« previous next »
Pages: 1 [2] 3 4   Go Down

Author Topic: WIN32:TROJAN-GEN. {UPX!} || HELP ME!  (Read 39688 times)

0 Members and 1 Guest are viewing this topic.

KIZZY

  • Guest
WIN32:TROJAN-GEN. {UPX!} || HELLO FROM VENEZUELA! S.O.S!!!!!
« Reply #15 on: December 16, 2003, 05:58:15 AM »
 :-[ HELLO, I`M KIZZY! FROM VENEZUELA, I`VE GOT THE SAME Win32:Trojan-gen WORM ON MY COMPUTER, AND I THINK I GOT IT FROM THAT LORD OF THE RING 3 (TRAILER) TOO!!  :'(  :'(  :'( I HAVE NO IDEA WHAT TO DO???? !!!!! I TRIED TO READ WHAT YOU SAID TO THE OTHER PERSON THAT HAD IT, BUT THIS IS THE 1ST TIME THIS HAPPENS TO ME... AND ITS A LITTLE BIT COMPLICATED  :-[  :-[   :-[ COULD YOU GUYS HELP ME?????????  ???   ???  ???
Logged

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #16 on: December 16, 2003, 07:08:05 AM »
Please do that what was written on page 1 on this thread, make an onlinescan and/or post a hijackthis log.
Logged
MfG Ralf

KIZZY

  • Guest
FROM KIZZY: WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #17 on: December 16, 2003, 03:39:04 PM »
Logfile of HijackThis v1.97.7
Scan saved at 10:33:22 a.m., on 16/12/2001
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe
C:\Archivos de programa\Música\Winamp\winampa.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\program files\Webdialer\od-shma33.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\Archivos comunes\GMT\GMT.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\ARCHIV~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\Kizzy\Escritorio\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=69362
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=69362
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=69362
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\ARCHIV~1\ARCHIV~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Archivos de programa\ISTbar\istbar.dll (file missing)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\ARCHIV~1\ARCHIV~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Archivos de programa\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Archivos de programa\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CMESys] "C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [IST Service] C:\Archivos de programa\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Power Scan] C:\Archivos de programa\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [AttuneClientEngine] C:\ARCHIV~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [CorelCorelDRAW10 Reminder] "C:\Archivos de programa\Corel\Graphics10\Register\NAVBrowser.exe" /r /i "C:\Archivos de programa\Corel\Graphics10\Register\NavLoad.ini"
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Música\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [od-shma33] c:\program files\Webdialer\od-shma33.exe -m
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://start.online-dialer.com/MaConnect.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} (Installer2 Class) - http://download.mediacharger.com/swimsuitnetwork.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/es/SysWebTelecom.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06E44AF3-7F44-4A5E-A634-3CDD4F73F593}: NameServer = 200.35.65.3 200.35.65.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{06E44AF3-7F44-4A5E-A634-3CDD4F73F593}: NameServer = 200.35.65.3 200.35.65.4


WAITING FOR YOUR HELP.... THIS IS SO NEW FOR ME  :P   ;D   ;)
Logged

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #18 on: December 16, 2003, 03:49:17 PM »
First of all yyour windows is not up to date, update it by using www.windowsupdate.com.
Second you are  "infected" with coolwebsearch Hijacker Infos and a Fix can be found here: http://www.merijn.org/cwschronicles.html

Let the following things "fix" using Hijackthis:
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\ARCHIV~1\ARCHIV~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Archivos de programa\ISTbar\istbar.dll (file missing)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\ARCHIV~1\ARCHIV~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [CMESys] "C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [od-shma33] c:\program files\Webdialer\od-shma33.exe -m
O4 - Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://start.online-dialer.com/MaConnect.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {486E48B5-ABF2-42BB-A327-2679DF3FB822} - http://akamai.downloadv3.com/binaries/IA/ia_XP.cab
O16 - DPF: {94742E3F-D9A1-4780-9A87-2FFA43655DA2} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_pack_XP.cab
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} (Installer2 Class) - http://download.mediacharger.com/swimsuitnetwork.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/es/SysWebTelecom.cab

Post a new log after you have done all of these.

