
PC acting weird...

Comments

9 comments

  • Customer

    seriously, can anyone take a look?

    0
  • Customer

    *bump* It's been a while now... can anyone look at this please? zomg...

    0
  • Customer

    Hi,

     

    Things may have changed since your first post so could you run a fresh scan with HijackThis and post back with a fresh copy of your HijackThis log please.

     

    Many thanks

    0
  • Customer

    Logfile of HijackThis v1.99.1

    Scan saved at 1:26:22 PM, on 9/6/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.5450.0004)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\hkcmd.exe

    c:\program files\common files\mcafee\mna\mcnasvc.exe

    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\WINDOWS\System32\svchost.exe

    C:\Documents and Settings\Owner\Desktop\My stuff (Andrey)\Programs\Mozzila\firefox.exe

    C:\Documents and Settings\Owner\Desktop\My stuff (Andrey)\Programs\Hijackthis\HijackThis.exe

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

    O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

    O4 - HKLM\..\Run: [Winexes] C:\WINDOWS\system32\server.exe

    O4 - HKLM\..\Run: [McLogLch_exe] "C:\Program Files\McAfee\MSC\McLogLch.exe"

    O4 - HKCU\..\Run: [Winexes] C:\WINDOWS\system32\server.exe

    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O8 - Extra context menu item: &Clean Traces - C:\Documents and Settings\Owner\Desktop\My stuff (Andrey)\Programs\DAP\Privacy Package\dapcleanerie.htm

    O8 - Extra context menu item: &Download with &DAP - C:\Documents and Settings\Owner\Desktop\My stuff (Andrey)\Programs\DAP\dapextie.htm

    O8 - Extra context menu item: Download &all with DAP - C:\Documents and Settings\Owner\Desktop\My stuff (Andrey)\Programs\DAP\dapextie2.htm

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O11 - Options group: [iNTERNATIONAL] International*

    O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX28.cab

    O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab

    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

    O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe

    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

    O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe

    O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe

    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Documents and Settings\Owner\Desktop\My stuff (Andrey)\Programs\TuneUp\WinStylerThemeSvc.exe

    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    0
  • Support

    Hi,

     

    Apologies for the late reply, we've been quite swamped in here as you can probably see.

     

    Open HijackThis and do a *system scan only*

     

    When it finishes, checkmark these two entries, then press the *fix checked* button.

     

    O4 - HKLM\..\Run: [Winexes] C:\WINDOWS\system32\server.exe

     

    O4 - HKCU\..\Run: [Winexes] C:\WINDOWS\system32\server.exe

     

    Please download the Killbox by Option^Explicit.

    http://www.downloads.subratam.org/KillBox.zip

     

    Unzip/Extract the contents to your desktop

    How to extract (decompress) zipped or compressed files

    http://www.lvsonline.com/compresstut/index.shtml

     

    1. Open Killbox by clicking on Killbox.exe

     

    2. Select *Delete on Reboot* in the first column

     

     

    3. Copy and paste the following text shown in bold into the white box that says "Full Path of File to Delete"

     

    C:\WINDOWS\system32\server.exe

     

     

    4. Press the red button with the white x in it.

     

    5. You will receive a prompt stating that files will be deleted on next reboot. Do you want to reboot now?

    Choose Yes when asked if you want to reboot. If your computer does not restart, please reboot it manually

     

     

    Note: Backups will be stored in the following directory created on the Hard-drive (usually C):

    C:\!KillBox

     

    6. Navigate to the Killbox backup folder:

    C:\!KillBox

     

    a. Right-click folder !KillBox

     

    b. Point to Send To

     

    c. Then click Compressed (zipped) Folder

     

    This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed.

    C:\!KillBox.zip

     

    7. Go here to upload the files as attachments

    http://www.thespykiller.co.uk/forum/index.php?board=1.0

    Just press new topic (Make the subject: For CalamityJane from Andy{Leet_krew} ),

    fill in a short message, then press the browse button and navigate to and select these files on your computer. If there is more than one file, press the more attachments button for each extra file and browse and select it. When all the files are listed in the window, press the *Post* button to upload the files.

     

    Files to upload:

     

    C:\!KillBox.zip

     

    You DO NOT need to be a member to upload, anybody can upload the files.

     

    You will not see the files that have been uploaded as they only show to the authorized users who can download them. I'll be able to collect it from there to examine and see what it is.

    .........................

    8. After the reboot, scan once more with HijackThis and post a fresh log please.

    0
  • Customer

    OK, rebooted.. blah-blah.. did everything you said.. posted a new topic on that forum (attached the same file twice by mistake...lol)

    Here's new "fresh" Log.

     

    Logfile of HijackThis v1.99.1

    Scan saved at 2:48:51 PM, on 9/6/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v7.00 (7.00.5450.0004)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\hkcmd.exe

    c:\program files\common files\mcafee\mna\mcnasvc.exe

    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    C:\WINDOWS\System32\svchost.exe

    C:\Documents and Settings\Owner\Desktop\My stuff (Andrey)\Programs\Mozzila\firefox.exe

    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

    C:\PROGRA~1\McAfee\MSC\mclogsrv.exe

    C:\Documents and Settings\Owner\Desktop\My stuff (Andrey)\Programs\Hijackthis\HijackThis.exe

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll

    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

    O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

    O4 - HKLM\..\Run: [McLogLch_exe] "C:\Program Files\McAfee\MSC\McLogLch.exe"

    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    O8 - Extra context menu item: &Clean Traces - C:\Documents and Settings\Owner\Desktop\My stuff (Andrey)\Programs\DAP\Privacy Package\dapcleanerie.htm

    O8 - Extra context menu item: &Download with &DAP - C:\Documents and Settings\Owner\Desktop\My stuff (Andrey)\Programs\DAP\dapextie.htm

    O8 - Extra context menu item: Download &all with DAP - C:\Documents and Settings\Owner\Desktop\My stuff (Andrey)\Programs\DAP\dapextie2.htm

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O11 - Options group: [iNTERNATIONAL] International*

    O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - https://www.windowsonecare.com/install/cli/...nSSWebAgent.CAB

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX28.cab

    O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab

    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

    O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe

    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe

    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

    O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe

    O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe

    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Documents and Settings\Owner\Desktop\My stuff (Andrey)\Programs\TuneUp\WinStylerThemeSvc.exe

    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    0
  • Support

    Looks like that got it.

     

    Scan with HijackThis and also checkmark this item:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :

     

    Then press the *fix checked* button.

     

    The file you uploaded is not widely detected, but this scan with multiple AV scanners indicates it is infected:

     

    Jotti Malware Scan

    File: server.exe

    Status:

    INFECTED/MALWARE

    MD5 d2ad79c3554b2512d7d2c59ea0939ba6

    Packers detected:

    -

    Scanner results

    AntiVir Found Heuristic/Crypted (probable variant)

    ArcaVir Found nothing

    Avast Found nothing

    AVG Antivirus Found nothing

    BitDefender Found nothing

    ClamAV Found nothing

    Dr.Web Found nothing

    F-Prot Antivirus Found nothing

    Fortinet Found nothing

    Kaspersky Anti-Virus Found Trojan.Win32.Pakes

    NOD32 Found nothing

    Norman Virus Control Found Bifrose.D

    UNA Found nothing

    VirusBuster Found nothing

    VBA32 Found nothing


     

    Let me know if this has now resolved the issues you were seeing?

    0
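    As an added example (not code from this thread, and not part of HijackThis or Killbox): a small Python triage script that applies, to the O4 and R1 lines quoted above, the two checks the support replies made by eye. It flags a Run value registered under both HKLM and HKCU with the same target (the *Winexes* pair), an autostart executable under system32 that is not on a known-good list, and an empty or malformed ProxyServer value (the `= :` entry fixed in the last reply). The embedded log lines are copied from the logs in this thread; the system32 allowlist is a hypothetical one built only from this machine's own entries, so treat both checks as heuristics to review, not verdicts. Note that, exactly as in the thread, removing the Run value does not remove the file it points to; that still needs a separate deletion step.

```python
import re
from dataclasses import dataclass

# Sample input: the relevant O4/R1 lines from the HijackThis logs in this thread,
# embedded here so the example runs offline (constructed subset, not a full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Winexes] C:\WINDOWS\system32\server.exe
O4 - HKLM\..\Run: [McLogLch_exe] "C:\Program Files\McAfee\MSC\McLogLch.exe"
O4 - HKCU\..\Run: [Winexes] C:\WINDOWS\system32\server.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://yahoo.com
"""

# Hypothetical allowlist of autostart binaries expected under system32 on this
# machine, built from the thread's own log. A real baseline would be much larger.
SYSTEM32_ALLOWLIST = {"hkcmd.exe", "igfxtray.exe"}

# HijackThis abbreviates the Run key as HKLM\..\Run / HKCU\..\Run.
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$')
R1_PROXY = re.compile(r'^R1 - (HKCU|HKLM)\\.*Internet Settings,ProxyServer = (.*)$')


@dataclass
class RunEntry:
    hive: str
    name: str
    target: str   # executable path with quotes and arguments stripped
    line: str     # original log line, kept for reporting


@dataclass
class Finding:
    line: str
    reason: str


def executable_path(command: str) -> str:
    """Return just the executable from a Run command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(?i)^(.*?\.exe)', command)
    return m.group(1) if m else command


def parse_run_entries(log_text: str) -> list[RunEntry]:
    """Parse the O4 Run-key lines of a HijackThis log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            entries.append(RunEntry(m.group(1), m.group(2), executable_path(m.group(3)), line))
    return entries


def triage(log_text: str) -> list[Finding]:
    """Apply the three heuristics to a log and return the lines worth a closer look."""
    findings: list[Finding] = []
    entries = parse_run_entries(log_text)

    # Heuristic 1: same value name and same target registered in both hives.
    # Installers normally pick one hive; the Winexes entry was in both.
    hives_for: dict[tuple[str, str], set[str]] = {}
    for e in entries:
        hives_for.setdefault((e.name.lower(), e.target.lower()), set()).add(e.hive)

    for e in entries:
        if hives_for[(e.name.lower(), e.target.lower())] >= {"HKLM", "HKCU"}:
            findings.append(Finding(e.line, "same Run value in both HKLM and HKCU"))
        # Heuristic 2: an executable dropped straight into system32 with a name
        # that is not on the machine's known-good list (server.exe here).
        folder, _, basename = e.target.lower().rpartition("\\")
        if folder.endswith("\\system32") and basename not in SYSTEM32_ALLOWLIST:
            findings.append(Finding(e.line, "unrecognised executable under system32"))

    # Heuristic 3: a ProxyServer value that is empty or just ':' is not a usable
    # proxy setting; it is leftover configuration that should be cleared.
    for raw in log_text.splitlines():
        m = R1_PROXY.match(raw.strip())
        if m and m.group(2).strip() in {"", ":"}:
            findings.append(Finding(raw.strip(), "empty or malformed ProxyServer value"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
```

    Run against the sample, the script reports both Winexes lines twice (both hives, and an unlisted binary under system32) and the ProxyServer line once, while the Intel, McAfee and Adobe entries pass. A name-based allowlist is only a first filter; confirming a flagged file still means hashing it and checking it against multiple scanners, as the Jotti result above does.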
  • Customer

    OK, I deleted

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :

    how would I know if it's fixed.. do I need to send you the Killbox thingy again?

    thanks a lot!

    0
  • Support

    Since Kaspersky is one of the few AVs detecting this, let's run an online AV scan at the KAV site. Save the log at the end and post the results back here. The online scanner won't fix anything, but I can delete any files found infected manually.

     

    You can delete the backups for Killbox - no need to keep it and I have a copy which I'll be submitting to the other AV/AT/AS companies for detection.

     

    Open Killbox and choose *File* at the top

    Then choose *Cleanup* in the dropdown menu

    And select *Delete all backups*

     

    Then get the free online AV scan (full system) from Kaspersky here:

    http://www.kaspersky.com/virusscanner

     

    Remember to save the log at the end and post it back here for review.

    0
