Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Need help removing virus.

Status
Not open for further replies.

eightoheight

Technical User
May 15, 2011
1
US
I have a really bad virus on my computer. It won't let me browse the internet with FireFox and every time I open anything a new process, kit.exe, starts. I'm able to end it but it eventually comes back in multiples if I do.

I read a few forums but can't find anything that actually helps me (mostly because I can't understand what's being said - I'm not a "techie"), so I was wondering if anyone here could help me out.

I ran a few scans and below are the logs. The virus wouldn't let me run ComboFix. I could download it but the .exe file got changed to a different name in the process and when they told me to change the name back (a message popped up) the virus started 12 new processes and shut my system down. It did the same thing with Malwarebytes' Anti-Malware. As for Kaspersky, it scanned for about two hours, was at 75% then fell down to 12% and got stuck there for another 2 hours so I couldn't do a scan on there.



NoMD5:


NoMD5Sys by jpshortstuff (29.10.09.1)
Log created at 23:26 on 28/03/2011 (Compaq_Owner)


-=E.O.F=-

C:\WINDOWS\system32\en-us...
C:\WINDOWS\system32\export...
C:\WINDOWS\system32\FxsTmp...
C:\WINDOWS\system32\icsxml...
C:\WINDOWS\system32\IME...
C:\WINDOWS\system32\IME\CINTLGNT...
C:\WINDOWS\system32\IME\PINTLGNT...
C:\WINDOWS\system32\IME\TINTLGNT...
C:\WINDOWS\system32\inetsrv...
C:\WINDOWS\system32\Macromed...
C:\WINDOWS\system32\Macromed\Director...
C:\WINDOWS\system32\Macromed\Flash...
C:\WINDOWS\system32\Macromed\Shockwave 10...
C:\WINDOWS\system32\Macromed\Shockwave 10\Xtras...
C:\WINDOWS\system32\Microsoft...
C:\WINDOWS\system32\Microsoft\Protect...
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18...
C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User...
C:\WINDOWS\system32\MpEngineStore...
C:\WINDOWS\system32\MpEngineStore\History...
C:\WINDOWS\system32\MpEngineStore\History\Reboot...
C:\WINDOWS\system32\MpEngineStore\RebootActions...
C:\WINDOWS\system32\MsDtc...
C:\WINDOWS\system32\MsDtc\Trace...
C:\WINDOWS\system32\mui...
C:\WINDOWS\system32\mui\0009...
C:\WINDOWS\system32\mui\0409...
C:\WINDOWS\system32\mui\041b...
C:\WINDOWS\system32\mui\0424...
C:\WINDOWS\system32\mui\dispspec...
C:\WINDOWS\system32\oobe...
C:\WINDOWS\system32\pcintro...
C:\WINDOWS\system32\pcintro\elements...
C:\WINDOWS\system32\pcintro\elements\photos...
C:\WINDOWS\system32\pcintro\elements\ro_icons...
C:\WINDOWS\system32\pcintro\elements\timeline...
C:\WINDOWS\system32\pcintro\elements\timeline\3...
C:\WINDOWS\system32\pcintro\elements\timeline\4...
C:\WINDOWS\system32\pcintro\elements\timeline\5...
C:\WINDOWS\system32\pcintro\elements\timeline\6...
C:\WINDOWS\system32\pcintro\elements\titleblocks...
C:\WINDOWS\system32\pcintro\elements\wait...
C:\WINDOWS\system32\PreInstall...
C:\WINDOWS\system32\PreInstall\WinSE...
C:\WINDOWS\system32\PreInstall\WinSE\wxp_x86_0409_v1...
C:\WINDOWS\system32\QuickTime...
C:\WINDOWS\system32\ReinstallBackups...
C:\WINDOWS\system32\ReinstallBackups\0000...
