1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

please help serious trouble here

Discussion in 'Virus & Other Malware Removal' started by shagger, Apr 5, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. shagger

    shagger Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    6
    i have scanned my computer with trends online scanner since my norton av keeps shutting down to find that i have

    optixpro.13 & bionet.403 on my computer

    i am also posting my ht log can anyone help me with this ?.

    Scan saved at 17:02:59, on 05/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\windows\system32\taskmark\tsk\RegChecker.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\zHotkey.exe
    C:\PROGRA~1\PHILIP~1\VProperty.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\PopUp Killer\popupkiller.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\dumprep32.exe
    C:\Program Files\Naviscope\naviscope.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    c:\windows\system32\msiexec16.exe
    C:\Documents and Settings\Elizabeth Summers\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [BlubsterSupport] javaw -cp "C:\Program Files\BlubsterSupport\System\Code" Main lp: "C:\Program Files\BlubsterSupport"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
    O4 - HKLM\..\Run: [GLSetIT32] c:\windows\system32\msiexec16.exe
    O4 - HKLM\..\Run: [System.exe] dumprep32.exe
    O4 - HKLM\..\RunServices: [GLSetIT32] c:\windows\system32\msiexec16.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [GreatDownloads] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:GreatDownloads:t
    O4 - HKCU\..\Run: [NiceMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:NiceMP3:t
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [System.exe] dumprep32.exe
    O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: GreatDownloads (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
    O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} (loader2 Class) - http://217.73.66.16/comload.dll
    O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Cntrl-Alt-Delete and end task on this:msiexec16.exe
    As many times as it takes....

    Run hijackthis again and put a checkmark against these entries....double check
    in case you miss anything....
    .....then,close all browser and outlook windows and "fix checked"

    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\bi.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [BlubsterSupport] javaw -cp "C:\Program Files\BlubsterSupport\System\Code" Main lp: "C:\Program Files\BlubsterSupport"
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [GLSetIT32] c:\windows\system32\msiexec16.exe
    O4 - HKLM\..\Run: [System.exe] dumprep32.exe
    O4 - HKLM\..\RunServices: [GLSetIT32] c:\windows\system32\msiexec16.exe
    O4 - HKCU\..\Run: [GreatDownloads] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:GreatDownloads:t
    O4 - HKCU\..\Run: [NiceMP3] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:NiceMP3:t
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
    O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} (loader2 Class) - http://217.73.66.16/comload.dll
    O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab

    Reboot into safe mode by following instructions here: http://helpdesk.its.bethel.edu/resnet/Documents/Antivirus/Safemode.html
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Locate and delete:
    c:\windows\system32\msiexec16.exe
    C:\WINDOWS\Belt.exe
    C:\WINDOWS\System32\MSA64CHK.dll [if its still around]
    C:\Program Files\BlubsterSupport [and any other Blubster folders]
    c:\windows\system32\msiexec16.exe


    Post another log after.
    ;)
     
  3. shagger

    shagger Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    6
    thanks for your help :)
    here is my new log

    Logfile of HijackThis v1.97.7
    Scan saved at 19:04:02, on 05/04/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    c:\windows\system32\taskmark\tsk\RegChecker.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\zHotkey.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\PROGRA~1\PHILIP~1\VProperty.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\PopUp Killer\popupkiller.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Naviscope\naviscope.exe
    C:\Documents and Settings\Elizabeth Summers\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\popupkiller.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [ToUcamVProperty] C:\PROGRA~1\PHILIP~1\VProperty.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: GreatDownloads (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Money Viewer (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
     
  4. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
  5. shagger

    shagger Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    6
    are there any tools to get rid of these virus infections i have ?.

    bionet.403 and optixpro.13

    thanks for all the help so far
     
  6. shagger

    shagger Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    6
    Is there nobody who can help me with these viruses.

    I now cannot access any shortcuts on my desktop, or anything from my start menu.

    nor can i access most of the control panel applications.....
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Where are you getting the virus information from? I don't see anything in your logs...
     
  8. pengwen

    pengwen

    Joined:
    Apr 6, 2004
    Messages:
    17
    I just cleaned up a machine that had those exact same issues. Turned out to be SirCam virus - but disguised itself as something else (now I can't remember what) and disabled the AV protection. This person couldn't use his short cuts, sometimes even his .exe files wouldn't do a thing. Plus we couldn't get into his control panel to add/remove programs...etc. Finally had to enter the computer via DOS to look at entries.
     
  9. shagger

    shagger Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    6
    these viruses were picked up by trends online scanner

    but i also managed to get avg installed but it has stopped that from working now too
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    shagger,
    Can you post another log. If you have these virus files are they in quarentine or system recover?
     
  11. shagger

    shagger Thread Starter

    Joined:
    Apr 5, 2004
    Messages:
    6
    i am actually using a freinds computer at the moment as mine wont allow me to use any kind of exe file or just about any file now.

    this has really got me stumped.......

    the last logfile i posted is certainly what any new one would look like....

    sorry i cant be more helpfull at the moment but i really cant do much with my computer at the moment
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I saw a post about not being able to use exe files in XP, I'll see if I can find it...
     
  13. Neo4u

    Neo4u

    Joined:
    Feb 11, 2003
    Messages:
    71
    I think I have managed to resolve this one for shagger.
    the infections were quite bad and there were nine in total, In regards to the exe files i did a search here and found the post that cybertech was reffering to and found the solution to the fix the exe file problem so thanks for that one.

    I Have asked that once they get the pc home they run another hijack this and post the logfile just so the pro's here can make sure ive got everything else gone ok.

    But i think you can consider this one resolved guys (y) (hope i dont regret saying that :rolleyes: )
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Neo4u, how are you involved here?
     
  15. Neo4u

    Neo4u

    Joined:
    Feb 11, 2003
    Messages:
    71
    Erm dont know if im just taking the question the wrong way but im involved just like everyone else is because i was asked for help.

    Shagger is my sister in law and it was my comp she was using to post her messages. i just had the time to look at the pc so i did and hopefully things are now resolved. ;)
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/217305

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice