raman
December 16, 2003, 4:01pm
21
You only need the “how to get rid of this”: http://www.merijn.org/cwschronicles.html#cwshredder
and please let these fix too:
O4 - HKLM..\Run: [QuickTime Task] “C:\Archivos de programa\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [IST Service] C:\Archivos de programa\ISTsvc\istsvc.exe
O4 - HKLM..\Run: [Power Scan] C:\Archivos de programa\Power Scan\powerscan.exe
O4 - HKLM..\Run: [AttuneClientEngine] C:\ARCHIV~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM..\Run: [CorelCorelDRAW10 Reminder] “C:\Archivos de programa\Corel\Graphics10\Register\NAVBrowser.exe” /r /i “C:\Archivos de programa\Corel\Graphics10\Register\NavLoad.ini”
O4 - HKLM..\Run: [WinampAgent] “C:\Archivos de programa\Música\Winamp\winampa.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe” -osboot
Maybe after get rid of all these, the Windowsupdatepage will work again.
Please post a new log after fixing all( incl. the cwshredder)
system
December 16, 2003, 4:15pm
22
I did everything, but the error page keeps on coming back, here`s the log after the SWshredder and fixing the files you specified…
Logfile of HijackThis v1.97.7
Scan saved at 12:10:12 p.m., on 16/12/2001
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe
C:\Archivos de programa\Música\Winamp\winampa.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\program files\Webdialer\od-shma33.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\Archivos comunes\GMT\GMT.exe
C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\ARCHIV~1\WINZIP\wzqkpick.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kizzy\Escritorio\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM..\Run: [AHQInit] C:\Archivos de programa\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM..\Run: [AudioHQ] C:\Archivos de programa\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [Mirabilis ICQ] C:\ARCHIV~1\ICQ\ICQNet.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{06E44AF3-7F44-4A5E-A634-3CDD4F73F593}: NameServer = 200.35.65.3 200.35.65.4
O17 - HKLM\System\CS1\Services\Tcpip..{06E44AF3-7F44-4A5E-A634-3CDD4F73F593}: NameServer = 200.35.65.3 200.35.65.4
raman
December 16, 2003, 4:28pm
23
The "Problem is, that Hijackthis only fix the registry, but not delete any files. Avast should be able to delte the files(at least in safe mode). And you should also give adaware a try( www.lavasoft.com ) because the Spy/Adware is still on your pc.
BTW forgot this. Its Spyware, too:
O4 - HKLM..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
BTW2: in which file does Avast find the torj-gen
system
December 16, 2003, 7:01pm
24
Hello, im back… so what do I do now?
What do I need from http://www.lavasoft.com/
Do you want me to restart my computer in safe mode and run the scan again? and try to delete that file you specified?
???
raman
December 16, 2003, 7:11pm
25
Sorry wrong link!
Adaware: http://lavasoft.element5.com/default.shtml.es
or SpybotSD: http://www.safer-networking.org/index.php?page=download
and yes, start you pc in safe mode and let Avast scan your PC.
system
December 22, 2003, 9:04pm
26
File: C:\WINDOWS\system32\audio.exe
OS: WinXP
Online virus scan done with Trent showed nothing however Avast keeps finding this file. I have run ad-aware and spybot too and cleaned up everything they found
Hijack This log:
Logfile of HijackThis v1.97.7
Scan saved at 22:00:07, on 22-12-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\D-Tools\daemon.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmer\SmartLaunch\Server\Server.exe
C:\Programmer\SmartLaunch\Administrator\Admin.exe
C:\Documents and Settings\Maddog.KIOSK\Skrivebord\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [DAEMON Tools-1033] “C:\Programmer\D-Tools\daemon.exe” -lang 1033
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [bybdzzl] rundll32 C:\WINDOWS\System32:bybdzzl.dll,Init 1
O4 - HKLM..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU..\Run: [MsnMsgr] “C:\Programmer\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKLM..\RunOnce: [*bybdzzl] rundll32 C:\WINDOWS\System32:bybdzzl.dll,Init 1
O4 - HKLM..\RunOnce: [KB826939] rundll32.exe apphelp.dll,ShimFlushCache
O4 - Global Startup: Smartlaunch Server.lnk = C:\Programmer\SmartLaunch\Server\Server.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37977.5068518519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{B9A5FA46-20D8-426C-8E6F-4A9E5787FF00}: NameServer = 193.88.44.42,193.88.44.22
raman
December 22, 2003, 9:24pm
27
Possibly Afcore Variant:
O4 - HKLM..\RunOnce: [*bybdzzl] rundll32 C:\WINDOWS\System32:bybdzzl.dll,Init 1
If you are able to find the file test it here: http://www.kaspersky.com/remoteviruschk.html
system
December 22, 2003, 9:41pm
28
found the audio one and scanned it and it found nothing. Couldn’t find the bybdzzl.dll or anything like that anywhere…
raman
December 23, 2003, 4:47am
29
Fix the bybdzzl.dll lines and than type
rundll32 C:\WINDOWS\System32:bybdzzl.dll,uninstall that will uninstall it.
system
December 23, 2003, 5:59am
30
Okay did that.