C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles...
C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386...
C:\WINDOWS\system32\ReinstallBackups\0001...
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles...
C:\WINDOWS\system32\ReinstallBackups\0002...
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles...
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386...
C:\WINDOWS\system32\ReinstallBackups\0003...
C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles...
C:\WINDOWS\system32\ReinstallBackups\0004...
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles...
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386...
C:\WINDOWS\system32\Restore...
C:\WINDOWS\system32\scripting...
C:\WINDOWS\system32\Setup...
C:\WINDOWS\system32\SoftwareDistribution...
C:\WINDOWS\system32\SoftwareDistribution\Setup...
C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup...
C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll...
C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.
226...
C:\WINDOWS\system32\spool...
C:\WINDOWS\system32\spool\drivers...
C:\WINDOWS\system32\spool\drivers\color...
C:\WINDOWS\system32\spool\drivers\w32x86...
C:\WINDOWS\system32\spool\drivers\w32x86\3...
C:\WINDOWS\system32\spool\drivers\w32x86\hpphotosmart_c4400_se709...
C:\WINDOWS\system32\spool\PRINTERS...
C:\WINDOWS\system32\spool\prtprocs...
C:\WINDOWS\system32\spool\prtprocs\w32x86...
C:\WINDOWS\system32\spool\prtprocs\x64...
C:\WINDOWS\system32\spool\XPSEP...
C:\WINDOWS\system32\spool\XPSEP\amd64...
C:\WINDOWS\system32\spool\XPSEP\amd64\amd64...
C:\WINDOWS\system32\spool\XPSEP\i386...
C:\WINDOWS\system32\spool\XPSEP\i386\i386...
C:\WINDOWS\system32\URTTemp...
C:\WINDOWS\system32\usmt...
C:\WINDOWS\system32\wbem...
C:\WINDOWS\system32\wbem\AutoRecover...
C:\WINDOWS\system32\wbem\Logs...
C:\WINDOWS\system32\wbem\mof...
C:\WINDOWS\system32\wbem\mof\bad...
C:\WINDOWS\system32\wbem\mof\good...
C:\WINDOWS\system32\wbem\Performance...
C:\WINDOWS\system32\wbem\Repository...
C:\WINDOWS\system32\wbem\Repository\FS...
C:\WINDOWS\system32\wbem\snmp...
C:\WINDOWS\system32\wbem\xml...
C:\WINDOWS\system32\XPSViewer...
C:\WINDOWS\system32\XPSViewer\en-US...
C:\WINDOWS\Tasks...
C:\WINDOWS\Temp...
C:\WINDOWS\twain_32...
C:\WINDOWS\twain_32\913D Camera...
C:\WINDOWS\twain_32\hpsj_0000...
C:\WINDOWS\twain_32\JL2005D...
C:\WINDOWS\twain_32\MyDSC...
C:\WINDOWS\twain_32\MyDSC\Skin...
C:\WINDOWS\twain_32\MyDSC\Temp...
C:\WINDOWS\twain_32\QuickCam...
C:\WINDOWS\VerizonOnline...
C:\WINDOWS\VerizonOnline\SfpSrvrLogs...
C:\WINDOWS\WBEM...
C:\WINDOWS\Web...
C:\WINDOWS\Web\printers...
C:\WINDOWS\Web\printers\images...
C:\WINDOWS\Web\Wallpaper...
C:\WINDOWS\Web\Wallpaper\welcome...
C:\WINDOWS\WinSxS...
C:\WINDOWS\WinSxS\amd64_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_
673f7fa2...
C:\WINDOWS\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_
069f922e...
C:\WINDOWS\WinSxS\amd64_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-
ww_22d6ba8a...
C:\WINDOWS\WinSxS\InstallTemp...
C:\WINDOWS\WinSxS\Manifests...
C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0(2).0_x-ww_6e57c34e...

