Help for dumb ol grammy ME! please!

[teddyfluffy]

Hello im sorry if this sounds dumb! but due to much happening to me. I am WAY! slow of mind. and to quick to respond.  I jumped on my first message by avast. and just stuck three virus atacks in virus chest. before truely understanding ANYTHING! ..then I went and got their cleaning tool and ran it!.. it said I am clean now.(( but I dont understand any of this stuff!))   my computer has been  surfing tons lately by three people.. then its been acting weird. then out of nowhere. it pops up  trojen warnings  ((   SCARED ME !   )) so now what am I to do??? ..... ******  180ax.exe    C\WINDOWS\TEMP\180ax.exe     1/17/2005 12:50:5 ... 1/16/2005 ... win32: trojan-gen 4 ***** PH.EXE   C\WINDOWS\TEMP\APROPOSO\PH.EXE  1/17/2005 1:16:44...  1/16/2005  6:17:07  win32: trojano-901 [trJ} 5 *******PM.EXE   C\WINDOWS\TEMP\APROPOSO\PM.EXE  1/17/2005  1:16:44...     1/16/2005  6:17:22  win32: apropos-2[trj]  6 ****** all of that is tucked in avast virus chest now :'( thank you vary much for any words of help!

[inthewildteam]

First,

Welcome here!

Second  .......... don't panic

Third ...... more information is needed so do a search for "hijackthis", download it and post the results here.  Many members (more knowledgeable than me) can then decide what needs to be done to clean your system

[teddyfluffy]

Logfile of HijackThis v1.99.0
Scan saved at 8:49:31 PM, on 1/16/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\TEMP\SVCMM32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\CXTPLS\CXTPLS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: FavoriteMan Class - {EBBD88E5-C372-469D-B4C5-1FE00352AB9B} - C:\WINDOWS\SYSTEM\MMVIEW_101.DLL
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\SVCMM32.EXE" /startup
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [Communicator] C:\PROGRAM FILES\LILO & STITCH FUN PAK\COMMUNICATOR.EXE
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\MSN Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: DLHelperEXE.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES12031.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES12031.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: http://chat.msn.com
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {EAA105FE-7BBD-4196-8B96-D46743894195} (MjpegControl Class) - http://www.xlenttech.com/plugin/mjpegcontrol.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {EBBD88E5-C372-469D-B4C5-1FE00352AB9B} (FavoriteMan Class) - http://fad-1115.nyc1.targetnet.com/ad/id=auctionmoms&opt=htj&pt=13757354812190035727&pfin=J8MTQ2KAMXQN&cv=210&uid=590782429&url=http://www.ouchvideo.com/mmviewer_101.cab

[galooma]

hi teddy
can you run HJT again and fix these( read the tutorial if you dont understandtp://www.net-integration.net/index.php?page=hijackthis)
C:\WINDOWS\TEMP\SVCMM32.EXE           Nasty
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)           
    O2 - BHO: FavoriteMan Class - {EBBD88E5-C372-469D-B4C5-1FE00352AB9B} - C:\WINDOWS\SYSTEM\MMVIEW_101.DLL
      O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL           Nasty
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\SVCMM32.EXE" /startup 
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE (file missing)           Unnecessarily
9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\MSN Messenger\MSMSGS.EXE (file missing)           Unnecessarily
O16 - DPF: {EBBD88E5-C372-469D-B4C5-1FE00352AB9B} (FavoriteMan Class) - http://fad-1115.nyc1.targetnet.com/ad/id=auctionmoms&opt=htj&pt=1375735481219003 5727&pfin           Nasty
Having done that you should see some improvement but go to pandahttp://www.pandasoftware.com/activescan/com/activescan_principal.htm
and run it to see what if anything it finds
good luck

[watchthisspace]

Have you tried deleteing your temp internet files?
To do this go Internet explorer >>Tools>>Internet options>>Delete files >>Click delete all offline content (just to be sure) >> click ok. It might take some time to delete them.

I hope this helps 

Watchthisspace

[teddyfluffy]

first i did what you said Incident                      Status                        Location                                                                                                                                                                                                                                                       

Virus:Trj/Downloader.KW       No disinfected                C:\WINDOWS\Temporary Internet Files\Content.IE5\GR0DKNWT\mmviewer_101[1].cab[mmview_101.dll]                                                                                                                                                                   
Virus:Trj/Downloader.KW       Disinfected                   C:\WINDOWS\Desktop\backups\backup-20050116-225209-505.dll                                                                                                                                                                                                       
Virus:Trj/Downloader.KW       Disinfected                   C:\WINDOWS\Desktop\backups\backup-20050116-225212-997.dll                                                                                                   ************************************************************************ now you guys want me to empty the cookies? yes or no?

[DavidR]

Hi, welcome to the forums.

teddyfluffy, for the future you should check these tools and information out.

Eddy's Website click the "HiJackThis Section" and also the "Malware removal instructions and applications" section.
and follow the directions there and get back to us if you need more help....

For an on-line scan of your Hijackthis log file try here http://hijackthis.de/index.php

[teddyfluffy]

ok so your saying disable my system restore.......... then use the ( hijackthis scan) this is all I am thinking its saying? Im sorry I dont understand  so it will scan and remove trojens ? then i am lost>>>>>>>>>>>>Disable system restore (windows ME/XP) (info ME) (info XP)
Stop the harmfull process(es) by booting in safe mode (info) or disable them in the task manager.
Install a firewall. (A router with build in hardware firewall is preferable).
Use the programs mentioned above to clean the system.
(if you have Avast on a NT based system, shedule a boot time scan)
Scan the system with a online scanner.
Visit Windows update and install ALL security patches/updates, including SP2.
Check your hosts file(s) for unknown entries. If there are any, remove them.(info on hosts file)
Reboot the system to make all changes effective.
Scan all recently used floppies, burned cdr(w)'s, dvdr(w)'s etc.<<<<<<<<<<<< vary tec to my understanding

[teddyfluffy]

IM SCARED  :'(  I know you want me to do something !!!! ... BUT IT SAYS ITS BAD TO TAKE OFF MY SYESTEM REPARE THING!!  :'(  I dont know steps to do as I should!

[Eddy]

Don't worry. Just follow the 9 steps at that website one at a time.
Don't rush, there is no need for it, and you will be fine.

[teddyfluffy]

ok so #1 I Disable system restore #2 restart  in safe mode...((( it will let me online? ))... and what is a firewall? where do I get one to install?

[teddyfluffy]

ok now i foundout what firewall is now trying to think out next steps

[teddyfluffy]

  I just wanted to come back and thank all of you for helping me !!! I so  needed the help! and was vary sared of the whole thing! (((((((( BIG HUGS)))))))))) and God Bless You All VARY VARY MUCH !

[Eddy]

Thanks for the hug.

And just remember, we are here if you need us.

[DavidR]

We are happy to help, but give yourself a hug too, as you did all the hard work, not to mention you learned a lot.