Author Topic: No admin and hiding wares (Read 898 times)

Drtzz · « **on:** April 09, 2009, 11:57:21 PM »

Okay i was recently attacked by virut and some dropper, i managed to purge a fair deal of it from my computer but theres more i can tell. I am also receiving a message saying I do not have admistrative access to access this item, and i cannot access the internet on it. It had removed my rundll32 and i had put it back in, i had believed it removed my drivers for my network device but after reinstalling the drivers i still cannot access the net. I was using the recent version of AVG and after failure with the product i used prevx to check for infected files and used microsofts onecare. However here is my current hijack this log. Any help is welcomed.

[font=\"Courier New\"]Logfile of Trend Micro HijackThis v2.0.2[/font]

[font=\"Courier New\"]Scan saved at 11:16:46 PM, on 4/9/2009[/font]

[font=\"Courier New\"]Platform: Windows XP SP3 (WinNT 5.01.2600)[/font]

[font=\"Courier New\"]MSIE: Internet Explorer v8.00 (8.00.6001.18702)[/font]

[font=\"Courier New\"]Boot mode: Normal[/font]

[font=\"Courier New\"]Running processes:[/font]

[font=\"Courier New\"]C:\WINDOWS\System32\smss.exe[/font]

[font=\"Courier New\"]C:\WINDOWS\system32\winlogon.exe[/font]

[font=\"Courier New\"]C:\WINDOWS\system32\services.exe[/font]

[font=\"Courier New\"]C:\WINDOWS\system32\lsass.exe[/font]

[font=\"Courier New\"]C:\WINDOWS\system32\Ati2evxx.exe[/font]

[font=\"Courier New\"]C:\WINDOWS\system32\svchost.exe[/font]

[font=\"Courier New\"]C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe[/font]

[font=\"Courier New\"]C:\WINDOWS\System32\svchost.exe[/font]

[font=\"Courier New\"]C:\WINDOWS\system32\svchost.exe[/font]

[font=\"Courier New\"]C:\WINDOWS\system32\Ati2evxx.exe[/font]

[font=\"Courier New\"]C:\WINDOWS\Explorer.EXE[/font]

[font=\"Courier New\"]C:\WINDOWS\system32\spoolsv.exe[/font]

[font=\"Courier New\"]C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[/font]

[font=\"Courier New\"]C:\Program Files\Prevx\prevx.exe[/font]

[font=\"Courier New\"]C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[/font]

[font=\"Courier New\"]C:\Program Files\Prevx\prevx.exe[/font]

[font=\"Courier New\"]C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[/font]

[font=\"Courier New\"]C:\Program Files\Zune\ZuneLauncher.exe[/font]

[font=\"Courier New\"]C:\Program Files\Java\jre6\bin\jusched.exe[/font]

[font=\"Courier New\"]C:\WINDOWS\RTHDCPL.EXE[/font]

[font=\"Courier New\"]C:\Program Files\Java\jre6\bin\jqs.exe[/font]

[font=\"Courier New\"]C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[/font]

[font=\"Courier New\"]C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe[/font]

[font=\"Courier New\"]C:\Program Files\AIM6\aim6.exe[/font]

[font=\"Courier New\"]C:\WINDOWS\system32\svchost.exe[/font]

[font=\"Courier New\"]C:\Program Files\Microsoft Windows OneCare Live\winss.exe[/font]

[font=\"Courier New\"]C:\Program Files\AIM6\aolsoftware.exe[/font]

[font=\"Courier New\"]C:\Program Files\Internet Explorer\IEXPLORE.EXE[/font]

[font=\"Courier New\"]C:\Program Files\Internet Explorer\IEXPLORE.EXE[/font]

[font=\"Courier New\"]C:\Program Files\Trend Micro\HijackThis\HijackThis.exe[/font]

[font=\"Courier New\"]C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\Temporary Directory 1 for RootkitRevealer.zip\RootkitRevealer.exe[/font]

[font=\"Courier New\"]C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\KFCUXHT.exe[/font]

[font=\"Courier New\"]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop[/font]

[font=\"Courier New\"]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop[/font]

[font=\"Courier New\"]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop[/font]

