[Jase8282]

Hi, i was downloading something, and i opened a file...the next second my desktop icons were gone. A small black window poped up (i thinks its the command window, or run or something like that). This window flashed a couple times. Then I got all these "Your Computer is infected with a Virus!" (one of which was from my AVG Antivirus) things promting me to go to sites, I then shut off my internet (because i know those things are spam that only make the problem worse) and shut off my computer hopeing the problem will go away. When i restart, Some of the icons were back, but no control panel, no Internet explorer, and a few other random things. There were 3 new icons on my desktop and on my bottom bar next to the time it says VIRUS alert and is displaiyng in military time. But now the programs bar under start is gone, and i cant go to my hardrive thru my "my computer". I run scans (SpywareDoctor) and it pulls up a few "Adware Agent BN" i remove them, and run again, and it keeps getting some...now everytime i run it it pulls up one... now that im back connected online its picked up Trojan Downloader VB.AXA
RougeAntispyware and RougeAntispyware Ultimate Cleaner. (ran again and got the same thing)
Now my AVG just pulled this up on its Reisdent shied...Trojan Horse Generic_c.MFD

Haha and all thru my message i ve been having windows poping up trying to get me to download antivirus stuff...
So im thinking, because of my loss options (programs bar, lack of icons, this computer saying "the administrator has disabled my option to go to the control panel") Im thinking that the virus has made itself the administrator....hope this info helps, sorry theres so much
What should i do! Thanks (o, also, i put the or orgional downloaded thing in the trash and deleted)
((Update)): My desktop background is now completely white -_-

[sifisxx]

AVG its useless antivirus try to scan your system with superantispyware also try to make system restore but usually virus has modified the registry and you cant do this

[Flashorn]

Hey Jase!!



First things First, We must know what Operating System ( XP SP1 or 2 or 3 , Vista , SP1 , ect...).

Also , those new Icons, PLZ be more specific (the names of these Icons).

Otherwise , it would be difficult to suggest any security programs. Is this a full tower or a notebook.

Also the name , make and the number of the PC. NOT the serial number.

In the mean time "Turn Off" the computer's "System Restore".

IF this is not possible in normal mode then do it in Safe Mode.



Post back with this information and we can go from there.

Do not waste time with this info. It could be much harder to try and eradicate this infection.





FLASHORN. !http://forums.pcworld.com/legacyimages/
1!

[Bananana]

Hi Jase8282.

If you want an antivirus that works, try "Avast! Antivirus" (this is not an advertisment)

Are you able to go on to the internet through any otherways?

[Jase8282]

Compaq presario laptop series R4000 Service pack 2 XP
The desktop icons were "Spyware&Malware Protection" "Privacy Protector" and "Error Erasor"



And how do i turn off System Restore?

[Jase8282]

I can get to the Avast download, what do you mean "what other ways can i get to the internet?"

[SpiritWind]

Hi :

You are describing the classic symptoms of a "Rogue" program and, IF possible, use

the FREE "Malwarebytes' Anti-Malware", best downloaded from

www.malwarebytes.org/mbam.php .

[Jase8282]

Ill update on what ive done...I turned off system restore, i ran Malwarebyte's Anti-Malware (both done in Safe mode, on the admin user (cuz i cant do anything on my user))

[Jase8282]

