Press F1 forum, thread 64673: Annoying virus files
Started by polo (6383) on 2005-12-22 23:53:00
Post 415018 | 2005-12-22 23:53:00 | polo (6383)
I have 2 files running in my pc every time. They are hedgie.exe and msgconfigure.exe and they are usually found in the system32 folder. McAfee IS 8 detects them as trojan virus. They can be removed. But after removing them they come back next time my pc reboots. I disable them in msconfig startup but still they come back. These are not net viruses. Please tell me how to remove them permanently.
Post 415019 | 2005-12-23 00:21:00 | Pancake (6359)
Hi. First run a full scan here with Ewido (www.cyberanswers.org). Then download HijackThis (www.cyberanswers.org). It will create a directory folder for you in C:\Program Files. Run a scan and save the log file. Post the whole log file here. Do not fix anything, since most of the entries listed there are harmless (some are system required). This program will help determine what, if any, spyware/malware is on your computer.
Post 415020 | 2005-12-23 08:49:00 | polo (6383)
Pancake, the Ewido software does not work on my pc.
Post 415021 | 2005-12-23 09:00:00 | Pancake (6359)
Just scan and post the HJT log .....
Post 415022 | 2005-12-23 10:02:00 | Renmoo (66)
Run the computer nude (i.e. safe mode) and re-scan your entire HDD for the two annoying viruses. As Pancake says, post a HJT log here to enlighten us. Cheers :)
Post 415023 | 2005-12-24 20:32:00 | polo (6383)
Logfile of HijackThis v1.99.1
Scan saved at 10:19:05 p.m., on 24/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msgconfigre.exe
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKCU\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\Orcon Accelerator\pac-addwl.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Orcon Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Orcon Accelerator\pac-image.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Video Ads Blocker v1.0b Personal - {A566D401-65F3-4A08-B3CA-C2E76784B6F6} - C:\Program Files\Video Ads Blocker\addblocker.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\System32\fcgfqdbp.dll (file missing)
Post 415024 | 2005-12-24 22:43:00 | pheonix (36)
Recommend you run Ccleaner (www.ccleaner.com) with all boxes ticked first. Then use Hijackthis to clean out the following entries...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"
O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msgconfigre.exe
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKCU\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\System32\fcgfqdbp.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Maybe suspect if you don't have a video ads blocking program..
O9 - Extra button: Video Ads Blocker v1.0b Personal - {A566D401-65F3-4A08-B3CA-C2E76784B6F6} - C:\Program Files\Video Ads Blocker\addblocker.exe
Post 415025 | 2005-12-25 00:15:00 | Pancake (6359)
Hi

It may help to print out or copy this page as you will be working in Safe Mode. Make sure to work through the fixes in the exact order it's listed.

SHOW HIDDEN FILES AND FOLDERS
To show hidden files (WinXP):
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------
Files highlighted in BLACK will need to be removed from your hard drive.
------------------------------------------------------------------
Please start by going into SAFE MODE. During reboot, tap the F8 key. Select Safe Mode and then run "Hijack This".
------------------------------------------------------------------
Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following exe files and click End Process for each one if they are listed.
hedgie.exe
msgconfigre.exe
ibm00009.exe
------------------------------------------------------------------
Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"
O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msgconfigre.exe
O4 - HKLM\..\RunServices: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKCU\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\System32\fcgfqdbp.dll (file missing)
------------------------------------------------------------------
Open Windows Explorer and delete the following highlighted file/s. Also delete the following red folder/s.
C:\WINDOWS\System32\fcgfqdbp.dll
C:\WINDOWS\SYSTEM32\msupdate32.dll
C:\WINDOWS\System32\hedgie.exe
C:\WINDOWS\System32\msgconfigre.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe
--------------------------------------------------------------------------------
You will need to remove these registry entries.
NOTE: Always back up your registry before making any changes. The easiest way to do this is to select the entry that you are going to delete with your mouse and go to File and choose Export. Call it any name that you like (selected branch (below) should be pre-selected) and then send it to a New Folder on your Desktop as a .reg file. If you have no further problems, rightclick on the New Folder and delete it. Do NOT doubleclick on a .reg file unless you want to put it back in your Registry.
HKCR\CLSID\{6368D1FC-6F5C-4f1b-B164-E67214F678E9}\InProcServer32
HKLM\Software\Microsoft\Internet Explorer\Main Placeholder_Databr
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad SysTray.Exys {6368D1FC-6F5C-4f1b-B164-E67214F678E9}
-------------------------------------------------------------------
Reboot, run a full scan here with Ewido (www.cyberanswers.org). When finished please post a new log......
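As an added example (not code from the thread, from HijackThis, or from any poster), the following Python parses HijackThis v1.99 log lines like the ones polo posted and flags the entry types the replies single out: IE start/default pages pointing at a local file, a second executable chained onto Shell=, a proxy forced through localhost, Winlogon Notify DLLs, entries whose file is missing, and the file names the thread identifies. The indicator set, the heuristics and the sample log subset are mine, assembled from the log above.

```python
"""Flag suspicious HijackThis log entries. Added example, not part of the
thread or of HijackThis; indicator names and sample lines come from the
log posted above, the heuristics are the editor's own."""
import re
from typing import List, NamedTuple, Optional
# File names the thread identifies as malicious (compared case-insensitively).
THREAD_INDICATORS = {"hedgie.exe", "msgconfigre.exe", "ibm00009.exe",
                     "msupdate32.dll", "fcgfqdbp.dll", "secure32.html"}
class Entry(NamedTuple):
    code: str       # HJT section prefix, e.g. R0, F2, O4, O20
    detail: str     # remainder of the log line
    reasons: tuple  # why it was flagged; empty for benign entries
_LINE = re.compile(r"^(R\d|F\d|O\d+)\s+-\s+(.*)$")
_FILE = re.compile(r"[\w$~-]+\.(?:exe|dll|html?|ocx)\b", re.IGNORECASE)
def analyse(line: str) -> Optional[Entry]:
    m = _LINE.match(line.strip())
    if not m:
        return None          # headers, process list, blank lines
    code, detail = m.group(1), m.group(2)
    names = {n.lower() for n in _FILE.findall(detail)}
    reasons = []
    if names & THREAD_INDICATORS:
        reasons.append("known indicator")
    if code in ("R0", "R1") and re.search(r"=\s*[a-z]:\\", detail, re.I):
        reasons.append("browser page redirected to local file")  # c:\secure32.html
    if code == "R1" and "ProxyServer" in detail and "localhost" in detail:
        reasons.append("proxy forced through localhost")
    if code == "F2" and "Shell=" in detail and len(names) > 1:
        reasons.append("extra executable chained to shell")  # explorer.exe + ibm00009.exe
    if code == "O20":
        reasons.append("Winlogon Notify DLL loads at every logon")
    if "(file missing)" in detail:
        reasons.append("registry points to a missing file")
    return Entry(code, detail, tuple(reasons))
def flagged(log: str) -> List[Entry]:
    """Every entry line of a log text that has at least one reason."""
    return [e for e in map(analyse, log.splitlines()) if e and e.reasons]
# Constructed sample: a subset of the log posted in the thread, one benign O2 line included.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00009.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [hedgie] C:\WINDOWS\System32\hedgie.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msgconfigre.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\System32\fcgfqdbp.dll (file missing)
"""
```

Running `flagged(SAMPLE_LOG)` returns the eight entries the replies told polo to fix and leaves the Acrobat BHO alone; the O21 line is reported twice over, as a known indicator and as a registry key pointing at a missing file.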