Hi, I got one of many messages from my friends on MSN that I should check out a file... I was foolish enough to open it... after many encouraging auto messages from my pals over MSN, so I opened it, and now every 30 secs my MSN Messenger keeps sending IMs to my friends about that virus file.
Also every 5 minutes or so my Kaspersky tells me I've got a virus and then it resolves the problem, and 5 minutes after it does it again.
My HijackThis Log reads:
Also I should add that my computer gave me popups with http://web.links4all.biz/ and still had the ToolBar888 even though I have uninstalled it via CCleaner. Just in case, here is a newer HJT log:
-
Logfile of HijackThis v1.99.1
Scan saved at 21:34:35, on 17-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Please help, I urgently need help so I can share the solution with my friends before this gets out of hand: how to remove this really *** virus/malware.
_
PS the link to the virus is http://www.uglyphotos.net /photo223.PIF
Do not open the file once downloaded, I hold no responsibility. NOTE: I separated part of the link so as to avoid users automatically clicking on the link, downloading and being infected. -J$3457
Hi deadly, please do the following steps (in order). Make sure that you can see hidden files:
Click Start.
Click My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Uncheck the Hide file extensions for known file types.
Click OK.
Then first download ewido anti-spyware from HERE and save that file to your desktop.
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Close ewido anti-spyware and reboot your computer into Safe Mode.
Launch ewido anti-spyware by double-clicking the icon on your desktop. IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
Ewido will now begin the scanning process, be patient this may take a little time.
Ewido will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine; if not, click on Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Hi, thanks for the fast reply; here is the ewido log:
-
ewido anti-spyware - Scan Report
+ Created at: 21:00:47 18-09-2006
+ Scan result:
C:\Programmer\Fælles filer\{98F20E2E-0AF9-1030-0811-05022106002d}\Update.exe -> Adware.Agent : No action taken.
C:\Programmer\Fælles filer\{98F20E2E-0AFA-1030-0811-05022106002d}\Update.exe -> Adware.Agent : No action taken.
C:\Documents and Settings\Edward Hansen\mt-uninstaller.exe -> Adware.PurityScan : No action taken.
C:\WINDOWS\system32\bveepzpv.dll -> Adware.PurityScan : No action taken.
C:\Programmer\ToolBar888 -> Adware.Softomate : No action taken.
C:\Programmer\ToolBar888\Activate.exe -> Adware.Softomate : No action taken.
C:\Programmer\ToolBar888\MyToolBar.dll -> Adware.Softomate : No action taken.
C:\Programmer\ToolBar888\Uninst.exe -> Adware.Softomate : No action taken.
C:\Documents and Settings\Edward Hansen\3.exe/dev.exe -> Backdoor.Rbot.biz : No action taken.
C:\Documents and Settings\Edward Hansen\Lokale indstillinger\Temporary Internet Files\Content.IE5\HE8IZ1F8\3[1].exe/dev.exe -> Backdoor.Rbot.biz : No action taken.
C:\Documents and Settings\Edward Hansen\Lokale indstillinger\Temp\installer.exe -> Dropper.PurityScan.q : No action taken.
C:\Documents and Settings\Edward Hansen\Lokale indstillinger\Temporary Internet Files\Content.IE5\HE8IZ1F8\Xinstall[1].exe -> Heuristic.Win32.Morphine-Crypted : No action taken.
C:\Programmer\MSN Messenger\Xinstall.exe -> Heuristic.Win32.Morphine-Crypted : No action taken.
C:\WINDOWS\system32\Xinstall.exe -> Heuristic.Win32.Morphine-Crypted : No action taken.
C:\Documents and Settings\Edward Hansen\Lokale indstillinger\Temporary Internet Files\Content.IE5\74J8H3EJ\speedtest2[1].dll -> Not-A-Virus.Downloader.Win32.InsTool.a : No action taken.
C:\WINDOWS\Downloaded Program Files\speedtest2.dll -> Not-A-Virus.Downloader.Win32.InsTool.a : No action taken.
C:\Programmer\Cheat Engine\dbk32.sys -> Rootkit.Small : No action taken.
C:\Documents and Settings\Edward Hansen\Cookies\edward hansen@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.
::Report end
-
But the evil ToolBar888 is still there, and my Windows Messenger is still not functional.
-
Plus I have added a HJT report again.
-
Logfile of HijackThis v1.99.1
Scan saved at 21:16:48, on 18-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Do you use MSN Messenger or Windows Messenger? People usually confuse the two as the same, but they're separate, and Windows Messenger is known to be associated with spyware. But please do the following: run the following scanner. It basically scans for spyware A-Z, and if/when spyware is detected it'll prompt you to either ignore or remove; obviously click remove. It won't create a report at the end, so don't worry about that, but if possible please let me know if and what it found, along with a new HJT log after a fresh reboot after running this scanner ---> http://www.xblock.com/download/xclean_micro.exe
Okay, I have rebooted, and as soon as I got into Windows I got a nice little virus warning with !Update!...some numbers virus.
The 888 toolbar is still there and I can't uninstall it, because CCleaner and the Control Panel uninstaller tell me that the uninstaller is gone.
Anyway, here is my HJT report:
-
Logfile of HijackThis v1.99.1
Scan saved at 21:28:51, on 18-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
PS: I am using the new "Windows Live Messenger" (The Microsoft Windows Vista substitute for the MSN Messenger)
PS: Even though the 888 Toolbar is still there in the toolbars that can be activated, it cannot be opened (shown), and I can't uninstall it.
PS: I have a weird program in my startup and running processes, MSIexec.exe, which is weird because it looks like an installer...
PS: The virus being found every time I start my computer is called "!update-4295[1].0000"
Open hijackthis 1.99.1
- Click the Config... button, then go to the Misc Tools section.
- Click on Open Uninstall Manager. You'll see a list of programs.
- Click on Save List...
The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.
3DMark06
Ad-Aware SE Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Photoshop Elements 4.0
Adobe Reader 7.0.8
Adobe Shockwave Player
Adobe Stock Photos 1.0
Alive MP3 WAV Converter version 3.0.2.8
AsusUpdate
Battlefield 2(TM)
Battlefield 2: Special Forces
CCleaner (remove only)
Cheat Engine 5.2
CP210x USB to UART Bridge Controller
Creative Audio Console
Darkstar One
DefilerPak 1.22 (Remove Only)
Engelsk Large
Evil Genius V1.01
ewido anti-spyware 4.0
FlashFXP v3.2.0 (Build 1080) Scene Edition
Fraps (remove only)
Gyldendals Røde Ordbøger Dansk-Engelsk/Engelsk-Dansk Ordbog
Hide IP Platinum 2.2
High Definition Audio Driver Package - KB835221
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Windows XP (KB915865)
Hotfix til Windows XP (KB914440)
iColorFolder
IGN Download Manager 2.2.1
J2SE Runtime Environment 5.0 Update 7
Kaspersky Anti-Virus Personal
KhalSetup
LEGO Star Wars
LEGO Star Wars II
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Logitech SetPoint
Marvell Miniport Driver
MediaTickets by OIN
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Danish Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Language Pack - DAN
Microsoft Base Smart Card Crypto-udbyder
Microsoft Office Professional Edition 2003
Microsoft Plus! for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Microsoft Visual C++ 2005 Redistributable
mIRC
MSXML 4.0 SP2 Parser and SDK
Nero 7 Ultra Edition
Norton Ghost 10.0
NVIDIA Drivers
Oblivion
Opdatering til Windows XP (KB894391)
Opdatering til Windows XP (KB898461)
Opdatering til Windows XP (KB900485)
Opdatering til Windows XP (KB904942)
Opdatering til Windows XP (KB908531)
Opdatering til Windows XP (KB910437)
Opdatering til Windows XP (KB916595)
Opdatering til Windows XP (KB920872)
Opdatering til Windows XP (KB922582)
Opera 9.01
Politikens Tysk-Dansk-Tysk
PortTrigger 1.0.57
Postal 2 Apocalypse Weekend Expansion Pack
Postal 2 Share The Pain
PowerDVD
PowerISO
Quake 4(TM)
QuickTime Alternative 1.71 Beta 2
Q-Xpress Installer 1.1.4
RealPlayer
Realtek High Definition Audio Driver
Registry Mechanic 5.2
Samsung Mobie USB Driver Installer
Samsung Mobile USB Modem Software
Samsung PC Studio 2.0 PIM & File Manager
Security Update til Microsoft .NET Framework 2.0 (KB917283)
SereneScreen Marine Aquarium 2.6
Sikkerhedsopdatering til Windows Media Player (KB911564)
Sikkerhedsopdatering til Windows Media Player 10 (KB917734)
Sikkerhedsopdatering til Windows Media Player 9 (KB917734)
Sikkerhedsopdatering til Windows XP (KB890046)
Sikkerhedsopdatering til Windows XP (KB893756)
Sikkerhedsopdatering til Windows XP (KB896358)
Sikkerhedsopdatering til Windows XP (KB896422)
Sikkerhedsopdatering til Windows XP (KB896423)
Sikkerhedsopdatering til Windows XP (KB896424)
Sikkerhedsopdatering til Windows XP (KB896428)
Sikkerhedsopdatering til Windows XP (KB899587)
Sikkerhedsopdatering til Windows XP (KB899589)
Sikkerhedsopdatering til Windows XP (KB899591)
Sikkerhedsopdatering til Windows XP (KB900725)
Sikkerhedsopdatering til Windows XP (KB901017)
Sikkerhedsopdatering til Windows XP (KB901214)
Sikkerhedsopdatering til Windows XP (KB902400)
Sikkerhedsopdatering til Windows XP (KB904706)
Sikkerhedsopdatering til Windows XP (KB905414)
Sikkerhedsopdatering til Windows XP (KB905749)
Sikkerhedsopdatering til Windows XP (KB908519)
Sikkerhedsopdatering til Windows XP (KB911280)
Sikkerhedsopdatering til Windows XP (KB911562)
Sikkerhedsopdatering til Windows XP (KB911567)
Sikkerhedsopdatering til Windows XP (KB911927)
Sikkerhedsopdatering til Windows XP (KB912919)
Sikkerhedsopdatering til Windows XP (KB913580)
Sikkerhedsopdatering til Windows XP (KB914388)
Sikkerhedsopdatering til Windows XP (KB914389)
Sikkerhedsopdatering til Windows XP (KB916281)
Sikkerhedsopdatering til Windows XP (KB917159)
Sikkerhedsopdatering til Windows XP (KB917344)
Sikkerhedsopdatering til Windows XP (KB917422)
Sikkerhedsopdatering til Windows XP (KB917953)
Sikkerhedsopdatering til Windows XP (KB918439)
Sikkerhedsopdatering til Windows XP (KB918899)
Sikkerhedsopdatering til Windows XP (KB919007)
Sikkerhedsopdatering til Windows XP (KB920214)
Sikkerhedsopdatering til Windows XP (KB920670)
Sikkerhedsopdatering til Windows XP (KB920683)
Sikkerhedsopdatering til Windows XP (KB920685)
Sikkerhedsopdatering til Windows XP (KB921398)
Sikkerhedsopdatering til Windows XP (KB921883)
Sikkerhedsopdatering til Windows XP (KB922616)
Skype 2.5
Softick PPP 2.21 (remove only)
SoulSeekkor's TQ Defiler
Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
Star Wars®: Knights of the Old Republic (TM)
Steam
System Requirements Lab
TI Connect 1.6
Titan Quest
Unlocker 1.8.4
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Click the F-Secure Online Scanner Next Generation Beta link.
When prompted, choose to install the software.
After the software has installed, click Accept.
Click Custom Scan and check the option for Scan inside archives, then click Start.
The necessary databases will then be downloaded, and the scan will then start automatically. Please be patient as this scan will take a while to complete.
If any infections are found then once the scan has finished the "cleaning" screen will be displayed. Choose Automatic cleaning (recommended).
After cleaning has finished, then the Finish screen will be displayed. Choose Show Report.
In order to post the report, press CTRL+A on your keyboard to highlight all the text. Then copy and paste that information into this thread, along with a new HijackThis log.
Next, uninstall your currently installed version from Add or Remove Programs.
If you have older versions listed, uninstall them also. If you simply update to the new version, it leaves the older version(s) still installed, complete with previous vulnerabilities.
- Examples of older versions in Add or Remove Programs:
Java 2 Runtime Environment, SE v1.4.2
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 2
Restart your system.
Install the new version by double-clicking on the file you downloaded.
I cleaned it, and it deleted 7 megabytes of something. But I could not choose Opera on top; it was greyed out. Maybe it's because I use a newer version than the program recognises? I will try to reboot now.
EDIT: It did not help on the "!Update" virus, even though it was found in IE's temp.
PS: Also, something I have noticed: I get popups at random about Casino, Pornography, Free XXX Cams Now, Buy Cheap CDs and stuff like that, which makes the PC unsafe for minors. Oh god, this virus is a B****
Also please try the following --> download CleanUp! 4.5
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe
Run Cleanup! using the following configuration:
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
Empty Recycle Bins
Delete Cookies
Delete Prefetch files (if present)
Cleanup! All Users
Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/log off when prompted.
* CleanUp! will not create any backups!!
What do you mean by "deletes EVERYTHING out of your temp/temporary folders"? What does it delete exactly, so I know what to take a backup of?
Just temp files/folders that contain files like temp internet files, cookies, etc. I'm going to research this further and will be back with more info.
PS: Also, deadly, could you please take a screenshot of this update virus message and attach it to your next reply, as it may help me better.
Oh my GOD! It's gone. I think it was combining all of the programs that you mentioned in one reboot that did it. Lol, I just got pissed and ran all of the cleaning programs :P
I will post a HJT log just to be sure that it is all gone, OK?
-
Logfile of HijackThis v1.99.1
Scan saved at 16:48:38, on 20-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
PS: What are svchost.exe and smss.exe? I always wanted to know that :P
PPS: Will it be safe to install Windows Live Messenger again? Because it got uninstalled with all of the scanning and stuff.
Really? That's good, but please first do a system scan only in HJT and fix (check) the following lines (make sure NO windows are open during the fix except for HJT itself), then reboot and post a new log -->
R3 - URLSearchHook: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - (no file)
O2 - BHO: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - (no file)
Those are both Windows processes, all legit.
Logfile of HijackThis v1.99.1
Scan saved at 17:24:34, on 20-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
It's behaving great!!! Thank you very much for curing it!!! Man, this is awesome! I would hug you! It's running like... even better than before the virus!
PS: I'm gonna install Messenger and tell all my friends what to do!
PPS: Don't you think it could be a great idea to post all of your replies as a manual on how to delete the Messenger virus? Because a lot of people got that virus; I mean, even my friends all the way in Chile got it.
I appreciate the idea of my posts in this thread becoming a manual, but that wouldn't be a good idea in itself, only because EACH and every computer is different, especially on infections; each computer has to be approached with a different set of instructions, Legion, so if they need help tell them to register and we'd be glad to help them. As for you though, please follow these steps to prevent malware. Here are some tips to reduce the potential for spyware infection in the future; I strongly recommend installing the following applications:
Detect and Remove Programs:
How to use Ad-Aware to remove Spyware<=If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware<=If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
Spywareblaster<=SpywareBlaster will prevent spyware from being installed.
Spywareguard<=SpywareGuard offers realtime protection from spyware installation attempts.
IE/Spyad<=IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file<=The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar<=Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
AntiVirus Program<=An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
Firewall<=A firewall is definitely a must have. Two good free versions are Kerio and ZoneLabs.
More Secure Browser<=Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice: So how did I get infected in the first place?
PS: Also, Legion, to make sure all previously infected restore points are flushed out, so as to prevent re-infection, please do the following to create a new restore point and flush out all the old ones: right click My Computer > select Properties > System Restore tab > check Turn off System Restore > reboot, then repeat the same steps, only UNcheck Turn off System Restore, and voila! A new restore point will be created. Please reply once more to this thread and I'll mark it resolved :smiles:
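As an added example (not part of this thread, and not a HijackThis feature): a small Python triage script for the R3/O2/O4/O16/O17 lines of a HijackThis log, of the kind used to pick out the entries the helper asked to have fixed. The sample lines are copied from the 17-09-2006 log posted in this thread; the `%windir%` prefix, the list of system binary names, the profile-directory markers and the Microsoft-only ActiveX host check are this example's own assumptions, not anything HijackThis does.

```python
"""Triage of HijackThis-style log lines (added example; not from this thread
and not a HijackThis feature).

The sample lines are copied from the 17-09-2006 log posted in the thread.
Everything else (WINDIR, the system-binary list, the profile markers, the
trusted ActiveX hosts) is this example's own assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: seven suspicious lines from the posted log plus two
# clean ones (the Adobe BHO and the NVIDIA Run entry) as negative cases.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - C:\WINDOWS\system32\bveepzpv.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - C:\WINDOWS\system32\bveepzpv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Edward Hansen\Xinstall.exe
O4 - HKCU\..\Run: [Iana] "C:\DOCUME~1\EDWARD~1\APPLIC~1\PPATCH~1\chkdsk.exe" -vt yazb
O4 - HKCU\..\Run: [Lcomw] C:\Documents and Settings\Edward Hansen\Application Data\?dobe\m?iexec.exe
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6584C042-C610-4AD5-A43E-46AA5A8C32FE}: NameServer = 57.6.21.36
"""

WINDIR = r"c:\windows"  # assumption: default XP install drive
# Names that belong in %windir% or %windir%\system32. The same name anywhere
# else is a masquerade (the posted log has chkdsk.exe under APPLIC~1).
SYSTEM_BINARIES = {"explorer.exe", "chkdsk.exe", "msiexec.exe", "svchost.exe",
                   "lsass.exe", "winlogon.exe", "smss.exe", "csrss.exe",
                   "services.exe", "rundll32.exe"}
# Substrings that place a path inside a user profile or temp directory.
PROFILE_MARKERS = ("documents and settings", "docume~1", "application data",
                   "applic~1", "\\temp\\", "temporary internet files")
# ActiveX (O16) download hosts this example treats as expected.
TRUSTED_DPF_SUFFIXES = (".microsoft.com", ".msn.com")

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|pif|scr|com))(?![A-Za-z])",
                     re.IGNORECASE)
LABEL_RE = re.compile(r"\[([^\]]+)\]")


@dataclass
class Finding:
    section: str
    path: Optional[str]
    reasons: List[str]


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None if nothing looks off."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons: List[str] = []

    pm = PATH_RE.search(body)
    path = pm.group(1) if pm else None
    low = path.lower() if path else ""
    name = low.rsplit("\\", 1)[-1]
    in_windir = low.startswith(WINDIR)

    # Hooks and BHOs registered without a name, or whose file is gone, are
    # exactly the entries HJT's "fix checked" step is meant for.
    if "(no name)" in body:
        reasons.append("unnamed URLSearchHook/BHO")
    if "(no file)" in body:
        reasons.append("orphaned entry, file missing")

    if path:
        # The ANSI log shows '?' where a character could not be printed in
        # the log's code page, so '?' in a path means a look-alike name.
        if re.search(r"[?\x80-\uffff]", path):
            reasons.append("unprintable character in path (look-alike name)")
        if name in SYSTEM_BINARIES and not in_windir:
            reasons.append(f"{name} outside %windir%")
        if section == "O4" and any(mk in low for mk in PROFILE_MARKERS):
            reasons.append("autorun from user profile or temp directory")

    if section == "O4":
        lm = LABEL_RE.search(body)
        label = lm.group(1).lower() if lm else ""
        if label + ".exe" in SYSTEM_BINARIES and path and not in_windir:
            reasons.append(f"Run value named '{label}' does not point into %windir%")

    if section == "O16":
        hm = re.search(r"https?://([^/\s]+)", body)
        if hm and not hm.group(1).lower().endswith(TRUSTED_DPF_SUFFIXES):
            reasons.append(f"ActiveX control downloaded from {hm.group(1)}")

    if section == "O17":
        nm = re.search(r"NameServer = (\S+)", body)
        if nm:
            reasons.append(f"DNS set to {nm.group(1)}; confirm it is the ISP's")

    return Finding(section, path, reasons) if reasons else None


def triage(log: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged lines."""
    return [f for f in (triage_line(l) for l in log.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.path or '-'}\n      " + "\n      ".join(f.reasons))
```

Run on the sample it flags seven of the nine lines: the unnamed hook and BHO sharing one CLSID, the `[explorer]` Run value pointing at `Xinstall.exe` in the user profile, `chkdsk.exe` living under `APPLIC~1`, the `?dobe\m?iexec.exe` path (a look-alike of an Adobe `msiexec.exe`, which is the "MSIexec.exe in my startup" noticed earlier in the thread), the ActiveX download from `activex.matcash.com`, and the O17 name server for manual confirmation; the Adobe BHO and the NVIDIA Run entry pass clean. The checks are deliberately narrow: a hand-written trusted-prefix list is easy to reason about and easy to extend per machine, which matters more here than catching every random-looking DLL name.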
Logfile of HijackThis v1.99.1
Scan saved at 21:34:35, on 17-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmer\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programmer\Fælles filer\Logitech\KhalShared\KHALMNPR.EXE
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\CyberLink\Shared files\RichVideo.exe
C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Edward Hansen\Xinstall.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Opera\Opera.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Programmer\MSN Messenger\msgs.exe
C:\Programmer\Fælles filer\{98F20E2E-0AF9-1030-0811-05022106002d}\Update.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\EDWARD~1\APPLIC~1\PPATCH~1\chkdsk.exe
C:\Documents and Settings\Edward Hansen\Application Data\?dobe\m?iexec.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Edward Hansen\Skrivebord\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - C:\WINDOWS\system32\bveepzpv.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - C:\WINDOWS\system32\bveepzpv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\Programmer\TEXTware\QUICKfind\PlugIns\IEHelp.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programmer\ToolBar888\MyToolBar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programmer\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Edward Hansen\Xinstall.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Iana] "C:\DOCUME~1\EDWARD~1\APPLIC~1\PPATCH~1\chkdsk.exe" -vt yazb
O4 - HKCU\..\Run: [Lcomw] C:\Documents and Settings\Edward Hansen\Application Data\?dobe\m?iexec.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151089028752
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6584C042-C610-4AD5-A43E-46AA5A8C32FE}: NameServer = 57.6.21.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{939F8317-2707-478A-ACE8-15A4A2A2E182}: NameServer = 193.162.153.164,194.239.134.83
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programmer\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programmer\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmer\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
__
PLease help, I need urgent help so I can share the solution to my friends before this gets out of hand, how to remove this realy *** virus/malware
_
PS the link to the virus is http://www.uglyphotos.net /photo223.PIF
Do not open the file once downloaded, I hold no responcibility.
NOTE: I seperated part of the link as to avoid users automatically clicking on the link, downloading and being infected-J$3457
then First download ewido anti-spyware from HERE and save that file to your desktop.
- Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
- Once the setup is complete you will need to run ewido and update the definition files.
- On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
- Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
- Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
- Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"
Close ewido anti-spyware and reboot your computer into Safe Mode.IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess.
-
ewido anti-spyware - Scan Report
+ Created at: 21:00:47 18-09-2006
+ Scan result:
C:\Programmer\Fælles filer\{98F20E2E-0AF9-1030-0811-05022106002d}\Update.exe -> Adware.Agent : No action taken.
C:\Programmer\Fælles filer\{98F20E2E-0AFA-1030-0811-05022106002d}\Update.exe -> Adware.Agent : No action taken.
C:\Documents and Settings\Edward Hansen\mt-uninstaller.exe -> Adware.PurityScan : No action taken.
C:\WINDOWS\system32\bveepzpv.dll -> Adware.PurityScan : No action taken.
C:\Programmer\ToolBar888 -> Adware.Softomate : No action taken.
C:\Programmer\ToolBar888\Activate.exe -> Adware.Softomate : No action taken.
C:\Programmer\ToolBar888\MyToolBar.dll -> Adware.Softomate : No action taken.
C:\Programmer\ToolBar888\Uninst.exe -> Adware.Softomate : No action taken.
C:\Documents and Settings\Edward Hansen\3.exe/dev.exe -> Backdoor.Rbot.biz : No action taken.
C:\Documents and Settings\Edward Hansen\Lokale indstillinger\Temporary Internet Files\Content.IE5\HE8IZ1F8\3[1].exe/dev.exe -> Backdoor.Rbot.biz : No action taken.
C:\Documents and Settings\Edward Hansen\Lokale indstillinger\Temp\installer.exe -> Dropper.PurityScan.q : No action taken.
C:\Documents and Settings\Edward Hansen\Lokale indstillinger\Temporary Internet Files\Content.IE5\HE8IZ1F8\Xinstall[1].exe -> Heuristic.Win32.Morphine-Crypted : No action taken.
C:\Programmer\MSN Messenger\Xinstall.exe -> Heuristic.Win32.Morphine-Crypted : No action taken.
C:\WINDOWS\system32\Xinstall.exe -> Heuristic.Win32.Morphine-Crypted : No action taken.
C:\Documents and Settings\Edward Hansen\Lokale indstillinger\Temporary Internet Files\Content.IE5\74J8H3EJ\speedtest2[1].dll -> Not-A-Virus.Downloader.Win32.InsTool.a : No action taken.
C:\WINDOWS\Downloaded Program Files\speedtest2.dll -> Not-A-Virus.Downloader.Win32.InsTool.a : No action taken.
C:\Programmer\Cheat Engine\dbk32.sys -> Rootkit.Small : No action taken.
C:\Documents and Settings\Edward Hansen\Cookies\edward [email]hansen@atdmt[1].txt[/email] -> TrackingCookie.Atdmt : No action taken.
::Report end
-
But the Evil Toolbar 888 is still there, and my Windows Messenger is still not functional.
-
Plus I have added a HJT report again.
-
Logfile of HijackThis v1.99.1
Scan saved at 21:16:48, on 18-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programmer\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\CyberLink\Shared files\RichVideo.exe
C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmer\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Programmer\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Edward Hansen\Application Data\?dobe\m?iexec.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\Fælles filer\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Edward Hansen\Skrivebord\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - C:\WINDOWS\system32\bveepzpv.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - C:\WINDOWS\system32\bveepzpv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\Programmer\TEXTware\QUICKfind\PlugIns\IEHelp.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programmer\ToolBar888\MyToolBar.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programmer\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Edward Hansen\Xinstall.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Programmer\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Lcomw] C:\Documents and Settings\Edward Hansen\Application Data\?dobe\m?iexec.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151089028752
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6584C042-C610-4AD5-A43E-46AA5A8C32FE}: NameServer = 57.6.21.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{939F8317-2707-478A-ACE8-15A4A2A2E182}: NameServer = 193.162.153.164,194.239.134.83
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programmer\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmer\ewido anti-spyware 4.0\guard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programmer\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmer\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
-
Detected CoolWebSearch:
Registry Keys (1) :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks , _{CFBFAE00-17A6-11D0-99CB-00C04FD64497}
-
Detected GameSpy Arcade:
Registry Keys (Software) (2) :
HKEY_LOCAL_MACHINE\Software\GameSpy
HKEY_CURRENT_USER\Software\GameSpy
-
Okay I have rebooted and as soon as I got into windows I got a nice little virus warning with !Update!...some numbers virus.
888 toolbar is still there and I can't uninstall it
Anyway here is my HJT report:
-
Logfile of HijackThis v1.99.1
Scan saved at 21:28:51, on 18-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\Programmer\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Programmer\ewido anti-spyware 4.0\ewido.exe
C:\Programmer\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Edward Hansen\Application Data\?dobe\m?iexec.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programmer\Fælles filer\Logitech\KhalShared\KHALMNPR.EXE
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\CyberLink\Shared files\RichVideo.exe
C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Opera\Opera.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Documents and Settings\Edward Hansen\Skrivebord\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - C:\WINDOWS\system32\bveepzpv.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - C:\WINDOWS\system32\bveepzpv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\Programmer\TEXTware\QUICKfind\PlugIns\IEHelp.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programmer\ToolBar888\MyToolBar.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Programmer\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [explorer] C:\Documents and Settings\Edward Hansen\Xinstall.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Programmer\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Lcomw] C:\Documents and Settings\Edward Hansen\Application Data\?dobe\m?iexec.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151089028752
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6584C042-C610-4AD5-A43E-46AA5A8C32FE}: NameServer = 57.6.21.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{939F8317-2707-478A-ACE8-15A4A2A2E182}: NameServer = 193.162.153.164,194.239.134.83
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programmer\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmer\ewido anti-spyware 4.0\guard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programmer\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmer\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
PS: Even though the 888 Toolbar is still there in the Toolbars that can be activated, it cannot be opened (shown) and I can't uninstall it.
PS: I have a weird program in my startup and running processes, MSIexec.exe, which is weird because it looks like an installer...
PS: The virus being found every time I start my computer is called "!update-4295[1].0000"
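As an added example (not from this thread, and not part of HijackThis itself), the triage a helper does by eye on the log above, written as code: it flags Run keys that launch from the user profile, the `?` placeholders HJT prints in `?dobe\m?iexec.exe` (a `?` is not legal in a Windows file name, so the real name contains characters HJT could not render), a Run key named `explorer` that points outside the Windows directory, and orphaned `(file missing)` BHO/toolbar/URLSearchHook registrations. The rule set and the sample lines are constructed here from entries in the log.

```python
"""Heuristic triage of HijackThis (HJT) autostart and browser-hook entries."""
import re
from typing import Dict, List

# Constructed sample: O2/O3/O4/R3 lines taken from the HJT log in this thread.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - C:\\WINDOWS\\system32\\bveepzpv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Programmer\\Java\\jre1.5.0_07\\bin\\ssv.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\\Programmer\\ToolBar888\\MyToolBar.dll (file missing)
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [ccApp] "C:\\Programmer\\Fælles filer\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [explorer] C:\\Documents and Settings\\Edward Hansen\\Xinstall.exe
O4 - HKCU\\..\\Run: [MsnMsgr] "C:\\Programmer\\MSN Messenger\\MsnMsgr.Exe" /background
O4 - HKCU\\..\\Run: [Lcomw] C:\\Documents and Settings\\Edward Hansen\\Application Data\\?dobe\\m?iexec.exe
"""

RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
HOOK_RE = re.compile(r"^(?:O2|O3|R3) - .* - (?P<path>.*?) \(file missing\)$")
EXT_RE = re.compile(r"\.(exe|dll|cpl|pif|scr|com|bat)\b", re.IGNORECASE)
# Names of core Windows processes that malware likes to borrow for its Run key.
SYSTEM_NAMES = {"explorer", "svchost", "lsass", "winlogon", "services", "csrss", "smss"}


def run_target(cmd: str) -> str:
    """Return the file actually loaded by a Run-key command line."""
    if cmd.startswith('"'):                  # quoted path, arguments follow
        return cmd[1:cmd.index('"', 1)]
    head, _, rest = cmd.partition(" ")
    if head.lower().startswith("rundll32"):  # rundll32 is only the host; the DLL is the payload
        return rest.split(",", 1)[0]
    m = EXT_RE.search(cmd)                   # unquoted path with spaces: cut at the extension
    return cmd[: m.end()] if m else cmd


def in_user_profile(path: str) -> bool:
    """True for files under a per-user profile (Windows XP layout)."""
    p = path.lower()
    return p.startswith("c:\\documents and settings\\") and "\\all users\\" not in p


def triage_hjt(log: str) -> List[Dict[str, str]]:
    """Apply the heuristics to every line and return the findings."""
    findings = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m:
            name, target = m.group("name"), run_target(m.group("cmd"))
            if "?" in target:  # HJT substitutes '?' for characters it cannot render
                findings.append({"line": line, "severity": "high",
                                 "reason": "unrenderable character in path: %s" % target})
            if in_user_profile(target):
                findings.append({"line": line, "severity": "high",
                                 "reason": "autostart from user profile: %s" % target})
            if name.lower() in SYSTEM_NAMES and "\\windows\\" not in target.lower():
                findings.append({"line": line, "severity": "high",
                                 "reason": "Run key named like a Windows component: [%s]" % name})
            continue
        m = HOOK_RE.match(line)
        if m:  # registration survives after the file was removed: cleanup candidate
            findings.append({"line": line, "severity": "low",
                             "reason": "orphaned registration, file missing: %s" % m.group("path")})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (f["severity"], f["reason"], f["line"]))
```

Entries such as the Symantec and MSN Messenger Run keys pass all rules and produce no finding, which is the point: the heuristics narrow the log to the handful of lines worth a closer look.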
- Click the Config... button, then go to the Misc Tools section.
- Click on Open Uninstall Manager. You'll see a list of programs.
- Click on Save List...
The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.
3DMark06
Ad-Aware SE Professional
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Photoshop Elements 4.0
Adobe Reader 7.0.8
Adobe Shockwave Player
Adobe Stock Photos 1.0
Alive MP3 WAV Converter version 3.0.2.8
AsusUpdate
Battlefield 2(TM)
Battlefield 2: Special Forces
CCleaner (remove only)
Cheat Engine 5.2
CP210x USB to UART Bridge Controller
Creative Audio Console
Darkstar One
DefilerPak 1.22 (Remove Only)
Engelsk Large
Evil Genius V1.01
ewido anti-spyware 4.0
FlashFXP v3.2.0 (Build 1080) Scene Edition
Fraps (remove only)
Gyldendals Røde Ordbøger Dansk-Engelsk/Engelsk-Dansk Ordbog
Hide IP Platinum 2.2
High Definition Audio Driver Package - KB835221
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Windows XP (KB915865)
Hotfix til Windows XP (KB914440)
iColorFolder
IGN Download Manager 2.2.1
J2SE Runtime Environment 5.0 Update 7
Kaspersky Anti-Virus Personal
KhalSetup
LEGO Star Wars
LEGO Star Wars II
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Logitech SetPoint
Marvell Miniport Driver
MediaTickets by OIN
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Danish Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 2.0 Language Pack - DAN
Microsoft Base Smart Card Crypto-udbyder
Microsoft Office Professional Edition 2003
Microsoft Plus! for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Microsoft Visual C++ 2005 Redistributable
mIRC
MSXML 4.0 SP2 Parser and SDK
Nero 7 Ultra Edition
Norton Ghost 10.0
NVIDIA Drivers
Oblivion
Opdatering til Windows XP (KB894391)
Opdatering til Windows XP (KB898461)
Opdatering til Windows XP (KB900485)
Opdatering til Windows XP (KB904942)
Opdatering til Windows XP (KB908531)
Opdatering til Windows XP (KB910437)
Opdatering til Windows XP (KB916595)
Opdatering til Windows XP (KB920872)
Opdatering til Windows XP (KB922582)
Opera 9.01
Politikens Tysk-Dansk-Tysk
PortTrigger 1.0.57
Postal 2 Apocalypse Weekend Expansion Pack
Postal 2 Share The Pain
PowerDVD
PowerISO
Quake 4(TM)
QuickTime Alternative 1.71 Beta 2
Q-Xpress Installer 1.1.4
RealPlayer
Realtek High Definition Audio Driver
Registry Mechanic 5.2
Samsung Mobie USB Driver Installer
Samsung Mobile USB Modem Software
Samsung PC Studio 2.0 PIM & File Manager
Security Update til Microsoft .NET Framework 2.0 (KB917283)
SereneScreen Marine Aquarium 2.6
Sikkerhedsopdatering til Windows Media Player (KB911564)
Sikkerhedsopdatering til Windows Media Player 10 (KB917734)
Sikkerhedsopdatering til Windows Media Player 9 (KB917734)
Sikkerhedsopdatering til Windows XP (KB890046)
Sikkerhedsopdatering til Windows XP (KB893756)
Sikkerhedsopdatering til Windows XP (KB896358)
Sikkerhedsopdatering til Windows XP (KB896422)
Sikkerhedsopdatering til Windows XP (KB896423)
Sikkerhedsopdatering til Windows XP (KB896424)
Sikkerhedsopdatering til Windows XP (KB896428)
Sikkerhedsopdatering til Windows XP (KB899587)
Sikkerhedsopdatering til Windows XP (KB899589)
Sikkerhedsopdatering til Windows XP (KB899591)
Sikkerhedsopdatering til Windows XP (KB900725)
Sikkerhedsopdatering til Windows XP (KB901017)
Sikkerhedsopdatering til Windows XP (KB901214)
Sikkerhedsopdatering til Windows XP (KB902400)
Sikkerhedsopdatering til Windows XP (KB904706)
Sikkerhedsopdatering til Windows XP (KB905414)
Sikkerhedsopdatering til Windows XP (KB905749)
Sikkerhedsopdatering til Windows XP (KB908519)
Sikkerhedsopdatering til Windows XP (KB911280)
Sikkerhedsopdatering til Windows XP (KB911562)
Sikkerhedsopdatering til Windows XP (KB911567)
Sikkerhedsopdatering til Windows XP (KB911927)
Sikkerhedsopdatering til Windows XP (KB912919)
Sikkerhedsopdatering til Windows XP (KB913580)
Sikkerhedsopdatering til Windows XP (KB914388)
Sikkerhedsopdatering til Windows XP (KB914389)
Sikkerhedsopdatering til Windows XP (KB916281)
Sikkerhedsopdatering til Windows XP (KB917159)
Sikkerhedsopdatering til Windows XP (KB917344)
Sikkerhedsopdatering til Windows XP (KB917422)
Sikkerhedsopdatering til Windows XP (KB917953)
Sikkerhedsopdatering til Windows XP (KB918439)
Sikkerhedsopdatering til Windows XP (KB918899)
Sikkerhedsopdatering til Windows XP (KB919007)
Sikkerhedsopdatering til Windows XP (KB920214)
Sikkerhedsopdatering til Windows XP (KB920670)
Sikkerhedsopdatering til Windows XP (KB920683)
Sikkerhedsopdatering til Windows XP (KB920685)
Sikkerhedsopdatering til Windows XP (KB921398)
Sikkerhedsopdatering til Windows XP (KB921883)
Sikkerhedsopdatering til Windows XP (KB922616)
Skype 2.5
Softick PPP 2.21 (remove only)
SoulSeekkor's TQ Defiler
Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
Star Wars®: Knights of the Old Republic (TM)
Steam
System Requirements Lab
TI Connect 1.6
Titan Quest
Unlocker 1.8.4
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Please navigate (using Internet Explorer, other browsers won't work) to the following site: http://support.f-secure.com/enu/home/ols3.shtml
-
Scanning Report
Tuesday, September 19, 2006 17:21:12 - 20:34:40
Computer name: EDWARD
Scanning type: Scan target for viruses, rootkits, spyware
Target: C:\
Result: 2 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
Statistics
Scanned:
Files: 233420
System: 4669
Not scanned: 194
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\PERFLIB_PERFDATA_830.DAT
C:\WINDOWS\SYSTEM32\BIOS1.ROM
C:\WINDOWS\SYSTEM32\DRIVERS\DTSCSI.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\VAXSCSI.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
C:\PROGRAMMER\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[1].RMB
C:\PROGRAMMER\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[2].RMB
C:\PROGRAMMER\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[3].RMB
C:\PROGRAMMER\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[4].RMB
C:\PROGRAMMER\REGISTRY MECHANIC\BACKUP\AUTOMATIC BACKUP[5].RMB
C:\PROGRAMMER\OPERA\MAIL\INDEXER\INDEXER_64.DAT
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_INTRO.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_MENU.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_MENU_REV.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB1.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB1_REV.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB2.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB2_REV.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB3.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB3_REV.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB4.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB4_REV.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB5.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB5_REV.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB6.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_MENU_TO_SUB6_REV.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE1.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE1_REV.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE2.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE2_REV.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE3.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE3_REV.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE4.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE4_REV.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE5.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE5_REV.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE6.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\TOWERS\TOWERS_TITLE6_REV.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\MONITORS\MONITORS.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\MONITORS\MONITORS_INTRO.MP3
C:\PROGRAMMER\NERO\NERO 7\NERO VISION\3DANIMATIONS\MENUS\4_3\MONITORS\MONITORS_MENU_TO_MÞM
Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-09-19
F-Secure Libra: 2.4.1, 2006-09-16
F-Secure Orion: 1.2.37, 2006-09-19
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Pegasus: 1.19.0, 2006-08-14
F-Secure Draco: 1.0.35, 0259-24-212
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics
it leaves the older version(s) still installed, complete with previous vulnerabilities.
- Examples of older versions in Add or Remove Programs:
- Double-click ATF-Cleaner.exe to run the program.
- Click Select All found at the bottom of the list.
- Click the Empty Selected button.
If you use Firefox browser, do this also:- Click Firefox at the top and choose Select All from the list.
- Click the Empty Selected button.
- NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:- Click Opera at the top and choose Select All from the list.
- Click the Empty Selected button.
- NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

EDIT: It did not help on the "!Update" virus
PS: Also something I have noticed, I get popups at random, about Casino, Pornography, Free XXX Cams Now, Buy Cheap CDs and stuff like that, which makes the PC unsafe for minors
NOTE: CHECK PAGE 2:P
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe
Run Cleanup! using the following configuration:
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files (if present)
- Cleanup! All Users
- Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!
Gonna reboot & let you know how it's going.
PS:also deadly could you please take a screenshot of this update virus message and attach it to your next reply as it may help me better
I will post a HJT just to be sure that it all is gone, ok?
-
Logfile of HijackThis v1.99.1
Scan saved at 16:48:38, on 20-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Programmer\ewido anti-spyware 4.0\Run ewido.exe
C:\Programmer\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programmer\Java\jre1.5.0_08\bin\jusched.exe
C:\Programmer\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Fælles filer\Logitech\KhalShared\KHALMNPR.EXE
C:\Programmer\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\CyberLink\Shared files\RichVideo.exe
C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Opera\Opera.exe
C:\Documents and Settings\Edward Hansen\Skrivebord\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - URLSearchHook: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\Programmer\TEXTware\QUICKfind\PlugIns\IEHelp.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Programmer\ewido anti-spyware 4.0\Run ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151089028752
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6584C042-C610-4AD5-A43E-46AA5A8C32FE}: NameServer = 57.6.21.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{939F8317-2707-478A-ACE8-15A4A2A2E182}: NameServer = 193.162.153.164,194.239.134.83
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programmer\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmer\ewido anti-spyware 4.0\guard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programmer\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmer\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
PS: What are svchost.exe & smss.exe? I always wanted to know that :P
PPS: Will it be safe to install Windows Live Messenger again? Because it got uninstalled with all of the scanning and stuff.
O2 - BHO: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - (no file)
Those are both Windows processes, all legit.
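The line quoted in the reply above is the pattern a log reader looks for first: a BHO still registered in the registry whose DLL is no longer on disk, which HijackThis prints as "(no file)". As an added example that is not from this thread or from HijackThis itself, the script below pulls exactly those entries, plus every O17 NameServer, out of HijackThis-style log lines so they can be reviewed in one place. The sample lines are constructed after the log posted above, and the set of expected DNS servers passed to unexpected_nameservers() is an assumption the reader supplies from their ISP's documentation; the script itself does not know which servers are legitimate.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass, field

# Sample lines, constructed after the log posted in the thread above.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {4111AC64-1CD1-1176-A2A3-1743B163F290} - (no file)",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{6584C042-C610-4AD5-A43E-46AA5A8C32FE}: NameServer = 57.6.21.36",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{939F8317-2707-478A-ACE8-15A4A2A2E182}: NameServer = 193.162.153.164,194.239.134.83",
])

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# O17 lines: "O17 - HKLM\...\{adapter GUID}: NameServer = ip[,ip...]"
NS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)\s*$")


@dataclass
class Findings:
    orphaned_bhos: list = field(default_factory=list)  # CLSIDs whose DLL is "(no file)"
    nameservers: list = field(default_factory=list)    # every DNS server configured, per adapter


def triage(log_text: str) -> Findings:
    """Collect orphaned BHO registrations and configured DNS servers from a log."""
    findings = Findings()
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            # A registered BHO with no DLL behind it is dead weight left by a removal;
            # it is the entry a helper asks to have fixed in HijackThis.
            if m.group("path").strip() == "(no file)":
                findings.orphaned_bhos.append(m.group("clsid"))
            continue
        m = NS_RE.match(line)
        if m:
            findings.nameservers.extend(
                s.strip() for s in m.group("servers").split(",") if s.strip()
            )
    return findings


def unexpected_nameservers(findings: Findings, expected: set) -> list:
    """DNS servers in the log that are not in the set the reader expects.

    `expected` is supplied by the reader (for example the ISP's published
    resolvers); a server outside that set is something to look up, not
    automatically malicious.
    """
    return sorted(s for s in findings.nameservers if s not in expected)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("orphaned BHOs:", found.orphaned_bhos)
    print("nameservers:", found.nameservers)
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; anything in `orphaned_bhos` is a candidate for the Fix checked button, and `unexpected_nameservers()` tells you which O17 servers to look up before deciding whether they belong.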
-
Logfile of HijackThis v1.99.1
Scan saved at 17:24:34, on 20-09-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Programmer\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Programmer\ewido anti-spyware 4.0\Run ewido.exe
C:\Programmer\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\ewido anti-spyware 4.0\guard.exe
C:\Programmer\Fælles filer\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Programmer\Fælles filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programmer\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\CyberLink\Shared files\RichVideo.exe
C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Edward Hansen\Skrivebord\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmer\Fælles filer\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\Programmer\TEXTware\QUICKfind\PlugIns\IEHelp.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Programmer\ewido anti-spyware 4.0\Run ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.1.87.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151089028752
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - http://activex.matcash.com/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6584C042-C610-4AD5-A43E-46AA5A8C32FE}: NameServer = 57.6.21.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{939F8317-2707-478A-ACE8-15A4A2A2E182}: NameServer = 193.162.153.164,194.239.134.83
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Programmer\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programmer\ewido anti-spyware 4.0\guard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programmer\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programmer\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programmer\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
PS: I'm gonna install Messenger and tell all my friends what to do!
PPS: Don't you think it could be a great idea to post all of your replies as a manual on how to delete the Messenger virus? Because a lot of people got that virus, I mean even my friends all the way in Chile got it.
Detect and Remove Programs:
- How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
- How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
- Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
- Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
- IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
- MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
- Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
- AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
- Firewall <= A firewall is definitely a must have. Two good free versions are Kerio and ZoneLabs.
- More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowser are good as well.
And also see TonyKlein's good advice: So how did I get infected in the first place?
PS: Also Legion, to make sure all previously infected restore points are flushed out, so as to prevent re-infection, please do the following to create a new restore point and flush out all the old ones: right click My Computer > select Properties > System Restore tab > check Turn off System Restore > reboot, then repeat the same steps, only UNcheck Turn off System Restore, and voila! A new restore point will be created. Please reply once more to this thread and I'll mark it resolved :smiles:
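The MVPS Hosts file mechanism listed above (ad and malware names mapped to 127.0.0.1 so the connection never leaves the machine) is easy to see in code. The script below is an added example, not from this thread or from the MVPS project: it parses a hosts file the way a resolver reads it (comments stripped, several names per line allowed, first entry for a name wins), answers whether a name is blocked, and audits the file for the opposite condition, a name pointed at some remote address. A blocking hosts file should only ever point names at the local machine, so such an entry is worth a second look. The hosts content and the .invalid domain names in it are constructed for the example.

```python
"""Hosts-file blocking as the MVPS Hosts file uses it (added example, not from the thread).

Windows consults %SystemRoot%\\System32\\drivers\\etc\\hosts before asking DNS, so an
entry that maps a name to 127.0.0.1 (or 0.0.0.0) sends that connection to the
local machine and it never reaches the ad or malware server. The same file can be
abused to redirect a name elsewhere, which is what suspicious_entries() flags.
"""
import ipaddress

# Constructed hosts-file content; the .invalid names are placeholders, not real block-list entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  ads.example.invalid                              # blocked: ad server
127.0.0.1  tracker.example.invalid popups.example.invalid   # two names on one line
0.0.0.0    badware.example.invalid                          # 0.0.0.0 is the other common sink
203.0.113.7  update.example-av.invalid                      # suspicious: points at a remote host
"""


def parse_hosts(text: str) -> dict:
    """Return {lower-cased hostname: ip_address}.

    Comments start at '#', blank lines are skipped, one address may be followed by
    several names, and the first entry seen for a name is kept.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; skip the line rather than guess
        for name in parts[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping


def _is_local_sink(ip) -> bool:
    # 127.x.x.x / ::1 are loopback, 0.0.0.0 is "unspecified"; both keep the
    # connection on the local machine, which is the whole point of the block list.
    return ip.is_loopback or ip.is_unspecified


def is_blocked(mapping: dict, hostname: str) -> bool:
    """True when the hosts file sends this name to the local machine."""
    ip = mapping.get(hostname.lower())
    return ip is not None and _is_local_sink(ip)


def suspicious_entries(mapping: dict) -> list:
    """Names pointed at a non-local address; a blocking hosts file should never do this."""
    return sorted(name for name, ip in mapping.items() if not _is_local_sink(ip))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("ads.example.invalid blocked:", is_blocked(hosts, "ads.example.invalid"))
    print("entries to review:", suspicious_entries(hosts))
```

To audit a real machine, read the file from the path in the docstring with `parse_hosts(open(path, encoding="utf-8", errors="replace").read())`; an empty `suspicious_entries()` result is what a clean MVPS-style hosts file looks like.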