Error #317, Stealth.Hjack virus, www.newgenlook.info



#1
cherubkim

I went to a website yesterday and VET AntiVirus started going crazy detecting viruses. I was telling it to heal and/or delete, but it couldn't do it.

I immediately had all kinds of desktop icons that, when deleted, just come back. I have an icon in the system tray that looks like the Windows error icon, the red circle with a white X in it. When clicked, a browser page opens of the website http://www.newgenlook.info/ad/ad0278/ or other various pages at that domain, and my browser keeps redirecting during use. I also get balloon pop-ups from this icon stating things such as "My computer has been infected by a stealth trojan and will not boot properly next startup" and "Unknown Pop-ups detected".

My home page was changed to a newgenlook.info page, and I get various pop-ups and redirects. One really annoying thing is that I will get a system message that states the following:

Error #317 - Microsoft Internet Security Warning
Windows is corrupted with spyware virus.
You must patch your pc urgently to protect your system
Private info is accessed by ports:
-8080
-3128
You can patch your pc for free now and delete all spyware viruses
Click ok to choose and download free spyware removal using AntiSpy

I always close or "cancel" this message and it always redirects me.

I have run the following:
Microsoft AntiSpyware Beta
Trend Micro PC-cillin (7.100.1003/2.184.00)
Ad-Aware (found hotoffers and removed)
CW Shredder 2.14
Trend Housecall
Spybot – Search & Destroy (found 8 items, fixed and immunized)

I am on an office network so am unsure as to how to disconnect this workstation from internet access if needed.
Below is HJT log… thank you in advance

---------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:21:52 AM, on 29/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Vet\isafe.exe
C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
C:\WINDOWS\Explorer.EXE
C:\Vet\VetMsg.exe
C:\Vet\VetTray.exe
C:\Documents and Settings\ksamiotis.CARMICHAELWEBER\Application Data\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Macpro\Enterprise\scktsrvr.exe
C:\Documents and Settings\ksamiotis.CARMICHAELWEBER\Desktop\HijackThis.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\userinit.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://PDCSRV:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Documents and Settings\ksamiotis.CARMICHAELWEBER\Application Data\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Borland Socket Server.lnk = C:\Program Files\Macpro\Enterprise\scktsrvr.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.m-w.com/t.../webinstall.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15....es/MsnPUpld.cab
O16 - DPF: {5A3C6507-730A-43B2-8EAC-4C430F2EF35E} (PortfolioManager Class) - https://portfolioman...oliomanager.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = carmichaelweber.com.au
O17 - HKLM\Software\..\Telephony: DomainName = carmichaelweber.com.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{60F00273-EC81-4F16-BCEE-4354B736CE94}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = carmichaelweber.com.au
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - InterBase Software Corp. - C:\Program Files\InterBase Corp\InterBase\bin\ibserver.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe


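An added example, not part of the original thread: a small Python triage script that parses HijackThis entry lines like those in the log above and lists the entries that point at the domain the poster reported (newgenlook.info). The sample lines are copied from the post; the function names are illustrative, and the host comparison is anchored on a dot so that look-alike names do not match.

```python
import re
from collections import Counter

# Sample input: a few lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://PDCSRV:8080
O2 - BHO: Merriam-Webster Online BHO - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
"""

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)

def parse_entries(log_text):
    """Return (code, detail) pairs; header and running-process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def hosts_in(detail):
    """Lower-cased host names of every http(s) URL in an entry."""
    return {h.lower().rstrip(".") for h in URL_HOST_RE.findall(detail)}

def host_matches(host, domain):
    """True for the domain itself or any subdomain, not for look-alike names."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

def entries_for_domain(entries, domain):
    """Entries whose data references the given domain."""
    return [(c, d) for c, d in entries
            if any(host_matches(h, domain) for h in hosts_in(d))]

def section_counts(entries):
    return Counter(code for code, _ in entries)

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print(dict(section_counts(parsed)))
    for code, detail in entries_for_domain(parsed, "newgenlook.info"):
        print(f"[{code}] {detail}")
```

On the sample lines the only match is the R0 entry, the Internet Explorer Start Page value, which corresponds to the changed home page described in the post.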
#2
cherubkim

:tazz:
;)
Pleaaaaase help me... I need to use this PC every day for work and it's really difficult... keep getting [bleep] pop-ups plus error messages, etc.

;)
Thanks

#3
cherubkim

I seem to have solved the problem now. Managed to uninstall a suspicious-looking program in Add/Remove Programs, which has returned the system to normal on reboot?

Thanks anyway