1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Solved] please help, think i have a virus, here's a copy of hijack this!! tia!!!

Discussion in 'Virus & Other Malware Removal' started by snowcrash, Apr 13, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. snowcrash

    snowcrash Thread Starter

    Joined:
    Apr 13, 2004
    Messages:
    2
    please help me out, i've done everything i can possible do that i know how to do with out screwing anything up. i was on the newsgroups the other day and downloaded a file somehow with a bunch of files i had selected, and didn't know it. anyway, i saw it in my file folder, and opened it by mistake with out running a virus check on it. anyway, it was something like britney.scr or something like that i think. today and yesterday my computer started acting up sending out emails, and norton was keeping most of them from going out.

    i've ran adaware, spybot search and destroy, norton, and stinger right now. i looked in my c:windows/system32 folder and there was svchost.exe. one was like 12.5kb(which i've read saying that is the correct one to have) and another one was svshost, a windows media file being like 59kb or something. i've ran a hijack this scan and saved the log. please help me out and let me know what i should delete and fix.

    running stinger right now, it's come up with this, will update as it finishes:
    Scan initiated:
    C:\System Volume Infomations\_restore{C4A8D267-D1AB-4290-BEE2-E75D8D49ADCB}\RP286\A0032299.exe
    Found the W32/Pate.dam virus!!!!
    C:\System Volume Infomations\_restore{C4A8D267-D1AB-4290-BEE2-E75D8D49ADCB}\RP286\A0032299.exe could not be repaired.

    thanks for any help!

    Logfile of HijackThis v1.97.7
    Scan saved at 10:09:09 PM, on 4/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Ascendis Software\Caller ID\CALLERID.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\WINDOWS\SYSTEM32\svshost.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\movies4\stinger.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\movies4\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [rndll2] C:\program files\internet explorer\rndll2.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [svshostdriver] svshost.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs9_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1267/ftp.coupons.com/v6/brix6ie.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/29b1a1be7d8d9d729118/netzip/RdxIE6.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://webcam.gsu.edu/activex/AxisCamControl.ocx
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.4937037037
    O16 - DPF: {BA00165E-C903-11D3-BD27-0050048A82BF} (eShare Technologies NetAgent Customer ActiveX Control) - http://ec112.ecicorp.com/netagent/objects/CustAppX.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, The infected files are in the RESTOR volume, and in order to fix that, you MUST delete all restore points....method:

    http://service1.symantec.com/SUPPOR...sf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

    Don't see any other serious problems in your log.
    Get rid of Restore Points as it tells you... come back, post a fresh log from HJThis if you like, and then you should be scanning virus free...check that before you post, OK? You then, after a clean scan, can create New Restore Point.
     
  3. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi Byteman. Our paths haven't crossed in a while. You doing OK?

    Mind if I butt in here! ;)


    And Hi snowcrash

    Welcome to TSG! :)

    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    O4 - HKLM\..\Run: [rndll2] C:\program files\internet explorer\rndll2.exe

    O4 - HKLM\..\Run: [svshostdriver] svshost.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/29b1a1be7d8d9d...tzip/RdxIE6.cab


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Now find and delete:

    The C:\program files\internet explorer\rndll2.exe file
    The C:\WINDOWS\SYSTEM32\svshost.exe file

    *Note: There is a file in C:\Windows\System32 that looks similar to svshost.exe. That file is svchost.exe. The svchost.exe file is legit. DO NOT delete it. Delete svshost.exe
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi Mark (flrman1) yeah, doing OK but it is spelled W-O-R-K !! That and I have had some bronchitis spells that last a long time. Lately I have time to find a couple of posters that have no reply and get them started out-- usually late at night and then off to bed.
    I'm working as my carpenter "alter ego' days, plus the pc work locally in off time- lately folks have been bringing in two at a time to get running, so it's a time thing mostly!
    Last nite I wrestled with win2k Pro till 4 a.m., could not find a good driver for several modems I had around, but worked it out. Ended up tweaking the Services so it could restart in under 7 minutes... The computer was running 2kPro on a 300mhz PII with 192mb RAM, and very poky except hooked up to my cable ISP.
    Hey nice of you to ask if things were Ok Mark!
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Good luck with the bronchitis. Good to see you!
     
  6. snowcrash

    snowcrash Thread Starter

    Joined:
    Apr 13, 2004
    Messages:
    2
    thanks alot for the help, computer seems to be running a lot better now.
     
  7. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome! (y)
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/220194

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice