Need help with virus removal

Ok, apparently I've recently contracted the Windows XP Recovery virus. On startup the Windows XP Recovery center pops up and runs a scan telling me I have a bad hard drive among other errors. I also get error messages from the task bar popping up. The desktop has gone blank, and so have my startup menu programs. I've already unhidden the programs under My Computer. Before getting on here I ran Malwarebytes, Avira scan and Spybot Search & Destroy. Spybot found a Windows security system override and a trojan (sorry, can't remember the name of it and no logs) while Malwarebytes and Avira are coming up clean. I noticed my Malwarebytes was out of date after I ran the DDS scan, so I'm updating it now but figured I'd hold off on scanning again till told to. Thanks for the help!

.

DDS (Ver_2011-06-03.01) - NTFSx86 NETWORK

Internet Explorer: 8.0.6001.18702

Run by Administrator at 18:10:59 on 2011-06-05

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.23 [GMT -5:00]

.

AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

.

============== Pseudo HJT Report ===============

.

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll

TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [HostManager] c:\program files\common files\aol\1293679480\ee\AOLSoftware.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [ATIModeChange] Ati2mdxx.exe

mRun: [ArcSoft MediaImpression Monitor] c:\program files\kodak\mediaimpression se\ArcMonitor.exe

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{ABF422BA-5F59-4A3F-A4FB-06CFF8994ABB} : DhcpNameServer = 192.168.2.1

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

============= SERVICES / DRIVERS ===============

.

S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-11-24 11608]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-11-24 136360]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-11-24 269480]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-11-24 61960]

S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2010-11-6 2560]

.

=============== Created Last 30 ================

.

2011-06-05 21:46:44 -------- d-----w- c:\windows\pss

2011-06-05 17:13:05 -------- d--h--w- c:\documents and settings\administrator.owner-75fdfe945\application data\Avira

2011-06-05 07:21:34 -------- d-sh--w- c:\documents and settings\administrator.owner-75fdfe945\PrivacIE

2011-06-05 07:20:06 -------- d--h--w- c:\documents and settings\administrator.owner-75fdfe945\application data\Malwarebytes

2011-06-04 23:32:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-06-04 22:34:50 -------- d-sh--w- C:\found.004

2011-06-04 22:22:09 333312 ---ha-w- c:\documents and settings\all users\application data\16572196.exe

2011-06-04 22:17:51 333312 ---ha-w- c:\documents and settings\all users\application data\17948452.exe

2011-06-04 19:56:32 418816 ---ha-w- c:\documents and settings\all users\application data\pwuodgGalVQQUg.exe

2011-06-02 19:25:30 -------- d--h--w- C:\3f99aae90d790088b66234d5a7ee1e36

2011-06-01 21:02:31 -------- d--h--w- c:\windows\system32\wbem\Repository

2011-06-01 21:02:31 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-06-01 04:56:02 -------- d--h--w- c:\documents and settings\all users\application data\Spybot - Search & Destroy

2011-06-01 04:54:31 -------- d--h--w- c:\program files\Spybot - Search & Destroy 2

2011-05-29 19:51:11 -------- d-sh--w- C:\found.003

2011-05-23 12:05:41 -------- d--h--w- c:\documents and settings\all users\application data\Malwarebytes

2011-05-23 12:05:35 -------- d--h--w- c:\program files\Malwarebytes' Anti-Malware

2011-05-15 22:43:30 -------- d-sh--w- C:\found.002

.

==================== Find3M ====================

.

2011-06-05 21:51:18 1481 --sha-w- c:\windows\system32\mmf.sys

.

============= FINISH: 18:11:53.84 ===============

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317
