[Resolved] That "Microsoft" virus.. damn.. Hijack Log help requested

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

alison (Thread Starter; joined Jul 17, 2003; 67 messages)
I've been out of the loop with the recent viruses and I usually don't open attachments, but... damn... anyway, someone please help! This is my HijackThis log after I ran Spybot. Norton didn't even pick up on it. What should I do?

Logfile of HijackThis v1.97.2
Scan saved at 6:24:20 PM, on 9/19/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\PROGRAM FILES\ICQ\ICQ.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\UPSMQOPT.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPC32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\MY DOCUMENTS\PROGRAMS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sympatico.ca/iesearchpane.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.muchmusic.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [ocwcdjlw] upsmqopt.exe autorun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .psd: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://camera.muchmusic.com/activex/AxisCamControl.ocx
O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://64.85.10.9:8041/Java/cs4ms090.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2/win/PulsePlayer5.2AxWin.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {4DB565BD-A306-415B-ADCB-336EAAE8D262} (ChainCast VMR Client Proxy) - http://64.124.45.181/download/ccpm_0223.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37704.4350810185
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members19.clubphoto.com/_img/uploader/atl_uploader.cab

Thanks in advance,
alison
 
Reply (joined Dec 9, 2000; 45,855 messages)
It looks like you've got it here:

C:\WINDOWS\UPSMQOPT.EXE

If the Task Manager works, do a ctrl-alt-del and terminate that process.

Then, running HijackThis, put a check in these two entries and click Fix checked:

O4 - HKLM\..\Run: [ocwcdjlw] upsmqopt.exe autorun

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

>> delete the file upsmqopt.exe

Finally, follow the instructions in this help post to repair the registry completely.

http://forums.techguy.org/t165882/s.html

>> Follow instructions to download the repair.txt attachment, rename it repair.reg and double click it to run.

When finished post a Startuplist (not the Scanlog). To do that, click Config > Misc Tools, check 'list minor sections' and click Generate Startuplist.
 

alison (Thread Starter; joined Jul 17, 2003; 67 messages)
It's not in my Task Manager, and when I try to delete the file, it says it's in use. Should I be in Windows Safe Mode? And also, I can't do those things with Run.
 
Reply (joined Dec 9, 2000; 45,855 messages)
Yes, use Safe Mode.

Did you check and fix the entries in HijackThis?

Did you download the repair.txt file and rename it repair.reg?

What happens when you double click it?
 

alison (Thread Starter; joined Jul 17, 2003; 67 messages)
Yup, I did all that... I get the error message "Memory access violation in module kernel..."
 
Reply (joined Dec 9, 2000; 45,855 messages)
Well, that's an odd error message, but we haven't had enough experience with this yet to know what to expect if the worm files are still active in memory.

So reboot to Safe Mode and perform the steps I indicated there.

You should be able to delete the worm file in Safe Mode.
 

alison (Thread Starter; joined Jul 17, 2003; 67 messages)
Would using the MS-DOS prompt help get around this? I'm not too good with that, though.
 
Reply (joined Dec 9, 2000; 45,855 messages)
Well, I don't understand how you got the message in Safe Mode, although it does sometimes happen that a process can remain in memory if you do not shut down cold for about 10 to 20 seconds before restarting.

I'd try that. Do run HijackThis in Safe Mode first thing and check and fix those entries, which should allow you to use regedit and run the registry repair file.

If you still get the error message or want to try this first, instead of rebooting to Safe Mode, reboot to a Command Prompt.

At the C:\> prompt enter:

del C:\WINDOWS\UPSMQOPT.EXE

Be sure to get the spelling right.

When you reboot (ctrl-alt-del) you will probably get various error messages, but using HijackThis should eliminate them.

You will still need to run the registry repair file.
 

alison (Thread Starter; joined Jul 17, 2003; 67 messages)
I shut down my computer, and then I was able to delete upsmqopt.exe.

But then when I tried to run the repair file, it said that Windows cannot find upsmqopt.exe and that the program is needed for opening files of type 'Application'.
 

alison (Thread Starter; joined Jul 17, 2003; 67 messages)
Oh, also, I did delete those things with HijackThis.

Can I run the repair file through MS-DOS?
 

alison (Thread Starter; joined Jul 17, 2003; 67 messages)
BTW, I'm on another computer, so I'm running back and forth from the infected computer. I can't access the Internet from there due to the virus.
 
Reply (joined Dec 9, 2000; 45,855 messages)
I'm surprised you cannot access the Internet. Did that just happen after deleting the file in DOS, or has it been like that? Usually Internet Explorer will work even when other exe files will not open.

If repair.reg has been copied to the root folder (C:\), try rebooting to a C:\> prompt and entering:

regedit /i repair.reg

I'm not sure this will work, but it's worth a shot.

If that doesn't work, there is a regfile.inf registry repair file at the bottom of this link. Download that, right-click on it and select "Install".

Do the same with the exefix08.inf file.

You will have to copy them to a floppy disk if you have no Internet access, of course.

http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html
 

alison (Thread Starter; joined Jul 17, 2003; 67 messages)
regedit /i repair.reg didn't work for me.

I haven't actually checked if Internet Explorer worked, but I have to use something called "Access Manager" to log on to the Internet and that doesn't work, so I'm stuck with dial-up for now.

I'm going to try those downloads.

Thanks for all your help so far. I'll post my results soon.
 
Reply (joined Dec 9, 2000; 45,855 messages)
OK, after installing the .inf files, try once again to merge the repair.reg file. This time try right-clicking on it and selecting "Merge".

By the way, one thing I have completely forgotten about here is the possibility of using scanreg /restore.

You may be able to restore a registry which predates this problem by booting to a command prompt and entering:

scanreg /restore

Use your arrow keys to select a started registry dated prior to the problem, but do not select the 5th or oldest one.

Make sure the dates are not very old dates.
 