Avast WEBforum

Other => Viruses and worms => Topic started by: Friedrich on September 12, 2004, 11:21:05 PM

Title: help...me...
Post by: Friedrich on September 12, 2004, 11:21:05 PM
Every day when I log on to the net I am attacked by the virus Trojano 302 (trj).
Well, Avast detects it and I always put it in the chest and delete it, but it always reappears when I am on the net. It has been happening for the last few days... Even now, while I am writing this message, avast is working and detecting that virus in various files.
And when I am not on the net I scan my system and avast finds nothing.
I am very confused and I don't know what to do.
I would like it if someone could tell me how I can remove it without... that unpopular format C:
Best wishes to you all... :D
Title: Re:help...me...
Post by: inthewildteam on September 13, 2004, 01:50:50 AM
Welcome to the forums,

Some more detail about the OS, the path to the file etc. would be helpful.

As a first course, have you tried AdAware S.E. and Spybot on your system? This might be caused by installing some software such as WeatherBug.

Do a search to see if any of these files are on your system

C:\WINDOWS\system32\addwj32.exe
C:\WINDOWS\system32\iexw32.exe
C:\WINDOWS\system32\mfcde32.exe
C:\WINDOWS\winbl32.exe
C:\WINDOWS\System32\bbbfr.exe
Title: Re:help...me...
Post by: Eddy on September 13, 2004, 12:14:49 PM
Click on the link in my signature, follow the steps on that page to clean and protect your system properly.
Title: Re:help...me...
Post by: Friedrich on September 13, 2004, 01:12:14 PM
It's very aggressive... it opens portals to porno sites and my computer
opens an unknown number of Expl.
I have Windows XP... help...
Title: Re:help...me...
Post by: Eddy on September 13, 2004, 01:26:10 PM
Have you already done as I suggested?
Title: Re:help...me...
Post by: Friedrich on September 13, 2004, 01:26:14 PM
I have picked up Shredder... it found nothing, but I am still attacked... I removed some possible hijacks with Ad-Aware, but it always appears when I am on the net.
Here are some files from the chest:
C:\windows\appde32.exe
c:\doc. and sett\in secure class loader
c:\windows\netul.exe
c:\windows\ntjh32.exe
c:\windows\system32\sdkgq32.exe

and they are different every time
Title: Re:help...me...
Post by: Friedrich on September 13, 2004, 01:29:50 PM
How do I disable system restore?
You mean to read those black letters... ???
Where can I find the firewall????
Title: Re:help...me...
Post by: Eddy on September 13, 2004, 01:30:00 PM
Get and use at least the applications I mention in the first table on that page.

You can find links to everything you need (applications) on that page, as well as links to information like "how to disable system restore".

- Read the entire page.
- Follow the directions given there.

Take your time. Better slow and spend some time on it now, than later feeling sorry. ;)
Title: Re:help...me...
Post by: GF on September 13, 2004, 01:57:17 PM
It's very aggressive... it opens portals to porno sites and my computer
opens an unknown number of Expl.
I have Windows XP... help...


I had an identical problem a couple of months ago. It was caused by a dirty mcc.exe process and was not picked up by any AV or anti-spyware at the time. Check in Task Manager to see if you have this process running, but don't kill or delete it yet because it can be legit. I don't want to advertise for them, but if you give me a hint of the sites it's opening I can confirm if it's the same problem I had.
Title: Re:help...me...
Post by: Eddy on September 13, 2004, 02:02:17 PM
GF, if it is as you suspect, HijackThis will pick it up and be able to deal with it.
Title: Re:help...me...
Post by: Friedrich on September 13, 2004, 09:22:49 PM
Well, thanks Eddie... but I think, after an all-day battle with that virus, I am losing my patience and am going to do a format C:
I did everything you say on your site... and... nothing helps, because I have a problem with that "process".

First I shut down system restore monitoring. That was good.

Then I went to safe mode and tried to find the virus with Avast... and I found it. :)
Now... I couldn't delete it, because the file was in use by another process... Then I remembered that you said to turn off the process in Task Manager... Now that is the problem... which one???????????
I tried to switch off all processes... and naturally I shut down the computer.


Now I have a new window while I write this... wait a second... listen:

File name: C:\windows\system32apiip.exe
Executable file viruses
avast! will try to repair the file according to the Virus Recovery Database. Files with no database record cannot be repaired.
[Repair] [Cancel]

What should I do?????? ;D I will do repair... and life goes on

Cannot be repaired... :D
Now I have that window with the alarm... cannot delete, cannot move to chest, cannot repair.
I am lost.
Title: Re:help...me...
Post by: whocares on September 13, 2004, 11:14:42 PM
Hi,
please post the HijackThis logfile here, and we'll try and help you...
 ;)
If you can't find the link: http://hjt.klaffke.de/en
 ;)
Title: Re:help...me...
Post by: Eddy on September 14, 2004, 12:59:36 AM
Yup, post the HJT log here. Don't worry, we will get you through this.

Remember, the easy way (format, clean install of everything) isn't the best way. If you learn how to handle a thing like this, you will have learned and may benefit from it later :D
Title: Re:help...me...
Post by: inthewildteam on September 14, 2004, 01:52:38 AM
Perhaps getting the programmes Eddy suggests downloaded first and printing out the page of suggestions, then physically removing your internet connection, by unplugging the cable so your machine is not connected during the clean up process might help?
Title: Re:help...me...
Post by: lhearn on September 14, 2004, 05:24:01 AM
Exactly the same problem with Trojano 302... is there someone who knows how to get rid of this?
Title: Re:help...me...
Post by: Friedrich on September 14, 2004, 06:14:08 PM
Hello people... I am very sorry, but I have been fighting this for two days...
First of all, I picked up everything that Eddy says... but I still don't know what process I should terminate in safe mode.

Second, I am constantly attacked by various viruses; now a new one is Trojan (gen) and some JS, and today a new one. Well, I have a problem with Ad-Aware.
Every time I do a scan I delete some possible browser hijack, and when I delete it, it appears again every time I start up my computer.
Here is that new virus I have told you about: Win32:Opas-a-fSG (Wrm).
What is that?

What should I post here that you said? I could just write you the names of the hijack browser... it's some http: easy-biz.com. That's on Ad-Aware.

Just tell me what process I have to turn off. I enter safe mode, I disable monitoring, I do everything, but I don't know what that harmful process is.
Title: Re:help...me...
Post by: DavidR on September 14, 2004, 07:34:15 PM
Please do as many people have asked, run hijackthis, save the log file and attach it to a post here as a text file (.txt). If you have trouble doing this, then cut and paste the log file text into the post.

People want to help, but you need to help them to help you and the information contained in the hijackthis log file will do that.
Title: Re:help...me...
Post by: terrybuda on September 15, 2004, 02:51:18 PM
I am getting ready to troubleshoot a machine with Trojano 302 too.  I will follow the steps that Eddy has outlined above.  Is there any cure for this virus which can be run from within Avast?
Title: Re:help...me...
Post by: Friedrich on September 15, 2004, 04:28:37 PM
here it goes..................


Logfile of HijackThis v1.98.2
Scan saved at 16:20:55, on 9/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\FarStone\VirtualDrive\VDTask.exe
C:\WINDOWS\vcdplayx.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ipiz.exe
C:\WINDOWS\System32\windows\services.exe
C:\WINDOWS\System32\twink64.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\wininet32.exe
C:\WINDOWS\System32\ir.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Marija i Zeljko\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\runwin32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yymxr.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yymxr.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49FE9E16-856A-3121-F94B-0D522A4EABA7} - C:\WINDOWS\ippe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CloneCDTray] C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ipiz.exe] C:\WINDOWS\ipiz.exe
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\System32\windows\services.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\RunOnce: [addtj.exe] C:\WINDOWS\addtj.exe
O4 - HKLM\..\RunOnce: [ipru.exe] C:\WINDOWS\ipru.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39E1B5B0-3B85-4A70-A67D-D0F6CB180AB6}: NameServer = 212.62.32.1 212.62.32.5

Title: Re:help...me...
Post by: Friedrich on September 15, 2004, 04:30:10 PM
I couldn't have done it better... sorry for the space...
I think that you won't mind me...
Title: Re:help...me...
Post by: whocares on September 15, 2004, 05:11:12 PM
Hi Friedrich,

here's an Analysis:
http://hijackthis.de/logfiles/0d72307b76583fde40324a701e711c68.html
(CAUTION!! false positives are quite possible..)

But anyway, your system is loaded with baddies
-> if you in any way value the security of your system or data, you should flatten the system and reinstall Windows; apply XP SP2 OFFLINE then, before ever connecting to the inet


if you don't want to do this:
FIRST!!: move/unpack HijackThis.exe into a new empty folder of its own, or you might lose all its backups..!!

- disable system restore
- reboot to safeMode
- check & fix everything in HijackThis that's marked RED in the above analysis; ditto all yellow entries in O2, O15 & O16
- reboot in safeMode
- scan and fix several times with Ad-Aware, Spybot & CWShredder
- reboot normally..
- scan all files belonging to items flagged yellow with TREND, RAV & KAV and report findings here, and/or fix them yourself..
 ;)

Oh, and activate XP's built-in Firewall, and read the link "VirusRemoval" below in my sig, especially
- the BACKDOOR.section and on
- how to secure your system better.. ;)
Title: Re:help...me...
Post by: DavidR on September 15, 2004, 05:18:20 PM
All of these are redirecting stuff to easy-search.biz; unless this is your intention, you should tick the boxes in HijackThis and then click Fix Checked (these could be taking you to some dubious sites where infection is more likely). The last one, about:blank, could be valid; the bit about 'HomeOldSP = about:blank' seems strange.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yymxr.dll/sp.html#37680
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yymxr.dll/sp.html#37680
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://easy-search.biz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://easy-search.biz
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

You are also running a lot of programs at start up (the Run entries); check and confirm that they are valid and need to run at startup.

Check all the Run entries (the .exe filenames) that are not familiar, using Google to search. I have just checked these three that are suspect, with a link to an information page below each (returned from the Google search).

O4 - HKCU\..\Run: [windllsys32.exe] C:\WINDOWS\System32\windllsys32.exe
http://www.techsupportforum.com/showthread.php?t=13944
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.allight.html this one could be passing/stealing your passwords, so you should change them all when you finally get rid of these.
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\wininet32.exe
This is also suspect

There really are too many to deal with all at once, and you should deal with these and run hijackthis again and either using Eddy's analysis program http://members.home.nl/edeijl/download/hjt5.005.exe

This should get you started but your computer is seriously compromised.

Edit: whocares beat me to it by a few minutes whilst I was searching using Google; his overall analysis is correct and you may need to consider a format and clean install.
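The triage DavidR and whocares apply by hand (R0/R1 entries pointing at a URL the user never chose, a search page served from a res:// DLL, a proxy on 127.0.0.1, an unnamed BHO, Run entries living in the Windows tree or borrowing a core-process name, Trusted Zone additions, ActiveX downloads with no description) is mechanical enough to script. The Python below is an added example for this thread, not HijackThis's own code and not anything posted here. Its sample input is a constructed subset of the log posted above; EXPECTED_URLS, KNOWN_GOOD_AUTOSTART and CORE_PROCESS_NAMES are assumptions about this one machine, and the function names are mine.

```python
"""Triage a HijackThis v1.98 log the way the thread replies do by hand."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: a subset of the log posted in the thread above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://easy-search.biz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easy-search.biz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yymxr.dll/sp.html#37680
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49FE9E16-856A-3121-F94B-0D522A4EABA7} - C:\WINDOWS\ippe.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ipiz.exe] C:\WINDOWS\ipiz.exe
O4 - HKLM\..\Run: [Windows] C:\WINDOWS\System32\windows\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [runwin32] C:\WINDOWS\runwin32.exe
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {11111111-1111-1111-1111-111111113457} -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39E1B5B0-3B85-4A70-A67D-D0F6CB180AB6}: NameServer = 212.62.32.1 212.62.32.5
"""

# Assumptions for this machine: start/search values the owner confirms as their
# own, and autostart executables the owner has already vouched for.
EXPECTED_URLS = {"about:blank"}
KNOWN_GOOD_AUTOSTART = {"ctfmon.exe", "soundman.exe", "carpserv.exe", "nerocheck.exe", "msmsgs.exe"}
# Core Windows processes are started by the kernel or the service controller,
# never from a Run key, so a Run entry carrying one of these names is a mimic.
CORE_PROCESS_NAMES = {"services.exe", "winlogon.exe", "lsass.exe", "svchost.exe", "smss.exe", "csrss.exe"}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
PATH_RE = re.compile(r'^"?(.+?\.exe)\b', re.IGNORECASE)          # executable, quoted or not
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})?\s*(\([^)]*\)|[^-]*?)\s*-\s*(.*)$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


def parse_hjt(text):
    """Return (section, body) for every entry line; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def autostart_path(body):
    """Executable path from an O4 body such as 'HKLM\\..\\Run: [name] "C:\\x.exe" /arg'."""
    cmd = body.partition("] ")[2].strip()
    m = PATH_RE.match(cmd)
    return m.group(1) if m else cmd


def triage(entries, expected_urls=EXPECTED_URLS, known_good=KNOWN_GOOD_AUTOSTART):
    findings = []
    for section, body in entries:
        line = f"{section} - {body}"
        if section in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            value = value.strip()
            if "Proxy" in key:
                if value.startswith(("127.0.0.1", "localhost")):
                    findings.append(Finding("high", "IE traffic routed through a local proxy port", line))
                else:
                    findings.append(Finding("info", "proxy setting present; confirm it is yours", line))
            elif value.lower().startswith("res://"):
                findings.append(Finding("high", "search page served from a local DLL resource (search hijack)", line))
            elif value and value not in expected_urls:
                findings.append(Finding("high", f"start/search setting redirected to {value}", line))
        elif section == "R3":
            findings.append(Finding("info", body, line))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding("high", "unnamed browser helper object loaded into IE", line))
        elif section == "O4":
            path = autostart_path(body).replace("/", "\\")
            folder, _, name = path.lower().rpartition("\\")
            if name in known_good:
                continue
            if name in CORE_PROCESS_NAMES:
                findings.append(Finding("high", "Run entry impersonating a core Windows process", line))
            elif folder.startswith("c:\\windows"):
                findings.append(Finding("medium", "unlisted autostart executable inside the Windows tree", line))
        elif section == "O15":
            findings.append(Finding("medium", "domain added to the IE Trusted Zone (relaxed security)", line))
        elif section == "O16":
            m = O16_RE.match(body)
            if m and (not m.group(2) or not m.group(3)):
                findings.append(Finding("medium", "ActiveX download with no description or no source URL", line))
        elif section == "O17":
            findings.append(Finding("info", "per-interface DNS servers; confirm they belong to your ISP", line))
    return findings


def count_by_severity(findings):
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(count_by_severity(triage(parse_hjt(SAMPLE_LOG))))
```

On the sample above the script reports six high findings (the four redirect/proxy R entries, the unnamed BHO, and the services.exe mimic under System32\windows), five medium and two informational. Everything it flags still needs the human confirmation DavidR asks for: the allow-lists are the owner's statement of what belongs on the machine, and an entry that is merely unfamiliar is a question, not a verdict.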
Title: Re:help...me...
Post by: whocares on September 15, 2004, 05:24:39 PM
Oh and:
O16 - DPF ... nethv32_EN_XP.cab -> RiskWare.Dialer.E-Group.d

--> if you've still got a (dial-up) modem in the PC,
archive "nethv32_EN_XP.cab" and the respective registry entries to maybe complain about your next phone bill ;)