"Virus Alert!" in Task Bar + fake warnings

Discussion in 'Virus & Other Malware Removal' started by neilalderson, Sep 27, 2008.

  1. neilalderson (Thread Starter) - Joined: Sep 27, 2008 - Messages: 2

    Hi guys,

    I stupidly fell into a trap of downloading what looked like a Flash update but was in fact a package of a whole heap of nasties! The first noticeable symptom is "Virus Alert!" appearing in the Task Bar by the Date/Time. This phrase seems to pop up alongside ANY System DateTime being displayed. Also I think my desktop has been hijacked, as it changes colour and turns white. A load of restrictions have been put on any account I log into: I can't run Task Manager or open Explorer, and many Start menu items have been removed. On top of this there are a load of fake Windows alerts popping up telling me I need to download antivirus software, which then link to some dodgy website. I ran AdAware but it didn't help, and ran my McAfee On-Demand scan, which also hasn't found much (just a few trojan files which were deleted but reappear on reboot).

    I have attached my HijackThis log, if someone could show me which items can be fixed and address any of the other issues I'd be eternally grateful!

    Thanks,
    Neil

  2. neilalderson (Thread Starter) - Joined: Sep 27, 2008 - Messages: 2

    Not sure if my attachment worked, so I'm pasting the log in plain view for easier access.

    Cheers,
    Neil

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 00:13: VIRUS ALERT!, on 28/09/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Fortinet\FortiClient\scheduler.exe
    C:\Program Files\Fortinet\FortiClient\FCDBLog.exe
    C:\Program Files\Fortinet\FortiClient\fortifw.exe
    C:\Program Files\Fortinet\FortiClient\FCMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BMC Software\AppSight\Bin\RI_svc.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
    C:\Program Files\OmniBack\bin\OmniInet.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
    c:\program files\timbuktu pro\tb2launch.exe
    C:\Program Files\Asset Services Management\ASMAgent.exe
    C:\WINDOWS\system32\mqsvc.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE
    C:\Program Files\Actaris\Vantage Schedule Processor\Actaris.Vantage.ScheduleProcessor.exe
    C:\WINDOWS\system32\mqtgsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    c:\program files\timbuktu pro\tb2pro.exe
    C:\Program Files\Fortinet\FortiClient\FortiTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\DellTPad\Apoint.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\KADxMain.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\program files\timbuktu pro\tb2logon.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    c:\program files\timbuktu pro\TNOTIFY.EXE
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\DOCUME~1\ALDERS~1\LOCALS~1\Temp\UIUCU.EXE
    C:\WINDOWS\system32\lphc50oj0erfe.exe
    C:\Windows\system32\YURB1.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com
    O1 - Hosts: 172.23.81.75 fxtwiki.felixstowe.actaris.com fxtwiki
    O1 - Hosts: 172.23.80.139 fxebdcrms # for Vantage share
    O1 - Hosts: 172.23.49.8 teamtrack.dtc.actaris.com # team track
    O1 - Hosts: 172.23.80.138 www.felixstowe.actaris.com www # intranet
    O1 - Hosts: 172.23.81.4 fx003 # Appsight License Server
    O1 - Hosts: 172.23.80.248 fx1427s # Appsight Server
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: QXK Olive - {129D532E-E2EC-4527-B4BA-4626830EFE18} - C:\WINDOWS\dfmlxbpkbkl.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: peltodgx - {BAB8F6DC-41B1-440F-A066-AAC224906880} - C:\WINDOWS\peltodgx.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [CCDoctorLogonTesting] "C:\Program Files\Rational\ClearCase\bin\ccdoctor.exe" /LogonStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
    O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\ALDERS~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
    O4 - HKLM\..\Run: [lphc50oj0erfe] C:\WINDOWS\system32\lphc50oj0erfe.exe
    O4 - HKLM\..\Run: [\YURD5.exe] C:\Windows\system32\YURD5.exe
    O4 - HKLM\..\Run: [\YURD6.exe] C:\Windows\system32\YURD6.exe
    O4 - HKLM\..\Run: [\YURD7.exe] C:\Windows\system32\YURD7.exe
    O4 - HKLM\..\Run: [\YURD8.exe] C:\Windows\system32\YURD8.exe
    O4 - HKLM\..\Run: [\YUR72.exe] C:\Windows\system32\YUR72.exe
    O4 - HKLM\..\Run: [\YUR73.exe] C:\Windows\system32\YUR73.exe
    O4 - HKLM\..\Run: [\YUR76.exe] C:\Windows\system32\YUR76.exe
    O4 - HKLM\..\Run: [\YURB0.exe] C:\Windows\system32\YURB0.exe
    O4 - HKLM\..\Run: [\YURB1.exe] C:\Windows\system32\YURB1.exe
    O4 - HKLM\..\Run: [\YURB3.exe] C:\Windows\system32\YURB3.exe
    O4 - HKLM\..\Run: [\YURB4.exe] C:\Windows\system32\YURB4.exe
    O4 - HKLM\..\Run: [\YURCA.exe] C:\Windows\system32\YURCA.exe
    O4 - HKLM\..\Run: [\YURCD.exe] C:\Windows\system32\YURCD.exe
    O4 - HKLM\..\Run: [\YURB5.exe] C:\Windows\system32\YURB5.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [\YURCA.exe] C:\Windows\system32\YURCA.exe
    O4 - HKCU\..\Run: [\YURCD.exe] C:\Windows\system32\YURCD.exe
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [\YURB1.exe] C:\Windows\system32\YURB1.exe
    O4 - HKCU\..\Run: [\YURB5.exe] C:\Windows\system32\YURB5.exe
    O4 - HKLM\..\Policies\Explorer\Run: [mC85vZsMwb] C:\DOCUME~1\ALDERS~1\LOCALS~1\Temp\windfr.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth Manager.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0533AC04-11E3-48CA-A167-40D782C6BD1C} (FileTransferControl Class) - http://pdm.dtc.actaris.com/Advitium/ActiveX/FileTransfer2.cab
    O16 - DPF: {493EBD8D-8D67-4A2D-8CF9-B8FC992DCFF6} (ProcessViewer Class) - http://pdm.dtc.actaris.com/Advitium/ActiveX/ProcessViewer.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://pdm.dtc.actaris.com/Advitium/ActiveX/msxml4.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O21 - SSODL: rwlfsdmk - {E8ACF29E-CF02-4B6C-83B3-136B1F15A7CE} - C:\WINDOWS\rwlfsdmk.dll
    O21 - SSODL: onfwbsak - {15E4D4B5-A7D1-4541-9220-FC5EAFC15054} - C:\WINDOWS\onfwbsak.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Atria Location Broker (Albd) - Unknown owner - C:\Program Files\Rational\ClearCase\bin\albd_server.exe
    O23 - Service: AppSight Install Service (AppSightInstallService) - Identify Software Ltd. - C:\Program Files\BMC Software\AppSight\Bin\RI_svc.exe
    O23 - Service: AppSight Server (ApsSrvService) - Identify Software Ltd. - C:\Program Files\BMC Software\AppSight\Bin\ApsSrv.exe
    O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: ASMAgent - ASAP Software, Inc. - C:\Program Files\Asset Services Management\ASMAgent.exe
    O23 - Service: Atria Cred Manager (cccredmgr) - Unknown owner - C:\Program Files\Rational\ClearCase\bin\cccredmgr.exe
    O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: Fortinet Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Program Files\Fortinet\FortiClient\scheduler.exe
    O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: Atria Lock Manager (LockMgr) - Unknown owner - C:\Program Files\Rational\ClearCase\bin\lockmgr.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    O23 - Service: Data Protector Inet (OmniInet) - Hewlett-Packard - C:\Program Files\OmniBack\bin\OmniInet.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe
    O23 - Service: Vantage Comms Server - Actaris - C:\Program Files\Actaris\Vantage Comms Server\Actaris.Vantage.CommsServer.exe
    O23 - Service: Vantage Schedule Processor - Actaris - C:\Program Files\Actaris\Vantage Schedule Processor\Actaris.Vantage.ScheduleProcessor.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 13811 bytes
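The following is an added example, not part of the thread and not HijackThis's own code: a small triage script that runs a handful of heuristics drawn from the indicators visible in the log above (autoruns launched from the Temp folder, entries under Policies\Explorer\Run, machine-generated value names, randomly named DLLs dropped straight into C:\WINDOWS, the DisableRegedit policy, and a hijacked IE start page) over constructed sample lines copied from that log. The allowlist of expected start-page hosts is an assumption for the example.

```python
import re

# Constructed sample: lines taken from the posted HijackThis log plus two benign
# entries (Java's ssv.dll and Dell's Apoint.exe) so the triage has negatives too.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O2 - BHO: QXK Olive - {129D532E-E2EC-4527-B4BA-4626830EFE18} - C:\WINDOWS\dfmlxbpkbkl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: peltodgx - {BAB8F6DC-41B1-440F-A066-AAC224906880} - C:\WINDOWS\peltodgx.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\ALDERS~1\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [lphc50oj0erfe] C:\WINDOWS\system32\lphc50oj0erfe.exe
O4 - HKLM\..\Run: [\YURD5.exe] C:\Windows\system32\YURD5.exe
O4 - HKLM\..\Policies\Explorer\Run: [mC85vZsMwb] C:\DOCUME~1\ALDERS~1\LOCALS~1\Temp\windfr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: rwlfsdmk - {E8ACF29E-CF02-4B6C-83B3-136B1F15A7CE} - C:\WINDOWS\rwlfsdmk.dll
"""

EXPECTED_START_HOSTS = {"go.microsoft.com", "www.euro.dell.com"}  # assumed allowlist
RUN_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DLL_RE = re.compile(r"^O(?:2|3|21) - .*? - \{[0-9A-F-]+\} - (?P<path>.*\.dll)$", re.I)

def triage_line(line):
    """Return the names of the heuristics that fire on one HijackThis line."""
    hits = []
    m = RUN_RE.match(line)
    if m:
        key, name, cmd = m.group("key", "name", "cmd")
        if re.search(r"\\temp\\", cmd, re.I):
            hits.append("autorun_from_temp")            # UIUCU.EXE, windfr.exe
        if "Policies\\Explorer\\Run" in key:
            hits.append("policies_run_key")             # rarely used legitimately
        if name.startswith("\\"):
            hits.append("value_name_is_filename")       # the \YURxx.exe family
        if re.fullmatch(r"(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{10,}", name):
            hits.append("generated_value_name")         # lphc50oj0erfe, mC85vZsMwb
    m = DLL_RE.match(line)
    if m and re.fullmatch(r"C:\\WINDOWS\\[a-z]{7,12}\.dll", m.group("path"), re.I):
        hits.append("random_dll_in_windows_root")       # dfmlxbpkbkl.dll and friends
    if line.startswith("O7 - ") and "DisableRegedit=1" in line:
        hits.append("regedit_disabled_by_policy")       # matches the lockout symptoms
    if "Start Page = " in line:
        host = re.search(r"://([^/]+)", line).group(1)
        if host not in EXPECTED_START_HOSTS:
            hits.append("unexpected_start_page")        # softwarereferral.com hijack
    return hits

def triage(log_text):
    """Flagged log lines mapped to their heuristics; clean lines are left out."""
    return {ln: h for ln in log_text.strip().splitlines() if (h := triage_line(ln))}
```

Run over the sample, nine of the eleven lines are flagged and only the Java BHO and the Dell touchpad autorun come back clean; the heuristics are triage hints for a human reviewer, not a verdict.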
Short URL to this thread: https://techguy.org/753948