:( snapshots erased by virus

Discussion in 'malware problems & news' started by melian, Apr 16, 2004.

Thread Status:
Not open for further replies.
  1. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    Hi there:
    Im having a big troble with some kind of virus, it has uninstalled all my firewalls, antivirus programs, and erased the snapshots i had saved, could anyone tell me if there is any way to get the snapshots back?
    tnx for ur help

    melian
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi melian,

    Uhmm...with not knowing what kind of virus you are dealing with, it would be hard to say what damage has been done to your image files. But more importantly would be what damage has been done to your antivirus program and firewall.

    I would first take care of removing the virus from your computer, then reinstalling your antivirus and your firewall and get your system secured again before anything else nasty gets onto your computer.

    You can do an on-line scan at one of these free sites listed here:
    Free Services

    Regards,

    snap
     
  3. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    thank you!!!!

    Hi again:)
    Thank you so much for the advice, i had downloaded some virusscan programs before posting my log, (avast, td3 )and they got some stuff fixed, but not all of it,i downloaded panda from the site you gave me and it erased eight virus. i hope that will be the end of the problem, i still have some more questions tough:
    1.the erased snapshots were spywareblaster ones, ¿should i reinstall it?also
    2.every image bitmap or vector, if shown at all, has really low resolution, is there any way to fix that?or to Know what needs to be fixed? and my last question:before noticing i had virus, i used some floppys in another pc, that is not connected to internet, now its getting programs erased,what should i do as i cannot wire it to internet?
    Sorry for giving you so much work.
    Again tnx
    really mean it!!

    Melian
     
  4. Godzilla

    Godzilla AV Expert

    Joined:
    Nov 1, 2003
    Posts:
    63
    Re: thank you!!!!

    The problem is here what is a "virus" for you ?
    If you are infected with a fileinfector virus ( a true virus ) maybe your floppys still containing this virus. However, this problem should not affect Spyware and Worms (that they write themself to floppy disks) except you did store such a worm or trojan directly on a floppy.

    Regards,
    Michael
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: thank you!!!!

    Hi melian

    Avast is an anti-virus program, but TDS-3 is a anti-trojan program. Glad to hear they were able to detect and remove some problems.

    I am not clear though about what you mean when you said: "....before posting my log". I am not seeing a post with a log anywhere, or what log you are referring to? A scan result log, or a HijackThis log, or do you mean your first post above?

    Also, do you remember what the names of the viruses the Panda scan said you had and removed? That would be very helpful to know.

    Do you mean the "System Snapshot" feature in SpywareBlaster? I am not familiar with what malware there is that would remove SpywareBlaster's system snapshots, or if the SpywareBlaster program has been damaged by what malware was on your computer. Once we find out what that was, we'll have a better idea of what might have happened.

    Hard to say again since we don't know what viruses were active on your computer, or what software programs or hardware could have been damaged by them.

    No problem, that is why we are here, to answers your questions and help you get your computer clean again.

    Lets take care of the computer connected to the internet first, then we'll look at how we can get your other computer clean. For now, do not use floppies between the two computers as you will end up transferring the infection back and forth between them.

    Can you download HijackThis in Step 2 here: https://www.wilderssecurity.com/showthread.php?t=15913

    Scan your computer with it and then copy & paste the HijackThis log into your next post.

    Once we find out exactly what we are dealing with on the one computer that you are using to connect to the internet with, then we can look at what steps to take to clean your other computer.

    Regards,

    snap
     
  6. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    hijackthis log

    Hi snap:
    Ive just run hijack this an this is what it found;
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PAV.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\EPSON\EBAPI\SAGENT2.EXE
    D:\ANTIVIRUS\ASHSERV.EXE
    C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PERVAC.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\ARCHIVOS DE PROGRAMA\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://qwertysearch123.biz/?id=1120
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.starglobal.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://liwbof.t.muxa.cc/h.php?aid=420 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    F0 - system.ini: Shell=
    F1 - win.ini: load=C:\Archivos de programa\MSN Messenger\ptsnoop.exe;C:\WINDOWS\ptsnoop.exe;C:\WINDOWS\COMMAND\ptsnoop.exe;C:\ARCHIV~1\ARCHIV~1\AUTODE~1\ptsnoop.exe;C:\WINDOWS\SYSTEM\ptsnoop.exe
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: @msdxmLC.dll,-1@3082,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Archivos de programa\Copernic Agent\CopernicAgentExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Archivos de programa\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
    O4 - HKLM\..\Run: [Ink Monitor] C:\Archivos de programa\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [SmcService] C:\ARCHIV~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [PAV.EXE] C:\ARCHIV~1\PERAV\PAV.EXE
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [avast!] D:\antivirus\ashServ.exe
    O4 - HKLM\..\RunServices: [SmcService] C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SpySweeper] C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: Webshots.lnk = C:\Archivos de programa\Webshots\WebshotsTray.exe
    O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: PER Antivirus.lnk = C:\Archivos de programa\Perav\PAV.EXE
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_ES.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (Control HouseCall) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab


    yes,thats what I meant, sorry my english isnt good enough sometimes.

