#1
Member (5 bit)
Join Date: Jan 2004
Location: San Clemente, CA.
Posts: 22

Hello All!
A friend's Compaq Presario 5000 is very slow, with popups and a strange icon on the desktop that won't go away. So I ran a trial version of "Bit defender" and it identified 9 viruses. It only moved the viruses; it did not remove them. What should I do next? Any advice much appreciated!
Jim

#2
Staff
Premium Member
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,105

If you can get the machine onto the internet, go here and run HouseCall:
http://housecall.trendmicro.com
Tell it to repair/heal automatically. After that, go to http://free.grisoft.com/freeweb.php and download and install the AVG7 free version.
__________________
Niwa no niwa ni wa, niwa no niwatori wa niwaka ni wani o tabeta.

#4
Member (5 bit)
Join Date: Jan 2004
Location: San Clemente, CA.
Posts: 22

Thanx for the links.
I tried to go to the 1st site, but there are too many popups and the activity in Task Manager is insane! Constantly 100% activity!! Any more advice much appreciated.

#5
Member (10 bit)
Join Date: Mar 2004
Location: California
Posts: 936

If you don't already have it, download, install and run AdAware SE Personal.

- Next, check for and download any available updates:
1. Click "Check for updates now".
2. Click "Connect".
3. If updates (definitions) are available click "Ok", otherwise, click "Ok".
4. Click "Finish".

- Next, configure AdAware to be as effective as possible:
1. Click the 'gear' in the upper right-hand corner of the AdAware window.
2. Click Scanning, and check (tick) the following:
   Scan within archives
   Scan active processes
   Scan registry
   Deep-scan registry
   Scan my IE Favorites for banned URLs
   Scan my Hosts file
3. Click "Tweak".
4. Click "Scanning Engine", then check (tick) the following:
   Unload recognized processes & modules during scan
5. Click "Cleaning Engine", then check (tick) the following:
   Always try to unload modules before deletion
   During removal, unload Explorer and IE if necessary
   Let Windows remove files in use at next reboot
   Delete quarantined objects after restoring
6. Then click "Proceed".

- Now, let AdAware locate and remove anything it finds:
1. Click "Start".
2. Check (tick) "perform full system scan".
3. Click "Next".

- Exit the program. Reboot.

Next, create a folder for HijackThis in the root folder of your hard drive so it can make proper backups, for example C:/HJT/ or C:/hijackthis/.
Next, click here to download HijackThis 1.99.1. Save it to the folder you have just created.
Close all open windows and open HijackThis. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.
DO NOT FIX ANYTHING YET; most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise. We can see a little better what's going on with your computer.
Lobos

#6
Staff
Premium Member
Join Date: Sep 2004
Location: Cardiff, Wales. UK
Posts: 6,105

Being a Compaq 5000 I guess it's running 98SE or ME. Can you get it into safe mode?

#7
Member (5 bit)
Join Date: Jan 2004
Location: San Clemente, CA.
Posts: 22

It's a newer 5000, so XP is the OS.
I'm gonna try Lobos's advice, but doing anything is tough, the computer stalls A LOT!!

#8
Lest we forget
Join Date: Jun 2003
Location: Ontario, Canada
Posts: 1,870

Reboot in safe mode with networking (hold F8 on boot) and try to go to the HouseCall site again. Were you able to get AVG7 yet?

#9
Member (10 bit)

Since you have XP, try this for removing the malware that's causing your 100% CPU usage:
Click Start > Run, then type msconfig, and on the Services tab check the box by "Hide all MS services", then click "Disable all" and "Apply"! After that it will ask you to restart; do it, and when the comp starts again run Ad-Aware or MS Windows AntiSpyware (recommended)!!!
You can do this as well: double-click My comp, choose Tools from the toolbar, choose Folder Options, then View, then "Show hidden files and folders". Then click Local Disk C: > doc&settings > your name > local settings, and in both the Application Data folder and the Temp folder check for any unusual names and delete them if you find any!!! (This was one more way to get rid of stupid malware)!!! Any questions, just ask!!!!

#10
Member (5 bit)
Join Date: Jan 2004
Location: San Clemente, CA.
Posts: 22

Wow!! Macko & Lobos!! Youse guyz have great ideas!
I went with ghost 2003's safeboot w/ network route and ran housecall/trendmicro. HouseCall detected 23 trojan viruses marked "noncleanable". So I downloaded AVG7 and right now it's having a little trouble installing. (I couldn't install AVG7 in safe mode.) So I'm back in normal (painfully slow) mode. How can I get rid of those 23 trojan viruses? Thanx all for the kool advice - I'm hangin witcha!!

#11
Member (10 bit)

Read my previous post carefully, and when you stop all processes you can run both antispyware and antivirus scanners!!!

#12
Member (5 bit)
Join Date: Jan 2004
Location: San Clemente, CA.
Posts: 22

Alrite Macko!!

#13
Member (5 bit)
Join Date: Jan 2004
Location: San Clemente, CA.
Posts: 22

OK Macko! Did the msconfig technique, downloaded & am running MS AntiSpyware software as we speak.
What virus cleaner do u recommend? And what next? Thanx for the help.

#14
Member (10 bit)

Use any updated virus cleaner that you may have and run it as I described!!!
You posted about downloading AVG7; try that one. I believe that you're gonna be able to install it now!!!

#15
Member (5 bit)
Join Date: Jan 2004
Location: San Clemente, CA.
Posts: 22

OK Lobos! Thanx for the advice. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:16:15 AM, on 4/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Smtray.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\1gqmerf5\1gqmerf5.exe
C:\WINDOWS\system32\apam.exe
c:\windows\system32\deshev.exe
C:\Program Files\1gqmerf5\1gqmerf5.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/re...c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Julie_2\Application Data\Mozilla\Profiles\default\tc1ai4pj.slt\prefs.js)
O2 - BHO: FlashEnhancer Extender - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - c:\Program Files\Flen\flen.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsl68.dll
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [1gqmerf5] C:\Program Files\1gqmerf5\1gqmerf5.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\apam.exe
O4 - HKLM\..\Run: [qivjpql] c:\windows\system32\deshev.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ywp7RVfne] scr20.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...S_ZNxdm973YYUS
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {DDDDF789-03D1-4F7B-8CC9-A11143EFE4C7} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0878B424-1F95-4E26-B5AB-F0D349D89650} - http://download.bargain-buddy.net/do...ARKETING11.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
O16 - DPF: {539DA0E0-74A7-11D9-9669-0800200C9A66} - http://www.ouchvideo.com/mmviewer_ic13.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#16
Member (10 bit)

C:\Program Files\1gqmerf5\1gqmerf5.exe
C:\Program Files\1gqmerf5\1gqmerf5.exe
O4 - HKLM\..\Run: [1gqmerf5] C:\Program Files\1gqmerf5\1gqmerf5.exe
C:\WINDOWS\system32\apam.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\apam.exe
O4 - HKLM\..\Run: [qivjpql] c:\windows\system32\deshev.exe
c:\windows\system32\deshev.exe
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O4 - HKCU\..\Run: [Ywp7RVfne] scr20.exe

I would say these are all malware, and I recommend that you wait for a few more posts before continuing with HijackThis!!!

Note: Looking at the log, I would say that you use more than one antispyware program. When you clean your system of the rest of the malware, try to use just one, or you can use more but find some that will not fight each other!!!
Last edited by macko72; 04-29-2005 at 04:49 AM.
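
Added example (not part of any post in this thread, and not HijackThis code): a small triage helper for a log like the one posted above. It splits the text back into entries whether it was pasted line by line or run together on one line, then lists every O4 registry autorun with whether its executable also appears under "Running processes". SAMPLE is an excerpt constructed from the posted log, and the entry-code pattern is an assumption based on the codes visible in it.

```python
import re

# Entry codes as in the log above (R1, N2, O4 ...); any R/F/N/O prefix is assumed valid.
ENTRY = re.compile(r"(?<!\S)([RFNO]\d{1,2}) - ")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
EXE = re.compile(r'"?(.+?\.exe)', re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def split_entries(log):
    """Cut the log into (code, text) pairs, even if it was pasted as one line."""
    marks = list(ENTRY.finditer(log))
    ends = [m.start() for m in marks[1:]] + [len(log)]
    return [(m.group(1), log[m.end():e].strip()) for m, e in zip(marks, ends)]

def running(log):
    """Basenames under 'Running processes:', i.e. everything before the first entry."""
    first = ENTRY.search(log)
    head = log[:first.start()] if first else log
    return {basename(p) for p in re.findall(r"[A-Za-z]:\\.+?\.exe", head, re.I)}

def autoruns(log):
    """(hive, value name, executable, running now?) for each O4 registry Run entry."""
    live, rows = running(log), []
    for code, text in split_entries(log):
        m = RUN.match(text) if code == "O4" else None
        exe = EXE.match(m.group(4)) if m else None
        if exe:
            name = basename(exe.group(1))
            rows.append((m.group(1), m.group(3), name, name in live))
    return rows

def no_file(log):
    """Entries the scanner itself marked '(no file)': the target is not on disk."""
    return [(c, t) for c, t in split_entries(log) if t.endswith("(no file)")]

SAMPLE = (  # constructed excerpt of the log posted above, run together on one line
    r"Running processes: C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\Smtray.exe "
    r"C:\Program Files\Microsoft Works\WksSb.exe C:\WINDOWS\system32\apam.exe "
    r"R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file) "
    r"O4 - HKLM\..\Run: [Smapp] Smtray.exe "
    r"O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers "
    r"O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\apam.exe "
    r"O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl "
    r"O4 - HKCU\..\Run: [Ywp7RVfne] scr20.exe"
)
if __name__ == "__main__":
    print(*autoruns(SAMPLE), *no_file(SAMPLE), sep="\n")
```

The result is a list to review, not a verdict: as post #5 says, most items that appear in a log are harmless or even needed.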

#17
Member (5 bit)
Join Date: Jan 2004
Location: San Clemente, CA.
Posts: 22

Alright! While I wait for more input on my "HijackThis" log, maybe I should uninstall Microsoft's AntiSpyware program and just keep Ad-Aware & Spybot. When I use Internet Explorer, I STILL GET POPUPS! Not as bad though, so I am using Firefox until I can make IE secure. The Task Manager is constantly at 44%. We're gettin there. Thanx!

#18
Member (10 bit)

If you're using the free version of Ad-Aware it's better to leave MS Windows AntiSpyware, and since no one else answered all day maybe you should proceed with HijackThis!!!

#19
Member (5 bit)
Join Date: Jan 2004
Location: San Clemente, CA.
Posts: 22

OK! Should I run HijackThis again and check (mark) all the boxes, then click "Fix checked"?

#20
Member (10 bit)

Yes, well, sorry for not responding, was working till late!!!
Did you manage to do it, or are you still having problems???