Old 06-11-2008, 01:10 PM   #1 (permalink)
Wise Old Owl
 
Cool Buddy's Avatar
 
Join Date: Mar 2006
Location: Milky way
Posts: 1,487
Default I've got infected


I'm getting the following error whenever I use the Up button in Windows Explorer:

Some dangerous viruses detected in your system. Microsoft Windows XP files corrupted.
This may lead to the destruction of important files in C:\WINDOWS. Download protection software now!

Click OK to download the antispyware. (Recommended)

How to remove this? ESET is not detecting any viruses in the PC though it's updated.
__________________
Digital Sheets Technology Blog
AMD Phenom II X4 840, 4 GB RAM, MSI HD5670, Corsair CX400 PSU :)
Nokia 5230 :(
Canon IXUS 115 HS :)
Cool Buddy is offline  

Old 06-11-2008, 01:20 PM   #2 (permalink)
15.0 GHz
 
VarDOS's Avatar
 
Join Date: May 2008
Location: Beside A Road
Posts: 962
Default Re: I've got infected

Try HijackThis... It will work.
__________________
PC(Intel Core2 Duo E4500 2.2GHz + Intel D946GZis + Dynet 2GB + 1GB DDR2 + 500GB WD Caviar + 250GB WD My Passport)

iPod Touch 4th Generation - 64GB :D
VarDOS is offline  
Old 06-11-2008, 01:23 PM   #3 (permalink)
AFK
 
thewisecrab's Avatar
 
Join Date: Oct 2006
Location: Bombay
Posts: 1,599
Default Re: I've got infected

It is not a virus... it's spyware.
Download and install Spybot Search and Destroy and scan your PC.
Here is the link:
http://www.filehippo.com/download_sp...earch_destroy/
ESET NOD32 is only for viruses...
__________________
Follow me on http://twitter.com/thewisecrab

"This Jen, is the internet"
thewisecrab is offline  
Old 06-11-2008, 01:25 PM   #4 (permalink)
Wise Old Owl
 
Cool Buddy's Avatar
 
Join Date: Mar 2006
Location: Milky way
Posts: 1,487
Default Re: I've got infected

I've attached the HijackThis log file.
Attached Files
File Type: txt hijackthis.txt (8.2 KB, 10 views)
Cool Buddy is offline  
Old 06-11-2008, 01:33 PM   #5 (permalink)
AFK
 
thewisecrab's Avatar
 
Join Date: Oct 2006
Location: Bombay
Posts: 1,599
Default Re: I've got infected

The attachment system is not working on this forum. Just copy-paste the report in your post.
And I'm saying it's not a virus. Refer to my earlier post for downloading Spybot. Install it and update it. Run the scan and you are clean.
thewisecrab is offline  
Old 06-11-2008, 01:47 PM   #6 (permalink)
Back!
 
red_devil's Avatar
 
Join Date: Jun 2007
Location: Bangalore
Posts: 513
Default Re: I've got infected

Code:
	Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:23:23, on 06/11/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///E:/Documents/homepage/homepage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {0575D86E-C7A3-476B-9DC1-A5CB1818E750} - (no file)
O2 - BHO: (no name) - {05F90A2A-CB4C-4471-AD98-BF0A42D1320D} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {2230922E-4186-4E48-B611-A08673AB4B68} - (no file)
O2 - BHO: (no name) - {24761BF2-A4B8-43D4-B7F7-3872C77C59EE} - (no file)
O2 - BHO: (no name) - {2A2909FB-3224-470E-98E1-655E1FCF2307} - (no file)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {3B1901EC-81CC-465C-8244-96ED1E24C532} - (no file)
O2 - BHO: (no name) - {3eed9ae9-da9b-4a7e-aed6-d96ff2a910c1} - (no file)
O2 - BHO: (no name) - {44A8C575-EB57-4AC0-9F71-6C1A0F7F58B1} - (no file)
O2 - BHO: (no name) - {4596DFB1-7667-4015-AEBB-6F48A35FB57C} - (no file)
O2 - BHO: (no name) - {5150765B-B59C-4AFF-B61E-8765EF96D7FE} - (no file)
O2 - BHO: (no name) - {5AC08AC9-142A-44BB-ABB7-1FDBED8196E2} - (no file)
O2 - BHO: (no name) - {67B3CF57-27B1-4FB1-AC67-9A2F9B8A416E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {8D627E35-2C36-486C-BB30-EB5B4D9E3764} - (no file)
O2 - BHO: (no name) - {91441E15-A316-44BB-93FB-7357A8400602} - (no file)
O2 - BHO: (no name) - {A1364832-FEDB-4F07-AB00-54A3C343242C} - (no file)
O2 - BHO: (no name) - {A3518572-C340-49B6-9D41-D7999D6EF48E} - (no file)
O2 - BHO: (no name) - {B94D8523-0D7D-4288-92ED-F0ADAC3FADE4} - (no file)
O2 - BHO: (no name) - {cb6655ec-942d-45fb-a274-5acfa4216db0} - (no file)
O2 - BHO: {ef060590-da11-d83b-e744-d2409faef01d} - {d10feaf9-042d-447e-b38d-11ad095060fe} - (no file)
O2 - BHO: (no name) - {D8A04310-E60B-4DD0-96F3-06AED4D6C75E} - (no file)
O2 - BHO: JurToolbar - {DEE7B1F7-A014-477C-B0C5-23A51AA81DB5} - C:\WINDOWS\system32\hhahgxda.dll
O2 - BHO: (no name) - {DFF27B76-89A4-4ACD-A798-C315E990D77C} - (no file)
O2 - BHO: (no name) - {E44D2101-8C56-47D7-A648-86EDC4B445CE} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: potgic.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Apache Tomcat Tomcat6 (Tomcat6) - Apache Software Foundation - D:\xampplite\tomcat\bin\tomcat6.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Windows Driver Foundation - User-mode Driver Framework (WudfSvc) - Unknown owner - hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,57,00,75,00,64,00,66,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,47,00,72,00,6f,00,75,00,70,00,00,00 (file missing)

--
End of file - 8430 bytes

@thewisecrab, that's his log file... {the attachment system worked fine for me...}

I'm no expert with all these HijackThis logs but that appears clean to me...

{some expert please find out if there is anything suspicious and please point it out here... hope to learn from you guys}

Last edited by red_devil; 06-11-2008 at 01:50 PM. Reason: Automerged Doublepost
red_devil is offline  
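
Added example, not part of any post in this thread: a Python triage pass over the HijackThis log quoted in the post above, run here on an excerpt of its lines. The section meanings (O2 = Browser Helper Objects, O10 = Winsock LSP, O20 = AppInit_DLLs, O23 = services) are HijackThis's own; the function names, priorities and reason strings are assumptions of this example, and a flagged line is a prompt for review, not a verdict.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section detail")
Finding = namedtuple("Finding", "priority section reason detail")

# Excerpt of the log posted above: a subset of its lines, otherwise unchanged.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
O2 - BHO: (no name) - {0575D86E-C7A3-476B-9DC1-A5CB1818E750} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: JurToolbar - {DEE7B1F7-A014-477C-B0C5-23A51AA81DB5} - C:\WINDOWS\system32\hhahgxda.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: potgic.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O2 - BHO: ..."
SYSTEM32 = "c:\\windows\\system32\\"


def parse_log(text):
    """Split a HijackThis log into (running process paths, section entries)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append(Entry(m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def distinct_processes(processes):
    """Windows paths are case-insensitive: System32 and system32 are one folder."""
    return {p.lower() for p in processes}


def triage(entries):
    """Return review findings, most urgent first (1 = look at this first)."""
    findings = []
    for e in entries:
        d = e.detail
        if e.section == "O20":
            dlls = d.split(":", 1)[1].strip()
            if dlls:  # any value here is injected into GUI processes
                findings.append(Finding(1, "O20",
                    "AppInit_DLLs is loaded into every process that loads user32.dll",
                    dlls))
        elif e.section == "O2":
            target = d.rsplit(" - ", 1)[-1]
            if target == "(no file)":
                findings.append(Finding(3, "O2",
                    "BHO registration whose file is gone (leftover key)", d))
            elif target.lower().startswith(SYSTEM32):
                findings.append(Finding(2, "O2",
                    "BHO DLL sits in system32, not a vendor folder: check publisher", d))
        elif e.section == "O10":
            findings.append(Finding(2, "O10",
                "LSP file HijackThis does not recognise: check publisher", d))
        elif e.section == "O23" and "(file missing)" in d.lower():
            findings.append(Finding(3, "O23",
                "service registered but its binary is missing", d))
    return sorted(findings)


if __name__ == "__main__":
    procs, entries = parse_log(SAMPLE_LOG)
    print(len(procs), "process lines,",
          len(distinct_processes(procs)), "distinct image path(s)")
    for f in triage(entries):
        print(f"P{f.priority} {f.section}: {f.reason}\n    {f.detail}")
```

On this excerpt the first finding is the O20 line, because a DLL named there is also loaded into explorer.exe, the process in which the pop-up was reported.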
Old 08-11-2008, 12:50 AM   #7 (permalink)
Wise Old Mouse
 
mrintech's Avatar
 
Join Date: Sep 2005
Location: Bhopal, India
Posts: 1,930
Default Re: I've got infected

Dude, frankly, scan your computer with the following tools:

* Super AntiSpyware: http://www.superantispyware.com/download.html
* a-Squared: http://www.emsisoft.com/en/software/free/

I bet you your problem will be immediately solved if this is a spyware/virus attack.

Run a full system scan with the latest updates.
__________________
- MrinTech :)
mrintech is offline  
Old 08-11-2008, 12:55 AM   #8 (permalink)
* Teh Flirt King *
 
Quiz_Master's Avatar
 
Join Date: Dec 2005
Location: Originally From : Ratlam M.P., Currently in: Hyderabad
Posts: 972
Default Re: I've got infected

@n6300 You are infected with adware. (I mean your PC.) The message you see is actually an advertisement. The cause is you have some weird toolbars installed (JurJooToolbar and ArcoIEHelper). See the log?

Download and install Spybot Search and Destroy from here: http://www.spybot.com/en/mirrors/index.html
Then download its updates from here: http://www.spybotupdates.biz/updates...d_includes.exe and install it.

Do a scan of your PC in safe mode. This will remove the adware.

Do let us know if you solve the problem.
__________________
World is just a Quizzical Reality : Quiz_Master//Ashwin :D

Blog: http://ashwinsaxena.com/blog - Tech, Life and Other Things.
Quiz_Master is offline  
Old 08-11-2008, 12:57 AM   #9 (permalink)
Wise Old Mouse
 
mrintech's Avatar
 
Join Date: Sep 2005
Location: Bhopal, India
Posts: 1,930
Default Re: I've got infected

Quote:
Originally Posted by Quiz_Master View Post
@n6300 You are infected with adware. (I mean your PC.) The message you see is actually an advertisement. The cause is you have some weird toolbars installed (JurJooToolbar and ArcoIEHelper). See the log?

Download and install Spybot Search and Destroy from here: http://www.spybot.com/en/mirrors/index.html
Then download its updates from here: http://www.spybotupdates.biz/updates...d_includes.exe and install it.

Do a scan of your PC in safe mode. This will remove the adware.

Do let us know if you solve the problem.
Dude, frankly speaking, Spybot S & D has lost its charm, though it was the king back in 2006-2007.

Wanna proof? Read: http://www.techsupportalert.com/best...re-remover.htm

superantispyware literally ROCKZ

Try it

Last edited by mrintech; 08-11-2008 at 12:58 AM. Reason: Automerged Doublepost
mrintech is offline  
Old 08-11-2008, 01:06 PM   #10 (permalink)
Wise Old Owl
 
Cool Buddy's Avatar
 
Join Date: Mar 2006
Location: Milky way
Posts: 1,487
Default Re: I've got infected

I scanned my PC with Spybot, did remove a few infections, but the problem persists.
Tried Advanced Spyware Remover Free, removed 2 infections, still the problem persists.
Tried SUPERAntiSpyware, removed 2 infections but the problem persists.
Tried Ad-Aware 2008, crashes in between the scan.
Thanks everyone for the help. I think I'll reinstall Windows.
Cool Buddy is offline  
Old 08-11-2008, 01:34 PM   #11 (permalink)
EXIT: DATA Junkyard
 
comp@ddict's Avatar
 
Join Date: Aug 2008
Location: New Delhi
Posts: 5,019
Default Re: I've got infected

Or alternatively just download the KIS trial and scan, that works too.
__________________
About me:
http://about.me/preetam_nath
comp@ddict is offline  
Old 08-11-2008, 01:49 PM   #12 (permalink)
Human Spambot
 
toofan's Avatar
 
Join Date: May 2008
Location: Haldwani(Nainital)
Posts: 2,124
Default Re: I've got infected

Download combofix.exe. Search for it in Google. Use it. First stop your antivirus.
Secondly, do a boot-time scan of your system (I use Avast, it has this setting) with antivirus and Spybot Search and Destroy.

this will surely help you.
__________________
Check my work at:

http://www.flickr.com/photos/vimaljoshi
toofan is offline  
Old 08-11-2008, 02:21 PM   #13 (permalink)
M3TAL H3AD M3
 
skippednote's Avatar
 
Join Date: Feb 2007
Location: Highway To Hell
Posts: 1,376
Default Re: I've got infected

You can go for an online scan or download AVG 8 Free Edition.
__________________
I spit Rainbows.
skippednote is offline  
Old 08-11-2008, 06:09 PM   #14 (permalink)
Wise Old Mouse
 
mrintech's Avatar
 
Join Date: Sep 2005
Location: Bhopal, India
Posts: 1,930
Default Re: I've got infected

If you have a fast internet connection then go for the Kaspersky online scan: http://www.kaspersky.com/virusscanner

No need to worry
mrintech is offline  
Old 08-11-2008, 09:30 PM   #15 (permalink)
Human Spambot
 
toofan's Avatar
 
Join Date: May 2008
Location: Haldwani(Nainital)
Posts: 2,124
Default Re: I've got infected

Don't forget to inform us.
toofan is offline  
Old 08-11-2008, 11:30 PM   #16 (permalink)
Back!
 
red_devil's Avatar
 
Join Date: Jun 2007
Location: Bangalore
Posts: 513
Default Re: I've got infected

Quote:
Originally Posted by Quiz_Master View Post
@n6300 You are infected with adware. (I mean your PC.) The message you see is actually an advertisement. The cause is you have some weird toolbars installed (JurJooToolbar and ArcoIEHelper). See the log?
I'm not the one who is infected {nor is my PC}... I just put the HijackThis log file of the thread starter in my post cos someone before me said the attachment system isn't working!!
red_devil is offline  
Old 08-11-2008, 11:40 PM   #17 (permalink)
Wise Old Mouse
 
mrintech's Avatar
 
Join Date: Sep 2005
Location: Bhopal, India
Posts: 1,930
Default Re: I've got infected

^^^

mrintech is offline  
Old 09-11-2008, 07:30 AM   #18 (permalink)
Human Spambot
 
toofan's Avatar
 
Join Date: May 2008
Location: Haldwani(Nainital)
Posts: 2,124
Default Re: I've got infected

toofan is offline  
Old 09-11-2008, 11:35 AM   #19 (permalink)
Wise Old Owl
 
Cool Buddy's Avatar
 
Join Date: Mar 2006
Location: Milky way
Posts: 1,487
Default Re: I've got infected

Spyware Terminator is not working either. I hope XP SP3 will be better in tackling malware, I have got a fresh copy.
Cool Buddy is offline  
Old 09-11-2008, 12:00 PM   #20 (permalink)
Deadly Creature Me!
 
ubersoldat's Avatar
 
Join Date: Feb 2008
Location: X-labs
Posts: 45
Lightbulb Re: I've got infected

Hi,

U can use PC Tools ThreatFire to wipe out all the spyware and viruses. Also try using Windows Defender with an updated version.

U can try the following steps. Pls back up the Registry and delete the following keys.
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\LClock\LClock.exe

O2 - BHO: JurToolbar - {DEE7B1F7-A014-477C-B0C5-23A51AA81DB5} - C:\WINDOWS\system32\hhahgxda.dll

Also, delete the entries with (no name) and (no file) generated by HijackThis. Ex:
O2 - BHO: (no name) - {cb6655ec-942d-45fb-a274-5acfa4216db0} - (no file)

Try to fix registry errors using TuneUp Utilities Registry Cleaner. I suspect u used some crack file, so the problem of spyware has arisen.

Bye

@Quiz Master. ArcoIEHelper (AcroIEHelper) from Adobe is a BHO for displaying PDFs in Internet Explorer, I guess. It's not spyware.

Last edited by ubersoldat; 09-11-2008 at 12:07 PM. Reason: Automerged Doublepost
ubersoldat is offline  
Old 09-11-2008, 12:30 PM   #21 (permalink)
EXIT: DATA Junkyard
 
comp@ddict's Avatar
 
Join Date: Aug 2008
Location: New Delhi
Posts: 5,019
Default Re: I've got infected

Crack file widout AV on. Happened with me, got infected with some Win32Perfibt or something virus. Wiped out the uninstall files of some 14 programs of mine. Now I'm not able to uninstall O&O Defrag 2000 Freeware, and Vista Inspirat 2 BricoPack, rest all handled by reinstalling. What shud I do god darn it!
comp@ddict is offline  
Old 09-11-2008, 05:28 PM   #22 (permalink)
AFK
 
thewisecrab's Avatar
 
Join Date: Oct 2006
Location: Bombay
Posts: 1,599
Default Re: I've got infected

Thanks n6300 for the log
@Cool Buddy
To me, this seems to be the problem:
Quote:
C:\WINDOWS\System32\svchost.exe
All the remaining system files (and they are clean) are in "system32"
whereas
this is in "System32" (different caps)

Try using this too:
http://thinkdigit.com/forum/showpost...5&postcount=36
thewisecrab is offline  
Old 09-11-2008, 09:38 PM   #23 (permalink)
Deadly Creature Me!
 
ubersoldat's Avatar
 
Join Date: Feb 2008
Location: X-labs
Posts: 45
Talking Re: I've got infected

Quote:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:54 PM, on 09-Nov-08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
@thewisecrab. Do u mean to say that my system is infected too? lol. Just run HijackThis urselves and watch the log file generated. lol. If that doesn't help, try creating a 'System32' folder in the Windows directory urselves. lolz.

@Cool Buddy. Try using Avast 4.8 and Windows Defender. Using Avast, scan ur C: drive for viruses and spyware. In most cases, ur problem should be solved.

Bye
ubersoldat is offline  
Old 11-11-2008, 10:58 AM   #24 (permalink)
Wise Old Owl
 
Cool Buddy's Avatar
 
Join Date: Mar 2006
Location: Milky way
Posts: 1,487
Default Re: I've got infected

@ubersoldat
You do seem to be an experienced user. Thanks for your help, I'll definitely try these, but are you sure I can remove all no name no file entries safely?

BTW Launchy is a good program, no problems from that, you can also try it here.
LClock is also harmless, just shows the clock in a better way in the tray.

I think it helped, right now I'm not getting the error.
Please give your views about this entry:

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

It is 139 KB in size, the size that Vundo's DLLs generally are. However, hovering the mouse above it shows a description "client service for netware provider and authentication package dll company Microsoft" (how to copy text from the status bar of Explorer?!)

Last edited by Cool Buddy; 11-11-2008 at 11:26 AM. Reason: Automerged Doublepost
Cool Buddy is offline  
Old 11-11-2008, 04:22 PM   #25 (permalink)
AFK
 
thewisecrab's Avatar
 
Join Date: Oct 2006
Location: Bombay
Posts: 1,599
Default Re: I've got infected

Quote:
Originally Posted by ubersoldat View Post
@thewisecrab. Do u mean to say that my system is infected too? lol. Just run HijackThis urselves and watch the log file generated. lol. If that doesn't help, try creating a 'System32' folder in the Windows directory urselves. lolz.

@Cool Buddy. Try using Avast 4.8 and Windows Defender. Using Avast, scan ur C: drive for viruses and spyware. In most cases, ur problem should be solved.

Bye
I'm not very good at log files, just thought a little trial and error tricks might help... it didn't... I can see that.
thewisecrab is offline  
Old 12-11-2008, 12:34 AM   #26 (permalink)
Deadly Creature Me!
 
ubersoldat's Avatar
 
Join Date: Feb 2008
Location: X-labs
Posts: 45
Talking Re: I've got infected

Hi,

@Cool Buddy, there is no issue with the file nwprovau.dll. I checked the file and it's frm MS. Comments go as: Client Service for NetWare Provider and Authentication Package DLL. Didn't try Launchy. Regarding the 'no file' and 'no name' entries in HijackThis, I am not very sure becos I too have deleted these entries frm my registry and faced no probs. Not sure about urs. U have to analyse those entries.

I suggest u use Avast 4.8, an updated version of Spybot and Windows Defender. Other AV I am not sure. But I can say that Avast does a better job of catching viruses, spyware, adware, malware and Trojan horses than paid AVs like Norton and McAfee. Just make sure that u update it daily.

Bye

Hi again everyone,

Pls check this link:

http://www.seasonsecurity.com/attent...xp-files-51803

Bye and Happy Virus Hunting

Last edited by ubersoldat; 12-11-2008 at 12:43 AM. Reason: Automerged Doublepost
ubersoldat is offline  
Old 12-11-2008, 09:14 AM   #27 (permalink)
15.0 GHz
 
VarDOS's Avatar
 
Join Date: May 2008
Location: Beside A Road
Posts: 962
Default Re: I've got infected

Hi friends,
I too have been infected with Worm/VB.QG virus......It has infected all my exe files on my PC....all my SETUPS and Installations have been infected. Those SETUPS i had dloaded from net....and are more than 60GB pls help guys
VarDOS is offline  
Old 12-11-2008, 10:35 AM   #28 (permalink)
Deadly Creature Me!
 
ubersoldat's Avatar
 
Join Date: Feb 2008
Location: X-labs
Posts: 45
Talking Re: I've got infected

@Varad Dilip. Hey, I would suggest u run a boot-time scan using Avast. Same thing happened with my friend's PC. He got over 7000 infected exe files. lol. Also, pls don't delete any file if Avast gives u options whether to move infected file to chest or delete. U don't go to delete any file. If u do, then ur setup will be deleted rather than the virus. lol

Bye
ubersoldat is offline  
Old 12-11-2008, 11:57 AM   #29 (permalink)
Alpha Geek
 
paroh's Avatar
 
Join Date: Jul 2008
Posts: 781
Default Re: I've got infected

Try this, as it looks similar to the problem that I encountered.
Code:
http://www.thinkdigit.com/forum/showthread.php?t=101875
paroh is offline  
Old 12-11-2008, 02:48 PM   #30 (permalink)
Wise Old Owl
 
Cool Buddy's Avatar
 
Join Date: Mar 2006
Location: Milky way
Posts: 1,487
Default Re: I've got infected

Problem solved.
Cool Buddy is offline  
All times are GMT +5.5.