Jump to content


Photo

"New Win32" Any Info?


  • Please log in to reply
8 replies to this topic

#1 shamp10

shamp10

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 22 June 2004 - 10:27 PM

I am lost...I suppose if I can get help here, I'll have to go to the removal forum, but I'll start here...

McAfee tells me I have a virus named New Win32. I can find no information on this. The McAfee site just says it was added in 2002, but nothing else. What it does, where it came from, nada...

Anyone have any info on this? Thanks a lot.

Dee

#2 shamp10

shamp10

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 22 June 2004 - 10:51 PM

BTW, the infected file name is A0011032.exe...

Sound familiar?

#3 thyme

thyme

    Full Member

  • Full Member
  • Pip
  • 93 posts

Posted 23 June 2004 - 01:03 AM

Hi

You could run mcafee programme stinger, link below, Please note that it states when you use this programme the following

Stinger is a stand-alone utility used to detect and remove specific viruses and worms, including Lovsan. Note: It is not a substitute for full anti-virus protection,



am suggesting this as you say it was added in 2002.

http://us.mcafee.com...val/Stinger.asp

#4 Misereor

Misereor

    Member

  • Full Member
  • Pip
  • 84 posts

Posted 23 June 2004 - 05:59 AM

From the McAfee virus database:

New Win32.
This is a heuristic detection which indicates that a file is possibly a Win32 virus. Win32 stands for 32-bit Windows and includes Windows 95, 98, NT, 2000, XP, ME, etc. Ensure that you are using the latest engine and DATs and send a copy of the file to AVERT if it is still detected as "New Win32"

And for orders sake, here is the Avert url:
https://www.webimmune.net/default.asp

#5 shamp10

shamp10

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 June 2004 - 08:18 PM

Stinger didn't pick up anything. I ran PandaSoftware's Activescan and it found 5 additional infected files:

Virus:Trj/ClassLoader.B No disinfected C:\Documents and Settings\john\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-63b1779e.zip[GetAccess.class]
Virus:Exploit/ByteVerify No disinfected C:\Documents and Settings\john\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-63b1779e.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify No disinfected C:\Documents and Settings\john\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-63b1779e.zip[Dummy.class]
Virus:Trj/Downloader.CL No disinfected C:\Documents and Settings\john\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-63b1779e.zip[Installer.class]
Virus:Exploit/ByteVerify No disinfected C:\Documents and Settings\john\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jar-315a6baf-7629134f.zip[Dummy.class]

Am I in trouble here?
Any advice is appreciated.
Thanks!

#6 shamp10

shamp10

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 June 2004 - 08:32 PM

This is the HJT log...its greek to me...does it show anything?


Logfile of HijackThis v1.97.7
Scan saved at 9:29:28 PM, on 6/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\deanna\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/...me/ZAxRcMgr.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8034.9368055556
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/...aploader_v5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ol_v1-0-3-0.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/.../RumbleCube.cab

#7 shamp10

shamp10

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 June 2004 - 08:48 PM

*

#8 shamp10

shamp10

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 23 June 2004 - 09:07 PM

:ugh: :ugh:

#9 thyme

thyme

    Full Member

  • Full Member
  • Pip
  • 93 posts

Posted 24 June 2004 - 12:53 AM

Hi shampo 10

be patient & your log will get looked at, time difference sometimes affects response.

You have hi-jack this saved to a temporary folder you need to save this programme in to a permanent folder, this is because it will run backups to enable you to restore any changes you make by mistake etc.

Whilst you wait for your log to be looked at you could do the following:

run spybot search & destroy, check for updates first, download all updates,
and scan.When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

here is link for spybot search & destroy

http://www.safer-net...p?page=download

also you could run CWShredder

here is link to download from

http://www.spywareinfo.com/~merijn/

Download CWShredder Click on update, then close all browsers, and then click on Fix, not scan.

next

Make sure you can view all hidden files and folders, link below explains how

http://www.xtra.co.n...1916458,00.html

when you have done this post back a fresh hi jack this log and you should soon get a response.

here is a freeware trojan programe you could also run

http://www.a-2.org/en/software/free/

aČ is a complementary product to antivirus software which is specialized in protection against harmful software. Antivirus software often features an inadequate protection against Trojans, Dialers and Spyware. aČ fills this gap.


Edited by thyme, 24 June 2004 - 01:30 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button