higbvuyb
2007-10-02, 04:54
Hi, I'm trying to clean out a computer, which has a virus.
This is a Windows XP Home Edition SP1a computer.
The computer resets itself seconds after Windows loads, unless I boot it up in Safe mode, so all the scans were done in Safe mode.
I've already tried disabling all startup items, but it doesn't work. I've also tried installing
The Kaspersky scan report is very long (772 infected items), so I am posting a summary:
Number of viruses found 10
Number of infected objects 772
Infected Object Name Virus Name
(Several hundred files) Infected: Virus.Win32.Virut.a
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MPODATIX\kwyrjpibha[1].htm Infected: Trojan-Downloader.Win32.Agent.ddl skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YHQRCP03\doqjpvbu[1].txt Infected: Trojan.Win32.Inject.ch
C:\Documents and Settings\Administrator.YOUR-DY4I9NVWMO\Local Settings\Temporary Internet Files\Content.IE5\18Z91L93\kwyrjpibha[1].htm Infected: Trojan-Downloader.Win32.Agent.ddl skipped
C:\Documents and Settings\Administrator.YOUR-DY4I9NVWMO\Local Settings\Temporary Internet Files\Content.IE5\6GIMUK6Y\doqjpvbu[1].txt Infected: Trojan.Win32.Inject.ch
C:\Documents and Settings\James\Local Settings\Temp\efgi2ty.dll Infected: Trojan-PSW.Win32.OnLineGames.dbn skipped
C:\Documents and Settings\James\Local Settings\Temp\u4ppj.dll Infected: Trojan-PSW.Win32.OnLineGames.boe
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\WLYJ0D6Z\help[1].exe Infected: Trojan-PSW.Win32.OnLineGames.bs skipped
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\WLYJ0D6Z\help[2].exe Infected: Trojan-PSW.Win32.OnLineGames.bs skipped
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\WLYJ0D6Z\help[3].exe Infected: Trojan-PSW.Win32.OnLineGames.bs
C:\Program Files\MWGuide\MWGuide.dll Infected: not-a-virus:AdWare.Win32.Agent.fd
C:\Program Files\NTemp\npkmnc.sys Infected: Rootkit.Win32.Agent.et
C:\uvbbeuu.exe Infected: Trojan-Downloader.Win32.Agent.ddl skipped
C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msiexec.exe Infected: Virus.Win32.Virut.a
C:\WINDOWS\system32\avpo0.dll Infected: Packed.Win32.NSAnti.r skipped
C:\WINDOWS\system32\avpo1.dll Infected: Packed.Win32.NSAnti.r
C:\WINDOWS\system32\dab1.dll Infected: Packed.Win32.NSAnti.r
C:\WINDOWS\system32\drivers\npkmnc.sys Infected: Rootkit.Win32.Agent.et
C:\WINDOWS\system32\explorer.exe~ Infected: Packed.Win32.NSAnti.r
C:\WINDOWS\system32\help.exe.tmp Infected: Trojan-Dropper.Win32.Agent.byp
The HijackThis log:
(Run under safe mode)
-------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:25 PM, on 2/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\explorer.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Shopgate - {5075B68F-6C18-469C-8962-7E9C1778B722} - C:\PROGRA~1\Webvia\webvia.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {10082A0C-609A-4E16-816C-01A40E3AF6ED} - http://down.c-zero.co.kr/cab6/CCInst6.CAB
O16 - DPF: {118FAE88-BC23-4A74-B17A-64184362BCC7} (plueclear Control) - http://update.plusclear.com/activex/plueclearP.cab
O16 - DPF: {126AADD9-6A80-48B7-864A-5EA9A73F0665} (EZCatchInstaller Class) - http://update.ezcatch.net/cab/EZCatchCom.cab
O16 - DPF: {97F3D1C1-C8C2-471D-A139-298DEAA35E0B} (ToonsXComicPlus Control) - http://comicplus.donga.com/viewer/ToonsXComicPlus.cab
O16 - DPF: {CE109CEF-E299-4DAF-9FCB-9C030A32C546} - http://up.uccc.co.kr/ucccplay/launchucccplay.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
--
End of file - 2553 bytes
-------------------------------------------
What do I do to fix this computer? Thanks in advance.
