BullGuard
 HomeLog InRegisterCommunity CalendarSearch the ForumView The Member ListHelp
Please Help! I've got a virus problem!
   
BullGuard Antivirus Forum > BullGuard zone > BullGuard Trial users > Please Help! I've got a virus problem!  
Forum Quick Jump
 
New Topic Locked Topic Printable version of : Please Help! I've got a virus problem!
[ << Previous Thread | Next Thread >> ]

vuthda
New Member


Date Joined May 2006
Total Posts : 10
 
   Posted 5/30/2006 11:05 AM (GMT +2)    Quote: Please Help! I've got a virus problem!Alert an admin about: Please Help! I've got a virus problem!
i have bought a new computer recently, it occus virus problem, when i log in the windows , i can't click to execute any destop icon ,even the start botton also out of work, i decide to reinstall new windows and here is my HJT log file,
Logfile of HijackThis v1.99.1
Scan saved at 17:04:02, on 2006-5-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\桌面\hijackthis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O14 - IERESET.INF: START_PAGE_URL=about:blank
O17 - HKLM\System\CCS\Services\Tcpip\..\{098FB18C-7F69-480D-9467-BE227BFE6391}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{098FB18C-7F69-480D-9467-BE227BFE6391}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
 
confused anyone can find my problem , please help
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12981
 
   Posted 5/30/2006 2:08 PM (GMT +2)    Quote: Please Help! I've got a virus problem!Alert an admin about: Please Help! I've got a virus problem!
Hi vuthda smile
 
 
Clean log, but if I´m right You have a
Gaelicium-infection.
 
If You have another computer or know one who have a computer, please download these two files, burn then to a cd or put them on a USB pen/stick.  Install them on the "sick" computer.
 
 
Reboot to safe mode, doubleclick on exefix reg, agree to merge, see if You can run Vcleaner exe now


Regards - Touch   idea
 
 
Please start your own thread by clicking the new topic button. Do NOT post your problem in someone elses thread.
Do not PM me with logfiles. They will be deleted
 

Back to Top
 

vuthda
New Member


Date Joined May 2006
Total Posts : 10
 
   Posted 5/31/2006 10:01 AM (GMT +2)    Quote: Please Help! I've got a virus problem!Alert an admin about: Please Help! I've got a virus problem!
hi
come again, thank for your reply,i have done what u said but can't find any virus, but now it still occus the problem: when i move the mouse on any icon on desktop every thing disappear! but in the safe mode my computer work properly, and here is my logfile
Logfile of HijackThis v1.99.1
Scan saved at 13:05:01, on 2006-5-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
G:\anti spy\hijackthis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IMSCMig] C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMSC40A\IMSCMIG.EXE /Preload
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Rainlendar精美日历.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: 使用网际快车下载 - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: 导出到 Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: 信息检索 - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O14 - IERESET.INF: START_PAGE_URL=about:blank
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E5EC451-4FD3-4EAF-841E-04A44FC5690D}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5E5EC451-4FD3-4EAF-841E-04A44FC5690D}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{5E5EC451-4FD3-4EAF-841E-04A44FC5690D}: NameServer = 192.168.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
 
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12981
 
   Posted 6/3/2006 3:57 AM (GMT +2)    Quote: Please Help! I've got a virus problem!Alert an admin about: Please Help! I've got a virus problem!
Sorry for late reply - Do you still have problems ?


Regards - Touch   idea
 
 
Please start your own thread by clicking the new topic button. Do NOT post your problem in someone elses thread.
Do not PM me with logfiles. They will be deleted
 

Back to Top
 

vuthda
New Member


Date Joined May 2006
Total Posts : 10
 
   Posted 6/3/2006 5:08 AM (GMT +2)    Quote: Please Help! I've got a virus problem!Alert an admin about: Please Help! I've got a virus problem!
no, now it's still work properly, but got question to ask you: do you know some effective antispyware softwares for chinesse QQ instance Messanger. confused
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12981
 
   Posted 6/3/2006 5:40 AM (GMT +2)    Quote: Please Help! I've got a virus problem!Alert an admin about: Please Help! I've got a virus problem!
Not exactly for chinesse QQ instance Messanger eyes
But try AVG antivirus
I can´t see any Avirus, or Firewall
 
And ZA as firewall 


Regards - Touch   idea
 
 
Please start your own thread by clicking the new topic button. Do NOT post your problem in someone elses thread.
Do not PM me with logfiles. They will be deleted
 

Back to Top
 

vuthda
New Member


Date Joined May 2006
Total Posts : 10
 
   Posted 6/6/2006 4:29 AM (GMT +2)    Quote: Please Help! I've got a virus problem!Alert an admin about: Please Help! I've got a virus problem!
thank for your comment, i still wonder why every time i turn on the computer, when i look in my Task Manager and in the application tab i see NTService.exe is running , i try to end task it , but when i restart my pc, NTService.exe is the same running. and here is my hijack this log file:
Logfile of HijackThis v1.97.7
Scan saved at 10:20:55, on 2006-6-6
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\NTService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\µçÄÔ±¨ºÏ¶©±¾2005\InfoReceiver\InfoReceiver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\hijackthis.exe

