| Forum Home | ||||
| Press F1 | ||||
| Thread ID: 74419 | 2006-11-22 01:06:00 | Virus/trojan/malware problems"Win32/chisyne/generic" | koseyboy (11501) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 501064 | 2006-11-22 04:40:00 | Or try trojan remover (dl.filekicker.com) from here (www.simplysup.com) Install it, update it. Then click on scan. See if it finds anything. Its only a trial, but it may be better than nothing. Then go to the utils menu. Select the 3rd to 7th option as well. |
Speedy Gonzales (78) | ||
| 501065 | 2006-11-22 04:59:00 | Thanks Speedy. I downloaded and ran trojan remover, but it didn't find anything. After it had done it's thing and I restarted my computer I went into ie7 and my antivirus came up with another alert Win32/chisyne!generic in my temp internet files folder. There must be a file somewhere which is downloading these, but I sure can't see find it or remove it with my antivirus/spyware software. Any thoughts? Thanks heaps for your help so far. |
koseyboy (11501) | ||
| 501066 | 2006-11-22 05:02:00 | Get ccleaner (www.ccleaner.com) install and click on run cleaner. This will remove temp files etc off the hdd. And clear the browser's cache. Close the browser/s first. |
Speedy Gonzales (78) | ||
| 501067 | 2006-11-22 05:11:00 | Thanks Speedy. I already have CCleaner on my comp. Used it earlier today, but haven't since we've done all this work. I checked HJT again after I had disabled system restore and I noticed a couple of things which re-appeared again - O20 - Winlogon Notify: winouw32 - C:\WINDOWS\SYSTEM32\winouw32.dll and in my running processes cool.exe was there again after I had stopped it and deleted it previously. Do you think these could be at the root of my problems? I'll run the cleaner and get back to you. Thanks heaps |
koseyboy (11501) | ||
| 501068 | 2006-11-22 05:23:00 | See if these entries (www.symantec.com) (under the removal tab) are in your registry. Run ccleaner again, click on tools / startup. Maximise ccleaner's window. Take a snapshot. If u have some kind of graphics program (like Irfanview or similar), paste the snapshot, upload it here (http://www.imagef1.net.nz/) and copy and paste the link this site gives u back here. So, I can see what appears in the startup tab of ccleaner. O20 - Winlogon Notify: winouw32 - C:\WINDOWS\SYSTEM32\winouw32.dll Turn off system restore (if its on again), boot into safe mode, and delete this file again. Is XP up to date with updates/patches etc? |
Speedy Gonzales (78) | ||
| 501069 | 2006-11-22 05:47:00 | Here's the screenshot you wanted. I'll work on the other things you mentioned now... Attached file: CCleaner_startup_screenshot.jpg (www.imagef1.net.nz) (93 KB) |
koseyboy (11501) | ||
| 501070 | 2006-11-22 05:52:00 | I don't have either of those registry entries you pointed me towards on the symanatec site... Now I'll delete that problem file in safe mode... |
koseyboy (11501) | ||
| 501071 | 2006-11-22 05:56:00 | The startup entries look ok to me. Where is this cool.exe file?? What folder? |
Speedy Gonzales (78) | ||
| 501072 | 2006-11-22 06:15:00 | The startup entries look ok to me. Where is this cool.exe file?? What folder? This is an undesirable program. This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable. If the description states that it is a piece of malware, you should immediately run an antivirus and antispyware program. If that does not help, feel free to ask us for assistance in the forums. Name: Microsoft System Checkup Filename: Cool.exe Command: C:\WINDOWS\system32\cool.exe Description: Added by the DONK.B WORM! File Location: %System% Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry. HijackThis Category: O4 Entry<<Look here!~ Note: %System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP. |
SurferJoe46 (51) | ||
| 501073 | 2006-11-22 06:22:00 | That's exactly it SurferJoe. I was finding the DONK.B WORM! on my system as well - but it seems to have gone since I removed cool.exe. Thanks for that. Hi Speedy. The cool.exe file was in windows/system23/cool.exe as SurferJoe stated above. I deleted it before the last few HJT logs as it came up in the HJT analysis page as a trojan. I finally managed to delete O20 - Winlogon Notify: winouw32 - C:\WINDOWS\SYSTEM32\winouw32.dll It took me a while as I couldn't just delete it, even in safe mode because it was loaded at startup. I got rid of it with the delete on startup option in HJT. So far I haven't had any antivirus alerts, so hopefully you've fixed it for me. I'll post my latest HJT log for you to have a look over and if you're happy I'll turn on system restore and hide my system files again. Thanks for all your great help!:) :) Logfile of HijackThis v1.99.1 Scan saved at 7:16:11 p.m., on 22/11/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe C:\Program Files\Spyware Doctor\sdhelp.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\UPHClean\uphclean.exe C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Haden\Desktop\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = xtramsn.co.nz R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - security.symantec.com O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - security.symantec.com O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - www3.ca.com O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - javadl-esd.sun.com O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - acs.pandasoftware.com O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstBanr.ocx O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk Architectural Desktop 3\InstFred.ocx O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe |
koseyboy (11501) | ||
| 1 2 3 4 5 | |||||