MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: hideproc.a strikes, free antivir 6.26 sticks
November 18, 2019, 02:02:48 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
November 18, 2019, 02:02:48 AM

Login with username, password and session length
 Featured Sites:
News
New  Looking for cheap hardware and/or software?
Visit our new Online Store where you will be able to purchase from a reputable vendor by country.
  0 Members and 1 Guest are viewing this topic.
Pages: [1] 2  All Go Down Print
Author Topic: hideproc.a strikes, free antivir 6.26 sticks  (Read 4678 times)
Roland
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 17


Bookmark and Share

View Profile
« on: December 30, 2004, 07:17:20 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Win XP Service Pack 1
Problem Application Name & Version: (free) antivir 6.26 on hideproc.a
Problem Hardware Make & Model: mobile AMD athlon 1900+ 1.60 GHz, 480 MB RAM (no hardware problem)
Error Messages: Die Datei "C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\TEMP\1.tmp" enth
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #1 on: December 30, 2004, 07:26:32 PM »

Please download:
Hijack This

Make sure you unzip hijack this to its own folder
such as C:\Program files as this is where the backups will
be created.Run Hijack this but do NOT fix anything.Click save
log and a log will open in notepad.Copy and paste your log here.

[
Logged

John Vickers
Roland
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 17


Bookmark and Share

View Profile
« Reply #2 on: December 30, 2004, 07:31:51 PM »

Logfile of HijackThis v1.99.0
Scan saved at 20:34:38, on 30.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\S3hotkey.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\programme\umsd tools\umsd.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Scansoft\PaperPort\pptd40nt.exe
C:\Programme\Gemeinsame Dateien\CMEII\CMESys.exe
C:\Programme\Winamp\winampa.exe
C:\WINDOWS\ieum.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Programme\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Programme\Gemeinsame Dateien\GMT\GMT.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
c:\cad\catia\intel_a\code\bin\CATSysDemon.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Programme\AMD\PowerNow!\GemServ.exe
C:\Programme\AMD\PowerNow!\gemback.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\javaqk.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\ICQ\Icq.exe
C:\Dokumente und Einstellungen\Besitzer\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxyconf
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = perthus.supaero.fr:80
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EAC149FF-02FD-1262-BD19-76518252A5AD} - C:\WINDOWS\system32\apizm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PLoader] c:\programme\umsd tools\umsd.exe sys_auto_run C:\Programme\UMSD Tools
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Programme\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Programme\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Programme\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [CMESys] "C:\Programme\Gemeinsame Dateien\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [ieum.exe] C:\WINDOWS\ieum.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSCHED32.EXE /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: AOL 7.0 Tray-Symbol.lnk = C:\Programme\AOL 7.0\aoltray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Programme\Gemeinsame Dateien\GMT\GMT.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON14006/thin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/de/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{41A6BC1D-9283-4640-9E37-C46CD9650399}: Domain = supaero.fr
O17 - HKLM\System\CCS\Services\Tcpip\..\{41A6BC1D-9283-4640-9E37-C46CD9650399}: NameServer = 134.212.116.28
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Backbone Service - Dassault Systemes - c:\cad\catia\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Brother Popup Suspend service for Resource manager - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: AMD PowerNow! (tm) Technology Service - Advanced Micro Devices - C:\Programme\AMD\PowerNow!\GemServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\javaqk.exe





Here you are, thanks.
(I am now trying to get rid of the problem for about six hours, so I am tired but also thankful)
Logged

 
Roland
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 17


Bookmark and Share

View Profile
« Reply #3 on: December 30, 2004, 07:42:11 PM »

What does "trusted zone" mean?
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #4 on: December 30, 2004, 07:43:18 PM »

Ok, what we have here is a CoolWebSearch trojan variant known as an AboutBlank infection.
We've seen these numerous times in the past and it may take a couple of different process
we'll have to go through before we can get rid of it all. First, I want you to go and
download a program called AboutBuster. Here's the link:

http://www.snapfiles.com/get/aboutbuster.html

Run the program at least twice, until the log comes up clean (if it keeps finding files,
continue to run the program over and over until no more files are found). AboutBuster will
remove the AboutBlank infestation. When finished, I want you to go and download a program
called CWShredder. Here's the link:

http://www.intermute.com/spysubtrac...r_download.html

Run CWShredder, have it get the latest updates, and let it do it's thing. CWShredder will
eliminate any remaining parts of the CoolWebSearch infection if they still exist on your
system. Next I want you to go and download AntiVir's Free-AV. Here's the link:

http://www.free-av.com/

Run a full scan on your system with Free-AV. Free-AV will check to make sure no virus
infecting program are lurking where we can't see them. When finished, go and download the
latest version of Ad-aware SE. Here's the link:

http://www.majorgeeks.com/download.php?det=506

Click on one of the download locations and after downloading, install Ad-aware SE. At
the end of the installation, have Ad-aware get the latest updates and run a full scan
against your system. When it finishes, have Ad-aware fix everything it found by placing a
check in the "check-box" next to every entry.
Disable system restore.You can enable it once you are clean


Using System Restore Windows XP

When this is finished, run "Hijack This!" and
hit the SCAN button. Check off the following entries, but do NOT hit the "Fix Checked"
button just yet:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ktxlv.dll/sp.html#12345

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [CMESys] "C:\Programme\Gemeinsame Dateien\CMEII\CMESys.exe"
O4 - Global Startup: GStartup.lnk = C:\Programme\Gemeinsame Dateien\GMT\GMT.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON14006/thin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040105/qtinstall.info.apple.com/mickey/de/win/QuickTimeInstaller.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)

Close all windows except for hijack this and click fix

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
To get back to normal mode just restart the computer as you normally would.

Delete:

C:\Programme\Gemeinsame Dateien\CMEII\CMESys.exe
C:\Programme\Gemeinsame Dateien\GMT\GMT.exe
C:\WINDOWS\javaqk.exe

Run hijack this and post a new log
« Last Edit: December 31, 2004, 01:21:34 AM by jvic » Logged

John Vickers
Roland
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 17


Bookmark and Share

View Profile
« Reply #5 on: December 30, 2004, 07:52:49 PM »

Interim Question:

Antivir is already installed on my PC. Like I wrote in my initial message, it stuck on 1.tmp.
I updated antivir today. What to do? It seems strange to me.

Is free av different from free antivir?

Question on AboutBuster:

How do I notice that the log is free?

Current Log:

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19


ADS not scanned System(FAT)
Removed 3 Random Key Entries
Removed! : C:\WINDOWS\qelhk.dat
Removed! : C:\WINDOWS\vjpvdc.dat
Removed! : C:\WINDOWS\rgftdb.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 3 ---------------------------
About:Buster Version 4.0
Reference List : 19


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
Logged

 
Roland
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 17


Bookmark and Share

View Profile
« Reply #6 on: December 30, 2004, 07:57:35 PM »

Another Problem:

AboutBuster tells me not to open Internet Explorer until reboot.

?

Internet explorer is still running and I will need it in order to get the other links you indicated, or is it also possible to work with mozilla firefox?
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #7 on: December 30, 2004, 08:04:22 PM »

About buster will find no more files...Keep going with rest of instructions and when I see your hijack this log after you have done everything we will know where to go from there
Logged

John Vickers
Roland
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 17


Bookmark and Share

View Profile
« Reply #8 on: December 30, 2004, 08:08:59 PM »

1. Can't download CWShredder, page not found.
2. Do I really have to download free av when I already have it (was my first action on knowing about the problem)
Logged

 
Roland
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 17


Bookmark and Share

View Profile
« Reply #9 on: December 30, 2004, 08:22:22 PM »

http://www.chip.de/downloads/c_downloads_11353799.html

...got CWShredder there. I hope that it's the same:


Version:   2.12
Sprache:   Englisch
Downloadzahl:   238764
Autor:   InterMute
Betriebssystem:   Win 98
Win NT 4.0
Win 2000
Win Me
Win 95
Win XP
Dateigr
« Last Edit: December 30, 2004, 08:24:12 PM by Roland » Logged

 
Roland
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 17


Bookmark and Share

View Profile
« Reply #10 on: December 30, 2004, 08:27:03 PM »

...
CW Shredder Report
« Last Edit: December 30, 2004, 11:08:37 PM by Roland » Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #11 on: December 30, 2004, 10:59:43 PM »

All I need to see is the new hijack this log
Logged

John Vickers
Roland
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 17


Bookmark and Share

View Profile
« Reply #12 on: December 31, 2004, 12:19:16 AM »

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxyconf
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = perthus.supaero.fr:80


...these concern the proxyport of the campus' firewall. What does it mean to check off? Mark/unmark these lines?
Logged

 
Roland
Jr. Member
**

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 17


Bookmark and Share

View Profile
« Reply #13 on: December 31, 2004, 01:10:42 AM »

Logfile of HijackThis v1.99.0
Scan saved at 02:08:26, on 31.12.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
C:\programme\umsd tools\umsd.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Scansoft\PaperPort\pptd40nt.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Programme\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
c:\cad\catia\intel_a\code\bin\CATSysDemon.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Programme\AMD\PowerNow!\GemServ.exe
C:\Programme\AMD\PowerNow!\gemback.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Dokumente und Einstellungen\Besitzer\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PLoader] c:\programme\umsd tools\umsd.exe sys_auto_run C:\Programme\UMSD Tools
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Programme\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Programme\Brother\BRMFLPRO\BrDefPrt.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVSCHED32] C:\Programme\AVPersonal\AVSCHED32.EXE /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: AOL 7.0 Tray-Symbol.lnk = C:\Programme\AOL 7.0\aoltray.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SmartUI.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{41A6BC1D-9283-4640-9E37-C46CD9650399}: Domain = supaero.fr
O17 - HKLM\System\CCS\Services\Tcpip\..\{41A6BC1D-9283-4640-9E37-C46CD9650399}: NameServer = 134.212.116.28
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Backbone Service - Dassault Systemes - c:\cad\catia\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Brother Popup Suspend service for Resource manager - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: AMD PowerNow! (tm) Technology Service - Advanced Micro Devices - C:\Programme\AMD\PowerNow!\GemServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe




NOTE:
My PC was not able to run safe mode. I taped F8 and I chose the option run from harddisc and run safe mode. after watching 10 minutes the cursor blinking in the upper left corner of my screen, I decided to abort this. When I looked afterwards in normal mode, I did not find the *.exe you indicated. Though I post the current hijack log.

On checking the processes running with the task manager, I found the process SVCHost which I know to be linked to either a worm or a virus.  

I am now on this problem for about 12 hours. I take now a little rest.

Roland
Logged

 
jvic
Visiting Administrator
Hero Member
*****

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 1238


Bookmark and Share

View Profile
« Reply #14 on: December 31, 2004, 01:16:06 AM »

We've got quite a bit of it off your computer.We'll pick this back up in the morning
Logged

John Vickers
Pages: [1] 2  All Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page June 10, 2018, 06:04:45 AM