Hmm...trojan Help

Posted 7/26/2004 10:49 PM
#2124
Amy Member

Date Joined Nov 2016
Total Posts: 5
So I've gone through quite a process....running Bullguard for over 30 hours first (I posted the log below). After it was at 100% (but still didn't stop) I closed it out and closed both that and McAfee entirely, and then ran HijackThis...and got the log below. I have turned off System Restore, but I don't know what I need to do now, and strangely the computer is running at least 50 times the speed it has been for the past day or so. Anyway, help?




Logfile of HijackThis v1.97.7
Scan saved at 4:38:13 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\system32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BullGuard\bgnewsag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ScanSoft\PaperPort\Pplinks.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\TEMP.JEPPSON.001\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = https://www.websearch.com/ie.aspx?tb_id=40
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [FLSYFMSZC] C:\WINDOWS\FLSYFMSZC.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\OneTouchMon.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\BullGuard\\bdmcon.exe
O4 - HKLM\..\Run: [BGNewsAgent] c:\program files\bullguard\bgnewsag.exe
O4 - HKLM\..\Run: [McafDellTag] C:\Program Files\McAfee.com\Agent\mcdeltag.exe
O4 - HKLM\..\RunServices: [SystemSAS] system32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - https://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - https://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - https://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://travel.beminc.com/iNotes6.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - https://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - https://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - https://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - https://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - https://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - https://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - https://messenger.zone.msn.com/binary/WoF.cab28578.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - https://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://www.sparedollar.com/sdImage/XUpload.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - https://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab






BullGuard report file
//
// Created on: 25/07/2004 10:24:30
//
//-----------------------------------------------------------------


Summary:

C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>CmnIds.vbs Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/arrow_right.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/btn_signup_52x20.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/more_info.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/sidetable_bottom.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/sidetable_bottom_red.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/sidetable_top.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/sidetable_top_red.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/transpix.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>images/watermark_mys_150x130.gif Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>oemcfg.vbs Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>OEMIds.vbs Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>valert.htm Password protected
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\News\valert.ui=>valert_old.htm Password protected
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\Belt.exe Infected Trojan.Downloader.Stubby.A
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\Belt.exe Disinfection failed - Trying second action
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\Belt.exe Moved
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\Installer2.exe=>(Embedded EXE o) Infected Trojan.Clicker.Delf.R
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\Installer2.exe=>(Embedded EXE o) Disinfection failed - Trying second action
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\Installer2.exe=>(Embedded EXE o) Move failed
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\ncmyb.dll Infected Adware.1088
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\ncmyb.dll Disinfection failed - Trying second action
C:\Documents and Settings\Michelle Jeppson\Local Settings\Temp\ncmyb.dll Moved
C:\Documents and Settings\Samantha Jeppson\Local Settings\Temp\~7772838386.tmp Infected Trojan.Downloader.Siboco.A
C:\Documents and Settings\Samantha Jeppson\Local Settings\Temp\~7772838386.tmp Deleted

Statistics

Scan path : A:\
C:\
D:\
E:\
Folders : 1903
Files : 162106
Archives : 4615
Packed files : 9220
Identified viruses : 4
Infected files : 4
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 1
Copied files : 0
Moved files : 2
Renamed files : 0
I/O errors : 13
Scan time : 29:55:22
Scan speed (files/sec) : 1

Virus definitions : 87568
Scan plugins : 12
Archive plugins : 36
Unpack plugins : 3
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Posted 7/26/2004 11:52 PM
#2126
Amy Member

Date Joined Nov 2016
Total Posts: 5
New after CWShredder. Please help me. Please.


Logfile of HijackThis v1.97.7
Scan saved at 5:51:10 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\BullGuard\vsserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\TEMP.JEPPSON.001\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = https://www.websearch.com/ie.aspx?tb_id=40
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [FLSYFMSZC] C:\WINDOWS\FLSYFMSZC.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\OneTouchMon.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\BullGuard\\bdmcon.exe
O4 - HKLM\..\Run: [BGNewsAgent] c:\program files\bullguard\bgnewsag.exe
O4 - HKLM\..\Run: [McafDellTag] C:\Program Files\McAfee.com\Agent\mcdeltag.exe
O4 - HKLM\..\RunServices: [SystemSAS] system32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - https://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - https://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab28578.cab
O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - https://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://travel.beminc.com/iNotes6.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - https://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - https://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - https://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - https://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - https://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - https://messenger.zone.msn.com/binary/ZIntro.cab28578.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - https://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - https://messenger.zone.msn.com/binary/WoF.cab28578.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - https://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://www.sparedollar.com/sdImage/XUpload.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - https://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab

Posted 7/27/2004 4:03 AM
#2131
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hi Amy

Install a firewall: https://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
If you use Bullguard's firewall, deactivate it!

And deactivate one of your virus programs.

Deactivate System Restore.

Run HijackThis, close all other windows, put a checkmark next to these, and FIX:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = https://www.websearch.com/ie.aspx?tb_id=40
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [FLSYFMSZC] C:\WINDOWS\FLSYFMSZC.exe
O4 - HKLM\..\RunServices: [SystemSAS] system32.exe

Boot to safe mode- F8
Show hidden files-
https://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2002092715262339?Open&src=ent&docid=2002092514302348&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&osv=&osv_lvl=

Find and delete:
C:\WINDOWS\System32\system32.exe <<<Exe File
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL >>>Folder
C:\WINDOWS\FLSYFMSZC.exe <<<<<File

Boot to normal mode, and run: https://housecall.trendmicro.com/


And post a new log.

Do not PM me with logfiles. They will be deleted.
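As an added example (not part of this thread and not HijackThis code), the script below applies the reasoning behind the fix list above to a log in the same v1.97 format: a Shell= value with anything chained after Explorer.exe, an O4 RunServices autostart, an executable dropped straight into the Windows root, an orphaned O3 toolbar, and a SearchAssistant pointed away from Microsoft. The sample log is constructed from the same line shapes as the logs posted above; the O4 root-directory rule is a heuristic for review, not a verdict.

```python
"""Triage a HijackThis 1.97-style log for the persistence patterns discussed in this thread."""
import re

# Constructed sample (same line shapes as the logs in this thread, not a real capture).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = https://www.websearch.com/ie.aspx?tb_id=40
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\system32.exe
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [FLSYFMSZC] C:\WINDOWS\FLSYFMSZC.exe
O4 - HKLM\..\RunServices: [SystemSAS] system32.exe
"""

# Line shapes as HijackThis prints them (F0/F2 shell, O4 autostart, O3 toolbar, R1 search).
SHELL_RE = re.compile(r"^(F0|F2) - (?:REG:)?system\.ini: Shell=(.+)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[([^\]]*)\] (.+)$")
O3_RE = re.compile(r"^O3 - Toolbar: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$")
R_RE = re.compile(r"^R[01] - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,SearchAssistant = (.+)$")
WINROOT_EXE_RE = re.compile(r"[A-Za-z]:\\WINDOWS\\[^\\]+\.exe", re.IGNORECASE)


def first_token(cmd):
    """Return the executable from a Run value: a quoted path or the first whitespace-split token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(log_text):
    """Return (section, reason, line) tuples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SHELL_RE.match(line)
        if m:
            # The shell value should be exactly Explorer.exe; anything appended runs at every logon.
            if m.group(2).strip().lower() != "explorer.exe":
                findings.append((m.group(1), "shell hijack: extra program chained to Explorer.exe", line))
            continue
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            if key == "RunServices":
                # RunServices is a Win9x-era key; legitimate XP software rarely uses it.
                findings.append(("O4", "RunServices autostart", line))
            elif WINROOT_EXE_RE.fullmatch(first_token(cmd)):
                # An executable sitting directly in the Windows root (not System32) is unusual.
                findings.append(("O4", "executable in Windows root", line))
            continue
        m = O3_RE.match(line)
        if m and m.group(2).strip() == "(no file)":
            findings.append(("O3", "orphaned toolbar entry (no file)", line))
            continue
        m = R_RE.match(line)
        if m and "microsoft.com" not in m.group(1).lower():
            findings.append(("R1", "SearchAssistant redirected away from Microsoft", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```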


Posted 7/27/2004 5:11 PM
#2151
Amy Member

Date Joined Nov 2016
Total Posts: 5
I've done everything you've suggested, up until finding and deleting the files and folder above. I could not find them. Is there a better way to try and find them other than start--->search?

Posted 7/27/2004 5:17 PM
#2152
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Try finding from explorer.

Do not PM me with logfiles. They will be deleted.


Posted 7/27/2004 5:21 PM
#2154
Amy Member

Date Joined Nov 2016
Total Posts: 5
Sorry. I feel stupid asking this, but how?

Posted 7/27/2004 6:35 PM
#2156
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
There are no stupid questions, only stupid answers :yeah:


Open Explorer through My Computer, C: drive, and find:

C:\WINDOWS\System32\system32.exe <<<Exe File
C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL >>>Folder
C:\WINDOWS\FLSYFMSZC.exe <<<<<File



Double-click on Windows, find the system32 folder below, double-click it, and find system32.exe. Delete it.



Same procedure with the others.

Do not PM me with logfiles. They will be deleted.


Posted 7/27/2004 7:30 PM
#2159
Amy Member

Date Joined Nov 2016
Total Posts: 5
Hi.

system32.exe won't let me delete it, as it is access denied...MYBAR.DLL is now gone, and I can't find FLSYFMSZC.exe. How do I override the access denied to delete the system32.exe file?

Posted 7/27/2004 11:26 PM
#2164
old_fart Advanced member

Date Joined Nov 2016
Total Posts: 33
Amy

Saw that no one picked up your last post, so thought I'd give it a go.

Here is a site that has a downloadable scanner and remover for system32.exe

https://www.2-spyware.com/file-system32-exe.html

You cannot remove it because it is running. Open Task Manager and look for it under Processes. Stop it, and then delete it. It may come back on boot. You will need to turn off System Restore, and then remove it.

You may also have some registry entries that are affecting it, and may cause you to get a pop up on boot stating that you have a missing file - System32.exe. All will still work, but it is annoying.

If you have never edited the registry, it can be tricky, so you may not want to try it.

Another approach would be to kill the .exe, remove the file, and then do a System Restore to some previous date prior to the infection. Of course, this won't work if you have already turned it off.

Multiple AV progs running interfere with each other. One of the best I have found is AVG from Grisoft, free too. It is the least intrusive, and can find these trojans on a scan.

I will unfortunately be working on my XP box tonight, so e-mail me if you are on. I don't do messaging, also too intrusive, but I can answer questions through e-mail.

You can post here if you don't find my e-mail. Double-click on my profile and it is in the comments.