I ran Hijackthis, and heres the log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:17 PM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSSYSTEM32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32svchost.exe
C:Program FilesSpyware DoctorpctsAuxs.exe
C:Program FilesSpyware DoctorpctsSvc.exe
C:WINDOWSExplorer.EXE
C:Program FilesMalwarebytes' Anti-Malwarembam.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:Documents and SettingsAdministratorDesktopTrend MicroHijackThisHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://ie.redirect.h...sario&pf=laptop
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,DefaultPageURL = http://go.microsoft....k/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,DefaultSearchURL = http://go.microsoft....k/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCUSoftwareMicrosoftInternet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:Program FilesAVGAVG8avgssie.dll
O2 - BHO: QXK Olive - {5AA9C7D0-0D81-442E-A9B2-75CA0D358CFA} - C:WINDOWStwmxbsqrktl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_07binssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:PROGRA~1AVGAVG8AVGTOO~1.DLL
O3 - Toolbar: rafbsvnx - {AB7B6869-83A5-4F36-8517-1A55496017EF} - C:WINDOWSrafbsvnx.dll
O4 - HKLM..Run: hpWirelessAssistant] C:Program FileshpqHP Wireless AssistantHP Wireless Assistant.exe
O4 - HKLM..Run: [SynTPLpr] C:Program FilesSynapticsSynTPSynTPLpr.exe
O4 - HKLM..Run: [SynTPEnh] C:Program FilesSynapticsSynTPSynTPEnh.exe
O4 - HKLM..Run: [LSBWatcher] c:hpdrivershplsbwatcherlsburnwatcher.exe
O4 - HKLM..Run: [Cpqset] C:Program FilesHPQDefault Settingscpqset.exe
O4 - HKLM..Run: [ISTray] "C:Program FilesSpyware DoctorpctsTray.exe"
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_07binjusched.exe"
O4 - HKLM..Run: [HP Software Update] C:Program FilesHpHP Software UpdateHPWuSchd2.exe
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [AVG8_TRAY] C:PROGRA~1AVGAVG8avgtray.exe
O4 - HKLM..Run: [Sccs] C:Documents and SettingsJason Chapmansccs.exe
O4 - HKLM..Run: [Css] C:Documents and SettingsJason Chapmancss.exe
O4 - HKLM..Run: [ppxcs] C:Documents and SettingsJason Chapmanppxcs.exe
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [http://ctfmon.exe C:WINDOWSsystem32ctfmon.exe
O4 - HKLM..PoliciesExplorerRun: [4095119312] "C:WINDOWSsystem32manxpdbg.exe"
O8 - Extra context menu item: &Google Search - res://C:Program FilesGoogleGoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:Program FilesGoogleGoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:Program FilesGoogleGoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:Program FilesGoogleGoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:Program FilesGoogleGoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.007binnpjpi16007.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.007binnpjpi16007.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O10 - Unknown file in Winsock LSP: c:windowssystem32regowreg.dll
O14 - IERESET.INF: STARTPAGEURL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.co.../sysreqlab3.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantac...ad/iaplayer.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:Program FilesAVGAVG8avgpp.dll
O21 - SSODL: vtqnxfko - {4E14BE3F-32F6-4176-BDE9-B5ED04826D5E} - C:WINDOWSvtqnxfko.dll
O21 - SSODL: tsxngabr - {47D1C535-EFDD-4B5B-8560-CDD36DBC35C0} - C:WINDOWStsxngabr.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:WINDOWSsystem32Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:Program FilesSymantecLiveUpdateALUSchedulerSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:Program FilesBonjourmDNSResponder.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:Program FilesHPQSHAREDHPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:Program FilesiPodbiniPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:Program FilesCommon FilesLightScribeLSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:PROGRA~1SymantecLIVEUP~1LUCOMS~1.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:Program FilesSpyware DoctorpctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:Program FilesSpyware DoctorpctsSvc.exe

--
End of file - 7171 bytes

[Adama]

Hi Jase and welcome to PCWorld Community.

It sounds like you have a virus infection. There is another member who started a discussion about a Major infection just yesterday. Here's the link to that discussion forums.pcworld.com/thread/37626?start=0&tstart=0

Our members Flashorn and SpiritWind, know a lot about these kinds of things, and they have both given you some excellent advise, which can really help you find a solution to your problem.

BTW, I think the HijackThis log has to be submitted to the HijackThis people for evaluation and then they'll give you some advise as well.

[SpiritWind]

Hi :



The following on your computer ( "O3 - Toolbar: rafbsvnx - {AB7B6869-83A5-4F36-8517-1A55496017EF} - C:WINDOWSrafbsvnx.dll " )

indicates you have a very bad piece of "Malware" ( worse than a "virus" ) and is the newest

"Species" of the "Zlob family of Trojans" . Just recently someone with the same thing

received Help by the highly trained, certified, Volunteer "Malware-Fighters" on the Forums

at aumha.net . I highly recommend you go there and ask for their Help .

P.S. IF at all possible, Post a HijackThis Log run in "Normal" Mode ONLY .

[alchav21]

Jase, once you pick up a Virus all you can do is try to get rid of it, and then put your computer back to the way it was before the Virus. AVG is a good Anti-Virus, but the Free Version is limited. It still works as long as it is updated properly. You run some Full Scans till you come up clean, then read up on the Virus to clean up it's mess. If you can't get your computer back to normal, then the next step is to Back your Data and Format and reload Windows.

[Knifeblade]

like said above, but do these first~~~~~~~ do some quick housecleaning, meaning defragment, and error-check. That won't give you clean slate, per se, but it will help your system process the suggestions from our other Community members. You may need to goto SAFEmode for this.

Then, I fully agree, Avast anti-virus and Super-antispyware runs, run them deep {thorough}, not quick. This will take some time. Let the time happen. You can find the d/l's from the d/l section of the homepage with a quick search. You may also want to goto TaskManager, look through all your tabs and the following info. the tabs give. You may need to do this in SAFE mode, as suggested, so you can access sans the warnings and blanking out.

Look for unusual exe.s, especially if you can identify them from any of your warning windows. Do an end process or end process tree on them. End process tree works best. It sounds more like a really bad malware infection than a virus.

Why? because you grabbed a file. Possible virus, from your warnings, but I think malware, which Super anti-spyware does a really good job on. I had a similar experience, the above are steps I took, and sigh, no easy way, but it is workable.

[GoneFishing]

Download he free version of NOD32 from eset and run it, if you have any secondary issues like Icons, use the system restore , NOD32 is probably the best there is