[font=\"Courier New\"]R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop[/font]

[font=\"Courier New\"]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157[/font]

[font=\"Courier New\"]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896[/font]

[font=\"Courier New\"]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop[/font]

[font=\"Courier New\"]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896[/font]

[font=\"Courier New\"]R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157[/font]

[font=\"Courier New\"]R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop[/font]

[font=\"Courier New\"]R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local[/font]

[font=\"Courier New\"]O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll[/font]

[font=\"Courier New\"]O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll[/font]

[font=\"Courier New\"]O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)[/font]

[font=\"Courier New\"]O2 - BHO: (no name) - {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - (no file)[/font]

[font=\"Courier New\"]O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll[/font]

[font=\"Courier New\"]O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)[/font]

[font=\"Courier New\"]O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll[/font]

[font=\"Courier New\"]O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll[/font]

[font=\"Courier New\"]O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll[/font]

[font=\"Courier New\"]O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll[/font]

[font=\"Courier New\"]O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode[/font]

[font=\"Courier New\"]O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE[/font]

[font=\"Courier New\"]O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[/font]

[font=\"Courier New\"]O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"[/font]

[font=\"Courier New\"]O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"[/font]

[font=\"Courier New\"]O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE[/font]

[font=\"Courier New\"]O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE[/font]

[font=\"Courier New\"]O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun[/font]

[font=\"Courier New\"]O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u[/font]

[font=\"Courier New\"]O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"[/font]

[font=\"Courier New\"]O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background[/font]

[font=\"Courier New\"]O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe[/font]

[font=\"Courier New\"]O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp[/font]

[font=\"Courier New\"]O4 - HKUS\S-1-5-21-3800127832-320483481-2181311428-1007\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User '?')[/font]

[font=\"Courier New\"]O4 - HKUS\S-1-5-21-3800127832-320483481-2181311428-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')[/font]

[font=\"Courier New\"]O4 - HKUS\S-1-5-21-3800127832-320483481-2181311428-1007\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User '?')[/font]

[font=\"Courier New\"]O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')[/font]

[font=\"Courier New\"]O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')[/font]

[font=\"Courier New\"]O4 - Global Startup: APC UPS Status.lnk = ?[/font]

[font=\"Courier New\"]O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe[/font]

[font=\"Courier New\"]O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm[/font]

[font=\"Courier New\"]O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm[/font]

[font=\"Courier New\"]O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000[/font]

[font=\"Courier New\"]O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll[/font]

[font=\"Courier New\"]O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll[/font]

[font=\"Courier New\"]O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL[/font]

[font=\"Courier New\"]O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk[/font]

[font=\"Courier New\"]O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll[/font]

[font=\"Courier New\"]O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll[/font]

[font=\"Courier New\"]O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe[/font]

[font=\"Courier New\"]O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe[/font]

[font=\"Courier New\"]O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe[/font]

[font=\"Courier New\"]O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe[/font]

[font=\"Courier New\"]O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab[/font]

[font=\"Courier New\"]O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab[/font]

[font=\"Courier New\"]O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201682147649[/font]

[font=\"Courier New\"]O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab[/font]

[font=\"Courier New\"]O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab[/font]

[font=\"Courier New\"]O17 - HKLM\System\CCS\Services\Tcpip\..\{7A5D39A0-0DCF-4B92-85EB-9BA11C7651D0}: NameServer = 85.255.112.91,85.255.112.85[/font]

[font=\"Courier New\"]O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.91,85.255.112.85[/font]

[font=\"Courier New\"]O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.91,85.255.112.85[/font]

[font=\"Courier New\"]O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.91,85.255.112.85[/font]

[font=\"Courier New\"]O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll[/font]

[font=\"Courier New\"]O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll[/font]

[font=\"Courier New\"]O20 - Winlogon Notify: hggxyapn - hgGxyApN.dll (file missing)[/font]

[font=\"Courier New\"]O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe[/font]

[font=\"Courier New\"]O23 - Service: APC UPS Service - Unknown owner - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe[/font]

[font=\"Courier New\"]O23 - Service: ARSVC - Unknown owner - C:\WINDOWS\arservice.exe[/font]

