Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works


  • Please log in to reply




  • Member
  • PipPip
  • 51 posts
Ok, I really really really need your guys help. Like PLEASE. It would be greatly appreciated!

This is what happened.
Some how I got a virus or something. And the first thing that happened is I found an icon on my desktop that was entitled Security iGuard. So I immediately deleted it. Then my screen kinda blinked and when I tried to double click on my computer, or the interenet or any folder it just didn't work. So I restarted my computer and tried again. Still didn't work. So I ran Adaware and then I deleted whatever showed up. Then I was able to open up the interenet. When I opened the interenet up my homepage was changed. It kind of looked like the "Page cannot be displayed" page, but instead it had 401 MPV Warning at the top. And it had stuff about my computer. The homepage told me I was being watched or something and had a list of what "they" knew about my computer. Most of the things on the list were correct, like my what interenet I was using (Comcast), and like the interenet connector or something like that. It listed my ip address, which I'm not sure was correct. But it also said the last time "they" investigated your computer was time went here. But that time was just the moment I opened up the interenet, so when ever I opened up the interenet, it would put that specific time there. I decided to run Ad-aware again, and Spy Bot. But when I ran spy bot the whole computer just froze while I was deleting the infected objects that came up in spy bot. I restarted the computer, but when I logged on to the desk top nothing worked. It just froze. And it kept on doing that.
So I went on my old computer and looked around for a solution by looking on google for 401 MPV Warning. I found a site which gave a step by step solution. First it told me to download and install KAV. So I went on my computer and booted it up in safe mode with networking. I found the same site and downloaded KAV.(Kaspersky Anti Virus) But I couldn't update. So the site gave instructions on how to update KAV manually. It said to go on another computer and download the updates from the site, burn the updates onto a cd and then go to the virus infected computer and put the updates from the cd onto that computer. But I didn't have cd burner for my old computer. So I decided to just download the updates from safe mode with networking from the virus infected computer.(By the way when I was in safe mode I had no problems, like the interenet worked and the computer didn't crash). From there I manually updated KAV and then I scanned the computer. A few hours later the scanning was complete, but I still had the problem of the homepage(well I think i did) and the computer not working in normal mode. So I decided to use Hijack This and looked up ANYTHING that looked suspicious on Hijack This and deleted it if I found it was bad. After thoroughly going through Hijack This it didn't change too much. I decided just to go to internet options and change my homepage back to google, and it worked! My homepage was no longer 401 MPV Warning. But my computer still wouldn't work in normal mode. So then I decided to go to the start menu, and then run, and I typed in msconfig. From there I went to the far right tab, which is startup. There it had a list of programs that started up when I went onto desk top. Because if safe mode works, but normal mode doesn't, and it stops working right when I login to windows, the virus had to be a program that started in the beginning of it (i think). So I decided to look through the list for anything uneeded and one by one checked them off. Such as nwiz, and mm_tray, and mcshld, or KAV, and stuff like that. Then when I tried to reboot in normal mode it would either 1, not let me logon to a name for windows at all. Or 2 let me logon for a little bit, but stop working when I double clicked on any icon on the desk top.

Now here I am desparate for help. PLEASE I beg you help me
additionaly info:
I use Windows XP.
my hijack this log file(I don't know of this will help)

Logfile of HijackThis v1.99.1
Scan saved at 11:47:50 PM, on 4/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ed Oh\Desktop\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Services] C:\hi.exe.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...64/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Alias Maya 5.0 PLE Help Server (Maya5PLEHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya 5.0 Personal Learning Edition\docs/Wrapper.conf (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

If there is ANY other info you need to help me please jsut ask. I am on the brink of falling apart. I really need your guy's help. It would be GREATLY appreciated.
  • 0





  • Topic Starter
  • Member
  • PipPip
  • 51 posts
pLEASE i need your guys help
  • 0



    Visiting Staff

  • Visiting Consultant
  • 363 posts
Hi there

I'll have this moved by a mod to the Malware removal forum so it can be reviewed there.
  • 0




  • Topic Starter
  • Member
  • PipPip
  • 51 posts
k sorry about putting it in the wrong spot, i wasn't sure where exactly to put it but please help me.
  • 0



    Visiting Staff

  • Visiting Consultant
  • 363 posts
Hi sooch90

You are in the right place now :tazz:

We can certainly help you but it does take a while to go through logs and prepare responses.
  • 0



    Visiting Staff

  • Visiting Consultant
  • 363 posts
Hi sooch

From the HijackThis log that you have posted I have identified virus and trojan infections but there will be some things missing. From your description at the start you certainly had malware problems as well.

Not everything that starts with Windows is listed in MSConfig. Files can be started from the registry and user startup files. Some of the files you've named are not harmful - some that are in the log are definitely malware. Are you able to give me a list of what you have disabled in MSConfig?

This page at Symantec describes the procedure for doing a Cleanboot rather than booting to Safe Mode. http://service1.syma...=&osv=&osv_lvl=
Are you able to let me know if you think you may be able to do that.

HijackThis has some ability to restore removed entries - but cannot do so if you have deleted the files. Do you recall if you only used HijackThis to 'fix' or if you deleted files that you thought were bad as well.

If you think there is any chance that you may have accidentally deleted Windows operating system files I need to know what steps to recommend next.

If you can clean boot to a state that Windows is in on a new install - you may be able to run the removal tools you will need.

Do you have your original Windows CD or a recovery disk that came with your computer. You'll need them if you have to replace system files.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP