Hey all! Got infected with MicroAV and I'm trying to get rid of it. Googling around a bit, the removal process seemed pretty easy: stop the program, delete it, clean out the registry, and you're set. The nasty kicker I'm experiencing however is my computer won't let me End Process. By both ctrl+alt+delete and run -> taskmgr I get the message of "task manager has been disabled by your administrator". There's only one account on the computer, which I'm on. Further, straight access to the hard drive (C:, D:) was disabled, but can still be accessed through opening a folder on the desktop and going there via the address bar. Really sucks the life out of the search function, though. But, I can't manually delete the MicroAV folder because it's in use and I can't make it not be in use because I'm locked out. The only thing I've been able to do is disable MicroAV at startup with msconfig but it still managed to spew all over the desktop on reboot. So... please help :'(

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:22: VIRUS ALERT!, on 9/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\YUR8F5.exe
C:\Windows\system32\YUR8F6.exe
C:\Windows\system32\YUR8F7.exe
C:\Windows\system32\YUR8FB.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\MicroAV\MicroAV.exe
C:\Windows\system32\YUR984.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: QXK Olive - {8F1CB0E0-C960-4E1C-AF34-76033AA917FA} - C:\WINDOWS\vmgspntbsex.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: fqbewlna - {206DDC12-B015-499C-9981-BC5863B027CA} - C:\WINDOWS\fqbewlna.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [\YUR8F5.exe] C:\Windows\system32\YUR8F5.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdopp.exe] C:\WINDOWS\system32\kdopp.exe
O4 - HKLM\..\Run: [\YUR8F6.exe] C:\Windows\system32\YUR8F6.exe
O4 - HKLM\..\Run: [\YUR8F7.exe] C:\Windows\system32\YUR8F7.exe
O4 - HKLM\..\Run: [\YUR8FB.exe] C:\Windows\system32\YUR8FB.exe
O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKLM\..\Run: [\YUR906.exe] C:\Windows\system32\YUR906.exe
O4 - HKLM\..\Run: [\YUR984.exe] C:\Windows\system32\YUR984.exe
O4 - HKLM\..\Run: [\YURA01.exe] C:\Windows\system32\YURA01.exe
O4 - HKLM\..\Run: [\YURA7E.exe] C:\Windows\system32\YURA7E.exe
O4 - HKLM\..\Run: [\YURAFC.exe] C:\Windows\system32\YURAFC.exe
O4 - HKLM\..\Run: [\YURB79.exe] C:\Windows\system32\YURB79.exe
O4 - HKLM\..\Run: [\YURBF6.exe] C:\Windows\system32\YURBF6.exe
O4 - HKLM\..\Run: [\YURC74.exe] C:\Windows\system32\YURC74.exe
O4 - HKLM\..\Run: [\YURCF1.exe] C:\Windows\system32\YURCF1.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [\YUR2.exe] C:\Windows\system32\YUR2.exe
O4 - HKLM\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
O4 - HKLM\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKLM\..\Run: [\YUR5.exe] C:\Windows\system32\YUR5.exe
O4 - HKLM\..\Run: [\YURE.exe] C:\Windows\system32\YURE.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM (R)] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [\YUR8F5.exe] C:\Windows\system32\YUR8F5.exe
O4 - HKCU\..\Run: [\YUR8F6.exe] C:\Windows\system32\YUR8F6.exe
O4 - HKCU\..\Run: [\YUR8F7.exe] C:\Windows\system32\YUR8F7.exe
O4 - HKCU\..\Run: [\YUR8FB.exe] C:\Windows\system32\YUR8FB.exe
O4 - HKCU\..\Run: [\YUR906.exe] C:\Windows\system32\YUR906.exe
O4 - HKCU\..\Run: [\YUR984.exe] C:\Windows\system32\YUR984.exe
O4 - HKCU\..\Run: [\YURA01.exe] C:\Windows\system32\YURA01.exe
O4 - HKCU\..\Run: [\YURA7E.exe] C:\Windows\system32\YURA7E.exe
O4 - HKCU\..\Run: [\YURAFC.exe] C:\Windows\system32\YURAFC.exe
O4 - HKCU\..\Run: [\YURB79.exe] C:\Windows\system32\YURB79.exe
O4 - HKCU\..\Run: [\YURBF6.exe] C:\Windows\system32\YURBF6.exe
O4 - HKCU\..\Run: [\YURC74.exe] C:\Windows\system32\YURC74.exe
O4 - HKCU\..\Run: [\YURCF1.exe] C:\Windows\system32\YURCF1.exe
O4 - HKCU\..\Run: [\YUR2.exe] C:\Windows\system32\YUR2.exe
O4 - HKCU\..\Run: [\YUR3.exe] C:\Windows\system32\YUR3.exe
O4 - HKCU\..\Run: [\YUR4.exe] C:\Windows\system32\YUR4.exe
O4 - HKCU\..\Run: [\YUR5.exe] C:\Windows\system32\YUR5.exe
O4 - HKCU\..\Run: [\YURE.exe] C:\Windows\system32\YURE.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM (R) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176048324328
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{A20A6C34-383F-4AB1-9BCE-DD030A06FB8A}: NameServer = 85.255.113.90,85.255.112.166
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA288C1A-C0CE-46E7-9CC1-EA056EFD9082}: NameServer = 85.255.113.90,85.255.112.166
O21 - SSODL: mgxfebsq - {ECB5BE0D-BC87-4071-A041-D6F52EAB7D6C} - C:\WINDOWS\mgxfebsq.dll
O21 - SSODL: dtseqrxk - {13D30C0F-2F18-4B2E-938C-1036C9C187F5} - C:\WINDOWS\dtseqrxk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 11222 bytes
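A small triage script for the entry formats in the log above, added here as an example (it is not part of the original post and not something HijackThis ships). It surfaces the things a helper reads off such a log first: O4 Run values whose name is a bare backslash-plus-filename or a full path, O2/O3/O21 DLLs loaded straight from the Windows root, O6/O7 policy lockouts (the disabled Task Manager and Regedit the poster describes) and O17 per-adapter DNS overrides. The sample lines are copied from the log above; the heuristics are this example's own and flag entries for review, not a verdict.

```python
"""Heuristic triage of a HijackThis log (added example; not the poster's code
and not part of HijackThis). Surfaces entries a helper would read first."""
import re

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
WIN_ROOTS = ("c:\\windows", "c:\\winnt")

# Sample lines reproduced from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: QXK Olive - {8F1CB0E0-C960-4E1C-AF34-76033AA917FA} - C:\WINDOWS\vmgspntbsex.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [\YUR8F5.exe] C:\Windows\system32\YUR8F5.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdopp.exe] C:\WINDOWS\system32\kdopp.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\..\{A20A6C34-383F-4AB1-9BCE-DD030A06FB8A}: NameServer = 85.255.113.90,85.255.112.166
O21 - SSODL: mgxfebsq - {ECB5BE0D-BC87-4071-A041-D6F52EAB7D6C} - C:\WINDOWS\mgxfebsq.dll
"""

def triage(log_text):
    """Return (section, reason, entry) tuples for entries that deserve a second look."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list and blank lines carry no R/O entry
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            name = re.search(r"\[(.*?)\]", body)
            n = name.group(1) if name else ""
            # Installers give Run values a readable name; a bare "\file.exe" or a
            # full path as the value name is how the droppers in this log registered.
            if n.startswith("\\") or ":\\" in n:
                hits.append((sec, "odd Run value name", body))
        elif sec in ("O2", "O3", "O21"):
            path = body.rsplit(" - ", 1)[-1]
            folder = path.rsplit("\\", 1)[0].lower()
            # Vendor shell extensions live under Program Files or system32,
            # not loose in C:\WINDOWS under a random 8-letter name.
            if folder in WIN_ROOTS and path.lower().endswith(".dll"):
                hits.append((sec, "DLL loaded from Windows root", body))
        elif sec in ("O6", "O7"):
            hits.append((sec, "policy restriction (locks out Task Manager/Regedit)", body))
        elif sec == "O17":
            hits.append((sec, "per-adapter DNS override; check against ISP resolvers", body))
    return hits

if __name__ == "__main__":
    for sec, reason, entry in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}: {entry}")
```

Run it against a saved hijackthis.txt by passing the file contents to triage(); every unflagged entry still deserves a read, since the heuristics only cover the patterns seen in this thread.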
Hi philsov

Woah... you're quite infected. Please follow the instructions below first:

Now, please download ComboFix. With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispyware, and firewalls. Also disable your internet connection.

• Run Combo-Fix.exe and follow the prompts. **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

After that, please post a new HijackThis log.

Best Regards
Hi paamaren

Did you follow my instructions to remove your malware? If so, the malware may have left some traces behind. Open a new thread and follow these instructions:

Please download the HijackThis zip file. Save it onto a convenient place in your computer, and then unzip the file. Rename HijackThis(.exe) to scanner(.exe). Next, run scanner(.exe). A window will pop up.

• Click on the button which says Main Menu, then Do a system scan and save a logfile.
• Please wait for the scan to be completed.
• After the scan has completed, a text window will pop up. Please post the contents of this window here. This will also be located at hijackthis(.txt) in the same folder that HijackThis was originally saved.

NOTE: Do not fix anything using HijackThis, as this may also damage legitimate components of your computer.

Best Regards