Nasty Virus/Issue help PLZ


  • This topic is locked
3 replies to this topic

#1 Humbleguy

Humbleguy

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:42 AM

Posted 06 June 2009 - 10:04 PM

Ok, I have never posted on a thread about a virus or anything, but I have been reading a few things here and there and you guys are awesome. I have made progress but not solved my issue. Please help as much as you can.

Firstly, I currently have both Vista and XP, with Vista being the primary, so I cannot do a system restore or else my whole partition will be messed up. The virus/issue is on XP. I have no idea where it came from. But to be more detailed, it will not allow me to install SUPERAntiSpyware, Spybot Search and Destroy, as well as other programs. I cannot edit the registry; it says it has been disabled by the administrator even though I am logged in as an administrator. If I right click and manually run as administrator it does not even do anything. It redirects most sites I visit, especially if I go to malware removal sites. I was able to get rid of a few processes, sysdll.exe and pp10.exe, from auto starting, and I don't even see them anymore. I have Malwarebytes on my PC and if I try to open it, it crashes. Here is the HijackThis log; hopefully someone can help since I am trying everything possible to avoid having to reinstall XP.

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\LEXBCES.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\LEXPPS.EXE
D:\Program Files\Google\Update\GoogleUpdate.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft LifeCam\MSCamS32.exe
D:\Program Files\CDBurnerXP\NMSAccessU.exe
D:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
D:\WINDOWS\stsystra.exe
D:\WINDOWS\system32\hkcmd.exe
D:\Program Files\RocketDock\RocketDock.exe
D:\WINDOWS\system32\ctfmon.exe
D:\DOCUME~1\Andre\LOCALS~1\Temp\svchost.exe
D:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\TUProgSt.exe
D:\Program Files\TuneUp Utilities 2009\Integrator.exe
D:\Documents and Settings\Andre\Desktop\KillBox.exe
D:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
D:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Java\jre6\bin\java.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Andre\Desktop\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: Trend Micro Toolbar - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - D:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Ad-Watch] D:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "D:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [RocketDock] "D:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows System Recover!] D:\DOCUME~1\Andre\LOCALS~1\Temp\svchost.exe
O4 - HKCU\..\Run: [OE] D:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKUS\.DEFAULT\..\Run: [Windows System Recover!] D:\WINDOWS\TEMP\taskmgr.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [reader_s] D:\WINDOWS\system32\config\systemprofile\reader_s.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [OE] D:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://D:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.21.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - D:\Program Files\Google\Google Gears\Internet Explorer\0.5.21.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - http://de205.centra.com/SiteRoots/main/Ins...raUpdaterAx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCA825CC-4D87-4594-9032-417D6B7FE2C0}: NameServer = 85.255.112.68,85.255.112.66
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.68,85.255.112.66
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.68,85.255.112.66
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: navnet - {AD6E5643-7B0C-46AA-95AD-9773FF2A857A} - D:\Program Files\NavNetApp\ComUtilities.dll
O18 - Protocol: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - D:\Program Files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
O20 - Winlogon Notify: __c00f6c71 - D:\WINDOWS\system32\__c00F6C71.dat
O23 - Service: BitDefender Arrakis Server (Arrakis3) - Unknown owner - D:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe (file missing)
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - D:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (lavasoft ad-aware service) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - D:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NMSAccessU - Unknown owner - D:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Security Activity Dashboard Service (security activity dashboard service) - Trend Micro Inc. - D:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
O23 - Service: Trend Micro Central Control Component (sfctlcom) - Trend Micro Inc. - D:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (tmbmserver) - Trend Micro Inc. - D:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (tmpfw) - Trend Micro Inc. - D:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - D:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - D:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - D:\WINDOWS\


By the way, in case someone must know: C: is my recovery and D: is where my XP is. Everything I have tried thus far I have also attempted to do in safe mode as well, and nothing worked except I was able to get rid of sysdll and pp10.exe, or so it seems.

Edited by Orange Blossom, 06 June 2009 - 11:18 PM.
Fixed BB code for readability. ~ OB
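The HijackThis log in this post contains several entry types that a malware analyst would flag on sight. As an added example (not part of the original post or of HijackThis itself), the following Python script parses HijackThis-style lines and reports the patterns visible in this thread's log: the policy that disables regedit (O7), an IE proxy pointing at localhost (R1), DNS servers hard-set in the registry (O17), a Winlogon Notify handler loading a .dat file (O20), and autorun entries launching from a Temp directory or reusing a core Windows binary name outside system32 (O4). The sample lines are copied from the log above; the rule names and the list of system binary names are my own assumptions.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [Windows System Recover!] D:\DOCUME~1\Andre\LOCALS~1\Temp\svchost.exe
O4 - HKUS\.DEFAULT\..\Run: [Windows System Recover!] D:\WINDOWS\TEMP\taskmgr.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.68,85.255.112.66
O20 - Winlogon Notify: __c00f6c71 - D:\WINDOWS\system32\__c00F6C71.dat
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE
"""

# Assumed list: core Windows binaries that should only ever load from system32.
SYSTEM_NAMES = {"svchost.exe", "taskmgr.exe", "smss.exe", "winlogon.exe",
                "lsass.exe", "services.exe", "explorer.exe"}
TEMP_DIR = re.compile(r"\\temp\\", re.I)          # ...\Temp\ or ...\TEMP\
O4_PATH = re.compile(r"\]\s*\"?(.+?\.exe)\"?", re.I)  # path after the [name] tag

def flag(line):
    """Return a reason string if an HJT line matches a suspicious pattern, else None."""
    kind = line.split(" - ", 1)[0]
    if kind == "O7" and "DisableRegedit=1" in line:
        return "registry editor disabled by policy"
    if kind == "R1" and "ProxyServer" in line and "localhost" in line:
        return "IE traffic proxied through a local port"
    if kind == "O17" and "NameServer" in line:
        return "DNS servers hard-set in registry; confirm they belong to your ISP"
    if kind == "O20" and line.lower().endswith(".dat"):
        return "Winlogon Notify handler with a non-DLL extension"
    if kind == "O4":
        m = O4_PATH.search(line)
        if m:
            path = m.group(1)
            name = path.rsplit("\\", 1)[-1].lower()
            if TEMP_DIR.search(path):
                return "autorun entry executing from a Temp directory"
            if name in SYSTEM_NAMES and "\\system32\\" not in path.lower():
                return "core Windows binary name running outside system32"
    return None

def scan(log_text):
    """Return [(line, reason)] for every suspicious line in a HijackThis log."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = flag(line)
        if reason:
            hits.append((line, reason))
    return hits

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
```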



#2 Humbleguy

Humbleguy
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:42 AM

Posted 06 June 2009 - 10:48 PM

Actually, I have just read the post and have attached the DDS log. My apologies to the mods. I wanted help so bad I just wanted to hurry and post.

Attached Files

  • Attached File  DDS.txt   17.11KB   5 downloads

Edited by Humbleguy, 06 June 2009 - 11:13 PM.


#3 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 07 June 2009 - 02:51 PM

Hello Humbleguy,

Your log indicates you are running TWO antivirus and TWO firewalls: BitDefender Antivirus, Trend Micro Internet Security Pro, BitDefender Firewall, Trend Micro Personal Firewall.


I (as well as Microsoft, McAfee and Symantec) recommend that you DO NOT have more than one anti virus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms".

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection.

In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore, please go to Add/Remove in the Control Panel and remove one of these:
BitDefender Antivirus or Trend Micro Internet Security Pro


Also disable or uninstall one of the two firewalls. Running two firewalls will cause major problems.

****************

"I have malware bytes on my pc and if I try to open it crashes."

If MBAM will not install, please rename the installer mbam-setup.exe. Example: newtool.exe
Proceed installing the renamed installer of MBAM.

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\) then rename mbam.exe to newtool.exe, and double click newtool.exe to proceed in running a quick scan.

Disable Ad-Watch to make sure it won't interfere with fixing.



* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Edited by SifuMike, 07 June 2009 - 02:57 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:42 AM

Posted 16 June 2009 - 10:14 PM

Due to inactivity, this thread will now be closed.