Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

wallpaper doesnt change & "VIRUS ALERT!" text on the


  • This topic is locked This topic is locked

#1
[email protected]!ck

[email protected]!ck

    New Member

  • Member
  • Pip
  • 1 posts
I've tried spybot to remove most the spyware,
but still cant get rid of da 2 probs:
1. wallpaper doesnt change,right clik shows a web browser menu
2.there is a text "VIRUS ALERT!" next to time on the taskbar

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:44: VIRUS ALERT!, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\GRETECH\GomPlayer\GOM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://http//:www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {20CFF989-B2F4-4EC9-9F4A-A05F766EAC67} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {41A5E4AC-B290-4ECD-9A12-5341CD30C3CC} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {694853dc-9539-4896-9a00-3d6af90be5e1} - (no file)
O2 - BHO: (no name) - {69BFC627-1127-47CE-A0BE-F79A2340438C} - (no file)
O2 - BHO: {928042c0-3ef7-8638-a694-3eabe0acb208} - {802bca0e-bae3-496a-8368-7fe30c240829} - (no file)
O2 - BHO: (no name) - {B4FB0B4F-EBC8-40BD-B19B-DB39B230E477} - (no file)
O2 - BHO: (no name) - {B6BCAD83-FE1E-4495-A2FF-443DF1BF7141} - (no file)
O2 - BHO: (no name) - {C5E84927-CFF0-4CA3-A068-02E7C01C1E7C} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA7533] command /c del "C:\WINDOWS\xokvrpwg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3808] cmd /c del "C:\WINDOWS\xokvrpwg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6641] command /c del "C:\WINDOWS\tfnslopk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6314] cmd /c del "C:\WINDOWS\tfnslopk.dll_old"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7956] command /c del "C:\WINDOWS\xokvrpwg.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6028] cmd /c del "C:\WINDOWS\xokvrpwg.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9536] command /c del "C:\WINDOWS\tfnslopk.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8581] cmd /c del "C:\WINDOWS\tfnslopk.dll_old"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F277236-5C31-4D47-B096-F47E5AFF2EF7}: NameServer = 218.248.255.139 218.248.255.146
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: awtsTNhh - awtsTNhh.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6042 bytes
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {20CFF989-B2F4-4EC9-9F4A-A05F766EAC67} - (no file)
O2 - BHO: (no name) - {41A5E4AC-B290-4ECD-9A12-5341CD30C3CC} - (no file)
O2 - BHO: (no name) - {694853dc-9539-4896-9a00-3d6af90be5e1} - (no file)
O2 - BHO: (no name) - {69BFC627-1127-47CE-A0BE-F79A2340438C} - (no file)
O2 - BHO: {928042c0-3ef7-8638-a694-3eabe0acb208} - {802bca0e-bae3-496a-8368-7fe30c240829} - (no file)
O2 - BHO: (no name) - {B4FB0B4F-EBC8-40BD-B19B-DB39B230E477} - (no file)
O2 - BHO: (no name) - {B6BCAD83-FE1E-4495-A2FF-443DF1BF7141} - (no file)
O2 - BHO: (no name) - {C5E84927-CFF0-4CA3-A068-02E7C01C1E7C} - (no file)
O4 - HKLM\..\RunOnce: [SpybotDeletingA7533] command /c del "C:\WINDOWS\xokvrpwg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3808] cmd /c del "C:\WINDOWS\xokvrpwg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6641] command /c del "C:\WINDOWS\tfnslopk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6314] cmd /c del "C:\WINDOWS\tfnslopk.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7956] command /c del "C:\WINDOWS\xokvrpwg.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6028] cmd /c del "C:\WINDOWS\xokvrpwg.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9536] command /c del "C:\WINDOWS\tfnslopk.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8581] cmd /c del "C:\WINDOWS\tfnslopk.dll_old"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: awtsTNhh - awtsTNhh.dll (file missing)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\system32\gigagetbho_v10.dll
C:\WINDOWS\privacy_danger\


Download Malwarebytes ' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html Double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP