Author Topic: Super-infected and irritated  (Read 809 times)

Offline Ana-bee

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Super-infected and irritated
« on: October 16, 2005, 02:56:44 PM »
Hey. Getting discouraged here; all this is beyond my competence. Okay, I have viruses/worms that have lowered my internet security. I think AVG doesn't update properly, Ad-Aware detects about 30 high-risk spywares every 12 hours, and an AVG scan does not detect any virus or threats.

I tried to download Ewido (from a link you posted in 'i have a virus') 3 times now, but I can't install it: a window appears saying: NSIS Error "The installer you are using is corrupted or infected incomplete.  It may be possible to skip this check by using the NCRC command line switch"

I will do a quick cleanup with the small program Cleanup40 (seen in a post "i have a virus"), and I will run HijackThis and send the log file.

If it can be of any help ...
I downloaded MicroWorld AV and scanned with it; here are the results:

gram Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D9C027CF-DF75-4D2C-B763-AC1CA31C4AF8}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamiui.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{7E67ADE2-1334-11D1-9676-00A0C9054168}" refers to invalid object "C:\WINDOWS\SYSTEM\IE4TOUR.DLL". Action Taken: No Action Taken.
Entry "HKCR\Overview.Document" refers to invalid object "{DA23B9C9-6893-11D0-8534-00C04FD7AD0C}". Action Taken: No Action Taken.
Entry "HKCR\TSHOOT.TSHOOTCtrl.1" refers to invalid object "{4B106874-DD36-11D0-8B44-00A024DD9EFF}". Action Taken: No Action Taken.
Entry "HKCR\.acl" refers to invalid object "ACLFile". Action Taken: No Action Taken.
Entry "HKCR\.aw" refers to invalid object "AWFile". Action Taken: No Action Taken.
Entry "HKCR\.col" refers to invalid object "COLFile". Action Taken: No Action Taken.
Entry "HKCR\.det" refers to invalid object "DETFile". Action Taken: No Action Taken.
Entry "HKCR\.elm" refers to invalid object "ELMFile". Action Taken: No Action Taken.
Entry "HKCR\.ffa" refers to invalid object "FFAFile". Action Taken: No Action Taken.
Entry "HKCR\.ffl" refers to invalid object "FFLFile". Action Taken: No Action Taken.
Entry "HKCR\.fft" refers to invalid object "FFTFile". Action Taken: No Action Taken.
Entry "HKCR\.ffx" refers to invalid object "FFXFile". Action Taken: No Action Taken.
Entry "HKCR\.gst" refers to invalid object "MSMap.Datainst.8". Action Taken: No Action Taken.
Entry "HKCR\.lex" refers to invalid object "LEXFile". Action Taken: No Action Taken.
Entry "HKCR\.opc" refers to invalid object "OPCFile". Action Taken: No Action Taken.
Entry "HKCR\.pcb" refers to invalid object "PCBFile". Action Taken: No Action Taken.
Entry "HKCR\.pip" refers to invalid object "PIPFile". Action Taken: No Action Taken.
Entry "HKCR\.SC2" refers to invalid object "SchedulePlus.Application.7". Action Taken: No Action Taken.
Entry "HKCR\.SCD" refers to invalid object "SchedulePlus.Application.7". Action Taken: No Action Taken.
Entry "HKCR\.SCH" refers to invalid object "SchedulePlus.Application.7". Action Taken: No Action Taken.
Entry "HKCR\.sll" refers to invalid object "SSLFile". Action Taken: No Action Taken.
Entry "HKCR\.stf" refers to invalid object "STFFile". Action Taken: No Action Taken.
Entry "HKCR\.tuw" refers to invalid object "TUWFile". Action Taken: No Action Taken.
Entry "HKCR\.wll" refers to invalid object "Word.Addin.8". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.

Offline Ana-bee
Super-infected and irritated
« Reply #1 on: October 16, 2005, 03:06:59 PM »
Hrm...

From the MWAV results, the following were missing, I think...


Scan results with MWAV
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\ECBTEG.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\MsoHtmEd.exe" refers to invalid object "". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "C:\WINDOWS\SYSTEM\disktool.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E9975030-D326-11D0-BDE6-00AA001A1953}" refers to invalid object "C:\WINDOWS\SYSTEM\MSAAHTML.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31898-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31897-D1E6-4758-80BE-31E873AC2903}" refers to invalid object

If anyone can help me at all, I would be grateful. Will post the HijackThis log in a little bit.
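Later in the thread the admin points out that most of these MWAV lines are leftover registry references rather than infections, and that only the "Object ... found" lines name actual spyware. The following script, added here as an example and not the poster's or MicroWorld's code, parses lines in exactly the two formats quoted above and sorts them into detections versus registry debris. The sample input is a constructed subset of the lines in this thread, and the category names are the author's own labels, not anything MWAV prints.

```python
import re
from collections import Counter

# Constructed sample in the format of the MWAV lines quoted in the thread (a subset, not the full output).
SAMPLE_SCAN = r"""
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\SYSTEM\ECBTEG.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31898-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\.acl" refers to invalid object "ACLFile". Action Taken: No Action Taken.
Entry "HKCR\.SC2" refers to invalid object "SchedulePlus.Application.7". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
"""

# The two line shapes seen in the scan output.
OBJECT_RE = re.compile(r'^Object "(?P<name>[^"]+)" found in (?P<where>[^!]+)! Action Taken: (?P<action>[^.]+)\.$')
ENTRY_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<target>[^"]*)"\. Action Taken: (?P<action>[^.]+)\.$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f-]{36}\}$')


def classify_entry(key, target):
    """Label (author's own categories) why a registry entry points at something missing.
    All of these are leftovers from uninstalled software, not running code."""
    if key.upper().startswith("HKCR\\."):
        return "stale file association"       # extension whose ProgID is gone
    if target.lower().endswith((".dll", ".exe", ".ocx")):
        return "missing file reference"       # key names a file no longer on disk
    if GUID_RE.match(target):
        return "missing COM class reference"  # ProgID points at an unregistered CLSID
    return "missing ProgID reference"


def parse_scan(text):
    """Return (records, unrecognised_lines); blank lines are ignored."""
    records, unrecognised = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = OBJECT_RE.match(line)
        if m:
            records.append({"kind": "detection", "name": m["name"],
                            "where": m["where"], "action": m["action"]})
            continue
        m = ENTRY_RE.match(line)
        if m:
            records.append({"kind": "stale-entry", "key": m["key"], "target": m["target"],
                            "hive": m["key"].split("\\", 1)[0],
                            "category": classify_entry(m["key"], m["target"]),
                            "action": m["action"]})
            continue
        unrecognised.append(line)
    return records, unrecognised


def triage(records):
    """Split the scan into what needs cleaning (detections) and what is only registry debris."""
    detections = Counter(r["name"] for r in records if r["kind"] == "detection")
    debris = Counter(r["category"] for r in records if r["kind"] == "stale-entry")
    untouched = sum(1 for r in records if r["action"] == "No Action Taken")
    return {"detections": detections, "stale_entries": debris, "no_action_taken": untouched}


if __name__ == "__main__":
    recs, bad = parse_scan(SAMPLE_SCAN)
    summary = triage(recs)
    print("Detections needing removal:", dict(summary["detections"]))
    print("Registry debris by category:", dict(summary["stale_entries"]))
    print("Lines with no action taken:", summary["no_action_taken"])
    print("Unrecognised lines:", bad)
```

Run against the sample, the two spyware families stand out from five stale registry entries, which matches the admin's reading of the scan: the "No Action Taken" count shows the scanner only reported, so the detections still have to be cleaned by another tool.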

Offline Ana-bee
Super-infected and irritated
« Reply #2 on: October 16, 2005, 04:02:26 PM »
Just in case that might help, here is the last HijackThis log that I got after cleaning out the computer with that Cleanup! tool and scanning with Ad-Aware (free personal version).

Logfile of HijackThis v1.99.1
Scan saved at 16:48:03, on 16/10/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\RUNSERVICE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O11 - Options group: [Accessibilité] Accessibilité
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab

Offline Ana-bee
Super-infected and irritated
« Reply #3 on: October 16, 2005, 04:31:00 PM »
:)  *hugs* Thanks ahead to anyone who can bring me some help or technical support :)

How do I reset my internet security?
When I run regedit and look through the HKLM security zone 3, some odd numbers appear in the values. Is that normal? Not just 0's or 1's but numbers like:
0x000011000 (62987)
*darn, of course now I can't find it anymore to show an actual example*

*shrugs*
Thanks

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Super-infected and irritated
« Reply #4 on: October 16, 2005, 08:21:13 PM »
Here's what I suspect you are looking for.

From Microsoft:

1.   On the Tools menu in Internet Explorer, click Internet Options, and then click the Security tab.
2.   Click Internet, and then click Default Level.
3.   Click Local Intranet, and then click Default Level.
4.   Click Trusted sites, and then click Default Level.
5.   Click Restricted sites, and then click Default Level.
6.   Click Apply.
7.   On the Privacy tab, click Default, and then click Apply.

Ewido won't work on Windows 98, sorry.

If you would like to run a different scanner similar to Ewido,
try A-Squared by Emsisoft:
http://www.emsisoft.com/en/software/free/

After installation check for updates, and reboot the computer if prompted.
Then run a complete scan.

Let me know how it goes.
If AVG or A-Squared finds something it can't remove,
let me know where the file is located.
I would also check for updates with AVG now and see if you can get them.
Make sure you're running the latest version of "AVG7".

Can you also open HijackThis >> Open Misc Tools section,
click the Hosts file manager,
click the "Open in Notepad" button.
A text file will open; can you copy and paste back here the whole contents please?

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Ana-bee
Super-infected and irritated
« Reply #5 on: October 16, 2005, 11:55:30 PM »
Here it is, the content of the hosts file manager:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


------------------
---> The A-Squared scan revealed 5 malwares and cleaned them.  AVG didn't reveal anything.  (I think I'm using the latest version of AVG7, version 7.0.344, virus database updated 15:45 16/10/05.)
--->  I reset the internet settings.. lol.. I saw that operation as much more complicated than it was.. I'm rather glad I didn't have to go and change the values in the registry manually.
--->  So far so good, I think.  Computer, IE and other programs haven't crashed yet.

thanks
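The admin asked for the hosts file because malware commonly edits it to pin antivirus and update sites to 127.0.0.1 or to some other address, which would explain an AV product that never updates and a vendor site that "isn't the same URL as usual". The file above is the untouched Windows 98 default. The script below, added here as an example rather than anything from the thread or from HijackThis, parses the format the file's own comments describe (address, host names, optional `#` comment) and flags the mappings a defender would want to look at. The clean sample is the default file quoted above with its comments shortened; the tampered sample and the vendor watchlist are constructed for the example.

```python
import ipaddress

# Constructed watchlist: vendor domains the tools in this thread update from. Any hosts-file
# mapping for these deserves a look, because malware uses the file to cut updates off.
WATCHLIST = ("grisoft.com", "avg.com", "emsisoft.com", "microsoft.com")

# The default Windows 98 hosts file as quoted in the thread (comments shortened).
CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
"""

# Constructed tampered file for comparison; none of these entries were in the poster's file.
TAMPERED_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.grisoft.com             # vendor site pinned to loopback
10.0.0.5        free.grisoft.com            # vendor site sent to another host
192.168.1.20    rhino.acme.com              # ordinary LAN entry, only worth a glance
300.1.1.1       emsisoft.com                # not even a valid address
"""


def parse_hosts(text):
    """Return (line_no, ip, hostnames) for each mapping; comments and blank lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # a comment may follow the mapping on the same line
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue                           # damaged line: skip rather than abort the audit
        entries.append((line_no, fields[0], fields[1:]))
    return entries


def _is_watched(host):
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """Return findings as (line_no, kind, ip, host) tuples in file order."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, "invalid-address", ip, hosts[0]))
            continue
        # 127.x, ::1 and 0.0.0.0 all sinkhole a name; anything else redirects it.
        is_local = addr.is_loopback or addr.is_unspecified
        for host in hosts:
            if host.lower() == "localhost":
                if not is_local:
                    findings.append((line_no, "localhost-redirected", ip, host))
            elif _is_watched(host):
                kind = "vendor-blocked" if is_local else "vendor-redirected"
                findings.append((line_no, kind, ip, host))
            elif not is_local:
                findings.append((line_no, "review-non-local", ip, host))
    return findings


if __name__ == "__main__":
    print("default file:", audit_hosts(CLEAN_HOSTS))
    for finding in audit_hosts(TAMPERED_HOSTS):
        print("line %d: %s  %s -> %s" % finding)
```

The default file produces no findings, which is the result the admin was checking for. On the constructed file the two vendor entries are reported first, the LAN entry is only marked for review, and the malformed address is reported instead of crashing the parser, so a partially damaged file still gets audited to the end.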

Offline Ana-bee
Super-infected and irritated
« Reply #6 on: October 17, 2005, 05:18:13 PM »
I have another question...

AVG does not find a virus anywhere.
But this morning I scanned with the free scan from MWAV and it found 17 viruses and 35 errors?

I tried to open the Grisoft web site, but I feel like it isn't the same URL as usual: http://www.grisoft.com/doc/1 .

I feel like the computer is still infected, and after updating the AVG virus definitions (3 times/day) it doesn't seem to detect anything.

Any ideas?

Offline guestolo
Super-infected and irritated
« Reply #7 on: October 17, 2005, 06:16:18 PM »
If I look at your last MWAV scan, it doesn't appear to be viruses that are infecting you,
just leftover registry entries and possibly a couple of false positives.

If you could, go from my signature below to the free online scan at Panda's.
Select to scan "Local Disks".
When the scan is done,
if anything was found you will have the option to save a report.
Do so and post the report back here.
