
Virus help needed

  • This topic is locked
2 replies to this topic

#1 Aanders5


  • Members
  • 58 posts
  • Gender:Male
  • Location:USA, MI
  • Local time:07:04 AM

Posted 28 October 2008 - 10:23 AM

Okay, so I talked to my friend who is the district's school programmer and he suggested that I post my problem on here, as he says that the removal process will probably involve several steps that you guys can help me with. I am newer to programming and so far I have stopped the virus for the most part; however, I am not sure whether the files still exist or if it's multiplying.
Usually there are 2 random icons that keep on flashing with warning pop-ups that want me to download "their" virus removal programs, and then it randomly opens up one or two IE explorer windows directing me to an unknown site. So far I have stopped most of the "processes" (in the system manager that I could figure out were virus programs); however I still have a flashing yellow caution sign that keeps telling me to download their virus software.

So my problems are this:
1) how do I remove the annoying flashing icon(s)?
2) how do I, in general, permanently get rid of all the viruses, as I have only stopped them (they are also "startup" programs)?

From what I have read thus far, I think the first step is for me to post something called like a HijackThis report, then you guys give me some info that I need to save to my desktop before going into the good ol' safe mode, and then usually the steps change slightly with each person.

I really have no idea about how to go through the steps of removing the virus, but I am fully capable of navigating the PC and its software. The only reason why I cannot use a "restore point" is because I just spent 3 hours setting up a "WAMP" database that I really don't want to redo. :)

So you can probably just explain this whole removal process to me in "nerdy" terms rather than typing out lengthy explanations about how to perform each step. :thumbsup:

Thanks for the help! :)

(I'm currently working as tech support for the school in about 1 hour (12:10 EST), and then I will be able to keep a constant watch on this topic (check up every 5 minutes) for the following 5 hours afterwards (till 5:00pm EST), so I will be able to respond to your questions and responses within a matter of minutes.)

Edited by Aanders5, 28 October 2008 - 10:27 AM.


#2 Aanders5

  • Topic Starter

  • Members
  • 58 posts
  • Gender:Male
  • Location:USA, MI
  • Local time:07:04 AM

Posted 28 October 2008 - 12:33 PM

Okay, here's the HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:53:24 PM, on 10/28/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:









C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe



C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS







C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Digital Media Reader\shwicon2k.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe



C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Sals infobar Toolbar - {f24556fd-0e1c-4c52-8d3b-dfb23ca93980} - C:\Program Files\Sals_infobar\tbSal0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: 848700 helper - {0CC6DB27-243B-4450-96A7-7E868225858D} - C:\WINDOWS\system32\848700\848700.dll (file missing)

O2 - BHO: (no name) - {3B7AAEB1-9F3D-4491-9C06-C7165CA8D058} - C:\Program Files\Applications\iebt.dll (file missing)

O2 - BHO: 512686 helper - {51B15F5A-E98B-4658-B9CB-9307B74773A7} - C:\WINDOWS\system32\512686\512686.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: VResLabWarningBHO Class - {B494E7BB-1E33-4922-A947-F74EFF4E714F} - C:\Program Files\VResLab\VResLabWarning.dll

O2 - BHO: 813686 helper - {D577B1B9-76E7-42C6-82FE-15206296FAED} - C:\WINDOWS\system32\813686\813686.dll (file missing)

O2 - BHO: Sals infobar Toolbar - {f24556fd-0e1c-4c52-8d3b-dfb23ca93980} - C:\Program Files\Sals_infobar\tbSal0.dll

O3 - Toolbar: Sals infobar Toolbar - {f24556fd-0e1c-4c52-8d3b-dfb23ca93980} - C:\Program Files\Sals_infobar\tbSal0.dll

O3 - Toolbar: Internet Service - {144A6B24-0EBC-4D89-BF09-A06A718E57B5} - C:\Program Files\Applications\iebr.dll (file missing)

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe


O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\algg.exe

O4 - HKCU\..\Run: [VResLab] "C:\Program Files\VResLab\VResLab.exe"

O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.onlyiesettings.com/redirect.php (file missing)

O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.onlyiesettings.com/redirect.php (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O22 - SharedTaskScheduler: gey - {ba934431-76af-4c99-93c2-c3d21944a72e} - C:\WINDOWS\system32\gcqltg.dll (file missing)

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe

O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe


End of file - 8663 bytes

So, what do I do now?
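Added example, not from the thread and not part of HijackThis: a small Python triage pass over lines in the HijackThis log format, run here on a constructed sample made of entries copied from the log above. The rules (dangling "(file missing)" references, IE search/start pages set to an external URL, Policies\Explorer\Run autostarts, per-user autostarts launched straight from system32, services with no publisher string) are my own assumptions for what a helper looks at first; they mark entries for human review and decide nothing on their own.

```python
import re
from typing import Dict, List

# Constructed sample in the HijackThis v2 log format; the entries are copied
# from the log posted above, trimmed to a handful so the example stays short.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: 848700 helper - {0CC6DB27-243B-4450-96A7-7E868225858D} - C:\WINDOWS\system32\848700\848700.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\algg.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Program Files\Applications\wcs.exe
O22 - SharedTaskScheduler: gey - {ba934431-76af-4c99-93c2-c3d21944a72e} - C:\WINDOWS\system32\gcqltg.dll (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")   # "O4 - ..." style entries
URL_RE = re.compile(r"=\s*(https?://\S+)$", re.IGNORECASE)      # R0/R1 values that are URLs

def triage(log_text: str) -> List[Dict[str, str]]:
    """Return log entries a reviewer should look at, each with the structural reason (assumed rules)."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                      # header, running-process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if body.endswith("(file missing)"):
            reasons.append("registry entry points at a file that no longer exists")
        if sec in ("R0", "R1") and URL_RE.search(body):
            reasons.append("IE search/start page set to an external URL")
        if sec == "O4" and r"Policies\Explorer\Run" in body:
            reasons.append("autostart via the Explorer policy Run key")
        if sec == "O4" and "HKCU" in body and "\\system32\\" in body.lower():
            reasons.append("per-user autostart running straight out of system32")
        if sec == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher string")
        if reasons:
            findings.append({"section": sec, "entry": body, "why": "; ".join(reasons)})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']}: {f['why']}\n    {f['entry']}")
```

The wampmysqld hit is the poster's own WAMP install, which is the point of the output: a flagged entry means "look at this", not "remove this".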

#3 Aanders5

  • Topic Starter

  • Members
  • 58 posts
  • Gender:Male
  • Location:USA, MI
  • Local time:07:04 AM

Posted 29 October 2008 - 10:30 AM

hahaha! I FIXED IT! Just from doing all these random safety tricks, and deleting certain files, and trying to trip the virus into showing itself to me. I've turned my laptop on and off like 20 times...and nothing! It's back up to speed, no more pop-ups, no viral programs running in processes...I think I cured my computer without having to boot it in safe mode.

@ myself: Thank you myself! :thumbsup:

@the other myself of me: No problem, Aanders5. Take care.