Logfile of HijackThis v1.97.7
Scan saved at 06:58:03, on 23-12-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\D-Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmer\SmartLaunch\Server\Server.exe
C:\Programmer\SmartLaunch\Administrator\Admin.exe
C:\WINDOWS\System32\cidaemon.exe
C:\MozillaFirebird\MozillaFirebird.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Maddog.KIOSK\Skrivebord\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [DAEMON Tools-1033] “C:\Programmer\D-Tools\daemon.exe” -lang 1033
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKLM..\Run: [THGuard] C:\Programmer\TrojanHunter 3.7\THGuard.exe
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU..\Run: [STYLEXP] C:\Programmer\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU..\Run: [msnmsgr] “C:\Programmer\MSN Messenger\msnmsgr.exe” /background
O4 - Global Startup: Smartlaunch Server.lnk = C:\Programmer\SmartLaunch\Server\Server.exe
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37977.5068518519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{B9A5FA46-20D8-426C-8E6F-4A9E5787FF00}: NameServer = 193.88.44.42,193.88.44.22
raman
December 23, 2003, 7:20am
31
The log looks clean(to me). The audio.exe could be a “spamtrojan” just delete/or remove it from the Windowsdir if you want to keep it.
system
December 24, 2003, 8:21pm
32
I’m also having problems with win32:trojan-gen. A screen appeard when I was scanning my computer saying it was infected with win32:trojan-gen {VC}. I tried to remove it, but it wasn’t possible and I suspect that deleting the file will damage my computer. :-
Could you please help me?
It infected C:_restore\temp\A0151091.cpy. And this is the hijackthis log:
Logfile of HijackThis v1.97.7
Scan saved at 18:15:51, on 24/12/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\ARQUIVOS DE PROGRAMAS\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\CSRSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARQUIVOS DE PROGRAMAS\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {BD51AEC6-7991-4A60-94D6-D5FEBB655D10} - C:\WINDOWS\SYSTEM\IEMSG.DLL
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [CountrySelection] pctptt.exe
O4 - HKLM..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime
O4 - HKLM..\Run: [CSRSS] C:\WINDOWS\CSRSS.EXE
O4 - HKLM..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM..\RunServices: [avast!] C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ (HKLM)
O9 - Extra button: Coches (HKLM)
O12 - Plugin for .spop: C:\ARQUIV~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\ARQUIV~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA4EB021-5F1C-11D4-B006-00104B98E2C7} (McAfee Clinic Installer Control) - http://download.mcafee.com/molbin/shared/MInstall.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37819.2653935185
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/support/chipdetect/SiSAutodetect98.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4306/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = Terra.com.br
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 200.204.0.10,200.204.0.138
Thanks
raman
December 25, 2003, 8:55am
33
One of your Problems is CWS: http://www.merijn.org/cwschronicles.html
Pleas test this file: C:\WINDOWS\CSRSS.EXE
here: http://www.kaspersky.com/remoteviruschk.html what virus does it report? Ciadoor? After doing all this( the cwshredder), post a new log.
system
December 25, 2003, 1:24pm
34
CWShredder says the computer is clean and the antivirus didn’t report any virus… :-\ hum… it doen’t look good to me… What should I do???
raman
December 25, 2003, 2:10pm
35
We will do it manually. Fix the following things:
Everything under R
O2 - BHO: (no name) - {BD51AEC6-7991-4A60-94D6-D5FEBB655D10} - C:\WINDOWS\SYSTEM\IEMSG.DLL
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime
O4 - HKLM..\Run: [CSRSS] C:\WINDOWS\CSRSS.EXE
O4 - HKLM..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/support/chipdetect/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/support/chipdetect/SiSAutodetect98.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4306/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
Make a restart and post a new log.
It would be nice if you could send me these files:
C:\WINDOWS\BXXS5.DLL
C:\WINDOWS\CSRSS.EXE
to the Email which can be found in my Profil or to virus@rokop-security.de
system
December 25, 2003, 4:18pm
36
I just did what you told. This is the log:
Logfile of HijackThis v1.97.7
Scan saved at 13:54:03, on 25/12/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\ARQUIVOS DE PROGRAMAS\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARQUIVOS DE PROGRAMAS\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
F1 - win.ini: load=ptsnoop.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [CountrySelection] pctptt.exe
O4 - HKLM..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM..\RunServices: [avast!] C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O8 - Extra context menu item: &Define - C:\WINDOWS\Web\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\WINDOWS\Web\ERS_ENC.HTM
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\ERS_SRC.HTM
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ (HKLM)
O9 - Extra button: Coches (HKLM)
O12 - Plugin for .spop: C:\ARQUIV~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\ARQUIV~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA4EB021-5F1C-11D4-B006-00104B98E2C7} (McAfee Clinic Installer Control) - http://download.mcafee.com/molbin/shared/MInstall.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37819.2653935185
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
I sent you csrss.exe, but I couldn’t send bxxs5.dll cause it disappeard after I fixed that stuff.
Is there anything else I should do?
By the way, Merry Christmas!! And thaks for helping
raman
December 25, 2003, 5:50pm
37
Thanks, and no problem.
Is there anything else I should do?
Yes, please fix this:
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
and update your Windows /IE via www.windowsupdate.com
system
December 26, 2003, 12:25pm
38
I fixed that and updated Windows, but the antivirus keeps saying the file is infected and I can’t repair or remove it… :-. ??? What could that be? ???
raman
December 26, 2003, 12:33pm
39
Which file is reported as infected and where is it located(folder)?
You/Avast should be able to clean the file in Windows safe mode.
system
December 26, 2003, 12:33pm
40
my antivirus sw picked up a " Win32:Trojan-gen. {UPX!} " virus.
Logfile of HijackThis v1.97.7
Scan saved at 4:27:11 AM, on 12/26/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra ‘Tools’ menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra ‘Tools’ menuitem: Show &Related Links (HKLM)
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} (IELoaderCtl Class) - http://install.global-netcom.de/ieloader.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0642e5bee8eb0ff6a106/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37956.0703472222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{57F83B31-4A82-4AB7-A10A-8FE126632530}: NameServer = 206.13.28.12 206.13.29.12
O17 - HKLM\System\CS1\Services\Tcpip..{57F83B31-4A82-4AB7-A10A-8FE126632530}: NameServer = 206.13.28.12 206.13.29.12
what should i do next?