
Author Topic: a little virus help please  (Read 3644 times)


dazbuzz

    a little virus help please
    « on: August 18, 2008, 08:29:40 PM »
    I've never had serious viruses before, so I'm not sure what to do. Anyway, I currently have Ad-Aware 2008, AVG Free and BullGuard on my computer, and yes, I have run them all twice, but I can't seem to remove the virus.

    http://i181.photobucket.com/albums/x109/dazbuzz/desktop2.jpg
    http://i181.photobucket.com/albums/x109/dazbuzz/desktop3.jpg

    Ever since I've had this virus, I've been unable to change my background from this. I've deleted about...4 different viruses with the software, yet after restarting my computer, I still cannot change my background.

    Any help on what I should do next would be greatly appreciated, thanks.

    CBMatt

    • Mod & Malware Specialist


    • Prodigy

    • Sad and lonely...and loving every minute of it.
    • Thanked: 167
      • Yes
    • Experience: Experienced
    • OS: Windows 7
    Re: a little virus help please
    « Reply #1 on: August 18, 2008, 08:42:08 PM »
    This is a fairly common type of infection and although it is annoying and intrusive, it usually isn't very harmful.  Follow the instructions in this thread and post back with the three requested logs...
    http://www.computerhope.com/forum/index.php/topic,46313.0.html
    Quote
    An undefined problem has an infinite number of solutions.
    —Robert A. Humphrey

    dazbuzz

      Topic Starter


      Starter

      Re: a little virus help please
      « Reply #2 on: August 19, 2008, 09:47:14 AM »
      EDIT: I have the other scan log now, but I scanned while in Safe Mode; I don't know if that matters.

      Well, I'm only able to post two of the required logs at the moment. I left my computer scanning last night and when I checked this morning, my computer was turned off and I couldn't load Windows normally (I'm in Safe Mode right now), which I guess is bad.

      I was able to get the HijackThis and Malwarebytes' Anti-Malware logs:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 04:23:18, on 19/08/2008
      Platform: Windows Vista SP1 (WinNT 6.00.1905)
      MSIE: Internet Explorer v7.00 (7.00.6001.18000)
      Boot mode: Normal

      Running processes:
      C:\Windows\system32\Dwm.exe
      C:\Windows\Explorer.EXE
      C:\Windows\system32\taskeng.exe
      C:\Program Files\Windows Defender\MSASCui.exe
      C:\Program Files\Cyberlink\Shared files\brs.exe
      C:\Program Files\HomeCinema\PlayMovie\PMVService.exe
      C:\Windows\RtHDVCpl.exe
      C:\Windows\System32\rundll32.exe
      C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
      C:\Program Files\AVG\AVG8\avgtray.exe
      C:\Windows\System32\mobsync.exe
      C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe
      C:\Program Files\DNA\btdna.exe
      C:\Windows\ehome\ehtray.exe
      C:\Program Files\DAEMON Tools Lite\daemon.exe
      C:\Windows\ehome\ehmsas.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Windows\system32\wuauclt.exe
      C:\Program Files\Combined Community Codec Pack\MPC\mplayerc.exe
      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
      C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com/
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com/
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O1 - Hosts: ::1 localhost
      O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
      O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
      O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
      O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\HomeCinema\PlayMovie\PMVService.exe"
      O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
      O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\GoogleEULA\EULALauncher.exe
      O4 - HKLM\..\Run: [BTHelena_McciTrayApp] C:\Program Files\BBDesktopHelpUpgradeAdvisor\McciTrayApp.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
      O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
      O4 - HKLM\..\Run: [lphcjv8j0eg11] C:\Windows\system32\lphcjv8j0eg11.exe
      O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe"
      O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
      O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
      O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
      O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
      O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
      O13 - Gopher Prefix:
      O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
      O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
      O20 - AppInit_DLLs: avgrsstx.dll
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
      O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
      O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
      O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
      O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: Function Discovery Provider Host fdPHostEMDMgmt (fdPHostEMDMgmt) - Unknown owner - C:\Windows\system32\advapi32p.exe (file missing)
      O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
      O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
      O23 - Service: Netlogon NetlogonIKEEXT (NetlogonIKEEXT) - Unknown owner - C:\Windows\system32\apdsl.exe (file missing)
      O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
      O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
      O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
      O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe

      --
      End of file - 7846 bytes

      Malwarebytes' Anti-Malware 1.25
      Database version: 1069
      Windows 6.0.6001 Service Pack 1

      04:28:46 19/08/2008
      mbam-log-08-19-2008 (04-28-46).txt

      Scan type: Quick Scan
      Objects scanned: 41657
      Time elapsed: 5 minute(s), 19 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 1
      Registry Values Infected: 5
      Registry Data Items Infected: 2
      Folders Infected: 0
      Files Infected: 2

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcjv8j0eg11 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\Windows\System32\blphcjv8j0eg11.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\Windows\System32\phcjv8j0eg11.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.


      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 08/19/2008 at 05:00 PM

      Application Version : 4.15.1000

      Core Rules Database Version : 3540
      Trace Rules Database Version: 1529

      Scan type       : Quick Scan
      Total Scan Time : 00:12:30

      Memory items scanned      : 257
      Memory threats detected   : 0
      Registry items scanned    : 444
      Registry threats detected : 0
      File items scanned        : 15625
      File threats detected     : 0

      « Last Edit: August 19, 2008, 10:26:50 AM by dazbuzz »

      CBMatt

      • Mod & Malware Specialist


      • Prodigy

      • Sad and lonely...and loving every minute of it.
      • Thanked: 167
        • Yes
      • Experience: Experienced
      • OS: Windows 7
      Re: a little virus help please
      « Reply #3 on: August 19, 2008, 03:53:13 PM »
      Your HJT log was created before your MBAM, so a couple of those entries might not be there any longer.  Can you please post a new HJT log?  We normally avoid scanning in Safe Mode, but it may help give some insight into the problem.

      I see no reason for you to not be able to get into Normal Mode.  What happens if you try?  Do you get any errors or does it just restart?  Are you still having this problem?

      If so, try entering Safe Mode With Networking.  Are you able to get an internet connection?  You may need to use this at some point.

      dazbuzz

        Topic Starter


        Starter

        Re: a little virus help please
        « Reply #4 on: August 19, 2008, 05:20:14 PM »
        Well, one scan was taking a while, so I left it to run all night; when I woke up my computer was turned off. After the computer loaded to the desktop it kept freezing, but after a System Restore my computer seemed to work fine. When I posted the log in Safe Mode, my computer was using Safe Mode with Networking. When my computer finished with System Restore, I ran a Malwarebytes' Anti-Malware scan, deleted the viruses and then restarted my computer again.

        Since using all the anti-virus programs my computer seems to be fine; the background is back to my normal one too.

        Here is a new HijackThis log; I'll also post the Malwarebytes' log from the scan I ran after using System Restore:


        Malwarebytes' Anti-Malware 1.25
        Database version: 1071
        Windows 6.0.6001 Service Pack 1

        18:14:33 19/08/2008
        mbam-log-08-19-2008 (18-14-33).txt

        Scan type: Quick Scan
        Objects scanned: 41401
        Time elapsed: 5 minute(s), 35 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 1
        Registry Values Infected: 5
        Registry Data Items Infected: 2
        Folders Infected: 0
        Files Infected: 2

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

        Registry Values Infected:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcjv8j0eg11 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

        Registry Data Items Infected:
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

        Folders Infected:
        (No malicious items detected)

        Files Infected:
        C:\Windows\System32\blphcjv8j0eg11.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
        C:\Windows\System32\phcjv8j0eg11.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 00:08:49, on 20/08/2008
        Platform: Windows Vista SP1 (WinNT 6.00.1905)
        MSIE: Internet Explorer v7.00 (7.00.6001.18000)
        Boot mode: Normal

        Running processes:
        C:\Windows\system32\Dwm.exe
        C:\Windows\Explorer.EXE
        C:\Windows\system32\taskeng.exe
        C:\Program Files\Windows Defender\MSASCui.exe
        C:\Program Files\Cyberlink\Shared files\brs.exe
        C:\Program Files\HomeCinema\PlayMovie\PMVService.exe
        C:\Windows\RtHDVCpl.exe
        C:\Windows\System32\rundll32.exe
        C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
        C:\Program Files\AVG\AVG8\avgtray.exe
        C:\Program Files\DNA\btdna.exe
        C:\Windows\ehome\ehtray.exe
        C:\Program Files\DAEMON Tools Lite\daemon.exe
        C:\Windows\ehome\ehmsas.exe
        C:\Program Files\Combined Community Codec Pack\MPC\mplayerc.exe
        C:\Windows\system32\wuauclt.exe
        C:\Program Files\Mozilla Firefox\firefox.exe
        C:\Program Files\MSN Messenger\msnmsgr.exe
        C:\Windows\system32\SearchFilterHost.exe
        C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com/
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com/
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
        O1 - Hosts: ::1 localhost
        O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
        O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
        O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
        O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
        O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
        O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
        O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\HomeCinema\PlayMovie\PMVService.exe"
        O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
        O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
        O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\GoogleEULA\EULALauncher.exe
        O4 - HKLM\..\Run: [BTHelena_McciTrayApp] C:\Program Files\BBDesktopHelpUpgradeAdvisor\McciTrayApp.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
        O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
        O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe"
        O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
        O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
        O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
        O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
        O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
        O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
        O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
        O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
        O13 - Gopher Prefix:
        O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
        O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
        O20 - AppInit_DLLs: avgrsstx.dll
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
        O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
        O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
        O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
        O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
        O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
        O23 - Service: Function Discovery Provider Host fdPHostEMDMgmt (fdPHostEMDMgmt) - Unknown owner - C:\Windows\system32\advapi32p.exe (file missing)
        O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
        O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
        O23 - Service: Netlogon NetlogonIKEEXT (NetlogonIKEEXT) - Unknown owner - C:\Windows\system32\apdsl.exe (file missing)
        O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
        O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
        O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
        O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe

        --
        End of file - 7655 bytes

        CBMatt

        • Mod & Malware Specialist


        • Prodigy

        • Sad and lonely...and loving every minute of it.
        • Thanked: 167
          • Yes
        • Experience: Experienced
        • OS: Windows 7
        Re: a little virus help please
        « Reply #5 on: August 19, 2008, 05:55:23 PM »
        Okay, great.  I can see that MBAM removed the desktop hijacker.  Your HJT log looks fine, but I would suggest removing these entries...

        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

        O1 - Hosts: ::1 localhost

        O23 - Service: Function Discovery Provider Host fdPHostEMDMgmt (fdPHostEMDMgmt) - Unknown owner - C:\Windows\system32\advapi32p.exe (file missing)
        O23 - Service: Netlogon NetlogonIKEEXT (NetlogonIKEEXT) - Unknown owner - C:\Windows\system32\apdsl.exe (file missing)


        Next, you should clear out your restore points...
        Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files.  This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
        1. Turn off System Restore.
        On the Desktop, right-click My Computer.
        Click Properties.
        Click the System Restore tab.
        Check Turn off System Restore.
        Click Apply, and then click OK.

        2. Restart your computer.

        3. Turn ON System Restore.
        On the Desktop, right-click My Computer.
        Click Properties.
        Click the System Restore tab.
        UN-Check Turn off System Restore.
        Click Apply, and then click OK.

        System Restore will now be active again.

        If you start to experience any other problems, just let us know.
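As an added example (not part of CBMatt's post, and not code from HijackThis or Malwarebytes), a read-only PowerShell audit for the three kinds of artefact the logs in this thread reported: the NoDisp* policies that hide the Display Properties tabs, wallpaper/screensaver values pointing directly into System32, and services whose binary is missing on disk. The function names are my own; run it in an elevated session so the service query sees every service.

```powershell
# Added example, not from the thread: a read-only audit for the artefacts the MBAM and
# HJT logs above reported. It only reports; it changes nothing in the registry or on disk.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Service command lines come quoted ("C:\Program Files\X\x.exe" -boot), unquoted with
    # switches (C:\Windows\system32\svchost.exe -k netsvcs), or with a \??\ device prefix.
    # Return just the executable so it can be checked with Test-Path.
    $p = $PathName -replace '^\\\?\?\\', ''
    if ($p -match '^\s*"([^"]+)"') { return $Matches[1] }
    $candidate = ($p -split '\s+[-/]')[0].Trim()
    return [Environment]::ExpandEnvironmentVariables($candidate)
}

function Get-DesktopHijackFindings {
    $findings = @()

    # 1. Policies that hide the Display Properties tabs (MBAM: Hijack.DisplayProperties).
    #    A value of 1 is what the log showed as "Bad: (1) Good: (0)".
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($name in 'NoDispBackgroundPage', 'NoDispScrSavPage') {
        if ($policy -and $policy.$name -eq 1) {
            $findings += "Policy ${name}=1 under $policyKey (Display Properties tab hidden)"
        }
    }

    # 2. Wallpaper and screensaver values (MBAM: Hijack.Wallpaper). The hijacker in the log
    #    pointed them at files it dropped into System32 (blphcjv8j0eg11.scr, phcjv8j0eg11.bmp).
    #    A legitimate wallpaper normally lives under the user profile or C:\Windows\Web, so a
    #    file sitting directly in System32 deserves a look.
    $desktopKey = 'HKCU:\Control Panel\Desktop'
    $desktop = Get-ItemProperty -Path $desktopKey -ErrorAction SilentlyContinue
    foreach ($name in 'Wallpaper', 'OriginalWallpaper', 'ConvertedWallpaper', 'SCRNSAVE.EXE') {
        $value = if ($desktop) { $desktop.$name } else { $null }
        if ($value) {
            $value = [Environment]::ExpandEnvironmentVariables($value)
            if ($value -match '\\System32\\[^\\]+$') {
                $findings += "$desktopKey\$name points directly into System32: $value"
            }
        }
    }

    # 3. Services whose binary is not on disk (HJT: 'O23 ... (file missing)'). The two in
    #    the log borrowed Windows-sounding names (Netlogon..., Function Discovery...), so
    #    match on the missing file rather than on the display name.
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceBinaryPath -PathName $svc.PathName
        if ($exe -and -not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $findings += "Service '$($svc.Name)' ($($svc.DisplayName)) -> $exe (file missing)"
        }
    }

    return $findings
}

$results = @(Get-DesktopHijackFindings)
if ($results.Count -eq 0) {
    Write-Output 'No desktop-hijack policy, System32 wallpaper or orphaned service found.'
} else {
    $results | ForEach-Object { Write-Output "FINDING: $_" }
}
```

An orphaned service entry is only a lead, not proof of infection: an uninstaller that left its registration behind produces the same finding, so confirm against the vendor and the file's history before removing it.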

        dazbuzz

          Topic Starter


          Starter

          Re: a little virus help please
          « Reply #6 on: August 19, 2008, 06:37:42 PM »
          OK, I have removed those files and turned off/on System Restore.


          thank you very much for your help.

          CBMatt

          • Mod & Malware Specialist


          • Prodigy

          • Sad and lonely...and loving every minute of it.
          • Thanked: 167
            • Yes
          • Experience: Experienced
          • OS: Windows 7
          Re: a little virus help please
          « Reply #7 on: August 19, 2008, 08:53:00 PM »
          You're very welcome.