| Thread ID: 69539 | 2006-06-05 03:43:00 | virus attack in less than 24 hrs pls help | alistor isole (10503) | Press F1 |
| Post ID | Timestamp | Content | User |
| 460538 | 2006-06-05 03:43:00 | Hey guys, I'm new here. Last night I was searching Google for a free ebook for school, okay? I couldn't find anything, even after going to several sites. I think one of them might have been bugged, because in my recent files log there was an application I did not open. I also found a hidden folder under "C:\Documents and Settings\Tan Aik Leng\complete" which held many .zip files with names like coolsearch etc. I have deleted them, but the "complete" folder can't seem to be unhidden. Then numerous popups started appearing, adverts for some "globe7 connect the world" thing. Other things that happened: in Display Properties (I think it's right-click on the desktop and select Properties) the tabs at the top do not show. Everything is slower and laggy. Also, Task Manager refuses to open. Since yesterday I've run Ad-Aware several times and the popups seem to have stopped. I've also installed Norman Virus Control, which came with my PC but I didn't bother to install at first. Task Manager still won't open and, I don't know if this matters, but the Properties tabs also still won't come on. BTW, I'm running the Windows XP Tablet PC version. | alistor isole (10503) |
| 460539 | 2006-06-05 04:07:00 | Get the file in my sig below. We'll see what that comes up with. | Speedy Gonzales (78) | ||
| 460540 | 2006-06-05 04:21:00 | Okay, I did a scan and this is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:25:21 AM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\digtizer.exe
C:\Program Files\Norman\NPF\NPFSVICE.EXE
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\system32\o2flash.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Warranty\warranty.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Fujitsu\updnavi\updnavi.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\outlook\outlook.exe
C:\Norman\bin\ZLH.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Norman\NPF\NPFMSG.EXE
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Nvc\bin\cclaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\DOCUME~1\TANAIK~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pc-ap.fujitsu.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.acs.sch.edu.sg:80
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [FjDspMon] C:\Program Files\Fujitsu\Utils\FjDspMon.exe
O4 - HKLM\..\Run: [FjEvents] C:\Program Files\Fujitsu\Utils\fjevents.exe
O4 - HKLM\..\Run: [Fujitsu Menu] C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [WarrantyReg] Program Files\Warranty\warranty.exe
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\updnavi\updnavi.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000137.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NPF Messenger.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pc-ap.fujitsu.com/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - messenger.zone.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wlan.acs.sch.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = wlan.acs.sch.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wlan.acs.sch.edu.sg
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: loginkey - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\g004ladq1d0e.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Program Files\Norman\NPF\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing) | alistor isole (10503) |
| 460541 | 2006-06-05 05:06:00 | The log doesn't look too bad, but I would boot into Safe Mode, tick these entries and click Fix checked:

O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

I would uninstall this, as some say it's adware.

I'm not too sure what this is, but it doesn't look nice
O4 - HKLM\..\Run: [defender] C:\\defender25.exe

I'm pretty sure this entry is spyware-related
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000137.exe

This may also be spyware
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\g004ladq1d0e.dll

Then reboot. See how things are then. | Speedy Gonzales (78) |
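The triage in the reply above can be done mechanically, which is useful when a log has a hundred O4 lines instead of thirty. What follows is an added example written for this page, not code from the thread, from the forum's helpers or from HijackThis: a small parser for HijackThis entry lines plus scoring rules that encode the entry shapes singled out above, namely an entry under the RunServices key (a Windows 9x/Me autostart key that nothing on XP needs), a bare file name with no directory (winlog.exe), an executable sitting directly in the drive root (C:\\defender25.exe), a machine-generated-looking name (g004ladq1d0e.dll, mc-110-12-0000137.exe), and DLLs loaded as Winlogon Notify packages or BHOs. The sample log is a constructed subset of the entries posted in this thread; the rule weights are my own assumption and rank a reader's attention, they are not verdicts.

```python
# Added example for this thread, not code from the forum or from HijackThis.
# Rule weights are an assumption; they rank attention, they are not verdicts.
import re
from collections import namedtuple

# Constructed sample input: a subset of the entries from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] C:\\defender25.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000137.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\g004ladq1d0e.dll
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<rest>.*)$")
RUNKEY_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[[^\]]*\] (?P<cmd>.*)$")
PROGRAM_RE = re.compile(r'^\s*(?:"([^"]+)"|(.*?\.(?:exe|dll|com|scr|pif|bat|cmd)))(?=\s|$)', re.I)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\+[^\\]+$")  # C:\x.exe, and C:\\x.exe as in the log

# section: O2/O4/O20...; key: HKLM\Run etc. for registry O4 entries, else ""; path: target file
Entry = namedtuple("Entry", "section key path missing raw")
Finding = namedtuple("Finding", "score reasons entry")

def executable_of(command: str) -> str:
    """Program path from an autostart command line, quotes and arguments stripped."""
    m = PROGRAM_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command.strip().split(" ", 1)[0]

def file_stem(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]

def parse_entry(line: str):
    """One HijackThis line -> Entry, or None for headers and the process list."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest, key, path = m.group("section"), m.group("rest"), "", ""
    if section == "O4":
        k = RUNKEY_RE.match(rest)
        if k:                    # registry Run / RunServices entry
            key = k.group("hive") + "\\" + k.group("key")
            path = executable_of(k.group("cmd"))
        elif " = " in rest:      # Global Startup: name.lnk = target
            path = rest.split(" = ", 1)[1].strip()
    elif section in ("O2", "O3", "O20", "O23"):
        path = rest.rsplit(" - ", 1)[-1].strip()
    missing = path.endswith("(file missing)")
    return Entry(section, key, path.replace("(file missing)", "").strip(), missing, line.strip())

def looks_random(stem: str) -> bool:
    """g004ladq1d0e, mc-110-12-0000137: letters and digits interleaved several
    times, or a long digit run. Hand-named program files rarely look like this."""
    s = re.sub(r"[^A-Za-z0-9]", "", stem)
    if not (re.search(r"[A-Za-z]", s) and re.search(r"\d", s)):
        return False
    transitions = sum(a.isdigit() != b.isdigit() for a, b in zip(s, s[1:]))
    longest_digit_run = max((len(r) for r in re.findall(r"\d+", s)), default=0)
    return transitions >= 3 or longest_digit_run >= 3

# (weight, reason, predicate)
RULES = [
    (2, "RunServices key: a Windows 9x/Me autostart key nothing on XP needs", lambda e: e.key.endswith("RunServices")),
    (2, "bare file name, no directory: resolved through the search path", lambda e: bool(e.key) and "\\" not in e.path),
    (2, "executable sitting directly in the drive root", lambda e: bool(DRIVE_ROOT_RE.match(e.path))),
    (2, "machine-generated-looking file name", lambda e: looks_random(file_stem(e.path))),
    (1, "Winlogon Notify DLL: loaded into winlogon.exe at every logon", lambda e: e.section == "O20"),
    (1, "BHO: loaded into every Internet Explorer process", lambda e: e.section == "O2"),
    (1, "target file missing: stale entry, safe to remove", lambda e: e.missing),
]

def triage(log: str):
    """Score every entry in a HijackThis log; highest score first, zeros dropped."""
    findings = []
    for line in log.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        hits = [(w, why) for w, why, test in RULES if test(e)]
        if hits:
            findings.append(Finding(sum(w for w, _ in hits), [why for _, why in hits], e))
    findings.sort(key=lambda f: -f.score)  # stable: ties keep log order
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.entry.raw}\n      " + "\n      ".join(f.reasons))
```

On the sample, the RunServices copy of winlog.exe comes out on top (bare name plus the 9x-only key), then g004ladq1d0e.dll (random name loaded into winlogon), then the defender25, DNS and the other winlog entries, with the BHO, the Intel Winlogon Notify DLL and the missing StyleXP service at the bottom; hkcmd.exe and qttask.exe trip no rule at all. Note that AGRSMMSG.exe scores the same as winlog.exe on name shape alone, which is exactly why the output is a reading order and not a removal list: a human, as in the reply above, still decides.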
| 460542 | 2006-06-05 05:54:00 | Sounds like spyware named Look2Me. A program that removes it is available here (www.atribune.org). | gibler (49) |
| 460543 | 2006-06-05 05:57:00 | Why do you always remove O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe? It's the Java auto-update, somewhat handy as most people forget to update Java. | tweak'e (69) |
| 460544 | 2006-06-05 06:06:00 | > Why do you always remove O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe? It's the Java auto-update, somewhat handy as most people forget to update Java.

Because it isn't needed. And the icon comes up whether it's in startup or not anyway. Well, it does here. And it doesn't work anyway, lol. Since I've been using Sun Java, the icon pops up, and there has never been an update for it. | Speedy Gonzales (78) |
| 460545 | 2006-06-05 06:35:00 | Alright, I've done all that, but when I ran HijackThis in Safe Mode it didn't find O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\g004ladq1d0e.dll. I fixed everything else, but when I rebooted it was still slower than normal and some "Data Execution Prevention" window popped up, saying something about winlog.exe. It closed winlog and I got that send-this-error-report-to-Microsoft thing about winlog.exe. This has been happening since before I did HijackThis. Task Manager still won't open. I'm doing gibler's suggestion now... | alistor isole (10503) |
| 460546 | 2006-06-05 06:42:00 | gibler, I'm confused, I downloaded the thing but what do I do with it? | alistor isole (10503) |
| 460547 | 2006-06-05 07:10:00 | Instructions are here: www.atribune.org | zqwerty (97) |