A virus has been found on your computer



garrfoster
2009-02-27, 23:38
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:00 AM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Lycosa\razerhid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\windows\nfra.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Documents and Settings\Lindsay Foster\Application Data\svchost.exe
C:\WINDOWS\system32\ntdll64.exe
C:\Program Files\Razer\Lycosa\razertra.exe
C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\oa8v1ix3o.exe
C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\ztre79zwrg.exe
C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\a3wcy907sa8.exe
C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\mumvmvfb.exe
C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\fs05uo.exe
C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\w4oodwfjh.exe
C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\xjcpdu4tr.exe
C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\tzcoxx3gokag.exe
C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Documents and Settings\Lindsay Foster\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\hhs3ijndfd.dll - {c5bf49a2-94f3-42bd-f434-3604812c8955} - C:\WINDOWS\system32\hhs3ijndfd.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Vtidodaqox] rundll32.exe "C:\WINDOWS\Vfomiko.dll",e
O4 - HKLM\..\Run: [sunjavaupdatesched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [soundman] SOUNDMAN.EXE
O4 - HKLM\..\Run: [rthdcpl] RTHDCPL.EXE
O4 - HKLM\..\Run: [Qwotitukixuy] rundll32.exe "C:\WINDOWS\erutazalebinurif.dll",e
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nvmediacenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lycosa] "C:\Program Files\Razer\Lycosa\razerhid.exe"
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [ituneshelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [framework windows] frmwrk32.exe
O4 - HKLM\..\Run: [arcsoft connection service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [alcwzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [adobecs4servicemanager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [adobe reader speed launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [*ctfmon32] "C:\Documents and Settings\Lindsay Foster\Application Data\svchost.exe"
O4 - HKCU\..\Run: [zux5w4gt8ip9yx498brllpagg7nkabwj] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\xbyyng9a.exe
O4 - HKCU\..\Run: [zqckhhc5oi4v9dwq48kqd6amxxfh79igxmzgfe3s4] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\sszdwdk2ggpi.exe
O4 - HKCU\..\Run: [z398rgcmz9kwstdi9pnotffcv] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\h7lrv3cjiy67.exe
O4 - HKCU\..\Run: [yvl02bis3ycnrsatmiuqn5gwmbtk6goacclpzgj] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\j52oef4oiz.exe
O4 - HKCU\..\Run: [yul2vz3ooa5b1qznwktc4f7740tu] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\llf0bnbfj.exe
O4 - HKCU\..\Run: [ysj5kl7fruvz45c9u2tuy] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\rbeesz.exe
O4 - HKCU\..\Run: [y4qxvkf8wcgfifwr41mbti5i0tkgsi9eupuvuw10] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\kpr6lc7fql1y2.exe
O4 - HKCU\..\Run: [xzh6uq1w3r3x0959q0fk3nbof262wdfci2whpd7m57sv2i5le] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\nrpw427dkxw.exe
O4 - HKCU\..\Run: [wgtuyrld8zxry1yuxbhif0j06k6l0dw8grlmxmmyh9j] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\eq4fbj43so.exe
O4 - HKCU\..\Run: [wfuvsj2yvqdkpt7y55jj6o926503glm0p9x31wd] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\clfq1hy69fdrm.exe
O4 - HKCU\..\Run: [wb8x7tjewb96a1upxeg18ro6ic37h0] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\of44sce.exe
O4 - HKCU\..\Run: [vn5eu8eswz1pw1b2hvwfyc1dn2bfzw36mf97abrag8okn] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\w3tjtp.exe
O4 - HKCU\..\Run: [vm9xmkqwku8yrj] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\xiyai3ne.exe
O4 - HKCU\..\Run: [v8t1j9w14jlvt57xp05xym1fbj920yu73bbzyy5cyut6d6l5] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\vw06kk9p.exe
O4 - HKCU\..\Run: [v74s9guo5xag0mtqgiapgd7ys5ow1nxhk7af0u9jbhvj7v] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\c6z41ll.exe
O4 - HKCU\..\Run: [uml2qahz1zzxbegw7agq] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\v7d0br6.exe
O4 - HKCU\..\Run: [tv0cpxwl6myal6a18gx58qgh73aqm83a6ujxiei3e3pqxz] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\i7o492cbo.exe
O4 - HKCU\..\Run: [stpa1sq8lejn1hqwhuzsr1g3e22wt93] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\j5znnffk2.exe
O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [s24xsl7u2nutjxbya886mz] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\fx2xyfh7y8hnm.exe
O4 - HKCU\..\Run: [rwmc3gt4g5eh3h13ag38b05xiihxp7vv] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\i9fntz1665wv.exe
O4 - HKCU\..\Run: [p2f3xq0jf8c0euy36] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\p4by1u.exe
O4 - HKCU\..\Run: [ob4v8mu0dqe81y9] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\r9vnyadxz5.exe
O4 - HKCU\..\Run: [nfra] c:\windows\nfra.exe
O4 - HKCU\..\Run: [krmhkwki0w9islf16evgvy75ryhv1nuom] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\dlck22nqwn.exe
O4 - HKCU\..\Run: [jhjfryaogobatkvr7urlyvit7mo043tn3a] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\jalrnw921.exe
O4 - HKCU\..\Run: [jgk45xin4wvyv] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\lkz0xwmcf90.exe
O4 - HKCU\..\Run: [ifvukf4tg89mhrff6pjnntxqv11ghofjk2] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\qinogt4i.exe
O4 - HKCU\..\Run: [hbdhdmok2yaw] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\j72yr4.exe
O4 - HKCU\..\Run: [gxxfb5jr1e6wo9vtwgj2iejw4dzskbea6lviyd] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\s1x9xf.exe
O4 - HKCU\..\Run: [epson stylus nx400 series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGA.EXE /FU "C:\WINDOWS\TEMP\E_S124.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [e6z749vc0p81p884gb17j79uwl68u0osskjxz] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\oz03su.exe
O4 - HKCU\..\Run: [drpu49veiepgw9c2lf] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\rg3ysxhhn5x.exe
O4 - HKCU\..\Run: [dlt5uxftvuuo] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\r9k4prfw.exe
O4 - HKCU\..\Run: [b5fr538nuxyknqliu3jka8c6ildk] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\m36q9u8no8.exe
O4 - HKCU\..\Run: [a5f36zzmbncgzhh9jtyv] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\ntixshnws.exe
O4 - HKCU\..\Run: [smvd9jximb79edkvyt1bmu8e0r] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\j4vgl7mh7.exe
O4 - HKCU\..\Run: [dsh4kixi6qoqws45s] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\njce96i.exe
O4 - HKCU\..\Run: [cc9v8a52rtt1stybnd58gfpnyvqokye13ulie0qyogh19ydn4] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\othc0n2n.exe
O4 - HKCU\..\Run: [sho3b6g67wxe0gr4rvy4do5yv7tujw4k1r5kgett] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\jzjg58avemx9.exe
O4 - HKCU\..\Run: [j4zio0zhhh32wncd] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\qm214jz.exe
O4 - HKCU\..\Run: [qu6iqc4wz85i61llmm4x5upm3cxxx] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\rdqzcj0l.exe
O4 - HKCU\..\Run: [vsn95qsg100] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\qdn53h9l649pj.exe
O4 - HKCU\..\Run: [t3872pfp0e] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\i9bpjm0cpy2ik.exe
O4 - HKCU\..\Run: [bsgl9gt9cvl1qbon1c815nbqrvg6g4ssczfdt252iwdaor81y] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\tsu8pw.exe
O4 - HKCU\..\Run: [asg7dxsdm2t91jaqe7thcd] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\vdashkemt3oj5.exe
O4 - HKCU\..\Run: [f3q1g67t7zbi3bftlouuq5mksyhbiew] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\uytbt41.exe
O4 - HKCU\..\Run: [e8i41t8d97l7r539h31nxvwvk9eqs76z565g711dwl] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\nv0d66trvxnp.exe
O4 - HKCU\..\Run: [urkcz7x6abwdtqp51w6ktxcmjw40mbqot4xikauhhcerbkh] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\nqodq7h.exe
O4 - HKCU\..\Run: [ifpfkoqsi7qu3pngen3tfuguwvucb] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\xijy50z.exe
O4 - HKCU\..\Run: [cahy98kd4f807e2y6xsrb8] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\tyq012r8h953.exe
O4 - HKCU\..\Run: [hxvj46ng8h87gfmkin1pdbbxddj4ie7juj2e6] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\i6l1186.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB600N\WUSB600N.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\docume~1\lindsa~1\locals~1\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\docume~1\lindsa~1\locals~1\temp\ntdll64.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hhs3ijndfd.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service (flexnet licensing service) - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 13022 bytes


Virus prevented me from using the provided software to make a backup of my system registry. HJT was the only piece of software I could download and use. Spybot and adware were not able to open.

Thank you for your assistance.
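The log above shows the patterns a helper reads for first: dozens of HKCU Run entries with random names launching executables from the user's Temp folder, a copy of svchost.exe under Application Data, an Internet Explorer proxy pointed at localhost:7070, a Winsock LSP DLL in Temp, and a Winlogon Notify DLL. The script below is an added example (not code from this thread, from HijackThis or from Safer Networking) that parses HijackThis log lines and applies exactly those defender-side heuristics so the suspicious entries can be pulled out of a long log automatically. The sample log embedded in it is a small excerpt of the lines posted above; the thresholds in looks_random and the list of system binary names are assumptions chosen for illustration.

```python
"""Triage helper for HijackThis (HJT) logs: flag the entry types the log above
illustrates. Added example, not HijackThis code; heuristics are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Entry:
    """One log line that produced at least one finding."""
    kind: str                                   # HJT code (R1, O4, O10, O20 ...) or PROC
    text: str
    findings: List[str] = field(default_factory=list)


ENTRY_RE = re.compile(r"^([RFON]\d{1,2}) - (.*)$")          # "O4 - ..." style lines
PROC_RE = re.compile(r"^[A-Za-z]:\\")                        # "Running processes" lines
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
TEMP_RE = re.compile(r"\\(?:LOCALS~1\\Temp|Local Settings\\Temp|WINDOWS\\TEMP)\\", re.I)
PROXY_RE = re.compile(r"ProxyServer = \S*?(?:localhost|127\.0\.0\.1):\d+", re.I)
# Binaries that legitimately live only under %SystemRoot%\system32 (assumed list).
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "winlogon.exe")
SYSTEM_DIR = "\\windows\\system32\\"


def exe_of(cmd: str) -> str:
    """Return the executable part of a Run-key command (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def misplaced_system_binary(path: str) -> bool:
    """A system binary name outside system32 is a classic masquerade."""
    low = path.lower()
    return low.endswith(SYSTEM_NAMES) and SYSTEM_DIR not in low


def looks_random(name: str) -> bool:
    """Heuristic (assumed thresholds): long alphanumeric value names that mix in digits
    and have few vowels read like generated names rather than product names."""
    n = name.lower()
    if len(n) < 12 or not n.isalnum() or not any(c.isdigit() for c in n):
        return False
    return sum(c in "aeiou" for c in n) / len(n) < 0.3


def scan_line(line: str) -> Optional[Entry]:
    """Return an Entry with findings for one log line, or None if nothing stood out."""
    line = line.strip()
    if PROC_RE.match(line):                      # running process path
        e = Entry("PROC", line)
        if TEMP_RE.search(line):
            e.findings.append("executable running from Temp directory")
        if misplaced_system_binary(line):
            e.findings.append("system binary name outside system32")
        return e if e.findings else None
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, body = m.groups()
    e = Entry(kind, line)
    if kind == "O4":                             # autorun entries
        rm = RUN_RE.match(body)
        if rm:
            name, cmd = rm.groups()
            if TEMP_RE.search(cmd):
                e.findings.append("autorun from Temp directory")
            if looks_random(name):
                e.findings.append("random-looking autorun name")
            if misplaced_system_binary(exe_of(cmd)):
                e.findings.append("system binary name outside system32")
    elif kind == "R1" and PROXY_RE.search(body):  # browser traffic routed through a local port
        e.findings.append("IE proxy pointed at localhost")
    elif kind == "O10" and TEMP_RE.search(body):  # Winsock LSP from Temp
        e.findings.append("Winsock LSP loaded from Temp")
    elif kind == "O20" and body.startswith("Winlogon Notify:"):
        e.findings.append("Winlogon Notify DLL (verify publisher)")
    return e if e.findings else None


def triage(log_text: str) -> List[Entry]:
    """Scan a whole HJT log and keep only the lines with findings."""
    return [e for e in (scan_line(l) for l in log_text.splitlines()) if e]


def summarize(hits: List[Entry]) -> Dict[str, int]:
    """Count how often each finding type occurred."""
    counts: Dict[str, int] = {}
    for e in hits:
        for f in e.findings:
            counts[f] = counts.get(f, 0) + 1
    return counts


# Excerpt of the log posted above (constructed sample for the example).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Lindsay Foster\Application Data\svchost.exe
C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\oa8v1ix3o.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7070
O4 - HKLM\..\Run: [sunjavaupdatesched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [jsf8uiw3jnjgffght] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\winlognn.exe
O4 - HKLM\..\Run: [*ctfmon32] "C:\Documents and Settings\Lindsay Foster\Application Data\svchost.exe"
O4 - HKCU\..\Run: [zux5w4gt8ip9yx498brllpagg7nkabwj] C:\DOCUME~1\LINDSA~1\LOCALS~1\Temp\xbyyng9a.exe
O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent
O10 - Unknown file in Winsock LSP: c:\docume~1\lindsa~1\locals~1\temp\ntdll64.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for e in hits:
        print(f"{e.kind:4} {'; '.join(e.findings)}\n     {e.text}")
    print(summarize(hits))
```

Run against the full log the script separates the handful of legitimate autoruns (Java, iTunes, Steam, the Epson driver) from the generated-name entries in Temp, which is the same sorting a helper does by eye before writing a fix list; the Winlogon Notify and LSP hits are flagged for review rather than declared malicious, since legitimate software also registers there.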

peku006
2009-02-28, 19:08
Hello and welcome to Safer Networking.

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Please continue to respond until I give you the "All Clear".

If you follow these instructions, everything should go smoothly.

There is no sign of an antivirus installed on your system. There are several reasons for it. Either you have disabled your antivirus or there's no antivirus installed.

If you have disabled it, please re-enable it. If you have no antivirus installed, please get ONE antivirus and install it. Restart the computer for changes to take effect.

avast! 4 Home Edition (http://files.avast.com/iavs4pro/setupeng.exe)
AntiVir Free Edition (http://www.antivir-pe.com/freet/index.php?id=25&domain=free-av.com)

1 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop. Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

if you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

if you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Click Exit on the Main menu to close the program


2 - Scan With ComboFix

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable Anti-virus (http://www.bleepingcomputer.com/forums/topic114351.html)

Please include the C:\ComboFix.txt in your next reply for further review.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the ComboFix log (C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006

peku006
2009-03-06, 13:29
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.