0

Have tried different approaches with no favorable results. It has disabled Avast! and whenever I delete the files with MBAM and reboot, it forces the computer to reboot again hence reinstalling itself all over again.

HijackThis won't start up at all.

Any help greatly appreciated.

----------------------------------------------------------------------------
MBAM:
----------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.39
Database version: 2547
Windows 5.1.2600 Service Pack 2

8/3/2009 1:02:03 AM
mbam-log-2009-08-03 (01-02-03).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 190406
Time elapsed: 33 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\hp_administrator\Desktop\avenger.exe (Trojan.Agnet) -> Quarantined and deleted successfully.
c:\documents and settings\hp_administrator\local settings\temporary internet files\Content.IE5\MKOYB64Q\Install[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP82\A0018800.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP82\A0018809.exe (Trojan.Banker) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP82\A0018779.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP82\A0018799.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv521249195745.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv371249179083.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv481248190332.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv851249202403.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

4
Contributors
17
Replies
18
Views
8 Years
Discussion Span
Last Post by jholland1964
0

Yes, I can. I will proceed doing the scans. Meanwhiles, the critical areas scan is complete.

----------------------------------------------------------------------------
Critical Areas Scan:
----------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, August 3, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, August 03, 2009 16:57:22
Records in database: 2577101

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics
Files scanned 50042
Threat name 5
Infected objects 7
Suspicious objects 0
Duration of the scan 01:13:32

File name Threat name Threats count
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan-PSW.Win32.Agent.mzh 1

C:\WINDOWS\cru629.dat Infected: Backdoor.Win32.Small.ejx 1

C:\WINDOWS\system32\cru629.dat Infected: Backdoor.Win32.Small.ejx 1

C:\WINDOWS\system32\dllcache\beep.sys Infected: Backdoor.Win32.UltimateDefender.igs 1

C:\WINDOWS\system32\drivers\beep.sys Infected: Backdoor.Win32.UltimateDefender.igs 1

C:\WINDOWS\system32\wisdstr.exe Infected: Trojan-Downloader.Win32.FraudLoad.fdl 1

C:\WINDOWS\Temp\wpv531249202403.exe Infected: Trojan-Downloader.Win32.Boltolog.gyp 1

The selected area was scanned.

0

You have a really nasty infection there. Was the online scanner able to remove those threats?
Please post a fresh Mbam log in your next reply.

0

Well, the joys of letting other people to use your computer to "check something really quick" :)

I didn't see an option for getting rid of the infected files on the online scanner.


Thanks again for your guidance, it is very appreciatted.

Running MBAM full scan for fresh log.

Attachments scannerc.jpg 71.06 KB
0

You need to make sure that no other antivirus software is running for the online scan.

0

Kaspersky scan of My Computer:

----------------------------------------------------------------------------
My Computer Scan:
----------------------------------------------------------------------------


Monday, August 3, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, August 03, 2009 16:57:22
Records in database: 2577101

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan statistics
Files scanned 106137
Threat name 7
Infected objects 10
Suspicious objects 0
Duration of the scan 02:31:53

File name Threat name Threats count
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan-PSW.Win32.Agent.mzh 1

C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Opera\Opera\profile\cache4\opr07TMK Infected: Exploit.JS.Pdfka.pe 1

C:\Documents and Settings\HP_Administrator\Local Settings\Temp\RarSFX0\install.exe Infected: Trojan-Downloader.Win32.Boltolog.gyl 1

C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\CSHU78I4\Install[1].exe Infected: Trojan-Downloader.Win32.FraudLoad.fdl 1

C:\WINDOWS\cru629.dat Infected: Backdoor.Win32.Small.ejx 1

C:\WINDOWS\system32\cru629.dat Infected: Backdoor.Win32.Small.ejx 1

C:\WINDOWS\system32\dllcache\beep.sys Infected: Backdoor.Win32.UltimateDefender.igs 1

C:\WINDOWS\system32\drivers\beep.sys Infected: Backdoor.Win32.UltimateDefender.igs 1

C:\WINDOWS\system32\wisdstr.exe Infected: Trojan-Downloader.Win32.FraudLoad.fdl 1

C:\WINDOWS\Temp\wpv531249202403.exe Infected: Trojan-Downloader.Win32.Boltolog.gyp 1

The selected area was scanned.

