1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Maleware-Help!

Discussion in 'Virus & Other Malware Removal' started by Siuprof, Oct 8, 2008.

Thread Status:
Not open for further replies.
  1. Siuprof

    Siuprof Thread Starter

    Joined:
    Oct 8, 2008
    Messages:
    3
    Here are the symptoms:

    • Desktop displays a red screen with a bio hazard symbol and says that "your privacy is in dager
    • Directs me to down load removal software for a fee
    • cannot access Tech Guys web site
    • computer runs slow
    • I cannot run windows in safe mode
    Here is my Hijackthis log, thanks for any help that you can provide.Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:24: VIRUS ALERT!, on 08.10.2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\ATK0100\HControl.exe
    C:\Program Files\Wireless Console 2\wcourier.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
    C:\PROGRA~1\HDTUNE~1\HDTune.exe
    C:\Program Files\Trident Software\Pragma\pragma.exe
    C:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\drivers\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Boss\LOCALS~1\Temp\Rar$EX02.390\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://codecs.r8.org/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
    O3 - Toolbar: fqbewlna - {C5822EDE-ACAD-4FC2-BA40-079C03BB77E8} - C:\WINDOWS\fqbewlna.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
    O4 - HKLM\..\Run: [Ярлык для страницы свойств High Definition Audio] HDAShCut.exe
    O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ACMON] C:\Program Files\ASUS\Splendid\ACMON.exe
    O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [HD Tune] C:\PROGRA~1\HDTUNE~1\HDTune.exe
    O4 - HKLM\..\Run: [Pragma5] C:\Program Files\Trident Software\Pragma\pragma.exe
    O4 - HKLM\..\Run: [Lingvo Launcher] "C:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe" /STARTUP
    O4 - HKLM\..\Run: [LingvoTraining] "C:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Tutor.exe" /ND /NW /AS
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide2] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,L,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Translate with Lingvo - res://C:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lingvo.exe/3000
    O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{62D53522-FDFC-481D-AEEC-23C894053C99}: NameServer = 194.44.214.32,194.44.214.37
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
    O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
    O23 - Service: PsViatau (PTsup5) - Trident Software - C:\Program Files\Trident Software\Pragma\ptsup5.exe
    O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
    O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
    O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
    O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe
    O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

    --
    End of file - 7091 bytes

    Here is the Smitfraudfix log
    SmitFraudFix v2.356

    Scan done at 14:44:46,56, 08.10.2008
    Run from C:\Documents and Settings\Boss\? ?(R)??(c) ??(R)«\SmitfraudFix
    OS: Microsoft Windows XP [?????? 5.1.2600] - Windows_NT
    The filesystem type is
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\ATK0100\HControl.exe
    C:\Program Files\Wireless Console 2\wcourier.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
    C:\PROGRA~1\HDTUNE~1\HDTune.exe
    C:\Program Files\Trident Software\Pragma\pragma.exe
    C:\Program Files\ABBYY Lingvo 10 Multilingual Dictionary\Lvagent.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\WINDOWS\system32\drivers\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\WINDOWS\ATK0100\ATKOSD.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Boss\??????? ????\SmitfraudFix\Policies.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    C:\WINDOWS\mgxfebsq.dll FOUND !
    C:\WINDOWS\mqgldfvo.exe FOUND !
    C:\WINDOWS\privacy_danger FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\tdssservers.dat detected, use a Rootkit scanner
    C:\WINDOWS\system32\tdssadw.dll detected, use a Rootkit scanner
    C:\WINDOWS\system32\tdssinit.dll detected, use a Rootkit scanner
    C:\WINDOWS\system32\tdssl.dll detected, use a Rootkit scanner
    C:\WINDOWS\system32\tdsslog.dll detected, use a Rootkit scanner
    C:\WINDOWS\system32\tdssmain.dll detected, use a Rootkit scanner
    C:\WINDOWS\system32\drivers\tdssserv.sys detected, use a Rootkit scanner
    C:\WINDOWS\system32\drivers\svchost.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Boss


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Boss\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Boss\91BD~1

