Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan bs


  • This topic is locked This topic is locked

#1
TinHead

TinHead

    Member

  • Member
  • PipPip
  • 45 posts
Howz't :) ill get str8 2 the point

i got 14 infected files that AVG found but i used another program that said it found 201 files infected but the other programm couldnt delete them unless u buy the product?? ummm avg has found 14 infected files (trojan) but when i try n delete the files it tells me 2 restart computer for it to take effect, so i restart and there still there?? very very annoying. :tazz: ;)
file infected is
"C:\_RESTORE\TEMP\A0066700.CPY"

can anyone recommend me a FREE programm that will find and delete ALL infected files on my HD??

Cheers :) :)

;) :) :) :)
  • 0

Advertisements


#2
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi TinHead

Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

Kc :tazz:
  • 0

#3
TinHead

TinHead

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
i just copyd and pasted from the note pad that opend when the programm finishd :tazz: hes the result, hope someone can help.

Thanks ;) ;)

Logfile of HijackThis v1.99.1
Scan saved at 6:09:00 p.m., on 8/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\NVSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSMSGS.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\STEAM\STEAM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmai...earch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchmaid.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Name - {55D689CE-A956-4A97-B6E2-BFDBBE03BCB9} - C:\WINDOWS\SYSTEM\MSDWE.DLL (file missing)
O2 - BHO: (no name) - {D6E7022C-084D-49EB-A8F8-E896C4D9ACF5} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8FC05D41-4559-49A0-A562-1549A33C7152} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8FC05D41-4559-49A0-A562-1549A33C7152} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {2481DB93-523C-461E-83C1-3672E7233551} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2481DB93-523C-461E-83C1-3672E7233551} - (no file) (HKCU)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.85,195.225.176.37
O18 - Filter: text/html - {4C6E287D-8F2F-4391-A044-2985693F3313} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL
O18 - Filter: text/plain - {4C6E287D-8F2F-4391-A044-2985693F3313} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL
  • 0

#4
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi TinHead

Download the CCleaner unzip the file to install. Don't run it yet.

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first. Don't run it yet.

Download CW-Shredder at the link below:
CWShredder
Run CWShredder to fix your CWS problem.

Please set your system to show all files; please see here if you're unsure how to do this.

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:
C:\WINDOWS\POPUPER.EXE
Exit the Task Manager when finished.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://targetclicks.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchmai...earch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchmaid.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Name - {55D689CE-A956-4A97-B6E2-BFDBBE03BCB9} - C:\WINDOWS\SYSTEM\MSDWE.DLL (file missing)
O2 - BHO: (no name) - {D6E7022C-084D-49EB-A8F8-E896C4D9ACF5} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: Virtual Maid - {77B2F8DE-CB3F-4b6b-839B-807DD1ADBA1C} - C:\PROGRA~1\VIRTUA~1\VIRTUA~1.DLL (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {8FC05D41-4559-49A0-A562-1549A33C7152} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8FC05D41-4559-49A0-A562-1549A33C7152} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {2481DB93-523C-461E-83C1-3672E7233551} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2481DB93-523C-461E-83C1-3672E7233551} - (no file) (HKCU)
O18 - Filter: text/html - {4C6E287D-8F2F-4391-A044-2985693F3313} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL
O18 - Filter: text/plain - {4C6E287D-8F2F-4391-A044-2985693F3313} - C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL

Click on Fix Checked when finished and exit HijackThis.

Please run AD-Aware se

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\PROGRA~1\VIRTUA~1<--Delete this whole folder
C:\WINDOWS\web\related.htm<--Delete this file
C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL<--Delete this file
Exit Explorer.

Open the ccleaner.
Place a check by everything in the Applications tab.
Place a check by Internet Explorer, Windows explorer, and System in the Windows tab.
Now click on Run Cleaner

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#5
TinHead

TinHead

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Hi ;) i done wat u told me to do but when i restarted in safe mode and had to find those three files i couldnt find them :tazz: so i just done everything else and heres the logs. ;)

Activcescan log.