O2 - BHO: stdup - {6A512BF7-EC78-4e8d-9841-6C02E8FA9838} - C:\WINDOWS\SYSTEM32\stdup.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [InfoReceiver] C:\Program Files\
O4 - HKLM\..\Run: [KService] C:\WINDOWS\system32\KService.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O8 - Extra context menu item: >> ²ÊÐÅ·¢ËÍ << - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm
O8 - Extra context menu item: ʹÓÃÍø¼Ê¿ì³µÏÂÔØ - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: ʹÓÃÍø¼Ê¿ì³µÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: …R³öÖÁ Microsoft Office Excel(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ìí¼Óµ½QQ×Ô¶¨ÒåÃæ°å - C:\Program Files\Tencent\qq\AddPanel.htm
O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Program Files\Tencent\qq\AddEmotion.htm
O8 - Extra context menu item: ÓÃQQ²ÊÐÅ·¢Ë͸ÃͼƬ - C:\Program Files\Tencent\qq\SendMMS.htm
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O14 - IERESET.INF: START_PAGE_URL=about:blank
O17 - HKLM\System\CCS\Services\Tcpip\..\{6687B7D4-3772-4700-8E6A-57E38D4C0487}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{6687B7D4-3772-4700-8E6A-57E38D4C0487}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{6687B7D4-3772-4700-8E6A-57E38D4C0487}: NameServer = 192.168.0.1


could you please tell me how to fix this NTservice?
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12981
 
   Posted 6/6/2006 10:32 AM (GMT +2)    Quote: Please Help! I've got a virus problem!Alert an admin about: Please Help! I've got a virus problem!
Good grief, what have You done, it is certainly infected now freaked smilewinkgrin
First thing - You are using an ancient version of hijackthis, please download newest version -


1.       Download Hijackthis  http://castlecops.com/downloads-file-328.html.
To Desktop
 
2.       Unzip it in a permanent folder of your choice, such as C:\HJT\. To create this specific folder on your hard drive: Double click the 'My Computer' icon on your desktop, then under the category hard disk drives: double click Local Disk:, then select file->New -> Folder and name it HJT. Alternatively,you may navigate to the directory of your choice, create a new folder in the same way, and save it there.
3.       Next right-click on the HijackThis! Zip file and 'extract all' to the new folder you just created.
 
To obtain your Reference HijackThis Log:
1.       Double click the HijackThis.exe inside to folder to run the program.
2.       Choose the "Do a system scan and save a log file." option to perform your scan.
3.      HijackThis will analyze your system, and automatically open a notepad textfile containing the HijackThis log when the scan is finished.
Open the text files containing the logs with a text editor and click Edit -> Select All, followed by Edit -> Copy.
From within the browser window and with the message body text box selected, click Edit -> Paste.
 
    
Post fresh  hijackthis  log
 



Regards - Touch   idea
 
 
Please start your own thread by clicking the new topic button. Do NOT post your problem in someone elses thread.
Do not PM me with logfiles. They will be deleted
 

Back to Top
 

vuthda
New Member


Date Joined May 2006
Total Posts : 10
 
   Posted 6/15/2006 11:34 AM (GMT +2)    Quote: Please Help! I've got a virus problem!Alert an admin about: Please Help! I've got a virus problem!
hi:
back again, while I'm scanning spyware with Ad-ware personal, it indicate my pc was infected by spyware named: " Adware.huacisou " , i have try to delete many time but it can make sence, and Ad-ware alert that it can't delect the following files
C:\windows\system32\driver\abhcop.sys
C:\windows\system32\driver\hcalway.sys
come you tell me how to solve it?
thank in advance
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12981
 
   Posted 6/15/2006 12:39 PM (GMT +2)    Quote: Please Help! I've got a virus problem!Alert an admin about: Please Help! I've got a virus problem!
Leave ad aware, it is a kind of rootkit You´ve got (the sys files), and do as I suggest here: Posted 6/6/2006 9:32 AM


Regards - Touch   idea
 
 
Please start your own thread by clicking the new topic button. Do NOT post your problem in someone elses thread.
Do not PM me with logfiles. They will be deleted
 

Back to Top
 

vuthda
New Member


Date Joined May 2006
Total Posts : 10
 
   Posted 6/19/2006 5:19 AM (GMT +2)    Quote: Please Help! I've got a virus problem!Alert an admin about: Please Help! I've got a virus problem!
hi now in my LAN i have infected by W32.Rontokbro.X@mm which have been detected by Norton Anti virus, i try to scan it but the Norton still alert that virus, and here are my 3 pc's log file in the LAN:

----------------------------
pc1
----------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:25:29 AM, on 6/17/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Roth12\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\System32\SHDOCVW.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{47768B93-0350-4A09-9519-C6E1B15C61AB}: NameServer = 202.93.8.2,202.93.8.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{47768B93-0350-4A09-9519-C6E1B15C61AB}: NameServer = 202.93.8.2,202.93.8.34
O17 - HKLM\System\CS2\Services\Tcpip\..\{47768B93-0350-4A09-9519-C6E1B15C61AB}: NameServer = 202.93.8.2,202.93.8.34
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

