Jump to content


Photo

First time Malware problem...anyone want to help?


  • Please log in to reply
3 replies to this topic

#1 slinger

slinger

    Member

  • New Member
  • Pip
  • 3 posts

Posted 17 June 2004 - 03:06 AM

Hey guys, as with most others here,´something has taken over control of IE and is playing silly buggers with my pc. I have tried using Adaware and Spybot S n D but it seems to have made things worse in terms of rebooting, pc goes a bit crazy. When i reboot and pull up the task manager there are lots of things running with the same name "winry" or something similar.
I have done a first scan and here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 08:49:21, on 17.06.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\iple32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\Programme\Winamp3\winampa.exe
C:\programme\quicktime\qttask.exe
C:\Programme\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Programme\ICQLite\ICQLite.exe
C:\WINNT\iejs32.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Programme\Produra2\ProduraTracker.exe
C:\Programme\Aluria Software\ASE\ASE Scheduler.exe
C:\Programme\Microsoft Office\Office\OUTLOOK.EXE
C:\Programme\Gemeinsame Dateien\System\MAPI\1031\nt\MAPISP32.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\pdquc.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pdquc.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pdquc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\pdquc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pdquc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\pdquc.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.254:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.11;<local>
F1 - win.ini: run=C:\WINNT\system32\services\exploit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {312D7B62-92D3-EB57-C95B-F602E458B11C} - C:\WINNT\atlaf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\programme\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Programme\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [iejs32.exe] C:\WINNT\iejs32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapicc.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
O4 - HKLM\..\RunOnce: [winry.exe] C:\WINNT\system32\winry.exe
O4 - HKLM\..\RunOnce: [mfcvx.exe] C:\WINNT\system32\mfcvx.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Startup: ASE Scheduler.lnk = C:\Programme\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Cache Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Produra Tracker.lnk = C:\Programme\Produra2\ProduraTracker.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E25CA6C-52AE-47E0-BF44-BC5B3A0403F4} - http://www.anywebcam.com/awc/SGT.ocx
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.oyunfabri.../2/060172as.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8154.4174074074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{A728C509-BFA7-48C4-899E-5E5DC7603AE2}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HKLM\System\CS2\Services\Tcpip\Parameters: Domain =

any help much appreciated!

Edited by slinger, 18 June 2004 - 01:54 AM.


#2 Vulcano

Vulcano

    Member

  • Full Member
  • Pip
  • 14 posts

Posted 17 June 2004 - 03:53 AM

Read at:
http://www.spywarein...?showtopic=7447

Try first to find a topic with your problem, before open a new one.

#3 slinger

slinger

    Member

  • New Member
  • Pip
  • 3 posts

Posted 17 June 2004 - 04:28 AM

thanks, sorry, hardly have a clue what to look for so needed to post a new topic.
I will check it out....its all japanese to me but will see what i can do
thanks

#4 slinger

slinger

    Member

  • New Member
  • Pip
  • 3 posts

Posted 18 June 2004 - 02:02 AM

Ok, I have read the other post you directed me too.
I have performed my scan but my limited knowledge means i dont know what to delete from the following Hijack this logfile.

Logfile of HijackThis v1.97.7
Scan saved at 08:58:47, on 18.06.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\iple32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\Programme\Winamp3\winampa.exe
C:\programme\quicktime\qttask.exe
C:\Programme\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Programme\ICQLite\ICQLite.exe
C:\WINNT\iejs32.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\PVSW\Bin\w3dbsmgr.exe
C:\Programme\Produra2\ProduraTracker.exe
C:\Programme\Microsoft Office\Office\OUTLOOK.EXE
C:\Programme\Gemeinsame Dateien\System\MAPI\1031\nt\MAPISP32.EXE
C:\Programme\Internet Explorer\iexplore.exe
I:\Programme\EPROM\Deniba\Bin\InOrder.exe
I:\Programme\EPROM\Deniba\Bin\EHLogin.exe
C:\Programme\INTERN~1\IEXPLORE.EXE
C:\Programme\Microsoft Office\Office\EXCEL.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\pdquc.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pdquc.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pdquc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\pdquc.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pdquc.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\pdquc.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.254:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.11;<local>
F1 - win.ini: run=C:\WINNT\system32\services\exploit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {312D7B62-92D3-EB57-C95B-F602E458B11C} - C:\WINNT\atlaf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] "C:\Programme\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\programme\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Programme\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [iejs32.exe] C:\WINNT\iejs32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [WTSS] C:\WINNT\system32\wapicc.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
O4 - HKLM\..\RunOnce: [msqh.exe] C:\WINNT\msqh.exe
O4 - HKLM\..\RunOnce: [javazy.exe] C:\WINNT\system32\javazy.exe
O4 - HKLM\..\RunOnce: [iple32.exe] C:\WINNT\system32\iple32.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Cache Engine.lnk = C:\PVSW\Bin\w3dbsmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Produra Tracker.lnk = C:\Programme\Produra2\ProduraTracker.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E25CA6C-52AE-47E0-BF44-BC5B3A0403F4} - http://www.anywebcam.com/awc/SGT.ocx
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.oyunfabri.../2/060172as.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8154.4174074074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


Help really would be appreciated

Also a question.... with these Malware, etc invasions, is it possible to save some of my files, so documents, a couple of programmes etc to another PC or will the files be infected???




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button