alrite me old muckers

Postby silent » 07 May 2008, 21:58

Could one of you have a look at a 'HijackThis' log for a mate of mine?

Cheers

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:30:47, on 07/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\Firewall.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mesws nt\patrvsvc.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mesws nt\patrvsvc.exe
C:\WINDOWS\system32\dwwin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O1 - Hosts: 195.13.63.187 irc.westwood.com
O1 - Hosts: 195.13.63.187 servserv.westwood.com
O3 - Toolbar: mkrndofl - {9BBD1381-809E-4207-B9CC-949B471878AD} - C:\WINDOWS\mkrndofl.dll (file missing)
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Firewall.exe] C:\WINDOWS\system32\Firewall.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [78ebeab1] rundll32.exe "C:\WINDOWS\system32\hlrcwhnu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Fac ... oader5.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8129431703
O16 - DPF: {73B51289-6DB3-4E3D-A873-9F3C0652D380} (Sharkserv140.UpdateEngine) - http://www.sharkserv.com/media/sharkserv140.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Fac ... der4_5.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O21 - SSODL: tdomgafw - {32CD0CCF-A53E-4161-9525-AFB38CFB81BE} - C:\WINDOWS\tdomgafw.dll
O21 - SSODL: wetkadmr - {201DE8E7-8EEC-4AD2-91F2-CE8D7846BAD7} - C:\WINDOWS\wetkadmr.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 8028 bytes
silent | Newbie | Posts: 51 | Joined: 08 Jul 2006, 12:59 | Location: leeds
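A small triage script for a log like the one above, added here as an example (it is not HijackThis output and not something anyone in the thread posted). It encodes the patterns that make entries worth a second look: a DLL with an eight-letter lowercase name sitting directly in C:\WINDOWS rather than in a vendor folder, a Run value named with eight hex digits that loads such a DLL through rundll32, entries whose file is already missing (dead references that should be removed regardless), and hosts-file lines that point a hostname at something other than loopback (possibly set up deliberately by the owner, but worth confirming). The embedded sample is a subset of the log lines posted above; the tags, regexes and priority grouping are the example's own assumptions, and a hit is a prompt to look, not a malware verdict.

```python
"""Heuristic triage of a HijackThis 2.0.2 log.

Added example: not part of HijackThis or of the original post. The tags
below are this example's assumptions about which entries deserve manual
review; a hit means "look at this", not "this is malware".
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the log lines posted in the thread, kept
# verbatim so flagged and unflagged entries can be compared side by side.
SAMPLE_LOG = r"""
O1 - Hosts: 195.13.63.187 irc.westwood.com
O1 - Hosts: 195.13.63.187 servserv.westwood.com
O3 - Toolbar: mkrndofl - {9BBD1381-809E-4207-B9CC-949B471878AD} - C:\WINDOWS\mkrndofl.dll (file missing)
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [78ebeab1] rundll32.exe "C:\WINDOWS\system32\hlrcwhnu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O21 - SSODL: tdomgafw - {32CD0CCF-A53E-4161-9525-AFB38CFB81BE} - C:\WINDOWS\tdomgafw.dll
O21 - SSODL: wetkadmr - {201DE8E7-8EEC-4AD2-91F2-CE8D7846BAD7} - C:\WINDOWS\wetkadmr.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Heuristic tags (assumed names, chosen for this example).
FILE_MISSING = 'file-missing'
HOSTS_NON_LOOPBACK = 'hosts-non-loopback'
RANDOM_DLL_WINROOT = 'random-dll-winroot'
HEX_RUN_KEY = 'hex-run-key'
RUNDLL32_RANDOM_DLL = 'rundll32-random-dll'
HIGH_PRIORITY = {RANDOM_DLL_WINROOT, HEX_RUN_KEY, RUNDLL32_RANDOM_DLL}

ENTRY = re.compile(r'^(?P<code>[RO]\d+) - (?P<body>.*)$')
HOSTS = re.compile(r'^Hosts:\s+(\S+)\s+(\S+)')
LOOPBACK = ('127.', '0.0.0.0', '::1')
# Eight lowercase letters plus .dll, directly in the Windows root (no subfolder).
WINROOT_RANDOM_DLL = re.compile(r'C:\\WINDOWS\\([a-z]{8})\.dll')
# Run value named with exactly eight hex digits, e.g. [78ebeab1].
HEX_RUN_NAME = re.compile(r'\[([0-9a-f]{8})\]', re.I)
# rundll32 loading an eight-letter lowercase DLL from the Windows root or system32.
RUNDLL32_RANDOM = re.compile(
    r'rundll32(?:\.exe)?\s+"?C:\\WINDOWS\\(?:system32\\)?([a-z]{8})\.dll')


@dataclass(frozen=True)
class Finding:
    code: str       # HijackThis section, e.g. "O4"
    body: str       # entry text after "O4 - "
    reasons: tuple  # heuristic tags that fired, in check order


def triage(log: str) -> list:
    """Return one Finding per log entry that trips at least one heuristic."""
    findings = []
    for raw in log.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines
        code, body = m.group('code'), m.group('body')
        reasons = []
        if body.endswith('(file missing)'):
            reasons.append(FILE_MISSING)
        if code == 'O1':
            h = HOSTS.match(body)
            if h and not h.group(1).startswith(LOOPBACK):
                reasons.append(HOSTS_NON_LOOPBACK)
        if code in ('O2', 'O3', 'O20', 'O21') and WINROOT_RANDOM_DLL.search(body):
            reasons.append(RANDOM_DLL_WINROOT)
        if code == 'O4':
            if HEX_RUN_NAME.search(body):
                reasons.append(HEX_RUN_KEY)
            if RUNDLL32_RANDOM.search(body):
                reasons.append(RUNDLL32_RANDOM_DLL)
        if reasons:
            findings.append(Finding(code, body, tuple(reasons)))
    return findings


def summarize(findings: list) -> dict:
    """Count how often each tag fired across the findings."""
    counts = Counter()
    for f in findings:
        counts.update(f.reasons)
    return dict(counts)


def high_priority(findings: list) -> list:
    """Entries that look like dropped components, not just stale references."""
    return [f for f in findings if HIGH_PRIORITY & set(f.reasons)]


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f'{f.code:4} {", ".join(f.reasons):40} {f.body}')
    print('tag counts:', summarize(found))
    print('high priority:', len(high_priority(found)))
```

Run it against the full log rather than the excerpt and the R0/R1, O9, O16 and O23 lines pass through unflagged, which is the point: the script narrows a long log to the handful of entries a human should spend time on, and the hosts lines end up as a question for the owner rather than a deletion.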

Re: alrite me old muckers

Postby [SCUM] McPhil » 07 May 2008, 22:56

At first glance, STOPzilla.exe is not a critical component but loves munching on resources. Delete that and remove the program. Have your mate install Firefox 2.x and configure the popup blocker in that.

Let me study the post some more and I'll follow up.
[SCUM] McPhil | Super Admin | Posts: 2190 | Joined: 06 Jul 2006, 18:33

Re: alrite me old muckers

Postby silent » 08 May 2008, 01:21

Cheers pal, there's more info to follow. He has a virus of some description; let me get details.
silent | Newbie | Posts: 51 | Joined: 08 Jul 2006, 12:59 | Location: leeds

Re: alrite me old muckers

Postby [SCUM] McPhil » 08 May 2008, 01:52

A few baddies in here m8. If your buddy doesn't want to do a fresh wipe and reload, do this:

1. Open Internet Explorer 7
2. Go to the BitDefender Free Online Virus Scanner at http://www.bitdefender.com/scan8

Run the scanner. Let it run to 100%. If all the virus definitions don't load, go ahead and scan anyway, as it'll find a handful of baddies; then reboot the system and run it again.

Once you do that, feel free to post the virus scanner results back here so we can compare the HijackThis log with the BitDefender scan results and see if he needs further cleaning. If necessary, I can remote into his computer and manually clean it if he's got a virus in the prefetch or restore log.

Good luck!
[SCUM] McPhil | Super Admin | Posts: 2190 | Joined: 06 Jul 2006, 18:33

Re: alrite me old muckers

Postby silent » 08 May 2008, 12:15

He can't open IE and it will not work in FF.

this is his process screen

[attachment: capture_08052008_120315.jpg]


Have googled patrvsvc.exe but absolutely nothing found.

The scans he has managed to do have found:
Privacy Danger
Desktop Hijacker
Context Plus
Vundo
HighConvert
WinSecureAV
silent | Newbie | Posts: 51 | Joined: 08 Jul 2006, 12:59 | Location: leeds

Re: alrite me old muckers

Postby [SCUM] Speedy » 08 May 2008, 12:23

Eek. If I was him, quick backup and nuke the HDD :(
[SCUM] Speedy | Forum God | Posts: 846 | Joined: 06 Jul 2006, 15:27

Re: alrite me old muckers

Postby [SCUM] McPhil » 08 May 2008, 14:18

The best thing to do, m8, since you don't have a sys eng around: go into the BIOS, set the optical drive as the primary boot device, put in the Windows XP boot CD, and blast the hard drive.

ALTERNATIVELY - pull the hard drive from the infected computer. Attach the drive as a slave (EIDE), to a SATA port, or put it in an external USB enclosure. Boot the uninfected computer that the infected drive is attached to. Make sure the infected drive is now mounted. Open the BitDefender online scanner on the uninfected computer and scan the infected hard drive only. This will clean it up enough that you can then put it back in the native computer and do a scan there.

Otherwise, you need to back up the data and blast it.
[SCUM] McPhil | Super Admin | Posts: 2190 | Joined: 06 Jul 2006, 18:33

Re: alrite me old muckers

Postby silent » 08 May 2008, 20:17

We are talking about 100 GB that needs to be backed up. If he were to connect an external HDD and back up that way, then reformat, when he comes to bring the files back from the external HDD will antivirus flag it up, or will the virus not copy itself over to the external HDD?

Sorry if I make little sense lol
silent | Newbie | Posts: 51 | Joined: 08 Jul 2006, 12:59 | Location: leeds
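The question above (whether files carried across on an external drive can bring the infection back) is not answered in the thread. The families named earlier in it are autostart trojans and rogue "security" tools rather than file infectors, so photos and documents do not typically carry them; what reintroduces them is copying back an executable, script, shortcut or autorun.inf that the malware dropped among the user's files. As an added example, not from the thread, here is a script that sorts a backup tree into files to restore straight away, files to scan before restoring, and files to hold back. The directory layout it builds is constructed for the demo, and the extension lists are the example's own assumptions, not a complete list.

```python
"""Sort a user-data backup into restore / review / hold before reloading it.

Added example: not from the thread. Assumption: after the wipe, documents,
photos and media should come back and anything that can execute or auto-run
should not, because that is how a freshly wiped machine gets re-infected from
its own backup. Extension rules are a coarse filter, not a scan; the restored
set still wants an up-to-date AV pass.
"""
import tempfile
from pathlib import Path

# Types that run, or launch something, when opened: hold back (assumed list).
HOLD_EXT = {'.exe', '.dll', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs',
            '.vbe', '.js', '.jse', '.wsf', '.hta', '.cpl', '.sys', '.lnk', '.msi'}
# Data formats that can carry active content (macros, scripts, archives): scan first.
REVIEW_EXT = {'.doc', '.xls', '.ppt', '.docm', '.xlsm', '.pdf', '.chm', '.zip', '.rar'}
# Files Windows acts on by name: autorun.inf on a removable drive can launch a binary.
HOLD_NAMES = {'autorun.inf'}


def classify(path) -> str:
    """Return 'hold', 'review' or 'restore' for one file path (str or Path)."""
    path = Path(path)
    if path.name.lower() in HOLD_NAMES or path.suffix.lower() in HOLD_EXT:
        return 'hold'
    # 'invoice.pdf.exe' is caught above by its final suffix; an executable
    # suffix buried earlier ('setup.exe.bak') is odd enough to look at.
    if any(s.lower() in HOLD_EXT for s in path.suffixes[:-1]):
        return 'review'
    if path.suffix.lower() in REVIEW_EXT:
        return 'review'
    return 'restore'


def plan_restore(root) -> dict:
    """Walk a backup tree and bucket every file; paths are relative, POSIX-style."""
    root = Path(root)
    plan = {'restore': [], 'review': [], 'hold': []}
    for p in root.rglob('*'):
        if p.is_file():
            plan[classify(p)].append(p.relative_to(root).as_posix())
    for bucket in plan.values():
        bucket.sort()
    return plan


# Constructed stand-in for a user's backup; the names are illustrative only.
SAMPLE_FILES = [
    'Documents/letter.doc', 'Documents/report.pdf', 'Pictures/holiday.jpg',
    'Pictures/holiday.jpg.exe', 'Music/track.mp3', 'Downloads/setup.exe',
    'Downloads/notes.txt', 'autorun.inf',
]


def demo() -> dict:
    """Build the constructed backup in a temp dir and return its restore plan."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in SAMPLE_FILES:
            f = Path(tmp, rel)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b'placeholder')
        return plan_restore(tmp)


if __name__ == '__main__':
    for bucket, files in demo().items():
        print(f'{bucket}:')
        for name in files:
            print('   ', name)
```

Point it at the real external drive with plan_restore('E:/backup') (or wherever the drive mounts) and copy only the 'restore' bucket first; anything in 'hold' that the owner genuinely needs should be reinstalled from its original source rather than restored from the backup.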

Re: alrite me old muckers

Postby [SCUM] McPhil » 08 May 2008, 20:21

Can you put the infected drive in an External drive housing?
[SCUM] McPhil | Super Admin | Posts: 2190 | Joined: 06 Jul 2006, 18:33

Re: alrite me old muckers

Postby silent » 09 May 2008, 00:18

I mean, if the files that need to be backed up are backed up on an external HDD that he can get hold of, and then the 'infected' HDD is just wiped, then all the backed-up files are put back on the original 'infected' HDD.
silent | Newbie | Posts: 51 | Joined: 08 Jul 2006, 12:59 | Location: leeds

Re: alrite me old muckers

Postby [SCUM] McPhil » 09 May 2008, 21:00

If you have access to an external drive (the housing...) then wiping the drive may not be necessary.

Remove the drive from the external drive housing. Install the infected drive inside the external drive housing. Boot your computer. Attach the USB cable from the external drive to a USB port on your computer. Run the virus scanner installed on your computer. Remove the viruses found. Then run the BitDefender online scanner on the drive (not your computer, just the infected drive). Once the scanning is done, move the once-infected drive from the external drive housing back into the original computer and boot up the computer. Try again to load Internet Explorer and run the online BitDefender scanner.

This would take the most time but then you wouldn't have to mess with backing up data or reinstalling your OS.
[SCUM] McPhil | Super Admin | Posts: 2190 | Joined: 06 Jul 2006, 18:33

Re: alrite me old muckers

Postby silent » 10 May 2008, 12:15

He tried to run Norton just to see if it would help; the PC crashed, he restarted it, and now he cannot even get to the desktop or anything, just a black screen.

He is just going to blast the HDD. Pity about losing a lot of files, but shit happens.

I'll put your idea to him, Philly. Cheers for all your help, mucho appreciated :)
silent | Newbie | Posts: 51 | Joined: 08 Jul 2006, 12:59 | Location: leeds

Re: alrite me old muckers

Postby [SCUM] McPhil » 10 May 2008, 14:52

He can send it to me and I can recover the data and clean up the drive. Just an option. 50% discount on the service :P ::)
[SCUM] McPhil | Super Admin | Posts: 2190 | Joined: 06 Jul 2006, 18:33

Re: alrite me old muckers

Postby silent » 11 May 2008, 11:55

Will put it to him, cheers pal.

What would the turnaround time be?
silent | Newbie | Posts: 51 | Joined: 08 Jul 2006, 12:59 | Location: leeds

Re: alrite me old muckers

Postby [SCUM] McPhil » 11 May 2008, 16:34

About 3 to 5 days depending on the level of damage.
[SCUM] McPhil | Super Admin | Posts: 2190 | Joined: 06 Jul 2006, 18:33