    C:\DOCUME~1\Boss\91BD~1\Error Cleaner.url FOUND !
    C:\DOCUME~1\Boss\91BD~1\Privacy Protector.url FOUND !
    C:\DOCUME~1\Boss\91BD~1\Spyware?Malware Protection.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop

    C:\DOCUME~1\Boss\0016~1\Error Cleaner.url FOUND !
    C:\DOCUME~1\Boss\0016~1\Privacy Protector.url FOUND !
    C:\DOCUME~1\Boss\0016~1\Spyware?Malware Protection.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\PCHealthCenter\ FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="file:///C:\\WINDOWS\\privacy_danger\\index.htm"
    "SubscribedURL"=""
    "FriendlyName"="Privacy Protection"

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
    "Source"="about:Home"
    "SubscribedURL"="about:Home"
    "FriendlyName"="?(R)? ????? ? ¤(R)¬ ?*?? ??? *?? "

    »»»»»»»»»»»»»»»»»»»»»»»» o4Patch
    !!!Attention, following keys are not inevitably infected!!!

    o4Patch
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri
    +--------------------------------------------------+
    [!] Suspicious: vmgspntbgbw.dll
    BHO: QXK Olive - {1530CA4C-149B-4801-8DD4-5CD093B45D63}
    TypeLib: {A144B380-EBBB-42BA-B34A-45722E31948E}
    Interface: {02D99F20-DED5-4B1E-8824-453988CD87A2}
    Interface: {920918D3-E78A-466C-91F3-0CA5B1340823}

    [!] Suspicious: fqbewlna.dll
    Toolbar: fqbewlna - {C5822EDE-ACAD-4FC2-BA40-079C03BB77E8}
    TypeLib: {F355EB66-AA5C-45EB-8D3E-985F816D9A4A}
    Interface: {A21EA590-9F50-4200-99E9-F10973716AC0}
    Classe: fqbewlna.bxml
    Classe: fqbewlna.ToolBar.1


    »»»»»»»»»»»»»»»»»»»»»»»» 404Fix
    !!!Attention, following keys are not inevitably infected!!!

    404Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
    !!!Attention, following keys are not inevitably infected!!!

    AntiXPVSTFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» RK



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -
    ???????? ???????????? ???????
    DNS Server Search Order: 194.44.214.32
    DNS Server Search Order: 194.44.214.37

    Description: Atheros AR5006EG Wireless Network Adapter - ????????
    ???????????? ???????
    DNS Server Search Order: 68.87.72.130
    DNS Server Search Order: 68.87.77.130
    DNS Server Search Order: 68.87.66.196

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{62D53522-FDFC-481D-AEEC-23C894053C99}:
    NameServer=194.44.214.32,194.44.214.37
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{7AAB4EDA-B04A-450E-B188-631355792D7D}:
    DhcpNameServer=68.87.72.130 68.87.77.130 68.87.66.196
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{62D53522-FDFC-481D-AEEC-23C894053C99}:
    NameServer=194.44.214.32,194.44.214.37
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{7AAB4EDA-B04A-450E-B188-631355792D7D}:
    DhcpNameServer=68.87.72.130 68.87.77.130 68.87.66.196
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{62D53522-FDFC-481D-AEEC-23C894053C99}:
    NameServer=194.44.214.32,194.44.214.37
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{7AAB4EDA-B04A-450E-B188-631355792D7D}:
    DhcpNameServer=68.87.72.130 68.87.77.130 68.87.66.196
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130
    68.87.77.130 68.87.66.196
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.72.130
    68.87.77.130 68.87.66.196


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  2. Siuprof

    Siuprof Thread Starter

    Joined:
    Oct 8, 2008
    Messages:
    3
    Sorry to bump this post, but I posted it 5 days ago and have not received a response yet. Could some one please advise. Thanks
     
  3. Siuprof

    Siuprof Thread Starter

    Joined:
    Oct 8, 2008
    Messages:
    3
    Sorry to bump this again, but for some reason the response to my question disapeared. Can you respond again>
    Thanks
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/757332

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice