Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 1 of 1 Posts

·
Registered
Joined
·
1 Posts
Discussion Starter · #1 ·
So i got this virus 2 days ago from msn.
Its the fake virus scanner Total Security 4.52

I've tried scanning it with Malwarebytes, it helps for a bit..but after restart the virus is back.

I dunno what to do now.....pleeeease help


So here is the log from Hjackthis thingy.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:43:10, on 25.08.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32spoolsv.exe
C:program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
C:program FilesCommon FilesAVerMediaServiceAVerRemote.exe
C:program FilesCommon FilesAVerMediaServiceAVerScheduleService.exe
C:program FilesBonjourmDNSResponder.exe
C:program FilesJavajre6binjqs.exe
C:program FilesCommon FilesAVerMediaFujitsu RCAVerHIDReceiver.exe
C:program FilesATI TechnologiesATI.ACECLI.EXE
C:program FilesMicrosoft OfficeOffice12GrooveMonitor.exe
C:WINDOWSsystem32RunDll32.exe
C:program FilesWinampwinampa.exe
C:program FilesiTunesiTunesHelper.exe
C:program FilesJavajre6binjusched.exe
C:program FilesSweetIMMessengerSweetIM.exe
C:WINDOWSsystem32ctfmon.exe
C:program FilesAnti-Virus&TrojanAnti-Virus&Trojan.exe
C:program FilesCommon FilesAVerMediaFujitsu RCAVerQuick.exe
C:program FilesWindows LiveMessengermsnmsgr.exe
C:WINDOWSsystem32taskmgr.exe
C:program FilesiPodbiniPodService.exe
C:program FilesATI TechnologiesATI.ACEcli.exe
C:program FilesATI TechnologiesATI.ACEcli.exe
C:program FilesWindows LiveContactswlcomm.exe
C:program FilesMozilla Firefoxfirefox.exe
C:program FilesTrend MicroHijackThisHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://search.bearshare.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCUSoftwareMicrosoftInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1061
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:program FilesSweetIMToolbarsInternet ExplorermgHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:pROGRA~1MICROS~2Office12GRA8E1~1.DLL
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:program FilesBearShare ApplicationsBearShareBearShareIEHelper.dll
O2 - BHO: Windows Live'i sisselogimisabiline - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:program FilesJavajre6binjp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:program FilesJavajre6libdeployjqsiejqs_plugin.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:program FilesSweetIMToolbarsInternet ExplorermgToolbarIE.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:program FilesSweetIMToolbarsInternet ExplorermgToolbarIE.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:program FilesBearShare ApplicationsBearShare MediaBarBearShareMediaBar.dll
O4 - HKLM..Run: [ATICCC] "C:program FilesATI TechnologiesATI.ACECLIStart.exe"
O4 - HKLM..Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..Run: [SkyTel] SkyTel.EXE
O4 - HKLM..Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..Run: [AzMixerSel] C:program FilesRealtekInstallShieldAzMixerSel.exe
O4 - HKLM..Run: [INPROCOMMWireless] C:program FilesAtherosWirelessUtilityWlanUtil.exe
O4 - HKLM..Run: [NeroFilterCheck] C:WINDOWSsystem32NeroCheck.exe
O4 - HKLM..Run: [GrooveMonitor] "C:program FilesMicrosoft OfficeOffice12GrooveMonitor.exe"
O4 - HKLM..Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM..Run: [WinampAgent] "C:program FilesWinampwinampa.exe"
O4 - HKLM..Run: [AppleSyncNotifier] C:program FilesCommon FilesAppleMobile Device SupportbinAppleSyncNotifier.exe
O4 - HKLM..Run: [QuickTime Task] "C:program FilesQuickTimeQTTask.exe" -atboottime
O4 - HKLM..Run: [iTunesHelper] "C:program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [SunJavaUpdateSched] "C:program FilesJavajre6binjusched.exe"
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:program FilesAdobeReader 9.0ReaderReader_sl.exe"
O4 - HKLM..Run: [SweetIM] C:program FilesSweetIMMessengerSweetIM.exe
O4 - HKLM..Run: [11475464] C:Documents and SettingsAll UsersApplication Data1147546411475464.exe
O4 - HKCU..Run: [MsnMsgr] ~"C:program FilesWindows LiveMessengermsnmsgr.exe" /background
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKUSS-1-5-19..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:program FilesCommon FilesAdobeCalibrationAdobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:program FilesMicrosoft OfficeOffice12ONENOTEM.EXE
O4 - Global Startup: Anti-Virus&Trojan.lnk = C:program FilesAnti-Virus&TrojanAnti-Virus&Trojan.exe
O4 - Global Startup: AVer HID Receiver.lnk = C:program FilesCommon FilesAVerMediaFujitsu RCAVerHIDReceiver.exe
O4 - Global Startup: Fujitsu RC.lnk = C:program FilesCommon FilesAVerMediaFujitsu RCAVerQuick.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:pROGRA~1MICROS~2Office12EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:pROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:pROGRA~1MICROS~2Office12ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:pROGRA~1MICROS~2Office12REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:program FilesMessengermsmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:pROGRA~1MICROS~2Office12GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:program FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:WINDOWSsystem32Ati2evxx.exe
O23 - Service: AVerRemote - AVerMedia - C:program FilesCommon FilesAVerMediaServiceAVerRemote.exe
O23 - Service: AVerScheduleService - Unknown owner - C:program FilesCommon FilesAVerMediaServiceAVerScheduleService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:program FilesBonjourmDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:program FilesiPodbiniPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:program FilesJavajre6binjqs.exe

--
End of file - 8567 bytes

ALSO..here is Malwarebytes log ( i did it with Quick Scan and before doing these both logs.. i deleted the *randomnumber*.exe thing from Task Manager, to do Malwarebytes. :

Malwarebytes' Anti-Malware 1.40
Database version: 2688
Windows 5.1.2600 Service Pack 2

25.08.2009 17:55:09
mbam-log-2009-08-25 (17-55-09).txt

Scan type: Quick Scan
Objects scanned: 92432
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11475464 (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Please help me?
 
1 - 1 of 1 Posts
Status
Not open for further replies.
Top