
Hello,

So for about a week, I've been running scans regularly using Spybot S&D, SUPERAntiSpyware, and Spy Hunter, but it hasn't gotten rid of the VIRUS ALERT! at the bottom right corner of my taskbar. Also, it oddly changed my clock to military time.

Control Panel and My Computer, My Documents, etc. are nowhere to be found. Can someone help?

Here is my HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:25: VIRUS ALERT!, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Gabe\Desktop\ATF-Cleaner.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02ECFC70-4CCC-445B-9F26-E920278207A4} - (no file)
O2 - BHO: (no name) - {077F6650-2B8E-40A5-BE6A-3D132290131E} - (no file)
O2 - BHO: (no name) - {0F19D790-B85C-4FFB-8708-73858B42FF16} - (no file)
O2 - BHO: (no name) - {15379EEB-59A8-41B3-A54B-DADC487B196E} - (no file)
O2 - BHO: (no name) - {20C27E92-B7F7-4634-A9BD-4E4E6AE8B970} - (no file)
O2 - BHO: (no name) - {3D4432D8-EAB2-4F53-BE30-BC8C20275116} - (no file)
O2 - BHO: (no name) - {44AEEC12-145D-4DB4-BA1A-9B4671BCDE67} - (no file)
O2 - BHO: (no name) - {4BCCE840-DC95-423F-8889-A9FF6864E515} - (no file)
O2 - BHO: (no name) - {50C27873-DA8A-4911-BFF4-32AD422F4B10} - (no file)
O2 - BHO: (no name) - {5D3838C9-7B6F-432A-8403-41AE60D8D554} - (no file)
O2 - BHO: (no name) - {5FE99CA8-25A2-4DE7-97D3-FFDCF7443C4E} - (no file)
O2 - BHO: (no name) - {650F7F9D-830C-4D5F-AB38-D294A29FBA22} - C:\WINDOWS\system32\vtUlKBRL.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9203AAD0-CA84-4064-899D-8EF46B7F2148} - (no file)
O2 - BHO: (no name) - {B3D5C948-EF59-43CC-8D1D-E6DDF659ED92} - (no file)
O2 - BHO: (no name) - {B7912978-55B7-419B-880E-5595BB2E67D5} - C:\WINDOWS\system32\opnnmLDu.dll (file missing)
O2 - BHO: (no name) - {C0AB3E98-A48C-40CC-80A1-84A7BD49A0EB} - (no file)
O2 - BHO: (no name) - {E3AE52FC-C698-4ADB-9A18-FFFFD81A58AE} - (no file)
O2 - BHO: (no name) - {F4B2B84A-0BCF-42C3-B6DF-6FCB44D5332E} - C:\WINDOWS\system32\fcccATlj.dll (file missing)
O2 - BHO: {c21173e3-6541-ca7b-de64-72cf0a8fa9af} - {fa9af8a0-fc27-46ed-b7ac-14563e37112c} - C:\WINDOWS\system32\pwxeew.dll (file missing)
O2 - BHO: (no name) - {FD5077BC-36C9-4272-B673-BD947530F432} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: pwxeew.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SysSetDrive - {50eda071-7050-44f4-bf3b-1fde39191eab} - C:\WINDOWS\Resources\SysSetDrive.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9526 bytes


I'd really appreciate any help. Thanks.


Before you do anything please go in and STOP AdAware service from running on the computer. This could interfere with any fixes attempted. Also turn off AVG Anti-Spyware 7.5. This program can actually be uninstalled as it is out of date and no longer supported and also could interfere with attempted fixes. The newest version is now contained within AVG 8 antivirus program. Turn off that Spyware Hunter program also. This could interfere also. Also, this does not appear to contain an antivirus program or firewall.

One thing you are showing on the log is the VistaAntivirus2008 program which is a Rogue anti-spy program. You need to do the following which WILL remove this and other items, maybe not all but if we can get this thing off there then maybe we can get busy on some of the other scans you need to do;
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

  • DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

You also do not appear to be running either an anti-virus program or a firewall. Both of these are absolute musts. There are several good free ones of each available noted in this sticky at the top of the page PC Protection - How To Avoid Infections. The choice is yours but pick one of each and install and use them ALWAYS.

Once you have run and cleaned whatever is noted by the Malwarebytes' Anti-Malware program then reboot and run HiJackThis and place checkmarks next to the following entries if they still exist;

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: (no name) - {02ECFC70-4CCC-445B-9F26-E920278207A4} - (no file)
O2 - BHO: (no name) - {077F6650-2B8E-40A5-BE6A-3D132290131E} - (no file)
O2 - BHO: (no name) - {0F19D790-B85C-4FFB-8708-73858B42FF16} - (no file)
O2 - BHO: (no name) - {15379EEB-59A8-41B3-A54B-DADC487B196E} - (no file)
O2 - BHO: (no name) - {20C27E92-B7F7-4634-A9BD-4E4E6AE8B970} - (no file)
O2 - BHO: (no name) - {3D4432D8-EAB2-4F53-BE30-BC8C20275116} - (no file)
O2 - BHO: (no name) - {44AEEC12-145D-4DB4-BA1A-9B4671BCDE67} - (no file)
O2 - BHO: (no name) - {4BCCE840-DC95-423F-8889-A9FF6864E515} - (no file)
O2 - BHO: (no name) - {50C27873-DA8A-4911-BFF4-32AD422F4B10} - (no file)
O2 - BHO: (no name) - {5D3838C9-7B6F-432A-8403-41AE60D8D554} - (no file)
O2 - BHO: (no name) - {5FE99CA8-25A2-4DE7-97D3-FFDCF7443C4E} - (no file)
O2 - BHO: (no name) - {650F7F9D-830C-4D5F-AB38-D294A29FBA22} - C:\WINDOWS\system32\vtUlKBRL.dll (file missing)
O2 - BHO: (no name) - {9203AAD0-CA84-4064-899D-8EF46B7F2148} - (no file)
O2 - BHO: (no name) - {B3D5C948-EF59-43CC-8D1D-E6DDF659ED92} - (no file)
O2 - BHO: (no name) - {B7912978-55B7-419B-880E-5595BB2E67D5} - C:\WINDOWS\system32\opnnmLDu.dll (file missing)
O2 - BHO: (no name) - {C0AB3E98-A48C-40CC-80A1-84A7BD49A0EB} - (no file)
O2 - BHO: (no name) - {E3AE52FC-C698-4ADB-9A18-FFFFD81A58AE} - (no file)
O2 - BHO: (no name) - {F4B2B84A-0BCF-42C3-B6DF-6FCB44D5332E} - C:\WINDOWS\system32\fcccATlj.dll (file missing)
O2 - BHO: {c21173e3-6541-ca7b-de64-72cf0a8fa9af} - {fa9af8a0-fc27-46ed-b7ac-14563e37112c} - C:\WINDOWS\system32\pwxeew.dll (file missing)
O2 - BHO: (no name) - {FD5077BC-36C9-4272-B673-BD947530F432} - (no file)

O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe

O20 - AppInit_DLLs: pwxeew.dll

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Once you have placed checkmarks next to all of the above entries then click the Fix Checked button.
Exit HiJackThis.
Reboot the computer and run HiJackThis one more time. Save the log.
Come back here and post that log along with the MBA-M log.

Edited by mike_2000_17: Fixed formatting
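A small triage script for the HijackThis entry types singled out in the reply above (orphaned O2 BHOs, the O4 rogue-AV autorun, O20 AppInit_DLLs, the O24 desktop component). This is an added example, not the poster's or the forum's tool; the sample log lines and the one-entry rogue list are constructed for illustration, and it goes one step further than the reply by cross-referencing the AppInit DLL against the BHO list.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v2 log format, modelled on the entry
# types discussed in this thread. Not the poster's full log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {02ECFC70-4CCC-445B-9F26-E920278207A4} - (no file)
O2 - BHO: (no name) - {B7912978-55B7-419B-880E-5595BB2E67D5} - C:\WINDOWS\system32\opnnmLDu.dll (file missing)
O2 - BHO: {c21173e3-6541-ca7b-de64-72cf0a8fa9af} - {fa9af8a0-fc27-46ed-b7ac-14563e37112c} - C:\WINDOWS\system32\pwxeew.dll (file missing)
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O20 - AppInit_DLLs: pwxeew.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# Constructed stand-in for a rogue-AV signature list (a real one is a
# maintained database). vav.exe is the VistaAntivirus2008 entry named above.
ROGUE_AUTORUN_FILES = {"vav.exe"}

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll))"?', re.IGNORECASE)

def parse_entries(log_text):
    """Return (section, body) pairs for each HJT entry line; skip everything else."""
    out = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def basename(body):
    m = PATH_RE.search(body)
    return PureWindowsPath(m.group(1)).name.lower() if m else None

def triage(log_text):
    """Return [(section, reason, body)] for entries that deserve a second look."""
    entries = parse_entries(log_text)
    # AppInit_DLLs are loaded into every process that maps user32.dll
    appinit = {d.lower() for s, b in entries if s == "O20" and b.startswith("AppInit_DLLs:")
               for d in re.split(r"[,\s]+", b.split(":", 1)[1]) if d}
    findings = []
    for section, body in entries:
        if section == "O2" and ("(no file)" in body or "(file missing)" in body):
            reason = "orphaned BHO (DLL gone)"
            if basename(body) in appinit:
                reason += ", same DLL is also in AppInit_DLLs"
            findings.append((section, reason, body))
        elif section == "O20" and body.startswith("AppInit_DLLs:") and appinit:
            findings.append((section, "AppInit_DLLs is normally empty on XP", body))
        elif section == "O24" and "file:///" in body.lower():
            findings.append((section, "desktop component points at a local HTML file", body))
        elif section == "O4" and basename(body) in ROGUE_AUTORUN_FILES:
            findings.append((section, "autorun matches rogue-AV list", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section:4} {reason}: {body}")
```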

One important thing to remember, stick to one anti-spyware/scan service... there are a lot of rogues out there

If it still does not seem to work after running the program jholland has suggested, try turning off restore point, sometimes this can interfere with the scanning process as well

If all else fails, try doing this all in safe mode

Also, if you are using IE, try switching to Firefox, it is much more secure, and in my opinion, faster

If it still does not seem to work after running the program jholland has suggested, try turning off restore point, sometimes this can interfere with the scanning process as well

No! That is not a good idea!

We prefer to have System Restore enabled. We operate under the assumption that "an infected Restore Point is better than none at all."

We instruct people to Flush System Restore AFTER the malware cleaning process is completed.

PP :)

One important thing to remember, stick to one anti-spyware/scan service... there are a lot of rogues out there

If it still does not seem to work after running the program jholland has suggested, try turning off restore point, sometimes this can interfere with the scanning process as well

If all else fails, try doing this all in safe mode

Also, if you are using IE, try switching to Firefox, it is much more secure, and in my opinion, faster

Sorry, have to disagree here. The rule is one anti-virus program and one firewall, but not one anti-spy program. While I don't suggest running a huge number, more than one is generally what is advised. Each anti-spy program looks for different things and different types of malware; what one finds another may not. Yes, there are a lot of rogue programs out there and one should follow the advice given at forums like this one and several of the other well respected forums. Most all recommend using at least two.
I would also disagree on using System Restore to roll back to a time before the infection. Most of the time people do not know exactly when that infection entered the computer, so picking the correct restore point would be pretty much a shot in the dark. Plus, with the use of cleaning tools like MBA-M and others which may be recommended, one should leave System Restore running unless specifically told to disable it by the person helping with the clean up. These are very powerful tools, and yes a mistake can be made, and without System Restore running a mistake cannot be corrected if needed.
In this sticky, Read me before posting a request for assistance, at the top of this page, the instruction is VERY CLEAR

Please familiarize yourself with the following instructions as you will be asked to perform them at various points in the cleaning process:

• Booting to Safe Mode

• Enabling the Viewing of Hidden Files

• Turning Off (Disabling) System Restore - (Windows ME / XP / Vista Only)

You will need to flush your restore points AFTER the fixing process has been completed to ensure that no malware is preserved. This is done by disabling and then re-enabling System Restore as per the above link.
With the addition of such tools as ComboFix, much of the malware removal process is “automated” these days and the above will be done for you via instructions for these types of tools. Still, it is good to be familiar with these procedures in the event you need to manually track down and remove stubborn malware.
