Good lord, I'm swamped with viruses and other crap


4 replies to this topic

#1 arkitech (Full Member, 6 posts)

Posted 29 July 2004 - 06:11 PM

Here's my logfile; maybe one of you guys can help me figure out what I need to do to get rid of these viruses.



Logfile of HijackThis v1.98.0
Scan saved at 6:09:14 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\PROGRA~1\Grisoft\AVG6\avgserv.exe
H:\Program Files\Network Associates\Common Framework\FrameworkService.exe
H:\Program Files\Network Associates\VirusScan\mcshield.exe
H:\Program Files\Network Associates\VirusScan\vstskmgr.exe
H:\Program Files\Radmin\r_server.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\QuickTime\qttask.exe
H:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
H:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
H:\Program Files\Winamp\winampa.exe
H:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
H:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\WinZip\WZQKPICK.EXE
H:\WINDOWS\System32\wuauclt.exe
H:\WINDOWS\system32\sol.exe
H:\WINDOWS\System32\mshta.exe
H:\WINDOWS\System32\mshta.exe
H:\WINDOWS\System32\mshta.exe
H:\WINDOWS\System32\mshta.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Common Files\Real\Update_OB\realsched.exe
H:\Downloads\Applications\hjtlog.exe
H:\Downloads\Applications\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = H:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysear...nfo/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = H:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dd88.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysear...nfo/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = H:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = H:\WINDOWS\secure.html
O1 - Hosts: 69.93.131.132 fadama.com
O1 - Hosts: 69.93.131.132 www.link8.com
O1 - Hosts: 69.93.131.132 www.avsex.tv
O1 - Hosts: 69.93.131.132 www.easypic2.com
O1 - Hosts: 69.93.131.132 www.rawpussy.com
O1 - Hosts: 69.93.131.132 www.sleazydream.com
O1 - Hosts: 69.93.131.132 www.freepicturepage.com
O1 - Hosts: 69.93.131.132 www.amsterdamsexxx.com
O1 - Hosts: 69.93.131.132 www.thumbco.com
O1 - Hosts: 69.93.131.132 www.cnstat.com
O1 - Hosts: 69.93.131.132 stat.t2t2.com
O1 - Hosts: 69.93.131.132 www.seetu.net
O1 - Hosts: 69.93.131.132 www.xfreehosting.com
O1 - Hosts: 69.93.131.132 www2.xfreehosting.com
O1 - Hosts: 69.93.131.132 www3.xfreehosting.com
O1 - Hosts: 69.93.131.132 www.sexushost.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - H:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [msconfig] H:\WINDOWS\system32\msconfig.exe
O4 - HKLM\..\Run: [Online Service] H:\WINDOWS\msreg.exe
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] H:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [xvwiz32] H:\WINDOWS\system32\xvwizard32.hta
O4 - HKLM\..\Run: [WinampAgent] H:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "H:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "H:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "H:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iTunesHelper] H:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msconfig] H:\WINDOWS\system32\msconfig.exe
O4 - HKCU\..\Run: [\IEService.exe] H:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [\Pribi.exe] H:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.....chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.1....chm::/load.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O21 - SSODL: System - {3B277B8A-0E9B-4035-819F-CB9505980D56} - H:\WINDOWS\system32\system32.dll (file missing)

#2 arkitech (Full Member, 6 posts)

Posted 30 July 2004 - 02:40 PM

up

#3 gravylover5, Mashed Potato Inspector (Retired Staff - Helper, 121 posts)

Posted 30 July 2004 - 03:02 PM

Hello Arkitech, and welcome to the forums. Please print out my instructions for reference during the fix.

You have a variant of the CoolWebSearch infection. Please download CWShredder, search for updates and then scan. Fix all variants that it finds. Reboot after fixing.

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+E), double-clicking C:, then right-clicking and selecting New, then Folder, and naming it HJT.
Move HijackThis.exe into this folder. When you run HijackThis from the C:\HJT folder and have it "Fix checked", it will create a backup of the modifications to use if a restore is necessary.

Post a new Hijack This log after doing the above.

#4 arkitech (Full Member, 6 posts)

Posted 30 July 2004 - 03:24 PM

Thanks for the help, bro. I ran CWShredder and it found and corrected about 4 or 5 items. I reran HijackThis and noticed some additional garbage, and I had HijackThis repair/delete those items. Here is my text file as it currently looks.


Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\System32\Ati2evxx.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\PROGRA~1\Grisoft\AVG6\avgserv.exe
H:\Program Files\Network Associates\Common Framework\FrameworkService.exe
H:\Program Files\Network Associates\VirusScan\mcshield.exe
H:\Program Files\Network Associates\VirusScan\vstskmgr.exe
H:\Program Files\Radmin\r_server.exe
H:\WINDOWS\system32\Ati2evxx.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\QuickTime\qttask.exe
H:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
H:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
H:\Program Files\Winamp\winampa.exe
H:\Program Files\Common Files\Real\Update_OB\realsched.exe
H:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
H:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\WinZip\WZQKPICK.EXE
H:\WINDOWS\System32\wuauclt.exe
H:\WINDOWS\system32\NOTEPAD.EXE
H:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - H:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - H:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] H:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] H:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [xvwiz32] H:\WINDOWS\system32\xvwizard32.hta
O4 - HKLM\..\Run: [WinampAgent] H:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "H:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShStatEXE] "H:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "H:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [iTunesHelper] H:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [\IEService.exe] H:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [\Pribi.exe] H:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.1....chm::/load.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

#5 gravylover5, Mashed Potato Inspector (Retired Staff - Helper, 121 posts)

Posted 31 July 2004 - 02:23 PM

Arkitech,

Please print out my instructions for reference during the fix.

Open Hijack This and check the boxes next to these:

O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - H:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll
O4 - HKLM\..\Run: [xvwiz32] H:\WINDOWS\system32\xvwizard32.hta
O4 - HKCU\..\Run: [\IEService.exe] H:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [\Pribi.exe] H:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.1....chm::/load.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe

Make sure all browsers and windows (including this one) are closed and hit "Fix Checked."

Reboot your computer into Safe Mode and delete the following files/folders. Be sure to show hidden files/folders.

Delete:

H:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\ <- this folder
H:\WINDOWS\system32\xvwizard32.hta <- this file
H:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\ <- this folder

Reboot your computer and post a new Hijack This log.



