Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

our computer has a virus, but we don't know what it is


  • Please log in to reply

#1
simard

simard

    New Member

  • Member
  • Pip
  • 4 posts
Hello. I'm hoping you can assist me to resolve my computer problem, it's on my parents' computer.

I know their computer has a virus because it is suddenly extremely slow. When you click to open a browser window it takes literally half an hour. I tested the memory and stuff (by pressing f8 at startup and doing some HP diagnostics) and it is fine, so there must be something else involved here. Things do go better in safe mode and I did manage to open up Firefox there and I downloaded hijackthis. The hijackthis log is at the end of this thread, but first some more info to help your diagnosis:

[edit: new symptom: it seems that programs are re-installing when I activate them. I first noticed this in safe mode but I just assumed it was a normal feature of safe mode. But now I have restarted the computer regularly and it is still happening. In safe mode this occurred with SuperAntiSpyware, when I opened the program as usual it asked me what language I wanted to use it in, if I want to protect my homepage, etc., as if I had just installed it. And now in regular mode it is happening with Internet Explorer, when I open a browser window it says it has installed the Google toolbar and it says it has installed version 8 of IE, but both these things were already installed some time ago.]

- two days ago my mother visited a website she frequents, except hackers had taken it over and left a message saying they had taken it over, they said they were from Turkey.. I may be able to get more details when my mother comes home from work.. anyways the site owners e-mailed everyone that they should stay away from the site for the time being until they get it back under control, but my mother went on the site before reading the e-mail.. and now the present computer problem has started one day ago (one day after the site was visited), so maybe it's a coincidence, maybe not... [edit: no new info from my mother, except that the Turkish group may have indicated in their statement that they have some sort of political affiliation/agenda]

- computer specs:
Windows Vista Home Premium (Build 6002: Service Pack 2)
Intel Pentium Dual CPU 1.6GHz
1.00GB
32-bit Operating System

- utilities on computer (and used regularly):
Bell Internet Security Services (paid anti-virus and anti-spyware program that comes with the internet package from Sympatico)
SuperAntiSpaware free edition
Spybot free edition
SecureIT free edition

- Firewall and live protection all enabled. Security level of the computer is set to medium or high I'm not sure which, but definitely not low.

- Yesterday I scanned with all those anti-virus and anti-spyware programs. A few small things were picked up, including one trojan by Spybot, but I didn't keep a record of it because I assumed the problem would go away after all the scans were completed - however, the problem remains.

Prior to this problem our computer has still been a bit slow for a while now (of course not nearly as bad as how it is today), and we have been considering paying a one-time fee to have our computer cleaned and sped-up, by using one of those online services you always see advertised. But there are so many, we're not sure which one to get. Perhaps now would be an ideal time to do this, so as to remove both the virus and all the other 'stuff' that's been slowing our computer down? Which one should we use?

Thank you so much in advance for any assistance you can offer! We're extremely thankful for your time.. our paid virus scanner isn't catching it, so without this recourse I guess we'd have to reformat!

Here is the log file I took yesterday night on safe mode (and note that the hijackthis program is freshly downloaded and installed):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:44 AM, on 06/01/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Bell\Bell Internet Security Services\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: SecurityCoverage Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\SecureIT\PopupBlocker.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\ApcMain.exe -m
O4 - HKLM\..\Run: [SSA.exe] "C:\Program Files\Bell\Internet Service Advisor\SSA.exe" /AUTORUN
O4 - HKLM\..\Run: [BellCanada_McciTrayApp] C:\Program Files\BellCanada\McciTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SCControlPanel] C:\Program Files\SecureIT\SCControlPanel.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Bell Internet Security Services (Radialpoint Security Services) - Radialpoint SafeCare Inc. - C:\Program Files\Bell\Bell Internet Security Services\RpsSecurityAwareR.exe
O23 - Service: Bell Internet Security Services SafeConnectAgent (RadialpointSafeConnectAgent) - Unknown owner - C:\Program Files\Bell\Bell Internet Security Services\SafeConnect\Bin\SanaAgent.exe (file missing)
O23 - Service: Bell Internet Security Services Firewall (RP_FWS) - Bell - C:\Program Files\Bell\Bell Internet Security Services\Fws.exe
O23 - Service: SecureIT Monitor (SCMonitor) - SecurityCoverage Inc. - C:\Program Files\SecureIT\scmonitor\SCMonitorService.exe
O23 - Service: SecureIT Update Service (scupdateservice) - SecurityCoverage Inc. - C:\Program Files\SecureIT\scmonitor\SCUpdateService.exe
O23 - Service: Personal Vault Backup Service (VaultClientSRV) - Bell Canada - C:\Program Files\Personal Vault\VaultClientSRV.exe
O23 - Service: Personal Vault Upgrade Service (VaultClientUpgrade) - Bell Canada - C:\Program Files\Personal Vault\VaultClientUpgrade.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7793 bytes

Edited by simard, 06 January 2010 - 01:26 PM.

  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP