View Full Version : Applications won't work .. virus ?



heinz57
30-12-2005, 11:00 AM
Good afternoon all .. Did ya have a good Xmas?

My partner opened an email the other day .. hahaha .. and yes you guessed it .. out popped a virus .. and suddenly everything stopped .. ( grandson was using the lappy .. which is the one that is normally online, the PC doesn't go online much, so AVG isn't updated regularly.)

Since then it shows an error when I try to open some programs, some programs don't even open, they try to open then stop.

I've updated AVG on the laptop and taken it by memory stick to the PC, it took a while, and I don't even know how he did it, but AVG is now running on the PC, not found any viruses yet, and I suspect it won't.

Does this sound like a virus ? I can't get it online to TREND.

Speedy Gonzales
30-12-2005, 11:04 AM
Yup, if u can't get to any AV sites, it may well be a trojan/virus/worm.

Get this (http://www.merijn.org/files/hijackthis.zip)

Unzip it into its own folder, run it, scan, and then copy and paste the log here.

Or here (http://www.hijackthis.de/en) if u know what to look for.

heinz57
30-12-2005, 11:25 AM
OK .. here's the log .. doesn't look like anything wrong :(

heinz57
30-12-2005, 11:26 AM
hehehehhe
here it is .....



Logfile of HijackThis v1.99.1
Scan saved at 12:20:03 , on 30/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
G:\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CometCursor Class - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - C:\WINDOWS\SYSTEM32\COMET.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: WhenUSearch Helper - {BA2325ED-F9EB-4830-8FCE-0BC35B16969B} - C:\PROGRAM FILES\WHENUSEARCH\SEARCH.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS\System32\anti_troj.exe
O4 - HKLM\..\Run: [key2] C:\WINDOWS\System32\winlog.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [anti_troj] C:\WINDOWS\System32\anti_troj.exe
O4 - HKCU\..\Run: [key2] C:\WINDOWS\System32\winlog.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 202.27.184.3
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = 202.27.184.3
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = 202.27.184.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = 202.27.184.3
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

heinz57
30-12-2005, 11:31 AM
Ohh ok .. I just used your analyser .. I use a different one .. they show different things .. OK .. gonna get rid of the red ones now

Speedy Gonzales
30-12-2005, 11:41 AM
Boot into safe mode, and run HJT again. Tick these and tick fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: CometCursor Class - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - C:\WINDOWS\SYSTEM32\COMET.DLL

O2 - BHO: WhenUSearch Helper - {BA2325ED-F9EB-4830-8FCE-0BC35B16969B} - C:\PROGRAM FILES\WHENUSEARCH\SEARCH.DLL

If Desktop Toolbar [WhenUSearch] appears in add/remove programs uninstall it.

O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS\System32\anti_troj.exe (this is nasty).

O4 - HKLM\..\Run: [key2] C:\WINDOWS\System32\winlog.exe This is nasty too

O4 - HKCU\..\Run: [anti_troj] C:\WINDOWS\System32\anti_troj.exe

O4 - HKCU\..\Run: [key2] C:\WINDOWS\System32\winlog.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: Win32 Classes

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = 202.27.184.3

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = 202.27.184.3

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = 202.27.184.3

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = 202.27.184.3

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

These don't have to be in startup.

O4 - HKLM\..\Run: [RemoteControl] "C:\Program files\CyberLink\PowerDVD\PDVDServ.exe" (unless u have a remote for this).

I would try this (http://dl.filekicker.com/send/file/168259-1P80/trsetup.exe) from here (http://www.simplysup.com/tremover/download.html) or go here (http://www.ewido.net)

You have a few nasties on that system. I would also install SP1 or SP2, after these entries have been removed.

I would also install some kind of firewall. It doesn't look like u have one installed. You're asking for trouble without one.
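
One way to automate the triage Speedy does by hand above, as an added example that is not part of this thread: a small Python script that parses HijackThis O2/O4/O17/O23 lines and flags the patterns he points out (adware BHO names, unfamiliar executables autostarting from System32, the same Run entry under both HKLM and HKCU, a DNS SearchList override, services whose file is missing). The sample log, the adware-name list and the System32 allowlist are constructed for the example and are assumptions, not a reference list.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format, modelled on the entries
# discussed in this thread (not the poster's full log).
SAMPLE_LOG = r"""
O2 - BHO: WhenUSearch Helper - {BA2325ED-F9EB-4830-8FCE-0BC35B16969B} - C:\PROGRAM FILES\WHENUSEARCH\SEARCH.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [key2] C:\WINDOWS\System32\winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [key2] C:\WINDOWS\System32\winlog.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = 202.27.184.3
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# Adware BHO names called out in the thread; extend from a current reference list.
ADWARE_BHOS = ("CometCursor", "WhenUSearch")
# Assumption: a tiny allowlist of System32 binaries that legitimately autostart.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] "?(?P<path>.*?\.exe)', re.I)


def triage(log_text):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings, run_entries = [], []
    for line in log_text.strip().splitlines():
        if line.startswith("O2 - BHO:") and any(b.lower() in line.lower() for b in ADWARE_BHOS):
            findings.append((line, "BHO matches a known adware name"))
        elif m := O4_RE.match(line):
            run_entries.append((m["hive"].upper(), m["name"].lower(), m["path"], line))
        elif line.startswith("O17 -"):
            findings.append((line, "DNS/SearchList override: confirm it is your ISP's resolver"))
        elif line.startswith("O23 -") and "(file missing)" in line:
            findings.append((line, "service points at a missing binary: broken or leftover install"))
    # Which hives register each Run entry name; the same name under both
    # HKLM and HKCU (as anti_troj and key2 are in the poster's log) is a flag.
    hives = {}
    for hive, name, _, _ in run_entries:
        hives.setdefault(name, set()).add(hive)
    for hive, name, path, line in run_entries:
        exe = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "\\system32\\" in path.lower() and exe not in KNOWN_SYSTEM32_AUTORUNS:
            reasons.append("unfamiliar executable started from System32")
        if hives[name] >= {"HKLM", "HKCU"}:
            reasons.append("same entry registered in both HKLM and HKCU Run keys")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings
```

Run `triage(open("hijackthis.log").read())` on a saved log to get the flagged lines with their reasons; the script only reads the log and never modifies the registry.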

Greg
30-12-2005, 12:41 PM
I think Speedy deserves a medal from PressF1 for his nearly tireless Hijackthis help. He's sure better than the German online automated assistance. Go Speedy! :thumbs:

heinz57
30-12-2005, 05:11 PM
As usual .. Speedy to the rescue!
Alas I have forgotten my previous sign in name, It was Lovelee or something, but every time I've had trouble no matter what it is, Speedy has done the job.
Hero Medal, that's what he should get!

Thank you mate. :)

pctek
30-12-2005, 10:11 PM
I've updated AVG on the laptop and taken it by memory stick to the PC, it took a while, and I don't even know how he did it, but AVG is now running on the PC, not found any viruses yet, and I suspect it won't.

You should have some anti-spyware as well. See the FAQ here for the list. AV is not enough on its own.

Geez, the moderators should make this type of question a sticky........