| Thread ID: 57578 | 2005-05-06 11:27:00 | Help Virus | G-Boy (6793) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 352816 | 2005-05-07 01:13:00 | No. Spybot has nothing to do with the hijackthis log. Download HJT do a scan and copy and paste what it brings up. Might as well do it now.... We'll see what we can do. OK here we go
Logfile of HijackThis v1.99.1
Scan saved at 12:05:29 p.m., on 7/05/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\DU METER\DUMETER.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvnz.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sxkep.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sxkep.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nzoom.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6669DCAF-F6A9-C3C9-69D4-24AA388E878A} - C:\WINDOWS\D3IW32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [DU Meter] C:\PROGRAM FILES\DU METER\DUMETER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [nForce9xUpgrade] rundll32.exe nvack.dll,nForce9xUpgrade
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center\DMDownload.htm
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - launch.gamespyarcade.com
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - www.pcpitstop.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - www.pcpitstop.com
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - sc.communities.msn.com
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - fdl.msn.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - www.pandasoftware.com
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} ( Yahoo! Audio Conferencing) - us.chat1.yimg.com
O16 - DPF: Yahoo! Chat - us.chat1.yimg.com
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - h30043.www3.hp.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - www.ipix.com
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - ftp.hp.com
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} ( Yahoo! Audio UI1) - chat.yahoo.com
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} ( Yahoo! Webcam Viewer Wrapper) - chat.yahoo.com
O16 - DPF: Yahoo! Chat 1.3 - jcs.chat.dcn.yahoo.com
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - www.errornuker.com
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - download.howudodat.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - www.fileplanet.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - www.shockwave.com
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - www.windowsecurity.com
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} -
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.27.158.40,202.27.156.72

And below are some of the 100 or so viruses I have deleted or moved to the virus vault; each time I delete or send one to the vault it creates two more.
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SYSTEM\CRBP.EXE","6/05/2005 11:31:29 p.m.","CRBP.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSHB.EXE","6/05/2005 11:31:31 p.m.","SYSHB.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\NTFZ32.EXE","6/05/2005 11:34:00 p.m.","NTFZ32.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\D3TD32.EXE","6/05/2005 11:34:05 p.m.","D3TD32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SYSTEM\SYSIJ.EXE","6/05/2005 11:34:27 p.m.","SYSIJ.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SDKJS32.EXE","6/05/2005 11:34:34 p.m.","SDKJS32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\JAVAXC32.EXE","7/05/2005 12:20:58 a.m.","JAVAXC32.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSDF.EXE","7/05/2005 12:21:05 a.m.","SYSDF.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\WINCH.EXE","7/05/2005 12:23:42 a.m.","WINCH.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SYSTEM\JAVAGG32.EXE","7/05/2005 12:25:34 a.m.","JAVAGG32.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSNR32.EXE","7/05/2005 12:25:48 a.m.","SYSNR32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SYSTEM\NETDR32.EXE","7/05/2005 12:27:13 a.m.","NETDR32.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\CRJV32.EXE","7/05/2005 12:27:19 a.m.","CRJV32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SYSTEM\ATLSA32.EXE","7/05/2005 1:22:51 a.m.","ATLSA32.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\MSTS.EXE","7/05/2005 1:22:59 a.m.","MSTS.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\ADDQA.EXE","7/05/2005 10:19:02 a.m.","ADDQA.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\CRRJ32.EXE","7/05/2005 10:19:06 a.m.","CRRJ32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SYSTEM\NETWT32.EXE","7/05/2005 10:23:44 a.m.","NETWT32.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\APIQY.EXE","7/05/2005 10:23:46 a.m.","APIQY.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\NETED.EXE","7/05/2005 10:31:26 a.m.","NETED.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\WINGN32.EXE","7/05/2005 10:31:30 a.m.","WINGN32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SYSVN.EXE","7/05/2005 10:32:32 a.m.","SYSVN.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\SDKWW32.EXE","7/05/2005 10:32:41 a.m.","SDKWW32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SYSTEM\ATLEU32.EXE","7/05/2005 10:44:22 a.m.","ATLEU32.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\MSFE32.EXE","7/05/2005 10:44:26 a.m.","MSFE32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\APIAN32.EXE","7/05/2005 10:45:00 a.m.","APIAN32.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\SYSBE32.EXE","7/05/2005 10:45:07 a.m.","SYSBE32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\NETFY.EXE","7/05/2005 11:52:27 a.m.","NETFY.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\ATLEC.EXE","7/05/2005 11:52:30 a.m.","ATLEC.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\IEJG.EXE","7/05/2005 11:52:33 a.m.","IEJG.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\NETIG.EXE","7/05/2005 11:52:35 a.m.","NETIG.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\D3TI32.EXE","7/05/2005 11:52:37 a.m.","D3TI32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\NTIM32.EXE","7/05/2005 11:52:39 a.m.","NTIM32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SYSTEM\D3HX32.EXE","7/05/2005 11:52:41 a.m.","D3HX32.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SYSTEM\APPSR.EXE","7/05/2005 11:52:44 a.m.","APPSR.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SYSTEM\IEHC.EXE","7/05/2005 11:52:46 a.m.","IEHC.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\ADDZV.EXE","7/05/2005 11:52:48 a.m.","ADDZV.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SDKDT.EXE","7/05/2005 11:52:50 a.m.","SDKDT.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\D3RD.EXE","7/05/2005 11:58:56 a.m.","D3RD.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\NETSM32.EXE","7/05/2005 11:58:58 a.m.","NETSM32.EXE","32.62 KB" |
G-Boy (6793) | ||
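The "delete one, two come back" complaint in the post above is visible in the vault log itself once the lines are grouped by time. The script below is an added example, not code from the thread or from AVG: it parses a constructed subset of the quoted vault lines, clusters them into bursts (a burst boundary is assumed to be a gap of more than 60 seconds between consecutive detections), and reports how many files each burst contained and which file sizes recur. Two fixed sizes under ever-changing random names means the same two components are being re-dropped by something still running, which is why the thread moves on to the startup and BHO entries rather than to more quarantining.

```python
"""Group AV quarantine events into bursts (added example; not from the thread)."""
import csv
import io
from datetime import datetime

# Constructed subset of the AVG virus-vault lines quoted in the post above.
SAMPLE_VAULT = r'''
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SYSTEM\CRBP.EXE","6/05/2005 11:31:29 p.m.","CRBP.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSHB.EXE","6/05/2005 11:31:31 p.m.","SYSHB.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\NTFZ32.EXE","6/05/2005 11:34:00 p.m.","NTFZ32.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\D3TD32.EXE","6/05/2005 11:34:05 p.m.","D3TD32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\SYSTEM\SYSIJ.EXE","6/05/2005 11:34:27 p.m.","SYSIJ.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SDKJS32.EXE","6/05/2005 11:34:34 p.m.","SDKJS32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.11.Q","C:\WINDOWS\JAVAXC32.EXE","7/05/2005 12:20:58 a.m.","JAVAXC32.EXE","11.12 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSDF.EXE","7/05/2005 12:21:05 a.m.","SYSDF.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\NETFY.EXE","7/05/2005 11:52:27 a.m.","NETFY.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\ATLEC.EXE","7/05/2005 11:52:30 a.m.","ATLEC.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\SYSTEM\IEJG.EXE","7/05/2005 11:52:33 a.m.","IEJG.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\NETIG.EXE","7/05/2005 11:52:35 a.m.","NETIG.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\D3TI32.EXE","7/05/2005 11:52:37 a.m.","D3TI32.EXE","32.62 KB"
"","","Trojan horse Downloader.Agent.12.D","C:\WINDOWS\NTIM32.EXE","7/05/2005 11:52:39 a.m.","NTIM32.EXE","32.62 KB"
'''


def parse_vault(text):
    """Parse the 7-column vault export into dicts, sorted by detection time."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7:          # blank lines come back as empty rows
            continue
        _, _, detection, path, stamp, name, size = row[:7]
        # The export writes "a.m."/"p.m."; strptime's %p wants AM/PM.
        stamp = stamp.replace("a.m.", "AM").replace("p.m.", "PM")
        when = datetime.strptime(stamp, "%d/%m/%Y %I:%M:%S %p")
        records.append({"detection": detection, "path": path, "when": when,
                        "name": name, "size": size})
    return sorted(records, key=lambda r: r["when"])


def group_bursts(records, gap_seconds=60):
    """Split time-ordered records into bursts; a new burst starts after a gap."""
    bursts = []
    for rec in records:
        if bursts and (rec["when"] - bursts[-1][-1]["when"]).total_seconds() <= gap_seconds:
            bursts[-1].append(rec)
        else:
            bursts.append([rec])
    return bursts


def describe(bursts):
    """Per burst: start time, file count, distinct sizes and drop directories."""
    out = []
    for b in bursts:
        out.append({
            "start": b[0]["when"].isoformat(),
            "count": len(b),
            "sizes": sorted({r["size"] for r in b}),
            "dirs": sorted({r["path"].rsplit("\\", 1)[0] for r in b}),
        })
    return out


def component_summary(records):
    """Map each quarantined file size to the detection names seen at that size."""
    summary = {}
    for r in records:
        summary.setdefault(r["size"], set()).add(r["detection"])
    return summary


if __name__ == "__main__":
    recs = parse_vault(SAMPLE_VAULT)
    for info in describe(group_bursts(recs)):
        print(f'{info["start"]}  {info["count"]:2d} files  sizes={info["sizes"]}  dirs={info["dirs"]}')
    for size, names in sorted(component_summary(recs).items()):
        print(size, "->", ", ".join(sorted(names)))
```

Run as-is it prints one line per burst; on the full log quoted above the same picture holds, since every entry is either an 11.12 KB Downloader.Agent.11.Q or a 32.62 KB Downloader.Agent.12.D under a fresh name.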
| 352817 | 2005-05-07 01:41:00 | C:\WINDOWS\SYSTEM\MPREXE.EXE
This is used in 98/ME. What's it show in Task Manager? Is this name in capital or little letters?
C:\WINDOWS\SYSTEM\WMIEXE.EXE
This looks like a valid Windows file. BUT it may also be this: securityresponse.symantec.com/avcenter/venc/data/w32.torun.html
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
Remove this, it isn't needed.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sxkep.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sxkep.dll/sp.html#28129
Dunno what these are. Remove them.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6669DCAF-F6A9-C3C9-69D4-24AA388E878A} - C:\WINDOWS\D3IW32.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
This shouldn't be in startup. It might be this: securityresponse.symantec.com/avcenter/venc/data/backdoor.gwghost.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
This is for Quicktime, but isn't needed. Remove it.
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
This shouldn't be in startup either.
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
Remove this.
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center\DMDownload.htm
Remove this.
Tick and click on fix on the above entries. See what happens. Reboot. See if it creates more of these trojan files. I would also get the CoolWebSearch removal tool/program. This file may be at the same site you got HJT from. Some of these files may be part of CoolWebSearch. |
Speedy Gonzales (78) | ||
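The reply above is a manual triage of the HijackThis log: pick out the R-entries that point at a `res://` DLL, the R3 line saying the default URLSearchHook is gone, the BHO with no real name sitting loose in C:\WINDOWS, and the O16 ActiveX entries that name no source. The script below is an added example, not code from the thread or from HijackThis; it turns those same indicators into a small parser plus rule set and runs them over a constructed subset of the log lines. It generalizes slightly beyond the post by checking every R0/R1 value for `res://` and every O16 entry for a missing host, rather than the specific lines quoted. The rule wording and the `Finding` structure are the example's own.

```python
"""Triage a HijackThis-style log with the indicators used in the thread (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the entries quoted in the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvnz.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sxkep.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sxkep.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6669DCAF-F6A9-C3C9-69D4-24AA388E878A} - C:\WINDOWS\D3IW32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - www.pcpitstop.com
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.27.158.40,202.27.156.72
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)")
DPF_RE = re.compile(r"DPF: (?P<what>.+?) -\s*(?P<host>.*)$")
# A file sitting directly in C:\WINDOWS (no sub-folder), as the flagged BHO DLL does.
WINDIR_FILE_RE = re.compile(r"c:\\windows\\[^\\]+$", re.IGNORECASE)


@dataclass
class Entry:
    section: str   # e.g. "R1", "O2", "O16"
    body: str      # everything after "Rn - " / "On - "


@dataclass
class Finding:
    section: str
    reason: str
    body: str


def parse_hjt(text):
    """Return the R/O entries of a HijackThis log; header and process lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Apply the thread's indicators; returns one Finding per suspicious entry, in log order."""
    findings = []
    for e in entries:
        if e.section in ("R0", "R1"):
            _key, _sep, value = e.body.partition(" = ")
            if value.lower().startswith("res://"):
                findings.append(Finding(e.section,
                    "IE page/search setting redirected to a local resource DLL (res://)", e.body))
        elif e.section == "R3" and "missing" in e.body.lower():
            findings.append(Finding(e.section,
                "default URLSearchHook missing (cleared by a hijacker; HJT can restore it)", e.body))
        elif e.section == "O2":
            m = BHO_RE.match(e.body)
            if m:
                generic_name = m.group("name").strip().lower() in ("class", "(no name)")
                loose_in_windir = WINDIR_FILE_RE.match(m.group("path").strip()) is not None
                if generic_name or loose_in_windir:
                    findings.append(Finding(e.section,
                        "BHO with a generic name and/or DLL dropped directly in the Windows folder", e.body))
        elif e.section == "O16":
            m = DPF_RE.match(e.body)
            if m and not m.group("host").strip():
                findings.append(Finding(e.section,
                    "ActiveX (DPF) entry with no download source; cannot be verified", e.body))
    return findings


def flagged_sections(findings):
    return [f.section for f in findings]


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.section}: {f.reason}\n    {f.body}")
```

Entries the rules do not cover (O3, O4, O17 here) are parsed but left for a human, which matches how the reply treats the remaining O4 lines: by judgement, not by pattern.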
| 352818 | 2005-05-07 02:05:00 | I would leave the Spybot protection on. Firstly I would run your antivirus (assuming it's up to date) in safe mode. Then, while still in safe mode, run Spybot and/or Ad-Aware, CWShredder etc. |
tweak'e (69) | ||
| 352819 | 2005-05-07 02:44:00 | C:\WINDOWS\SYSTEM\MPREXE.EXE
This is used in 98/ME. What's it show in Task Manager? Is this name in capital or little letters?
C:\WINDOWS\SYSTEM\WMIEXE.EXE
This looks like a valid Windows file. BUT it may also be this: securityresponse.symantec.com/avcenter/venc/data/w32.torun.html
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
Remove this, it isn't needed.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\sxkep.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\sxkep.dll/sp.html#28129
Dunno what these are. Remove them.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6669DCAF-F6A9-C3C9-69D4-24AA388E878A} - C:\WINDOWS\D3IW32.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
This shouldn't be in startup. It might be this: securityresponse.symantec.com/avcenter/venc/data/backdoor.gwghost.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
This is for Quicktime, but isn't needed. Remove it.
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
This shouldn't be in startup either.
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
Remove this.
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center\DMDownload.htm
Remove this.
Tick and click on fix on the above entries. See what happens. Reboot. See if it creates more of these trojan files. I would also get the CoolWebSearch removal tool/program. This file may be at the same site you got HJT from. Some of these files may be part of CoolWebSearch.

Man, I can't thank you enough Speedy. I removed what you said, restarted, scanned with all the programs again, and all seems good. One thing I have noticed, and I don't know if some program is just hiding them (I have show hidden folders on): my DOWNLOADED PROGRAM FILES folder seems empty; it used to have a dozen or so things in it. Everything still seems to work. Just wondered about what Tweake was saying about leaving SPYBOT TEATIMER on, shall I? |
G-Boy (6793) | ||
| 352820 | 2005-05-07 03:09:00 | No worries :) Umm you can leave TeaTimer in if you like. I just found it annoying and pressing the wrong option sometimes stuffed things up! Coz it'd remove the entry for something that needs to be loaded on startup. Just as long as you can figure out what file it is that it's querying, whether it should be allowed or not, it should be fine. Yup, depends what files are in the Downloaded Program Files folder (what they're called). This is where the file for Windows Update downloads to (ie: if you've done a new install of Windows, and you go to the Windows Update site to scan for updates). And some sites like Trend (if you do scans online) also install their files to this folder. BUT nasty installs/files from unknown places also install malware and other things here. The files in Downloaded Program Files: once you revisit something like Windows Update or a site like Trend, it'll drop its file back into this folder. If you had Flash previously for sites, you may have to go back to the site to reinstall/download it. |
Speedy Gonzales (78) | ||