#1
Hi there!
Hope you can help please. Got back today and ran the newly installed AVG antivirus and found the above virus on the system. AVG has cleaned it, however I still have several problems: 1) No web access 2) cannot play any .wav files in RealPlayer or Windows Media Player, so obviously no sound. Please help here guys, it would be very much appreciated. I will run HijackThis if it will be of any help to you? JC
#2
Please find a copy of my HijackThis log

Logfile of HijackThis v1.97.7
Scan saved at 22:58:24, on 07/12/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\MY RECEIVED FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Reboot.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37898.555162037
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB

Some other items of interest: my history, installer and nethood files have all been duplicated numerous times within my Windows. JC
#3
Guys, I'm really sorry
(more haste, less speed) I didn't reboot before doing the last HijackThis, this is the current one:

Logfile of HijackThis v1.97.7
Scan saved at 23:27:08, on 07/12/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\MY DOCUMENTS\MY RECEIVED FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Reboot.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37898.555162037
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB

Thanks again
#4
Hi JC,
Can you see if you can solve your internet access problem with LSPFix: http://www.cexx.org/lspfix.htm
I had to make an educated guess as to what downloader.dia.a exactly is, but I came up with http://www.doxdesk.com/parasite/ShopAtHomeSelect.html Maybe you can confirm that for me.
I wish that the AVs that decide to identify and remove spyware would at least do that without causing more damage than the spyware itself. [/END RANT]
Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#5
When I ran my Spybot, I believe there were some files called DyFuCa. I think I've heard of that; looked on Symantec and that told me to install some things from Add/Remove Programs, which I have done.
#6
#7
Ah, OK. Well, with Spybot you have now found a tool capable of dealing with it in a more "sophisticated" way.
Have you tried LSPFix? And if so, how did it work out? Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#8
Am currently at work, so cannot try it.
Do you think I will be able to play my mp3s and wavs again? Unfortunately I still couldn't access the net after removing the virus, running Spybot and removing those programs. I don't understand why it would have duplicated the installer, nethood and history files either. Any ideas? Thanks for the help by the way. Despite the frustration this is actually quite interesting.
#9
Playing mp3s and wavs is something that can be solved in many ways, so I wouldn't worry about that too much.
Let's get you back online first. I'm not sure about the duplicates. Where did you find them? In another user identity? Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#10
No, they're all in my Windows folder.......
#11
I still can't access the web (getting a syntax error?) and still getting no sound, can't play mp3s, .wav files or anything. Has everything been corrupted?
#12
Yes, I did try LSPFix, it actually did nothing.....
#13
Also found an odd file called msbllco.exe, which looks like an MSN file but I don't think it is....any ideas?
#14
Hi JC,
Unfortunately there are lots of nasties using filenames starting with ms, so that they look trustworthy at first sight. If you would like me to have a look, mail the file to the address in my profile. Do you have absolutely no internet access, or are there some functions you can perform? (Just no surfing) Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#15
Could be MSblico, whatever that is
#16
Hi JC,
Can you first fix these two items with HijackThis:
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
Then check if you have on your PC: TEST.OCX
If so send it to me please [unzy @ wilders.org] Thanks! Cheers,
__________________
TonyKlein's "How can I be better protected?"
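As an added example (not code from this thread, from HijackThis or from its authors), here is a small parser for the O16 - DPF lines of a HijackThis log that flags the kind of entries Unzy asked JC to fix: ActiveX downloads hosted on a bare IP address, registered without a descriptive class name, or fetched from a host outside a reviewer's allow-list. The allow-list of vendor hosts is my assumption; the sample lines are copied from the logs posted in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37898.555162037
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://01.sharedsource.org/html/UDConn.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
"""

# Assumption: a reviewer's own allow-list of vendors whose ActiveX CABs are expected on this PC.
TRUSTED_HOSTS = ("microsoft.com", "macromedia.com", "yahoo.com")

O16_RE = re.compile(r"^O16 - DPF: (?P<name>.+?) - (?P<url>\S+)$")
CLSID_NAME_RE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\})(?: \((.*)\))?$")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_o16(line):
    """Split one 'O16 - DPF' line into CLSID, descriptive name and download URL; None for other lines."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    clsid, name = None, m.group("name")
    cm = CLSID_NAME_RE.match(name)
    if cm:
        clsid, name = cm.group(1), cm.group(2)  # name is None when no class name was registered
    return {"clsid": clsid, "name": name, "url": m.group("url")}

def assess_o16(entry):
    """Return the reasons an entry deserves a closer look (empty list = looks benign)."""
    host = (urlparse(entry["url"]).hostname or "").lower()
    reasons = []
    if IP_HOST_RE.match(host):
        reasons.append("CAB hosted on a bare IP address")
    if entry["clsid"] and not entry["name"]:
        reasons.append("CLSID registered without a descriptive class name")
    if not any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS):
        reasons.append("host not on the allow-list")
    return reasons

def triage_log(text):
    """(url, reasons) for every O16 entry in the log that deserves review, in log order."""
    entries = filter(None, map(parse_o16, text.splitlines()))
    return [(e["url"], r) for e in entries if (r := assess_o16(e))]
```

Run against the sample, the two entries it reports are exactly the two Unzy asked to have fixed.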
#17
Hi JC,
MsblIco.Exe looks to be what it appears to be. Part of the MSN installation. Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#18
OK, more information -
When I start my PC now there is a scandisk problem saying that an invalid long file name........ When I press Ctrl-Alt-Delete I have 2 x rundll32 running. In my Add/Remove Programs I have NPO Software Update Manager Win32 Bl application, none of which (I don't think) were there before. When I try to connect to the web I am getting an invalid syntax error. However WinMX connects perfectly. The following files were created yesterday in my C:
autoexec._av
autoexec.bat
config.sys
config._av
Also the following folders: winsxs and shellnew.
Unzy, after following your advice and removing those 2 things the following files appeared on my desktop:
backup 20031208-203003-344
backup 20031208-203003-344.dll
backup 20031208-203003-344.inf
backup 20031208-203004-194
backup 20031208-203004-194.inf
All very strange. Here is my most recent log:

Logfile of HijackThis v1.97.7
Scan saved at 20:37:50, on 08/12/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Reboot.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37898.555162037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
#19
Hi JC,
The backups were created by HijackThis. It creates them in the folder it is run from. In your case that is the desktop. Can you fetch and send mail? (other than webmail of course) I still think there is something wrong with your winsock. Did you find the file Unzy asked for? Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#20
I couldn't find Unzy's file, no, I did a find file and it couldn't see it.
What is NPO? Never seen that before. Will try and receive mail now, be right back :'(
#21
Yes, I can send and receive mail
#22
Have you set hidden files/folders enabled to show? Here's how. If it was not enabled can you please do another search? Also check for: ddm download.ddm or something in that style. Keep us posted. Thanks! Ah, I know the winSxS folder is part of MSN also
__________________
TonyKlein's "How can I be better protected?"
#23
If you can't find any of those files/folders, please try this program:
http://members.shaw.ca/techcd/VB_Projects/WinsockFix.zip Unzip and double-click it and then click Reg-Backup, then click Fix. If anything gets worse, you can use the backup. Regards, Pieter
__________________
Regards, Pieter It's nice to be important, but it's more important to be nice. It's human to make mistakes. It's even more so to blame the computer for it.
#24
I definitely don't have any ddm stuff, checked already.
I also already had all files showing. Will try the winsock fix, be back shortly
#25
OK JC, thanks for checking out.
Hope Pieter's advice will help you out. Do you still get alerts about that trojan? Cheers,
__________________
TonyKlein's "How can I be better protected?"