1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Your Computer Is Infected - Red Tray Icon (help Needed)

Discussion in 'Virus & Other Malware Removal' started by Dankras, Jan 27, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. Dankras

    Dankras Thread Starter

    Joined:
    Jan 27, 2007
    Messages:
    4
    Hi there!

    I have a Red Circle with an X within that shows a message indicating that my Pc is Infected!

    Please.. could someone give me a hand with this since I've runned every spyware but didn't work at all.

    Thanks.

    Logfile of HijackThis v1.99.1
    Scan saved at 08:44:46 p.m., on 27/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Archivos de programa\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\ctpmon.exe
    C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctpmon.exe
    C:\Archivos de programa\Huawei Technologies\Huawei SmartAX MT810\dslmon.exe
    C:\Archivos de programa\Trend Micro\Tmas\tmas.exe
    C:\Archivos de programa\MSN Messenger\msnmsgr.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrador\Mis documentos\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [YeppStudioAgent] "C:\Archivos de programa\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Archivos de programa\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
    O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: DSLMON.lnk = ?
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Archivos de programa\Trend Micro\Tmas\Tmas.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://allslots.microgaming.com/allslots/FlashAX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8D91A32B-F986-406F-BDE3-51719A63C3E0}: NameServer = 200.45.191.35 200.45.191.40
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
     
  2. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    Download SmitfraudFix (by S!Ri) to your Desktop.
    http://siri.urz.free.fr/Fix/SmitfraudFix.zip
    Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    [​IMG]
    Select option #1 - Search by typing 1 and press Enter
    [​IMG]
    This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm

    IMPORTANT: Do NOT run any other options until you are asked to do so!
     
  3. Dankras

    Dankras Thread Starter

    Joined:
    Jan 27, 2007
    Messages:
    4
    SmitFraudFix v2.137

    Scan done at 21:11:49,57, 27/01/2007
    Run from C:\Documents and Settings\Administrador\Mis documentos\SmitfraudFix
    OS: Microsoft Windows XP [Versi¢n 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\autosys.exe FOUND !
    C:\WINDOWS\system32\ctpmon.exe FOUND !
    C:\WINDOWS\system32\RegistryCleanerSetup.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrador


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrador\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Archivos de programa


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="Mi p*gina de inicio actual"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

    huy32 detected, use a Rootkit scanner

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  4. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
    [​IMG]
    Select option #2 - Clean by typing 2 and press Enter.
    Wait for the tool to complete and disk cleanup to finish.
    You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
    The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

    A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
    Wia
     
  5. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Also, you have a rootkit

    Download GMER's application from here:
    http://www.majorgeeks.com/GMER_d5198.html
    Unzip it and start the GMER.exe
    Click the Rootkit tab and click the Scan button.
    Once done, click the Copy button.
    This will copy the results to your clipboard.
    Paste the results in your next reply.
    Warning ! Please, do not select the "Show all" checkbox during the scan.

    If you're having problems with running GMER.exe, try it in safe mode.
     
  6. Dankras

    Dankras Thread Starter

    Joined:
    Jan 27, 2007
    Messages:
    4
    Thanks Pal !!!

    On safe mode I did the Registry Cleaning. Reboot my PC and the worm was out.

    Thanks again!!! You Guys are nice people!
     
  7. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Good, but not done yet. You have a still have a rootkit on your computer.

    Please run this tool to remove it. Please post the rapport log. Thanks.

    Download
    http://www.uploads.ejvindh.net/rustbfix.exe
    ...and save it to your desktop.

    Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.
     
  8. Dankras

    Dankras Thread Starter

    Joined:
    Jan 27, 2007
    Messages:
    4
    ************************* Rustock.b-fix -- By ejvindh *************************
    27/01/2007 23:12:11,67

    Rustock.b-driver on the system: NONE!

    Rustock.b-ADS attached to the System32-folder:
    :huy32.sys 69416
    Total size: 69416 bytes.
    Attempting to remove ADS...
    system32: deleted 69416 bytes in 1 streams.

    Looking for Rustock.b-files in the System32-folder:
    No Rustock.b-files found in system32


    ******************* Post-run Status of system *******************

    Rustock.b-driver on the system: NONE!

    Rustock.b-ADS attached to the System32-folder:
    No System32-ADS found.

    Looking for Rustock.b-files in the System32-folder:
    No Rustock.b-files found in system32


    ******************************* End of Logfile
    *******************************

    Logfile of HijackThis v1.99.1
    Scan saved at 11:16:30 p.m., on 27/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Archivos de programa\Huawei Technologies\Huawei SmartAX MT810\dslmon.exe
    C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Archivos de programa\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrador\Mis documentos\HijackThis.exe

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [swg] C:\Archivos de programa\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Global Startup: DSLMON.lnk = ?
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8D91A32B-F986-406F-BDE3-51719A63C3E0}: NameServer = 200.45.191.35 200.45.191.40
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


    Is that it?

    Thanks a lot!
     
  9. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Your Welcome !!!!! (y) :) :) :)

    Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

    To SET A NEW RESTORE POINT:
    1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
    2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    3. Then go to Start > Run and type: Cleanmgr
    4. Click "OK".
    5. Click the "More Options" Tab.
    6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    Graphics for doing this are in the following links if you need them.
    How to Create a Restore Point.
    How to use Cleanmgr.

    ======================================

    Here is some useful information on keeping your computer clean:
    1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
    2. If you don't have a Firewall installed, please choose from the following:
      1. ZoneAlarm Free
      2. Kerio Personal Firewall
    3. Here are two great Preventive programs:
      • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
      • IESpyads adds a long list of bad sites to your Restricted sites in Internet Explorer and protects against drive by downloads.
    4. Surf Safe with McAfee's SiteAdisor. SiteAdisor will work with Internet Explorer and Mozilla Firefox. SiteAdisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
      • Red for Warning
      • Yellow for Use Caution
      • Green for Safe
      • Grey for Unknown

      Here are the link to install SiteAdisor in Internet Explorer and Firefox
    5. Anti-Spyware Programs I Recommend:
      • Free Anti-Spyware Programs
      • Great Subscription Anti-Spyware Programs
    6. For Even More Information On Securing Your Computer read Tony Klein's So How Did I Get Infected In The First Place
     
  10. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/538906

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice