hi, on avg, i got this box:
when i went to that folder, it was empty (showing hidden and system files/folders) can someone please help?
Did you click on the Heal button or delete/move to vault? Usually if you click heal it will stop the file running and then put it in the vault. If not you may need to ctrl/alt/del and stop it running first.
yup, pressed everything. i found a few weird things in my "processes", i'll post a HJT log
Logfile of HijackThis v1.99.1
Scan saved at 03:29:10, on 14/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\Config\svchost.exe
D:\PROGRA~1\Security\Firewall\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Config\FahCore_78.exe ???
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Security\Firewall\PERSON~1\MpfTray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe is this the virus process?
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe ????
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\PROGRA~1\Security\Firewall\PERSON~1\Mp***ent.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE ?????
C:\Program Files\Muiltmedia keyboard utility\2.2D\KbdAp32A.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AOL 9.0\aoltray.exe
D:\Program files\accesories\Palm\HOTSYNC.EXE
D:\Program files\Security\SpywareGuard\sgmain.exe
D:\Program files\Security\SpywareGuard\sgbhp.exe
C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program files\Security\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program files\Security\SpywareGuard\dlprotect.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] D:\PROGRA~1\Security\Firewall\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [NetPumper] "D:\Downloads\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\2.2D\MMKEYBD.EXE
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [Find Wma Load Dash] C:\Documents and Settings\All Users\Application Data\gpl rect find wma\grid bind.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [itchbold] C:\DOCUME~1\Owner\APPLIC~1\THUNKL~1\pop mail online.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = D:\Program files\Security\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Broadband Check-Up.lnk = C:\Program Files\AOL\Broadband CheckUp\bin\matcli.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Program files\accesories\Palm\HOTSYNC.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{129D887E-FAF6-4907-A5CB-14DDD6F2EC9C}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{129D887E-FAF6-4907-A5CB-14DDD6F2EC9C}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Hardware Check - Stanford University - C:\WINDOWS\Config\svchost.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - D:\PROGRA~1\Security\Firewall\PERSON~1\MPFSERVICE.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
i noticed there were a few C:\WINDOWS\System32\svchost.exe, i thought there only used to be one (or 2 at the most)
also, what is FahCore_78.exe? it is using 80-85% of my cpu, i think it is slowing down my computer. when i end it, it just comes back after a few seconds!!!!
Last edited by madmikejt12; 15-08-2005 at 11:00 AM.
All I could find on it is this. FahCore_78.exe is associated with the Folding at home application? http://folding.stanford.edu/
Do you run this program?
SMax4PNP.exe, SoundMax integrated sound. Required if you have custom settings for your sound, such as effects and environments
jusched.exe - This is Sun's Java automatic update utility
E_S10IC 2.EXE is the driver for your Epson printer.
> All I could find on it is this. FahCore_78.exe is associated with the Folding at home application? http://folding.stanford.edu/
> Do you run this program?
Never heard of it!!! :s
> SMax4PNP.exe, SoundMax integrated sound. Required if you have custom settings for your sound, such as effects and environments
oh lol ok thanks
> jusched.exe - This is Sun's Java automatic update utility
I read about this after i posted it
> E_S10IC 2.EXE is the driver for your Epson printer.
ah thanks, that will be gone in october, getting new printer.... i think i might have deleted the virus (unless it was a different one) i will run a scan now
Thanks for your help
btw, do you know how to un-install that program, i can't find any instructions and i haven't got a CLUE what i'm looking for :s
Hi, madmikejt12
Yes, on almost all of those items I find the same info.
Only 2 items in this logfile I see should go.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O4 - HKLM\..\Run: [NetPumper] "D:\Downloads\NetPumper\NetPumperIEProxy.exe"
Make sure you can view hidden and system files: Instructions here
Then Boot to safe mode: Instructions here
Delete the following files\folders IF still present:
D:\Downloads\NetPumper\<---This folder
Then do a reboot and see if it helps. You do have this item here:
C:\WINDOWS\Config\svchost.exe
I am looking for info on it and will get back to you.
HGD
Try reading here Mike. It should help you remove it as there seems to be no uninstaller with the program. http://forum.folding-community.org/v...ight=uninstall
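
The check the thread converges on (an svchost.exe running from C:\WINDOWS\Config rather than System32) can be automated. The following is an added example, not part of the original posts: a Python sketch that scans a HijackThis log for core Windows process names outside their expected directory. The expected-directory table assumes a default XP install under C:\WINDOWS, and the sample lines are an excerpt of the log posted above. A hit means the file needs identifying, not that it is malicious; here the log's own O23 line names the owner as Stanford University.

```python
import ntpath
import re

# Core Windows process names and the one directory each normally runs from.
# Assumption for this example: default install, %SystemRoot% = C:\WINDOWS.
SYS32 = r"c:\windows\system32"
EXPECTED_DIR = {
    "smss.exe": SYS32, "winlogon.exe": SYS32, "services.exe": SYS32,
    "lsass.exe": SYS32, "svchost.exe": SYS32, "spoolsv.exe": SYS32,
    "explorer.exe": r"c:\windows",
}

# First drive-letter path ending in .exe on a line; works for the
# "Running processes" section as well as O4 (Run) and O23 (Service) entries.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.exe\b", re.IGNORECASE)

def misplaced_system_binaries(log_text):
    """Return {path: [line numbers]} for core names found in the wrong folder."""
    hits = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = PATH_RE.search(line)
        if not match:
            continue
        path = match.group(0)
        folder, name = ntpath.split(path.lower())  # Windows rules on any OS
        expected = EXPECTED_DIR.get(name)
        if expected and folder != expected:
            hits.setdefault(path, []).append(lineno)
    return hits

# Excerpt of the HijackThis log from this thread.
SAMPLE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Config\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Config\FahCore_78.exe ???
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O23 - Service: Hardware Check - Stanford University - C:\WINDOWS\Config\svchost.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

if __name__ == "__main__":
    for path, lines in misplaced_system_binaries(SAMPLE).items():
        print(f"{path} (log lines {lines}): core process name outside its usual folder")
```

Several svchost.exe instances under System32 are normal and are not flagged; only the name appearing in a different folder is.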