Please turn of your Shift/caps lock. You do not need to shout here! ;)


« Last Edit: December 16, 2003, 03:50:03 PM by raman »
Logged
MfG Ralf

KIZZY

  • Guest
FROM KIZZY: WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #19 on: December 16, 2003, 04:49:17 PM »
1st. About updating my windows, i went to the windownsupdate website but when i clik on: look for updates (in spanish: buscar actualizaciones) it says that windowns update found an error so, i cant update it..   :-\
2nd. About what you said: about being infected with coolwebsearch Hijacker Info, is this mean that i have to do a whole other process in this other website you refer me to:
http://www.merijn.org/cwschronicles.html    What exactly do you mean when you say that I can find the Fix there?
3rd. Here is the new Log after i fixed the files you indicated:

Logfile of HijackThis v1.97.7
Scan saved at 11:43:45 a.m., on 16/12/2001
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe
C:\Archivos de programa\Música\Winamp\winampa.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\program files\Webdialer\od-shma33.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\Archivos comunes\GMT\GMT.exe
C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\ARCHIV~1\WINZIP\wzqkpick.exe
C:\ARCHIV~1\ICQ\Icq.exe
C:\Documents and Settings\Kizzy\Escritorio\hijackthis\HijackThis.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Windows NT\Accesorios\wordpad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=69362
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=69362
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=69362
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Archivos de programa\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Archivos de programa\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IST Service] C:\Archivos de programa\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Power Scan] C:\Archivos de programa\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [AttuneClientEngine] C:\ARCHIV~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [CorelCorelDRAW10 Reminder] "C:\Archivos de programa\Corel\Graphics10\Register\NAVBrowser.exe" /r /i "C:\Archivos de programa\Corel\Graphics10\Register\NavLoad.ini"
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Música\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\ARCHIV~1\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06E44AF3-7F44-4A5E-A634-3CDD4F73F593}: NameServer = 200.35.65.3 200.35.65.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{06E44AF3-7F44-4A5E-A634-3CDD4F73F593}: NameServer = 200.35.65.3 200.35.65.4


Sorry about the caps...  :D
Logged

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #20 on: December 16, 2003, 05:01:27 PM »
You only need the "how to get rid of this": http://www.merijn.org/cwschronicles.html#cwshredder

and please let these fix too:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IST Service] C:\Archivos de programa\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Power Scan] C:\Archivos de programa\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [AttuneClientEngine] C:\ARCHIV~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [CorelCorelDRAW10 Reminder] "C:\Archivos de programa\Corel\Graphics10\Register\NAVBrowser.exe" /r /i "C:\Archivos de programa\Corel\Graphics10\Register\NavLoad.ini"
O4 - HKLM\..\Run: [WinampAgent] "C:\Archivos de programa\Música\Winamp\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot

Maybe after get rid of all these, the Windowsupdatepage will work again.

Please post a new log after fixing all( incl. the cwshredder)
Logged
MfG Ralf

KIZZY

  • Guest
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #21 on: December 16, 2003, 05:15:56 PM »
I did everything, but the error page keeps on coming back, here`s the log after the SWshredder and fixing the files you specified...
 :)
 
Logfile of HijackThis v1.97.7
Scan saved at 12:10:12 p.m., on 16/12/2001
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe
C:\Archivos de programa\Música\Winamp\winampa.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\program files\Webdialer\od-shma33.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\System32\rundll32.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Archivos de programa\Archivos comunes\GMT\GMT.exe
C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\ARCHIV~1\ARCHIV~1\INSTAL~1\engine\6\INTEL3~1\iKernel.exe
C:\ARCHIV~1\WINZIP\wzqkpick.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kizzy\Escritorio\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Archivos de programa\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Archivos de programa\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\Archivos de programa\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\ARCHIV~1\ICQ\ICQNet.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06E44AF3-7F44-4A5E-A634-3CDD4F73F593}: NameServer = 200.35.65.3 200.35.65.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{06E44AF3-7F44-4A5E-A634-3CDD4F73F593}: NameServer = 200.35.65.3 200.35.65.4
Logged

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #22 on: December 16, 2003, 05:28:47 PM »
The "Problem is, that Hijackthis only fix the registry, but not delete any files.  Avast should be able to delte the files(at least in safe mode). And you should also give adaware a try( www.lavasoft.com) because the Spy/Adware is still on your pc.

