Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan virus [CLOSED]


  • This topic is locked This topic is locked

#1
TechieDisabled

TechieDisabled

    New Member

  • Member
  • Pip
  • 2 posts
My computer (Windows 98) is infected with a virus which sporadically sends to all my contacts on msn messenger. Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 13:12:24, on 02/08/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\POKER3.EXE
C:\WINDOWS\SYSTEM\8N8AKL3M.EXE
C:\ARQUIVOS DE PROGRAMAS\ANTIVIRUSKIT 2004\AVKWCTL9.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\G DATA\AVKMAIL\AVKPOP.EXE
C:\WINDOWS\SYSTEM\POKER3.EXE
C:\ARQUIVOS DE PROGRAMAS\WINZIP\WZQKPICK.EXE
C:\ARQUIVOS DE PROGRAMAS\AOL BRASIL 8.0\AOLTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\WINDOWS\SERVICES32.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\PP.EXE
C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE
C:\ARQUIVOS DE PROGRAMAS\ANTIVIRUSKIT 2004\AVKSERVICE.EXE
C:\WINDOWS\ETB\POKAPOKA62.EXE
C:\WINDOWS\PP.EXE
C:\WINDOWS\PP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\O3XZI6ND\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.br/0SEPTBR/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ricosurf.com.br/
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARQUIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKLM\..\Run: [xcvkr] C:\WINDOWS\xcvkr.exe
O4 - HKLM\..\Run: [8n8akl3m] C:\WINDOWS\SYSTEM\8n8akl3m.exe
O4 - HKLM\..\Run: [AVKWCtl] C:\ARQUIV~1\ANTIVI~1\AVKWCTL9.EXE
O4 - HKLM\..\Run: [AVK Mail Checker] "C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\G DATA\AVKMAIL\AVKPOP.EXE"
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\ETB\POKAPOKA62.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [services32] C:\Arquivos de programas\Arquivos comuns\Windows\mc-58-12-0000080.exe
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O4 - Startup: Restart.exe
O4 - Startup: Mini AOL.lnk = C:\Arquivos de programas\Mini AOL\companion.exe
O4 - Startup: AOL Brasil 8.0 Tray Icon.lnk = C:\Arquivos de programas\AOL Brasil 8.0\aoltray.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZSYYYYYYYYBR
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...up1.0.0.8-2.cab

PLEASE HELP ME!!!
  • 0

Advertisements


#2
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Unzip HJT into it's own permanent folder before doing anything in order for it to create backups. (Not a temporary folder & not on the desktop).
Please create a directory on your c: drive called c:\hijackthis (and download) and unzip hijackthis into that directory. Run the program from that directory from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.

------------------------------------

Scan again with HijackThis and check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKLM\..\Run: [xcvkr] C:\WINDOWS\xcvkr.exe
O4 - HKLM\..\Run: [8n8akl3m] C:\WINDOWS\SYSTEM\8n8akl3m.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\ETB\POKAPOKA62.EXE
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] poker3.exe
O4 - HKCU\..\Run: [services32] C:\Arquivos de programas\Arquivos comuns\Windows\mc-58-12-0000080.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZSYYYYYYYYBR
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Make sure all hidden files and folders are visible (Instructions )
Reboot your computer into safe mode (Instructions)

Find and delete these files and folders (if they are still there):
Files:
C:\WINDOWS\PP.EXE
C:\WINDOWS\xcvkr.exe
C:\WINDOWS\SYSTEM\POKER3.EXE
C:\WINDOWS\SYSTEM\8N8AKL3M.EXE
C:\ARQUIVOS DE PROGRAMAS\ARQUIVOS COMUNS\WINDOWS\SERVICES32.EXE

Folders:
C:\WINDOWS\ETB
C:\Arquivos de programas\Arquivos comuns\Windows

Reboot your computer back into normal mode

Run Panda's online virus scan and perform a full system scan.
And save the results!

Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Panda scan!

Let me know if any problems persist.
  • 0

#3
didom

didom

    Member 1K

  • Member
  • PipPipPipPip
  • 1,919 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP