\program files\iTunes
2008-10-10 05:16 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-10 05:15 --------- d-----w c:\program files\iPod
2008-10-01 18:01 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-09-19 05:40 --------- d-----w c:\program files\QuickTime
2008-09-19 05:03 --------- d-----w c:\program files\Bonjour
2008-09-05 11:09 10,752 ----a-w c:\windows\DCEBoot.exe
2008-08-31 04:45 53,248 ----a-w c:\windows\uneng.exe
2008-08-31 03:37 24,192 ----a-w c:\documents and settings\Charlie Kierscht\usbsermptxp.sys
2008-08-31 03:37 22,768 ----a-w c:\documents and settings\Charlie Kierscht\usbsermpt.sys
2008-07-18 06:59 92,064 ----a-w c:\documents and settings\Charlie Kierscht\mqdmmdm.sys
2008-07-18 06:59 9,232 ----a-w c:\documents and settings\Charlie Kierscht\mqdmmdfl.sys
2008-07-18 06:59 79,328 ----a-w c:\documents and settings\Charlie Kierscht\mqdmserd.sys
2008-07-18 06:59 66,656 ----a-w c:\documents and settings\Charlie Kierscht\mqdmbus.sys
2008-07-18 06:59 6,208 ----a-w c:\documents and settings\Charlie Kierscht\mqdmcmnt.sys
2008-07-18 06:59 5,936 ----a-w c:\documents and settings\Charlie Kierscht\mqdmwhnt.sys
2008-07-18 06:59 4,048 ----a-w c:\documents and settings\Charlie Kierscht\mqdmcr.sys
2008-04-25 23:32 411,248 ----a-w c:\program files\FLV PlayerRCSetup.exe
2007-07-10 23:59 63,944 -c--a-w c:\documents and settings\Charlie Kierscht\Application Data\GDIPFONTCACHEV1.DAT

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2008-11-05 64880]
"PtiuPbmd"="ulutil2.dll" [2003-11-05 c:\windows\SYSTEM32\ulutil2.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 f:\reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
--a------ 2008-04-24 12:25 202560 c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-10-09 17:56 202544 c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-10-09 17:57 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
-ra------ 2002-08-14 18:22 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 23:31 208952 c:\windows\IME\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 09:50 155648 c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-10-06 14:16 5058560 c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 11:00 49152 c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-10-06 14:16 741376 c:\windows\SYSTEM32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

R0 dontgo;Promise Removable Disk Control Driver;c:\windows\system32\DRIVERS\DontGo.sys [2007-04-22 7680]
R0 ulsata2;ulsata2;c:\windows\system32\DRIVERS\ulsata2.sys [2007-04-22 125952]
R2 OcHealthMon;Windows Live OneCare Health Monitor;"c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe" [2008-11-05 25968]
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\c:\windows\system32\AWINDIS5.SYS [2007-10-14 16194]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys []
S3 GTN;GTN NDIS Protocol Driver;\??\c:\windows\system32\GTN []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ec9dacf-615e-11dc-9977-0007e9cf2e13}]
\Shell\AutoRun\command - G:\launch.bat
.
Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-11-16 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\SYSTEM32\cleanmgr.exe [2008-04-13 18:12]

2008-11-19 c:\windows\Tasks\EasyShare Registration Task.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]

2008-11-19 c:\windows\Tasks\SpywareBot Scheduled Scan.job
- c:\program files\SpywareBot\SpywareBot.exe []

2008-11-19 c:\windows\Tasks\SpywareBot Scheduled Scan.job
- c:\program files\SpywareBot []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/a/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-19 17:04:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GTN]
"ImagePath"="\??\c:\windows\system32\GTN"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
c:\program files\Microsoft Windows OneCare Live\winss.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-11-19 17:16:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-19 23:16:22

Pre-Run: 1,038,970,880 bytes free
Post-Run: 20,412,231,680 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

220 --- E O F --- 2008-11-12 07:13:52

And here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:03 PM, on 11/19/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Charlie Kierscht\Desktop\Virus Killers\New Folder\Analysethis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195791662969
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file:///E:/tools/en/bin/npseatools.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 7896 bytes
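For anyone who wants to pull the autostart entries, services and ComboFix deletions out of logs like the two above programmatically, here is an added Python example. It is not code from this thread, from HijackThis or from ComboFix; the sample lines are copied from the logs posted above, and the two review rules it applies (rundll32 given a bare DLL name, a service listed with "Unknown owner") are assumed heuristics that mark entries for a human to verify, not verdicts. The firewall and TDSS-name checks read the same lines ComboFix printed above, and split_stream shows what a name ending in :Zone.Identifier is, an NTFS alternate data stream attached to a file, which matters when such names turn up in a file list.

```python
"""Parsers for the HijackThis and ComboFix log formats posted in this thread.

Added example, not code from the thread, from HijackThis or from ComboFix.
Sample lines are copied from the logs above; the review rules are assumed
heuristics that point a human at entries to verify, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import Optional

# HijackThis: every finding is "<section> - <detail>", e.g. "O4 - HKLM\..\Run: ..."
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<detail>.*)$")
# O4 autostart: "<hive>\..\Run: [<name>] <command>" plus an optional "(User '...')"
O4_ENTRY = re.compile(
    r"^(?P<hive>HK\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$")
# O23 service: "Service: <display name> - <owner> - <path>"
O23_ENTRY = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# rundll32 handed a DLL name with no directory, as in "Rundll32.exe ulutil2.dll,SetWriteBack"
BARE_RUNDLL = re.compile(r'(?i)^"?rundll32(\.exe)?"?\s+(?P<dll>[^\\"\s,]+),')


@dataclass
class HjtEntry:
    section: str
    detail: str
    flags: list


def parse_hjt(text: str) -> list:
    """Turn HJT log lines into entries, attaching a review flag where a rule fires."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue  # header lines and the "Running processes:" block
        section, detail, flags = m.group("section"), m.group("detail"), []
        if section == "O4":
            o4 = O4_ENTRY.match(detail)
            if o4 and BARE_RUNDLL.match(o4.group("cmd")):
                flags.append("rundll32 loads a DLL by bare name; confirm which file it resolves to")
        elif section == "O23":
            o23 = O23_ENTRY.match(detail)
            if o23 and o23.group("owner") == "Unknown owner":
                flags.append("service binary carries no vendor information; verify the file")
        entries.append(HjtEntry(section, detail, flags))
    return entries


# ComboFix: sections start with a banner like "((((((( Other Deletions )))))))"
BANNER = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
# The files ComboFix removed above all had the shape TDSS + four letters + extension
TDSS_NAME = re.compile(r"(?i)\\TDSS[a-z]{4}\.(sys|dll|dat|log)$")
FIREWALL_OFF = re.compile(r'"EnableFirewall"=\s*0\b')


def combofix_sections(text: str) -> dict:
    """Group ComboFix log lines under the banner that precedes them."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER.match(line)
        if banner:
            current = banner.group("title")
            sections.setdefault(current, [])
        elif line and line != ".":  # ComboFix pads sections with lone dots
            sections.setdefault(current, []).append(line)
    return sections


def tdss_style_paths(paths: list) -> list:
    """Paths whose file name follows the TDSS naming seen in the deletions above."""
    return [p for p in paths if TDSS_NAME.search(p)]


def firewall_disabled(text: str) -> bool:
    """True when the firewallpolicy dump in the log reads "EnableFirewall"= 0."""
    return bool(FIREWALL_OFF.search(text))


def split_stream(path: str) -> Optional[tuple]:
    """Split 'C:\\dir\\file:Zone.Identifier' into (file, stream name); None if no stream.
    Zone.Identifier is the NTFS alternate data stream Windows attaches to downloaded files."""
    drive = path[:2] if re.match(r"^[A-Za-z]:", path) else ""
    body = path[len(drive):]
    if ":" not in body:
        return None
    base, stream = body.rsplit(":", 1)
    return drive + base, stream


# Constructed samples: lines copied from the logs posted above.
HJT_SAMPLE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""
COMBOFIX_SAMPLE = r"""ComboFix 08-11-18.A2 - Charlie Kierscht 2008-11-19 16:53:23.1 - NTFSx86
.
(((((((((((((((( Other Deletions ))))))))))))))))
.
c:\program files\INSTALL.LOG
c:\windows\system32\drivers\TDSSqjso.sys
c:\windows\system32\TDSSaewi.dll
.
(((((((((((((((( Drivers/Services ))))))))))))))))
.
-------\Service_TDSSSERV.SYS
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""
```

Running parse_hjt(HJT_SAMPLE) flags only the PtiuPbmd and DSBrokerService lines; the NvCplDaemon entry passes because rundll32 is given a full path there. combofix_sections(COMBOFIX_SAMPLE)["Other Deletions"] yields the three deleted paths, of which tdss_style_paths keeps the two TDSS names, and firewall_disabled reports True for the sample's "EnableFirewall"= 0 line.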
Re: Serious Virus won't even let me search for help . . .

So, after all that, I got a notice from Windows Live OneCare that a trojan was found. It was called trojan: winnt/tibs.gen!a, and the description said that it was something that enabled an attacker to get control of my computer. So, you know, that's always something one wants to see.
Re: Serious Virus won't even let me search for help . . .

I've gotten several more messages that trojans have been blocked. It's good that it's catching them, but where are they coming from?
Re: Serious Virus won't even let me search for help . . .

I am not seeing anything bad left in those logs now, so I will get you to do the following:

Files to delete:

== Update MBAM and run it and download the latest SDFix and run it. Running one is obviously not enough. Post all logs please.
Re: Serious Virus won't even let me search for help . . .

Here is the log from the Avenger. Apparently it couldn't find those files. When I woke up this morning, there was a notice from OneCare that it detected about 5 trojans, so I don't know if any of those were them. It kind of freaks me out that the OneCare keeps finding them. And then it gives me the option to subscribe, so I'm all suspicious that it's another scam to get me to buy it. But I would HOPE that Microsoft wouldn't do that.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\WINDOWS\system32\TDSSbvan.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSbvan.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSurta.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSurta.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSaewi.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSaewi.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\TDSSyyvb.dll" not found!
Deletion of file "C:\WINDOWS\system32\TDSSyyvb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.
Re: Serious Virus won't even let me search for help . . .

Here's the HJT log. I ran MBAM in safemode and it found a trojan and a rogue spyware. I tried saving a log in safemode, but I don't know how to get that to show up in regular mode. I also couldn't figure out how to run SDFix in safemode. Is it necessary to run it in safemode? I have it running right now on my desktop, and I'll post that log when it's available.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:29:41 PM, on 11/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Charlie Kierscht\Desktop\Virus Killers\New Folder\Analysethis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ulutil2.dll,SetWriteBack
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedIn...derControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195791662969
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file:///E:/tools/en/bin/npseatools.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 7959 bytes
Re: Serious Virus won't even let me search for help . . .

I ran the SDFix on the desktop, and it came up with a very, very brief log, assuming I'm posting the right thing. The interesting thing is the two things that came up are those files on my desktop I can't get rid of. I'm wondering if they're the source of the trojans coming in. I'm basically suspicious of everything now, trying to figure out why so many keep popping up. Well, I see there's the box that says scan completed successfully, hidden processes 0, hidden services 0, and hidden files 0. Then in some catchme-0.3 box that came up, it lists those two files, and it gives me an option to add, scan, or zip. The files read:

C:\Documents and Settings\Charlie Kierscht\Desktop\CAGHQ7GL:Zone.Identifier
C:\Documents and Settings\Charlie Kierscht\Desktop\CATOMXHN:Zone.Identifier
Re: Serious Virus won't even let me search for help . . .

Run those files through the Avenger following the previous instructions given. AFAIK SDFix only runs in safe mode. I gave instructions on how to get to safe mode in a previous reply.
Re: Serious Virus won't even let me search for help . . .

Sorry for the delay in getting back. I had a film premiere on Friday, and the weekend was pretty hectic. So, here's where it's at: I know how to get to safemode, but the problem I'm having is when I get there, SDFix is nowhere to be found. It's not on the desktop, and it's not in the programs list, so I'm not sure how to run it in safemode. I tried having different versions of it on my desktop, as in, in the folder, in the zipped folder, and also directly on my desktop, and none of those show up in safemode. I finally was able to run Spybot. It found about 95 things, but four of them it couldn't get rid of. It asked if I wanted it to run when the computer restarted and I said sure, and it found those four things, but it never gave me an option to have them removed. While it was scanning, it was naming off a bunch of stuff along the bottom, and quite a few things came up called Zlob, which I know is a bad virus. I wasn't sure if that was just a list of things the program was looking for or if that meant they were on my computer. Malwarebytes is coming up clean when I run it, although it didn't find those 95 things Spybot found. Oh, and I tried to put those two files into Avenger like you said, but I get the following error:

Error: Invalid script. A valid script must begin with a command directive. Aborting execution!

Thanks, Charlie
Re: Serious Virus won't even let me search for help . . .

You MUST put the following into The Avenger, above the files:

Files to delete:

When you get to safe mode, try going to C:\Documents and Settings\username\Desktop and it should be there.
Re: Serious Virus won't even let me search for help . . .

Okay, I found the SDFix in safemode following your guidance. When I got the prompt that says "Type Y to start, A to make a log, and N to exit," I typed "y," and when I hit enter, the program shuts down. Or at least I'm assuming it shuts down because it completely disappears. I'm not sure what I'm doing wrong. Below is the Avenger log from when I tried to have those two mysterious files removed from my desktop. In Avenger I typed in "Delete these files," or however you said it on the other page, and then ran it. It basically says it can't find them.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\Documents and Settings\Charlie Kierscht\Desktop\CAGHQ7GL:Zone.Identifier" not found!
Deletion of file "C:\Documents and Settings\Charlie Kierscht\Desktop\CAGHQ7GL:Zone.Identifier" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Documents and Settings\Charlie Kierscht\Desktop\CATOMXHN:Zone.Identifier" not found!
Deletion of file "C:\Documents and Settings\Charlie Kierscht\Desktop\CATOMXHN:Zone.Identifier" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.
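The ":Zone.Identifier" suffix in catchme's listing (and in the Avenger script above) names an NTFS alternate data stream attached to the Desktop file, the marker Windows writes on downloaded files to record their URL security zone, rather than a separate file. As an added illustration that is not part of the thread, the Python below splits such a path into host file and stream name and reads the zone marker; the stream contents are constructed here, since the posts do not show them.

```python
import configparser
from typing import Optional, Tuple

# Constructed sample: the path exactly as catchme printed it in the post above, plus a
# made-up Zone.Identifier body in the usual shape (ZoneId 3 = Internet zone).
CATCHME_PATH = r"C:\Documents and Settings\Charlie Kierscht\Desktop\CAGHQ7GL:Zone.Identifier"
ZONE_STREAM_BODY = "[ZoneTransfer]\r\nZoneId=3\r\n"

# URL security zone ids used by Internet Explorer and the Attachment Manager.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def split_stream_path(path: str) -> Tuple[str, Optional[str]]:
    """Split 'file:stream' into (file, stream); a path with no stream returns (path, None)."""
    host, sep, stream = path.rpartition(":")
    # The only colon in a plain "C:\dir\file" is the drive letter's, and a stream name never
    # contains a path separator, so a colon followed by a separator is not a stream marker.
    if not sep or not stream or "\\" in stream or "/" in stream:
        return path, None
    return host, stream


def zone_from_stream(body: str) -> Optional[int]:
    """Read ZoneId from a Zone.Identifier stream body; None if it is not well formed."""
    cp = configparser.ConfigParser()
    try:
        cp.read_string(body)
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def describe(path: str, body: str) -> str:
    """Explain what a catchme-style 'file:stream' entry refers to."""
    host, stream = split_stream_path(path)
    if stream is None:
        return f"{host}: plain file, no alternate data stream named"
    if stream.lower() != "zone.identifier":
        return f"{host}: carries alternate data stream '{stream}'"
    zone = zone_from_stream(body)
    label = ZONE_NAMES.get(zone, "unknown zone") if zone is not None else "unreadable"
    return f"{host}: Zone.Identifier stream marks it as downloaded from zone {zone} ({label})"
```

Because the stream belongs to the file CAGHQ7GL, removing the host file removes the stream with it; the stream on its own is only a record of where the file came from.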
Re: Serious Virus won't even let me search for help . . .

What happened the first time you ran SDFix? It must have run ok as you posted the log from it. Can you list the problems you are still having?
Re: Serious Virus won't even let me search for help . . .

I'm not sure why SDFix gave me trouble the second time. Everything seems to be running fine now. The only things still going on are those two files that I can't get rid of from my desktop, and that SPRTCMD.EXE I get on start-up. Do you think I'm in the clear now?
Re: Serious Virus won't even let me search for help . . .

Maybe I spoke too soon. Windows Live OneCare just found and removed a trojan downloader, but, I suppose that's just part of being on the Internet.
Re: Serious Virus won't even let me search for help . . .

What is SPRTCMD.EXE doing? Do you have hidden files/folders set to show? If so, set it back to normal and see if those files go from your desktop. Otherwise, tell me the full and complete filepath to them and we will try to clean them up.
Re: Serious Virus won't even let me search for help . . .

The location for those mysterious files is as follows:

C:\Documents and Settings\Charlie Kierscht\Desktop

The names are: CAT0MXHN. and CAGHQ7GL.

I'm not sure if the hidden files option is on or not. Concerning the other recurring issue, this is what happens. Upon start-up, the computer will load, and when it's all done, I get a message that comes up on the screen and it says:

SPRTCMD.EXE Unable to Locate Component (this is in the blue part of the box)
This application has failed to start because LIBEAY32.dll was not found. Re-installing the application may fix this problem.

If I click "ok," it disappears, then shows up a second time, and when I click "ok" again, it goes away. I haven't the slightest idea what effect this is having on my computer, if anything, and even less of an idea what application it's talking about.
Re: Serious Virus won't even let me search for help . . .

SPRTCMD.EXE is something to do with the Dell support service. See if you can find it in msconfig and disable the startup. You need to take a look in Folder Options to see if hidden files are set to visible.
Re: Serious Virus won't even let me search for help . . .

Okay, removing the SPRTCMD from the msconfig start-up screen did the trick. As far as the folder options, I can't find that. I looked on Google and from what I could determine it should be under the tools section of IE, but it's not there. What should I do?
Re: Serious Virus won't even let me search for help . . .

No, it's not in IE. Look in the Control Panel. It should be there; otherwise open any Windows folder and on the TOOLS tab there should be an option to enter the folder options from there.
©2003 - 2009 DaniWeb® LLC