C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e...
C:\WINDOWS\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww
_97359ba5...
C:\WINDOWS\WinSxS\Policies...
C:\WINDOWS\WinSxS\Policies\amd64_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_
x-ww_fe3d5721...
C:\WINDOWS\WinSxS\Policies\amd64_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_
x-ww_16f3e195...
C:\WINDOWS\WinSxS\Policies\amd64_policy.9.0.Microsoft.VC90.OpenMP_1fc8b3b9a1e18e
3b_x-ww_ca951597...
C:\WINDOWS\WinSxS\Policies\x86_policy.1.0.Microsoft.Windows.GdiPlus_6595b64144cc
f1df_x-ww_4e8510ac...
C:\WINDOWS\WinSxS\Policies\x86_policy.4.1.Microsoft.MSXML2R_6bd6b9abf345378f_x-w
w_679a1c95...
C:\WINDOWS\WinSxS\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-w
w_88e8eab8...
C:\WINDOWS\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_659
5b64144ccf1df_x-ww_a0111510...
C:\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_65
95b64144ccf1df_x-ww_362e60dd...
C:\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_65
95b64144ccf1df_x-ww_c7b7206f...
C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Tools.VisualCPlusPlus.Runtim
e-Libraries_6595b64144ccf1df_x-ww_527a1c68...
C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595
b64144ccf1df_x-ww_5ddad775...
C:\WINDOWS\WinSxS\Policies\x86_policy.7.0.Microsoft.Windows.CPlusPlusRuntime_659
5b64144ccf1df_x-ww_a317e4b3...
C:\WINDOWS\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_x-
ww_5f0bbcff...
C:\WINDOWS\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_x-
ww_77c24773...
C:\WINDOWS\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b
_x-ww_caeee150...
C:\WINDOWS\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_x-
ww_0f75c32e...
C:\WINDOWS\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b
_x-ww_7d81c9f9...
C:\WINDOWS\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-
ww_9e7eb501...
C:\WINDOWS\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_x-
ww_b7353f75...
C:\WINDOWS\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b
_x-ww_b8438ace...
C:\WINDOWS\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_x-
ww_4ee8bb30...
C:\WINDOWS\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b
_x-ww_6ad67377...
C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a..
.
C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb..
.
C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.1.0.0_x-ww_b319d8da...

C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5
d...
C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9876.0_x-ww_a621d1d
5...
C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b641
44ccf1df_6.0.0.0_x-ww_ff9986d7...
C:\WINDOWS\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b641
44ccf1df_6.0.9792.0_x-ww_08a6620a...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_47
3666fd...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_78
37863c...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb
27474...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_6e85
597b...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b8
0fa8ca...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6
967989...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_17
9798c8...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b1
28700...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de5
6c07...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww
_0ccc058c...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww
_3dcd24cb...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_
91481303...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_3
41af80a...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b7
7cec8e...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_e8
7e0bcd...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf
8fa05...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_decb
df0c...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww
_189d6662...
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_
6c18549a...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_312cf
0e9...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_35
3599c2...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_65
b7a93a...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0
375...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d4
95ac4e...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_05
17bbc6...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11
f3ea3a...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww
_15fc9313...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww
_467ea28b...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a1737
67a...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a5
7c1f53...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5
fe2ecb...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ec
c42bd1...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww
_f0ccd4aa...
C:\WINDOWS\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww
_214ee422...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0
_x-ww_1382d70a...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.260
0.2180_x-ww_a84f1ff9...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.260
0.2982_x-ww_ac3f9c03...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.260
0.5512_x-ww_35d4ce83...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.260
0.6028_x-ww_61e65202...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.
0_x-ww_2726e76a...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.26
00.2180_x-ww_b2505ed9...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.26
00.5512_x-ww_3fd60d63...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d
353f13...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x
-ww_522f9f82...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x
-ww_dfb54e0c...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_
x-ww_f0b4c2df...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22509_
x-ww_c7dad023...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_5.2.2
.3_x-ww_468466a7...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcDll_6595b64144ccf1df_5.2.2
.3_x-ww_d6bd8b95...
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Networking.RtcRes_6595b64144ccf1df_5.2.2
.3_en_16a24bc0...
C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0(2).0_x-ww
_7d5f3790...
C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d
5f3790...
C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0(2).0_x-ww
_29b51492...
C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_4.0.0.0_x-ww_29
b51492...

Done!





