
I can't seem to find this virus!!

Discussion in 'Virus & Other Malware Removal' started by Jasmyne, Oct 7, 2003.

Thread Status:
Not open for further replies.
  1. Jasmyne

    Jasmyne Thread Starter

    Joined:
    Oct 7, 2003
    Messages:
    1
    Hi Guys!

    I need your help! I know I have a virus on my computer yet my Norton (although updated) is not finding it. I keep having the MIRC window open and disappear at start up, my modem is logged on and answers the phone if I don't deactivate it and... the computer does weird things altogether.

    So by browsing this site I got to download HijackThis and here's my file... Hope someone can help me! I really don't want to format my hard drive like everybody is telling me to.

    Logfile of HijackThis v1.97.2
    Scan saved at 10:35:15 PM, on 10/7/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Maximizer\Campaign Manager\AutoProgService.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\Proxy.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WFXSVC.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\wfxsnt40.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\System32\MsgSys.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\WINNT\System32\internat.exe
    C:\WINNT\Web\printers\images\explorer.exe
    C:\PVSW\Bin\W3DBSMGR.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\wuauclt.exe
    C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\EnterNet.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Jasmyne Desbiens\My Documents\Download\Space Saver\spacesave.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\JASMYN~1\LOCALS~1\Temp\Rar$EX0k.110\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.dai.net/ssl/control.asp?id=165
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [NTFix] C:\WINNT\system32\systask.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\WINNT\WEB\PRINTERS\IMAGES\START.BAT
    O4 - HKLM\..\Run: [config32.exe] config32.exe
    O4 - HKLM\..\RunServices: [config32.exe] config32.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Maximizer Pervasive Engine Launcher.lnk = C:\Program Files\Maximizer\mastartapp.exe
    O4 - Global Startup: Reality Fusion GameCam SE.lnk = C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37656.3074768518
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

    Anxiously awaiting...
    Jasmyne
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Ensure "show hidden files" is checked in Folder Options > View. This is available through the Control Panel or any Explorer Tools menu.

    Have a notepad copy of these instructions on the desktop and HijackThis in a convenient permanent folder.

    >> You will need to restart in Safe Mode. To do this run msconfig and open the Boot.ini tab and put a check in /safeboot. This will have to be unchecked before restarting from Safe Mode.

    Shutdown completely and wait 20 seconds before restarting to Safe Mode.

    1 -- In Safe Mode, run Explorer and delete the following files:

    C:\WINNT\Web\printers\images\explorer.exe (This is not the "real" Explorer which runs from c:\winnt)

    C:\WINNT\system32\systask.exe

    C:\WINNT\WEB\PRINTERS\IMAGES\START.BAT

    config32.exe (probably in the system32 folder, but you may have to do a file search for it).

    2 -- Run HijackThis and check and "fix" the following entries:

    O4 - HKLM\..\Run: [NTFix] C:\WINNT\system32\systask.exe

    O4 - HKLM\..\Run: [NAV Agent] C:\WINNT\WEB\PRINTERS\IMAGES\START.BAT
    O4 - HKLM\..\Run: [config32.exe] config32.exe
    O4 - HKLM\..\RunServices: [config32.exe] config32.exe

    3 -- Reboot and post a fresh Scanlog. Let us know if problems seem to be resolved.
     
  3. Jasmyne

    Jasmyne Thread Starter

    Joined:
    Oct 7, 2003
    Messages:
    1
    Hello! And thank you so much for your help.

    So I did pretty much everything you asked.

    I rebooted in safe mode by clicking F8... hope that was ok... And did what you asked. Just couldn't find some of the files... But here's the new log...

    When I rebooted at least I didn't get the MIRC window anymore or the CDME (or something like that)... So I'm gathering it worked! WOUHOU!

    I still have my modem loading when I don't want it to though... I'll check my control panel for more...

    So here's that log! THANK YOU!!! :))))(y)

    Logfile of HijackThis v1.97.2
    Scan saved at 5:55:16 PM, on 10/8/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Maximizer\Campaign Manager\AutoProgService.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\pppoeservice.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\Proxy.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WFXSVC.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\MsgSys.EXE
    C:\WINNT\System32\wfxsnt40.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    C:\WINNT\System32\internat.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PVSW\Bin\W3DBSMGR.EXE
    C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\wuauclt.exe
    C:\PROGRA~1\SYMPAT~1\GESTIO~1\app\EnterNet.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\JASMYN~1\LOCALS~1\Temp\Rar$EX00.p10\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.dai.net/ssl/control.asp?id=165
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Maximizer Pervasive Engine Launcher.lnk = C:\Program Files\Maximizer\mastartapp.exe
    O4 - Global Startup: Reality Fusion GameCam SE.lnk = C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37656.3074768518
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    The modem problem is probably WinFax, auto answer being set rather than manual.
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Ok, well it looks like you were successful as far as that goes, since none of them came back.

    Derek probably has the answer to your modem problem. Never having used fax modems myself, I'm not familiar with their idiosyncrasies or configurations.
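
The two checks made by eye in the replies above, as an added example that is not part of the original thread: flag a running image that uses a core Windows file name from the wrong folder, and diff the O4 registry autostart lines of two HijackThis scans to confirm the fixed entries did not return. The sample lines are trimmed from the two logs posted here; `EXPECTED_DIR` and the function names are assumptions of this example.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any platform

# Sample input: a few lines trimmed from the two scans posted in this thread.
BEFORE = r"""
Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\Web\printers\images\explorer.exe
C:\WINNT\System32\internat.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NTFix] C:\WINNT\system32\systask.exe
O4 - HKLM\..\Run: [NAV Agent] C:\WINNT\WEB\PRINTERS\IMAGES\START.BAT
O4 - HKLM\..\Run: [config32.exe] config32.exe
O4 - HKLM\..\RunServices: [config32.exe] config32.exe
"""
AFTER = r"""
Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\System32\internat.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
"""

# Assumption of this example: normal locations on a Windows 2000 install in C:\WINNT.
EXPECTED_DIR = {"explorer.exe": r"c:\winnt",
                "winlogon.exe": r"c:\winnt\system32",
                "services.exe": r"c:\winnt\system32",
                "lsass.exe": r"c:\winnt\system32"}

O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def autoruns(log):
    """Set of (registry location, value name, command) from O4 registry lines."""
    return {(m["loc"], m["name"], m["cmd"])
            for line in log.splitlines() if (m := O4_RE.match(line.strip()))}

def misplaced_processes(log):
    """Running images named like a core system binary but not in its usual folder."""
    hits = []
    for line in log.splitlines():
        path = line.strip()
        if not re.match(r"^[A-Za-z]:\\", path):
            continue  # not a process path line
        expected = EXPECTED_DIR.get(basename(path).lower())
        if expected and dirname(path).lower() != expected:
            hits.append(path)
    return hits

def removed_autoruns(before, after):
    """Autostart entries present in the first scan and gone from the second."""
    return sorted(autoruns(before) - autoruns(after))
```

A clean diff only shows that the autostart values are gone from the scanned keys; the files themselves still have to be confirmed deleted, as in step 1 of the instructions.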
     

Short URL to this thread: https://techguy.org/170331
