
Could anyone help me please?

Discussion in 'Virus & Other Malware Removal' started by jessie03, Sep 13, 2003.

Thread Status:
Not open for further replies.
  1. jessie03 (Thread Starter) - Joined: Sep 12, 2003 - Messages: 4

    I think I've got the w32.kwbot.c.worm, though Norton AntiVirus said it had deleted it already. My mouse didn't work at first; it's OK again after I changed it. Now it's the keyboard. I've used Spybot; after fixing the computer with that, the keyboard seems to work again. I don't know whether the virus is going to do any other damage again. Could anyone help me with this HijackThis log file please? Thanks a lot


    Logfile of HijackThis v1.97.1
    Scan saved at 17:08:56, on 13/9/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\sistray.EXE
    C:\WINNT\System32\khooker.exe
    C:\WINNT\System32\SiSAudUt.exe
    C:\Program Files\ASUS\Probe\AsusProb.exe
    C:\WINNT\system32\pctspk.exe
    C:\Program Files\NETVIGATOR\NETVIGATOR BROADBAND\driver\cFosDNT.exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINNT\system32\P2P Networking\P2P Networking.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\CASIO\Photo Loader\Plauto.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\Office10\OSA.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ICQ\Icq.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\unzipped\HijackThis.exe

    O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: (no name) - {7BDB5524-DB6C-4F27-AC00-A8BFEB2948F4} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [SiS7012Utility] C:\WINNT\System32\SiSAudUt.exe -wdm
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [cFosDNT] C:\Program Files\NETVIGATOR\NETVIGATOR BROADBAND\driver\cFosDNT.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [NXF] C:\WINNT\NXF.exe
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\Icq.exe -trayboot
    O4 - Startup: NTUSER.DAT
    O4 - Startup: ntuser.dat.LOG
    O4 - Startup: ntuser.ini
    O4 - Global Startup: ntuser.pol
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh304181.dll/201
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{27774122-4196-417F-8A46-5C2F9B28842A}: NameServer = 203.198.23.208 205.252.144.121

    :p
     
  2. tpb - Joined: Feb 27, 2001 - Messages: 573

    Hi Jessie03,
    The only unusual entry is:
    O4 - HKLM\..\Run: [NXF] C:\WINNT\NXF.exe

    Could you email me a zipped copy of NXF.exe to analyze? You can email it Here
     
  3. kaspersky - Joined: Sep 10, 2003 - Messages: 76

    maybe a trojan~~~:D
     
  4. jessie03 (Thread Starter) - Joined: Sep 12, 2003 - Messages: 4

    Thanks tpb, the problem is that I couldn't even find NXF.exe! I didn't see it in the WINNT folder. I can't find it with the Search for folder function... Is there something wrong?

    And in fact, when I tried to open the WINNT folder for the first time, an error message popped up. It said something like explorer.exe had to be restarted, and some other things which I didn't really understand and which I can't type here because they were in Chinese.

    ??!!
     
  5. mobo - Joined: Feb 23, 2003 - Messages: 16,274

    You also have a tremendous amount of items in your startup folder that will most definitely slow down your system. You can go to Start/Run, type msconfig and click OK. Then click on the Startup tab to uncheck some of the unnecessary startup programs from running when not needed. Compare this list with your list to see what can safely be removed, which should be a lot.
     
  6. tpb - Joined: Feb 27, 2001 - Messages: 573

    Run HT again and place a check in the box next to the following entry and click 'Fix Checked'. Reboot.

    O4 - HKLM\..\Run: [NXF] C:\WINNT\NXF.exe

    After rebooting, go here and run an online virus scan. If anything is found, copy the report and paste it in a reply.

    http://www.ravantivirus.com/scan/


    Edit... I see you have both Norton AV and PC-cillin running. You should disable the 'Auto Protect' feature of one of them.
     
  7. kaspersky - Joined: Sep 10, 2003 - Messages: 76

    When the error message appears, you can catch a picture, I understand Chinese :D
     
  8. Flrman1 - Joined: Jul 26, 2002 - Messages: 46,331

    jessie03

    When you do the search for NXF.exe, make sure that under "More advanced options" you put a check in "Search system folders", "Search hidden files and folders" and "Search sub folders". The file most likely has the hidden attribute.

    I'm not sure that the wording of the above options is the same in 2k, but I'm sure it is similar.
     
  9. jessie03 (Thread Starter) - Joined: Sep 12, 2003 - Messages: 4

    Thanks everyone, it's really encouraging to see so many helpful people. It's really nice of you :)

    Motherboard> I tried to go to Start/Run and type msconfig, but it said there is no such file name. I'm using Windows 2000 now; is that the reason?

    Kaspersky> Thanks. The message doesn't appear again (luckily, I guess ^.^). As I remember, it said something like öŒë“úŽ›ß”팚—§, what does that mean??

    flrman1 and tpb> I've changed the settings to show every file, hidden or not, but still it doesn't show NXF.exe. I've asked my family to help me find it, to make sure that it's not my own eye problem :) Should I just fix it with HijackThis?

    Thanks
     
  10. mobo - Joined: Feb 23, 2003 - Messages: 16,274

    Sorry... You'll have to download msconfig for w2k here
     
  11. jessie03 (Thread Starter) - Joined: Sep 12, 2003 - Messages: 4

    tpb



    This is the report of that online scan before fixing that NXF thing


    Scan started at 14/9/2003 21:29:32

    Scanning memory...
    Scanning boot sectors...
    Scanning files...

    Scanned
    ============================
    Objects: 24685
    Directories: 1889
    Archives: 582
    Size(Kb): 750722
    Infected files: 0

    Found
    ============================
    Viruses found: 0
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 544



    So maybe there's no problem? Or it's not a virus problem?
     
  12. $teve - Joined: Oct 9, 2001 - Messages: 9,396

    The best thing to do would be to mail the file to tpb for analysis... it only takes a few seconds. Then if it's legit (which I doubt) you have the option of deleting or keeping it.

    These also need fixing.

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART

    After that, re-boot and delete the entire P2P Networking folder.
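As an added example (not from this thread and not part of HijackThis itself), here is a small Python triage pass over a constructed sample of O2/O3/O4 lines in the log format posted above. It encodes the two judgements the helpers made: tpb's point that an autostart executable dropped straight into C:\WINNT is unusual, and $teve's list of adware entries; the watchlist contents and the "(no file)" rule are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis 1.x log format, modelled on the log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {7BDB5524-DB6C-4F27-AC00-A8BFEB2948F4} - (no file)
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [NXF] C:\WINNT\NXF.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
"""

# Assumed analyst watchlist: the MyWay/myBar CLSIDs and the P2P Networking run entry named in the thread.
WATCH_CLSIDS = {"{0494D0D1-F8E0-41ad-92A3-14154ECE70AC}", "{0494D0D9-F8E0-41ad-92A3-14154ECE70AC}"}
WATCH_RUN_NAMES = {"P2P Networking"}
WINDOWS_ROOTS = {"c:\\winnt", "c:\\windows"}

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O(?P<kind>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
                    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)  # path up to the .exe, quotes stripped

def triage(log_text):
    """Return [(line, reason)] for log entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            if m["name"] in WATCH_RUN_NAMES:
                findings.append((line, "run entry on watchlist"))
                continue
            e = EXE_RE.match(m["cmd"])
            if e:
                # Legitimate autostarts live under System32 or Program Files; a bare
                # executable sitting directly in the Windows root (C:\WINNT\NXF.exe) stands out.
                if str(PureWindowsPath(e["exe"]).parent).lower() in WINDOWS_ROOTS:
                    findings.append((line, "executable sits directly in the Windows directory"))
            continue
        m = O23_RE.match(line)
        if m:
            if m["target"] == "(no file)":
                findings.append((line, "registered component with no file on disk"))
            elif m["clsid"] in WATCH_CLSIDS:
                findings.append((line, "CLSID on adware watchlist"))
    return findings
```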
     
Short URL to this thread: https://techguy.org/164443