Virus

joelk989

So I was on the internet, then Windows Explorer failed, and then restarted... As soon as it started up, a red circle with an X in it appeared on my programs running bar with a Windows pop-up; it said "your computer is infected with spyware". I go to Task Manager and end all the processes I find that aren't normal processes, then go to the system folder and delete them. I know I didn't delete the critical files that I need to run the system, so I restart and the OS is screwed: it loads XP but won't bring up the login screen. So I ended up reformatting and that's what it's doing now (I'm on a spare computer).

What a lame virus, it didn't even have to have me load an executable and run it.

Why do people make viruses?

PS

Screw Internet Explorer.
 
And this helps him how? Come on man....

Ok, I need you to run HJT (Found here http://thetechaddict.net/forums/index.php?showtopic=3)

Instructions

Following these steps is important to being able to help you solve your problems correctly. We also suggest that you print out these instructions to make it easier to follow. It is also a good idea to check out some of the other threads in this section to see what info is needed and how they were posted. Submitted logs that clearly identify that they have taken all the steps below and have enclosed a description of the problem will be addressed before logs that do not identify the problem or appear not to have been run by the steps written below. In short, you have a much better chance of getting your log read if you follow the steps.

PREPARING YOUR COMPUTER FOR HIJACK


Make sure your system is up to date with all patches and service packs from Windows Update. Windows update

Make sure you can see all hidden files. How to see hidden files

Here are the instructions for booting into safe mode. Booting to safe mode

STEP ONE


Go here and run online scans (all), allow them to delete whatever they find. Note any thing that can't be fixed.
Trend Housecall


STEP TWO


Scanning with Ad-Aware Se

Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan.

Close ALL windows except Ad-Aware SE.

Click on the"world" icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

Once the update is finished click on the "Gear" icon (second from the left at the top of the window) to access the preferences/settings window.

In the "General" window make sure the following are selected in green:

? Automatically save log-file

? Automatically quarantine objects prior to removal

? Safe Mode (always request confirmation)


Under Definitions:

• Prompt to update outdated definitions - set the number of days


Click on the "Scanning" button on the left and select in green :

Under Driver, Folders & Files:

? Scan Within Archives


Under Select drives & folders to scan:

? choose all hard drives


Under Memory & Registry: all green

? Scan Active Processes

? Scan Registry

? Deep Scan Registry

? Scan my IE favorites for banned URL?s

? Scan my Hosts file


Click on the "Advanced" button on the left and select in green:

Under Shell Integration:

? Move deleted files to recycle bin


Under Logfile Detail Level: all green

? include addtional object information

? DESELECT - include negligible objects information

? include environment information


Under Alternate Data Streams:

? Don't log streams smaller than 0 bytes

? Don't log ADS with the following names:
CA_INOCULATEIT


Click the "Tweak" button and select in green:

Under the "Scanning Engine":

? Unload recognized processes during scanning

? Scan registry for all users instead of current user only


Under the "Cleaning Engine":

? Let Windows remove files in use at next reboot


Under the Log Files:

? Include basic Ad-aware SE settings in logfile

? Include additional Ad-aware SE settings in logfile

? Please do not check or make green: Include Module list in logfile

Click on "Proceed" to save the settings.


Click "Start?"

? Choose: 'Perform Full System Scan'

? DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

Click "Next" and Ad-Aware SE will scan your hard drive with the options you have selected and clean automatically.

If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

Save the log file when it asks and then click "finish"

REBOOT to complete the removal of what Ad-Aware SE found

STEP THREE


Scanning in Spybot Search and Destroy:

1. Download and Install Spybot S&D, accepting the Default Settings

2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.

3. Close ALL windows except Spybot S&D

4. Click the button to "Search for Updates" then download and install the Updates.

5. Next click the button "Check for Problems"

6. When Spybot is complete, it will be showing 'RED' entries, bold 'Black' entries and 'GREEN' entries in the window

7. Make certain there is a check mark beside all of the "RED" entries ONLY.

8. Choose 'Fix Selected Problems' and allow Spybot to fix the "RED" entries.

9. REBOOT to complete the scan and clear memory.

STEP FOUR


Download and install the latest version of HijackThis. The current version is v1.99.1. The program can be found here:
http://www.tomcoyote.org/hjt/
Be sure to read the instructions at the site for downloading and installing. Do not attempt to fix anything before submitting a log.

Be sure to include a description of your problem and anything you have tried to fix it! Also include that you have done all the steps above so that the specialists know you have prepped the system.

PLEASE NOTE:

Reading each log can take anywhere from 30-60 minutes. That does not include the time it takes to respond with all the fixes that will be required to help you. There are very few Specialists available with the expertise required to help you safely solve your problem. Our specialists have put in a lot of time training to help you and do so on a volunteer basis. We are very lucky to have some of the best in the world. Please be patient as there are often more logs than specialists to go around. If your log has not been read within 7-10 days, feel free to contact one of the admins so that they can assist you.

EXAMPLE OF WHAT YOUR LOG SHOULD LOOK LIKE WHEN SUBMITTED.


The description of your problem and all the steps you have done to try to correct the problem, go here. Be sure to let the experts know that you followed the steps for prepping the system!

Logfile of HijackThis v1.99.1
Scan saved at 11:09:28 AM, on 8/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Deer Park Alpha 2\firefox.exe
C:\Documents and Settings\Owner.YOUR-LK4RLMSU41\Desktop\Stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyd.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: MyBHOSpy Class - {C52CBAEC-D969-4635-9F50-426CC15CE463} - C:\WINDOWS\System32\4143179a.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BlockChecker] C:\Program Files\Block Checker\block-checker.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Owner.YOUR-LK4RLMSU41\Local Settings\Temp\{7B7A9144-5122-4903-96D6-3F122376F1C7}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.pcflashbang.com/statistics/inst.exe
O16 - DPF: {2615A7FB-2554-454F-848E-5E5DB130D43C} (WCGSystem Control) - http://genius.worldcybergames.com/WCGSystem.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yah...utocomplete.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.com...bio5_3_12_0.cab
O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.buddylinks.net/ShellInstallerRaptor.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe (file missing)
O23 - Service: Panda IManager Service (PSIMSVC) - Unknown owner - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Then post them here
http://forums.thetechguys.com/forumdisplay.php?f=22

End
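One way to do a first pass over a HijackThis log of the kind shown above, as an added example that is not the forum's or HijackThis's own code: it parses the `Oxx - ...` entry format and flags the entries that a log reader would normally look at first (files that no longer exist, a BHO with a random-looking name in System32, an autorun with no full path, an ActiveX download of a bare executable, a service with no publisher). The sample lines are constructed, modelled on the example log, and the heuristics are assumptions about what typically deserves review, not a verdict on any entry.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format, modelled on the example
# log in the thread (hypothetical lines, not any real machine's scan).
SAMPLE_LOG = """\
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\\Program Files\\Viewpoint\\Viewpoint Toolbar\\ViewBarBHO.dll
O2 - BHO: MyBHOSpy Class - {C52CBAEC-D969-4635-9F50-426CC15CE463} - C:\\WINDOWS\\System32\\4143179a.dll
O4 - HKLM\\..\\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\\..\\Run: [Zone Labs Client] C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\\Program Files\\PartyPoker\\PartyPoker.exe (file missing)
O16 - DPF: {0FFFFFFF-0FFF-0FFF-0FFF-0FFFFFFFFFFF} - http://www.pcflashbang.com/statistics/inst.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Unknown owner - C:\\Program Files\\Panda Software\\Panda Titanium Antivirus 2005\\pavsrv51.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O2 - BHO: ..." style entries
HEX_NAME_RE = re.compile(r"\\system32\\[0-9a-f]{8}\.dll$", re.IGNORECASE)
BARE_EXE_RE = re.compile(r"\]\s+([^\\\s]+\.exe)\b", re.IGNORECASE)  # "[Name] foo.exe"

def triage(log_text):
    """Return (section, reason, line) for entries that merit a closer look.
    Heuristics only: a hit means 'verify this', not 'this is malicious'."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, "Running processes:" block, or blank line
        section, body = m.groups()
        if "(file missing)" in body:
            findings.append((section, "points at a file that no longer exists", line))
        if section == "O2" and HEX_NAME_RE.search(body):
            findings.append((section, "BHO with random-looking name in System32", line))
        if section == "O4" and BARE_EXE_RE.search(body):
            findings.append((section, "autorun without a full path (resolved via PATH)", line))
        if section == "O16" and body.lower().endswith(".exe"):
            findings.append((section, "ActiveX (DPF) entry that downloads a bare executable", line))
        if section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with no publisher recorded", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```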
 
Thanks, yeah I'm using Firefox now. It's kind of too late to do the HJT thing considering I already reformatted, but if it ever happens again I'll do it.
 