mary38483 Posted October 13, 2008

My computer has recently had a virus alert in my task bar next to the clock. I have tried everything I know of to fix this, but nothing has. My background has disappeared, in my start I no longer get my programs, or control panel, or my computer, or run.... 3 new icons have popped up on my desktop, and I keep getting messages saying I am infected. I have run HijackThis and these are the results it gives me....

Logfile of HijackThis v1.99.1
Scan saved at 09:29: VIRUS ALERT!, on 10/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SlipStream Web Accelerator\slipcore.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\SlipStream Web Accelerator\slipgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\mary\LOCALS~1\Temp\Rar$EX00.281\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O3 - Toolbar: olnmraew - {C6E98D75-91EE-4EB1-9CE2-047046F30E32} - C:\WINDOWS\olnmraew.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [slipStream] "C:\Program Files\SlipStream Web Accelerator\slipcore.exe"
O4 - HKLM\..\Run: [uSRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Instant Update Reminder.lnk = ?
O4 - Global Startup: SlipStream Web Accelerator.lnk = C:\Program Files\SlipStream Web Accelerator\slipgui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\SlipStream Web Accelerator\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://C:\Program Files\SlipStream Web Accelerator\gui_resource.dll/328
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C6EAB0D-1A58-41BD-8453-EAB8BAC53A7A}: NameServer = 64.136.173.5 64.136.164.77
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O21 - SSODL: lfstbwvd - {39F839B6-596C-41B7-A906-834AE131C502} - C:\WINDOWS\lfstbwvd.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

jaclaz Posted October 13, 2008

A useful HijackThis "side" service is this site:
http://www.hijackthis.de/
where you have an easy to visualize analysis of your log.

From it, it does not seem that you have many problems. The "questionable items" are below (as coming from the "short analysis"):

[?] - C:\WINDOWS\SYSTEM32\USRmlnkA.exe
[?] - C:\WINDOWS\SYSTEM32\USRmlnkA.exe
[?] - O3 - Toolbar: olnmraew - {C6E98D75-91EE-4EB1-9CE2-047046F30E32} - C:\WINDOWS\olnmraew.dll
[?] - O8 - Extra context menu item: Show All Original Images - res://C:\Program Files\SlipStream Web Accelerator\gui_resource.dll/327
[?] - O8 - Extra context menu item: Show Original Image - res://C:\Program Files\SlipStream Web Accelerator\gui_resource.dll/328
[?] - O17 - HKLM\System\CCS\Services\Tcpip\..\{2C6EAB0D-1A58-41BD-8453-EAB8BAC53A7A}: NameServer = 64.136.173.5 64.136.164.77
[?] - O21 - SSODL: lfstbwvd - {39F839B6-596C-41B7-A906-834AE131C502} - C:\WINDOWS\lfstbwvd.dll

Of course only you may know how accurate the above is and what in it may actually be a problem.

jaclaz
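
Added example, not part of any post in this thread and not HijackThis or hijackthis.de code: a small first-pass triage of a HijackThis log of the kind posted above, splitting entries by section code and listing the ones worth checking by hand. The three heuristics and the function names are this example's own assumptions; the sample lines are copied from the log in the first post.

```python
import re

# Entry lines look like "O21 - SSODL: name - {CLSID} - C:\path\file.dll".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A DLL sitting directly in C:\WINDOWS, not in a subfolder such as system32.
WINDOWS_ROOT_DLL = re.compile(r"C:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)
LOOPBACK_PROXY = re.compile(r"ProxyServer\s*=.*127\.0\.0\.1", re.IGNORECASE)

def parse(log_text):
    """Return (code, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries

def review_candidates(entries):
    """Assumed heuristics; a hit means 'verify this by hand', not 'this is malware'."""
    hits = []
    for code, body in entries:
        if code in ("O2", "O3", "O21") and WINDOWS_ROOT_DLL.search(body):
            hits.append((code, "browser/shell extension DLL in the Windows root", body))
        elif code == "R1" and LOOPBACK_PROXY.search(body):
            hits.append((code, "IE proxy is a loopback listener; confirm its owner", body))
        elif code == "O6":
            hits.append((code, "Internet Options locked by a policy key", body))
    return hits

# Sample lines copied from the log in the first post of this thread.
SAMPLE = r"""
C:\WINDOWS\explorer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O3 - Toolbar: olnmraew - {C6E98D75-91EE-4EB1-9CE2-047046F30E32} - C:\WINDOWS\olnmraew.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O21 - SSODL: lfstbwvd - {39F839B6-596C-41B7-A906-834AE131C502} - C:\WINDOWS\lfstbwvd.dll
"""

if __name__ == "__main__":
    for code, reason, body in review_candidates(parse(SAMPLE)):
        print(f"[{code}] {reason}\n      {body}")
```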

Tarun Posted October 13, 2008

Your HijackThis version is out of date. Please download my Anti-Malware Toolkit and get the Professional package. Then follow the directions in the PC Cleanup guide. After that please repost your HijackThis log.

Stoner81 Posted October 13, 2008

In my experience this sounds like a rootkit infection, in which case you are in some serious trouble. Try installing NOD32 v2.7 and update it, then boot into safe mode and do a complete system scan, and that might do it. If not, then I have generally found the only way to remove them is to do a complete format and reinstall your OS.

Stoner81

mary38483 Posted October 13, 2008

The Slipstream process is my internet accelerator that came with my internet service, and the USR is my modem update reminder. I went and used 2 programs from lunarsoft.net and they have really straightened out my computer A LOT... However it is still showing my time in army time. That I haven't figured out yet.

Tarun Posted October 13, 2008

SUPERAntiSpyware has a setting to reset to the 12 hour clock.

twig123 Posted October 13, 2008

I would have suggested Malwarebytes Anti-Malware... even the free edition rocks!

krona Posted October 13, 2008

I had the same thing happen to my computer and following this worked:
http://miekiemoes.blogspot.com/2008/05/vir...to-restore.html
good luck!

kooler Posted October 13, 2008

malwarebytes gets rid of it .. I think every vista laptop I worked on in the last 2 months has got that. just do a full system scan with it.. and it will have to reboot to get it off there
good luck

Redhatcc Posted November 4, 2008

Malwarebytes Anti-Malware
very good program, I didn't hear about it until like a month ago but I was impressed.... poor spybot, what happened >.<

robd Posted November 7, 2008

+1 for Malware Bytes
This sounds reminiscent of the Smitfraud virus I came across about 8 months ago which displayed a message in the system tray. Tarun recommended Malware Bytes and it did the trick then. Solid program.

WangoTango Posted November 21, 2008

Just by looking at your running processes, it's possible that a Trojan has disguised itself as one of the normal exe's. You might want to download Spybot, run it and see if it finds anything. If it does, be sure to check the location of it and what it's called, write it down and delete it. Then go to Start > Run > Type "msconfig" without the quotes > Go to the startup tab. If anything that Spybot found is checked, uncheck it. Or anything that looks suspicious, look it up at the Startup page.

Edited November 21, 2008 by WangoTango

Tarun Posted November 21, 2008

Since we haven't heard from mary in over a month, I'm closing this thread. If mary contacts me about reopening it I will.