BTW forgot this. Its Spyware, too:
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s

BTW2: in which file does Avast find the torj-gen
Logged
MfG Ralf

KIZZY

  • Guest
KIZZY AGAIN: WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #23 on: December 16, 2003, 08:01:09 PM »
Hello, im back... so what do I do now?
* What do I need from http://www.lavasoft.com/
* Do you want me to restart my computer in safe mode and run the scan again? and try to delete that file you specified?
 ???
Logged

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #24 on: December 16, 2003, 08:11:25 PM »
Sorry wrong link!;)
Adaware: http://lavasoft.element5.com/default.shtml.es
or SpybotSD: http://www.safer-networking.org/index.php?page=download

and yes, start you pc in safe mode and let Avast scan your PC.
Logged
MfG Ralf

Birgitte

  • Guest
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #25 on: December 22, 2003, 10:04:58 PM »
File: C:\WINDOWS\system32\audio.exe
OS: WinXP
Online virus scan done with Trent showed nothing however Avast keeps finding this file. I have run ad-aware and spybot too and cleaned up everything they found


Hijack This log:



Logfile of HijackThis v1.97.7
Scan saved at 22:00:07, on 22-12-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\D-Tools\daemon.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmer\SmartLaunch\Server\Server.exe
C:\Programmer\SmartLaunch\Administrator\Admin.exe
C:\Documents and Settings\Maddog.KIOSK\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [bybdzzl] rundll32 C:\WINDOWS\System32:bybdzzl.dll,Init 1
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\RunOnce: [*bybdzzl] rundll32 C:\WINDOWS\System32:bybdzzl.dll,Init 1
O4 - HKLM\..\RunOnce: [KB826939] rundll32.exe apphelp.dll,ShimFlushCache
O4 - Global Startup: Smartlaunch Server.lnk = C:\Programmer\SmartLaunch\Server\Server.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37977.5068518519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9A5FA46-20D8-426C-8E6F-4A9E5787FF00}: NameServer = 193.88.44.42,193.88.44.22

« Last Edit: December 22, 2003, 10:23:04 PM by Birgitte »
Logged

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #26 on: December 22, 2003, 10:24:46 PM »
Possibly Afcore Variant:
O4 - HKLM\..\RunOnce: [*bybdzzl] rundll32 C:\WINDOWS\System32:bybdzzl.dll,Init 1

If you are able to find the file test it here: http://www.kaspersky.com/remoteviruschk.html
Logged
MfG Ralf

Birgitte

  • Guest
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #27 on: December 22, 2003, 10:41:06 PM »
found the audio one and scanned it and it found nothing. Couldn't find the bybdzzl.dll or anything like that anywhere..
Logged

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #28 on: December 23, 2003, 05:47:04 AM »
Fix the bybdzzl.dll lines and than type
rundll32 C:\WINDOWS\System32:bybdzzl.dll,uninstall that will uninstall it.
Logged
MfG Ralf

Birgitte

  • Guest
Re:WIN32:TROJAN-GEN. {UPX!} || HELP ME!
« Reply #29 on: December 23, 2003, 06:59:26 AM »
Okay did that.


Logfile of HijackThis v1.97.7
Scan saved at 06:58:03, on 23-12-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\D-Tools\daemon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\tbctray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Programmer\SmartLaunch\Server\Server.exe
C:\Programmer\SmartLaunch\Administrator\Admin.exe
C:\WINDOWS\System32\cidaemon.exe
C:\MozillaFirebird\MozillaFirebird.exe
C:\Programmer\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Maddog.KIOSK\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programmer\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKLM\..\Run: [THGuard] C:\Programmer\TrojanHunter 3.7\THGuard.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [STYLEXP] C:\Programmer\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Smartlaunch Server.lnk = C:\Programmer\SmartLaunch\Server\Server.exe
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37977.5068518519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9A5FA46-20D8-426C-8E6F-4A9E5787FF00}: NameServer = 193.88.44.42,193.88.44.22

Logged
Pages: 1 [2] 3 4   Go Up
« previous next »