Red biohazard desktop

Status
Not open for further replies.

mrnopost

Man, I'm so, so screwed, please help me. I'm a photography student and I have two of my midterm projects on my PC. This afternoon something about a codec appeared on my screen while I was trying to look at a video that was sent to me. I clicked it and 3 minutes later I got a red screen with a biohazard sign on it. Now Task Manager is gone, Control Panel is gone, my C drive is gone... everything is gone except for a few files on my desktop. I'm going to fail if I can't get my files for class... Man, I'm in panic mode so much right now. On top of that I have client files for my freelance graphic arts work that I really, really need... PLEASE help me guys, I would really, really appreciate it.
 
Install MBAM (Malwarebytes) and SuperAntiSpyware while in SAFE MODE, and run them. You will likely get lucky and remove enough to get the boot working. Or buy Spyware Doctor 5.5 or Webroot Spyware... at about $30 and $45, and clean your system. I would also download and run a scan with Antivir antispyware.

The BIOHAZARD crap is more gag than long term dangerous. Just keep as calm as possible and organized as possible, and look at the posts on this forum for removing infestations.
It will be alright, but may take two or three hours to fix.
 
my log file

Here is the log file for my HijackThis...
I don't know what else to do. :(
 

Attachments

  • hijackthis.log
OK, first, you have 3 realtime spyware apps, but you can only have one. You currently have:

Webroot
Spyware Doctor
Windows Defender

Please uninstall 2 of them. If I am wrong, please advise.
 
Partially true. Spyware Doctor and SpySweeper conflict and are probably part of the problem. But Windows Defender will work with either and should not be installed... I would keep SpySweeper and Windows Defender because they serve different functions... but save the install code for SpySweeper.
 
Ok please follow the steps below

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:
    • C:\WINNT\eHome\MCAgen.exe
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

-----------------------------------------------------------

We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

Code:
@echo off
rem Stop and remove the service shown in the O23 entry below; sc needs the
rem service name, and it must be quoted because it contains spaces.
sc stop "Viewpoint Manager Service"
sc delete "Viewpoint Manager Service"
rem Remove this script and close the command window.
del service.cmd
exit

Save it to your desktop as File name: service.cmd
Save as type: All Files

Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.

-----------------------------------------------------------

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O3 - Toolbar: Gwinnett Tech Browser Toolbar - {F3A2858F-30A5-445C-A604-46B25A7AA8BF} - C:\Program Files\GTCBrowserToolbar\Gwinnett Tech Browser Toolbar\GwinnettechToolBar.dll
O3 - Toolbar: fdkowvbp - {54EF0797-AF80-4CF5-AB0C-7E87CCEC3E0B} - C:\WINNT\fdkowvbp.dll
O4 - HKLM\..\Run: [lphc7elj0e753] C:\WINNT\system32\lphc7elj0e753.exe
O4 - HKLM\..\Run: [SMrhc3elj0e753] C:\Program Files\rhc3elj0e753\rhc3elj0e753.exe
O4 - HKLM\..\Run: [4443684d] rundll32.exe "C:\WINNT\system32\gcvlvsnp.dll",b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzed055DIUS_ZN
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {9F6D8A59-DD92-499D-944A-38FDB2CE46FF} (Napster download control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O21 - SSODL: wnslvxtf - {FF119E9A-3F23-49B8-B0A4-268168B9D0CD} - C:\WINNT\wnslvxtf.dll
O21 - SSODL: eqvwamkl - {4C80C046-C152-4C98-A647-A70455B3DBAC} - C:\WINNT\eqvwamkl.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

GTCBrowserToolbar
rhc3elj0e753
Viewpoint
Ebates_MoeMoneyMaker
--------------------------------------------------------------

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\Program Files\GTCBrowserToolbar
    C:\WINNT\fdkowvbp.dll
    C:\WINNT\system32\lphc7elj0e753.exe
    C:\Program Files\rhc3elj0e753
    C:\WINNT\system32\gcvlvsnp.dll
    C:\Program Files\Ebates_MoeMoneyMaker
    C:\WINNT\wnslvxtf.dll
    C:\WINNT\eqvwamkl.dll
    C:\Program Files\Viewpoint\
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

After that, Reboot, and post a new HijackThis log here in a reply
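As an added example (not code from the thread or from HijackThis), here is a small Python triage helper that parses HijackThis entries of the kind quoted above and flags the patterns the fix list is built around: a policy lockdown in O6/O7 entries, random-looking filenames, and DLLs dropped directly in C:\WINNT. The vowel-ratio heuristic is my own assumption, not a HijackThis rule; the sample entries are copied from the log quoted in the post.

```python
import re

# HijackThis entries quoted in the post above (a subset, used here as test input).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O3 - Toolbar: fdkowvbp - {54EF0797-AF80-4CF5-AB0C-7E87CCEC3E0B} - C:\WINNT\fdkowvbp.dll
O4 - HKLM\..\Run: [lphc7elj0e753] C:\WINNT\system32\lphc7elj0e753.exe
O4 - HKLM\..\Run: [4443684d] rundll32.exe "C:\WINNT\system32\gcvlvsnp.dll",b
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: eqvwamkl - {4C80C046-C152-4C98-A647-A70455B3DBAC} - C:\WINNT\eqvwamkl.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# First Windows path ending in a binary/cab/htm extension; stops at quotes.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|cab|htm))", re.IGNORECASE)
WINDIR = r"c:\winnt"  # the machine in this thread uses C:\WINNT as its Windows directory

def parse_entries(log):
    """Split a HijackThis log into (section, body) pairs, ignoring header lines."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def looks_random(filename):
    """Heuristic (assumption): a stem of 8+ chars with few vowels or with digits mixed in."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < 8:
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) <= 0.25 or any(c.isdigit() for c in stem)

def triage(log):
    """Return one (section, reasons) finding per entry that matches a suspicious pattern."""
    findings = []
    for section, body in parse_entries(log):
        reasons = []
        if section in ("O6", "O7"):
            reasons.append("policy restriction set (IE lockdown / DisableRegedit)")
        m = PATH_RE.search(body)
        if m:
            folder, _, name = m.group(1).lower().rpartition("\\")
            if looks_random(name):
                reasons.append("random-looking filename: " + name)
            if folder == WINDIR:
                reasons.append("binary dropped directly in the Windows directory")
        if reasons:
            findings.append((section, reasons))
    return findings
```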
 
Here goes the report. Sorry it took so long, my PC is running super slowwwww!! Feel like I got a dern Tandy now. Feel like this thing is running on a Johnny 5 processor. Thanks again Daniel... You're like a god right about now. Also, I'm not sure what that IP address is, but I googled it and I think it may have something to do with my Buffalo router.


VirSCAN.org Scanned Report :
Scanned time : 2008/08/01 02:42:46 (EDT)
Scanner results: All Scanners reported not find malware!
File Name : MCAgen.exe
File Size : 249856 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 2bc9fa0c8cb0fda52dd343aa9d995a05
SHA1 : ccb8af89d65c5ca72e75e9ffc301dc8ba240c7f6
Online report :

 
My MoveIt2 log....


File/Folder C:\Program Files\GTCBrowserToolbar not found.
File/Folder C:\WINNT\fdkowvbp.dll not found.
File/Folder C:\WINNT\system32\lphc7elj0e753.exe not found.
File/Folder C:\Program Files\rhc3elj0e753 not found.
File/Folder C:\WINNT\system32\gcvlvsnp.dll not found.
File/Folder C:\Program Files\Ebates_MoeMoneyMaker not found.
File/Folder C:\WINNT\wnslvxtf.dll not found.
File/Folder C:\WINNT\eqvwamkl.dll not found.
Folder C:\Program Files\Viewpoint\ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 080
 
Here goes my new log. Seems like the pop-ups stopped. But I still don't have access to the C drive, Control Panel or anything else in the Start menu. But it seems like we are getting somewhere. :) Man, I'm somewhat relieved.
 
SmitfraudFix

  • Download SmitFraudFix to your desktop
  • reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
  • Double-click SmitfraudFix.exe
  • Select 2 and hit Enter to delete infected files.
  • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
  • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt (Attach the log to your next reply)

-------------------------------------------------

ComboFix

  • Download ComboFix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. ComboFix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt

Then post a fresh hijackthis log
 
Just a humble suggestion. Open the file in notepad and delete all but one line of code then click save. I had one of these and it worked as a quick fix. Maybe just maybe it would work for you?
Humble apologies if I am being stupid.
 
If the user is already being helped, please do not jump in with other advice; it can confuse the user.
 
Hmm the first hijackthis scan you did showed

Logfile of Trend Micro HijackThis v2.0.2

Which is the newest version but your new log shows

Logfile of HijackThis v1.99.1

And you are running it from My Documents.

Go to the following location and delete HijackThis:
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

run the newest version and post a fresh hijackthis log
 