davethompson5151 Posted September 19, 2008 Posted September 19, 2008 I'm new to this and I've come here as I'm desperate. My PC has picked up a really nasty virus, the likes of which I've never seen and nothing I try seems to shift it. I am using Windows XP Home edition. The virus puts a red icon in my taskbar which says "windows security alert". It states that my automatic updates are switched off and I have to click the balloon to fix it. Clicking on this taskbar icon brings up what I assume are fake alerts stating I have spyware, etc. The main annoying side effect of this virus is that my internet has gone, how can I put it, totally bonkers. No matter what I type in search bars, etc, I am always redirected to random pages which have no bearing on what I am searching for. It has rendered my internet completely useless. The only way I can get a somewhat stable internet is by doing what I am doing now, running in safe mode. I have tried AVG antivirus, Windows Live Onecare, Hijack this, nothing seems to work. the programs pick up several trojans and so on, which they claim they have removed, but when I restart my PC, it won't start up and just locks up. The only way I can get the PC to restart properly is to switch the power off and back on. Then when I get it back on, the problem persists and the removed trojans come back. I may be wrong, but looking on the internet, I believe the virus I have is called Gaelicum. Another side effect of this, is that the PC will sometimes just freeze up and I have to power off to restart. I am at my wits end. I have enclosed a Hijack this report if this will assist anyone. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:13:19, on 19/09/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\System32\snmp.exe C:\Program Files\TalkTalk\bin\sprtsvc.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe C:\WINDOWS\system32\windowsautomaticupdates.exe C:\Program Files\Webroot\Washer\WasherSvc.exe C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Microsoft Windows OneCare Live\winss.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Internet Explorer\Iexplore.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\Program Files\Microsoft Windows OneCare Live\WinSSIntro.exe C:\Program Files\Microsoft Windows OneCare Live\WinSSUI.exe C:\WINDOWS\system32\NOTEPAD.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Live Search: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Welcome to AOL UK in partnership with TalkTalk R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - Add to Windows Live Favorites O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - CmdMapping - (no file) O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: Website Promotion Search Engine Submission Optimization & Marketing Software, Ranking Software, Popup Software, Tracks Eraser Software O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.20.0002/OCI/setup.exe O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templates/btmailcontrol013.cab O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq.com/cab/prod/Driver_Detective_v43_Non_Member.CAB O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol028.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Filter hijack: text/html - (no CLSID) - (no file) O20 - AppInit_DLLs: qicgel.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: Panda anti-virus service (PAVSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Panda IManager Service (PSIMSVC) - Unknown owner - C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe (file missing) O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe O23 - Service: Windows Automatic Updates - Stanford University - C:\WINDOWS\system32\windowsautomaticupdates.exe O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe -- End of file - 11334 bytes Please can someone help? Quote
RandyL Posted September 19, 2008 Posted September 19, 2008 Hi dave; Yes you are indeed infected. I'm going to ask you to attempt to run our malware removal guide. Make sure you attempt to update these programs if prompted. I understand you are in safe mode with networking but do what you can even if it's not in the correct order. Your computer could is infected with Malware. Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a combination of the words malicious and software. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Required Cleanup StepsDisable the Spybot Search & Destroy TEA TIMER if you use it and if it is enabled Run a Temporary file and cache cleaner (ATF) Run 2 Anti-Malware scanners (Listed Below) Run an Online Anti-Virus / Anti-Malware Scanner (Listed Below) Clear out old System Restore points If continued Malware type activity is present you may be asked to post a TrendMicro™ HijackThis™ Log file, do not do so unless requested. The reason to run multiple scanners is to ensure that no single scanner is missing something. The time it takes will vary depending on your system and your internet connection speed. Typically the SUPERAntiSpyware and Malwarebytes scanners will take between 10 to 90 minutes. The ESET online scan should take between 1 to 3 hours. In most cases, these scans will suffice to clean and disinfect your computer. Heavily infected systems or slower PCs can take much longer to scan and clean. For best results print the following instructions and bookmark this Web page To keep this guide printer-friendly, use your cursor to highlight the contents below. From your browser select File - Print and in the printer dialog box under "Print range" click the Selection choice to print out these instructions for removal of malware. http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/printer-selection.gif ____________________________________________ STEP 1 Disable Spybot Search & Destroys' TEA