0

----------------------------------------------------------------------------
Latest MBAM Log:
----------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.39
Database version: 2547
Windows 5.1.2600 Service Pack 2

8/3/2009 3:10:37 PM
mbam-log-2009-08-03 (15-10-37).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 193590
Time elapsed: 35 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Delete on reboot.
c:\documents and settings\hp_administrator\local settings\temporary internet files\Content.IE5\CSHU78I4\Install[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP84\A0020916.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{106cf321-99a3-4e3a-9103-1bd027606a99}\RP84\A0020917.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv291249195745.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv531249202403.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv871249179083.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\wpv921248190332.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

0

Bad news. Right after I gave permission to MBAM to restart the computer so it could get rid of malicious files, the computer went on a boot loop.

Right when the screen for Windows XP start loading, it gets interrupted. It doesn't reach any other screens. Trying to boot it on safe mode makes a list of .dll files on system32 appear but ultimately just flashes a brief blue error screen and go back to a boot loop.

Reverting to a safe point gives me a blue screen and boot loop.

I have my old girl on System Recovery running some device and driver tests for now.

0

I did a System Restore without deleting my files; Homeantivirus2010 has not shown up but Im scared of rebooting my PC in case it does.

I took this oportunity to run HijackThis while I can, here's the log.

------------------------------------------------------------------------
HijackThis Log
------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:08 PM, on 8/3/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\hp\bin\cloaker.exe
C:\WINDOWS\system32\cmd.exe
C:\hp\bin\cloaker.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\hp\bin\cloaker.exe
c:\windows\i386\winnt32.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdMgr.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PCDrProfiler] "C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" -r
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] "c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe /run
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Ventrilo.lnk = C:\Program Files\Ventrilo\Ventrilo.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL (file missing)
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10949 bytes

0

I've got the same homeantivirus2010 invasion. It keeps disarming any tool I bring to bear against it: Avast, RunScanner, MBAM, Sophos Anti-Rootkit, HijackThis, SpywareDoctor (which keeps claiming to have removed all the infective agents, even though they keep reappearing).

One nasty piece of work. Nastiest I've seen in years.

-- stan

0

I've got the same homeantivirus2010 invasion. It keeps disarming any tool I bring to bear against it: Avast, RunScanner, MBAM, Sophos Anti-Rootkit, HijackThis, SpywareDoctor (which keeps claiming to have removed all the infective agents, even though they keep reappearing).

One nasty piece of work. Nastiest I've seen in years.

-- stan

Stanley, you need to begin your own thread and not post in another person's thread for help. Leads only to confusion for both posters and to those attempting to help.
Make your own post and somebody will help you.

0

Stanley, you need to begin your own thread and not post in another person's thread for help. Leads only to confusion for both posters and to those attempting to help.
Make your own post and somebody will help you.

Thanks for suggestion. Not here for help, just seeking data on this particular nasty, and wanted to provide some additional reinforcing experience. Apologies for breaking DW thread etiquette.

-- stan

0

Shakespeare, system restore should never ever be used to try to remove an infection. It was not designed for that purpose at all.

I have been reliably informed than the online scanner I got you to run no longer removes what it finds.

Please go to the Eset online scanner and give that a go.

0

My apologies, I found no other way to get the machine out of the boot loop.

All forms of Safe Mode were not working.

0

I ran ESET and selected the option to get rid of infected files. Once it was done, I ran it once more to make sure. It turned back 0 results.

I now ran MBAM for a new log.

Malwarebytes' Anti-Malware 1.40
Database version: 2581
Windows 5.1.2600 Service Pack 2

8/8/2009 7:50:46 PM
mbam-log-2009-08-08 (19-50-46).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 208408
Time elapsed: 32 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP2\A0001079.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv021248190332.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.

0

Machine works again, but Im worried of any traces. Any way I could get a scan of my machine evaluated, please?

Thank you : )

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.