Computer is infected

#1 Briver

Okay. I would like to start by saying thank you for this site. I use a computer but don't know how to fix one. So this has been a very helpful forum.
My computer started to automatically make desktop icons for spyware removal and I would get warning popups that my computer was infected. Also, Internet Explorer kept on opening up to different spyware removal programs. I did not use any of those spyware removers.
I found your forum and followed the steps directed and will post them here and let you know all the results.


1. Did the ATF.

1.5 Sorry, had to come back and fill this in. I do not know what was being asked about the msconfig settings. I figured since I didn't know about them I probably haven't done anything to them. I moved on to the next step.

2. Did the Create a system restore point and got rid of all the older ones.

3. Downloaded and ran AVG. Now, I set the program up as directed so a log would be generated after each scan, but when it was finished there was no scan log. I double checked the settings and they are correct. I am sorry I have no scan log for this step.

4. Superantispyware log
SUPERAntiSpyware Scan Log
Generated 03/20/2008 at 10:40 PM

Application Version : 3.6.1000

Core Rules Database Version : 3422
Trace Rules Database Version: 1414

Scan type : Complete Scan
Total Scan Time : 04:31:02

Memory items scanned : 506
Memory threats detected : 1
Registry items scanned : 5118
Registry threats detected : 4
File items scanned : 92372
File threats detected : 19

Trojan.Net-BOK/NMC
C:\WINDOWS\BOKPKOV.DLL
C:\WINDOWS\BOKPKOV.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#bokpkov [ {D2F97702-FDD0-46A2-A89D-171BE4F57CA5} ]

Browser Hijacker.Internet Explorer Settings Hijack
HKU\S-1-5-21-1343024091-1409082233-682003330-1004\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarerefer...=...6Ojg5&lid=2 ]

Trojan.DNSChanger-Codec
HKCR\etlrlws.ToolBar.1
HKCR\etlrlws.ToolBar.1\CLSID

Desktop Hijacker.AboutYourPrivacy
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\images
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\privacy_danger
C:\Documents and Settings\Rivera Family\Desktop\Error Cleaner.url
C:\Documents and Settings\Rivera Family\Desktop\Privacy Protector.url
C:\Documents and Settings\Rivera Family\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Rivera Family\Favorites\Error Cleaner.url
C:\Documents and Settings\Rivera Family\Favorites\Privacy Protector.url
C:\Documents and Settings\Rivera Family\Favorites\Spyware&Malware Protection.url

Adware.Tracking Cookie
C:\Documents and Settings\Rivera Family\Cookies\rivera [email protected][1].txt
C:\Documents and Settings\Rivera Family\Cookies\rivera [email protected][1].txt
C:\Documents and Settings\Rivera Family\Cookies\rivera [email protected][1].txt
C:\Documents and Settings\Rivera Family\Cookies\rivera [email protected][1].txt
C:\Documents and Settings\Rivera Family\Cookies\rivera [email protected][1].txt


5. Ran the Panda online scan


Incident Status Location

Adware:adware/cws Not disinfected C:\Documents and Settings\Rivera Family\Favorites\Health
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Rivera Family\Application Data\Mozilla\Firefox\Profiles\uldtj68s.default\cookies.txt[.atwola.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Rivera Family\My Documents\SFF\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Rivera Family\My Documents\SFF\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Rivera Family\My Documents\SFF\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

6. I then made it so that AVG is the only spyware program running on my computer.

7. I checked for Windows updates and there was nothing for me to download.

8. Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:31 AM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: etlrlws - {EB2B30CB-5CB8-4734-8DEC-67708302DCAF} - C:\WINDOWS\etlrlws.dll (file missing)
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\PROGRA~1\WI1F86~1\MESSEN~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.appl...meInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab53083.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab31267.cab
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O21 - SSODL: altvxvm - {DAEFDDED-3A47-4F21-A3BA-1A7A925E1BA1} - C:\WINDOWS\altvxvm.dll (file missing)
O21 - SSODL: bokpkov - {C33401CB-3F74-42DA-8B61-BD762C950CC5} - C:\WINDOWS\bokpkov.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)

--
End of file - 6261 bytes

9. uninstall list
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
AVG Anti-Spyware 7.5
AviSynth 2.5
BlackBerry Desktop Software 4.2
BlackBerry Desktop Software 4.2
BlackBerry v4.2.1 for the 8100 Series Wireless Handheld
DVD Player
HijackThis 2.0.2
Lexmark 4200 Series
Lexmark 4200 Series Fax Solutions
LiveUpdate 3.0 (Symantec Corporation)
Logitech iTouch Software
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Picture It! Photo 7.0
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MUSICMATCH® Jukebox
Netflix Movie Viewer
Panda ActiveScan
QuickTime
RealPlayer
Rhapsody Player Engine
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB946026)
Shockwave
Silver EyeToy USB Camera
Sony USB Driver
Viewpoint Media Player
Wal-Mart Music Downloads Store
Watchtower Library 2007 - English
Windows Defender Signatures
Windows Internet Explorer 7
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
XviD MPEG4 Video Codec (remove only)

In conclusion, my comp is starting up fast now. It would take 15-20 minutes before I did all of this, but now it seems to be back to normal. THANK YOU!!! I am not getting the desktop icons on my screen. I am not getting the warning pop-ups. My home screen for Internet Explorer is not getting changed anymore, nor is it opening by itself anymore. Again, thank you. I would appreciate it if someone could review these logs to see if it has all been cleaned up or there is something still hiding, as the Panda scan stated I was still infected. Thank you again for the help. Just let me know what to do, and please go step by step as you did with your prior instructions, as I am not too familiar with this aspect of computers. Thank you again.

I would like to add something new. When I start up Windows now I am encountering some issues. When I log into my account my system will shut down and restart. I am also getting an error message that winlogin.exe had to close due to a problem. Other than that, everything else seems to be running normally. Thanks again.

Edited by Briver, 25 March 2008 - 01:06 PM.
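A small triage helper for HijackThis logs like the one posted above, added here as an example; it is not part of the original thread or of HijackThis itself. The sample lines are copied from the log in the post, the section names (O2, O3, O18, O21) are HijackThis's own, and the choice of which sections count as persistence points is my assumption.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = www.msn.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: etlrlws - {EB2B30CB-5CB8-4734-8DEC-67708302DCAF} - C:\\WINDOWS\\etlrlws.dll (file missing)
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O21 - SSODL: bokpkov - {C33401CB-3F74-42DA-8B61-BD762C950CC5} - C:\\WINDOWS\\bokpkov.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\\WINDOWS\\system32\\LEXBCES.EXE
"""

# HijackThis sections that are common load points for this kind of infection
# (assumption for this example): BHOs (O2), IE toolbars (O3), MIME filters (O18)
# and ShellServiceObjectDelayLoad entries (O21).
PERSISTENCE_SECTIONS = {"O2", "O3", "O18", "O21"}
# Markers HijackThis prints when a registry entry points at something that is gone.
ORPHAN_MARKERS = ("(file missing)", "(no file)", "(no CLSID)")

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_line(line):
    """Return (section, body) for a HijackThis entry, or None for other lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage(log_text):
    """Return a list of (section, reason, body) tuples worth a helper's attention."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        orphan = any(marker in body for marker in ORPHAN_MARKERS)
        if section == "O21":
            # SSODL entries are loaded into the shell at logon; the
            # SUPERAntiSpyware log above tied bokpkov to this exact key.
            findings.append((section, "SSODL autoload", body))
        elif section in PERSISTENCE_SECTIONS and orphan:
            # The file is gone but its registry reference remains; leftover
            # references in logon-time load points are worth cleaning up.
            findings.append((section, "orphaned persistence entry", body))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the O2, O3, O18 and O21 lines and leaves the R0, O4 and O23 lines alone.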
