I've got a NASTY virus

Da Pirates · February 24, 2010

[hide= HiJackThis Log Is Here]Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 3:37:25 PM, on 2/24/2010

Platform: Unknown Windows (WinNT 6.01.3504)

MSIE: Internet Explorer v8.00 (8.00.7600.16385)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskhost[Caution: Executable File]

C:\Windows\system32\taskeng[Caution: Executable File]

C:\Windows\system32\Dwm[Caution: Executable File]

C:\Windows\msa[Caution: Executable File]

C:\Windows\Explorer[Caution: Executable File]

C:\Users\MOMAND~1\AppData\Local\Temp\Fvl[Caution: Executable File]

C:\Windows\System32\rundll32[Caution: Executable File]

C:\Program Files\Synaptics\SynTP\SynTPEnh[Caution: Executable File]

C:\Program Files\HP\HP Software Update\hpwuSchd2[Caution: Executable File]

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain[Caution: Executable File]

C:\Program Files\Synaptics\SynTP\SynTPHelper[Caution: Executable File]

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL[Caution: Executable File]

C:\Program Files\HP\QuickPlay\QPService[Caution: Executable File]

C:\Program Files\Alwil Software\Avast4\ashDisp[Caution: Executable File]

C:\Program Files\Java\jre6\bin\jusched[Caution: Executable File]

C:\Program Files\iTunes\iTunesHelper[Caution: Executable File]

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel[Caution: Executable File]

C:\Program Files\Steam\Steam[Caution: Executable File]

C:\Users\MOMAND~1\AppData\Local\Temp\mvNat[Caution: Executable File]

C:\Program Files\Hewlett-Packard\Shared\HpqToaster[Caution: Executable File]

C:\Windows\system32\ctfmon[Caution: Executable File]

C:\Program Files\Mozilla Firefox\firefox[Caution: Executable File]

C:\Program Files\TrendMicro\HiJackThis\HiJackThis[Caution: Executable File]

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32[Caution: Executable File] C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32[Caution: Executable File] C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh[Caution: Executable File]

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager[Caution: Executable File]" -launchedbylogin

O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler[Caution: Executable File]

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2[Caution: Executable File]

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain[Caution: Executable File]

O4 - HKLM\..\Run: [QlbCtrl[Caution: Executable File]] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl[Caution: Executable File] /Start

O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService[Caution: Executable File]"

O4 - HKLM\..\Run: [updateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu[Caution: Executable File]" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"

O4 - HKLM\..\Run: [updateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu[Caution: Executable File]" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"

O4 - HKLM\..\Run: [updatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu[Caution: Executable File]" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp[Caution: Executable File]

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched[Caution: Executable File]"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl[Caution: Executable File]"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM[Caution: Executable File]"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask[Caution: Executable File]" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper[Caution: Executable File]"

O4 - HKCU\..\Run: [Google Update] "C:\Users\Mom And Jeff\AppData\Local\Google\Update\GoogleUpdate[Caution: Executable File]" /c

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel[Caution: Executable File] -hidden

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr[Caution: Executable File]" /background

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam[Caution: Executable File]" -silent

O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\Users\MOMAND~1\AppData\Local\Temp\Fvl[Caution: Executable File]

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar[Caution: Executable File] /autoRun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin[Caution: Executable File] (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar[Caution: Executable File] /autoRun (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin[Caution: Executable File] (User 'NETWORK SERVICE')

O4 - Startup: 8011.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL[Caution: Executable File]/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O13 - Gopher Prefix:

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/da2/PCPitStop2.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService[Caution: Executable File]

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv[Caution: Executable File]

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ[Caution: Executable File]

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv[Caution: Executable File]

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv[Caution: Executable File]

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder[Caution: Executable File]

O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx[Caution: Executable File]

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService[Caution: Executable File]

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService[Caution: Executable File]

O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service[Caution: Executable File]

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex[Caution: Executable File]

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT[Caution: Executable File]

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService[Caution: Executable File]

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc[Caution: Executable File]

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc[Caution: Executable File]

O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService[Caution: Executable File]

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo[Caution: Executable File]

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService[Caution: Executable File]

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService[Caution: Executable File]

O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio[Caution: Executable File]

--

End of file - 9206 bytes[/hide]

I'm using Avast antivirus and it's going crazy every 10 mins popping up at random times. When I went to sleep last night, I left my computer running. Came back in the morning and there were 7 IE windows open with pop up ads and avast had like 5 instances open. Can someone tell me what caused this virus and how to get rid of permanently? Avast keeps detecting it and I delete it but it just keeps coming back.

Mil · February 24, 2010

http://www.hijackthis.de/ says that the problem is due to C:\Windows\msa[Caution: Executable File]. A quick Google says that this is malware. How to remove.

kapeg90 · February 25, 2010

Try to download some freeware Adware programs from Download.com

Try Adware or SUPERAntiSpyware :)

Will H · February 26, 2010

Try to download some freeware Adware programs from Download.com

Try Adware or SUPERAntiSpyware :)

Better, just get Microsoft Security Essentials and forget about it.

Sign In

I've got a NASTY virus

Recommended Posts

Da Pirates

Link to comment

Share on other sites

Mil

Link to comment

Share on other sites

kapeg90

Link to comment

Share on other sites

Will H

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Browse

Activity

Important Information