virus removal help

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

cmg363

Thread Starter
Joined
Oct 13, 2003
Messages
8
First of all, I would like to thank Candy and Derek for their help thus far! I can now access some crucial files that are needed to determine what I need to do next. I still have a problem that needs to be resolved. I have 3 viruses (backdoor lithium, backdoor litmus.gen, & backdoor subseven). I learned a lesson when I let Norton take care of a fourth virus and couldn't open any apps. I want to do my homework before I take care of the remaining 3! Any suggestions?!
Thank you
Chris
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Go to http://www.spywareinfo.com/~merijn/files/hijackthis.zip and download 'Hijack This!'.
Unzip, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

As said in the previous post, once we see your hijack log we can diagnose and fix most trojan/viral problems.
 

cmg363

Thread Starter
Joined
Oct 13, 2003
Messages
8
Derek,
I just e-mailed Candy, and as I told her, I can view the log, but when I try to save it, it is trying to open with Acrobat Reader, and I get an error that it can't open because it doesn't start with % PDF. Any suggestions?
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Hold down the Shift key and right-click the log file, select Open With, scroll down the list and select Notepad.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Otherwise, just attach the log file to your next post and we will paste it from this end.

To do this:
To add a log to your post:
Click on Post Reply, not Quick Reply.
First, save your log files as a text file using Notepad or a similar program.

Then compose your post, then click the Browse button below the posting window and browse to the text log (wherever you have saved the text file). Once selected, don't preview your post, just click the Submit Reply button.
 

cmg363

Thread Starter
Joined
Oct 13, 2003
Messages
8
Derek,
I've got a new problem. I tried to hold down Shift and right-click Open With, and I'm getting an error that it can't find rundll32.exe, needed to open log files. Any help? Thank you
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
I'm sure Derek will be along shortly ;) but I 'think' you may have to extract a new copy via SFC.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Start, Run, then type SFC and hit OK... extract that one file to the Windows directory...

Derek, is this ok?
 

cmg363

Thread Starter
Joined
Oct 13, 2003
Messages
8
Derek,
I was finally able to access the log file by renaming it to a .txt file. Hope this is readable. Thanks, Chris
Logfile of HijackThis v1.97.3
Scan saved at 6:43:50 AM, on 10/20/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F0 - system.ini: Shell=
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.gospelcom.net/rhm/"); (C:\Program Files\Netscape\Users\User1\prefs.js)
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [KSphere] "C:\PROGRAM FILES\TIKAL KNOWLEDGE\KSPHERE\KSPHERE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = ptdprolog.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 204.186.0.201,204.186.0.202,204.186.0.203
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Well, I can't see any viruses running at all.

The only entry I'm unsure about is:
O4 - HKCU\..\Run: [KSphere] "C:\PROGRAM FILES\TIKAL KNOWLEDGE\KSPHERE\KSPHERE.EXE

All I can find out about it is that the k-sphere home page diverts to a scum advertising site, so that makes me suspect the program to be a parasitic ad spawning program, but I might be wrong and it could be genuine.
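The manual read-through of the HijackThis log in this thread can be partly scripted. The sketch below is an added example, not part of any post in the thread and not HijackThis's own code: it splits a log into running processes and coded entries, then lists O4 autostart items for a human to look at. The function names and the `needs_review` rule (full path outside C:\WINDOWS) are assumptions made for illustration; being listed is a prompt to check, not a verdict.

```python
import re
from collections import defaultdict

# A few lines copied from the log posted in this thread (shortened set).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.3
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.netscape.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [KSphere] "C:\PROGRAM FILES\TIKAL KNOWLEDGE\KSPHERE\KSPHERE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # e.g. "O4 - ..."
RUN_KEY = re.compile(r"^(\S+): \[(.+?)\] (.*)$")      # registry Run/RunServices
STARTUP = re.compile(r"^(Startup): (.+?) = (.*)$")    # Startup folder shortcut

def parse_log(text):
    """Return (running_processes, entries_by_code) from a HijackThis log."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)

def autostarts(entries):
    """Split O4 lines into (location, name, command) tuples."""
    out = []
    for body in entries.get("O4", []):
        m = RUN_KEY.match(body) or STARTUP.match(body)
        if m:
            out.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return out

def needs_review(items, trusted_prefix="C:\\WINDOWS\\"):
    """Names whose command is a full path outside the Windows directory.
    Bare names such as SysTray.Exe are skipped here (assumed rule)."""
    return [name for _, name, cmd in items
            if re.match(r"^[A-Za-z]:\\", cmd)
            and not cmd.upper().startswith(trusted_prefix)]
```
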
 