[BigMarv]

Hi,

I seem to have attracted above mentioned virus.

Have run AVG & Spybot aswell as Hijack this (see below)

Logfile of HijackThis v1.97.7
Scan saved at 18:48:11, on 16/04/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Download Files\HijackThis.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
F0 - system.ini: Shell=explorer.exe, msmsgs.exe
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: (no name) - {3BA765C2-08DB-4fe2-9279-311CA10D582A} - C:\WINDOWS\sehlp.dll (file missing)
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Instant Messenger ™ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Microsoft AntiSpyware helper (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper (HKCU)
O13 - WWW. Prefix: http://
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.micro...b?1102709163026
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylomg...gamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


Please help! I would like to get rid of Security iguard & the heinous blue screen.

I would try to follow someone else's thread, but it seems everyones problems vary.

Thanks in advance, it's nice to have people out there that have some computer knowledge and aren't using it for trouble.

[Advertisements]

Maybe I should add a couple of other things.

I have deleted wp.exe etc. from the windows directory as was suggested in previous posts.

I also have a flashing yello '!' at the bottom right of my screen. I don't know if it is a system thing or a malicious link, could someone advise on that.

I have also managed to change my homepage back from 'searchmaid' but don't for one second believe I have solved the problem - esp. as I have the blue screen still!

Please help if poss, I don't want my kids going onto a computer that could lead somewhere dodgy! Thanks

[BigMarv]

Maybe I should add a couple of other things.

I have deleted wp.exe etc. from the windows directory as was suggested in previous posts.

I also have a flashing yello '!' at the bottom right of my screen. I don't know if it is a system thing or a malicious link, could someone advise on that.

I have also managed to change my homepage back from 'searchmaid' but don't for one second believe I have solved the problem - esp. as I have the blue screen still!

Please help if poss, I don't want my kids going onto a computer that could lead somewhere dodgy! Thanks

[Michelle]

This is a pretty new infection. Please try to be as patient as possible.

[Michelle]

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update and reboot.

Then, we'll need you to download the latest version of HiJack This. Click Here to download the latest version (1.99.1). Please save it in a permanent folder (such as C:\HJT). This is to ensure that backups are saved and accessible in the event you should need it. Follow the instructions below if you are unsure how to save it in a permanent folder:

1.) Click on the link to download HiJackThis.exe.
2.) When it pulls up the box (for you to pick a location to save the file), click on the pulldown menu and select "[C:]".
3.) Click on the button to "create new folder" and name the folder HJT
4.) Double click on the folder you just made (to go into the folder) and click "save" on the bottom of the box.

Make sure you are disconnected from the Internet and all windows and programs are closed. Run HiJack This and post your new log here.

[BigMarv]

Hi,

Similar to Sara it has only offered me service pack2???

Any ideas?

Thanks

[Michelle]

Did you click on the link I posted and choose express installation?

Edited by bananafanafo, 16 April 2005 - 12:45 PM.

[BigMarv]

Hi bananafanofo,

I did, yes. When you go to the first page and select 'express installation' you then go to another page where the option is 'Windows XP SP1a', when clicking on this link it automatically fires you to windowsupdate.microsoft.com which would appear to be a generic microsoft page, not a specific download page for service pack 1?

I have started to download service pack 2, is this right or wrong?

Thanks

[Michelle]

I don't understand it...never had this problem installing Service Pack 1 before! Ugh...yes, I would go ahead and download/install Service Pack 2 and if it causes more problems, then we can uninstall it.

[BigMarv]

Ok, service pack 2 failed to load. I had an error come up on the screen saying the registery details may be incorrect, and I should go to www.howtotell.com to find out why - sounds dodgy!!!

[Michelle]

It's basically saying that your XP might be pirated... I'm not allowed to help until we know that XP is valid and without a service pack it won't do me any good to help anyway because your computer can become immediately re-infected due to it's vulnerability. The only other thing I can suggest is to go to howtotell.com and click on the "Windows Validation Assistant" - then click "validate now", then let me know everything it says.