Help Me Out!!! Virus Plz


roshaz
December 23rd, 2004, 02:17 PM
HI
I recently got a virus which automatically got downloaded into my computer.
suddenly it gives a pop up window saying
"hi I am HCZ_UX_12o11, i am your virus software. i live in your system, a know all about you ,anf my master know all about you too"
the picture is stored in filename AIVIR.JPEG

the pop up window opens a site
http://vv2.s13.topx.cc/open_console_out.php?n=3&pin=154
and then shows the above message

i downloaded the latest norton antivirus update, also the spybotSD resident and spyware blaster but of no use.

again i got a pop up from the same site that he is still present in my computer

It always tries to start a self executable file "PLEASE WAIT AS WE TRY TO OPEN THE PLUGIN "

the virus also creates a cc.c program, and other files 1.dat through 10.dat in the c:\ (folder)
it also creates an application program 12240 with a girl's photo and a shortcut in the start menu.

it does not allow me to do any work. my homepage cannot be changed. all over FREE SEX ICONS come and this embarrasses my whole family.

my computer config is: P4 1.8 ghz o/s- win98 (Earlier it wasn't giving any problem as we used to check only mail and send greeting cards)
norton antivirus 2003
agp card

u guys are good, pls help me out.

thanks
roshaz

MrLinus
December 23rd, 2004, 02:24 PM
Poll is useless, thus closed.

Do you have a screen shot of the "popup" by the virus? Are you sure it isn't someone sending you a NetBIOS popup (net send ..)?

roshaz
December 23rd, 2004, 02:35 PM
i dont know how to give u the snapshot. i have stored it in the computer as a JPEG image but cannot upload it into this forum
roshaz

roshaz
December 23rd, 2004, 02:42 PM
hi moderator
plz help me out. i am already quite embarrassed as my parents think i download all this porn stuff which i don't.
they want me to fix the problem and i myself dont know.
through NAV, spybot, adware and spyware i removed around 500 different porn spywares. but this one does not even go. it has got installed as search assistant and i cannot uninstall it

roshaz

MrLinus
December 23rd, 2004, 02:47 PM
Do you have Hijackthis? If you do, fire that up and paste the results here.

As for the screenshot, next time just hit shift+print screen. Then open Paint (should be under Start --> Programs --> Accessories). Hit CTRL + V and then go to File --> Save As. Choose JPG from the list. And finally upload it like you did the picture above.

By the way, why did you upload that picture?


MsMittens' troll-sense is tingling... much like the Spidey-sense

roshaz
December 23rd, 2004, 02:56 PM
that picture was a part of it
the above writing was there and then was this picture
i searched in google. one of the results was itself a virus html site which nav blocked

roshaz

dspeidel
December 23rd, 2004, 02:58 PM
I think the solution can be found at http://www.bullguard.com/forum/9/Need-help-removing-trojans-hav_6705.html

Found the above googling on "I am your virus software" (many pages in Chinese or something like it)

Hope that helps.

Cheers,
-D

SwordFish_13
December 23rd, 2004, 03:06 PM
Hi,

roshaz we need you to Download HijackThis (http://www.spychecker.com/download/download_hijackthis.html).

Extract the Contents of the Zip File into some permanent Folder.

Run HijackThis.exe

Press the "Do a System Scan and Save a Log File" button, scan with it, and post the log here. Don't delete anything yourself, just scan and post the content of the log file here, and wait for someone to tell you what to get rid of.


And if you can post the snapshot of that popup by the method MsMittens told, it could be helpful too ...... :)

As for the screenshot, next time just hit print screen. Then open Paint (should be under Start --> Programs --> Accessories). Hit CTRL + V and then go to File --> Save As. Choose JPG from the list. And finally upload it like you did the picture above.

--Good Luck--

roshaz
December 24th, 2004, 11:24 AM
HI moderator and swordfish,
thanks for your suggestions. i have done the scan and stored the log file. i have also taken the snapshot of the scan.
pls help me out....

SwordFish_13
December 24th, 2004, 11:57 AM
Hi

roshaz Open the Log File in Notepad and "Select all" -->"Copy" and then Paste the Content here .

Or Post the Log File as an Attachment ..............

roshaz
December 24th, 2004, 01:16 PM
hi moderator and swordfish


Logfile of HijackThis v1.99.0
Scan saved at 3:43:32 PM, on 12/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2462.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\CMD32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\APPLICATION DATA\COST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\IR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 203.200.72.100:80
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9274D048-5431-11D9-8423-4C00531E4DC6} - C:\WINDOWS\SYSTEM\DLK.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Sbob] C:\WINDOWS\Application Data\cost.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: DLHelperEXE.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Contacts - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - C:\PROGRAM FILES\INTERNET EXPLORER\IECONT.DLL
O9 - Extra button: (no name) - {233A9694-667E-11d1-9DFB-006097D5040A} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://209.8.20.130/dl/adv343/x.chm::/load.exe
O16 - DPF: {33333333-3333-4444-3333-555555555555} - ms-its:mhtml:file://d:\foo.mht!http://kscorporations.com//style.css::/open.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c18.cab
O18 - Filter: text/html - {07C21C40-5432-11D9-8423-4C00F62D97E6} - C:\WINDOWS\SYSTEM\DLK.DLL
O18 - Filter: text/plain - {07C21C40-5432-11D9-8423-4C00F62D97E6} - C:\WINDOWS\SYSTEM\DLK.DLL
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)

ByTeWrangler
December 24th, 2004, 01:20 PM
Greetings

roshaz you can start the following way.

If you can go online do the following :

1. Go to the windows update site and scan your computer for any security patches. download them all. (this step is most important)

2. Get a firewall like Zonealarm (this is very easy to configure. just pay attention to what programs you allow access over the internet; this will also allow you to stop that malware from going online).

3. update your norton and scan your entire computer (all the drives). remember NOT TO EXCLUDE ANY FILES OR FILE TYPES. ALSO CHANGE YOUR BLOODHOUND SETTINGS IN NORTON TO MAXIMUM. <----- DO THE SCAN IN "SAFE MODE". DELETE ALL FILES, NO QUARANTINE.

4. now run your spy-bot (update it first) in safe mode too and see that you include your download directories too. (this can be done by starting spy-bot in advanced mode, then settings and then directories.) if you dont know how to start in advanced mode just start spy-bot then from the upper menus select Mode>Advanced mode.

5. Uninstall any P2P program and any unwanted program.

If done correctly the malware should be gone. but for precaution

download spywareblaster and spywareguard from www.javacoolsoftware.com

also get your computer scanned online at http://housecall.trendmicro.com

and if you can (and i think you should) change your browser to firefox which can be downloaded from :
http://www.mozilla.org/products/firefox/central.html.

Hope this helps. keep us updated. :)

ByTeWrangler
December 24th, 2004, 01:27 PM
greetings

start internet explorer. then do the following.
Tools>internet options>Security>Trusted sites and remove all sites from here. <---- very important you do this.

Now change your internet settings to medium and then click on default level and

1. disable loading of active-x components, better still set all active-x related settings to "DISABLE"

like i said before get mozilla firefox.

Also update your computer now, go to the windowsupdate site. you will never be able to get malware out of your system if you dont patch it.

ByTeWrangler
December 24th, 2004, 01:35 PM
Greetings

also it looks like your hosts file is completely infested.

go to your hosts file (i am not sure where it is in windows 98) but you may try by changing your viewing option to show "ALL FILES", then going to the windows directory and opening your hosts file and removing all entries.


and for better understanding whats wrong with you PC go to
http://www.hijackthis.de/logfiles/6fc52cafad36a66fa929fe31490a74a0.html

I have saved the analysis of your hijackthis log.

roshaz
December 24th, 2004, 01:43 PM
hi ted
i m a newbie. i have been downloading all sorts of things into the comp.
i have updated all type of software.
even now my comp is doin the trend micro thing
you are scaring me by telling all the jargons.
wht is host file? pls clarify

sword fish and moderator where art thou?
i have done the trusted sites thing
thanks

The Duck
December 24th, 2004, 10:45 PM
Ok, basically your computer is totally infested with sex crap. Looking at your hijack this log I can tell you that these:

O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net

are not good, you should delete those, also:

O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.topconverting.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)

don't look good either, maybe think about deleting those.

I think you should take an hour of your time and do research on all of those things I have pointed out. I just did a quick scan of your log and I'm sure I missed a lot of other bad things in your log. Don't go deleting things just because I told you though, you should wait for a more experienced hijack this user to come along and double check, but I can definitely tell you that the things I have listed are not good lol. Make a system restore point before deleting things...

nihil
December 25th, 2004, 03:35 AM
Ros~

My nilam, my baljit..............I hope I got those right :D

Do a Google search and find AdAware SE and Spybot Search & Destroy.......run these, and an updated anti-virus in SAFE MODE

Then post the HJT log

Sorry............I am lazy.........let the donkeys/mules carry the heavy loads?

:D

roshaz
December 26th, 2004, 06:34 AM
hi nihil
wht is hjt log.
i have spybot but how to get the log file.

i am trying to solve through hijack this.
but always i get this
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
no matter how much i delete it. it comes back

is there anyhow i can delete the temporary files in the IE as my NAV detects all of virus from
D:\Temporary Internet Files\Content.IE5

can u also provide info about:
O2 - BHO: (no name) - {9274D048-5431-11D9-8423-4C00531E4DC6} - C:\WINDOWS\SYSTEM\DLK.DLL
and when i submitted it in hijack this to analyse my log file then they used a term HIT RATE=-1 %
wht does it mean
and
O4 - Startup: DLHelperEXE.exe
have you ever heard of this DLhelperexe.exe

plz help me out

thanks

roshaz
December 26th, 2004, 06:50 AM
i have deleted all the necessary files.
plz tell me which all more should be fixed through hijackthis

Logfile of HijackThis v1.99.0
Scan saved at 11:18:36 AM, on 12/26/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2462.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMSX.EXE
C:\PROGRAM FILES\LOGITECH\VIDEO\LOGITRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\APPLICATION DATA\COST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\LOGITECH\VIDEO\FXSVR2.EXE
C:\WINDOWS\SYSTEM\IR.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [LVCOMSX] c:\windows\SYSTEM\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\PROGRAM FILES\LOGITECH\VIDEO\MANIFESTENGINE.EXE" boot
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab



as you can see i cannot delete the trusted sites things as they keep on coming back
even when i delete them every time.

thanks
roshaz

The Duck
December 26th, 2004, 07:48 AM
hmmm.... Those trusted IP ranges do look a little fishy to me but i'd leave them for now... it looks like your log is pretty clean, do you still get those porn icons and pop ups??

You can clear your temp internet files by opening internet explorer and clicking "tools" >> "Internet Options" and then clicking on "delete cookies" and "Delete Files" (click on the checkbox to delete all offline crap) and then clicking on "Clear History". That should do a pretty good job, if you still want more I'll give you instructions for creating a bat file that does a good job...

ByTeWrangler
December 26th, 2004, 01:26 PM
Greetings


Those 2 IPs in the trusted zone look very fishy and they shouldn't be there at all, remove them.
These IPs are registered to some internet service provider and don't have an up and running website; anyway you should remove them.

Analysis of your Hijackthis Log shows that your internet explorer version is old. the latest is 6.0.2900.2180. So go to windows update and download all updates.

for detailed analysis of your log go to http://www.hijackthis.de/logfiles/c71d915c710245206bc8c0c908db5fb2.html

anyway just try running all your malware remover programs once in safe mode and then again in normal mode, with updated definition files of course, and I just wanted to know if housecall (online scan) found any trojans and/or viruses, also when was the last virus detected by norton.

Plus i hope you have downloaded and installed a firewall, it's very important you do so to add a layer of security.

and if you want a nifty little program to delete all cookies for you, download cookiemonster from http://www.ampsoft.net/
and better still if you want software to delete all your online junk as well as windows temp files, download CCleaner from http://www.ccleaner.com/.

Keep us updated

meeeeeee
December 26th, 2004, 06:09 PM
Next, please download this file to your desktop - http://www.mvps.org/winhelp2002/DelDomains.inf .

Right click on the file you downloaded and select install. This resets the trusted and restricted zones to defaults. This will clean out your 015's.

Next, reboot and post a fresh log and we'll see if your log stays clean.

:)
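The DelDomains.inf file linked in the reply above resets the Trusted and Restricted zones, which is where the O15 lines come from. The script below is an added example, not DelDomains.inf and not code from any of the posters: it reads a .reg export of the zone mapping and lists what is assigned to each zone, so the entries can be compared against what the user actually put there before anything is reset. It assumes the layout HijackThis reads for O15, namely that zone assignments live under `Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap` in HKCU and HKLM, with one subkey per domain under `Domains\` (optionally a host subkey below it) and one per address block under `Ranges\` whose `:Range` string holds the address, and that a value named after the URL scheme holds the zone number (2 = Trusted sites, 4 = Restricted sites). The .reg text is constructed to mirror the O15 lines in the first log, plus one Restricted entry to show the zone filter.

```python
"""List Internet Explorer zone assignments from a .reg export of the ZoneMap key.

Added example, not DelDomains.inf and not code from any poster in the thread.
Assumed layout (see the lead-in): Domains\<domain>[\<host>] and Ranges\<name>
subkeys under ZoneMap, each holding scheme-named values whose DWORD is the zone.
Export the key with regedit and save it as plain text before feeding it in.
"""
import re

ZONE_NAMES = {
    0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
    3: "Internet", 4: "Restricted sites",
}
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\.*?\\ZoneMap\\(Domains|Ranges)\\(.+)\]$")
DWORD_RE = re.compile(r'^"(.+?)"=dword:([0-9A-Fa-f]{8})$')
STRING_RE = re.compile(r'^"(.+?)"="(.*)"$')

# Constructed sample export modelled on the O15 entries in the first log above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windupdates.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.test\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\blocked.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="67.19.185.246"
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windupdates.com]
"*"=dword:00000002
"""


def _emit(hive, kind, path, values, out):
    """Turn one ZoneMap subkey (assumed layout) into zone records."""
    if kind == "Domains":
        parts = path.split("\\")
        # Domains\example.test\www -> www.example.test; a value directly under the
        # domain key covers the whole domain, shown HijackThis-style as *.domain
        target = ".".join(parts[1:] + [parts[0]]) if len(parts) > 1 else "*." + parts[0]
    else:
        target = values.get(":Range", path)  # address block named by its :Range string
    for name, val in values.items():
        if name == ":Range":
            continue
        out.append({"hive": hive, "target": target, "scheme": name,
                    "zone": val, "zone_name": ZONE_NAMES.get(val, "unknown")})


def audit(reg_text):
    """Return every ZoneMap assignment found in the export, one dict per scheme value."""
    out, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            if current:
                _emit(*current, out)
            m = KEY_RE.match(line)
            current = [HIVES.get(m.group(1), m.group(1)), m.group(2), m.group(3), {}] if m else None
            continue
        if current is None:
            continue  # header line, blank line, or a key outside ZoneMap
        d, s = DWORD_RE.match(line), STRING_RE.match(line)
        if d:
            current[3][d.group(1)] = int(d.group(2), 16)
        elif s:
            current[3][s.group(1)] = s.group(2)
    if current:
        _emit(*current, out)
    return out


def trusted(reg_text):
    """Assignments to the Trusted sites zone (2): compare these with what you expect to be there."""
    return [e for e in audit(reg_text) if e["zone"] == 2]


if __name__ == "__main__":
    for e in audit(SAMPLE_REG):
        print(f'{e["hive"]:<4} {e["zone_name"]:<16} {e["scheme"]:<5} {e["target"]}')
```

Because the HKCU and HKLM copies are listed separately, an entry that survives a fix in one hive (the `(HKLM)` duplicates in the logs above) shows up with its hive tag, which is the detail to check when a Trusted Zone line "keeps coming back".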

The Duck
December 26th, 2004, 07:32 PM
byte wrangler, he has windows 98 and because of that I don't think he will be able to get the latest internet explorer because of compatibility issues...

ByTeWrangler
December 26th, 2004, 08:31 PM
Greetings:

Okay I found this URL from where you can download the latest patch (actually Service Pack) for other versions of windows except WINDOWS XP.

http://www.microsoft.com/windows/IE/nonxp.mspx

Moreover I hope "Roshaz" you tell us if your windows is completely updated, because a completely patched (updated) windows, or for that matter any software, is always required if you want a secure system.

yourdeadin
December 27th, 2004, 11:05 AM
well let that be a lesson to you to use a firewall at all times and use an up to date antivirus
rest leave it to M$ guys!!!!

roshaz
December 29th, 2004, 01:45 PM
hi friends
thanks for the constant help which you all have provided.
i downloaded DelDomains from the internet and installed it but my screen is not refreshing and gets hung as i move the page down button
a sample is given below
i have the latest updates from NAV. i am also attaching the hijack this log file
pls c and tell me how to remove other stuff

thanks once again
roshaz

roshaz
December 29th, 2004, 01:47 PM
and as i m minimising the browser it does not go to the tool bar but goes somewhere else
Logfile of HijackThis v1.99.0
Scan saved at 6:17:34 PM, on 12/29/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\LVCOMSX.EXE
C:\PROGRAM FILES\LOGITECH\VIDEO\LOGITRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LOGITECH\VIDEO\FXSVR2.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {26DD753A-59AA-11D9-8423-4C00DF6EEEDD} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - (no file)
O2 - BHO: (no name) - {9274D048-5431-11D9-8423-4C00531E4DC6} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [LVCOMSX] c:\windows\SYSTEM\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\PROGRAM FILES\LOGITECH\VIDEO\MANIFESTENGINE.EXE" boot
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Filter: text/html - {26DD7539-59AA-11D9-8423-4C002FBC70AA} - (no file)
O18 - Filter: text/plain - {26DD7539-59AA-11D9-8423-4C002FBC70AA} - (no file)

meeeeeee
December 29th, 2004, 03:52 PM
Even if you didn't think that file worked something cleared the 015's from your log......

Now to finish the clean-up.

Please select the following with HijackThis. With all windows (including this one!) closed, please select "fix."

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O18 - Filter: text/html - {26DD7539-59AA-11D9-8423-4C002FBC70AA} - (no file)
O18 - Filter: text/plain - {26DD7539-59AA-11D9-8423-4C002FBC70AA} - (no file)


Then, while in safe mode, run the CWShredder (click here (http://www.intermute.com/spysubtract/cwshredder_download.html) to download).

Run the Housecall scan again and Ad-aware in safe mode.

Then reboot and post a fresh HijackThis log.

:D
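The Duck's reply and the fix list above pick out the same handful of HijackThis entry classes: hosts entries, Trusted Zone additions, unnamed BHOs and shell objects, MIME filters, a start page pointed at a bare IP address or a local file, and an autostart running out of Application Data. The script below is an added example, not HijackThis code and not anything the posters ran: it reads log lines in the HijackThis format and flags those patterns so a log can be triaged before anyone starts deleting. A flag means "review this", not a verdict (Spybot's own helper, for instance, also shows as `(no name)` in the logs above). The sample log is a constructed excerpt modelled on the first and third logs in the thread.

```python
"""Triage HijackThis log lines for the entry classes called out in the thread.

Added example, not HijackThis code and not the posters' own. Flags, per section:
R0/R1 start or search page set to an IP literal or a local file; O1 hosts entries
other than the default localhost line; O2/O21 components with no name or no file;
O4 autostarts launched from a user-data or temp folder; every O15 Trusted Zone
entry; O16 DPF downloads through a non-HTTP scheme; every O18 MIME filter.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O15"
    reason: str    # why the line was flagged
    line: str      # the original log line


# Constructed sample: a handful of lines modelled on the logs posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {9274D048-5431-11D9-8423-4C00531E4DC6} - C:\WINDOWS\SYSTEM\DLK.DLL
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Sbob] C:\WINDOWS\Application Data\cost.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://209.8.20.130/dl/adv343/x.chm::/load.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Filter: text/html - {07C21C40-5432-11D9-8423-4C00F62D97E6} - C:\WINDOWS\SYSTEM\DLK.DLL
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
USER_DIR_RE = re.compile(r"\\(application data|temp)\\", re.IGNORECASE)


def _check(sec, body):
    """Return a reason string if the entry deserves review, else None."""
    if sec in ("R0", "R1"):
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if IP_URL_RE.match(value) or value.lower().startswith("file://"):
            return "start/search page points at an IP literal or a local file"
    elif sec == "O1":
        m = HOSTS_RE.match(body)
        if m and not (m.group("ip") == "127.0.0.1" and m.group("host") == "localhost"):
            return f"non-default hosts entry: {m.group('host')} -> {m.group('ip')}"
    elif sec in ("O2", "O21"):
        if "(no name)" in body or "(no file)" in body:
            return "component with no name or no file on disk"
    elif sec == "O4":
        if USER_DIR_RE.search(body):
            return "autostart launched from a user-data or temp folder"
    elif sec == "O15":
        return "non-default Trusted Zone entry"
    elif sec == "O16":
        target = body.rsplit(" - ", 1)[-1]
        if not target.lower().startswith(("http://", "https://")):
            return f"DPF download through non-HTTP scheme: {target.split(':', 1)[0]}"
    elif sec == "O18":
        mime = body.split(" - ", 1)[0].split(": ", 1)[-1]
        return f"MIME filter registered for {mime}"
    return None


def triage(log_text):
    """Return a Finding for every log line that matches one of the review rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the "Running processes" block, blank lines
        reason = _check(m.group("sec"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("sec"), reason, line))
    return findings


def counts_by_section(findings):
    """Summarise findings as {section: count}, handy for comparing successive logs."""
    out = {}
    for f in findings:
        out[f.section] = out.get(f.section, 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Running `counts_by_section` over each log a user posts gives a quick way to see whether a cleanup round actually removed an entry class or, as with the O15 lines in this thread, whether it came back after a reboot.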

AngelicKnight
December 29th, 2004, 06:13 PM
Follow these guys' instructions closely, and you should be alright. But if you don't understand how and why you got infected, this is a waste of time, as you'll be infected with crap all over again within a day or two.

Here's what got you in so much trouble:

i have been downloading all sorts of things into the comp.

You must be very very careful what you download from where and exercise a lot of discretion. Many worms, viruses, and other forms of malware piggyback atop otherwise innocent files, so anything you download is potentially infectious. Until you get out of your newbie stage especially, you should only download files from well-known, trusted websites (and even then, you're still very much at risk) and scan every single thing you download with NAV.

Going download-crazy will get you every time, especially if you're a newbie.

I highly suggest taking a couple of days to sit down and just research basic computer security (start by reading tutorials here at AO). Start your learning by focusing on viruses, trojans, worms, spyware, adware, firewalls, and antivirus programs. Just do a search on each and start studying. We can tell you what to do here every step of the way, but if you're only doing as you're told and not actually understanding what it is you're doing and why, you're just going to wind up in this situation all over again soon.

Good luck getting cleaned up and keep us posted.

roshaz
January 4th, 2005, 02:47 PM
hi everybody

thanks for the constant help you all were providing during my mayhem days
Its been a week and my computer is running well

HAPPY NEW YEAR!!!!

ROSHAZZ :)

Elias09
January 20th, 2005, 07:43 PM
Hi everybody,

I had that virus problem last year and TWO laptops of mine got totally screwed up with the viruses.
I spent a lot of money having the laptops repaired but finally I can't connect them to the internet without a firewall that makes them work incredibly slowly or without risking another virus again.

So the solution for me was to buy a Mac laptop.
These do not get any viruses. That's the advantage and I must say, I am really happy with it.
On the other hand, a Mac comes with little disk space and is prone to other technical shortcomings.

Wish U best to sort out your viruses!
Cheers from
Elias09