Computer Hope

Software => Computer viruses and spyware => Topic started by: bamfy on May 18, 2009, 02:48:07 PM

Title: Hi, any chance of help with this?
Post by: bamfy on May 18, 2009, 02:48:07 PM
Hi,

Firstly, thanks for your help in advance... I have had this problem a week now and have been going through the forum and can't find a fix.

Firstly, I am unable to use Windows properly. At present when I start my laptop up I get to the logon screen and enter my details, and then all I get is the background and the arrow there.. I have to manually run explorer.exe.... Today it won't even start explorer.exe; it pops up with a Windows Explorer error.

I have to open programs such as Firefox etc. with the Task Manager, which is becoming a pain. Other things I have noticed are about 25/30 cmd.exe processes running at times.. and some .tmp files running... I also get a BSOD popping up at times and the error is "page fault in non paged area"

hope you can help!!

thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:59:49, on 18/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/de...=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=2081027
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=2081027
O2 - BHO: MS extension - {E59CAA7A-E7C2-4ca4-BA16-BE41FBC048A8} - interconn32.dll (file missing)
O4 - HKLM\..\Run: [20920] C:\veavtuf.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\who r you\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\sezulono.dll c:\windows\system32\nojelawo.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 4628 bytes
Title: Re: Hi, any chance of help with this?
Post by: Karnac on May 18, 2009, 02:56:16 PM
See if you can run the other two programs from the guidelines....

http://www.computerhope.com/forum/index.php/topic,46313.0.html

and post the logs.
Title: Re: Hi, any chance of help with this?
Post by: bamfy on May 18, 2009, 03:18:21 PM
hi there,

I tried the other two programs.. when I run SUPERAntiSpyware I get a BSOD with the error explained above.. the laptop has now rebooted and has explorer.exe starting on its own but tons of cmd.exe files running... here is the CCleaner log and new HJT log

CLEANING COMPLETE - (1.778 secs)
------------------------------------------------------------------------------------------
8.16MB removed.
------------------------------------------------------------------------------------------

Details of files deleted
------------------------------------------------------------------------------------------
Marked for deletion: C:\Documents and Settings\who r you\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Marked for deletion: C:\Documents and Settings\who r you\Cookies\index.dat
Marked for deletion: C:\Documents and Settings\who r you\Local Settings\History\History.IE5\index.dat
Emptied Recycle Bin (3 files) 7.11MB
C:\WINDOWS\TEMP\VRT1.tmp 3.00KB
C:\WINDOWS\TEMP\VRT10.tmp 3.00KB
C:\WINDOWS\TEMP\VRT11.tmp 3.00KB
C:\WINDOWS\TEMP\VRT14.tmp 11.50KB
C:\WINDOWS\TEMP\VRT15.tmp 3.00KB
C:\Documents and Settings\who r you\Local Settings\temp\Cookies\who r you@bontrafic[2].txt 176 bytes
C:\Documents and Settings\who r you\Local Settings\temp\coredmp 0 bytes
C:\Documents and Settings\who r you\Local Settings\temp\etilqs_2fdgV2mCkbnJPCjl58nT 1.00KB
C:\Documents and Settings\who r you\Local Settings\temp\etilqs_2fdgV2mCkbnJPCjl58nT-journal 1.51KB
C:\Documents and Settings\who r you\Local Settings\temp\etilqs_xwjRlfZpxt6JKsNXI2rc 32.03KB
C:\Documents and Settings\who r you\Local Settings\temp\IMT4.xml 1.95KB
C:\Documents and Settings\who r you\Local Settings\temp\IMT5.xml 426 bytes
C:\Documents and Settings\who r you\Local Settings\temp\IMT6.xml 0.67MB
C:\Documents and Settings\who r you\Local Settings\temp\SSUPDATE.EXE 0.17MB
C:\Documents and Settings\who r you\Local Settings\temp\Temporary Internet Files\Content.IE5\BY2ZVZBR\index[1].htm 4.50KB
C:\Documents and Settings\who r you\Local Settings\temp\Temporary Internet Files\Content.IE5\H11DJMAT\index[1].htm 4.50KB
C:\Documents and Settings\who r you\Local Settings\temp\Temporary Internet Files\Content.IE5\H11DJMAT\index[2].htm 4.50KB
C:\Documents and Settings\who r you\Local Settings\temp\Temporary Internet Files\Content.IE5\KW0YIMQO\index[1].htm 4.50KB
C:\Documents and Settings\who r you\Local Settings\temp\~DFEF2D.tmp 0.11MB
C:\WINDOWS\system32\wbem\Logs\wbemcore.log 7.46KB
C:\WINDOWS\system32\wbem\Logs\wbemess.log 1.21KB
C:\WINDOWS\system32\wbem\Logs\wmiprov.log 438 bytes
Removed Cookie: www.superantispyware.com
Removed Cookie: google.co.uk
Removed Cookie: bbc.co.uk
Removed Cookie: google.com
Firefox/Mozilla cache cleaning was skipped.
C:\Documents and Settings\who r you\Local Settings\Application Data\Opera\Opera\profile\cache4\dcache4.url 20 bytes
C:\Documents and Settings\who r you\Local Settings\Application Data\Opera\Opera\profile\cache4\revocation\dcache4.url 20 bytes
C:\Documents and Settings\who r you\Local Settings\Application Data\Opera\Opera\profile\cache4\revocation\vlink4.dat 12 bytes
C:\Documents and Settings\who r you\Application Data\Opera\Opera\profile\global.dat 0 bytes
C:\Documents and Settings\who r you\Application Data\Opera\Opera\profile\download.dat 12 bytes
C:\Documents and Settings\who r you\Application Data\Opera\Opera\profile\vlink4.dat 12 bytes
C:\Documents and Settings\who r you\Application Data\Opera\Opera\profile\typed_history.xml 56 bytes
C:\Documents and Settings\who r you\Local Settings\Application Data\Opera\Opera\profile\vps\0000\md.dat 8.00KB
C:\Documents and Settings\who r you\Application Data\Macromedia\Flash Player\#SharedObjects\LVLXENDC\naiadsystems.com\naiad.sol 57 bytes
C:\Documents and Settings\who r you\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#naiadsystems.com\settings.sol 86 bytes
------------------------------------------------------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:18:00, on 18/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\services.exe
C:\Documents and Settings\who r you\reader_s.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2081027
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2081027
O2 - BHO: MS extension - {E59CAA7A-E7C2-4ca4-BA16-BE41FBC048A8} - interconn32.dll (file missing)
O4 - HKLM\..\Run: [20920] C:\veavtuf.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\who r you\reader_s.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\sezulono.dll c:\windows\system32\nojelawo.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 9174 bytes
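The points a log reader would check in the two HijackThis logs above, written out as an added triage script (not a HijackThis feature and not part of this thread): a core Windows binary running from outside system32, the same image repeated many times, Run-key entries planted in several hives or pointing at a drive or %SystemRoot% root, an AppInit_DLLs entry, and a BHO whose DLL is missing. The heuristics and the flood threshold are assumptions of this example; the sample lines are copied from the posted logs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\cmd.exe

O2 - BHO: MS extension - {E59CAA7A-E7C2-4ca4-BA16-BE41FBC048A8} - interconn32.dll (file missing)
O4 - HKLM\..\Run: [20920] C:\veavtuf.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\who r you\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\system32\sezulono.dll c:\windows\system32\nojelawo.dll
"""
# Core Windows binaries whose only legitimate home is %SystemRoot%\system32.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                        "lsass.exe", "svchost.exe", "spoolsv.exe"}
FLOOD_THRESHOLD = 3  # assumed: this many identical images is worth a look
O4_RE = re.compile(r"^O4 - (HK\S+?)\\\.\.\\Run: \[([^\]]*)\] (.+?)(?: \(User '[^']*'\))?$")

def split_sections(text):
    """Split a HijackThis log body into (process image paths, O-entries)."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            processes.append(line)
        else:
            entries.append(line)
    return processes, entries

def triage(text):
    """Return (indicator, detail) findings for one log body; [] means nothing flagged."""
    processes, entries = split_sections(text)
    findings, seen = [], set()
    for img in processes:
        # 1. A core binary running from outside system32 is a name-shadowing copy.
        directory, _, base = img.rpartition("\\")
        if base.lower() in CORE_SYSTEM_BINARIES and not directory.lower().endswith("\\system32") and img not in seen:
            seen.add(img)
            findings.append(("shadowed-system-binary", img))
    # 2. The same image repeated over and over (the cmd.exe/services.exe flood).
    for img, n in Counter(p.lower() for p in processes).items():
        if n >= FLOOD_THRESHOLD:
            findings.append(("process-flood", f"{img} x{n}"))
    # 3. Run-key persistence planted in several hives, or aimed at a drive/%SystemRoot% root.
    hives_by_name = defaultdict(set)
    for line in entries:
        m = O4_RE.match(line)
        if m:
            hive, name, target = m.groups()
            hives_by_name[name.lower()].add(hive.split("\\")[0])
            if target.rpartition("\\")[0].lower() in ("c:", "c:\\windows"):
                findings.append(("run-key-root-target", target))
        elif line.startswith("O20 - AppInit_DLLs:"):  # loads into every GUI process
            findings.append(("appinit-dlls", line.split(": ", 1)[1]))
        elif line.startswith("O2 - ") and "(file missing)" in line:  # dangling BHO hook
            findings.append(("bho-file-missing", line.rsplit(" - ", 1)[1]))
    for name, hives in hives_by_name.items():
        if len(hives) > 1:
            findings.append(("run-key-multi-hive", f"{name}: {sorted(hives)}"))
    return findings
```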
Title: Re: Hi, any chance of help with this?
Post by: evilfantasy on May 18, 2009, 03:24:01 PM
The logs show that you are infected by an infection called Virut or Sality. Virut/Sality is a virus that infects all executable files and screensavers. Virut also opens a back door providing the attacker with unauthorized remote access to the infected computer. Definition: Polymorphic virus (http://www.spywareguide.com/term_show.php?id=33).

There is no way to cure this infection. Your only option is to perform a full reformat. Do NOT attempt a repair install. Trying to fix this infection will only leave the computer unusable. See Virut on the Rise (http://evilfantasy.wordpress.com/2009/02/21/vitut-on-the-rise/) and Virut and other File infectors - Throwing in the Towel? (http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html) for more information. 

Note that if you decide to try and clean this you must be extremely careful about what is backed up, as these new infections can get into many different file extensions (DLL, EXE, SCR, HTM, HTML, MP3, AVI, WMV, PDF.....etc). A complete reformat and reinstall is highly suggested! Avoid backing up compressed files (zip/cab/rar.....etc). Virut can also penetrate compressed files that have .exe or .scr inside them.

Backing up files before formatting

If you back up any files they should be scanned from a clean, properly protected PC before restoring. Also be careful what scanner is used, as some are very poor at detecting and even worse at protecting from this infection. In fact, due to the nature of these new infections, there are probably no tools that will properly protect you from the infection. Be very selective and only back up files you cannot replace, like text documents and personal photos.

Do not back up to another machine! It will likely become infected by Virut. Burn to DVD/CD, a flash drive or to an external drive which has nothing else on it and which you can format should it become infected from the backups.

I suggest running at least 3 of the below scanners on the backup files. Run the first scan then reboot before running the second then reboot after the second before running the third.
 
-) Dr.Web CureIt! (http://www.freedrweb.com/)
-) AVG Win32/Virut Removal Tool (http://www.avg.com/us.virus-removal.ndi-67762)
-) Symantec W32.Virut Removal Tool (http://www.symantec.com/security_response/writeup.jsp?docid=2009-022016-4444-99)
-) McAfee Avert Stinger (http://vil.nai.com/vil/stinger/default.aspx)
-) Microsoft Windows Malicious Software Removal Tool (http://support.microsoft.com/kb/890830)

If you do not know how to perform a fresh install, use this website -> http://www.windowsreinstall.com/

Very important, do the following immediately or as soon as possible!

If you have done any online transactions, call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all of your account numbers.
 
From a clean computer change all of your online passwords including for email, banks, financial accounts, PayPal, eBay, online credit card companies and any online forums or groups you belong to etc.

DO NOT change passwords or do any transactions while using the infected computer. The attacker will get the new passwords and transaction information.
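A way to apply the backup rules in this post mechanically, as an added example that is not part of the thread or of any tool named in it: it skips the infectable extensions and archive types listed above, opens zip files to see whether one hides an .exe or .scr, keeps only an assumed allow-list of text and photo types, and leaves everything else for manual review. The sample tree is constructed inside the example.

```python
import os
import tempfile
import zipfile

# Extensions the post lists as infectable, and the archive types it says to avoid.
INFECTABLE = {".dll", ".exe", ".scr", ".htm", ".html", ".mp3", ".avi", ".wmv", ".pdf"}
ARCHIVES = {".zip", ".cab", ".rar"}
EXECUTABLE_INSIDE = {".exe", ".scr"}
# Assumed allow-list for "files you cannot replace": plain text and personal photos.
KEEP = {".txt", ".jpg", ".jpeg", ".png"}

def archive_verdict(path):
    """Archives are skipped either way; report whether this one hides an executable."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
        if any(os.path.splitext(n)[1].lower() in EXECUTABLE_INSIDE for n in names):
            return "skip-archive-with-executable"
    return "skip-archive"  # cab/rar cannot be opened here, so they are skipped unread

def classify(path):
    """Map one file to keep / skip-infectable / skip-archive* / review."""
    ext = os.path.splitext(path)[1].lower()
    if ext in INFECTABLE:
        return "skip-infectable"
    if ext in ARCHIVES:
        return archive_verdict(path)
    if ext in KEEP:
        return "keep"
    return "review"  # unknown type: decide by hand, then scan it from a clean PC

def plan_backup(root):
    """Walk root and group relative paths by verdict."""
    plan = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            plan.setdefault(classify(full), []).append(os.path.relpath(full, root))
    return plan

def demo_plan():
    """Build a constructed sample tree in a temp dir and return its backup plan."""
    with tempfile.TemporaryDirectory() as root:
        files = {"notes.txt": b"todo", "holiday.jpg": b"\xff\xd8", "setup.exe": b"MZ",
                 "page.htm": b"<html>", "budget.xls": b"\xd0\xcf"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
            zf.writestr("readme.txt", "docs")
            zf.writestr("bin/helper.scr", "MZ")  # executable hidden inside an archive
        with zipfile.ZipFile(os.path.join(root, "photos.zip"), "w") as zf:
            zf.writestr("img1.jpg", "jpg")
        return plan_backup(root)
```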
Title: Re: Hi, any chance of help with this?
Post by: bamfy on May 18, 2009, 03:28:49 PM
hi,

Thanks for that! I need to know what to do now.. the laptop has no disk drive and Windows came installed on it already!

What can I do to fix this?
Title: Re: Hi, any chance of help with this?
Post by: evilfantasy on May 18, 2009, 03:33:55 PM
You will need to borrow a Windows CD from a friend if you can, or try the manufacturer's website. They will usually ship the install CD for free or for shipping costs. As long as it is the same Operating System CD then you can use it. All you need is your License Key to activate Windows.

If not that then try eBay or Amazon. Someplace like that.
Title: Re: Hi, any chance of help with this?
Post by: bamfy on May 18, 2009, 04:26:28 PM
hi there,

just used this that was on the bottom of your last post

-) AVG Win32/Virut Removal Tool

I have run it and it asked me to restart.. I have done this and it was running for about 20 minutes and it has now rebooted again and it seems to be working fine.. booted up correctly.. explorer.exe started fine and the tasks seem fine...

Could this now be fixed or do I still need the re-install?
Title: Re: Hi, any chance of help with this?
Post by: evilfantasy on May 18, 2009, 04:33:58 PM
No, I highly doubt it is fixed. The Virut is in all of your system files. Removing it would leave your computer unusable. You can scan with the other tools and likely find more each time you scan. The computer is not safe until you reformat and reinstall.

Sorry but I've tried before. Hours and hours later I finally had to give in. You just can't contain the main infected files in order to clean them.

Title: Re: Hi, any chance of help with this?
Post by: Bgs on May 19, 2009, 05:19:28 AM
Hi Evilfantasy, I have a question about these tools for malware detection: do they conflict with any antivirus software, for example ESET NOD32 antivirus? I give this example because this is the antivirus I use ;D.
Title: Re: Hi, any chance of help with this?
Post by: evilfantasy on May 19, 2009, 11:58:23 AM
No they won't.
Title: Re: Hi, any chance of help with this?
Post by: apostle3 on October 10, 2010, 09:31:31 AM
Hi Evilfantasy

Maybe I'm unrealistic, but rather than attempt removal of the virus, couldn't another "protective" virus be written that could simply "follow" Virut around and return things to the default settings, or in a best case scenario, to the way they were? ...I dunno, just thinking out loud. I'm no code monkey or anything so I don't really know if two polymorphic viruses can "battle it out"
Title: Re: Hi, any chance of help with this?
Post by: evilfantasy on October 10, 2010, 01:26:44 PM
Any program you have installed to counter Virut will also be infected so, no. The only reliable (and working) cure is as described above.