velda Posted October 18, 2005

I found this virus on my computer through an AVG scan. I did a print screen to get an image of exactly what it said. How can I remove this? I'm not too familiar with XP yet, so I'm not comfortable messing with the files just yet. Thanks
Besttechie Posted October 18, 2005

Ok, first thing we should do is disable System Restore. To do that follow this:

Right click My Computer
Choose Properties
Go to the System Restore tab
Check Turn off System Restore
Apply/Ok

Next, reboot. After you reboot run an AVG scan, see if it finds anything and if it does let me know. Then after you reboot and run the AVG scan post a HijackThis log. Follow the directions here:
http://www.besttechie.net/forums/index.php?showtopic=1455

Note: After we clean out the virus we will re-enable System Restore.

B
velda Posted October 18, 2005

It found more than what it said before.... off to run HJT
velda Posted October 18, 2005

Logfile of HijackThis v1.99.1
Scan saved at 11:12:30 AM, on 18/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\WINDOWS\system32\Drivers\XWMSAPI.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [XWMSUSBAPI] C:\WINDOWS\system32\Drivers\XWMSAPI.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game12.zylomgames.com/activex/zylomgamesplayer.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
velda Posted October 18, 2005

Oops, I have a bunch of stuff turned off with Starter.exe. Should I turn them all on and run HJT again?
Besttechie Posted October 18, 2005

Ok, please boot to safe mode, and run AVG from there, have it clean what it can.
http://www.computerhope.com/issues/chsafe.htm
Follow the Windows XP directions.

Then reboot into normal mode, and run this scan.
http://www.pandasoftware.com/activescan/
Click "Scan your PC" then "Check Now" in the popup window, fill out the info and scan. Make sure to include your Panda log in your next reply.

Good luck!

B
velda Posted October 18, 2005

Booted in safe mode.... ran AVG, it found the same viruses, was unable to heal them. Off to do Panda scan
velda Posted October 18, 2005

I'm having a problem with Panda scan. I can scan the computer and it says 17 viruses, but the box that pops up with the scan in it is cut off on the right side and I can't enlarge it, so I can't see what to do or how to save the scan. Any ideas? I tried running it again and the popup box is still cut off on the one side
Besttechie Posted October 18, 2005

Hmm, not sure... screen shot?

In the mean time run:
http://housecall.antivirus.com/
Make sure you tick the auto-clean box.

B
velda Posted October 18, 2005

Well, I went in to get a screen shot and now it's a full box, so I'm off to scan again. Go figure
velda Posted October 18, 2005

I'm a little confused..... when I was having the screen problems with Panda, it was showing 17 viruses, but when I was able to view the whole screen and scanned there were no viruses, completely clean. Then I did the Trend Micro one too, also clean. So now what?
Besttechie Posted October 18, 2005

Ok, let's just clean out your temp internet files.

In IE
Tools
Internet Options
Delete Files
Apply/Ok

Also, your HJT log looks ok. What you can do is go to the location where those virus files are located and see if they're still there. If so, try to delete the files from normal mode regularly if you can't boot to safe mode and delete them. After that you should be ok. Then you can re-enable System Restore if you would like to. The same way you disabled it, just uncheck it to turn it back on and Apply/Ok.

You can fix this with HJT:
O4 - Startup: PowerReg Scheduler V3.exe

Good luck!

B
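Added here as an illustration, not part of the thread: a small Python triage pass over HijackThis-format log lines, run against constructed sample entries shaped like the log posted above. It surfaces the review cues a helper looks for before saying which entries to fix, as Besttechie does with the O4 Startup item: an entry marked (file missing), a Startup-folder item, and a Run entry given as a bare filename that cannot be checked until the file is located. The flag names and the heuristics are this example's own, not HijackThis output.

```python
import re
from collections import namedtuple

# Constructed sample in the HijackThis v1.99 log format, shaped like the log
# posted in this thread (a handful of its entries, not the whole log).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: PowerReg Scheduler V3.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# HJT entry lines start with a section tag (R0-R3, F0-F3, N1-N4, O1-O24), then " - ".
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')   # optionally quoted drive-letter path

Entry = namedtuple("Entry", "section body flags")


def triage(section: str, body: str) -> list:
    """Review cues for one entry (heuristics chosen for this example, not verdicts)."""
    flags = []
    if "(file missing)" in body:
        flags.append("file-missing")        # orphaned reference; nothing runs from it
    if section == "O4":
        if body.startswith(("Startup:", "Global Startup:")):
            flags.append("startup-folder")  # item in a Startup folder, not a Run key
        else:
            # for a Run key entry the target is whatever follows the [name] tag
            target = body.split("]", 1)[-1].strip()
            if not ABS_PATH_RE.match(target):
                flags.append("relative-path")   # found via search path; location unverified
    return flags


def parse_hjt(text: str) -> list:
    """Parse HJT entry lines into Entry records; header and process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), triage(m.group(1), m.group(2))))
    return entries


def review(text: str) -> dict:
    """Map each flagged entry body to its review cues, in log order."""
    return {e.body: e.flags for e in parse_hjt(text) if e.flags}
```

Running review(SAMPLE_LOG) flags three of the seven sample entries; the AVG and QuickTime Run entries, which carry full paths, come back clean.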
velda Posted October 18, 2005

Alright, thank you. I've done what you suggested and I am running AVG again. Those files *were* still there, so I've deleted them; hopefully AVG will come up clean. Thank you so much for taking the time to help me today
Matt Posted December 5, 2005

This thread is being closed because it has been resolved. If you would like it to be reopened please contact a member of the Moderating team.

Matt