|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Virus/Trojan/Spyware Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help. |
 |
|
|
LinkBack | Thread Tools |
10-13-2009, 09:52 PM
|
#1 (permalink) |
|
Registered User
Join Date: Oct 2009
Posts: 7
OS: XP
|
Need Help to Eliminate Viruses XP Home
Ok, so time to get a little help on this problem. I have an HP Pavilion ZE4900 Laptop. It wouldn’t boot when I first got it and after a lot of effort I got XP Home Edition repaired and eventually updated to SP2. SP3 will not install as it stops part way through with an error message that it can’t copy either the file xptht26p.htm or sconnect.htm.
I finally got anti-virus software running on it and it was loaded with worms, Trojans, and backdoors. It seems to clean up with the virus cleaners until I connect to the internet and then the viruses start showing up again. Some of the virus files that start to show up are sv2.exe, sv3.exe (etc), svchust.exe, BtwSrv.dll (and exe), isasdk.sys, and spoolsrv.exe. Suspecting a Rootkit, I tried to run Rootkit Buster from TrendMicro but it won’t run saying that it failed the integrity check and needs to be downloaded again. I can run the same file on my desktop without the error. Deciding to post a HijackThis log here, I started over again to get it as clean as I can first. I updated the virus software and then disconnected from the internet. I booted in Safe Mode and signed on as Administrator. I then ran the following in the sequence shown: 1) Ccleaner 2) Spybot Search and Destroy (results; Alexa, Refpron, Smitfraud-C.gp, Win32.Agent.wiw, Win32.Clicker.sv, Win32.Delf.uc) 3) Super Antispyware (results; Trojan.Agent/Gen-Refpro[New], Trojan.Agent/Gen-Virut[FNS], Trojan.Dropper/Win-NV, Trojan.Agent/Gen-NumTemp, Trojan.Agent/Gen-Dropper[Temp], Trojan.Agent/Gen-VB[LSM32], Trojan.Agent/Gen, Adware.Vundo Variant) 4) Malwarebytes Anti-Malware (results;Trojan.Agent w/various *.tmp files, Backdoor.bot-Finstall.sys, Trojan.Agent-isvchost.exe, Trojan.Agent-Net_Login, Trojan.Downloader-NetLogin, Backdoor.bot-opeia.exe, Various Malware Traces such as BuildW, guid, Update, UpdateNew, mBt, mfa, uid, etc) 5) Ccleaner 6) HijackThis Each time I ran a program, I rebooted to Safe Mode and logged in as Administrator without any internet connection. Here is the HijackThis Log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:34:35 PM, on 10/13/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Safe mode Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Virus Fighting Tools\HijackThis.exe R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shortcut365.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://signup.live.com/signup.aspx?...ollrs=12&lic=1 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - S-1-5-18 Startup: scandisk.lnk = ? (User 'SYSTEM') O4 - .DEFAULT Startup: scandisk.lnk = ? (User 'Default user') O4 - Global Startup: BTTray.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1226714866264 O20 - AppInit_DLLs: c:\windows\system32\wikufalu.dll,hezubuti.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing) O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing) O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: btwdins - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing) O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing) O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing) O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing) O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe (file missing) O23 - Service: NWDLS - Unknown owner - C:\WINDOWS\system32\NWDLS.exe (file missing) O23 - Service: RDSessMgr - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing) O23 - Service: RSVP - Unknown owner - C:\WINDOWS\System32\rsvp.exe (file missing) O23 - Service: SNDSrvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing) O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing) O23 - Service: VSS - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing) O23 - Service: WmiApSrv - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing) O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe -- End of file - 5847 bytes |
|
     |
| Important Information |
|
Join the #1 Tech Support Forum Today - It's Totally Free!
TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free. Join TechSupportforum.com Today - Click Here |
|
10-14-2009, 11:03 AM
|
#2 (permalink) | |
|
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,508
OS: XP SP3
|
Re: Need Help to Eliminate Viruses XP Home
Hello and welcome to TSF.
We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a Quote:
Please follow our pre-posting process outlined here: NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed. If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
__________________
My services are free. However, you can donate to TSF to help keep it running.   Member of ASAP since 2005 Member of UNITE since 2006 |
|
|
|
|
|
| Thread Tools | |
|
|
