Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan virus [CLOSED]

Started by TechieDisabled , Aug 02 2005 10:10 AM

  • This topic is locked This topic is locked

#1
TechieDisabled
Posted 02 August 2005 - 10:10 AM

TechieDisabled

    New Member

  • Member
  • Pip
  • 2 posts
My computer (Windows 98) is infected with a virus which sporadically sends to all my contacts on msn messenger. Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 13:12:24, on 02/08/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\POKER3.EXE
C:\WINDOWS\SYSTEM\8N8AKL3M.EXE
C:\ARQUIVOS DE PROGRAMAS\ANTIVIRUSKIT 2004\AVKWCTL9.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\G DATA\AVKMAIL\AVKPOP.EXE
C:\WINDOWS\SYSTEM\POKER3.EXE
C:\ARQUIVOS DE PROGRAMAS\WINZIP\WZQKPICK.EXE
C:\ARQUIVOS DE PROGRAMAS\AOL BRASIL 8.0\AOLTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\WINDOWS\SERVICES32.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\PP.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\ARQUIVOS DE PROGRAMAS\ANTIVIRUSKIT 2004\AVKSERVICE.EXE
C:\WINDOWS\ETB\POKAPOKA62.EXE
C:\WINDOWS\PP.EXE
C:\WINDOWS\PP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\O3XZI6ND\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.br/0SEPTBR/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ricosurf.com.br/
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKLM\..\Run: [xcvkr] C:\WINDOWS\xcvkr.exe
O4 - HKLM\..\Run: [8n8akl3m] C:\WINDOWS\SYSTEM\8n8akl3m.exe
O4 - HKLM\..\Run: [AVKWCtl] C:\ARQUIV~1\ANTIVI~1\AVKWCTL9.EXE
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\G DATA\AVKMAIL\AVKPOP.EXE"
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\ETB\POKAPOKA62.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [services32] C:\Arquivos de programas\Arquivos comuns\Windows\mc-58-12-0000080.exe
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O4 - Startup: Restart.exe
O4 - Startup: Mini AOL.lnk = C:\Arquivos de programas\Mini AOL\companion.exe
O4 - Startup: AOL Brasil 8.0 Tray Icon.lnk = C:\Arquivos de programas\AOL Brasil 8.0\aoltray.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZSYYYYYYYYBR
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab

PLEASE HELP ME!!!
  • 0

Advertisements

#2
didom
Posted 06 August 2005 - 02:08 PM

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Unzip HJT into it's own permanent folder before doing anything in order for it to create backups. (Not a temporary folder & not on the desktop).
Please create a directory on your c: drive called c:\hijackthis (and download) and unzip hijackthis into that directory. Run the program from that directory from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.

------------------------------------

Scan again with HijackThis and check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKLM\..\Run: [xcvkr] C:\WINDOWS\xcvkr.exe
O4 - HKLM\..\Run: [8n8akl3m] C:\WINDOWS\SYSTEM\8n8akl3m.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\ETB\POKAPOKA62.EXE
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [services32] C:\Arquivos de programas\Arquivos comuns\Windows\mc-58-12-0000080.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZSYYYYYYYYBR
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Make sure all hidden files and folders are visible (Instructions )
Reboot your computer into safe mode (Instructions)

Find and delete these files and folders (if they are still there):
Files:
C:\WINDOWS\PP.EXE
C:\WINDOWS\xcvkr.exe
C:\WINDOWS\SYSTEM\POKER3.EXE
C:\WINDOWS\SYSTEM\8N8AKL3M.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\WINDOWS\SERVICES32.EXE

Folders:
C:\WINDOWS\ETB
C:\Arquivos de programas\Arquivos comuns\Windows

Reboot your computer back into normal mode

Run Panda's online virus scan and perform a full system scan.
And save the results!

Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Panda scan!

Let me know if any problems persist.
  • 0

#3
didom
Posted 18 August 2005 - 04:38 AM

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP