Please Help


3 replies to this topic

#1 damnation

    Member

  • Full Member
  • 4 posts

Posted 11 June 2004 - 11:59 AM

I am new here, and I seek help as I think my computer has been infected by a virus. This is my log file:
Logfile of HijackThis v1.97.7
Scan saved at 2:25:13, on 12/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE
C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\MPS.EXE
C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CANON\MULTIPASS4\MPDBMGR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SNDVOL32.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://line-plus.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://line-plus.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://line-plus.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://fastmetasearch.com/bar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://line-plus.com/sweb/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep.../start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...t/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.singnet.com.sg
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://line-plus.com/sweb/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SINGNET
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators....arch.php?que=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://line-plus.com/search/
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - (no file)
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - (no file)
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - (no file)
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - (no file)
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - (no file)
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\WINDOWS\SYSTEM\SZIEBHO.dll
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - (no file)
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - (no file)
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [AlogServEXE] C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\McAfee\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [mps] C:\WINDOWS\SYSTEM\mps.exe /s
O4 - HKLM\..\Run: [MPTBox] C:\Program Files\Canon\MultiPASS4\MPTBox.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [STOPzilla] "c:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [inplayW] C:\WINDOWS\SYSTEM\inplayW.exe
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [VsecomrEXE] C:\Program Files\McAfee\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\RunServices: [VsStatEXE] C:\Program Files\McAfee\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [atiupdate] C:\ATIUPDATE5.EXE
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msgked.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reality Fusion GameCam SE.lnk = C:\Program Files\CHAT\CCHAT.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Locators.com Search Bar (HKLM)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)
O12 - Plugin for .pdf1: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O13 - DefaultPrefix: http://line-plus.com/p/
O13 - WWW Prefix: http://line-plus.com/p/
O14 - IERESET.INF: START_PAGE_URL=http://www.singnet.com.sg
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab

Help will be greatly appreciated. Thank you in advance. Cheers mate. :wave:
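As an added illustration (not part of the original post or of HijackThis itself), the helper below parses R/O entries of the log format shown above and applies, as explicit rules, the checks the replies in this thread make by eye: orphaned BHO CLSIDs, search/start-page hosts that differ from the machine's own O14 reset default, a redirected O13 URL prefix, and autostarts living outside Program Files. The sample lines are copied from the log above; the rules are hypothetical triage heuristics, not verdicts.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://line-plus.com/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.singnet.com.sg
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\WINDOWS\SYSTEM\SZIEBHO.dll
O4 - HKLM\..\Run: [AlogServEXE] C:\Program Files\McAfee\McAfee VirusScan\AlogServ.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msgked.exe
O13 - DefaultPrefix: http://line-plus.com/p/
O14 - IERESET.INF: START_PAGE_URL=http://www.singnet.com.sg
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")   # matches "R1 - ...", "O4 - ..." lines
URL_RE = re.compile(r"https?://\S+")

def parse(log_text):
    """Return (section, body) for each R0/R1/Onn line; the process list etc. is skipped."""
    return [m.groups() for m in map(ENTRY_RE.match, (l.strip() for l in log_text.splitlines())) if m]

def expected_hosts(entries):
    """Hosts named in the machine's own IE reset file (O14): the OEM/ISP default,
    so a search or start page pointing anywhere else is a hijack candidate."""
    return {urlparse(u).hostname for sec, body in entries if sec == "O14"
            for u in URL_RE.findall(body)}

def triage(log_text):
    """Return [(reason, entry)] for entries a helper would examine first.
    Hypothetical heuristics for review, not verdicts and not HijackThis's own logic."""
    entries = parse(log_text)
    ok_hosts = expected_hosts(entries)
    findings = []
    for sec, body in entries:
        entry = f"{sec} - {body}"
        if sec in ("R0", "R1"):
            if any(urlparse(u).hostname not in ok_hosts for u in URL_RE.findall(body)):
                findings.append(("IE search/start setting points at an unexpected host", entry))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append(("orphaned BHO CLSID, its DLL is already gone", entry))
        elif sec == "O4":
            # image path follows the "[name] " label; legitimate OS components also live
            # outside Program Files on Win9x, so this only marks entries for a closer look
            image = body.split("] ", 1)[-1].strip('"').lower()
            if not image.startswith(("c:\\program files", "c:\\progra~1")):
                findings.append(("autostart outside Program Files, needs a look", entry))
        elif sec == "O13" and URL_RE.search(body):
            findings.append(("IE URL prefix redirected, a classic CWS sign", entry))
    return findings

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```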

#2 damnation

    Member

  • Full Member
  • 4 posts

Posted 11 June 2004 - 08:19 PM

Bump..

#3 Racktracker

    Hunter of Malware

  • Retired Staff
  • 1,306 posts

Posted 11 June 2004 - 08:22 PM

You need to run Windows Update and update your Internet Explorer to IE6.

You have a CoolWeb infection. Download CoolWeb Shredder, unzip and click Fix.

Run another hijackthis scan. Place a check next to the following entries, then close all other windows and click the fix button.

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - (no file)
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - (no file)
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - (no file)
O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - (no file)
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - (no file)
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - (no file)
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - (no file)
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - (no file)
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKCU\..\Run: [atiupdate] C:\ATIUPDATE5.EXE
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msgked.exe

Then reboot into safe mode and delete these files.
C:\WINDOWS\ALCHEM.exe
C:\WINDOWS\BELT.exe
C:\ATIUPDATE5.EXE
C:\WINDOWS\SYSTEM\msgked.exe

And these folders.
C:\Program Files\ClearSearch

You may have to enable hidden files to find all the files.

Then reboot into normal mode.

Run these free online virus scans.
http://housecall.trendmicro.com/
http://www.pandasoft...n_principal.htm

Next, download Spybot and Adaware. Update and scan with both. Have Spybot fix anything it lists in RED and Adaware fix everything it finds. Then reboot, run another HijackThis scan and post your new log here.

#4 cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 11 June 2004 - 08:25 PM

We'll get you fixed up, but first make a folder for your HijackThis.exe - you don't want all the backups in your C:\ root folder.
Put it in a permanent folder such as C:\HJT\.

Next, update your IE to IE 6, or you'll be getting infected as fast as we fix you. IE 5 is not maintained and is full of holes. http://www.microsoft.../ie/default.asp

Then, you have a CWS infection, so download and run http://www.spywarein.../CWShredder.exe from its own folder.
Click Fix and then Next, and let it fix everything it asks about.

Then reboot and post another log....

Edit: Hi Racktracker, didn't see you. Carry on!
:wave:

Edited by cnm, 11 June 2004 - 08:26 PM.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
