1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Resolved] I Need Help Fast

Discussion in 'Virus & Other Malware Removal' started by wrenie, Sep 22, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. wrenie

    wrenie Thread Starter

    Joined:
    Jan 20, 2003
    Messages:
    370
    I have a BIG problem and need your help fast. Somehow, not sure how, but my system has a bug. It is attacking my OE. I now have close to 500 messages there that all say Mail delivery error. It is sending mail to people I have never heard of and then sending me a message saying the mail failed. WHAT DO I DO. I have a virus scanner and it caught 2 virus' this morning, but now I am getting a message that there is a kernel error in it to. I tried to reload the vs, but it won't let me. Is there any way you can help me. wrenie
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Go here for a scan..
     
  3. wrenie

    wrenie Thread Starter

    Joined:
    Jan 20, 2003
    Messages:
    370
    Thank You Charlie, I did the scan, but couldn't tell if it found anything or not. Is that good or bad? I did see as I was deleting over 700 email, that one said I had Exploit=MIME and one said W32/[email protected] do you know anything about these two? Is there anything else I should dO? Someone told me I would need to reintall my XP, is that right?

    Again, Thank You for your help. Wrenie
     
  4. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    What antivirus do you have and have you updated it ? Also hold off on the xp reload, and post a Hijack log for someone to read..
     
  5. wrenie

    wrenie Thread Starter

    Joined:
    Jan 20, 2003
    Messages:
    370
    My Virus Scan was Grigsoft (I think that is the way you spell it) AVG. I did a scan every night at 11:00 pm. I just can't understand how this stuff got past and onto my system.

    I'm sorry I don't understand about the highjacking thingy. I have gone to that site and downloaded it. Now what do I need to do? Wrenie.
     
  6. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Unzip it , then scan , save log , copy and paste it here.
     
  7. wrenie

    wrenie Thread Starter

    Joined:
    Jan 20, 2003
    Messages:
    370
    Logfile of HijackThis v1.97.2
    Scan saved at 12:21:22 AM, on 9/23/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\drrtgadx.exe
    C:\WINDOWS\drrtgadx.exe
    C:\PROGRA~1\HEWLET~2\HPSHAR~1\hpgs2wnd.exe
    C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\WkUFind.exe
    C:\WINDOWS\drrtgadx.exe
    C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\DirectCD.exe
    C:\PROGRA~1\MESSEN~1\msmsgs.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\PROGRA~1\INCRED~1\BIN\IMAPP.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\INCRED~1\bin\IncMail.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\SHARON~1\LOCALS~1\TEMPOR~1\Content.IE5\8TQZ4TYB\HIJACK~1\HIJACK~1.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    F2 - REG:system.ini: Shell=EXPLORER.EXE
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [wouwcld] drrtgadx.exe autorun
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG Scrapbooks\AGremind.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: TREND MICRO HouseCall (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37804.5983796296
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

    Here you go!!!!
     
  8. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Ok now hang on for a few minutes.
     
  9. wrenie

    wrenie Thread Starter

    Joined:
    Jan 20, 2003
    Messages:
    370
  10. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Resacn with hijack and put A CHECK NEXT TO THESES AND FIX


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    F2 - REG:system.ini: Shell=EXPLORER.EXE
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART


    Do you recognize this ? C:\WINDOWS\drrtgadx.exe
    as a program you downloaded ?
     
  11. wrenie

    wrenie Thread Starter

    Joined:
    Jan 20, 2003
    Messages:
    370
    No, What is it?
     
  12. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Hang tight I'm going to have someone look at it..
     
  13. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    I cannot get anything on it at all.Check in start / run / msconfig / startup tab and if there uncheck it and do not reboot when prompted. next right click on the taskbar and in taskmanager under processes if you see it there end task it.
     
  14. wrenie

    wrenie Thread Starter

    Joined:
    Jan 20, 2003
    Messages:
    370
    iWhen I did this I am getting an error message that says
    Memory Access Violation in Module kernel32 at 7298:93876649
     
  15. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Please do this first.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/166740

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice