Possible Virus?????



tomijon
01-22-2003, 12:10 PM
I have just tried pasting the addy for PC-World/uk into my address bar; I copied it direct from my onboard search engine. After quite a long time I saw the web address change at the bottom of my page from what I had requested to one that said something like "Terra" in the title. When the page opened it was a porn image. Just recently my system has been a bit weird, putting things in the wrong place and painfully slow on the internet. I have run an AVG scan with no results; could this still be a VIRUS? If so, could you advise as to the files I could search for. I do use Kazaa but don't allow access to my files, if I can help it.
Many thanks, Tomijon.

Budfred
01-22-2003, 12:14 PM
It is more likely that you have a hijack/trojan than a virus. Kazaa has a bunch of spyware and other crap in it, so you probably got it from there or from places that you used Kazaa to access. I would run Spybot and probably HijackThis to see what you have and clean it out. You can get them here if you don't already have them. Make sure you run an updated copy. Also, some viruses will disable an antivirus program, so it can be worthwhile to run an online scan...

http://www.pcguide.com/vb/showthread.php?s=&threadid=15179

Budfred

mjc
01-22-2003, 01:55 PM
99.99% sure you have been jacked.......go download HijackThis (http://www.spywareinfo.com/~merijn/) and post the log, then maybe we can figure out which one it is.

tomijon
01-23-2003, 08:59 AM
I downloaded and ran Spybot and the BitDefender online scan. Spybot came up with a load of files with ! marks, so I asked it to fix everything, which it did. BitDefender gave us the all clear. I still have the problem with the wrong address taking over for PC World. I just downloaded and ran HijackThis with the following results. NB: none of the search addresses are familiar; "Terra" featured in the address that took over from what I requested.
Logfile of HijackThis v1.91.2
Scan saved at 13:44:32, on 23/01/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://66.40.16.198/sm/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://66.40.16.198/sm/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://66.40.16.198/sm/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://66.40.16.198/sm/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.hotfreebies.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.terra.es/personal7/crabby/
R3 - URLSearchHook: (no name) - {07C84B9D-88F2-48B1-BD69-5BAB12A896CF} - (no file)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MMHID] rundll32 mmhid.dll,StartMmHid
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe -SetupRunOnce
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\ARTSOFT\POPUPK~1\PopupKiller.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /1
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Windows Guardian.lnk = C:\Program Files\CyberMedia First Aid\FAWGRD32.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4CIS600\WATCH.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

Explorer\Search,SearchAssistant=http://www.terra.es/personal7/crabby/

Whyzman
01-23-2003, 09:27 AM
See if you have a file data789.tmp

This file is apparently a pointer that redirects to the crabby site! :mad:

There are 2 patches for IE 5 due to security issues which need to be fixed...or, you could get your Browser Hijacked...

About halfway down, check under "Obnoxious Home Page Arrives, and Won't Go Away".
http://www.uninet.net/~blaisdel/IE_3.html

Be sure to read the entire entry under this heading, as you may need to do some Registry editing. If you are wary about venturing into the Registry I would wait for mjc's assistance...

mjc
01-23-2003, 10:41 AM
The easier way will be to run Hijackthis again and have it fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://66.40.16.198/sm/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://66.40.16.198/sm/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://66.40.16.198/sm/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://66.40.16.198/sm/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.hotfreebies.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.terra.es/personal7/crabby/
R3 - URLSearchHook: (no name) - {07C84B9D-88F2-48B1-BD69-5BAB12A896CF} - (no file)

Explorer\Search,SearchAssistant=http://www.terra.es/personal7/crabby/


This one looks kind of suspicious; it is supposed to be a part of a video driver for a PowerColor Kyro video card, so if that is not your card then zip that file up and send me a private message.
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe -SetupRunOnce

Also clear your temp files, your browser cache and your cookies. (Spybot should let you do the cookies and cache; I would use the secure wipe option in Spybot.) If you use Spybot for the cleaning, make sure that all instances of IE are closed and that you have run the online update first.

tomijon
01-23-2003, 01:47 PM
OK, I have followed your instructions, deleted the files and cleared temp internet. My search engine won't open now, though: "you are not authorised to view this page". My current video card is a Hercules Prophet that I replaced myself. Not sure what you mean by zipping it and mailing you???
Thanks again, Tomijon.

Budfred
01-23-2003, 02:24 PM
I can't tell you about the search engine, but I can tell you what mjc means about zipping it. He means to compress it into a zip file and attach it to a private message to him on the forum. By compressing it you make it safer for mjc to download it so that he can look at it and determine if it is malware. If you don't know how to zip a file, post back and we can give you instructions. You will need WinZip or some other program that zips files.

Budfred

mjc
01-23-2003, 03:17 PM
What are you using for a search engine?

If it requires logging in you may need to log in again, because you most likely have removed the cookie.

Also, another HijackThis log would be handy.

tomijon
01-23-2003, 07:37 PM
Hotmail is my homepage. Msn search engine.
This is the latest log,
Logfile of HijackThis v1.91.2
Scan saved at 00:28:19, on 24/01/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://hotmail.com/
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MMHID] rundll32 mmhid.dll,StartMmHid
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe -SetupRunOnce
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\ARTSOFT\POPUPK~1\PopupKiller.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /1
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Windows Guardian.lnk = C:\Program Files\CyberMedia First Aid\FAWGRD32.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4CIS600\WATCH.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

mjc
01-23-2003, 10:05 PM
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"


Save the above as IEsearch.reg and then merge it into your registry by double clicking on it.
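The two steps mjc describes, picking the hijacked R0/R1/R3 and F1 lines out of the HijackThis log and then merging a REGEDIT4 file that puts the search values back, can be done mechanically. The script below is an added example for this thread; it is not HijackThis code and not the .reg file mjc posted. It parses a constructed sample (lines copied from the first log in the thread), flags search/start URLs whose host is not on a small trusted list (an assumption; Start Page=hotmail.com is treated as the user's own choice), flags a URLSearchHook with "(no file)" and any win.ini run= line, and writes a REGEDIT4 file. "Search Page" and "Default_Search_URL" get the Microsoft redirector mjc used; other flagged values are deleted with the `=-` syntax so IE falls back to its built-in default, which is this example's choice rather than anything stated in the thread.

```python
"""Triage the R0/R1/R3 and F1 lines of a HijackThis log and build a REGEDIT4
file that resets Internet Explorer's search settings.  Added example for this
thread; not HijackThis code and not the .reg file posted above."""
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the log posted earlier in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://66.40.16.198/sm/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://66.40.16.198/sm/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://66.40.16.198/sm/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://66.40.16.198/sm/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.hotfreebies.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.terra.es/personal7/crabby/
R3 - URLSearchHook: (no name) - {07C84B9D-88F2-48B1-BD69-5BAB12A896CF} - (no file)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

# Hosts the search/start values may legitimately point at (assumption; adjust
# to the machine being cleaned).
TRUSTED_HOSTS = {"www.microsoft.com", "microsoft.com", "hotmail.com",
                 "www.hotmail.com", "www.msn.com", "search.msn.com"}

# Microsoft redirector used in mjc's .reg file.  Values with no known default
# are deleted ("=-") so IE falls back to its built-in behaviour (assumption).
MS_SEARCH = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
KNOWN_DEFAULTS = {"Search Page": MS_SEARCH, "Default_Search_URL": MS_SEARCH}
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\([^,]+),([^=]+)=(.*)$")
R3_LINE = re.compile(r"^R3 - URLSearchHook: (.*) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
F1_LINE = re.compile(r"^F1 - win\.ini: run=(.+)$")


def classify(line):
    """Return a finding dict for a suspicious log line, or None if benign."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        section, hive, key, name, data = m.groups()
        url = urlsplit(data)
        if not data or url.scheme == "about":
            return None  # about:blank and empty values are IE defaults
        host = (url.hostname or "").lower()
        if host in TRUSTED_HOSTS:
            return None
        return {"section": section, "hive": hive, "key": key, "name": name,
                "data": data, "host": host,
                "reason": "search/start URL points at an untrusted host"}
    m = R3_LINE.match(line)
    if m:
        label, clsid, path = m.groups()
        if path == "(no file)" or label == "(no name)":
            return {"section": "R3", "clsid": clsid, "data": path,
                    "reason": "URLSearchHook with no name or missing file"}
        return None
    m = F1_LINE.match(line)
    if m:
        return {"section": "F1", "data": m.group(1),
                "reason": "win.ini run= entry; rarely used by legitimate software"}
    return None


def triage(log_text):
    """All suspicious findings in a log, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


def reg_escape(s):
    # REGEDIT4 string data: backslashes and double quotes must be escaped.
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_fix(findings):
    """Build REGEDIT4 text that resets every flagged R0/R1 value."""
    by_key = {}
    for f in findings:
        if f["section"] in ("R0", "R1"):
            full_key = HIVES[f["hive"]] + "\\" + f["key"]
            by_key.setdefault(full_key, []).append(f["name"])
    out = ["REGEDIT4", ""]
    for full_key in sorted(by_key):
        out.append("[" + full_key + "]")
        for name in sorted(by_key[full_key]):
            default = KNOWN_DEFAULTS.get(name)
            if default is None:
                out.append('"%s"=-' % reg_escape(name))
            else:
                out.append('"%s"="%s"' % (reg_escape(name), reg_escape(default)))
        out.append("")
    return "\r\n".join(out)  # .reg files on Win9x expect CRLF line endings


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["section"], f["reason"], "->", f["data"])
    print(reg_fix(found))
```

Run it against a saved log (`triage(open("hijackthis.log").read())`), review the findings by hand, then save `reg_fix(...)` as a .reg file and merge it as mjc describes. The R3 and F1 findings are only reported, not fixed: the orphaned URLSearchHook is a HijackThis "fix checked" job, and the win.ini run= program should be identified before anything is deleted.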

tomijon
01-24-2003, 08:42 PM
Sorry mjc, you will have to walk me through that one. I get as far as Main in REGEDIT, then lost. Do I copy what you sent and paste it somewhere??
Cheers, Tomijon.
PS: search page is back up, yipee!!!!!! Also the hijack address has changed to: http://gallys.nastydollars.com/cs/49/nadia

mjc
01-24-2003, 11:41 PM
OK, let me get this straight: you now have your search back but haven't actually gotten around to "fixing" it, and you are now hijacked again?

I need this file: O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe -SetupRunOnce. In the meantime, disable it!

tomijon
01-25-2003, 09:40 AM
mjc, I zipped and sent that to your e-mail address at your web site a couple of days ago; it's the only file with that ref I can find. I have deleted it for now. I think the search engine was fixed after I deleted the files you told me to sack; I just needed to reboot. I have used the search a lot since, and the only address that I get the unwanted page for is the PC World one.
Thanks, Tomijon.

john38
02-01-2003, 10:33 AM
I had the same sort of problem last week. It was a backdoor trojan; AVG did not detect it, Norton AntiVirus 2003 did. This is what it told me to do to confirm that I had it:
1. Click Start, and click Run. The Run dialog box appears.
2. Type in it regedit and then click OK. The Registry Editor opens.
3. Select the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

If the only thing in there is a system32 exe file, you have the trojan.
You will have to make a backup of your registry, then go through the procedure again and delete the system32 exe file. That will then have got rid of the trojan.
BONDY