I'm an about blank victim - please help



#1 omar


Posted 21 July 2004 - 04:19 PM

I can't get rid of it; it has been driving me mad for weeks now:




Logfile of HijackThis v1.98.0
Scan saved at 21:22:38, on 21/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SAMSUNG\SAMSUNG AHT-E310\CnxDslTb.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\qwerty.exe
C:\windows\system32\tasker32.exe
C:\documents and settings\colin\local settings\temp\Dq.exe
C:\documents and settings\colin\local settings\temp\A.exe
C:\WINDOWS\System32\svvhost.exe
C:\WINDOWS\System32\wuamagr32.exe
C:\documents and settings\judith\local settings\temp\zC.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wapisvsu.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\james\Local Settings\Temp\Temporary Directory 4 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.ush.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.ush.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.ush.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.ush.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.ush.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.ush.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.ush.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.ush.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.ush.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.ush.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.timecomputers.com/
O1 - Hosts: 213.159.117.235 auto.search.msn.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: HTML Class - {D879A0F1-2B3B-4409-8879-FAD6E49E1EA9} - C:\WINDOWS\System32\mshtmpre.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\SAMSUNG\SAMSUNG AHT-E310\CnxDslTb.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [LoadHTML] rundll32.exe C:\WINDOWS\System32\mshtmpre.dll,MShtmpre
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WSAConfiguration] SYSTEM.DLL
O4 - HKLM\..\Run: [C73DC3C0] C:\WINDOWS\System32\aumhgn.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] qwerty.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [Microsoft Task Scheduler] C:\windows\system32\tasker32.exe
O4 - HKLM\..\Run: [Dq] C:\documents and settings\colin\local settings\temp\Dq.exe
O4 - HKLM\..\Run: [A] C:\documents and settings\colin\local settings\temp\A.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [qs4X37e] rmbpdmoe.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [Windows Firewalll] svvhost.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamagr32.exe
O4 - HKLM\..\Run: [zC] C:\documents and settings\judith\local settings\temp\zC.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [WSAConfiguration] SYSTEM.DLL
O4 - HKLM\..\RunServices: [C6C73160] C:\WINDOWS\System32\aumhgn.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] qwerty.exe
O4 - HKLM\..\RunServices: [Microsoft Task Scheduler] C:\windows\system32\tasker32.exe
O4 - HKLM\..\RunServices: [Windows Firewalll] svvhost.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamagr32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] qwerty.exe
O4 - HKCU\..\Run: [Bssn] C:\Documents and Settings\james\Application Data\euea.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WTSS] C:\WINDOWS\System32\wapisvsu.exe
O4 - HKCU\..\Run: [Windows Firewalll] svvhost.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamagr32.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: ScreenSaverPlus - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\System32\ScreenSaverPlus (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A860EBB1-22CD-42F1-A309-67ACB7E8A92D}: NameServer = 213.40.66.126 213.40.130.126
O18 - Protocol: start - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\CFILORUX.dll
O18 - Filter: text/html - {63B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32\CFILORUX.dll
O18 - Filter: text/plain - {63B95211-7D77-11D2-9F80-00104B107C96} - C:\WINDOWS\System32\CFILORUX.dll



How can I fix the problem?

#2 strafer


Posted 21 July 2004 - 04:25 PM

Download About Buster (click here)

Run it in safe mode.

To get in safe mode, hit F5 a few times at the very beginning of startup.

After running it, change your homepage back to what you want it to be.

This should fix the problem.

Hope this helps.

#3 omar


Posted 21 July 2004 - 04:32 PM

I'll give it a go.

#4 omar


Posted 22 July 2004 - 03:22 AM

My avast has detected this virus,

wuamagr32.exe\[UPX]

but when I try deleting it or moving it to the chest, it says "access denied". The same happens in Safe Mode.

I also tried deleting it "at next system start"

http://www.asw.cz/en...x.html#idt_1547

But I got a message saying "cannot proceed"

Please, can someone suggest how I can delete this virus?




#5 strafer


Posted 22 July 2004 - 01:14 PM

Right click on it and give yourself full access to the file. Then try deleting it. If not, download killbox or process killer. You will have to search for those because I cannot find the url; sorry.
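
Added example, not part of the original thread and not HijackThis code: a short Python triage over an excerpt of the log in post #1 that lists where the file avast flagged, wuamagr32.exe, is running or registered to start. The function names are assumptions, and only the process list and O4 (autorun) lines are parsed.

```python
import re

# Excerpt of the HijackThis log posted in this thread (not the full log).
LOG = r"""Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svvhost.exe
C:\WINDOWS\System32\wuamagr32.exe

O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamagr32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamagr32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] wuamagr32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def image_name(command):
    """Lower-cased executable file name taken from a path or command line."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:  # unquoted paths may contain spaces: cut after the first extension
        m = re.match(r"(.+?\.(?:exe|dll|com|bat))\b", command, re.I)
        path = m.group(1) if m else command
    return path.rsplit("\\", 1)[-1].lower()

def parse(log):
    """Split a log into running image paths and O4 (autorun) entries."""
    running, autoruns, in_procs = [], [], False
    for line in map(str.strip, log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            running.append(line)
        elif (m := O4_RE.match(line)):
            autoruns.append((m["key"], m["name"], m["cmd"]))
    return running, autoruns

def persistence_of(log, filename):
    """Where the log shows `filename` running or registered to start."""
    running, autoruns = parse(log)
    target = filename.lower()
    return {
        "running": [p for p in running if image_name(p) == target],
        "autoruns": [(k, n) for k, n, c in autoruns if image_name(c) == target],
    }
```

On this excerpt, `persistence_of(LOG, "wuamagr32.exe")` reports one running process and three autorun keys that reference the file.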



