Results 1 to 8 of 8

Topic: spyware/virus help

  1. #1
    Beginner
    Registered since
    13.09.2005
    Posts
    4

    spyware/virus help

    Please help. I am having major problems with viruses and dial-up onto dialer sites; it will not let me change my homepage (hijacked), and I am unable to clean it. C:\windows\system32_t.exe trojan horse virus. McAfee, AVG and Spybot cannot delete it.

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 1:10:50 PM, on 9/13/2005
    Platform: Windows XP  (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\system32\pctspk.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
    C:\WINDOWS\System32\rgf09ov03l5thd.exe
    C:\WINDOWS\System32\tibs3.exe
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\QuickTime\qttask.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe
    C:\Program Files\Messenger\msmsgs.exe
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINDOWS\System32\dwwin.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Adil  khan\Local Settings\Temp\Temporary Directory 3 for hijackthis_199.zip\HijackThis.exe
    C:\Documents and Settings\Adil  khan\Local Settings\Temp\Temporary Directory 4 for hijackthis_199.zip\HijackThis.exe
    C:\WINDOWS\System32\dwwin.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31403
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31403
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://tooncomics.com/enter.htm?id=31403
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tooncomics.com/enter.htm?id=31403
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://tooncomics.com/enter.htm?id=31403
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\LNLODP~1.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: (no name) - {FF76BC8E-6E5B-4197-AC35-7314DFCB2A7B} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
    O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\rgf09ov03l5thd.exe
    O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - HKLM\..\Run: [stihmon.exe] C:\WINDOWS\System32\stihmon.exe
    O4 - HKLM\..\Run: [lnkfstub.exe] C:\WINDOWS\System32\lnkfstub.exe
    O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
    O4 - HKLM\..\Run: [autocoinv.exe] C:\WINDOWS\System32\autocoinv.exe
    O4 - HKLM\..\Run: [routemoun.exe] C:\WINDOWS\System32\routemoun.exe
    O4 - HKLM\..\Run: [esmss.exe] C:\WINDOWS\System32\esmss.exe
    O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [clsd] C:\WINDOWS\clsd.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [stihmon.exe] C:\WINDOWS\System32\stihmon.exe
    O4 - HKCU\..\Run: [lnkfstub.exe] C:\WINDOWS\System32\lnkfstub.exe
    O4 - HKCU\..\Run: [autocoinv.exe] C:\WINDOWS\System32\autocoinv.exe
    O4 - HKCU\..\Run: [routemoun.exe] C:\WINDOWS\System32\routemoun.exe
    O4 - HKCU\..\Run: [esmss.exe] C:\WINDOWS\System32\esmss.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: winlogin.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net/
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {00000000-7777-0704-0B53-2C8830E9FAEC} - http://web-url.de/cab/axload.cab
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://vparivalka.com/G7/chm10.chm::/ieloader.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://iframedollars.biz/dl/adv555/x.chm::/load.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q678340.exe
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c46.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108227526966
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1862.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8825D7EE-0221-400B-9CBE-4669329A2B91}: NameServer = 212.50.160.100 213.249.130.100
    O20 - AppInit_DLLs: bv4v61721v4iuxll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
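    Helpers triage logs like the one above by eye, section by section. As an added illustration that is not part of the original thread, the Python below applies the same checks to constructed sample lines in HijackThis format: an IE start/search page pointing at an unexpected host, an autorun in System32 with a random-looking filename, a Trusted Zone entry, O16 objects fetched via ms-its:/file: or from a bare IP, and a populated AppInit_DLLs. The allow-list EXPECTED_HOSTS and the "random-looking name" heuristic are assumptions, not HijackThis features.

```python
import re
from urllib.parse import urlparse
# Constructed sample in HijackThis v1.99 format (same line shapes as the log in the post above).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tooncomics.com/enter.htm?id=31403
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net/
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\rgf09ov03l5thd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://iframedollars.biz/dl/adv555/x.chm::/load.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba1862.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: bv4v61721v4iuxll.dll.dll.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RANDOM_EXE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}\.exe$", re.I)  # e.g. rgf09ov03l5thd.exe
EXPECTED_HOSTS = {"www.virgin.net"}  # assumed allow-list: the user's real homepage/ISP hosts
def findings(line):
    """Reasons a single HijackThis line deserves a second look (empty list = nothing flagged)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body, reasons = m.group("sec"), m.group("body"), []
    if sec in ("R0", "R1") and " = " in body:
        host = urlparse(body.rsplit(" = ", 1)[1]).hostname or ""
        if host not in EXPECTED_HOSTS:
            reasons.append(f"IE page/search setting points at unexpected host {host!r}")
    elif sec == "O4" and "] " in body:
        rest = body.split("] ", 1)[1]  # command line after the [name] tag
        path = rest[1:].split('"', 1)[0] if rest.startswith('"') else rest.split(" ", 1)[0]
        if "\\system32\\" in path.lower() and RANDOM_EXE.match(path.rsplit("\\", 1)[-1]):
            reasons.append("autorun from System32 with a random-looking filename")
    elif sec == "O15":
        reasons.append("Trusted Zone entry relaxes IE security for that site")
    elif sec == "O16":
        url = urlparse(body.rsplit(" - ", 1)[1])
        if url.scheme not in ("http", "https"):
            reasons.append(f"DPF object loaded via {url.scheme}: instead of http(s)")
        elif IP_RE.match(url.hostname or ""):
            reasons.append("DPF object downloaded from a bare IP address")
    elif sec == "O20" and body.split(":", 1)[1].strip():
        reasons.append("non-empty AppInit_DLLs injects a DLL into every GUI process")
    return reasons

def scan(log):
    """Map each flagged log line to its reasons; clean lines are left out."""
    return {ln.strip(): r for ln in log.strip().splitlines() if (r := findings(ln))}
```

    Running scan(SAMPLE_LOG) flags six of the nine sample lines and leaves the Virgin homepage, NeroCheck and the Microsoft WGA control alone.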

  2. #2
    Supermod (ret.) Avatar of Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20,038

    Re: spyware/virus help

    Welcome to HijackThis.de @ Tiny

    1
    Make sure you set Windows to show hidden files and folders.

    2
    Please upload these files

    C:\WINDOWS\System32\rgf09ov03l5thd.exe
    C:\WINDOWS\Downloaded Program Files\ieloader.exe
    C:\WINDOWS\System32\stihmon.exe
    C:\WINDOWS\System32\lnkfstub.exe
    C:\WINDOWS\System32\autocoinv.exe
    C:\WINDOWS\System32\routemoun.exe
    C:\WINDOWS\System32\esmss.exe
    C:\WINDOWS\clsd.exe

    -> to Upload malicious software.

    If you need a zip tool, we suggest ZipGenius (it is free).
    Please let us know if you succeeded in uploading the files.

    You will get an email from us as an answer with the results.
    Please post the results on the board.


    -----------------------
    You are running some worms and trojans on your system.
    Please download

    RegistryProt
    and read and follow the instructions.

    For your greatest safety, it is recommended that
    you do not do online banking, file sharing, mailing, messaging,
    uploads and downloads except to security sites until your system is clean.
    Take a look at "Security Tips" in my signature.

    -----------------------

  3. #3
    Beginner
    Registered since
    13.09.2005
    Posts
    4

    Re: spyware/virus help

    Ruby,

    I have tried to do as you said, but my system will not allow me to access those files (it takes ages) and then the system closes or freezes. Is there any other way please, as I am at my wits' end.....

  4. #4
    Supermod (ret.) Avatar of Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20,038

    Re: spyware/virus help

    Hello Tiny

    Let's try this....

    1
    Make sure you set Windows to show hidden files and folders.

    2
    Download the KillBox and save it to your desktop

    3
    Run the KillBox

    o copy these files into the KillBox:

    C:\WINDOWS\System32\rgf09ov03l5thd.exe
    C:\WINDOWS\Downloaded Program Files\ieloader.exe
    C:\WINDOWS\System32\stihmon.exe
    C:\WINDOWS\System32\lnkfstub.exe
    C:\WINDOWS\System32\autocoinv.exe
    C:\WINDOWS\System32\routemoun.exe
    C:\WINDOWS\System32\esmss.exe
    C:\WINDOWS\clsd.exe

    o activate "Standard File Kill"
    o then click on the red X
    o "YES"
    o "NO" to the question whether you want to reboot ...

    4
    ... reboot once you have put the last file into the KillBox.


    5
    Create a new folder "bad" (Windows Tutorial)

    6
    Go to START > use Windows Explorer > look for the folder "!Submit" -> C:\!Submit
    Open the folder "!Submit" > drag & drop all these files:

    C:\WINDOWS\System32\rgf09ov03l5thd.exe
    C:\WINDOWS\Downloaded Program Files\ieloader.exe
    C:\WINDOWS\System32\stihmon.exe
    C:\WINDOWS\System32\lnkfstub.exe
    C:\WINDOWS\System32\autocoinv.exe
    C:\WINDOWS\System32\routemoun.exe
    C:\WINDOWS\System32\esmss.exe
    C:\WINDOWS\clsd.exe

    into the new folder "bad".

    7
    Upload this new folder "bad" to -> Upload malicious software (*).
    (*) If you need a zip tool, we suggest ZipGenius (it is free).

    8
    Please let us know if you succeeded in uploading the files.

  5. #5
    Beginner
    Registered since
    13.09.2005
    Posts
    4

    Re: spyware/virus help

    Ruby,

    Thanks for the advice; unfortunately the KillBox tries to delete the files but keeps coming back with "Files do not exist"?????

    Any further advice would be greatly received. Thanks for the help so far.

  6. #6
    Supermod (ret.) Avatar of Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20,038

    Re: spyware/virus help

    Hello Tiny

    Please download Silent Runner.
    Run it, have it save a logfile and post it. Thanks.

  7. #7
    Beginner
    Registered since
    13.09.2005
    Posts
    4

    Re: spyware/virus help

    Ruby,

    Just downloaded script runner with no probs; when I went to run the file, the following message was displayed:

    Script Host

    line 84
    charc 13
    error: could not create objects named "wscript.shell"
    code:80040111
    source: wscript.create object

    I don't understand why it does not work. Any ideas welcome please, as I am still very desperate.

  8. #8
    Supermod (ret.) Avatar of Ruby
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20,038

    Re: spyware/virus help

    @ Tiny

    Please download Process Explorer. Look with it for these files and let me know if you could find them:

    C:\WINDOWS\System32\rgf09ov03l5thd.exe
    C:\WINDOWS\Downloaded Program Files\ieloader.exe
    C:\WINDOWS\System32\stihmon.exe
    C:\WINDOWS\System32\lnkfstub.exe
    C:\WINDOWS\System32\autocoinv.exe
    C:\WINDOWS\System32\routemoun.exe
    C:\WINDOWS\System32\esmss.exe
    C:\WINDOWS\clsd.exe
