1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Worm/virus help needed

Discussion in 'Earlier Versions of Windows' started by marimari, Sep 30, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. marimari

    marimari Thread Starter

    Joined:
    Sep 29, 2003
    Messages:
    2
    Hello,
    I'm new here and I want to say i'm totallt retarded when it comes to computers..
    I was stuck on ms_DOS for a day because I didn't know how to get back to windows.
    :confused:

    My problem..
    I seem to have the worm W32.Kwbot.F from Kazaa..

    I deleted a file called wTemp32 which was filled with software applications that I never downloaded..
    when I scanned them they all came up as a virus.

    I found 2 hidden zip-like files under windows/system called
    ms_32.exe & ms_bak.temp.exe
    so I deleted them too.

    I saw on a website to use REGEDIT and check the Kazaa items..
    I did and I deleted some things..
    one pointed people who downloaded from me to go to the folder that had all the software w/viruses

    then there is a Rundll16.exe
    what is that?
    there is no "value" set like the website said..
    should I delete Rundll16.exe?

    I also have "HijackThis"
    so if anyone knows what this is could you please look at this scan and tell me what to get rid of.

    Thanks,
    Mari
    ;)
    ====================
    Logfile of HijackThis v1.97.2
    Scan saved at 3:05:15 PM, on 9/30/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\POP UP STOPPER AND AD KILLER\PUSAK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\ELABORATE BYTES\CLONECD\CLONECDTRAY.EXE
    C:\PROGRAM FILES\D-TOOLS\DAEMON.EXE
    C:\PROGRAM FILES\TEXTBRIDGE PRO 8.0\BIN\INSTANTACCESS.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\TWAIN_32\1200UB\WATCH.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\~VIRUS~\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    F1 - win.ini: run=hpfsched
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ilaijcv4.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\ilaijcv4.slt\prefs.js)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_1_5_0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
    O4 - HKLM\..\Run: [sureshotpopupkiller] "C:\PROGRAM FILES\POP UP STOPPER AND AD KILLER\PUSAK.EXE" -minimized
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    O4 - HKLM\..\Run: [kfgjzwc] "C:\WINDOWS\SYSTEM\KFGJZWC.exe"
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"
    O4 - HKLM\..\Run: [RDLL] RunDll16.exe
    O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
    O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200UB\WATCH.exe
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: RealGuide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Fun Web Products Installer Start) - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.5.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Djas00

    Djas00

    Joined:
    Sep 24, 2002
    Messages:
    147
    Well first do not delete Rundll16.exe. I have heard of Hijack This but do not know what it is. I might have to check on that. It might help if you give a little information about your computer. Such as what kind of virus scan it has and what operating system it has.
     
  3. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Welcome to TSG mari. Let's see what we can do to get you cleaned up and running smooth. Give me about 20 minutes to go thru your HJT log and make suggestions.
     
  4. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Yes, rundll16 must go! It's the result of a virus/worm

    In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
    Next, close all browser Windows, and have HT fix all checked.

    F1 - win.ini: run=hpfsched

    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL

    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL

    O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    O4 - HKLM\..\Run: [RDLL] RunDll16.exe

    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200UB\WATCH.exe


    I can't find anything on this entry, which is not surprising, but anytime you have a random named file it is potentially viral in nature. And I know it doesn't belong in \windows\system. You can delete it with no harm.

    O4 - HKLM\..\Run: [kfgjzwc] "C:\WINDOWS\SYSTEM\KFGJZWC.exe"

    Next reboot into Safe Mode and remove the following files and folders that are bolded

    C:\Windows\ RunDll16.exe
    C:\WINDOWS\SYSTEM\KFGJZWC.exe

    See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

    Reboot into normal mode


    Now download Spybot - Search & Destroy (if you haven't got the program installed already)

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

    Reboot

    Last, run HJT again and post your log again to see if anything was missed.

    Thanks
     
  5. marimari

    marimari Thread Starter

    Joined:
    Sep 29, 2003
    Messages:
    2
    Ok Thanks..
    Let's hope I don't kill my pc :-/
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/168584

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice