Virus help needed

Status
Not open for further replies.
Hi, I'm having a lot of trouble: my background screen has been changed to a "warning" message and I can't change it, and my Task Manager has been disabled. I also get Windows warning pop-ups. Can someone please help?
 
Hi impaq, :wave:

First please go to Start -> Control Panel -> Add/remove programs and uninstall Hijackthis.

Next, please follow these instructions. Your version of HijackThis is out of date or installed in the wrong folder.

HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically.

I need you to follow all the steps HERE and then post back with the three requested logs as attachments
  • AVG antispyware
  • ComboFix
  • Hijackthis (step 15)

Don't forget to make sure that AVG is set to quarantine the results, that HJT is the last step, and to let us know the results of the anti-rootkit scan.

Good luck and welcome to TechSpot.

This thread is for the use of impaq only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
kritius, take a look at this:

Name: antiviirus (note spelling)
Filename: antiviirus.exe
Command: C:\Program Files\antiviirus.exe
Description: Identified as a variant of the Trojan-Downloader.Win32.Agent.keu malware.
File Location: C:\Program Files\antiviirus.exe

and 16 BHOs! Oh my!
 
Get Spybot Search and Destroy, update it, immunize, then scan. I believe Spybot finds that trojan; it's pretty popular. PimpMyPc
 
Hence going through the cleanup process first.

SDFix should also get rid of that one.
 
Sorry it took so long; I've been busy and it took a while to do all the steps, but I managed to do them all. Thanks, and lol, I know my computer's in bad shape. It's been slow and crappy ever since my hard drive burned and I got a new one and got it fixed at a shop; it's been prone to this behavior.
 
There are several problems with this computer.

It's going to take me a while to write out a proper fix, so please hold tight and don't try to fix anything in the meantime.
 
In the meantime, while the malware is being rounded up:

STOP these auto-updates:
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

You are way behind on the current Java version and update. Current is v6/u5. So when you get clean, you can uninstall this version in the Control Panel and install the current version; these later versions addressed some security issues:
http://java.sun.com/javase/downloads/index.jsp

Go to Start> Run> type in 'msconfig' without the quotes> Enter> Selective Startup> Startup tab> uncheck all of the following programs:
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\iPod\bin\iPodService.exe
Global Startup: personal Coach.lnk
C:\Program Files\iTunes\iTunesHelper.exe
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

IF any of the following show on Startup, uncheck them also:
C:\Program Files\WinSecureAv\pgs.exe /min
Description: Related to the rogue anti-spyware program called WinSecureAv. This program is installed via the use of malware and displays false or exaggerated infection results.
File Location: C:\Program Files\WinSecureAv\pgs.exe

C:\Windows\System32\mszsrn32.dll
Description: Added by the W32.Banwarum@mm mass-mailing worm.
File Location: %System%
Startup Type: This program uses the Winlogon Notify key to automatically start. This key is used to run certain programs when specific actions occur such as computer starting up, a user logging in or logging off, or a computer shutting down.

O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\System32\mszsrn32.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)

When finished unchecking: Apply> OK> Reboot>
Close the nag message that comes up after checking 'don't show this message again.'

These will not remove the files from your system, but they may keep them from doing more damage. If you see any of the processes listed in the Task Manager> highlight> End Task.

kritius, I hope this will help out.
 
Go to Start> Run> type in 'msconfig' without the quotes> Enter> Selective Startup> Startup tab> uncheck all of the following programs:
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe
C:\Program Files\iPod\bin\iPodService.exe
Global Startup: personal Coach.lnk
C:\Program Files\iTunes\iTunesHelper.exe
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

It's better to have everything enabled in MSCONFIG while doing a fix, because you want everything visible; it's better to use Spybot or CCleaner to control the startups.

The rest is grand though.
 
ok.

Do you live in Canada? I need to know to check your IP settings are legit.

Let's get started then.

Before continuing, please download and install XP SP1a.

Select the language of your operating system and click Go to download it.

Restart the computer for changes to take effect.

If you have problems downloading and installing, please let me know.

Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:
C:\WINDOWS\system32\yijfxmoo.exe
C:\WINDOWS\system32\wcdxjyyh.exe
C:\WINDOWS\TEMP\comsvr32.exe
Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then post the results in your next response.
Do this for each file

Fix entries with HijackThis

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

O4 - HKLM\..\Run: [yijfxmoo] C:\WINDOWS\system32\yijfxmoo.exe
O4 - HKLM\..\Run: [wcdxjyyh] C:\WINDOWS\system32\wcdxjyyh.exe
O4 - HKCU\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe /min
O4 - HKLM\..\Policies\Explorer\Run: [YmbAAfe5dA] C:\WINDOWS\TEMP\comsvr32.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\svch6ng.dll
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\System32\mszsrn32.dll (file missing)
O20 - Winlogon Notify: WLCtrl32 - WLCtrl32.dll (file missing)
O21 - SSODL: RunOnceSrv - {109fd9c6-7aea-478a-be60-5e6b3a7bbbab} - C:\WINDOWS\Installer\{109fd9c6-7aea-478a-be60-5e6b3a7bbbab}\RunOnceSrv.dll (file missing)
O23 - Service: FireDaemon Service: events (events) - Unknown owner - C:\windows\system32\spool\printers\FireDaemon.exe (file missing)
O23 - Service: Google Online Search Service - 2nd - Unknown owner - C:\WINDOWS\System32\winlast.exe (file missing)


Then close all windows except Hijackthis (including this one) and click Fix Checked
Close HijackThis.

Delete files and folders

  • I need you to right click on the start button
    click on explore
    and navigate to and delete these files or folders (if present):


    C:\WINDOWS\system32\yijfxmoo.exe <-- This file
    C:\WINDOWS\system32\wcdxjyyh.exe <-- This file
    C:\Program Files\AVSystemCare\pgs.exe <-- This folder
    C:\WINDOWS\TEMP\comsvr32.exe <-- This file
    C:\WINDOWS\bdoscandel.exe <-- This file
    C:\WINDOWS\System32\svch6ng.dll <-- This file
    C:\WINDOWS\System32\mszsrn32.dll <-- This file
    C:\windows\system32\spool\printers\FireDaemon.exe <-- This file
    C:\WINDOWS\System32\winlast.exe <-- This file


Please go to the Kaspersky website and perform an online antivirus scan. Please use Internet Explorer, as it uses ActiveX.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an ActiveX from Kaspersky. Click Yes.
  3. When the downloads have finished, click on Next button.
  4. Click on Scan Settings button.
  5. Select extended under Scan using the following antivirus database:
  6. Check (tick) these boxes under Scan options:
    • Scan Archives
    • Scan Mail Bases
  7. Click OK
  8. Click on My Computer under Please select a target to scan:
  9. Once the scan is complete it will display if your system has been infected. Click on Save as text button and save it to your desktop.
  10. Copy and paste this log in your next reply.

Run HijackThis again and post a fresh log

In your next reply you should have:
1) fresh HJT log
2) Kaspersky log


This thread is for the use of impaq only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
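As a defender-side illustration of what the O4/O20/O23 lines above encode, here is an added Python triage script. It is not HijackThis or Trend Micro code and not part of kritius's fix; it parses the entries quoted in this thread, extracts the load point and the target binary, and attaches review flags: the "(file missing)" marker HJT itself prints, the Winlogon Notify / AppInit_DLLs / Policies\Explorer\Run load points Bobbye's post explains, a binary living under TEMP, and two name heuristics. The sample input adds one constructed, benign Java updater line so an unflagged entry is visible too. The flag rules are assumptions chosen for this example, not rules HijackThis applies.

```python
"""Triage of HijackThis log lines by load point and target file.

Added example for this thread; not HijackThis/Trend Micro code and not part of
any TechSpot helper's fix. Sample lines are those quoted in the posts above
plus one constructed benign control entry; the flag heuristics are
assumptions made for this example.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: entries quoted in the thread, plus a benign Java
# updater line (constructed) so the output also shows an unflagged entry.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [yijfxmoo] C:\WINDOWS\system32\yijfxmoo.exe
O4 - HKCU\..\Run: [AVSystemCare] C:\Program Files\AVSystemCare\pgs.exe /min
O4 - HKLM\..\Policies\Explorer\Run: [YmbAAfe5dA] C:\WINDOWS\TEMP\comsvr32.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\svch6ng.dll
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\System32\mszsrn32.dll (file missing)
O23 - Service: FireDaemon Service: events (events) - Unknown owner - C:\windows\system32\spool\printers\FireDaemon.exe (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
"""

# Short flag codes and the explanation printed for each (assumed heuristics).
FLAG_TEXT = {
    "orphaned": "load point still references a file that no longer exists",
    "unusual-loadpoint": "mechanism rarely used by ordinary desktop software",
    "temp-dir": "binary runs from a temporary directory",
    "digit-in-name": "digit wedged inside letters, often mimicking a system binary",
    "selfnamed-system32": "Run value named after its own binary, launched from system32",
}

# Load points that home-PC software almost never registers (assumption).
HIGH_RISK_LOADPOINTS = (r"policies\explorer\run", "appinit_dlls", "winlogon notify")

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path ending in .exe/.dll, optionally wrapped in quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll))"?', re.IGNORECASE)
VALUE_RE = re.compile(r"\[([^\]]+)\]")  # the [ValueName] part of an O4 line


def parse_line(line):
    """Return {"section", "detail", "path"} for one HJT line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, detail = m.groups()
    pm = PATH_RE.search(detail)
    return {"section": section, "detail": detail,
            "path": pm.group(1) if pm else None}


def flags_for(entry):
    """Review flags (codes from FLAG_TEXT) for one parsed entry."""
    detail_lc = entry["detail"].lower()
    flags = []
    if "(file missing)" in detail_lc:          # HJT's own annotation
        flags.append("orphaned")
    if any(lp in detail_lc for lp in HIGH_RISK_LOADPOINTS):
        flags.append("unusual-loadpoint")
    path = entry["path"]
    if path:
        p = PureWindowsPath(path)
        parts = [part.lower() for part in p.parts]
        if "temp" in parts or "tmp" in parts:
            flags.append("temp-dir")
        # svch6ng matches; trailing digits such as comsvr32 do not.
        if re.search(r"[A-Za-z]\d[A-Za-z]", p.stem):
            flags.append("digit-in-name")
        value = VALUE_RE.search(entry["detail"])
        if (entry["section"] == "O4" and value
                and value.group(1).lower() == p.stem.lower()
                and "system32" in parts):
            flags.append("selfnamed-system32")
    return flags


def triage(log_text):
    """Parse every HJT line in log_text and return entries with their flags."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            entry["flags"] = flags_for(entry)
            results.append(entry)
    return results


def suspicious_paths(log_text):
    """Paths of entries that picked up at least one flag, in log order."""
    return [e["path"] for e in triage(log_text) if e["flags"] and e["path"]]


def report(log_text):
    """Human-readable triage lines: flagged entries first, then the rest."""
    lines = []
    for e in sorted(triage(log_text), key=lambda e: not e["flags"]):
        mark = "REVIEW" if e["flags"] else "ok    "
        lines.append(f"{mark} {e['section']:<4} {e['path'] or '(no path)'}")
        for f in e["flags"]:
            lines.append(f"         - {FLAG_TEXT[f]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HJT_LINES)))
```

Run it and the two entries the thread marks for deletion without an HJT annotation (yijfxmoo.exe and comsvr32.exe) are surfaced by the self-named-in-system32 and TEMP-directory checks, while the rogue AVSystemCare entry stays unflagged: a reminder that rogue anti-spyware is identified by looking the name up, as the helpers above did, not by path heuristics.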
 
Yes, I live in Canada.

Also, Kritius, I've been told that I don't have a legit copy of Windows XP on my hard drive. Prior to my computer being fried I had a legit copy; then I went to get it fixed at a little shop and they put on this copy I have now. I was also told that the SP1 would damage my computer if I don't have a legit copy of XP. Is that true? Before I download it, lol. BTW, thanks a lot for your help; it's appreciated.
 
Unfortunately I can't work on a non-legit copy.

If you go to the Microsoft website and use the validation tool and it turns out that your copy is not legit, then you will have to take that up with the shop that installed it for you.

Sorry.
 
Sorry, I haven't been home in a while and I haven't yet verified if my copy is legit or not, but I'm planning on buying myself a laptop and fixing this for my brother. Even if it's not legit, could you at least help me get rid of the virus, please?
 
Download the diagnostic tool MGADiag and save it to your desktop.

  • Double-click on MGADiag.exe.
  • Click Run and Run again.
  • Click Continue, then Copy.
  • Next open Notepad; in the empty pane right-click and select Paste. Save the file to your desktop so that you can attach it here.
 