
[Resolved] That "Microsoft" virus.. damn.. Hijack Log help requested

Discussion in 'Virus & Other Malware Removal' started by alison, Sep 19, 2003.

Thread Status:
Not open for further replies.
  1. alison

    alison Thread Starter

    Joined:
    Jul 17, 2003
    Messages:
    67
    I've been out of the loop with the recent viruses and I usually don't open attachments but... damn.. anyway, someone please help! This is my HijackThis log after I ran Spybot. Norton didn't even pick up on it. What should I do?

    Logfile of HijackThis v1.97.2
    Scan saved at 6:24:20 PM, on 9/19/03
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
    C:\PROGRAM FILES\ICQ\ICQ.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\UPSMQOPT.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPC32.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
    C:\MY DOCUMENTS\PROGRAMS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sympatico.ca/iesearchpane.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.muchmusic.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [ocwcdjlw] upsmqopt.exe autorun
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .psd: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://camera.muchmusic.com/activex/AxisCamControl.ocx
    O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://64.85.10.9:8041/Java/cs4ms090.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.26/Hiwire.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
    O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2/win/PulsePlayer5.2AxWin.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {4DB565BD-A306-415B-ADCB-336EAAE8D262} (ChainCast VMR Client Proxy) - http://64.124.45.181/download/ccpm_0223.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37704.4350810185
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members19.clubphoto.com/_img/uploader/atl_uploader.cab

    Thanks in advance,
    alison
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    It looks like you've got it here:

    C:\WINDOWS\UPSMQOPT.EXE

    If the Task Manager works, do a ctrl-alt-del and terminate that process.

    Then, running HijackThis, put a check in these two entries and click Fix checked:

    O4 - HKLM\..\Run: [ocwcdjlw] upsmqopt.exe autorun

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    >> delete the file upsmqopt.exe

    Finally, follow the instructions in this help post to repair the registry completely.

    http://forums.techguy.org/t165882/s.html

    >> Follow instructions to download the repair.txt attachment, rename it repair.reg and double click it to run.

    When finished post a Startuplist (not the Scanlog). To do that, click Config > Misc Tools, check 'list minor sections' and click Generate Startuplist.
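    The triage done by eye above (spot the odd process in the list, find the Run entry that launches it, note the policy line that locks regedit) can be scripted. This is an added example, not code from the thread or from HijackThis itself; the log excerpt is constructed from the entries quoted above, and the random-name test is a heuristic meant to prioritise review, not a verdict.

```python
import re
# Constructed excerpt in the HijackThis v1.97 log format shown in this thread
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\UPSMQOPT.EXE

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [ocwcdjlw] upsmqopt.exe autorun
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_log(text):
    """Split a log into running-process paths, O4 autorun entries and O7 policy lines."""
    procs, o4, o7 = [], [], []
    section = None
    for ln in (raw.strip() for raw in text.splitlines()):
        if ln == "Running processes:":
            section = "procs"
        elif section == "procs" and ln:
            procs.append(ln)
        elif m := O4_RE.match(ln):
            o4.append(m.groupdict())
        elif ln.startswith("O7 - "):
            o7.append(ln)
        else:
            section = None  # blank line or an entry type we do not triage
    return procs, o4, o7

def exe_name(cmd):
    """Lower-cased basename of the program an O4 command launches (quoted or bare)."""
    tok = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else (cmd.split() or [""])[0]
    return tok.rsplit("\\", 1)[-1].lower()

def looks_random(name):
    """Heuristic only: 8+ lowercase letters with fewer than one vowel per four letters."""
    return bool(re.fullmatch(r"[a-z]{8,}", name)) and 4 * sum(c in "aeiou" for c in name) < len(name)

def triage(text):
    """Return (entry, reason, matching running-process path or None) for entries to review."""
    procs, o4, o7 = parse_log(text)
    by_base = {p.rsplit("\\", 1)[-1].lower(): p for p in procs}  # e.g. upsmqopt.exe -> full path
    findings = [(e["name"], "random-looking Run value name", by_base.get(exe_name(e["cmd"])))
                for e in o4 if looks_random(e["name"])]
    findings += [(ln.split(", ", 1)[-1], "system policy restriction (O7)", None) for ln in o7]
    return findings
```

    On the constructed excerpt, `triage(SAMPLE_LOG)` pairs the `ocwcdjlw` Run value with the running `C:\WINDOWS\UPSMQOPT.EXE` and lists the `DisableRegedit=1` policy, which are the two items fixed in this thread.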
     
  3. alison

    alison Thread Starter

    Joined:
    Jul 17, 2003
    Messages:
    67
    It's not in my Task Manager, and when I try to delete the file, it says it's in use. Should I be in Windows Safe Mode? And also I can't do those things with Run.
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Yes, use Safe Mode.

    Did you check and fix the entries in HijackThis?

    Did you download the repair.txt file and rename it repair.reg?

    What happens when you double click it?
     
  5. alison

    alison Thread Starter

    Joined:
    Jul 17, 2003
    Messages:
    67
    Yup, I did all that.. I get the error message.. "Memory access violation in module kernel..."
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Well, that's an odd error message, but we haven't had much experience with this yet to know what to expect if the worm files are still active in memory.

    So reboot to Safe Mode and perform the steps I indicated there.

    You should be able to delete the worm file in Safe Mode.
     
  7. alison

    alison Thread Starter

    Joined:
    Jul 17, 2003
    Messages:
    67
  8. alison

    alison Thread Starter

    Joined:
    Jul 17, 2003
    Messages:
    67
    Would using the MS-DOS prompt help get around this? I'm not too good with that though.
     
  9. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Well, I don't understand how you got the message in Safe Mode, although it does sometimes happen that a process can remain in memory if you do not shut down cold for about 10 to 20 seconds before restarting.

    I'd try that. Do run HijackThis in Safe Mode first thing and check and fix those entries, which should allow you to use regedit and run the registry repair file.

    If you still get the error message or want to try this first, instead of rebooting to Safe Mode, reboot to a Command Prompt.

    At the c:> prompt enter:

    del C:\WINDOWS\UPSMQOPT.EXE

    Be sure to get the spelling right.

    When you reboot (ctrl-alt-del) you will probably get various error messages, but using HijackThis should eliminate them.

    You will still need to run the registry repair file.
     
  10. alison

    alison Thread Starter

    Joined:
    Jul 17, 2003
    Messages:
    67
    I shut down my computer and then I was able to delete upsmqopt.exe.

    But then when I tried to run the repair file, it said that Windows cannot find upsmqopt.exe and that the program is needed for opening files of type 'Application'.
     
  11. alison

    alison Thread Starter

    Joined:
    Jul 17, 2003
    Messages:
    67
    Oh, also, I did delete those things with HijackThis.

    Can I run the repair file through MS-DOS?
     
  12. alison

    alison Thread Starter

    Joined:
    Jul 17, 2003
    Messages:
    67
    BTW, I'm on another computer, so I'm running back and forth from the infected computer. I can't access the Internet from there due to the virus.
     
  13. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I'm surprised you cannot access the Internet. Did that just happen after deleting the file in DOS, or has it been like that? Usually Internet Explorer will work even when other exe files will not open.

    If repair.reg has been copied to the root folder (c:), try rebooting to a c:> prompt and enter:

    regedit /i repair.reg

    I'm not sure this will work, but it's worth a shot.

    If that doesn't work, there is a regfile.inf registry repair file at the bottom of this link; download that, right click on it and select "install".

    Do the same with the exefix08.inf file.

    You will have to copy them to a floppy disk if you have no Internet access, of course.

    http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html
     
  14. alison

    alison Thread Starter

    Joined:
    Jul 17, 2003
    Messages:
    67
    regedit /i repair.reg didn't work for me.

    I haven't actually checked if Internet Explorer worked, but I have to use something called "Access Manager" to log on to the Internet, but that doesn't work.. so I'm stuck with dial-up for now.

    I'm gonna try those downloads.

    Thanks for all your help so far.. I'll post my results soon.
     
  15. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    OK, after installing the .inf files, try once again to merge the repair.reg file. This time try right-clicking on it and select "merge".

    By the way, one thing I have completely forgotten about here is the possibility of using scanreg /restore.

    You may be able to restore a registry which predates this problem by booting to a command prompt and entering:

    scanreg /restore

    Use your arrow keys to select a started registry dated prior to the problem. But do not select the 5th or oldest.

    Make sure the dates are not very old dates.
     
Short URL to this thread: https://techguy.org/166010