
[SOLVED] Help needed for a newbie!!

Discussion in 'Virus & Other Malware Removal' started by xflamingMOEx, Sep 28, 2003.

Thread Status:
Not open for further replies.
  1. xflamingMOEx

    xflamingMOEx Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    7
    Hey, everyone. For the past few days, I've had either a virus/worm/trojan on my computer that, despite my best attempts, will not go away. I've run Norton Anti-Virus Corporate Edition, Ad-Aware 6.0, The Cleaner, Spybot: Search and Destroy, and Anti-Trojan, but every time I restart my computer, new programs load themselves on. Some of the ones that have loaded have been Lycos SideSearch, Xupiter, Power Scan, eZula, and countless others. Below is my HijackThis report, and any and all help offered would be greatly appreciated. Thank you!!


    Logfile of HijackThis v1.97.2
    Scan saved at 1:14:10 AM, on 9/28/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\defwatch.exe
    C:\Program Files\Norton AntiVirus\rtvscan.exe
    C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    C:\PROGRA~1\NORTON~1\vptray.exe
    C:\Program Files\Media\Media\UpdateStats.exe
    C:\Program Files\Window Maximizer\IE New Window Maximizer\iemaximizer.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\USR WLAN\USR USB Adapter\USRSTA.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Documents and Settings\default\Desktop\Internet Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\KaZaA Lite\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com/"); (C:\Program Files\Netscape\Users\fenderboy05\prefs.js)
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
    O2 - BHO: (no name) - {5312F28E-4370-495D-BE09-4D73CD9761D0} - C:\WINDOWS\System32\ymspubw40.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [USRSTA.EXE] USRSTA.EXE START
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\Window Maximizer\IE New Window Maximizer\iemaximizer.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: U.S.Robotics WLAN Utility.lnk = ?
    O4 - Global Startup: Image Transfer.lnk = ?
    O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASH\FLASHS~1.15\save.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
     
  2. KeithKman

    KeithKman

    Joined:
    Dec 28, 2002
    Messages:
    1,983
    Do this in order:

    1) Open Internet Explorer -> Tools -> Internet Options -> delete cookies, delete files (select off-line content), clear history. Then click ok and exit Internet Explorer.


    2) Read http://tomcoyote.org/SPYBOT/index1.html then download and run SpyBot. Make sure to get the updates for SpyBot before you have it scan your computer. After you scan and remove anything SpyBot finds, make sure to click the Immunize button and OK and then click the Immunize button in the right pane.


    3) Run one of the following free Anti-Virus programs here:

    http://housecall.trendmicro.com - I found this to work the best.

    http://www.pandasoftware.com/activescan

    http://www.ravantivirus.com/scan


    4) Re-post HiJackThis log...
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
    Run HijackThis, tick all below, double-check to make sure you haven't missed any, close all browser windows & press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
    O2 - BHO: (no name) - {5312F28E-4370-495D-BE09-4D73CD9761D0} - C:\WINDOWS\System32\ymspubw40.dll

    then reboot & delete C:\WINDOWS\System32\ymspubw40.dll if it is still there

    then open IE/tools/options/programs and press reset web settings, that will give you M$ default settings and you can then set your home/search pages of choice
     
  4. xflamingMOEx

    xflamingMOEx Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    7
    Thanks, guys. I've done all the above steps, and I believe the virus/trojan/worm is gone, but the problem is that now, none of my windows or programs appear on the Windows toolbar. I can open windows just fine, but they don't show up for toggling or anything. Once they're minimized, my ALT+CTL+DEL shows that it's still running the programs, yet I have no way to access them. Any idea how to fix this?
     
  5. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Also have this one fixed:

    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe

    After rebooting delete:

    The C:\Program Files\Media\Media subfolder
    The C:\Program Files\IncrediFind folder.

    About that taskbar, it's probably just hidden.
    Right-click the Taskbar, and untick "Lock The Toolbars" from the context menu.
    Grab each of the toolbar dividers in turn, carefully drag them back and forth, and see whether anything's hidden behind them.
     
  6. xflamingMOEx

    xflamingMOEx Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    7
    The taskbar will work for a few minutes after I restart, but then I receive one of those "Windows Explorer has encountered an error" messages, making it go back to where I can't right click it or minimize windows. Any ideas on what to do?
     
  7. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    The details of that error message would help.
     
  8. xflamingMOEx

    xflamingMOEx Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    7
    It's pretty much the standard XP error message, saying roughly "Windows Explorer has encountered an error and must be closed". When I click for details, it gives a long list of text and code, but I am unable to copy and paste it. It says it saved this information to:

    C:\DOCUME~1\default\LOCALS~1\Temp\WER17.tmp.dir00\appcompat.txt

    However, when I was searching for the WER17.tmp.dir00 folder, it didn't exist. Even after it closes Windows Explorer once, it continues to pop up with the message once I try loading Internet Explorer again. Here is my current HijackThis log:

    Logfile of HijackThis v1.97.2
    Scan saved at 12:43:24 PM, on 9/28/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\defwatch.exe
    C:\Program Files\Norton AntiVirus\rtvscan.exe
    C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    C:\PROGRA~1\NORTON~1\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Window Maximizer\IE New Window Maximizer\iemaximizer.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\USR WLAN\USR USB Adapter\USRSTA.exe
    C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\default\Desktop\Internet Explorer.EXE
    C:\Program Files\KaZaA Lite\HijackThis.exe

    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.msn.com/"); (C:\Program Files\Netscape\Users\fenderboy05\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [USRSTA.EXE] USRSTA.EXE START
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
    O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\Window Maximizer\IE New Window Maximizer\iemaximizer.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: U.S.Robotics WLAN Utility.lnk = ?
    O4 - Global Startup: Image Transfer.lnk = ?
    O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASH\FLASHS~1.15\save.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {C62DFDC7-2EEC-4C2C-827A-BC0BFB4260B3} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.4.0.1071/bin/imvid.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
     
  9. xflamingMOEx

    xflamingMOEx Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    7
    Anyone know how to fix it? The message that comes up says

    "Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience.

    If you were in the middle of something, the information you were working on might be lost.

    Please tell Microsoft about this problem.

    [stuff about sending an error report]

    Error Signature:
    AppName: explorer.exe AppVer: 6.0.2600.0 ModName: msg{3957ab02-1bdf-4744-bde5-39a65e9551e9}0111.dll
    ModVer: 1.1.1.0 Offset: 00017a13"

    Any help?
     
  10. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Well, msg{3957ab02-1bdf-4744-bde5-39a65e9551e9}0111.dll is obviously your culprit, and I've seen that one before:

    It creates semi-random files: msg(Class ID)(random numbers).dll, and Mosaic1 and I actually installed the malware in question a while ago to test it.
    Unfortunately <hits head rather violently against the wall...> I can't for the life of me remember which one it was.
    I have to start writing these things down...

    On a positive note, you have a file of that rather improbable name somewhere on your drive, probably in the Windows folder.

    Do a Find Files for msg{3957ab02-1bdf-4744-bde5-39a65e9551e9}0111.dll, and delete it. If it's in use by Windows, you may have to do so in Safe Mode.
     
  11. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Whoops, found it! :)

    It's the Look2Me foistware

    I even concocted a fix:

    Good luck,
     

    Attached Files:

  12. xflamingMOEx

    xflamingMOEx Thread Starter

    Joined:
    Sep 28, 2003
    Messages:
    7
    Thank you soooooo much, Tony. That fixed everything that I was having trouble with. Any idea what the name of this trojan/worm is?
     
  13. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Glad to hear that worked for you.

    As I said, it's the so-called Look2Me, also known as "Similar Singles" foistware.
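    An added example, not code from this thread or from any of its posters (and not TonyKlein's attached fix): it applies the indicators dvk01 and TonyKlein used above to HijackThis-format lines, flagging entries whose target file is missing, unnamed BHOs, items running from the folders marked for deletion, blanked IE search/start pages, and the Look2Me msg{CLSID}NNNN.dll naming scheme. The sample lines are constructed from this thread's logs; the Look2Me O2 line is invented for the demo, since the thread only saw that file in an error signature.

```python
import re

# HijackThis item: a type code (R1, O2, O4, O16 ...), " - ", then the item body
HJT_LINE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.+)$")
# Look2Me naming scheme TonyKlein describes: msg{CLSID}<random digits>.dll
LOOK2ME_DLL = re.compile(r"msg\{[0-9a-f-]{36}\}\d+\.dll", re.IGNORECASE)
# Folders the helpers told the poster to delete after fixing the entries
ADWARE_DIRS = ("\\media\\media\\", "\\incredifind\\", "\\incred~1\\")

# Constructed sample modelled on the thread's logs; the second O2 line is
# invented to show the Look2Me pattern (the thread saw it only in an error signature)
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll (file missing)
O2 - BHO: (no name) - {5312F28E-4370-495D-BE09-4D73CD9761D0} - C:\WINDOWS\System32\ymspubw40.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O2 - BHO: (no name) - {3957AB02-1BDF-4744-BDE5-39A65E9551E9} - C:\WINDOWS\msg{3957ab02-1bdf-4744-bde5-39a65e9551e9}0111.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""


def classify(line):
    """Return why a HijackThis entry deserves attention, or None if it looks
    benign (Norton, QuickTime and the Radio toolbar pass through untouched)."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None  # header, blank or "Running processes" line
    kind, body = m.group("type"), m.group("body")
    if LOOK2ME_DLL.search(body):
        return "Look2Me-style msg{CLSID}NNNN.dll module"
    if body.endswith("(file missing)"):
        return "orphaned entry: registered file no longer exists"
    if kind == "O2" and "(no name)" in body:
        return "unnamed BHO"
    if any(d in body.lower() for d in ADWARE_DIRS):
        return "runs from a folder the helpers marked for deletion"
    if kind in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip()
        if value in ("", "about:blank") or value.lower().endswith("blank.htm"):
            return "blanked IE search/start page (fixed in the thread)"
    return None


def triage(log_text):
    """Return {entry: reason} for every flagged line of a HijackThis log."""
    flagged = {}
    for raw in log_text.splitlines():
        reason = classify(raw)
        if reason:
            flagged[raw.strip()] = reason
    return flagged
```

Entries the thread's helpers left alone (vptray, the Radio toolbar, the QuickTime DPF) come back unflagged, which is the point: most of a HijackThis log is harmless, as dvk01 notes further down.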
     
  14. jltmaxx

    jltmaxx

    Joined:
    Nov 15, 2003
    Messages:
    4
    Hi. I'm new here and I've been having the same problem. I did everything you said, but when I go to C:\Windows I can't find what you've described. When I do a file search it still doesn't come up. Please help.
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,185
    First Name:
    Derek
    jltmaxx

    go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.


    BUT post it in a new thread. Do not piggyback on the end of a solved thread; you will not get dealt with that way.
     
Short URL to this thread: https://techguy.org/167989