0

Ive done some research on this and i see there are a few variations of this floating around.
This one prevents me from running spybot and disables zone alarm. Hy home page is unaffected and the computer seems to be running otherwise normally. Ive DL HJT but I
need some help starting from here.

Also im unable to download AVG because it says i don't have the correct windows configuration. I'm running XP so that kind of baffled me.

Wow apparently I cannot run HJT either i double click on the icon but nothing happens. Please help!

2
Contributors
4
Replies
5
Views
9 Years
Discussion Span
Last Post by crunchie
0

Sorry to bump my own thread here but i tried to edit the OP and it wouldnt let me. This appears to be the 'XP Security Center' malware version of 'Your computer is infected!' 'windows has detected spyware infection!' It seems to be relatively new and as i stated previously I cant run spybot or HJt in reg or safe mode. I succesfully ran Adaware a it removed some stuff but the red x and balloon still remain. Someone also suggested bullguard but theres an error when i try and dl the trial version and also the same thing happens when i try and DL AVG. THis is getting annoying please help!

0

Crunchie thank you for trying to help. After googling for over 2 hours and dling several spyware removal tools that promised to remove the xp security trojan only to find out I'd have to get the full version for removal I finally stumbled upon Malewarebyte's Anti-Malware
and voila problem solved. After removing the nasties was i able to succesfully run hjt and spybot and everything seems to be back to normal. If u dont mind here is the my hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:49 AM, on 6/26/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 62.75.224.159 home.edonkey2000.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Policies\Explorer\Run: [{C43866F6-0511-1033-0220-010828000001}] "C:\Program Files\Common Files\{C43866F6-0511-1033-0220-010828000001}\Update.exe" mc-110-12-0000103
O4 - HKUS\S-1-5-18\..\Run: [Starting up] wvsvc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nortons AV SYSTEM] scvchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Windows Processe Manager] mspn32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Windows Processe Manager] mspn32.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Starting up] wvsvc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [Windows Processe Manager] mspn32.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: ActiveGS.cab - http://www.virtualapple.org/activegs.cab
O16 - DPF: QWERTY by pogo - http://game1.pogo.com/applet-6.7.3.30/squares/squares-en_US.cab
O16 - DPF: Yahoo! Fleet - http://origin.games.yahoo.net/games/clients/y/fltt3_x.cab
O16 - DPF: Yahoo! Hearts - http://download2.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: Yahoo! Literati - http://origin.games.yahoo.net/games/clients/y/tt5_x.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://ecourt.maricopa.gov/includes/ScriptX.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9563.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122113763814
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175571768886
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.taxsimple.org/tsweb/msrdp.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab67031.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://sympatico.zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E960A0F2-6231-4C1D-BCDE-3847772FC745}: NameServer = 68.238.64.12,68.238.128.12
O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat
O21 - SSODL: mtklefa - {41BC1989-2799-4F2C-1E80-5BEC92D8FA06} - (no file)
O21 - SSODL: mtklefap - {F1464304-3030-4B95-88A9-6E68C6868AF5} - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 6365 bytes

If you see anything that doesnt belong I would appreciate any help and any suggestions to prevent this from happening again would be rgeatly appreciated.

0

I cannot see how your pc is back to normal as the hijackthis log shows that it is still infected.

==

Can you please do the following.

===============

Scan with HijackThis and then place a check next to all the following, if present:

 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) 


 O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)  O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file) 


 O4 - HKCU\..\Policies\Explorer\Run: [{C43866F6-0511-1033-0220-010828000001}] "C:\Program Files\Common Files\{C43866F6-0511-1033-0220-010828000001}\Update.exe" mc-110-12-0000103  O4 - HKUS\S-1-5-18\..\Run: [Starting up] wvsvc.exe (User 'SYSTEM')  O4 - HKUS\S-1-5-18\..\Run: [Nortons AV SYSTEM] scvchost.exe (User 'SYSTEM')  O4 - HKUS\S-1-5-18\..\Run: [Windows Processe Manager] mspn32.exe (User 'SYSTEM')  O4 - HKUS\S-1-5-18\..\RunServices: [Windows Processe Manager] mspn32.exe (User 'SYSTEM')  O4 - HKUS\.DEFAULT\..\Run: [Starting up] wvsvc.exe (User 'Default user')  O4 - HKUS\.DEFAULT\..\RunServices: [Windows Processe Manager] mspn32.exe (User 'Default user') 


 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
...(Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)


 O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)  O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)  O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)  O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)  O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)  O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)  O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) 


 O20 - AppInit_DLLs: C:\WINDOWS\System32\cru629.dat 


 O21 - SSODL: mtklefa - {41BC1989-2799-4F2C-1E80-5BEC92D8FA06} - (no file)  O21 - SSODL: mtklefap - {F1464304-3030-4B95-88A9-6E68C6868AF5} - (no file) 

Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

folders...

C:\Program Files\Common Files\{C43866F6-0511-1033-0220-010828000001}

Search for...

wvsvc.exescvchost.exemspn32.exe

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear.

Select the first option to run Windows in Safe Mode hit enter.

-

Reboot.

===============

Please download ComboFix

You must download it to and run it from your Desktop
Physically disconnect from the internet.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Note:Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Edited by happygeek: fixed formatting

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.