[SOLVED] Help needed for a newbie!!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

xflamingMOEx

Thread Starter
Joined
Sep 28, 2003
Messages
7
Hey, everyone. For the past few days, I've had either a virus/worm/trojan on my computer that, despite my best attempts, will not go away. I've run Norton Anti-Virus Corporate Edition, Ad-Aware 6.0, The Cleaner, Spybot: Search and Destroy, and Anti-Trojan, but every time I restart my computer, new programs load themselves on. Some of the ones that have loaded have been Lycos SideSearch, Xupiter, Power Scan, eZula, and countless others. Below is my HijackThis report, and any and all help offered would be greatly appreciated. Thank you!!


Logfile of HijackThis v1.97.2
Scan saved at 1:14:10 AM, on 9/28/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\defwatch.exe
C:\Program Files\Norton AntiVirus\rtvscan.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\PROGRA~1\NORTON~1\vptray.exe
C:\Program Files\Media\Media\UpdateStats.exe
C:\Program Files\Window Maximizer\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\USR WLAN\USR USB Adapter\USRSTA.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Documents and Settings\default\Desktop\Internet Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\KaZaA Lite\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com/"); (C:\Program Files\Netscape\Users\fenderboy05\prefs.js)
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: (no name) - {5312F28E-4370-495D-BE09-4D73CD9761D0} - C:\WINDOWS\System32\ymspubw40.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USRSTA.EXE] USRSTA.EXE START
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\Window Maximizer\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: U.S.Robotics WLAN Utility.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASH\FLASHS~1.15\save.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
 
Joined
Dec 28, 2002
Messages
1,983
Do this in order:

1) Open Internet Explorer -> Tools -> Internet Options -> delete cookies, delete files (select off-line content), clear history. Then click ok and exit Internet Explorer.


2) Read http://tomcoyote.org/SPYBOT/index1.html then download and run SpyBot. Make sure to get the updates for SpyBot before you have it scan your computer. After you scan and remove anything SpyBot finds, make sure to click the Immunize button and OK and then click the Immunize button in the right pane.


3) Run one of the following free Anti-Virus programs here:

http://housecall.trendmicro.com - I found this to work the best.

http://www.pandasoftware.com/activescan

http://www.ravantivirus.com/scan


4) Re-post HiJackThis log...
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
run hijackthis, tick all below, double-check to make sure you haven't missed any, close all browser windows & press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: (no name) - {5312F28E-4370-495D-BE09-4D73CD9761D0} - C:\WINDOWS\System32\ymspubw40.dll

then reboot & delete C:\WINDOWS\System32\ymspubw40.dll if it is still there

then open IE/tools/options/programs and press reset web settings; that will give you M$ default settings and you can then set your home/search pages of choice
 

xflamingMOEx

Thread Starter
Joined
Sep 28, 2003
Messages
7
Thanks, guys. I've done all the above steps, and I believe the virus/trojan/worm is gone, but the problem is that now, none of my windows or programs appear on the Windows toolbar. I can open windows just fine, but they don't show up for toggling or anything. Once they're minimized, my ALT+CTRL+DEL shows that it's still running the programs, yet I have no way to access them. Any idea how to fix this?
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Also have this one fixed:

O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe

After rebooting delete:

The C:\Program Files\Media\Media subfolder
The C:\Program Files\IncrediFind folder.

About that taskbar, it's probably just hidden.
Right-click the Taskbar, and untick "Lock The Toolbars" from the context menu.
Grab each of the toolbar dividers in turn, carefully drag them back and forth, and see whether anything's hidden behind them.
 

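The two fix lists above (dvk01's six entries and TonyKlein's UpdateStats Run key) follow a handful of rules that can be applied to any HijackThis 1.97 log. The script below is an added example written for this thread, not code from the thread or from HijackThis: it parses the R/N/O entry lines, flags the same categories the helpers ticked (blanked IE search/start values, a URLSearchHook or BHO whose DLL is missing, a BHO with no name, and a Run key on a small known-adware list seeded with the one name from this thread), and lists the CLSIDs you should confirm are gone after a re-scan. The sample log is a constructed excerpt of the first post's log plus two benign lines that must not be flagged.

```python
"""
HijackThis log triage: parse the R/N/O entry lines and flag the kinds of
entries the helpers in this thread tick for "Fix checked".

Added example, not code from the thread or from HijackThis itself. The
sample below is a constructed excerpt of the first log; the rules encode
the entries dvk01 and TonyKlein asked to be fixed, generalised a little.
"""
import re

# Constructed sample: lines copied from the first log plus two benign ones
# (the Radio toolbar and the Norton tray icon) that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: (no name) - {5312F28E-4370-495D-BE09-4D73CD9761D0} - C:\WINDOWS\System32\ymspubw40.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
"""

# "R1 - <body>", "O2 - <body>" ...; N1 (Netscape) lines match too.
ENTRY_RE = re.compile(r"^(?P<sec>[RNO]\d+) - (?P<body>.*)$")
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Run-key names this thread identified as adware; extend from your own notes.
KNOWN_ADWARE_RUN_NAMES = {"UpdateStats"}


def parse_log(text):
    """Return [(section, body)] for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def classify(sec, body):
    """Return a reason to tick the entry, or None if it looks benign."""
    if sec in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if value == "" or value.lower() == "about:blank" \
                or value.lower().endswith("blank.htm"):
            return "IE search/start page reset to blank by hijacker"
    if sec in ("R3", "O2"):
        if "(file missing)" in body:
            return "URLSearchHook/BHO whose DLL no longer exists"
        if sec == "O2" and "(no name)" in body:
            return "BHO registered without a name"
    if sec == "O4":
        m = RUN_NAME_RE.search(body)
        if m and m.group("name") in KNOWN_ADWARE_RUN_NAMES:
            return "Run key for known adware component"
    return None


def triage(text):
    """[(section, body, reason)] for entries worth ticking, in log order."""
    flagged = []
    for sec, body in parse_log(text):
        reason = classify(sec, body)
        if reason:
            flagged.append((sec, body, reason))
    return flagged


def clsids_to_check(flagged):
    """CLSIDs of flagged hooks/BHOs: the HKCR CLSID keys that should be
    gone after "Fix checked" (re-scan to confirm)."""
    ids = set()
    for sec, body, _ in flagged:
        if sec in ("R3", "O2"):
            ids.update(CLSID_RE.findall(body))
    return sorted(ids)


if __name__ == "__main__":
    for sec, body, reason in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n      {body}")
    print("CLSIDs to confirm removed:", clsids_to_check(triage(SAMPLE_LOG)))
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. The "(file missing)" rule is the cheapest win: a hook or BHO whose DLL is gone does nothing but is still a registry foothold, and a later installer can drop a new DLL into that path without touching the registry again.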
xflamingMOEx

Thread Starter
Joined
Sep 28, 2003
Messages
7
The taskbar will work for a few minutes after I restart, but then I receive one of those "Windows Explorer has encountered an error" messages, making it go back to where I can't right-click it or minimize windows. Any ideas on what to do?
 

xflamingMOEx

Thread Starter
Joined
Sep 28, 2003
Messages
7
It's pretty much the standard XP error message, saying roughly "Windows Explorer has encountered an error and must be closed". When I click for details, it gives a long list of text and code, but I am unable to copy and paste it. It says it saved this information to:

C:\DOCUME~1\default\LOCALS~1\Temp\WER17.tmp.dir00\appcompat.txt

However, when I was searching for the WER17.tmp.dir00 folder, it didn't exist. Even after it closes Windows Explorer once, it continues to pop up with the message once I try loading Internet Explorer again. Here is my current HijackThis log:

Logfile of HijackThis v1.97.2
Scan saved at 12:43:24 PM, on 9/28/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\defwatch.exe
C:\Program Files\Norton AntiVirus\rtvscan.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\PROGRA~1\NORTON~1\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Window Maximizer\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\USR WLAN\USR USB Adapter\USRSTA.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\default\Desktop\Internet Explorer.EXE
C:\Program Files\KaZaA Lite\HijackThis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com/"); (C:\Program Files\Netscape\Users\fenderboy05\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [USRSTA.EXE] USRSTA.EXE START
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\Window Maximizer\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: U.S.Robotics WLAN Utility.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASH\FLASHS~1.15\save.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
 

xflamingMOEx

Thread Starter
Joined
Sep 28, 2003
Messages
7
Anyone know how to fix it? The message that comes up says

"Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

If you were in the middle of something, the information you were working on might be lost.

Please tell Microsoft about this problem.

[stuff about sending an error report]

Error Signature:
AppName: explorer.exe AppVer: 6.0.2600.0 ModName: msg{3957ab02-1bdf-4744-bde5-39a65e9551e9}0111.dll
ModVer: 1.1.1.0 Offset: 00017a13"

Any help?
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Well, msg{3957ab02-1bdf-4744-bde5-39a65e9551e9}0111.dll is obviously your culprit, and I've seen that one before:

It creates semi-random files: msg(Class ID)(random numbers).dll, and Mosaic1 and I actually installed the malware in question a while ago to test it.
Unfortunately <hits head rather violently against the wall...> I can't for the life of me remember which one it was.
I have to start writing these things down...

On a positive note, you have a file of that rather improbable name somewhere on your drive, probably in the Windows folder.

Do a Find Files for msg{3957ab02-1bdf-4744-bde5-39a65e9551e9}0111.dll, and delete it. If it's in use by Windows, you may have to do so in Safe Mode.
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Whoops, found it! :)

It's the Look2Me foistware

I even concocted a fix:

Download the attached Remove.txt, save the file anywhere you like as (rename to) Remove.reg (save as 'all file types').

Double-click Remove.reg, and answer 'yes' when prompted to add its contents to the Registry.

Reboot when you're done.

Then delete the msg*******.dll file in C:\Windows (mine was called msg{F7C749BB-DEA8-41E9-8975-7BD2EA7A97D5}0110.dll, but they're all different.)


NOTE: Do NOT touch any of the following. They're Windows files: msg.exe, msg711.acm, msgsm32.acm, msgsvc.dll.
Good luck,
 


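TonyKlein's identification went from the Error Signature the thread starter posted (the ModName field names the faulting module) to the msg{CLSID}NNNN.dll naming scheme, then to a file search that must skip the legitimate msg.exe, msg711.acm, msgsm32.acm and msgsvc.dll. The script below is an added example, not code from the thread and not the attached Remove.reg (whose contents are not shown here): it parses that signature line, tests the module name against the Look2Me pattern, and scans a folder for matching files while never matching the allow-listed Windows files. The pattern is generalised from the two names on the page (digits after the CLSID are assumed to vary in value, not in shape), and the demo folder with its empty files is constructed so the script runs offline.

```python
"""
From the Windows Error Reporting signature to the Look2Me DLL: parse the
signature the thread starter posted, check whether the faulting module
fits the msg{CLSID}<digits>.dll naming TonyKlein describes, and list such
files in a folder without ever matching the legitimate msg*.* Windows
files he lists.

Added example, not from the thread. The name pattern is generalised from
the two file names on the page (an assumption); the demo folder and its
empty files are constructed here so the script runs offline.
"""
import os
import re
import tempfile

# Constructed copy of the Error Signature line from the thread.
SIGNATURE = ("AppName: explorer.exe AppVer: 6.0.2600.0 "
             "ModName: msg{3957ab02-1bdf-4744-bde5-39a65e9551e9}0111.dll "
             "ModVer: 1.1.1.0 Offset: 00017a13")

SIG_FIELD_RE = re.compile(r"(AppName|AppVer|ModName|ModVer|Offset):\s*(\S+)")

# msg{<CLSID>}<digits>.dll -- assumption: digits vary, braces/CLSID shape do not.
LOOK2ME_RE = re.compile(
    r"^msg\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\d+\.dll$",
    re.IGNORECASE)

# Legitimate Windows files TonyKlein warns not to touch.
WINDOWS_MSG_FILES = {"msg.exe", "msg711.acm", "msgsm32.acm", "msgsvc.dll"}


def parse_signature(sig):
    """Turn 'AppName: x AppVer: y ModName: z ...' into a dict."""
    return dict(SIG_FIELD_RE.findall(sig))


def is_look2me_name(name):
    """True only for the msg{CLSID}NNNN.dll shape, never for allow-listed files."""
    if name.lower() in WINDOWS_MSG_FILES:
        return False
    return LOOK2ME_RE.match(name) is not None


def find_look2me_dlls(folder):
    """Paths of files in `folder` whose names fit the Look2Me pattern."""
    return sorted(e.path for e in os.scandir(folder)
                  if e.is_file() and is_look2me_name(e.name))


def demo():
    """Build a throwaway folder with constructed names and scan it."""
    names = [
        "msg{3957ab02-1bdf-4744-bde5-39a65e9551e9}0111.dll",  # from the thread
        "msg{F7C749BB-DEA8-41E9-8975-7BD2EA7A97D5}0110.dll",  # TonyKlein's copy
        "msg.exe", "msg711.acm", "msgsm32.acm", "msgsvc.dll",  # must be kept
        "msg12345.dll",                                        # not the pattern
    ]
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            open(os.path.join(d, n), "wb").close()
        return [os.path.basename(p) for p in find_look2me_dlls(d)]


if __name__ == "__main__":
    mod = parse_signature(SIGNATURE)["ModName"]
    print("faulting module:", mod, "-> Look2Me pattern:", is_look2me_name(mod))
    print("candidates in demo folder:", demo())
```

On the real machine you would point `find_look2me_dlls` at C:\Windows (and its System32 folder) and review the list before deleting anything; a DLL that explorer.exe has loaded will be locked, which is why the thread says to delete it from Safe Mode.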
xflamingMOEx

Thread Starter
Joined
Sep 28, 2003
Messages
7
Thank you soooooo much, Tony. That fixed everything that I was having trouble with. Any idea what the name of this trojan/worm is?
 

TonyKlein

Malware Specialist
Joined
Aug 26, 2001
Messages
10,392
Glad to hear that worked for you.

As I said, it's the so-called Look2Me, also known as "Similar Singles" foistware.
 
Joined
Nov 15, 2003
Messages
4
Hi. I'm new here and I've been having the same problem. I did everything you said, but when I go to C:\Windows I can't find what you've described. When I do a file search it still doesn't come up. Please help.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
jltmax

go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


BUT post it in a new thread. Do not piggyback on the end of a solved thread; you will not get dealt with that way.
 