[font=\"Courier New\"]O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe[/font]

[font=\"Courier New\"]O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe[/font]

[font=\"Courier New\"]O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\[/font]

[font=\"Courier New\"]O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe[/font]

[font=\"Courier New\"]O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe[/font]

[font=\"Courier New\"]O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[/font]

[font=\"Courier New\"]O23 - Service: Media Center Receiver Service (ehRecvr) - Unknown owner - C:\WINDOWS\eHome\ehRecvr.exe[/font]

[font=\"Courier New\"]O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe[/font]

[font=\"Courier New\"]O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe[/font]

[font=\"Courier New\"]O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE[/font]

[font=\"Courier New\"]O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe[/font]

[font=\"Courier New\"]O23 - Service: KFCUXHT - Sysinternals - www.sysinternals.com - C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\KFCUXHT.exe[/font]

[font=\"Courier New\"]O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe[/font]

[font=\"Courier New\"]O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe[/font]

[font=\"Courier New\"]O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe[/font]

[font=\"Courier New\"]O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe[/font]

[font=\"Courier New\"]O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe[/font]

[font=\"Courier New\"]O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe[/font]

[font=\"Courier New\"]O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe[/font]

[font=\"Courier New\"]O23 - Service: RoxMediaDB9 - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe[/font]

[font=\"Courier New\"]O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe[/font]

[font=\"Courier New\"]O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\system32\rsvp.exe[/font]

[font=\"Courier New\"]O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe[/font]

[font=\"Courier New\"]O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe[/font]

[font=\"Courier New\"]O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe[/font]

[font=\"Courier New\"]O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe[/font]

[font=\"Courier New\"]O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe[/font]

[font=\"Courier New\"]O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\[/font]

[font=\"Courier New\"]--[/font]

[font=\"Courier New\"]End of file - 12466 bytes[/font]

guestolo · « **Reply #1 on:** April 10, 2009, 09:47:53 AM »

Since you don't appear to have Internet Access
Can you download the following from a computer with Internet, then Transfer them to the desktop of the computers Desktop with no Internet

Download [color=\"#FF0000\"]> ATF Cleaner <[/color] by Atribune

download Malwarebytes' Anti-Malware from Here or Here
Save the installer to desktop

After you have Transferred both these tools to desktop

Double Click on ATF-Cleaner.exe to Run it
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
*Prefetch (Windows XP) only.
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit from the Main menu

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to [color=\"#006400\"]Launch Malwarebytes' Anti-Malware[/color], then click Finish.
Note: You would typically have it check for updates at this time, since you have no connection to the Internet yet, please deselect the Updating option
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Also post a fresh Hijackthis log

NOTE: With both those logs, when they open in Notepad, select FORMAT>>Uncheck Word Wrap before copying the report, this will eliminate all the spaces in your logs

Drtzz · « **Reply #2 on:** April 11, 2009, 07:18:53 PM »

Okay, heres what happened. Originally i had gotten it so i could access my deskstop using onecare. The explorer had disappeared. Now after using the malwarebytes av, the explorer is gone again. I could not run hijack this because something altered or is blocking my admin rights. I had the program remove all of the following entries after i saved a log:

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/11/2009 7:29:39 PM
mbam-log-2009-04-11 (19-29-32).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 263044
Time elapsed: 4 hour(s), 39 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.91,85.255.112.85 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7a5d39a0-0dcf-4b92-85eb-9ba11c7651d0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.91,85.255.112.85 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.91,85.255.112.85 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7a5d39a0-0dcf-4b92-85eb-9ba11c7651d0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.91,85.255.112.85 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.91,85.255.112.85 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{7a5d39a0-0dcf-4b92-85eb-9ba11c7651d0}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.91,85.255.112.85 -> No action taken.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> No action taken.

guestolo · « **Reply #3 on:** April 11, 2009, 08:27:19 PM »

Okay, I need you to do the following
If you can now update Malwarebytes, update it, run the scan again and remove everything selected if found
Then post the new log
Only post the log after you reboot if prompted

Also, can you post a fresh Hijackthis log, ensure Word Wrap is not selected when copying the log

Drtzz · « **Reply #4 on:** April 11, 2009, 08:33:39 PM »

Update: I managed to get the explorer to work and an normal boot after using the "start windows using last good configuration" startup. I still am however without internet and without proper access, when i look at network activity under the task manager it says no network adapters detected. Should i run another malware bytes scan and should i do a new hijack this, and im not too sure on the last good configuration, did that also undo what i managed to do with the malwarebytes av.