This is a Windows XP Home Edition SP1a computer.
The computer resets itself seconds after Windows loads, unless I boot it up in Safe mode, so all the scans were done in Safe mode.
I've already tried disabling all startup items, but it doesn't work. I've also tried installing
The Kaspersky scan report is very long (772 infected items), so I am posting a summary:
Number of viruses found 10
Number of infected objects 772
Infected Object Name Virus Name
(Several hundred files) Infected: Virus.Win32.Virut.a
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\MPODATIX\kwyrjpibha[1].htm Infected: Trojan-Downloader.Win32.Agent.ddl skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YHQRCP03\doqjpvbu[1].txt Infected: Trojan.Win32.Inject.ch
C:\Documents and Settings\Administrator.YOUR-DY4I9NVWMO\Local Settings\Temporary Internet Files\Content.IE5\18Z91L93\kwyrjpibha[1].htm Infected: Trojan-Downloader.Win32.Agent.ddl skipped
C:\Documents and Settings\Administrator.YOUR-DY4I9NVWMO\Local Settings\Temporary Internet Files\Content.IE5\6GIMUK6Y\doqjpvbu[1].txt Infected: Trojan.Win32.Inject.ch
C:\Documents and Settings\James\Local Settings\Temp\efgi2ty.dll Infected: Trojan-PSW.Win32.OnLineGames.dbn skipped
C:\Documents and Settings\James\Local Settings\Temp\u4ppj.dll Infected: Trojan-PSW.Win32.OnLineGames.boe
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\WLYJ0D6Z\help[1].exe Infected: Trojan-PSW.Win32.OnLineGames.bs skipped
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\WLYJ0D6Z\help[2].exe Infected: Trojan-PSW.Win32.OnLineGames.bs skipped
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\WLYJ0D6Z\help[3].exe Infected: Trojan-PSW.Win32.OnLineGames.bs
C:\Program Files\MWGuide\MWGuide.dll Infected: not-a-virus:AdWare.Win32.Agent.fd
C:\Program Files\NTemp\npkmnc.sys Infected: Rootkit.Win32.Agent.et
C:\uvbbeuu.exe Infected: Trojan-Downloader.Win32.Agent.ddl skipped
C:\WINDOWS\$MSI31Uninstall_KB893803v2$\msiexec.exe Infected: Virus.Win32.Virut.a
C:\WINDOWS\system32\avpo0.dll Infected: Packed.Win32.NSAnti.r skipped
C:\WINDOWS\system32\avpo1.dll Infected: Packed.Win32.NSAnti.r
C:\WINDOWS\system32\dab1.dll Infected: Packed.Win32.NSAnti.r
C:\WINDOWS\system32\drivers\npkmnc.sys Infected: Rootkit.Win32.Agent.et
C:\WINDOWS\system32\explorer.exe~ Infected: Packed.Win32.NSAnti.r
C:\WINDOWS\system32\help.exe.tmp Infected: Trojan-Dropper.Win32.Agent.byp
The HijackThis log:
(Run under safe mode)
-------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:25 PM, on 2/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\explorer.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Shopgate - {5075B68F-6C18-469C-8962-7E9C1778B722} - C:\PROGRA~1\Webvia\webvia.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {10082A0C-609A-4E16-816C-01A40E3AF6ED} - http://down.c-zero.co.kr/cab6/CCInst6.CAB
O16 - DPF: {118FAE88-BC23-4A74-B17A-64184362BCC7} (plueclear Control) - http://update.plusclear.com/activex/plueclearP.cab
O16 - DPF: {126AADD9-6A80-48B7-864A-5EA9A73F0665} (EZCatchInstaller Class) - http://update.ezcatch.net/cab/EZCatchCom.cab
O16 - DPF: {97F3D1C1-C8C2-471D-A139-298DEAA35E0B} (ToonsXComicPlus Control) - http://comicplus.donga.com/viewer/ToonsXComicPlus.cab
O16 - DPF: {CE109CEF-E299-4DAF-9FCB-9C030A32C546} - http://up.uccc.co.kr/ucccplay/launchucccplay.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
--
End of file - 2553 bytes
-------------------------------------------
What do I do to fix this computer? Thanks in advance.