Im infected by "PSW.x-Vir trojan" HELP ME!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

e_miller12

Thread Starter
Joined
Jan 16, 2007
Messages
2
Im infected by "PSW.x-Vir trojan" HELP ME!
I get a balloon in my taskbar and i get lots of random popups. It also said my Coputer speed and internet speed was reduced by somthin % (I cant remember how much % it said!)

Here is my HiJack this log file:

Logfile of HijackThis v1.99.1
Scan saved at 12:52:56 PM, on 17/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\brss01a.exe
F:\Program Files\Key Generator\isamonitor.exe
F:\Program Files\Key Generator\pmsngr.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Microsoft Hardware\Mouse\point32.exe
F:\Program Files\Microsoft Hardware\Keyboard\type32.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\D-Tools\daemon.exe
F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\WINDOWS\SOUNDMAN.EXE
F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
F:\Program Files\Key Generator\pmmon.exe
F:\Program Files\Key Generator\isamini.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\PROGRA~1\NETSUP~1\client32.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
F:\Program Files\NetSupport Manager\Gateway32.exe
F:\Program Files\CyberLink\Shared files\RichVideo.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Brother\Brmfcmon\brmfcwnd.exe
F:\Program Files\Brother\Brmfcmon\BrMfimon.exe
F:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - F:\Program Files\Key Generator\isaddon.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - F:\Program Files\Key Generator\iesplugin.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "F:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "F:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Mess Iso Defy Active] F:\Documents and Settings\All Users\Application Data\boobthirdmessiso\software knob.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] F:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Soft Mfcd] F:\DOCUME~1\ELLIOT~1\APPLIC~1\4BONE~1\FOURCLOSE.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [STYLEXP] F:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Status Monitor.lnk = F:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{29F14630-317D-4264-AC4A-3ED9BBC157F3}: NameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EDF3D2C-EC73-4DA2-A394-9CEC06013D7B}: NameServer = 192.168.1.254
O17 - HKLM\System\CS2\Services\Tcpip\..\{29F14630-317D-4264-AC4A-3ED9BBC157F3}: NameServer = 192.168.1.254
O17 - HKLM\System\CS3\Services\Tcpip\..\{29F14630-317D-4264-AC4A-3ED9BBC157F3}: NameServer = 192.168.1.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - F:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: f:\windows\system32\winspool.dll
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - F:\WINDOWS\system32\gwquvw.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - F:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client32 - NetSupport Ltd - F:\PROGRA~1\NETSUP~1\client32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Gateway32 (PCIGateway) - NetSupport Ltd - F:\Program Files\NetSupport Manager\Gateway32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - F:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
_____________________________________________________________

Please help ASAP!

Thanks!
 

Cheeseball81

Retired Moderator
Joined
Mar 3, 2004
Messages
84,315
Hi and welcome :)

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
 

e_miller12

Thread Starter
Joined
Jan 16, 2007
Messages
2
Thanks for your Reply.
Here is my SmitfraudFix results:

SmitFraudFix v2.70

Scan done at 11:36:12.21, Thu 18/01/2007
Run from C:\Downloads\Viral Stuff\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» F:\


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» F:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» F:\Documents and Settings\Elliott Miller\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» F:\DOCUME~1\ELLIOT~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» F:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"

[HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="F:\WINDOWS\system32\gwquvw.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="F:\WINDOWS\system32\gwquvw.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,550
Cheeseball81 is not available to continue this with you so I will be assisting.

That is a very old version of SmitFraudFix and it's updated often. The newer version will detect this so please remove the one you have and redownload the latest version and run option 1 again and then post the log.
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top