-Curently scanning with the av(malbyte) and here is my Hijackthis log. I do not have a connection so updates can not occur on malwarebytes. Also a side note, the virus that im infected with is the Virut, and as far as the other infections i do not know.
either way the log is below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:01 PM, on 4/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-21-3800127832-320483481-2181311428-1007\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-3800127832-320483481-2181311428-1007\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-3800127832-320483481-2181311428-1007\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (User '?')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Compaq_Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201682147649
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O20 - Winlogon Notify: hggxyapn - hgGxyApN.dll (file missing)
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe
O23 - Service: APC UPS Service - Unknown owner - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: ARSVC - Unknown owner - C:\WINDOWS\arservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Media Center Receiver Service (ehRecvr) - Unknown owner - C:\WINDOWS\eHome\ehRecvr.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 11594 bytes

guestolo · « **Reply #5 on:** April 12, 2009, 12:34:37 AM »

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Also post a fresh Hijackthis log

Drtzz · « **Reply #6 on:** April 12, 2009, 01:32:25 AM »

Okay im doing the scan now, when i did the wb av it said there are no infected files. I need to reenable system restore as i turned it off while in safe mode to try to make sure nothing was in those files. If this scan finds nothing how do i go about reclaiming admin as far as file restrictions. I also need the drivers for my ethernet as it seems something either removed or uninstalled my ethernet.

guestolo · « **Reply #7 on:** April 12, 2009, 01:54:28 PM »

Any update here?
Did you finish the Dr. Web scan?

Drtzz · « **Reply #8 on:** April 12, 2009, 09:21:46 PM »

[quote name=\'guestolo\' post=\'461116\' date=\'Apr 12 2009, 01:54 PM\']Any update here?
Did you finish the Dr. Web scan?[/quote]

Yes but you didnt explain too much on the other issue. However i really need to thank you as the dr web scan cured around 4,200 files/keys/etc that were infected. I knew about the behavior of the virut and i know it spreads like wildfire but i never thought it would go that deep. I accidently stopped the scan so its still going as we speak. But. I need to figure out where to get the drivers for a realtek fast ethernet device, as the virus or virus trojan combo i had removed the driver, as well as previous removing my rundll32 and mom.exe which is needed for my integrated graphics. But that was previously and i managed to get around that. (Reinstalled then graphics and replaced the rundll32.) But yeah happy easter and thank you like hardcore mate i owe you. I dont think i could of possibly have got this far on my own. The admin problem is the virus but i really do need to figure out how to get the drivers, none of the parts were removed and the model is sr2011wm its a presario, i dont mind doing the legwork for that but where would i find the motherboard's drivers?

guestolo · « **Reply #9 on:** April 12, 2009, 09:27:42 PM »

I'm not sure what your asking, I need to see that log from Dr. Web
Why would we want to install a driver that's probably going to get infected on the machine as it stands now?
If it is Virut, I personally suggest backing up any Important files/documents and clean installing the machine

Here's the usual recommendation for Virut

Quote

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (softwares) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.

Also note: If your transferring files with a USB flash drive
It may contain infected files, we would have to clean it with an updated Virus scanner

Forgot to add, this is the page for your drivers
http://h10025.www1.hp.com/ewfrf/wc/softwar...product=3292424

Drtzz · « **Reply #10 on:** April 13, 2009, 10:29:34 AM »

Thank you and it says dr web says that my computer is clean so far, it is still finishing the scan though, and i will send you the log for it when the scan is done. And yes i had figured it would of been easier to do a restore, but i know what is damaged and those files are infected. Truthfully i believe it is smarter what im doing now because otherwise i would of thrown infected files right back on this computer. I also have done a series of tweaks on this machine and to do them all over again would drive me insane. Im am far more for this method then a complete restore with backup. And thank you for the help you have given. Hopefully when this scan finishes and i get those drivers back on ill be as good as new, ha ha.

