Hey everyone
A computer in my possession (a friend's computer) has a problem running any antivirus/antispyware, or even updating or accessing any type of antivirus/antispyware site. I was fortunate enough to get HijackThis to run via USB stick; the log is below.
I also managed to get Malwarebytes to run by changing the exe file name in C:\Program Files to xxx.exe (and no, it is not porn, as shown in the log). It did find some stuff, but not much; after rebooting I still have the same problem, e.g. getting redirected to other sites and so on. I can't seem to get S&D to do anything at all either; it just hangs.
On top of all that, I tried a system restore without any luck. Every time I thought it had worked, it would reboot as if it were working, and then a message would appear stating that it was unsuccessful and that no changes had been made.
I am at my wits' end with what to do next. If you see anything in the log below that seems not right, please let me know. Thank you in advance, regards Denis
------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:38 PM, on 06/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\TP-LINK\TL-WN821N 1.0\TWCU.exe
C:\Program Files\Alarm Me\AlarmMe.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
G:\Hijack This\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Malwarebytes' Anti-Malware\xxx.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Flash and Media Capture Helper - {E8803722-A7F5-45C5-B39A-A8B244486EC2} - C:\Program Files\Common Files\MetaProducts\FMCapt.dll
O3 - Toolbar: Flash and Media Capture Bar - {650EB965-8A1D-41C9-A941-0578F5CFC569} - C:\Program Files\Common Files\MetaProducts\FMCapt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BrStsWnd] C:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TL-WN821N 1.0\TWCU.exe" -nogui
O4 - HKLM\..\Run: [AlarmMe] "C:\Program Files\Alarm Me\AlarmMe.exe" "-h"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [InfoWonder] "C:\Program Files\InfoWonder\InfoWonder.exe"
O4 - HKCU\..\Run: [TaskMaster] C:\Program Files\TaskMaster\taskmstr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Alarm++.lnk = C:\Program Files\Alarm++\Alarm.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save &image with Flash and Media Capture - res://C:\Program Files\Common Files\MetaProducts\FMCapt.dll/saveimg.htm
O8 - Extra context menu item: Save &media files with Flash and Media Capture - res://C:\Program Files\Common Files\MetaProducts\FMCapt.dll/savemedia.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Save Media files - {F6F76DF4-FD65-4DE7-942F-4BD5DE9B1C6B} - C:\Program Files\Common Files\MetaProducts\FMCapt.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180151610265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180183893718
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: TP-LINK Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MySQL - Unknown owner - C:\Program Files\PIM Xtreme\MySQL\bin\mysqld.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7797 bytes
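An added example, not code from the thread: a small triage script that applies, over a HijackThis-style log, a few of the checks a reviewer would otherwise run by eye on the lines posted above (running processes, O1 hosts entries, O2/O3 BHOs and toolbars, O4 startup entries, O23 services). SAMPLE_LOG is constructed for the example; a few of its lines copy the shape of the posted log, but the svchost.exe-in-Temp, O1 and "Updater" lines are invented to exercise the rules. The rule set, regexes and wording of the findings are my own choices, not a HijackThis feature.

```python
"""Triage a HijackThis-style log for entries a responder should verify first."""
import re
from typing import List, Tuple

# Constructed sample in HijackThis format (not the log from the thread).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Malwarebytes' Anti-Malware\xxx.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O1 - Hosts: 127.0.0.1 www.malwarebytes.org
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKCU\..\Run: [TaskMaster] C:\Program Files\TaskMaster\taskmstr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Application Data\updater.exe
O23 - Service: MySQL - Unknown owner - C:\Program Files\PIM Xtreme\MySQL\bin\mysqld.exe
"""

# Core Windows binary names that malware likes to borrow; the real ones live
# only under the Windows directory or its system32 subfolder.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "smss.exe", "services.exe", "explorer.exe"}
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\(system32\\|system\\)?[^\\]+$", re.I)
# Places that hold caches and user data, not programs that should be running.
SUSPECT_DIR_RE = re.compile(r"\\(temp|tmp|recycler|application data)\\", re.I)
# Hosts entries that point security/update vendors somewhere else block
# downloads and updates of removal tools (my own, incomplete vendor list).
SECURITY_VENDOR_RE = re.compile(
    r"malwarebytes|eset|nod32|symantec|mcafee|kaspersky|avast|avg\b|"
    r"safer-networking|spybot|trendmicro|lavasoft|windowsupdate|microsoft\.com", re.I)
SECTION_RE = re.compile(r"^[RFNO]\d+ - ")
O4_RE = re.compile(r"^O4 - .*?\[[^\]]*\]\s*(.*)$")

Finding = Tuple[str, str]  # (reason, offending log line)


def triage(log_text: str) -> List[Finding]:
    """Return (reason, line) pairs for entries worth checking by hand."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if SECTION_RE.match(line):
            in_processes = False
        if in_processes and "\\" in line:
            name = line.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_NAMES and not SYSTEM_DIR_RE.match(line):
                findings.append(("system binary name outside the Windows directory (masquerade?)", line))
            if SUSPECT_DIR_RE.search(line):
                findings.append(("process running from a temp/profile data directory", line))
        elif line.startswith("O1 - ") and SECURITY_VENDOR_RE.search(line):
            findings.append(("hosts entry redirecting a security/update domain", line))
        elif line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
            findings.append(("orphaned BHO/toolbar registration (no file on disk)", line))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            parts = m.group(1).split() if m else []
            first = parts[0].strip('"') if parts else ""
            if first and "\\" not in first:
                # Bare names are resolved by Windows search order, so a planted
                # copy earlier in the search path wins. Legitimate entries
                # (NVIDIA's nwiz.exe) do this too, hence "verify", not "malicious".
                findings.append(("startup entry with unqualified path (resolved by search order)", line))
            if m and SUSPECT_DIR_RE.search(m.group(1)):
                findings.append(("startup entry launching from a temp/profile data directory", line))
        elif line.startswith("O23 - ") and " - Unknown owner - " in line:
            findings.append(("service with no vendor information", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
```

Run against the log posted above, these rules would point at the orphaned BHO {7E853D72-...} (no file), the nwiz.exe entry and the "Unknown owner" MySQL service; none of those is evidence of the infection on its own, and the kind of infection the poster describes (security sites unreachable, tools killed unless renamed) need not show up in any of these sections at all. A log that passes this script is not a clean machine; the script only orders what to look at first.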
IMO there comes a time when the amount of effort to clean a machine just isn't worth it and, frankly, after cleaning a heavily infected machine you can never be 100% certain you got everything. The alternative is to do a format and re-install.
It's a pain to go through a full format/re-install, but then at least you know you will be starting with a clean machine. Install your OS and get all the devices working, then apply all the patches and the AV and anti-spyware. (At this point I might suggest creating an image of the system so it can be restored easily in the future.) Then install the rest of the software, being careful if any of the apps were downloaded or otherwise obtained from non-original media.
Of course you should get the OK from the owner of the machine and ensure they have a backup of any personal data. Ensure you scan the data before restoring it to the rebuilt machine.
Sounds like the Conficker worm.
http://www.spywarevoid.com/remove-conficker-worm-downadup-removal.html
Hey All
I can't do a reinstall because he has so much work stuff on the PC. However, I have just discovered that I can run NOD32 in safe mode; it has found the Win32/Agent.ODG virus but cannot get rid of it. Maybe someone can help now that the virus has been identified. Any ideas?
regards Denis
Originally Posted by G)-(OST
http://www.computing.net/answers/security/eset-cannot-clean-win32agentodg/25328.html
Just do a search for win32/Agent.ODG removal.
For future reference, there are many, many tools out there that do not require you to boot into Windows from the hard drive. You can use a live Linux CD and ClamAV to get some things; ClamAV isn't nearly as good as some other tools, but it will clean out some common items. Then you can find (or create your own) Windows PE environment; some antivirus companies offer free bootable CDs to do what you need to do.
Linux _is_ user-friendly. It is not ignorant-friendly and idiot-friendly.
Hi there G, if you have a spare PC that is not in use, I'd set your friend's PC's HDD as a slave. Once you have done that you can get to the Documents and Settings folder on the root of C:, and from there you can get to his work. Once you have backed it all up, I'd wipe it.
While you have the HDD as a slave you can scan it with as many AV and ASW as you want. I have done it many times.
Ewido online is very good too.
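One way to do the copy-out that the last two replies and the live-CD reply describe (slave the drive or mount it from a live CD, pull the owner's work out of Documents and Settings, scan it, then wipe the disk), as an added example rather than code from the thread. It assumes the infected volume is already mounted read-only at the path you pass as src (for example with `mount -o ro` on a live Linux CD) and that dst is clean media. Anything Windows or Office would execute (exe/dll/scr/lnk/inf, scripts, macro-enabled documents) is left on the old disk and listed, since carrying a stray dropper into the rebuilt machine defeats the point of the rebuild; the extension and folder lists are my own. run_demo builds a constructed profile tree in a temp directory so the script can be exercised without a real disk.

```python
"""Salvage a user's work files from an infected disk, leaving executables behind."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Folders that hold caches and temp files rather than work (my own list).
SKIP_DIR_NAMES = {"temp", "tmp", "temporary internet files", "cookies",
                  "history", "recycler", "system volume information"}
# Anything Windows or Office will execute stays on the old disk (my own list).
RUNNABLE_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk", ".inf", ".sys",
                ".cpl", ".ocx", ".docm", ".xlsm", ".pptm"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large documents do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def salvage(src: Path, dst: Path) -> Dict[str, List[str]]:
    """Copy non-executable files from src to dst; report what was copied/skipped.

    Writes dst/MANIFEST.sha256 (hash, two spaces, relative path per copied
    file) so the data can be verified after scanning and before restore.
    """
    copied: List[str] = []
    skipped: List[str] = []
    dst.mkdir(parents=True, exist_ok=True)
    for root, dirnames, filenames in os.walk(src, followlinks=False):
        # Prune cache/temp directories in place so os.walk never descends.
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIR_NAMES]
        for name in filenames:
            path = Path(root) / name
            rel = path.relative_to(src).as_posix()
            # Double extensions like report.doc.exe end in .exe and are skipped.
            if path.suffix.lower() in RUNNABLE_EXT or path.is_symlink():
                skipped.append(rel)
                continue
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)
            copied.append(rel)
    with (dst / "MANIFEST.sha256").open("w", encoding="utf-8") as mf:
        for rel in sorted(copied):
            mf.write(f"{sha256_of(dst / rel)}  {rel}\n")
    return {"copied": sorted(copied), "skipped": sorted(skipped)}


def run_demo() -> Dict[str, object]:
    """Build a constructed profile tree (not real data), salvage it, clean up."""
    work = Path(tempfile.mkdtemp(prefix="salvage-demo-"))
    profile = work / "sick" / "Documents and Settings" / "bob"
    files = {  # constructed sample content
        "My Documents/report.doc": b"quarterly figures",
        "My Documents/report.doc.exe": b"MZ\x90\x00",      # stays on the old disk
        "Desktop/notes.txt": b"call supplier",
        "Local Settings/Temp/cache.dat": b"\x00" * 16,    # pruned with its directory
        "Application Data/Updater/updater.exe": b"MZ\x90\x00",
    }
    for rel, data in files.items():
        p = profile / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    result = salvage(work / "sick", work / "clean")
    manifest = (work / "clean" / "MANIFEST.sha256").read_text(encoding="utf-8")
    shutil.rmtree(work)
    return {"copied": result["copied"], "skipped": result["skipped"], "manifest": manifest}


if __name__ == "__main__":
    out = run_demo()
    print("copied:", out["copied"])
    print("skipped:", out["skipped"])
    print(out["manifest"])
```

Scan the destination with whatever engines you have before anything from it goes onto the rebuilt machine, and check the copied files against MANIFEST.sha256 afterwards; the skipped list is what the owner must re-install from original media rather than from this backup.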