1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

BS 2.0 Virus

Discussion in 'Virus & Other Malware Removal' started by Hanno, Feb 16, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. Hanno

    Hanno Thread Starter

    Joined:
    Dec 7, 2003
    Messages:
    31
    Actually i dont know how to call the topic.. But I know that i have some malware/spyware or whatever on my computer. I got the virus from the internet.. right after it was installed, there appeared a red cross (like on the error sign) in the right bottom corner where all the signs are.. there a speachbubble-window appears every minute that says
    "your computer has detected spyware infection! windows has detected spyware, it is recommended to use a special antsipyware program. windows will now download and install the most up-to-date antispyware program" and so on..
    at the same time the desktop changed to a black screen, there is written: "Your computer is in danger, widows security has detected spyware, adware"
    and a program called BS 2.0 Security center started ( i think its the programm that is mentioned in the speech bubble) and it starts to look for spyware. It finds a virus called "Security 2k Adware".. but i dont know if this means anything because its possible that the BS 2.0 Security center is also a spyware... when the scan is finished there appears a window "BS evaluation Version warning!" in headline.. and the rest of the text: "This version of BS is for evaluation purpose only. The removal feature is disabled. you may scan your PC to locate malware threats. to be able to remove threads found, you should purchase a license". then there are possibilities to do so by clicking a button.. which leads to an internet address: "http://www.bravesentry.com/buy.php?advid=278" thats how i managed to get internet working to post in this thread.. because everything else i tried made the PC crash.. i instantly tried to run adaware.. but after ~10 mins it crashed, and my pc was rebooted.. since then the pc rebooted all the time.. and after about 3 times rebooting and a blue screen with some error messages "you have to uninstall the last hardware or software installed" etc. the computer was back to windows.. and now every time i try to do something to get the pc working again it crashes.. I also cant start the computer in safe mode.. I cant choose this option anymore... the keyboard seems to be disabled when i have to move with the arrow keys and press enter or sth.. i can only get to the bios but i have no idea if this can help me. So i think i cant run any programs without crashing my pc.. there are some data on this pc which i cant afford to lose, and i have to get to them until next week.. i hope someone can help me. i dont know what else i could do.
    BTW: when i press control alt delete to get to the taskmanager it says "taskmanager was deaktivated by the administrator".. i also cant close the BS 2.0 central without crashing the computer
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Click here to download HJTsetup.exe:

    http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item5
    Scroll down to the download section

    Save HJTsetup.exe to your desktop.

    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. Hanno

    Hanno Thread Starter

    Joined:
    Dec 7, 2003
    Messages:
    31
    ok thanks, i allready had hijackthis installed, but until now the PC crashed every time i tried to open any program.. but actually it worked now :)

    so here is the log:

    Logfile of HijackThis v1.99.1
    Scan saved at 22:50:14, on 16.02.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Programme\Java\jre1.5.0_10\bin\jusched.exe
    C:\Programme\iTunes\iTunesHelper.exe
    C:\Programme\QuickTime\qttask.exe
    C:\Programme\DAEMON Tools\daemon.exe
    C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
    C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
    C:\WINDOWS\system32\kernels88.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Windows\xpupdate.exe
    C:\Program Files\BraveSentry\BraveSentry.exe
    C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Programme\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\iPod\bin\iPodService.exe
    C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Programme\Gemeinsame Dateien\{A5F2A951-09E5-1031-1128-02103102002b}\Update.exe
    C:\Programme\Opera\Opera.exe
    C:\Programme\Internet Explorer\iedw.exe
    C:\Programme\Internet Explorer\IEXPLORE.EXE
    C:\Dokumente und Einstellungen\Gudrun Amberger\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Programme\Need2Find\bar\1.bin\ND2FNBAR.DLL
    O2 - BHO: InstaFinder_K - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\Programme\INSTAFINK\instafink.dll
    O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Programme\RXToolBar\sfcont.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
    O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\GEMEIN~1\{35F2A~1\Bar888.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Programme\RXToolBar\RXToolBar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
    O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\GEMEIN~1\{35F2A~1\Bar888.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
    O4 - HKLM\..\Run: [LanguageShortcut] C:\Programme\CyberLink\PowerDVD\Language\Language.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels88.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
    O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: hp psc 1000 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: &Search - http://kp.bar.need2find.com/KP/menusearch.html?p=KP
    O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\msnetax.dll
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .pdf: C:\Programme\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126186008968
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Programme\RXToolBar\sfcont.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winsys2freg - C:\Dokumente und Einstellungen\All Users.WINDOWS\Dokumente\Settings\winsys2f.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: CDRecorder031 - {A3BC5E20-0235-1ABF-9CE1-00AA00512031} - C:\WINDOWS\system32\tpkdbd32.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000271 (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared files\RichVideo.exe
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.

    =====================
    Download Superantispyware (SAS)

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.
     
  5. Hanno

    Hanno Thread Starter

    Joined:
    Dec 7, 2003
    Messages:
    31
    sorry i didnt read all of your post yet.. i will do so when u helped me again. i cant start in safe mode... i allready tried to get to savemode by pressing f8, but then it asks me what to do and i cant use the arrow keys to get to "safe mode" plus i cant press enter key.. so i can just wait untill the countdown finishes and it starts windows in the usual mode..
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Try in normal mode
     
  7. Hanno

    Hanno Thread Starter

    Joined:
    Dec 7, 2003
    Messages:
    31
    thanks for your help. it didnt work with the program Smitfraud.. but i managed to get to safe mode by "msconfig". in safemode i could restore my system and now it is working again. Thank you very much for your help
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    This thread is solved. I am closing it now if you need it reopened pm me or any other moderator.

    Anyone with a similar problem Please start a new thread!

    If you don't know how to start a new thread click here: http://www.techguy.org/welcome.html and look at #4.
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/544649

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice