What else...the klez virus...I need help

Discussion in 'malware problems & news' started by Josh, Jan 21, 2003.

Thread Status:
Not open for further replies.
  1. Josh

    Josh Guest

    Before I get started, I know the easiest...strike that...the most thorough way to get rid of viruses is to reformat my hard drive. I'm trying to avoid that.

    2 days ago, in hopes of getting a response to a new job, I opened unfamiliar mail. Sinful, I know, but whatever. Anyway, I'm now up to my eyelids in this thing and it's messing with my system.

    I have PC-cillin. I've run it. Clean bill of health. I've run the downloadable debugger from Trend Micro for this virus. Clean bill of health. I've run defraggers, I've done the regsvr32 urlmon.dll thing, and in the end I've still got problems.

    I've had to reload Windows Media Player and MusicMatch. I think my joystick is now on the fritz. Also I find that my IE keeps getting hijacked to various sales windows and then reverts to Google, after I see it going to "google123.web1000.com".

    So what's going on o_O What do I need to do? I want my computer back, and then I want to shove a red hot poker in this jerk's ass.

    In the end....do I just need to dump my whole system :'(
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi Josh,

    Please download Hijackthis, unzip and run it: Scan > Save log, rename the .log to .txt and post it.
    Then under Config > Misc Tools > generate Startuplog and post that log as well.
    If for some reason you're uncomfortable with posting it feel free to email it to me.

    Regards,

    Pieter
     
  3. josh

    josh Guest

    Pieter

    I sent you the txt file for HijackThis, because I couldn't figure out how to attach a file to this forum. I can't find the config file you're referring to. Please email me with any further help. I'd be greatly indebted to you.

    thanks
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi josh,

    Please surf to our downloads section and download Spybot S&D.
    Make sure to update before you run it.
    After scanning you will see items in red, black and green.
    Make sure all the red items are checked. The black and green ones are up to you but irrelevant for this problem. Then hit fix selected problems. The program makes backups unless you told it not to.
    See if that fixes it. Otherwise please have another look at Hijackthis.
    At the bottom right there is a button labelled Config.
    That is where to start making a Startuplog. I do need it to help you if Spybot S&D can't.

    Regards,

    Pieter
     
  5. josh

    josh Guest

    Hey guys,

    me again.

    Alright, I've gone through quite a bit here, so I'm just going to lay out what I've found.

    StartupList report, 1/24/03, 12:08:19 AM
    StartupList version: 1.51
    Started from : C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACK\HIJACKTHIS.EXE
    Detected: Windows 98 Gold (Win9x 4.10.1998)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACK\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    PowerReg Scheduler.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    AELaunch = AELaunch.exe
    Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    PCCIOMON.EXE = "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    pop3trap.exe = "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    WebTrap.exe = "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
    autoupd = C:\WINDOWS\AUTOUPD\autoupd.exe
    EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    LoadQM = loadqm.exe
    IFSplash = ImmSplsh.exe
    zSPGuard = c:\program files\pjw\spguard\spguard.exe /s

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    PCCIOMON.EXE = "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    AIM = C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 23/1/2003, 0:22:32)

    [rename]
    nul=C:\WINDOWS\TEMP\~e5d141.tmp
    nul=C:\WINDOWS\TEMP\~ef6591
    nul=C:\WINDOWS\TEMP\~ef6591\clcd16.dll
    nul=C:\WINDOWS\TEMP\~ef6591\~efe2.tmp
    nul=C:\WINDOWS\TEMP\~e5d141.tmp
    nul=C:\WINDOWS\TEMP\~e5d141.tmp
    nul=C:\WINDOWS\TEMP\~e5d141.tmp
    nul=C:\WINDOWS\TEMP\~e5d141.tmp
    nul=C:\WINDOWS\TEMP\~e5d141.tmp
    nul=C:\WINDOWS\TEMP\~e5d141.tmp

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [CV3 Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
    CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/w98/en/actsetup.cab

    [sys Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
    CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://a224.g.akamai.net/7/224/52/20011004/qtinstall.info.apple.com/qt503/us/win/QuickTimeInstaller.exe

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\XSCAN53.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab

    [OPUCatalog Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
    CODEBASE = http://office.microsoft.com/ProductUpdates/content/opuc.cab

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
    CODEBASE = http://207.188.7.150/094a888d9cb1ea1d0321/netzip/RdxIE.cab

    [GSDACtl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GSDA.DLL
    CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

    [Measurement Service Client]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\MSC.OCX
    CODEBASE = http://ccon.madonion.com/global/msc.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1038700330030

    --------------------------------------------------
    End of report, 6,224 bytes
    Report generated in 0.082 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    Does anything look suspicious?
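An added example, not part of the thread or of the StartupList tool itself: a small Python parser for the StartupList 1.51 report format posted above. It splits the report on the dash separator lines, collects the "name = command" pairs under each registry Run key and the Browser Helper Object lines, and then lists the autorun entries whose command names a program without any directory component. Those are the entries the log alone cannot locate on disk (Windows resolves them via its search path), so they are the ones to find by hand before deciding whether they are legitimate. The sample report is a constructed, abbreviated excerpt of the log in the thread; the function names are my own.

```python
"""Parse a StartupList 1.51 report into structured entries for triage."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the StartupList 1.51 report format, abbreviated from
# the log posted in the thread. The dash separators and the "name = command"
# layout are what the parser keys on.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
PCCIOMON.EXE = "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
zSPGuard = c:\program files\pjw\spguard\spguard.exe /s

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------
"""

SEPARATOR = re.compile(r"^-{10,}\s*$", re.MULTILINE)
BHO_LINE = re.compile(r"^(?P<name>.+?) - (?P<path>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\})\s*$")


def split_sections(report: str) -> List[List[str]]:
    """Split the report on dash separator lines; return each section's non-empty lines."""
    sections = []
    for chunk in SEPARATOR.split(report):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if lines:
            sections.append(lines)
    return sections


def parse_startuplist(report: str) -> Dict[str, object]:
    """Return {'autoruns': {regkey: {name: command}}, 'bhos': [{name, path, clsid}]}."""
    autoruns: Dict[str, Dict[str, str]] = {}
    bhos: List[Dict[str, str]] = []
    for lines in split_sections(report):
        header = lines[0]
        if header.startswith("Autorun entries from Registry:"):
            regkey = lines[1]  # the registry key path follows the header line
            entries = {}
            for line in lines[2:]:
                name, sep, command = line.partition(" = ")
                if sep:
                    entries[name.strip()] = command.strip()
            autoruns[regkey] = entries
        elif header.startswith("Enumerating Browser Helper Objects:"):
            for line in lines[1:]:
                m = BHO_LINE.match(line)
                if m:
                    bhos.append(m.groupdict())
    return {"autoruns": autoruns, "bhos": bhos}


def executable_of(command: str) -> str:
    """Extract the program from a Run-key command, honouring quoted paths.
    An unquoted path containing spaces is cut at the first space, which is the
    same ambiguity Windows itself faces with such entries."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def bare_name_entries(parsed) -> List[Tuple[str, str, str]]:
    """List (regkey, name, command) for entries whose program has no directory
    component. These are resolved through the Windows search path at boot, so
    the log alone does not say which file on disk runs; locate them by hand."""
    found = []
    for regkey, entries in parsed["autoruns"].items():
        for name, command in entries.items():
            exe = executable_of(command)
            if "\\" not in exe and "/" not in exe:
                found.append((regkey, name, command))
    return found


if __name__ == "__main__":
    parsed = parse_startuplist(SAMPLE_REPORT)
    for regkey, name, command in bare_name_entries(parsed):
        print(f"{regkey}: {name} = {command}")
    for bho in parsed["bhos"]:
        print(f"BHO {bho['clsid']} -> {bho['path']}")
```

Run against the full log rather than the excerpt, the same function lists the entries whose file you still have to track down in C:\WINDOWS or C:\WINDOWS\SYSTEM; the BHO list is worth a second look because a BHO loads into every Internet Explorer process, which is the usual place to look when the browser keeps being redirected.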
     