My PC has been taken over!!!

Posted 06 June 2004 - 11:19 PM

G'day guys, my name's Brad and just recently, in the last week or so, I have been getting a lot of strange emails every day about me requesting virus information and other garbage, but whenever I receive these emails they are actually not even addressing me but calling me another name...

Also files have come up in my Kazaa shared folder and downloaded files, and God knows where else, that aren't mine. I didn't download them, and when I try to delete them it's a lost cause because they are just there again on startup. A lot of it is porn, and the rest appears to be software files; there are ones that mention crack files (such as microsoft office crack best, microsoft winxp crack full, crack & warez archive etc). Finally my PC also keeps giving me a warning time till it shuts down, then when the time runs out it does exactly that. It's screwed.

I've done enough computer stuff at school to know that having a cracker inside my PC isn't a good thing. So if there is one, any help you can give me will be much appreciated.

I have enclosed a log if that helps too!!
Ta, Brad

Logfile of HijackThis v1.97.7
Scan saved at 2:15:53 PM, on 6/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\setup_wm.exe
C:\Documents and Settings\Brad\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\Run: [NvClipRsv] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - Startup: svchost.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA7334CF-01ED-48B3-AA92-C442F5ED6B0B}: NameServer =

Posted 07 June 2004 - 04:32 PM

In spite of the entry in your log, O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe, there is no antivirus program on your computer, and there are traces of at least two virus processes.
First, get an online scan at either Housecall or Panda A/V, and let it fix everything it finds.

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and Windows Explorer windows are closed before fixing.

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe

O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\Run: [NvClipRsv] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - Startup: svchost.exe

Reboot, and delete

C:\Program Files\Common Files\CMEII

These may be hidden files. See HERE for how to show hidden files.

Then install a resident antivirus program. AVG free edition from Grisoft is well thought of by many of the regulars here.

If you have removed Kazaa, uninstall P2P networking from Add/Remove Programs. If not, then you are at great risk of reinfestation. I would suggest that you use a spyware free alternative, such as WinMX.

Please post a follow-up HijackThis log, and say if your problems persist.
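The reply above spots the bad entries by eye: a Shell= value that launches something besides explorer.exe, svohost.exe and swchost.exe as one-letter misspellings of svchost.exe, scrgrd.exe with no path at all, and svchost.exe started from a Run key or the Startup folder. The script below is an added example, not part of this thread and not a HijackThis feature; it runs those same checks over the F0/F2 and O4 lines copied from Brad's log. The list of imitated system binaries and the "dropped straight into C:\WINDOWS" heuristic are assumptions of the example, and the latter will also flag legitimate vendor files such as UpdReg.EXE, so treat it as a prompt to look, not a verdict.

```python
import re

# Assumption (not from the thread): a short list of core Windows binaries whose
# names malware imitates with one-letter changes. Extend it for your own triage.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe",
                "csrss.exe", "winlogon.exe", "spoolsv.exe", "smss.exe"}

# Constructed sample: the F0/F2 and O4 lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\svohost.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Norton Antivirus AV] C:\WINDOWS\FVProtect.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\swchost.exe
O4 - HKLM\..\Run: [NvClipRsv] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - Startup: svchost.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

SHELL_RE = re.compile(r"^F[02] - .*?Shell=(?P<shell>.+)$")
RUN_RE = re.compile(r"^O4 - .+?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<cmd>.+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); used to spot one-letter lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_path(cmd: str) -> str:
    """Pull the executable out of an O4 command: quoted or unquoted path, bare name,
    or a 'something.lnk = target' Startup-folder entry."""
    cmd = cmd.strip()
    if " = " in cmd:                                   # shortcut: keep the target
        cmd = cmd.split(" = ", 1)[1].strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.I)               # unquoted paths may contain spaces
    return cmd[:m.end()] if m else cmd.split()[0]


def check_exe(path: str) -> list:
    """Reasons an autostart executable deserves a second look (may be empty)."""
    reasons = []
    base = path.rsplit("\\", 1)[-1].lower()
    if "\\" not in path:
        reasons.append("bare filename, resolved through the search path")
    if base in SYSTEM_NAMES:
        reasons.append(f"{base} is a core Windows binary name; the real one is never "
                       "started from a Run key or a Startup folder")
    else:
        for sysname in sorted(SYSTEM_NAMES):
            if levenshtein(base, sysname) <= 2:
                reasons.append(f"{base} is a lookalike of {sysname}")
    # Heuristic (assumption): third-party software lives under Program Files or
    # System32, so an .exe dropped straight into C:\WINDOWS is worth a look.
    if path.lower().startswith("c:\\windows\\") and path.count("\\") == 2:
        reasons.append("executable sits directly in the Windows directory (weak signal)")
    return reasons


def triage(log: str) -> dict:
    """Map each suspicious autostart line to the list of reasons it was flagged."""
    findings = {}
    for line in log.strip().splitlines():
        reasons = []
        m = SHELL_RE.match(line)
        if m:
            # A clean XP install has exactly 'Shell=explorer.exe'; anything after it
            # is launched at every logon, which is how svohost.exe was persisting.
            shell, _, extra = m.group("shell").strip().partition(" ")
            if shell.lower() != "explorer.exe":
                reasons.append(f"shell replaced by {shell}")
            if extra:
                reasons.append(f"Shell= also launches {extra.strip()}")
                reasons += check_exe(extra.strip())
        elif (m := RUN_RE.match(line)) or (m := STARTUP_RE.match(line)):
            reasons += check_exe(exe_path(m.group("cmd")))
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run as-is it prints the nine flagged lines from the sample; the diagent, P2P Networking and Office entries pass because their names are not near any system binary and they live under Program Files or System32. Point `triage()` at the text of your own log to reuse it.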

Posted 15 June 2004 - 10:18 PM


Posted 23 June 2004 - 11:26 AM

Hey x-ray cat. From your post it appears you may have a variant of the Nibu trojan or Plexus worm. Had to investigate a computer that had gotten infected with a variant of one/both of these. You may want to check for the following files, and delete them.


If you find those files, check in your Temp directory for


If you found the above, then chances are good you had one of the malware programs I mentioned above. The above files are part of a keylogger and clipboard logger that were installed upon infection. You can look at the contents of everything but the prntsvr.dll file using Notepad, as they are just text. They will have some of the information that was logged while you were using your infected PC. Periodically the virus/trojan/whatever will send the contents of these files out to someone via email or the web. The data sent could have had your usernames, passwords, personal or financial information, emails you wrote, anything!

Change your passwords now! Think about what you had done on your PC recently, and what information you may have entered while the PC was infected, and respond accordingly to protect yourself.

Also, you should check the "hosts" file in "C:\WINDOWS\System32\Drivers\etc\". Part of the infection for both of the malware programs is to modify that file so that most of the URLs for the major anti-virus programs resolve to your PC, thus effectively preventing you from getting updates... once you install one, anyway!

Hope this helps,
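One way to do the hosts-file check the reply above recommends, as an added example that is not part of the thread: it parses a constructed hosts file, flags every anti-virus or update-related name that resolves to loopback, 0.0.0.0 or a LAN address (the page says the entries point at "your PC", so both the 127.0.0.1 case and the machine's own LAN address are covered), and rewrites the file with only those names removed so legitimate local entries and the stock Microsoft header survive. The vendor-domain list is an assumption of the example. On a live machine, read C:\WINDOWS\System32\Drivers\etc\hosts instead of SAMPLE_HOSTS.

```python
import ipaddress

# Assumption (not from the thread): domains whose hijacking would block AV updates
# and online scanners such as Housecall. Illustrative only; add your own vendors.
AV_DOMAIN_SUFFIXES = ("symantec.com", "norton.com", "mcafee.com", "grisoft.com",
                      "trendmicro.com", "pandasoftware.com", "kaspersky.com",
                      "sophos.com", "f-secure.com", "windowsupdate.com",
                      "microsoft.com")

# Constructed sample hosts file: the stock XP header plus the kind of entries the
# reply describes, some pointing at loopback and some at the PC's own LAN address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       housecall.trendmicro.com
192.168.1.5     www.pandasoftware.com free.grisoft.com
192.168.1.5     fileserver www.mcafee.com   # mixed line: fileserver is legitimate
192.168.1.20    printserver
"""


def parse_hosts(text: str):
    """Yield (line_no, ip, names) for every active mapping; comments and blanks skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        parts = body.split()
        if len(parts) >= 2:
            yield n, parts[0], parts[1:]


def points_at_self(ip: str) -> bool:
    """True for addresses that land on this machine or its LAN (127/8, 0.0.0.0, RFC 1918)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified or addr.is_private


def is_av_host(name: str) -> bool:
    """Match the domain itself or any subdomain of it (liveupdate.symantec.com)."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in AV_DOMAIN_SUFFIXES)


def audit_hosts(text: str) -> list:
    """Return (line_no, ip, name) for every AV-related name that resolves back to this PC."""
    hits = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if is_av_host(name) and points_at_self(ip):
                hits.append((n, ip, name))
    return hits


def clean_hosts(text: str) -> str:
    """Drop only the flagged names; untouched lines, comments included, are kept verbatim."""
    flagged = {}
    for n, _, name in audit_hosts(text):
        flagged.setdefault(n, set()).add(name)
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        if n not in flagged:
            out.append(raw)
            continue
        body, _, comment = raw.partition("#")
        parts = body.split()
        keep = [parts[0]] + [p for p in parts[1:] if p not in flagged[n]]
        if len(keep) > 1:                 # something legitimate is left on the line
            out.append("\t".join(keep) + ("\t#" + comment if comment else ""))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: {name} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS))
```

The audit deliberately ignores the `localhost` line and the `printserver` entry, and the cleanup keeps `fileserver` while dropping `www.mcafee.com` from the same line. Back the original file up before writing the cleaned text over it.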