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Drtzz · « **Reply #11 on:** April 14, 2009, 03:33:41 PM »

Okay here is where im at as far as whats happened. The Dr web was still going so i stopped it, it was scanning the java files for windows to it was taking hours upon hours to scan files that were in the thousands and all of them were clean. I can get everything to work in safe mode but when in normal use notepad the calculator and a few other built in windows apps dont work. Im not sure how to send the dr web log considering what i saw was about 30 pages long and showed all of my files.
So far im thinking your tip for a clean wipe and reinstall or something along those lines will work better. Ive heard of virut being around even after a reformat though. The drivers wont install either, i ahve installed them but it still wont detect a network driver. Im guessing a repair install would fix most of this but i dont have a recovery cd. So at the moment im at abit of a standstill, any help tips or comments you can offer would be wonderful. Im actually slightly worried at this stage, considering its more or less the left overs of a war. As im pretty sure this computers purged but whats left is cleaning or repairing the damage.

Drtzz · « **Reply #12 on:** April 14, 2009, 08:49:33 PM »

For some reason i cant edit my post. But yeah i found something abit odd, i repaired things in safe mode then in normal mode i had to cure them again with dr web, but it was clean both times after the initial cleaning. Oh and what folder do the drivers for the realtek lan go in i think its still infected My calculator and all that works now but im confused on what to do and exactly how to repair my issues now.. is it winsock acting up? But theres not even a driver detected so how do i fix that? And the biggest one of all, where did you go guestolo, and here i wanted to ask if its okay to make guestolo fan t shirts.

guestolo · « **Reply #13 on:** April 16, 2009, 10:19:50 PM »

Umm, nice to have a fan, but that's not what I want here, I want your computer clean so it can't help the bad guys.
What do you want to do with this machine, keep going forward
Or as I suggest, let's start with a clean install,
It's not that hard, I'll give you a link to walk you thru it

Drtzz · « **Reply #14 on:** April 17, 2009, 01:26:37 AM »

Np and its been abit mate, and you didnt make a direct comment, either way the machines dead blocked the drivers somehow and went poof. Now im just trying to get a recovery cd so i can do a factory resett, otherwise im not to sure how to go about a clean install. And i was jokingly serious i was thinking about making you a t shirt. lol

guestolo · « **Reply #15 on:** April 17, 2009, 10:03:24 PM »

Did you find the CD for your computer?
Do you have a hidden recovery partition that you can backup from
I have no idea as you didn't supply me with One Dr. Web log I asked for??

Drtzz · « **Reply #16 on:** April 17, 2009, 10:23:59 PM »

Aye i would of but it didn really leave me with a log just like a list of every file on my pc. I did but not even the recovery partition works now, and yeah i managed to argue HP into sending me a recovery cd for free. So im going that route, tips, tricks ideas, comments, rage at me not sending a dr web log? lol but yeah i managed to get a backup before betsy tipped so im just going with the cd right now, gonna just restore put back on and retweak.. yay for the months ahead of me. btw you know anything about cluster sizes for blocks of data?

guestolo · « **Reply #17 on:** April 17, 2009, 10:33:45 PM »

I wouldn't worry about the cluster size of data, just leave the default of 4kb when you reformat with NTFS
In my opinion anyways

Get that recovery disk and start fresh, I really suggest it, ensure to get protections afterwards
Let me know when you get to the point where your ready to go with the CD's and we can go from there

Drtzz · « **Reply #18 on:** April 19, 2009, 10:43:09 AM »

sorry it took mke so long for a reply, and i already have done all that and went out and got protection. only problem im having is trying to figure out an optimal cluster size, im abit of a reg tweaker, just trying to get my pc back to what i had it at. But yeah basically everythings back up uninstalled all of hps bloatware, and i just need to transfer all my stuff back over now considering i put on what i needed to and reinstalled all my driver but 2 so far. Thanks for all the hel mate, any thoughts or tips though?

News:

Author Topic: No admin and hiding wares (Read 898 times)

Drtzz