HijackThis:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:47:51 PM, on 3/28/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:18810
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DivX Download Manager] "C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe" start
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Easy Dock] C:\Documents and Settings\Compaq_Owner.YOUR-27E1513D96.000\My Documents\RCA easyRip\EZDock.exe
O4 - HKCU\..\Run: [quosbhhm] C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\kftsxsyut\tifbdvtsika.exe
O4 - HKCU\..\Run: [kchktphm] C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\jphgxmyue\kfpsqgssika.exe
O4 - HKCU\..\Run: [tliimboh] C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\kimckdjsp\vnnjwnfsika.exe
O4 - HKCU\..\Run: [ylmglgmc] C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\kejmdvbvt\tpmubtgsika.exe
O4 - HKUS\S-1-5-18\..\Run: [CE8SIIFGSU] C:\WINDOWS\TEMP\Ske.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CE8SIIFGSU] C:\WINDOWS\TEMP\Ske.exe (User 'Default user')
O8 - Extra context menu item: Download all by RedTube Grabber - C:\Program Files\RedTubeGrabber\downall.htm
O8 - Extra context menu item: Download by YouTube Robot - C:\Program Files\RedTubeGrabber\downlink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - O20 - Winlogon Notify: TPSvc - TPSvc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--
End of file - 8085 bytes
 
Are you running your scanners in safe mode?

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
O4 - HKCU\..\Run: [quosbhhm] C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\kftsxsyut\tifbdvtsika.exe
O4 - HKCU\..\Run: [kchktphm] C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\jphgxmyue\kfpsqgssika.exe
O4 - HKCU\..\Run: [tliimboh] C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\kimckdjsp\vnnjwnfsika.exe
O4 - HKCU\..\Run: [ylmglgmc] C:\DOCUME~1\COMPAQ~1.000\LOCALS~1\Temp\kejmdvbvt\tpmubtgsika.exe
O4 - HKUS\S-1-5-18\..\Run: [CE8SIIFGSU] C:\WINDOWS\TEMP\Ske.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CE8SIIFGSU] C:\WINDOWS\TEMP\Ske.exe (User 'Default user')

these are the culprits...

but that will do you no good, they will most likely get respawned once you kill them...

suggestion:

either slave the laptop drive to a clean running PC and do a malware scan from said PC, or create/use a bootable CD/DVD with malware-scanners (e.g. a BartPE with portable versions of ClamAV/McAffee/Norton/Avira/AVG, etc. and MBAM - or a live Linux CD such as Kaspersky/Avira/Dr.Web) and scan the drive...

here are a few links:

Avira AntiVir Rescue System

Kaspersky Rescue Disk 10

Dr.Web® LiveCD

Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD

also suggested would be to use GMER, see link below for download details and USAGE detail, there are several videos on how to use it there as well...

GMER Rootkit Detector and Remover

once scanned with GMER and baddies removed, install Malwarebytes AntiMalware (MBAM) again and do a quick scan first, removing what it finds, and then a FULL scan also removing what it finds...


Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
BBB- The OP said he wasn't that technical. So, a simpler, one shot approach for someone with less skills is to run ComboFix.


0. Download combofix to desktop (use another PC if you have to)
1. Remove any antivirus you have (important to do this)
2. Use CCleaner registry cleaner to clean up the registry. Save before each fix and keep fixing until no more errors.
3. Reboot into safe mode with networking (you need internet access)
4. Run combofix (it will install Microsoft recovery console or you could do that ahead of time and not need safe mode with networking)
5. Reboot after it's done and see what happens.
 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:18810" < this is redirecting your Internet access.

If you can boot to Safe Mode with networking, remove the proxy server in IE > Tools > Internet options > Connections > LAN settings and you may regain 'net access with IE so you can retry downloading and installing Combofix.
 
Goom, I was aware of that, that is one of the reasons why I am pointing him towards a LiveCD... and if he/she can not make heads and tails of both our suggestions, then it would be my suggestion to take the laptop to a professional and have them take care of it...

satrow, thanks for catching that, I just skimmed over the HJT log, and those I listed jumped right at me, so I did not continue discerning the log...



Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
It would be nice if EVERY poster explained their level of expertise. Then we could tailor our response between "take it to a shop" and "steps 14 - 35, blah blah, blah".

Also, lots of people just don't have the patience to follow instruction no matter how good.

The other issue is: does the poster have another computer on which they can create a bootable CD or slave a hard drive. If you've got one PC and it's infected, that wouldn't be an option. You have to rescue it in situ.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top