------------------------------------
pc2
-------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:34:15 AM, on 6/17/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{652910C9-93EA-43B7-AEC9-798929DD6518}: NameServer = 202.93.8.2,202.93.8.34
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: IIS Admin (IISADMIN) - Unknown owner - C:\WINDOWS\System32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Simple Mail Transfer Protocol (SMTP) (SMTPSVC) - Unknown owner - C:\WINDOWS\System32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

------------------------
pc3
------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:38:32 PM, on 6/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbworld.com.kh/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDsnJKz/X5XzpJwOXlua1FBC9E+iRCiGj1mdSFaVWLfuGZVfQXANSEhWUBjiEu0csa9ozIdYNe6mxiEF/Gro4sZQTDmewr+J+WdZCrcT+IuWyM/12oNEV3UZ2DocYAUshXhwCRi9pKa1qw5yjuMMQnZIHK5vlJ++UwZDLvXQ6VlrI=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A225CC32-F4EC-40F9-8D66-BB7F3DA0C515}: NameServer = 202.93.8.2,202.93.8.34
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

could you please help me!
Back to Top
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 12981
 
   Posted 6/22/2006 6:59 AM (GMT +2)    Quote: Please Help! I've got a virus problem!Alert an admin about: Please Help! I've got a virus problem!
Pc1 & PC2
 
 
Please download free  Trial of Superantispyware
http://www.superantispyware.com/superantispywarefreevspro.html
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it.
close the program
 

Download and install:  http://www.filehippo.com/download_ccleaner/
For a basic version of CCleaner with no Yahoo Toolbar, select the second or third install option as follows:
Even if you selected Option 2 or 3, if you do not want the Yahoo Toolbar installed:
Uncheck "Add CCleaner Yahoo! Toolbar", as it is checked by default during CCleaner Setup

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)
You will be prompted to check for updated definitions, please do so.
(This may take several minutes)
 
 
Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.
 
 
Reboot into Safe  Mode   by tapping F8 after the BIOS has loaded.
The Windows Advanced Options Menu appears.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
 
 

Open Ccleaner.
1. Before first use, check under Options, Advanced, and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
2. A pop up box will appear advising this process will permanently delete files from your system.
3. Then select the items you wish to clean up.
In the Windows Tab:
Clean all entries in the "Internet Explorer". If you prefer to keep your cookies, uncheck the Cookies entry. Deleting cookies will require re-entry of user names and passwords on next visit to sites that require users log in.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.
In the Applications Tab:
Clean all (optionally, except cookies) in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.
4. Then click the "Run Cleaner" button and it will scan and clean your system. Click exit.
 

Run Spysweeper:
Click on "Options > Sweep Options" and check "Sweep all Folders on Selected drives". Check "Local Disc C".
Under What to Sweep: check all of the boxes except Sweep Contents of Compressed Files and do not Sweep Systemrestore Folder.
Click on Sweep and allow it to fully scan your system.
When the sweep has finished, click "Remove". Click "Select All" and then "Next".
From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
Exit Spy Sweeper.
 

Start Superantispyware/rightclick on the black/yellow bug in tray.
Hit - Scan Your Computer - button
Click on the drive(s) you want to scan. Put a check in - Perform Complete Scan, then next
it will scan now. When scan have finished, put a checkmark with  all items it found. Next, after cleaning, let it Reboot
-------------------------------------------
 
Important -
Change langage.
 
-------------------------------------------------------------------------------
 
Next go to Start- Search and scrolldown using the scroll bar on the right. Go down to More advanced options and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
And Find:
superantispyware log
 
 
Post these log along with fresh hijackthis logs
 
 
 
 
 
 


Regards - Touch   idea
 
 
Please start your own thread by clicking the new topic button. Do NOT post your problem in someone elses thread.
Do not PM me with logfiles. They will be deleted
 

Back to Top
 
New Topic Locked Topic Printable version of : Please Help! I've got a virus problem!
 
Forum Information
Currently it is Thursday, December 18, 2014 9:28 PM (GMT +2)
There are a total of 60,830 posts in 13,364 threads.
In the last 3 days there were 4 new threads and 5 reply posts. View Active Threads
Who's Online
This forum has 36990 registered members. Please welcome our newest member, Penipuhati.
9 Guest(s), 0 Registered Member(s) are currently online.  Details
5 Latest Threads
Ex Display Kitchens For Sale (0)12/18/2014 3:41:50 PM (Penipuhati)
IS BULLGUARD BLOCKING WEBS.COM? (3)12/18/2014 11:12:18 AM (bobashabiniu)
Computer Attacks (hacks) on the increase??? (4)12/18/2014 11:11:43 AM (bobashabiniu)
Please help me in choosing web hosting (4)12/18/2014 11:11:21 AM (bobashabiniu)
Antivirus (3)12/18/2014 11:09:52 AM (alice william)