HELP please computer got virus



prefect
12-07-2010, 07:01 PM
My main computer has got some type of virus. I was clicking on a link on Wikipedia, of all things.
OS is XP, anti virus is AVG.
I can't do anything: can't click to open AVG, and when I go to IE and Chrome it says it won't connect. I think I clicked some box by mistake which started the virus wrecking stuff.
Virus won't even let me go to Control Panel or Help.
Is there some way of removing the virus, or do I have to format the hard drive, or will the virus stop me from even doing that?
Help appreciated, still got the old computer on the network to ask for help.
Thanks

prefect
12-07-2010, 07:09 PM
Here are some of the warning things:
Security warning: application can't be executed, the file wscntry is infected.

IE warning: visiting this website might harm your computer.

Windows Security Alert: do you want to activate your anti virus software now? This is the one that I clicked and infected the computer, I think. The whole task bar fills with red shields with an X on them.

The Error Guy
12-07-2010, 07:13 PM
Well it won't stop you formatting unless it manages to lock the entire magnetic structure of the drive. In the meantime get it off the internet so the virus can't send or download info.

prefect
12-07-2010, 07:14 PM
It's turned off.

The Error Guy
12-07-2010, 07:21 PM
Well that's a step. As for me, I can't help much from here. I don't know the nature of the virus or any other details. Someone will know. I don't :rolleyes:

Jen
12-07-2010, 07:22 PM
Can you get into Safe Mode and run AVG from there?

Speedy Gonzales
12-07-2010, 07:28 PM
Could be fake security software (http://www.computerhope.com/forum/index.php?topic=104218.0) that's telling you this. If you can download, click this - direct link to Trojan Remover (http://www.simplysupersoft.com/download/dl/trjsetup682.exe), then install it / run it / update it (if it works), then scan. If you can't, type this in under Start > Run: http://www.simplysupersoft.com/download/dl/trjsetup682.exe

prefect
12-07-2010, 07:29 PM
I know it's fake Speedy, thanks Jen, will try safe mode.

wainuitech
12-07-2010, 07:41 PM
You also need to dump AVG -- chances are good any infection will have damaged / killed it -- it's hopeless these days. Seen it countless times: it says it's working, but the infections have actually destroyed it.

Install MSSE from Microsoft's site (http://www.microsoft.com/security_essentials/)

You will also need to run Malwarebytes, Spybot S&D and SUPERAntiSpyware, all in full scan modes, with System Restore turned off.

Depending on the infection those may or may not be enough to clean it.

prefect
12-07-2010, 07:41 PM
Got into Safe Mode, it says select OS to start.
Arrow down to XP Home Edition, push Enter and it just goes to the whole page of lines of stuff.
Has the virus done that as well?

Speedy Gonzales
12-07-2010, 07:42 PM
Boot into safe mode with networking (so you can get on the net / download something), then scan it with something.

prefect
12-07-2010, 07:43 PM
You also need to dump AVG -- chances are good any infection will have damaged / killed it -- it's hopeless these days. Seen it countless times: it says it's working, but the infections have actually destroyed it.

Install MSSE from Microsoft's site (http://www.microsoft.com/security_essentials/)

Will do, but I can't go into Control Panel to uninstall and I can't go on the internet to download anything.

wainuitech
12-07-2010, 07:47 PM
Will do, but I can't go into Control Panel to uninstall and I can't go on the internet to download anything.

You can download the programs to another PC and transfer them across on a USB drive. Keep in mind, depending on the infections they may also infect the drive, so that may need fixing later.

Trojan Remover, Spybot, SUPERAntiSpyware and Malwarebytes will all run in safe mode.

You need to kill the infections first, then they will allow the removal of AVG. Use Revo Uninstaller Portable (http://revo-uninstaller-portable.en.softonic.com/) and remove all the reg keys and folders as well.

Greven
12-07-2010, 07:47 PM
Will do, but I can't go into Control Panel to uninstall and I can't go on the internet to download anything.

Even when you log in as Administrator under safe mode with networking?

Speedy Gonzales
12-07-2010, 07:48 PM
Use CCleaner if it's installed, then.

prefect
12-07-2010, 08:07 PM
You also need to dump AVG -- chances are good any infection will have damaged / killed it -- it's hopeless these days. Seen it countless times: it says it's working, but the infections have actually destroyed it.

Install MSSE from Microsoft's site (http://www.microsoft.com/security_essentials/)

You will also need to run Malwarebytes, Spybot S&D and SUPERAntiSpyware, all in full scan modes, with System Restore turned off.

Depending on the infection those may or may not be enough to clean it.

Thanks Wainui, I got into safe mode, ran System Restore, downloaded microsoft.co./security, it's doing a scan now.

wainuitech
12-07-2010, 09:03 PM
Running System Restore is not what I said, tisk tisk :D -- MSSE needs to be run in FULL mode, so it may take an hour or more.

What you need to do is TURN OFF System Restore, as any infections usually will take up residence in there, and as soon as you reboot it can reload the infections. (Once the PC is clean, THEN turn it back on.)

Once MSSE has done its thing, run Trojan Remover, Malwarebytes, Spybot, SUPERAntiSpyware in that order - in full scan mode for them all.

Malwarebytes and SUPERAntiSpyware both have the option to do quick scans or full -- quick scans are hopeless, so use full.

Depending on the speed and amount of data on the PC, they can EACH easily take over an hour to run.

I get this all the time, cowboys saying they can clean a PC in 30 minutes. HA! (Unless you count formatting a drive first.)

pctek
12-07-2010, 09:11 PM
Install MSSE from Microsoft's site (http://www.microsoft.com/security_essentials/)

You will also need to run Malwarebytes, Spybot S&D and SUPERAntiSpyware, all in full scan modes, with System Restore turned off.

Yes, I agree there. And do a HJT log too.

prefect
12-07-2010, 09:47 PM
Running System Restore is not what I said, tisk tisk :D -- MSSE needs to be run in FULL mode, so it may take an hour or more.

What you need to do is TURN OFF System Restore, as any infections usually will take up residence in there, and as soon as you reboot it can reload the infections. (Once the PC is clean, THEN turn it back on.)

Once MSSE has done its thing, run Trojan Remover, Malwarebytes, Spybot, SUPERAntiSpyware in that order - in full scan mode for them all.

Malwarebytes and SUPERAntiSpyware both have the option to do quick scans or full -- quick scans are hopeless, so use full.

Depending on the speed and amount of data on the PC, they can EACH easily take over an hour to run.

I get this all the time, cowboys saying they can clean a PC in 30 minutes. HA! (Unless you count formatting a drive first.)


Thanks Wainui, MSSE has just finished a scan, 1 hr 15 min, found heaps of trojans and viruses.
Running Spybot now.
Will post HJT log tomorrow.
Tomorrow will turn Restore off and download and run the programs exactly as you have listed.
Thanks for the help, all those who have replied.

wainuitech
12-07-2010, 10:05 PM
Turn off Restore BEFORE you turn the PC off for the night; doing it tomorrow may reinfect the PC on start up.

System Restore has many good points, BUT infections can get into it as well, which is not good.

The downside of turning off Restore is "IF" anything goes wrong, there is no restore point to undo the changes. It's a risk that has to be taken -- "most" of the time it's OK though.

Edited: Good that the programs are finding infections.

prefect
14-07-2010, 10:48 AM
Done everything you said Wainui, here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:44:18 a.m., on 14/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Schmaili84\schmaili.exe
C:\Program Files\FeedReader30\feedreader.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKCU\..\Run: [Schmaili] C:\Program Files\Schmaili84\schmaili.exe
O4 - HKCU\..\Run: [feedreader.exe] "C:\Program Files\FeedReader30\feedreader.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_5F1A57F0B9B89E2E.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1261974304953
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Unknown owner - F:\iso recorder\ImapiHelper.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 6842 bytes
Those programs found shitloads of bad things.
Thanks everyone for the help, I appreciate it. Only thing, IE is not working; I have uninstalled it and will just stick with Chrome.
Thanks again

Speedy Gonzales
14-07-2010, 11:23 AM
Tick these, then tick Fix checked. Close browsers. Make sure System Restore is still disabled.

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot

O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Uninstall all versions of Java prior to 6 Update 21, which is the latest.

If this has been uninstalled, tick this:

O23 - Service: Imapi Helper - Unknown owner - F:\iso recorder\ImapiHelper.exe (file missing)

Then reboot. Then update it, there's one update for it today. Is IE crashing? Uninstall Google Toolbar. Uninstall this, I think it belongs to some Roxio program. It can make IE crash:

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

Or if you're using IE8, disable the Drive Letter Access addon.
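The triage Speedy is doing by eye above (orphaned "(no file)" / "(file missing)" entries are dead and safe to fix; unnamed BHOs and unknown-owner services need a closer look) can be scripted. The following is an added example written for this page, not a tool from the thread or from HijackThis itself. It parses lines in the HJT log format and returns the entries a reviewer would look at first, with a reason for each. The sample log is constructed: most lines are copied from the log posted above, and the final O4 line with `example.exe` is hypothetical, added only to show how an autorun in a user-writable directory gets flagged.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis log format. All but the last entry are taken
# from the log posted in this thread; the last O4 line is hypothetical
# ("example.exe" does not exist) and illustrates a user-writable autorun path.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [Schmaili] C:\Program Files\Schmaili84\schmaili.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Imapi Helper - Unknown owner - F:\iso recorder\ImapiHelper.exe (file missing)
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
"""

# An HJT entry is "<section code> - <body>"; header and process-list lines don't match.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# XP-era directories a standard user can write to without admin rights; rogue
# security software commonly installs its autorun there rather than Program Files.
USER_WRITABLE = (
    "\\temp\\",
    "\\application data\\",
    "\\local settings\\",
    "\\documents and settings\\",
)


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def triage(log_text: str) -> List[Finding]:
    """Return the HJT entries that deserve a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body").lower()
        reasons: List[str] = []
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("orphaned: registry entry points at a file that is gone")
        if "(no name)" in body:
            reasons.append("unnamed entry")
        if section == "O23" and "unknown owner" in body:
            reasons.append("service with no publisher name; verify the binary by hand")
        if section == "O4" and any(d in body for d in USER_WRITABLE):
            reasons.append("autorun from a user-writable directory")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


def safe_to_fix(findings: List[Finding]) -> List[Finding]:
    """Orphaned entries reference nothing on disk, so 'Fix checked' only removes a dead key."""
    return [f for f in findings if any(r.startswith("orphaned") for r in f.reasons)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Two caveats the output needs a human for: "Unknown owner" only means the service binary carries no publisher string, so ati2sgag.exe (an ATI component) is flagged for verification, not as malware; and the startup items Speedy also ticks (QuickTime Task, Adobe Reader Speed Launcher) are ordinary autoruns removed to reduce clutter, which a malware-oriented rule set like this one will not, and should not, flag.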

prefect
14-07-2010, 11:31 AM
Thanks for the help Speedy.
How do I know if old versions of Java are installed?
So what does:

If this has been uninstalled, tick this
mean?
Is the update today for HijackThis?
Not too worried about IE, haven't used it for a while, using Chrome.

Thanks again

Speedy Gonzales
14-07-2010, 11:36 AM
How do I know if old versions of Java are installed?

Look in Add/Remove Programs. If there's more than one entry for Java TM 6 Update xx, uninstall it, and leave Update 21 installed (if Update 21 isn't installed, download it then install it).


So what does:

If this has been uninstalled, tick this mean?

If you've uninstalled the program in Add/Remove Programs, tick that entry then tick Fix checked. No point leaving it there if it's not on the hdd.


Is the update today for HijackThis?
No, it's for XP.