TIMER: (if installed, if not go to Step 2)Run Spybot-S&D in Advanced Mode. If it is not already set to do this Go to the Mode menu select "Advanced Mode" On the left hand side, Click on Tools Then click on the Resident Icon in the List Uncheck "Resident TeaTimer" and OK any prompts. Restart your computer. __________________________________________________ STEP 2 Follow these instructions carefully. Download ATF-Cleaner from Snapfiles.com to remove un-needed temporary files from your computer that may contain malware. You can also download it from Majorgeeks.com When you run ATF-Cleaner, check the items as shown below for Main. For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox NOTE: If you don't have FireFox or Opera installed then they will be grayed out and can be ignored Then click on "Empty Selected". http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/atf-cleaner01.gif. http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/atf-cleaner02.gif __________________________________________________ STEP 3 Install and run the free version (not the Professional version) of SUPERAntiSpyware from SUPERAntiSpyware.com Accept any prompts to allow SUPERAntiSpyware to install the latest rules and infection definition files. You do not have to send them your e-mail address, just click next. You can leave the automated check for updates on. You can uncheck "Send a diagnostic report to research center" if you don't want to send the information. DO NOT allow SUPERAntiSpyware to protect your Home Page settings. On the Top Left select the Scan your computer button. Make sure there is a CHECK MARK on all Fixed Drives. Click "Perform a Complete Scan". Click "Next" to Repair issues found and reboot the computer when prompted to do so. __________________________________________________ STEP 4 Install and run Malwarebytes' Anti-Malware from Malwarebytes - (direct download) Accept all defaults for the installer Allow the program to update the definitions Click on the Quick Scan and click Next. If any items are found allow it to clean them and then Reboot your computer. __________________________________________________ STEP 5 Run an online scan with ESET from Free Virus Scan: Use ESET's Online Antivirus Scanner You must use Internet Explorer for this online scan. FireFox, Opera, etc will not work for this scan. If your computer is running Window's Vista, then you must first start Internet Explorer as an Administrator. To do so, right-click on the Internet Explorer icon in the Start Menu and select "Run as administrator" from the popup context menu. Accept the terms and click "Start". Once the scanner is ready, check "Remove found threats" AND "Scan unwanted applications". Click "Start" to begin the scan. When completed restart your computer __________________________________________________ Make sure your internet firewall security is enabled, and then please return to Extreme Tech Support - Free PC Help and tell us how the computer seems to be operating. At that time, you will receive instructions to assist you in removing malicious programs from your Add/Remove program list if warranted. If required this is the download link for TrendMicro™ HijackThis™ Unless instructed to by the Technician helping you then do not download this tool. Once you and the Technician agree that your system appears to be clean then you should delete all your System Restore points and recreate a new one. Please follow the instructions here How to turn off and turn on System Restore in Windows XP How to turn off and turn on System Restore in Windows Vista Quote We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.Get help with computer problems. Join Free PC Help here Donations are welcome. Read Here
Seth Posted September 19, 2008 Posted September 19, 2008 ATF Cleaner, MalwareBytes, and Eset's online scan, should all be fine in Safe Mode with Networking. Following that, boot to normal mode and follow the SuperAntiSpyware instructions then continue on. Quote Need help with your computer problems? Then why not join Free PC Help. Register here If Free PC Help has helped you then please consider a donation. Click here
Guest Wolfeymole Posted September 19, 2008 Posted September 19, 2008 You have P2P software on the system. P2P Warning! IMPORTANT We notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer. Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources there is a high probability that you will be infested with malware. Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation. References for the risk of these programs can be found in these links: Malware: Help prevent the Infection IM And P2P Malware Threats Nearly Triple - Technology News by TechWeb How to Prevent Online Invation of Spyware, Adware and Malware We would recommend that you uninstall these P2P programs, however that choice is up to you. If you choose to remove these programs, you can do so in the Control Panel via Add/Remove Programs. If you have Vista it's Programs and Features. However in order for us to provide future assistance on this matter you must remove the P2P first as it would be fruitless to continue unless the possible cause is ruled out first and to prevent future infestations. Quote
davethompson5151 Posted September 19, 2008 Author Posted September 19, 2008 Thanks for all your help guys, everything's fine now. Took the whole day, but never mind, it's done now. I appreciate what you say about P2P as I admit it was something I downloaded from them that caused this in the first place. So I have learned a painful lesson. Thanks again everyone Quote
Guest Wolfeymole Posted September 19, 2008 Posted September 19, 2008 Good to hear all is good again Dave, thank you for letting us know. :) Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.