Hi guys its me I have caused my laptop to come down with a virus. Basically have got most of it but it still dumps me out while using windows it comes out with a blue screen and gives me a memory dump. Can some one help thanxs. I have got AVG Free and Zone Alarm on the laptop but still no good. What can i do to get rid of it besides formating it. Cause formating a laptop is harder than a desktop (in my opinion.) Any assistance would be greatly appreciated.
that could be heaps of stuff that can cause a memory dump. hmm, well in your situation i would run a scan of avast on the computer. its a lot better at finding trojans and viruses than avg. thats if your sure its a virus or trojan. the link below: http://www.download.com/Avast-Home-Edition/3000-2239_4-10375520.html
I am scanning the laptop with avast and so far its moved stuff to the vault. I am getting this error when i try to open IE7 it says that it can't find secure32.html I did delete it when scanning. I am wondering if i reinstall IE & or put IE6 back on will it put that file back on to my pc??
This is the hijack log. Logfile of HijackThis v1.99.1 Scan saved at 3:55:25 PM, on 29/12/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\WINDOWS\system32\DVDRAMSV.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe C:\Program Files\Apoint2K\Apoint.exe C:\Program Files\TOSHIBA\TouchPad\TPTray.exe C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe C:\WINDOWS\system32\TPSMain.exe C:\WINDOWS\system32\ZoomingHook.exe C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Toshiba\Tvs\TvsTray.exe C:\WINDOWS\system32\TPSBattM.exe C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\ltmoh\Ltmoh.exe C:\WINDOWS\system32\TCtrlIOHook.exe C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\WINDOWS\system32\RAMASST.exe C:\Hijack\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\pgoqwqkl.dll O2 - BHO: (no name) - {F0A666C0-97E6-4213-9372-731302E15C6B} - (no file) O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [TPSMain] TPSMain.exe O4 - HKLM\..\Run: [ZoomingHook] ZoomingHook.exe O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [LtMoh] C:\\Program Files\\ltmoh\\Ltmoh.exe O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe O4 - HKLM\..\Run: [TFncKy] TFncKy.exe O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143847820558 O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: vturs - C:\WINDOWS\ O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e (file missing) O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe can someone let me know what i have to do from this??
Hi borhan9, This is the reason you're infected "j2re1.4.2_05". You've still got Java version 4.0 when 6.0 is now available. SmitfraudFix will remove the secure32.html, but there are also more infections you need to remove also. Download [bold]SmitfraudFix.zip[/bold] to the desktop from here. Extract the files to the desktop. Do not run it yet, you will in safe mode. Go to Add/Remove Programs and uninstall: VSAdd-in Then, go to Start > Run > type services.msc > click OK. Find the following and double-click it. COM+ Messages Beside "Startup type" click the drop-down menu and select "Disabled". Close Services. Open HijackThis. Click "Open th misc tools section". Click "Delete an NT service". Copy/paste this into the area and click OK. O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e (file missing) You will be prompted to restart, click No. Click "Back" and then "Scan". Check these: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\pgoqwqkl.dll O2 - BHO: (no name) - {F0A666C0-97E6-4213-9372-731302E15C6B} - (no file) O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe O20 - Winlogon Notify: vturs - C:\WINDOWS\ O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll Close all windows except HijackThis, then click Fix checked. [bold]Note:[/bold] [bold]Print or copy these instructions to Notepad and save them. You will be in safe mode and can't access the internet.[/bold] * Reboot your computer in Safe Mode (upon boot press [bold]F8[/bold], select "[bold]Safe Mode[/bold]" from the menu and press [bold]Enter[/bold]) * Open the [bold]SmitfraudFix[/bold] folder. * Double-click [bold]smitfraudfix.cmd[/bold] * [bold]Select 2[/bold] and hit [bold]Enter[/bold] to delete infect files. * You will be prompted: Do you want to clean the registry ? answer [bold]Y (yes)[/bold] and hit Enter in order to remove the desktop background and clean registry keys associated with the infection. * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer [bold]Y (yes)[/bold] and hit [bold]Enter[/bold] to restore a clean file. * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at [bold]C:\rapport.txt[/bold]. *Exit SmitfraudFix. Show hidden files and folders. Start > Control Panel > Folder Options > View tab > check "Show hidden files and folders". Click Apply, then OK. Locate and delete these(if there): C:\Program Files\VSAdd-in <--folder C:\WINDOWS\system32\autosys.exe <--file C:\WINDOWS\SYSTEM32\winexy32.dll <--file Empty the Recycle Bin and restart in normal mode. Go here and download [bold]Java Runtime Environment 6.0[/bold]. Uninstall all previous version and updates of JRE via [bold]Add/Remove Programs[/bold]. Restart and install [bold]Version 6.0[/bold]. Turn off [bold]System Restore[/bold]. Right click [bold]My Computer[/bold] > [bold]Properties[/bold] > [bold]System Restore tab[/bold] > check "[bold]Turn off System Restore[/bold]". Click [bold]Apply[/bold], then [bold]OK[/bold]. Restart and turn System Restore back on. Go here to run [bold]Kaspersky Online Scanner[/bold]. After downloading, click "[bold]My Computer[/bold]" to scan. After scanning, click "[bold]Save report as[/bold]". Save as a text file on the desktop. Post the Kaspersky log along with a new HijackThis log.
Ok this file was not there. Also it has not got rid of the trojan yet. I have found the recovery disc's would that help put things back to normal. I have not used recovery DVD's before, I have dont it through a clean format on my Desktop PC's before but never had to deal with the laptops. Will the recovery DVD also have a format option?? Thanxs in advance
UPDATE Well I have decided to cut all loses and format the drive. That took some doing. I had to get my trusty old Heiren BootCD out and let it weave its magic It did that and then i put in the recovery DVD. At first it looked like it did not work. But it was just taking its time So far im nearly quarter the way done. At some level i am pleased that i have got the bug out of the system. But on the other hand i feel defeated. I will keep you posted on the final results
Formatting the HD is very unnecessary in this case. These infections are not that serious and can be cleaned relatively easily. But, it's your computer and your choice.
@Niobis Thanxs for the heads up. But it was really frustrating me soo i did what i did. I had nothing on the laptop of importance so i formated. Don't worry i feel defeated by it. Cause i feel what i did was a cop out. Ohh well better luck next time i should no better that create a problem for me.
Niobis, i'm curious as to what that HijackThis log shows he had on his system. I didn't see anything unusual, but i'm no security expert. If someone can afford it, I say buy a 2nd hard drive & install that with your favorites apps. At the very least, Ghost your system once every week & save the older drive image for about 3-4 months. If someone partitions their HDD so Windows has a 5GB drive, a 1.2GB swap, and then all the others at or below 30MB (FAT32 will go to 32,749MB but no more than that) you are GOLDEN! You'll have drives that can be read/written to by Linux, with a decent cluster size, and safe to use with any OS all the way back to Win95. A second hard drive, if you keep track of what's on there, is a huge failsafe when this malware sh*t attacks your computer. Eventually, unless they're some security expert they will run into these problems.
Look again. All of these are bad: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\pgoqwqkl.dll O2 - BHO: (no name) - {F0A666C0-97E6-4213-9372-731302E15C6B} - (no file) O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe O20 - Winlogon Notify: vturs - C:\WINDOWS\ O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e (file missing)
