Help, what to do now?

Discussion in 'NOD32 version 2 Forum' started by Russell, Sep 30, 2003.

Thread Status:
Not open for further replies.
  1. Russell

    Russell Guest

    I just had a virus come up and it says it cannot clean it; I don't know what to do now.
    It's c:\windows\taskmon.exe which is the infected file, and this is the error message that comes up:

    "trojan Win32/Optix.Pro.13 infiltration found in operating memory. NOD32 cannot clean this infiltration. No action can be applied to memory infiltration."

    So does anyone here know what I can do now, because I cannot open some .exe files as a result of this, such as mIRC, Kazaa etc.

    please help me
    thanks
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002 | Posts: 13,332 | Location: Netherlands

    Hi Russell,

    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, double-click HijackThis.exe, and hit "Scan".
    If it doesn't work, try changing the filename to hijackthis.com.

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  3. Russell

    Russell Guest

    Pieter, thanks for your response. I scanned my system with the file and this is what I got:

    Logfile of HijackThis v1.97.2
    Scan saved at 7:55:59 PM, on 30/09/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTSvcCDA.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\xl.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\windows\taskmgr.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Winamp3\Studio.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Creative\ShareDLL\MEDIADET.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\AIM95\aim.exe
    C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Russell\Desktop\HijackThis.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com/
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AIM (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C822E4DF-763A-4EF5-AD6B-DE497A2818ED}:

    What should I do from here? o_O
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002 | Posts: 13,332 | Location: Netherlands

    Strange, I don't see it running or starting up.
    Maybe NOD killed it anyway.

    Please copy the part below into Notepad and save the file as commandfix.reg:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"

    Then double-click it and confirm that you want to merge it with the registry.

    Then reboot and do another scan with NOD32.

    Keep us posted,

    Pieter
     
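The commandfix.reg above restores the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command, which is what the trojan changed so that it is launched before any .exe (hence mIRC and the others refusing to open). The following is an added example, not something posted in the thread: a PowerShell script that reads that value, reports whether it still matches the default `"%1" %*`, warns about a per-user override (HKCU\Software\Classes takes precedence over the machine default, an assumption about where such a hijack may sit rather than anything shown in the log), and only writes to the registry when run with -Fix.

```powershell
# Added example, not from the thread: checks the .exe shell-open command that
# commandfix.reg restores, and optionally puts the default back.
# Run from an elevated PowerShell; it changes nothing unless -Fix is given.
param([switch]$Fix)

$Expected = '"%1" %*'
$Key      = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
# HKCR is a merged view; a per-user entry here overrides the machine default,
# so it is worth reporting separately (assumed location, not from the log).
$UserKey  = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'

function Get-ExeOpenCommand([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # The .reg file sets the key's default value, exposed by PowerShell as '(default)'.
    (Get-ItemProperty -LiteralPath $Path -ErrorAction Stop).'(default)'
}

$current = Get-ExeOpenCommand $Key
if ($null -eq $current) {
    Write-Host "exefile open command is missing entirely" -ForegroundColor Yellow
} elseif ($current -eq $Expected) {
    Write-Host "exefile open command is at its default: $current" -ForegroundColor Green
} else {
    Write-Host "exefile open command has been altered: $current" -ForegroundColor Red
    Write-Host "Anything other than $Expected means another program runs before every .exe."
}

if (Test-Path -LiteralPath $UserKey) {
    $override = Get-ExeOpenCommand $UserKey
    Write-Host "Per-user override present: $UserKey = $override" -ForegroundColor Yellow
}

if ($Fix -and $current -ne $Expected) {
    # Same effect as merging commandfix.reg: reset the (default) value.
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -LiteralPath $Key -Name '(default)' -Value $Expected
    if (Test-Path -LiteralPath $UserKey) { Remove-Item -LiteralPath $UserKey -Recurse -Force }
    Write-Host "Restored exefile open command to $Expected; reboot and rescan as advised above."
}
```

Read it once without -Fix first; if it reports the default is intact, the .exe launch problem lies elsewhere and the .reg merge will not help.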
  5. Paul Wilders

    Paul Wilders Administrator

    Joined: Jul 1, 2001 | Posts: 12,472 | Location: The Netherlands

    Russell,

    As it seems, you didn't have NOD32 running resident, and IMON was disabled; NAV looks like your resident antivirus?

    Anyway, the trojan server can be named anything, even a legitimate O/S file name. Most probably you'll need to perform some manual actions as well, after having an antivirus do a partial cleaning job; have a look at these instructions.

    Optix Pro 13 is able to put most antiviruses and anti-trojans, as well as firewalls, out of business, so take good care.

    regards.

    paul
     