Computer Hope

Software => Computer viruses and spyware => Topic started by: tackler on February 20, 2010, 09:59:13 AM

Title: Virus\Malware Problem
Post by: tackler on February 20, 2010, 09:59:13 AM
I've been dealing with a nasty virus over the past few days, but have been unable to handle it myself because of how it's dealing with the situation. First off, I can't install any new anti-virus software, and with the scans I've run nothing picks up the virus.

I've tried reading the topic about what to do before posting, and steps 1 and 2 didn't help. And I couldn't install the programs listed in steps 3 or 4. What happens is I'll click on them, then nothing. They simply disappear; no pop-ups, no error messages, nothing. So I'm on Step 5 now. My Java version was Version 6 Update 16 before updating to Version 6 Update 18.

Now Step 6.....

I'll describe the virus first, then post my HijackThis log.
1. I get random redirects from Google entries (using Firefox), like the website I clicked will appear with another one completely unrelated.
2. When I try to get some type of computer help, sometimes if I try to visit a computer help website like bleepingcomputer I'll get a webpage not found.
3. If I Ctrl+Alt+Delete I can see under Applications a bunch of Internet Explorer windows running what appear to be pop-ups, but I can't see them.

On a side note I feel that it may be 2-3 viruses, somewhere in the background.

Code:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:42:54 AM, on 2/20/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\drweb.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\taskmgr.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\csrss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\msinits.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

O2 - BHO: C:\WINDOWS\system32\yns8e.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\yns8e.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\yns8e.dll, HUI_proc
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\csrss.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: 7whfiudhf8s7f3oifhif7syfdhsof - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\yns8e.dll

--
End of file - 1893 bytes

I understand

[Saving space, attachment deleted by admin]
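Triage of the log above, as an added example (this script is not from the thread, from Computer Hope, or from Trend Micro). It encodes the patterns a responder reads off a HijackThis log: executables with OS-core names (csrss.exe, lsass.exe, svchost.exe and so on) running anywhere other than %SystemRoot%\system32, anything executing from a Temp directory, Run values with random-looking names or that use rundll32 to load a DLL, a BHO whose display name is just its own path, and the DisableRegedit policy. The sample lines are copied from the log posted above; the classification rules and thresholds are this example's own assumptions, not a published signature.

```python
"""Triage helper for a HijackThis-style log.  Added example, not code from
the thread or from Trend Micro; the rules below are this script's own
assumptions about what a responder flags, not a published signature."""
import re

# Process names that Windows XP runs only from %SystemRoot%\system32.  A file
# with one of these names anywhere else is masquerading.
CORE_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "rundll32.exe", "taskmgr.exe",
}
SYSTEM32 = "c:\\windows\\system32\\"
# Per-user Temp (short and long form) and the system Temp directory.
TEMP_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\|\\windows\\temp\\", re.I)
# Mixed letters and digits, no separators, 8+ chars: the auto-generated
# value names seen in the log (TOY5KNQ8OC, asg984jgkf...).
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$", re.I)

# Lines copied from the log posted above (trimmed to the interesting ones).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\csrss.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

O2 - BHO: C:\WINDOWS\system32\yns8e.dll - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\yns8e.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Remote System Protection] rundll32.exe C:\WINDOWS\system32\yns8e.dll, HUI_proc
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: 7whfiudhf8s7f3oifhif7syfdhsof - {A3BA40A2-74F0-42BD-F434-00B15A2C8953} - C:\WINDOWS\system32\yns8e.dll
"""


def path_reasons(path):
    """Reasons a single executable/DLL path is suspicious (empty if none)."""
    p = path.strip().strip('"').lower()
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if TEMP_RE.search(p):
        reasons.append("executes from a Temp directory")
    if name in CORE_NAMES and not p.startswith(SYSTEM32):
        reasons.append("OS-core name %s outside system32" % name)
    return reasons


def first_path(command):
    """Extract the launched file from a Run command that may carry arguments."""
    m = re.match(r'\s*"?([^"]+?\.(?:exe|dll|com|scr))"?', command, re.I)
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else command


def entry_reasons(line):
    """Reasons an O2/O4/O7/O22 line is suspicious (empty if none)."""
    m = re.match(r"O4 - HK\w+\\\.\.\\Run: \[([^\]]*)\] (.*)", line)
    if m:
        value_name, cmd = m.groups()
        rd = re.match(r'\s*"?rundll32(?:\.exe)?"?\s+(\S+?\.dll)', cmd, re.I)
        reasons = (["rundll32 autorun loading " + rd.group(1)] if rd
                   else path_reasons(first_path(cmd)))
        if RANDOM_NAME_RE.match(value_name):
            reasons.append("random-looking value name " + value_name)
        return reasons
    m = re.match(r"O(2|22) - [^:]+: (.*?) - \{[0-9A-F-]+\} - (.*)", line, re.I)
    if m:
        kind, name, dll = m.groups()
        reasons = path_reasons(dll)
        if kind == "2" and name.strip().lower() == dll.strip().lower():
            reasons.append("BHO has no friendly name, only its own path")
        if RANDOM_NAME_RE.match(name):
            reasons.append("random-looking object name " + name)
        return reasons
    if line.startswith("O7 - ") and "DisableRegedit=1" in line:
        return ["regedit disabled by policy"]
    return []


def triage(log_text):
    """Return [(line, [reason, ...]), ...] for every suspicious line in the log."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        reasons = path_reasons(line) if in_procs else entry_reasons(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

A hit is a lead, not a verdict: the names in CORE_NAMES are legitimate only from system32 on XP, so a copy in Temp is a near-certain indicator, while a random-looking Run value name is only suggestive and should be confirmed by examining the file it launches. On the log above the script flags the two Temp processes, the rundll32 autorun and the Temp autorun, the nameless BHO, the DisableRegedit policy and the SharedTaskScheduler entry, and leaves MSConfig and ctfmon.exe alone.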
Title: Re: Virus\Malware Problem
Post by: evilfantasy on February 20, 2010, 04:37:12 PM
Welcome to CH.

Try this please.

Try not to restart the computer until one of the tools we use does it for you or tells you to.

1) Please download and run the below tool named Rkill (courtesy of BleepingComputer.com), which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the next one.

Vista and Windows 7 users need to right-click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
* Rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
* Rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
* Rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)

* Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7, right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* When finished it will create a log.
* Please post the rkill.log in the next reply.

* If Rkill does not run from the first link, delete the file, then download and use the one provided in Link 2. If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.
* If the tool does not run from any of the links provided, please let me know.


Once you've gotten one of them to run then try to immediately run the following.


2) Download and run exeHelper

* Please download exeHelper from Raktor (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
* Double-click on exeHelper.com to run the fix.
* A black window should pop up; press any key to close once the fix is completed.
* A log file named log.txt will be created in the directory where you ran exeHelper.com.
* Add the log.txt file to your next message.

Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log, and post the two logs together (they will both be in the one file).


3) If you already have Malwarebytes be sure to update it before running the scan!

Download Malwarebytes' Anti-Malware (MBAM) (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to the following:

* Update Malwarebytes' Anti-Malware
* Launch Malwarebytes' Anti-Malware

* Then click Finish
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Title: Re: Virus\Malware Problem
Post by: tackler on February 20, 2010, 11:42:05 PM
Alright here is the rkill log that I just got

Code:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as HP_Owner on 02/20/2010 at 22:30:16.


Processes terminated by Rkill or while it was running:


C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\cmd.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\spoolsv.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\services.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\svchost.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\csrss.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\debug.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\setup.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\notepad.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\system.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\lsass.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\win16.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\msinits.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe


Rkill completed on 02/20/2010  at 22:30:23.

When I ran the exehelper it would go then stop after policies. Here is the log.
Code:
exeHelper by Raktor
Build 20091220
Run at 22:28:11 on 02/20/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

I was unable to install Malwarebytes' Anti-Malware because it never loads. I downloaded mbam-setup.exe to my desktop, and from there once I clicked on it nothing would happen. This doesn't happen with other programs. As well, I see that the program is running when I go to Task Manager under Processes.

On a side note it appears that I have had Malwarebytes' Anti-Malware installed under C:\Program Files\Malwarebytes' Anti-Malware, but when I click on the icon nothing happens again. This doesn't happen with other programs either. It's like the virus knows the programs I'm trying to run and stops them from loading\appearing.
Title: Re: Virus\Malware Problem
Post by: evilfantasy on February 21, 2010, 11:05:52 AM
Restart the computer and then run Rkill again, and immediately after that try this.

Download ComboFix from one of the below links. You must rename it before saving it!

Important! You MUST save ComboFix to your desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://www.forospyware.com/sUBs/ComboFix.exe)

Rename ComboFix to Combo-Fix before saving it to the desktop.

(http://img708.imageshack.us/img708/6562/cf1.gif)

(http://img708.imageshack.us/img708/6739/cf2.gif)

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.

Double click on Combo-Fix.exe & follow the prompts.

Vista and Windows 7 users Right-Click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.
 
Post the contents of that log in your next reply.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
Title: Re: Virus\Malware Problem
Post by: tackler on February 21, 2010, 02:21:39 PM
When I follow the first link to download ComboFix, I get a server not found.

(http://i49.tinypic.com/2s9uid0.png)

It's almost like the virus\trojan will allow me to go to certain sites and use only certain programs.

But I think if someone was able to put ComboFix in a zip\rar folder and then upload it somewhere else, I could download it from that website and run it on my computer.

When I try the second link, nothing happens; I get redirected to http://www.forospyware.com/.

Sorry about all this trouble.
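The thread never establishes what blocks bleepingcomputer.com, the ComboFix mirrors and the other sites; a rewritten hosts file is one common mechanism and the cheapest to rule in or out, so this added example (not from the thread or from any of the tools named in it) assumes that and audits a hosts file offline. The contents of SAMPLE_HOSTS are constructed for the example, not taken from the poster's machine, and the WATCHED list is just the domains this thread shows failing.

```python
"""Hosts-file audit.  Added example, not from the thread: it assumes the
site blocking is done through the hosts file, which the thread does not
confirm.  SAMPLE_HOSTS is constructed data."""

# Domains the thread shows as unreachable or redirected (an assumption, not
# a vendor list).  Subdomains of each are matched too.
WATCHED = ("bleepingcomputer.com", "geekstogo.com", "forospyware.com",
           "majorgeeks.com", "novirusthanks.org", "malwarebytes.org")

# The only mapping a stock Windows XP hosts file contains.
EXPECTED = {("127.0.0.1", "localhost")}

# Constructed sample: a stock header plus the kind of entries a blocker adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.bleepingcomputer.com   # constructed tampering
127.0.0.1       download.bleepingcomputer.com
203.0.113.7     oldtimer.geekstogo.com
127.0.0.1       www.example.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:                    # one IP may map several names
            yield ip, name.lower()


def is_watched(hostname):
    """True if hostname is one of WATCHED or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED)


def audit_hosts(text):
    """Return every entry that does not belong in a stock hosts file, tagged
    with whether it targets one of the security sites from the thread.  A
    non-watched entry still counts: a stock XP file has only localhost."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in EXPECTED:
            continue
        findings.append({"ip": ip, "host": name, "security_site": is_watched(name)})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        tag = "SECURITY SITE" if f["security_site"] else "unexpected"
        print("%-15s %-35s %s" % (f["ip"], f["host"], tag))
```

On XP the live file is %SystemRoot%\system32\drivers\etc\hosts. Read that file with this script, and also confirm that HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath still points at that directory, because malware can point the resolver at a second copy so the visible file looks clean. A clean hosts file does not clear the machine: a BHO such as the yns8e.dll entry in the HijackThis log above, or changed DNS server settings, produces the same "server not found" symptom.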
Title: Re: Virus\Malware Problem
Post by: evilfantasy on February 21, 2010, 04:10:55 PM
Download the NVT Malware Remover Tool (http://www.novirusthanks.org/dl.php?get=NVT_Malware_Remover_Tool_English.zip) to your desktop.
 
* Unzip the file and then run the installer.
* Once installed click on the Update tab and check for updates.
* Next click the Scan tab and then click the Scan button to begin the scan.
* If any threats are found, select the Remove button and then click Apply.
* Next select the button next to Copy in DETECTED folder then click Apply
* Next at the top of the scanner window click Menu then select Open DETECTED folder
* Post that log back here.
* Restart the computer.
Title: Re: Virus\Malware Problem
Post by: tackler on February 21, 2010, 08:36:26 PM
Here is the log that came back

Code:
NoVirusThanks Malware Remover 2.4.0.0
DB version: 196 (07.02.2010)
http://www.novirusthanks.org
Report created on 2/21/2010 at 7:26:34 PM
Microsoft Windows XP 5.1 Service Pack 2 32-bit OS

Scan type: Quick Scan
Time elapsed: 00:19:51
Objects scanned: 21849
Threats detected: 2

Files Infected:

C:\WINDOWS\Temp\_ex-08.exe -> No action taken
C:\WINDOWS\Temp\_ex-68.exe -> No action taken

Folders Infected:


End.

I know there is more in there. Maybe I need to get a version of ComboFix; is there anywhere you could put it in a folder and upload it?


I ran another program called RemoveIT Pro V4 - SE, and it told me that I have a
Code:
Win32.Unknown.Random.X
Sys32.1194322800

There's more as well, but they are all Sys32.X, X being random numbers like the first one. I'm not sure if this is any help, but it's what I've been able to come up with.

Thanks
Title: Re: Virus\Malware Problem
Post by: evilfantasy on February 21, 2010, 08:46:58 PM
Quote: "No action taken"

Did you let those be fixed?


Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.

* Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
* Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
* When the window appears, underneath Output at the top change it to Minimal Output.
* Check the boxes beside LOP Check and Purity Check.
* Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy and paste the contents of these files, one at a time, into your next reply.

Note: You may need two or more posts to fit them all in.
Title: Re: Virus\Malware Problem
Post by: tackler on February 21, 2010, 08:56:10 PM
I let those two things get taken care of.
When I clicked on the link to go to OTL I got another Server Not Found.
(http://i49.tinypic.com/8z42f7.png)
*Side note: This doesn't happen regularly, and only with certain websites.

However, I was able to get you a pretty much full log report of some of the stuff happening on my computer.

Code:
RemoveIT Pro v7 - SE (Build date: 25.6.2009) full information log file.
Generated at: 2/21/2010 on 7:45:38 PM
Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)
Author: Damjan Irgolic
http://www.incodesolutions.com
[email protected]


You have some viruses in your computer.
Please Scan your computer with RemoveIT Pro to remove discovered viruses.
Virus list:
Infected with Sys32.1194322800 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\1194322800.exe
Infected with Sys32.1434602420 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\1434602420.exe
Infected with Sys32.158686840 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\158686840.exe
Infected with Sys32.1949126510 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\1949126510.exe
Infected with Sys32.225736298 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\225736298.exe
Infected with Sys32.2308537926 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2308537926.exe
Infected with Sys32.2407992742 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2407992742.exe
Infected with Sys32.2538690376 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2538690376.exe
Infected with Sys32.2646026966 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2646026966.exe
Infected with Sys32.2664493634 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2664493634.exe
Infected with Sys32.2701815552 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2701815552.exe
Infected with Sys32.2720634474 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2720634474.exe
Infected with Sys32.2897654786 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\2897654786.exe
Infected with Sys32.3042749252 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3042749252.exe
Infected with Sys32.3081335842 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3081335842.exe
Infected with Sys32.3090823340 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3090823340.exe
Infected with Sys32.3142124428 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3142124428.exe
Infected with Sys32.3375361794 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3375361794.exe
Infected with Sys32.3548130850 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3548130850.exe
Infected with Sys32.3576110384 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3576110384.exe
Infected with Sys32.3729369912 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3729369912.exe
Infected with Sys32.3751284930 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3751284930.exe
Infected with Sys32.3976175968 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\3976175968.exe
Infected with Sys32.4067901878 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\4067901878.exe
Infected with Sys32.4191888010 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\4191888010.exe
Infected with Sys32.4205536296 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\4205536296.exe
Infected with Sys32.4283058304 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\4283058304.exe
Infected with Sys32.682687032 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\682687032.exe
Infected with Sys32.700499532 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\700499532.exe
Infected with Sys32.733246950 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\733246950.exe
Infected with Sys32.751303072 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\751303072.exe
Infected with Sys32.828545174 - File C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\828545174.exe
Infected with Sys32._voidkrl32mainweq - File C:\documents and settings\all users\application data\_voidkrl32mainweq.dll
Infected with Sys32._voidmainqt - File C:\documents and settings\all users\application data\_voidmainqt.dll

Running processes: (23)
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE
C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE
C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE
C:\DOCUME~1\ALLUSE~1\APPLIC~1\15515522\15515522.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\msinits.exe
C:\Program Files\InCode Solutions\RemoveIT Pro v4 - SE\removeit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe

Startup files:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TOY5KNQ8OC
[C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
[C:\WINDOWS\system32\ctfmon.exe]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb
[C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\winamp.exe]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Remote System Protection
[rundll32.exe C:\WINDOWS\system32\yns8e.dll, HUI_proc]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig
[C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
["C:\Program Files\Common Files\Java\Java Update\jusched.exe"]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\QuickTime Task
["C:\Program Files\QuickTime\qttask.exe" -atboottime]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\15515522
[C:\DOCUME~1\ALLUSE~1\APPLIC~1\15515522\15515522.exe]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON
[C:\WINDOWS\Temp\_ex-08.exe]

Detail report: (82)
Clsid C:\Program Files\uTorrent\uTorrent.exe /UNINSTALL[d41d8cd98f00b204e9800998ecf8427e][0]
Clsid C:\WINDOWS\system32\ati2evxx.dll[17c3eb51d17d90eb10b60d9804d8884d][155648]
Clsid C:\WINDOWS\system32\crypt32.dll[efc958396a7a7ef7e6d4a52b97512e18][597504]
Clsid C:\WINDOWS\system32\cryptnet.dll[cad4aa32e7eca00c23cc39c0eb833f9d][63488]
Clsid C:\WINDOWS\system32\cscdll.dll[587729679b4fe04ce06a5c61d6c56dcd][101888]
Clsid C:\WINDOWS\system32\lmiinit.dll[959ff3a8c74e51676ccdc740657464cc][87352]
Clsid C:\WINDOWS\system32\sclgntfy.dll[d636fa41e50671160d838ea2dace3330][20992]
Clsid c:\windows\system32\stobject.dll[297101a925ecffdcdf7f6341ffbb6c1a][121856]
Clsid c:\windows\system32\webcheck.dll[cc8915db4e33e8fb29ca0d2dbf75306e][236544]
Clsid C:\WINDOWS\system32\wlnotify.dll[a599e5e366c1408e48aa5d37882d4e3e][92672]
Clsid c:\windows\system32\wpdshserviceobj.dll[045e228f71c31901084b64be59093499][133632]
Clsid c:\windows\system32\yns8e.dll[3f12906ae4b6a15bf9b118151c95b2ca][20000]
Proc C:\DOCUME~1\ALLUSE~1\APPLIC~1\15515522\15515522.exe[11846d3e6cf8ce96e2d9035f377f6959][1036800]
Proc C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\Hjr.exe[f4f0fcfe3eb5aee58b413051759c5aad][150528]
Proc C:\DOCUME~1\HP_OWN~1.000\LOCALS~1\Temp\msinits.exe[359cfd2ea9a17b9300683c0dcfb3c756][20000]
Proc C:\PROGRA~1\MI1933~1\OFFICE11\OUTLOOK.EXE[4063f7194c37217a66db6799046a2774][196424]
Proc C:\Program Files\InCode Solutions\RemoveIT Pro v4 - SE\removeit.exe[df716209199ba7c72dab2364f747dd98][557568]
Proc C:\Program Files\Internet Explorer\IEXPLORE.EXE[b60dddd2d63ce41cb8c487fcfbb6419e][638816]
Proc C:\Program Files\Java\jre6\bin\jqs.exe[77ac10db097dfd0cd3071465b644d0ab][153376]
Proc C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe[35f177825e8680bfa0f1432116603fce][26120]
Proc C:\Program Files\Microsoft Windows OneCare Live\winss.exe[65040b6a858b07a87ed8afca7b7345df][1134920]
Proc C:\Program Files\Mozilla Firefox\firefox.exe[9a1d58a8d5da06ee6592673cf695db95][910296]
Proc C:\WINDOWS\explorer.exe[a0732187050030ae399b241436565e64][1032192]
Proc C:\WINDOWS\system32\ctfmon.exe[24232996a38c0b0cf151c2140ae29fc8][15360]
Proc C:\WINDOWS\system32\lsass.exe[84885f9b82f4d55c6146ebf6065d75d2][13312]
Proc C:\WINDOWS\system32\services.exe[37561f8d4160d62da86d24ae41fae8de][110592]
Proc C:\WINDOWS\system32\spoolsv.exe[7435b108b935e42ea92ca94f59c8e717][57856]
Proc C:\WINDOWS\system32\svchost.exe[8f078ae4ed187aaabc0a305146de6716][14336]
RegRun c:\docume~1\alluse~1\applic~1\15515522\15515522.exe[11846d3e6cf8ce96e2d9035f377f6959][1036800]
RegRun c:\docume~1\hp_own~1.000\locals~1\temp\hjr.exe[f4f0fcfe3eb5aee58b413051759c5aad][150528]
RegRun c:\program files\common files\java\java update\jusched.exe[e0d6538b62c79fcbf0b27f95faf3208b][246504]
RegRun c:\program files\quicktime\qttask.exe [55d7a219ad8d0db8980528944152a6fd][417792]
RegRun c:\windows\pchealth\helpctr\binaries\msconfig.exe [4fd22142f54692463a7b98b7de175573][158208]
RegRun c:\windows\system32\ctfmon.exe[24232996a38c0b0cf151c2140ae29fc8][15360]
RegRun c:\windows\system32\yns8e.dll[3f12906ae4b6a15bf9b118151c95b2ca][20000]
Service c:\program files\bonjour\mdnsresponder.exe[3f56903e124e820aeece6d471583c6c1][238888]
Service c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe[4b5ae15e5c73eb4dc8dbec2788230d41][144672]
Service c:\program files\common files\installshield\driver\1050\intel 32\idrivert.exe[6f95324909b502e2651442c1548ab12f][73728]
Service c:\program files\common files\microsoft shared\vs7debug\mdm.exe[11f714f85530a2bd134074dc30e99fca][322120]
Service c:\program files\ipod\bin\ipodservice.exe[1e6f080d5edb4c3b4c4eb787a0848dcc][545576]
Service c:\program files\java\jre6\bin\jqs.exe [77ac10db097dfd0cd3071465b644d0ab][153376]
Service c:\program files\lavasoft\ad-aware\aawservice.exe[db25bc5b0998e7b522c04a1e6a3303af][1229232]
Service c:\program files\logmein\x86\logmein.exe[9015122d04c195bdab88febcbae229db][63040]
Service c:\program files\logmein\x86\ramaint.exe[500f1e4461075d602ce77109a9a3d634][116032]
Service c:\program files\microsoft windows onecare live\ochealthmon.exe[35f177825e8680bfa0f1432116603fce][26120]
Service c:\program files\microsoft windows onecare live\winss.exe[65040b6a858b07a87ed8afca7b7345df][1134920]
Service c:\program files\nos\bin\getplus_helpersvc.exe[25867e27fc02e99c2a34b8a7dd6f20d4][66056]
Service c:\program files\windows media player\wmpnetwk.exe[f74e3d9a7fa9556c3bbb14d4e5e63d3b][913408]
Service c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe[0e5e4957549056e2bf2c49f4f6b601ad][34312]
Service c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe[d87acaed61e417bba546ced5e7e36d9c][69632]
Service c:\windows\microsoft.net\framework\v3.0\windows communication foundation\infocard.exe[c01ac32dc5c03076cfb852cb5da5229c][881664]
Service c:\windows\microsoft.net\framework\v3.0\windows communication foundation\smsvchost.exe[d34612c5d02d026535b3095d620626ae][132096]
Service c:\windows\microsoft.net\framework\v3.0\wpf\presentationfontcache.exe[8ba7c024070f2b7fdd98ed8a4ba41789][46104]
Service c:\windows\system32\alg.exe[f1958fbf86d5c004cf19a5951a9514b7][44544]
Service c:\windows\system32\ati2evxx.exe[42e4e2cf0406394bbce7eb358ae4e208][602112]
Service c:\windows\system32\ati2sgag.exe[460741befbfc91c88934620bc546d172][593920]
Service c:\windows\system32\cisvc.exe[3192bd04d032a9c4a85a3278c268a13a][5632]
Service c:\windows\system32\clipsrv.exe[c8dec22c4137d7a90f8bdf41ca4b82ae][33280]
Service c:\windows\system32\dllhost.exe [dd87db7387b9eb441c5674888a0d840c][5120]
Service c:\windows\system32\dmadmin.exe [554c7cb178fe3bd12450b81ad63adbc3][224768]
Service c:\windows\system32\fxssvc.exe[fcbd571fa0ee8dc238944ae5fab74461][267776]
Service c:\windows\system32\hpzipm12.exe[9d84376931440f3679beef2a414fa493][69632]
Service c:\windows\system32\imapi.exe[fa788520bcac0f5d9d5cde5615c0d931][150016]
Service c:\windows\system32\locator.exe[793f04a09b15e7c6c11dbdffaf06c0ab][75264]
Service c:\windows\system32\lsass.exe[84885f9b82f4d55c6146ebf6065d75d2][13312]
Service c:\windows\system32\mnmsrvc.exe[f6415361201915b9fe3896b0e4e724ff][32768]
Service c:\windows\system32\msdtc.exe[c7c3d89eb0a6f3dba622ea737fa335b1][6144]
Service c:\windows\system32\msiexec.exe [f5f0146580e7023adb963879840777f8][78848]
Service c:\windows\system32\netdde.exe[05afb5ad06462257bea7495283c86d50][111104]
Service c:\windows\system32\rsvp.exe[471b3f9741d762abe75e9deea4787e47][132608]
Service c:\windows\system32\scardsvr.exe[25d8de134df108e3dbc8d7d23b1aa58e][95744]
Service c:\windows\system32\services.exe[37561f8d4160d62da86d24ae41fae8de][110592]
Service c:\windows\system32\sessmgr.exe[729798e0933076b8fcfcd9934698f164][140800]
Service c:\windows\system32\smlogsvc.exe[8b54aa346d1b1b113ffaa75501b8b1b2][89600]
Service c:\windows\system32\spoolsv.exe[7435b108b935e42ea92ca94f59c8e717][57856]
Service c:\windows\system32\svchost.exe [8f078ae4ed187aaabc0a305146de6716][14336]
Service c:\windows\system32\ups.exe[3f5df65b0758675f95a2d43918a740a3][18432]
Service c:\windows\system32\vssvc.exe[3ee00364ae0fd8d604f46cbaf512838a][289792]
Service c:\windows\system32\wbem\wmiapsrv.exe[ba8cecc3e813e1f7c441b20393d4f86c][126464]
Startup c:\documents and settings\all users\start menu\programs\startup\desktop.ini[d6a6856702e3f0953e7246a9b4a9fe35][84]
Startup c:\documents and settings\hp_owner.your-f78bf48ce2.000\start menu\programs\startup\desktop.ini[d6a6856702e3f0953e7246a9b4a9fe35][84]
System.ini c:\windows\system32\svchost.exe [8f078ae4ed187aaabc0a305146de6716][14336]

Startup folder: (2)
Startup name: desktop.ini
Command: C:\Documents and Settings\HP_Owner.YOUR-F78BF48CE2.000\Start Menu\Programs\Startup\desktop.ini
Startup name: desktop.ini
Command: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Win.ini Startup: (1)
Path: No additional driver found!

Win.ini Startup: (1)
Path: No additional driver found!

Keyboard drivers: (1)
Name: No Keyboard Filter driver found!

Services: (101)
Service Name: .NET Runtime Optimization Service v2.0.50727_X86 [Stopped],
Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
Service Name: Alerter [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Service Name: Apple Mobile Device [Stopped],
Path: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
Service Name: Application Layer Gateway Service [Running],
Path: C:\WINDOWS\System32\alg.exe
Service Name: Application Management [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: ASP.NET State Service [Stopped],
Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
Service Name: Ati HotKey Poller [Stopped],
Path: C:\WINDOWS\system32\Ati2evxx.exe
Service Name: ATI Smart [Stopped],
Path: C:\WINDOWS\system32\ati2sgag.exe
Service Name: Automatic Updates [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Background Intelligent Transfer Service [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Bonjour Service [Stopped],
Path: "C:\Program Files\Bonjour\mDNSResponder.exe"
Service Name: ClipBook [Stopped],
Path: C:\WINDOWS\system32\clipsrv.exe
Service Name: COM+ Event System [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: COM+ System Application [Stopped],
Path: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Service Name: Computer Browser [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Cryptographic Services [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: DCOM Server Process Launcher [Running],
Path: C:\WINDOWS\system32\svchost -k DcomLaunch
Service Name: DHCP Client [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Distributed Link Tracking Client [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Distributed Transaction Coordinator [Stopped],
Path: C:\WINDOWS\system32\msdtc.exe
Service Name: DNS Client [Running],
Path: C:\WINDOWS\system32\svchost.exe -k NetworkService
Service Name: Error Reporting Service [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Event Log [Running],
Path: C:\WINDOWS\system32\services.exe
Service Name: Fast User Switching Compatibility [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Fax [Stopped],
Path: C:\WINDOWS\system32\fxssvc.exe
Service Name: getPlus(R) Helper [Stopped],
Path: C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
Service Name: Help and Support [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: HID Input Service [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: HTTP SSL [Stopped],
Path: C:\WINDOWS\System32\svchost.exe -k HTTPFilter
Service Name: IMAPI CD-Burning COM Service [Stopped],
Path: C:\WINDOWS\system32\imapi.exe
Service Name: Indexing Service [Stopped],
Path: C:\WINDOWS\system32\cisvc.exe
Service Name: InstallDriver Table Manager [Stopped],
Path: "C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"
Service Name: iPod Service [Stopped],
Path: "C:\Program Files\iPod\bin\iPodService.exe"
Service Name: IPSEC Services [Running],
Path: C:\WINDOWS\system32\lsass.exe
Service Name: Java Quick Starter [Running],
Path: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"
Service Name: Lavasoft Ad-Aware Service [Stopped],
Path: "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"
Service Name: Logical Disk Manager [Stopped],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Logical Disk Manager Administrative Service [Stopped],
Path: C:\WINDOWS\System32\dmadmin.exe /com
Service Name: LogMeIn [Stopped],
Path: "C:\Program Files\LogMeIn\x86\LogMeIn.exe"
Service Name: LogMeIn Maintenance Service [Stopped],
Path: "C:\Program Files\LogMeIn\x86\RaMaint.exe"
Service Name: Machine Debug Manager [Stopped],
Path: "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
Service Name: Messenger [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: MS Software Shadow Copy Provider [Stopped],
Path: C:\WINDOWS\system32\dllhost.exe /Processid:{20434C82-24BE-4DD7-A39B-AE61CD09B496}
Service Name: Net Logon [Stopped],
Path: C:\WINDOWS\system32\lsass.exe
Service Name: Net.Tcp Port Sharing Service [Stopped],
Path: "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
Service Name: NetMeeting Remote Desktop Sharing [Stopped],
Path: C:\WINDOWS\system32\mnmsrvc.exe
Service Name: Network Connections [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Network DDE [Stopped],
Path: C:\WINDOWS\system32\netdde.exe
Service Name: Network DDE DSDM [Stopped],
Path: C:\WINDOWS\system32\netdde.exe
Service Name: Network Location Awareness (NLA) [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Network Provisioning Service [Stopped],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: NT LM Security Support Provider [Stopped],
Path: C:\WINDOWS\system32\lsass.exe
Service Name: Office Source Engine [Stopped],
Path: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
Service Name: Performance Logs and Alerts [Stopped],
Path: C:\WINDOWS\system32\smlogsvc.exe
Service Name: Plug and Play [Running],
Path: C:\WINDOWS\system32\services.exe
Service Name: Pml Driver HPZ12 [Stopped],
Path: C:\WINDOWS\system32\HPZipm12.exe
Service Name: Portable Media Serial Number Service [Stopped],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Print Spooler [Running],
Path: C:\WINDOWS\system32\spoolsv.exe
Service Name: Protected Storage [Running],
Path: C:\WINDOWS\system32\lsass.exe
Service Name: QoS RSVP [Stopped],
Path: C:\WINDOWS\system32\rsvp.exe
Service Name: Remote Access Auto Connection Manager [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Remote Access Connection Manager [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Remote Desktop Help Session Manager [Stopped],
Path: C:\WINDOWS\system32\sessmgr.exe
Service Name: Remote Procedure Call (RPC) [Running],
Path: C:\WINDOWS\system32\svchost -k rpcss
Service Name: Remote Procedure Call (RPC) Locator [Stopped],
Path: C:\WINDOWS\system32\locator.exe
Service Name: Removable Storage [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Routing and Remote Access [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Secondary Logon [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Security Accounts Manager [Running],
Path: C:\WINDOWS\system32\lsass.exe
Service Name: Security Center [Stopped],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Server [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Shell Hardware Detection [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Smart Card [Stopped],
Path: C:\WINDOWS\System32\SCardSvr.exe
Service Name: SSDP Discovery Service [Running],
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Service Name: SSHNAS [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: System Event Notification [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: System Restore Service [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Task Scheduler [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: TCP/IP NetBIOS Helper [Running],
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Service Name: Telephony [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Terminal Services [Running],
Path: C:\WINDOWS\System32\svchost -k DComLaunch
Service Name: Themes [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Uninterruptible Power Supply [Stopped],
Path: C:\WINDOWS\System32\ups.exe
Service Name: Universal Plug and Play Device Host [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Service Name: Volume Shadow Copy [Stopped],
Path: C:\WINDOWS\System32\vssvc.exe
Service Name: WebClient [Running],
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Service Name: Windows Audio [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Windows CardSpace [Stopped],
Path: "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
Service Name: Windows Driver Foundation - User-mode Driver Framework [Stopped],
Path: C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
Service Name: Windows Firewall/Internet Connection Sharing (ICS) [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Windows Image Acquisition (WIA) [Running],
Path: C:\WINDOWS\system32\svchost.exe -k imgsvc
Service Name: Windows Installer [Stopped],
Path: C:\WINDOWS\system32\msiexec.exe /V
Service Name: Windows Live OneCare Health Monitor [Running],
Path: "C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe"
Service Name: Windows Live OneCare Restore Tool [Running],
Path: C:\Program Files\Microsoft Windows OneCare Live\winss.exe
Service Name: Windows Management Instrumentation [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Service Name: Windows Media Player Network Sharing Service [Stopped],
Path: "C:\Program Files\Windows Media Player\WMPNetwk.exe"
Service Name: Windows Presentation Foundation Font Cache 3.0.0.0 [Stopped],
Path: c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
Service Name: Windows Time [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: Wireless Zero Configuration [Running],
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Service Name: WMI Performance Adapter [Stopped],
Path: C:\WINDOWS\system32\wbem\wmiapsrv.exe
Service Name: Workstation [Running],
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Finished...
Title: Re: Virus\Malware Problem
Post by: evilfantasy on February 21, 2010, 09:00:14 PM
Check your PM inbox.
Title: Re: Virus\Malware Problem
Post by: tackler on February 22, 2010, 12:26:45 AM
Thanks for the help, Evil Fantasy, but I had to resort to doing a System Recovery.

The computer when it was restarted had become infected with a new virus that was even newer and nastier. This time it didn't allow me to open ANYTHING and my desktop was completely blank.

Luckily I was able to install everything.

Thanks for all your help, cya around.