
Red biohazard desktop

By mrnopost · 15 replies
Jul 31, 2008
  1. Man, I'm so so screwed, please help me. I'm a student for photography and I have two of my midterm projects on my PC. This afternoon something about a codec appeared on my screen while I was trying to look at a video that was sent to me. I clicked it and 3 minutes later I get a red screen with a biohazard sign on it. Now task manager is gone, control panel is gone, my C drive is gone... everything is gone except for a few files on my desktop. I'm going to fail if I can't get my files for class... Man, I'm in panic mode so much right now. On top of that I have client files for my freelance graphic arts that I really really need... PLEASE help me guys, I would really really appreciate it.
  2. raybay

    raybay TS Evangelist Posts: 7,241   +10

    Install MBAM Malware Bytes and SuperAntispyware while in SAFE MODE, and run them. You will likely get lucky and remove enough to get the boot working. Or buy Spyware Doctor 5.5 or Webroot Spyware... at about $30 and $45. and clean your system. I would also download and run a scan with antivir antispyware.

    The BIOHAZARD crap is more gag than long term dangerous. Just keep as calm as possible and organized as possible, and look at the posts on this forum for removing infestations.
    It will be alright, but may take two or three hours to fix.
  3. mrnopost

    mrnopost TS Rookie Topic Starter

    my log file

    Here is the log file for my HijackThis....
    I don't know what else to do. :(

    Attached Files:

  4. mrnopost

    mrnopost TS Rookie Topic Starter

    Thanks RayBay, I will do everything you suggested. I appreciate it!! :)
  5. xxdanielxx

    xxdanielxx TS Booster Posts: 1,069

    Looks like we have some work to do. I am checking your log right now.
  6. xxdanielxx

    xxdanielxx TS Booster Posts: 1,069

    OK, first: you have 3 realtime spyware apps, of which you can only have one. You currently have

    Spyware Doctor
    Windows Defender

    Please uninstall 2 of them. If I am wrong, please advise.
  7. raybay

    raybay TS Evangelist Posts: 7,241   +10

    Partially true. Spyware Doctor and SpySweeper conflict and are probably part of the problem. But Windows Defender will work with either and should not be installed... I would keep SpySweeper and Windows Defender because they serve different functions... but save the install code for SpySweeper.
  8. xxdanielxx

    xxdanielxx TS Booster Posts: 1,069

    Also do you know the IP below
  9. xxdanielxx

    xxdanielxx TS Booster Posts: 1,069

    Ok please follow the steps below

    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • C:\WINNT\eHome\MCAgen.exe
    • Click on the Upload button
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.


    We need to get rid of one of the services running on your machine. To do this, copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

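    @echo off
    rem Service name as shown on the O23 line of the log; quoted because it contains spaces
    sc stop "Viewpoint Manager Service"
    sc delete "Viewpoint Manager Service"
    rem Delete this script and close the window
    del service.cmd & exit

    Save it to your desktop as File name: service.cmd
    Save as type: All Files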

    Once done, double click service.cmd to run it. A command window will open briefly, then close. This is quite normal.


    Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    O3 - Toolbar: Gwinnett Tech Browser Toolbar - {F3A2858F-30A5-445C-A604-46B25A7AA8BF} - C:\Program Files\GTCBrowserToolbar\Gwinnett Tech Browser Toolbar\GwinnettechToolBar.dll
    O3 - Toolbar: fdkowvbp - {54EF0797-AF80-4CF5-AB0C-7E87CCEC3E0B} - C:\WINNT\fdkowvbp.dll
    O4 - HKLM\..\Run: [lphc7elj0e753] C:\WINNT\system32\lphc7elj0e753.exe
    O4 - HKLM\..\Run: [SMrhc3elj0e753] C:\Program Files\rhc3elj0e753\rhc3elj0e753.exe
    O4 - HKLM\..\Run: [4443684d] rundll32.exe "C:\WINNT\system32\gcvlvsnp.dll",b
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzed055DIUS_ZN
    O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {9F6D8A59-DD92-499D-944A-38FDB2CE46FF} (Napster download control v2.0) - http://sms.napster.com/client/plugin/npdownload.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
    O21 - SSODL: wnslvxtf - {FF119E9A-3F23-49B8-B0A4-268168B9D0CD} - C:\WINNT\wnslvxtf.dll
    O21 - SSODL: eqvwamkl - {4C80C046-C152-4C98-A647-A70455B3DBAC} - C:\WINNT\eqvwamkl.dll
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O24 - Desktop Component 0: Privacy Protection - (no file)

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):


    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      C:\Program Files\GTCBrowserToolbar
      C:\Program Files\rhc3elj0e753
      C:\Program Files\Ebates_MoeMoneyMaker
      C:\Program Files\Viewpoint\
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    After that, Reboot, and post a new HijackThis log here in a reply
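
The fix list in the post above mixes several kinds of HijackThis entry. As an added example (not part of the thread and not HijackThis's own code), this sketch splits such lines into section code, meaning and local file path, and tags autostart points, policy lockouts and orphaned entries; the section descriptions are my summary and the tag names are hypothetical.

```python
import re

# Editor's summary of the section codes that appear in the quoted fix list.
SECTIONS = {
    "R0": "IE start page", "O3": "IE toolbar", "O4": "Run-key autostart",
    "O6": "IE options locked by policy", "O7": "Regedit disabled by policy",
    "O8": "IE context-menu item", "O9": "IE extra button",
    "O16": "ActiveX download (DPF)", "O21": "ShellServiceObjectDelayLoad",
    "O23": "Windows service", "O24": "Active Desktop component",
}
PERSISTENCE = {"O4", "O21", "O23"}   # entries that start code at boot or logon
LOCKOUT = {"O6", "O7"}               # policies that block the user's own tools

ENTRY = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# Drive letter, backslash, then the shortest run ending in a known extension.
LOCAL_PATH = re.compile(r'[A-Za-z]:\\[^"*?<>|]+?\.(?:exe|dll|htm)\b', re.I)

def parse_entry(line):
    """Split one log line into code, meaning, local path and triage tags."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    path = LOCAL_PATH.search(rest)
    tags = set()                      # hypothetical tag names
    if code in PERSISTENCE:
        tags.add("persistence")
    if code in LOCKOUT:
        tags.add("lockout")
    if "(file missing)" in rest:
        tags.add("orphaned")
    return {"code": code, "kind": SECTIONS.get(code, "unknown"),
            "path": path.group(0) if path else None, "tags": tags}

def triage(log_text):
    """Parse every recognisable entry; lines that are not entries are skipped."""
    return [e for e in map(parse_entry, log_text.splitlines()) if e]

# Six entries copied from the fix list in the post above.
SAMPLE = r'''
O3 - Toolbar: fdkowvbp - {54EF0797-AF80-4CF5-AB0C-7E87CCEC3E0B} - C:\WINNT\fdkowvbp.dll
O4 - HKLM\..\Run: [4443684d] rundll32.exe "C:\WINNT\system32\gcvlvsnp.dll",b
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O21 - SSODL: wnslvxtf - {FF119E9A-3F23-49B8-B0A4-268168B9D0CD} - C:\WINNT\wnslvxtf.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
'''

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(e["code"], e["kind"], e["path"], sorted(e["tags"]))
```
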
  10. mrnopost

    mrnopost TS Rookie Topic Starter

    Here goes the report. Sorry it took so long, my PC is running super slowwwww!! Feel like I got a dern Tandy now. Feel like this thing is running on a Johnny 5 processor. Thanks again Daniel.... You're like a god right about now. Also, I'm not sure what that IP address is, but I googled it and I think it may have something to do with my Buffalo router.

    VirSCAN.org Scanned Report :
    Scanned time : 2008/08/01 02:42:46 (EDT)
    Scanner results: All Scanners reported not find malware!
    File Name : MCAgen.exe
    File Size : 249856 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 2bc9fa0c8cb0fda52dd343aa9d995a05
    SHA1 : ccb8af89d65c5ca72e75e9ffc301dc8ba240c7f6
    Online report :

  11. mrnopost

    mrnopost TS Rookie Topic Starter

    My MoveIt2 log....

    File/Folder C:\Program Files\GTCBrowserToolbar not found.
    File/Folder C:\WINNT\fdkowvbp.dll not found.
    File/Folder C:\WINNT\system32\lphc7elj0e753.exe not found.
    File/Folder C:\Program Files\rhc3elj0e753 not found.
    File/Folder C:\WINNT\system32\gcvlvsnp.dll not found.
    File/Folder C:\Program Files\Ebates_MoeMoneyMaker not found.
    File/Folder C:\WINNT\wnslvxtf.dll not found.
    File/Folder C:\WINNT\eqvwamkl.dll not found.
    Folder C:\Program Files\Viewpoint\ not found.

    OTMoveIt2 by OldTimer - Version log created on 080
  12. mrnopost

    mrnopost TS Rookie Topic Starter

    Here goes my new log. Seems like the pop-ups stopped. But I still don't have access to the C drive, control panel or anything else in the start menu. But it seems like we are getting somewhere. :) Man, I'm somewhat relieved.
  13. xxdanielxx

    xxdanielxx TS Booster Posts: 1,069


    • Download SmitFraudFix to your desktop
    • Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    • Double-click SmitfraudFix.exe
    • Select 2 and hit Enter to delete infected files.
    • You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    • A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt (Attach the log to your next reply)



    • Download ComboFix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.

    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

    Combofix will automatically save the log file to C:\combofix.txt

    Then post a fresh hijackthis log
  14. insoman

    insoman TS Booster Posts: 102

    Just a humble suggestion. Open the file in notepad and delete all but one line of code then click save. I had one of these and it worked as a quick fix. Maybe just maybe it would work for you?
    Humble apologies if I am being stupid.
  15. xxdanielxx

    xxdanielxx TS Booster Posts: 1,069

    If the user is already being helped, please do not jump in with other advice; it can confuse the user.
  16. xxdanielxx

    xxdanielxx TS Booster Posts: 1,069

    Hmm the first hijackthis scan you did showed

    Logfile of Trend Micro HijackThis v2.0.2

    Which is the newest version but your new log shows

    Logfile of HijackThis v1.99.1

    And you are running it from my documents

    go to the following location and delete hijackthis
    C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

    run the newest version and post a fresh hijackthis log
Topic Status:
Not open for further replies.