Incident Status Location
Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/Msnagent No disinfected C:\WINDOWS\SYSTEM\dosxpd.exe
Adware:Adware/Findspy No disinfected C:\WINDOWS\SYSTEM\fixmapirs.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\mm63.INF


Logfile of HijackThis v1.99.1
Scan saved at 10:00:38 p.m., on 11/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\NVSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.85,195.225.176.37

hope i done everything rite :-)
  • 0

#6
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi TinHead

Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
C:\WINDOWS\SYSTEM\wldr.dll
C:\WINDOWS\SYSTEM\dosxpd.exe
C:\WINDOWS\SYSTEM\fixmapirs.exe
C:\WINDOWS\Downloaded Program Files\mm63.INF


Reboot into normal mode.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#7
TinHead

TinHead

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Hi thatman :tazz:
do i copy

C:\WINDOWS\SYSTEM\wldr.dll
C:\WINDOWS\SYSTEM\dosxpd.exe
C:\WINDOWS\SYSTEM\fixmapirs.exe
C:\WINDOWS\Downloaded Program Files\mm63.INF

into the "full path of file to delete" box or do i copy

C:\PROGRA~1\VIRTUA~1
C:\WINDOWS\web\related.htm
C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL

cheers ;)
  • 0

#8
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi TinHead

Download Pocket Killbox and unzip it; save it to your Desktop.
Run it, and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
C:\PROGRAM FILES\Virtual Maid \Virtual Maid .DLL
C:\WINDOWS\SYSTEM\wldr.dll
C:\WINDOWS\SYSTEM\dosxpd.exe
C:\WINDOWS\SYSTEM\fixmapirs.exe
C:\WINDOWS\Downloaded Program Files\mm63.INF
C:\WINDOWS\web\related.htm
C:\WINDOWS\SYSTEM\DSKRFUOUI.DLL

End of killbox file's

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#9
TinHead

TinHead

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Hi thatman :tazz: heres the logs of the pandascan and HJT.
;) ;) :) :)

Virus:Trj/Small.JU No disinfected C:\WINDOWS\popuper.exe


Logfile of HijackThis v1.99.1
Scan saved at 9:53:48 a.m., on 12/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\NVSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.85,195.225.176.37
  • 0

#10
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi TinHead

Please set your system to show {br}all files; please see here if you're unsure how to do this.

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:
B]C:\WINDOWS\POPUPER.EXE[/B]
Exit the Task Manager when finished.

{Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\POPUPER.EXE
Exit Explorer, and reboot as normal afterwards.

Please run the following free, online virus scans.{br}http://www.pandasoft...rt_corp.asp{br}
Please post the logs From Panda virus scan and HJT.log
we will need them to remove previous infections that have left files on your system.


Kc :tazz:
  • 0

Advertisements


#11
TinHead

TinHead

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
howz it :)

i done the pandascan and said no viruses found and i done the second scan
and it found 12 viruses

virus:
TROJ ESSPOR.G
TROJ ESEPOR.Y
TROJ SMALL.AN
TSPY DLOADER.DH
TROJ LOWZONES.BI
TROJ ESEPOR.G
TROJ DLOADER.DO
TROJ STARTPAG.LP
TROJ STARTPGE.DF
TSPY DLOADER.DG
TROJ ZLOB.Z

i tryd to select the option "clean" but it said they were in use and couldnt be
cleand or deleted :tazz: ;) ;)

Logfile of HijackThis v1.99.1
Scan saved at 9:14:20 p.m., on 12/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\NVSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.184.85,195.225.176.37

Cheers :) :)
  • 0

#12
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi TinHead

Lets see if this will find any hidden Trojan’s http://www.ewido.net/en/download/

This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.

Kc :tazz:
  • 0

#13
TinHead

TinHead

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Hi thatman i downloaded that programm and tryd to install it
but it told me i need windows 2000 or higher and i have
windows ME?? also this might not have anything to do with this
topic but, as i was writing this out my computer restarted 7 times
by itself randomly... 1 afta another each time i tryd to "add a reply"
so i rote it in note pad copyd and just pasted it in here.
  • 0

#14
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi TinHead

Sorry that my fault forgot you had Me.


Please try the following trojan scans: use Internet Explorer for the scan.
* WindowsSecurity

Kc :tazz:
  • 0

#15
TinHead

TinHead

    Member

  • Topic Starter
  • Member
  • PipPip
  • 45 posts
Hi thatman, sall good :-)
ahh i done that scan heres the results

"Starting scan at 23:34:21:800...
Scan Memory
Memory not infected
Scan folder: 'C:\', recursive
Finished scan at 23:39:10:930
Total number of files is 15157, number of infected files is 0
Average files per second is 52, average file size is 10208920"

umm does that mean the programm found and deleted those virus i posted
earlyer or is it saying that it cant find them??

cheers :tazz: ;)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP