massive invasion!

altvic

New Member
Hello,
I just reinstalled XP but somehow got infected with all sorts of stuff when adding new programmes. I can only operate in safe mode, but did manage to get the log below when in full mode. ComboFix will not work in any mode, and the HJT installer and ComboFix disappeared when in safe mode.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:48: VIRUS ALERT!, on 24/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\System32\VIE49E.exe
C:\Windows\System32\VIE49F.exe
C:\Windows\System32\VIE4A0.exe
C:\Windows\System32\VIE4A1.exe
C:\Documents and Settings\Dad\Desktop\tjt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: run="C:\Documents and Settings\Dad\Application Data\Adobe\Manager.exe"
O2 - BHO: (no name) - {0AEF3541-F002-4FB9-B626-F1A8B418A552} - C:\WINDOWS\system32\sbeio32.dll
O2 - BHO: {9ea4f4a1-8c7a-0329-48b4-181e82bc6542} - {2456cb28-e181-4b84-9230-a7c81a4f4ae9} - C:\WINDOWS\system32\pohzvo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {74CE56FF-3469-47C0-93E1-D0CB8B203EA9} - C:\WINDOWS\system32\ljJYOIyv.dll
O2 - BHO: (no name) - {9597547E-A632-4298-ADCC-A3C47AB1BEB2} - C:\WINDOWS\system32\yayXnoLb.dll (file missing)
O2 - BHO: (no name) - {99972D1B-964E-49EC-92F4-1EB39F4810A5} - (no file)
O3 - Toolbar: qalkfxor - {18C388BB-5014-4906-AE38-E62BA5AA7387} - C:\WINDOWS\qalkfxor.dll (file missing)
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [\VIE49E.exe] C:\Windows\System32\VIE49E.exe
O4 - HKLM\..\Run: [\VIE49F.exe] C:\Windows\System32\VIE49F.exe
O4 - HKLM\..\Run: [\VIE4A0.exe] C:\Windows\System32\VIE4A0.exe
O4 - HKLM\..\Run: [\VIE4A1.exe] C:\Windows\System32\VIE4A1.exe
O4 - HKLM\..\Run: [\SUE4A3.exe] C:\Windows\SUE4A3.exe
O4 - HKLM\..\Run: [\VIE3A.exe] C:\Windows\System32\VIE3A.exe
O4 - HKLM\..\Run: [\VIE3B.exe] C:\Windows\System32\VIE3B.exe
O4 - HKLM\..\Run: [\VIE3C.exe] C:\Windows\System32\VIE3C.exe
O4 - HKLM\..\Run: [\VIE3D.exe] C:\Windows\System32\VIE3D.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [\VIE49E.exe] C:\Windows\System32\VIE49E.exe
O4 - HKCU\..\Run: [\VIE49F.exe] C:\Windows\System32\VIE49F.exe
O4 - HKCU\..\Run: [\VIE4A0.exe] C:\Windows\System32\VIE4A0.exe
O4 - HKCU\..\Run: [\VIE4A1.exe] C:\Windows\System32\VIE4A1.exe
O4 - HKCU\..\Run: [\SUE4A3.exe] C:\Windows\SUE4A3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [\VIE3A.exe] C:\Windows\System32\VIE3A.exe
O4 - HKCU\..\Run: [\VIE3B.exe] C:\Windows\System32\VIE3B.exe
O4 - HKCU\..\Run: [\VIE3C.exe] C:\Windows\System32\VIE3C.exe
O4 - HKCU\..\Run: [\VIE3D.exe] C:\Windows\System32\VIE3D.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1219597694671
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: pohzvo.dll
O20 - Winlogon Notify: cbXRLCsr - C:\WINDOWS\
O20 - Winlogon Notify: ljJYOIyv - C:\WINDOWS\SYSTEM32\ljJYOIyv.dll
O21 - SSODL: pdoskegl - {59C4F70C-DA03-4EDB-9609-1A2E66DB586C} - C:\WINDOWS\pdoskegl.dll (file missing)
O21 - SSODL: rqbmvpso - {8EA89FD2-E019-40D5-B6CC-C31669823B20} - C:\WINDOWS\rqbmvpso.dll (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 6738 bytes
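As an added triage helper (not from this thread and not part of HijackThis), the script below parses a constructed sample of lines copied from the log above and flags the entry patterns that the replies single out for a closer look: orphaned "(file missing)" / "(no file)" references, unnamed BHOs, Run values whose name begins with a backslash, a populated AppInit_DLLs value, and Winlogon Notify hooks that do not name a DLL. The heuristics are mine, not HijackThis's own classification.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: (no name) - {0AEF3541-F002-4FB9-B626-F1A8B418A552} - C:\\WINDOWS\\system32\\sbeio32.dll",
    "O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll",
    "O3 - Toolbar: qalkfxor - {18C388BB-5014-4906-AE38-E62BA5AA7387} - C:\\WINDOWS\\qalkfxor.dll (file missing)",
    "O4 - HKLM\\..\\Run: [egui] \"C:\\Program Files\\ESET\\ESET Smart Security\\egui.exe\" /hide /waitservice",
    "O4 - HKLM\\..\\Run: [\\VIE49E.exe] C:\\Windows\\System32\\VIE49E.exe",
    "O20 - AppInit_DLLs: pohzvo.dll",
    "O20 - Winlogon Notify: cbXRLCsr - C:\\WINDOWS\\",
    "O23 - Service: Eset Service (ekrn) - ESET - C:\\Program Files\\ESET\\ESET Smart Security\\ekrn.exe",
])

# Every HijackThis finding has the form "<section> - <body>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")

def parse_entries(text):
    """Split a log into (section, body) pairs, skipping headers and the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def triage(text):
    """Return (section, reason, line) for entries worth a closer look.

    Heuristics only: a hit means 'verify this', not 'this is malware'.
    """
    findings = []
    for section, body in parse_entries(text):
        line = f"{section} - {body}"
        if "(file missing)" in body or "(no file)" in body:
            reason = "orphaned reference: the registered file no longer exists"
        elif section == "O2" and body.startswith("BHO: (no name)"):
            reason = "unnamed BHO: identify the DLL's publisher before trusting it"
        elif section == "O4" and re.search(r"\[\\", body):
            reason = "Run value name starts with a backslash, unusual for legitimate installers"
        elif section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reason = "AppInit_DLLs set: the DLL is loaded into every process that loads user32.dll"
        elif section == "O20" and body.startswith("Winlogon Notify:") and not body.lower().endswith(".dll"):
            reason = "Winlogon Notify entry without a DLL file name"
        else:
            continue
        findings.append((section, reason, line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run it against a full saved log (`triage(open("hijackthis.log").read())`) to get a short list of entries to verify before deciding what, if anything, to fix.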
 
1. Uninstall ESET NOD32.

2. Tools / Folder Options / View / Show hidden files and folders / Apply / OK.

3. Restart, hold F8, select Safe Mode.

Shift+Delete:

C:\Windows\System32\VIE49E.exe
C:\Windows\System32\VIE49F.exe
C:\Windows\System32\VIE4A0.exe
C:\Windows\System32\VIE4A1.exe


4. Start HJT.

You may fix these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {0AEF3541-F002-4FB9-B626-F1A8B418A552} - C:\WINDOWS\system32\sbeio32.dll
O2 - BHO: {9ea4f4a1-8c7a-0329-48b4-181e82bc6542} - {2456cb28-e181-4b84-9230-a7c81a4f4ae9} - C:\WINDOWS\system32\pohzvo.dll
O2 - BHO: (no name) - {74CE56FF-3469-47C0-93E1-D0CB8B203EA9} - C:\WINDOWS\system32\ljJYOIyv.dll
O2 - BHO: (no name) - {9597547E-A632-4298-ADCC-A3C47AB1BEB2} - C:\WINDOWS\system32\yayXnoLb.dll (file missing)
O2 - BHO: (no name) - {99972D1B-964E-49EC-92F4-1EB39F4810A5} - (no file)
O3 - Toolbar: qalkfxor - {18C388BB-5014-4906-AE38-E62BA5AA7387} - C:\WINDOWS\qalkfxor.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: pohzvo.dll
O20 - Winlogon Notify: cbXRLCsr - C:\WINDOWS\
O20 - Winlogon Notify: ljJYOIyv - C:\WINDOWS\SYSTEM32\ljJYOIyv.dll


5.
Download and run KIS
Kaspersky trial
http://www.kaspersky.com/trials

then download and run Spybot
http://fileforum.betanews.com/detail/1043809773/1

then post a new HijackThis log
 
Warning: don't follow any of the instructions above! They may not need to be fixed, and NOD32 is good!

Do the following!!!

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page, in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 
Sorry for the bother, Cohen, but the infection was so bad I couldn't even do as you instructed, so I am now in the process of reformatting the partition.

The issues all started when I installed Puppy Linux; when I went onto Windows, Disk Check said there were some issues with the hard drives and checked them. Windows spent hours deleting files, and finally, when the computer booted, there were no programmes visible and the virus checker (NOD32) didn't work. What a mess. I then went for AVG but must have got hit during this time.

Question: I am thinking of the Comodo firewall and virus suite. Are there any issues with these?
Many thanks
 
No problems,

To keep your computer clean I recommend the following:
  • CCleaner
  • AVG 8.0
  • Zonealarm Firewall

I use these, and I get the odd virus, but not a bad one, and it can be fixed by ComboFix most of the time.

Cheers,

Cohen
 