    yes, they were
    gedza.a and a trojan called startpage.t the weird thing about this is that anytime i run an antivirus, gedza is found, under different names.

    yes, and not just that, my antivirus and old firewall were erased also, in guess it was some kind of trojan, because about two weeks ago i turned on the pc and it keept working for about five minutes, but rebooted by itself time after time, that happenned about five times until i found two new programs (with weird names )i hadnt installed, i uninstalled them, checked my programs and beside antivirus and firewall everything was just fine but the pc worked normally for a couple of days only, after that i started to get files and programs missing.

    Once more thanks!!!!
    gratefully

    Melian
     
  7. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    Re: thank you!!!!

    forgot asking about this on my last post:
    there is an dll application that keeps trying to access the internet
    its name is kernell32.dll, i´ve read that trojans often come with dll extensions, could this be a trojan?

    melian
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: thank you!!!!

    Hi melian,

    Are you sure you meant to type kernell32.dll with two l's in it? There is the legitimate kernel32.dll (spelled only with one l) and that is not a trojan:
    http://www.liutilities.com/products/wintaskspro/processlibrary/kernel32/

    You do have a coolwebsearch infection there that needs to be taken care of.

    Before you begin, please create a permanent folder for HijackThis, and move the HijackThis.exe file into that folder. HijackThis creates backups in the folder it is ran from, and running it from a temp folder the backups will be easily lost.

    Then with only HijackThis open and ALL browsers closed, place a check beside the following and click *Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://qwertysearch123.biz/?id=1120
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://awebfind.biz/sp.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://awebfind.biz/sp.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com

    (Does the starglobal url look familiar to you? If you did not set it, then place a check beside it too)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.starglobal.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://liwbof.t.muxa.cc/h.php?aid=420 (obfuscated)

    F0 - system.ini: Shell=

    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=

    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downloadv3.com/binaries/IA/netia32_ES.cab


    Download the latest version of CWShredder.
    Unzip the file, close ALL windows, and click on the cwshredder.exe to start the program.
    Make sure you click "Fix" (Not "Scan only") and follow the instructions you will receive.

    Reboot your computer and do another scan with HijackThis and post a new log here to be checked.

    *Edit - melian, when you copy & paste your next HijackThis log here, please include the very top part of it where it lists the version of HijackThis and your operating system.

    Regards,

    snap
     
  9. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    done

    Hey once more:)

    u r right, i misswrote it, it should say kernel32.dll
    i just run hijackthis ,BTW, the url starglobal.com is mi lan internet provider, so i didnt erase it
    the log is:

    Logfile of HijackThis v1.97.7
    Scan saved at 03:45:39 p.m., on 22/04/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PAV.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\EPSON\EBAPI\SAGENT2.EXE
    D:\ANTIVIRUS\ASHSERV.EXE
    C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PERVAC.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PERTSK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\ELABORATE BYTES\CLONECD\CLONECDTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\E_S10IC1.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    D:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.starglobal.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    F1 - win.ini: load=C:\Archivos de programa\MSN Messenger\ptsnoop.exe;C:\WINDOWS\ptsnoop.exe;C:\WINDOWS\COMMAND\ptsnoop.exe;C:\ARCHIV~1\ARCHIV~1\AUTODE~1\ptsnoop.exe;C:\WINDOWS\SYSTEM\ptsnoop.exe
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Archivos de programa\Copernic Agent\CopernicAgentExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Archivos de programa\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
    O4 - HKLM\..\Run: [Ink Monitor] C:\Archivos de programa\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [SmcService] C:\ARCHIV~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [PAV.EXE] C:\ARCHIV~1\PERAV\PAV.EXE
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [avast!] D:\antivirus\ashServ.exe
    O4 - HKLM\..\RunServices: [SmcService] C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SpySweeper] C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: Webshots.lnk = C:\Archivos de programa\Webshots\WebshotsTray.exe
    O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: PER Antivirus.lnk = C:\Archivos de programa\Perav\PAV.EXE
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (Control HouseCall) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38099.4874768518


    i´ll be waiting for more instrauctions;)
    i must have said this 20 times already but never feels enought, tnx!!!
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: done

    ptsnoop is sometimes amodem driver and sometimesa trojan

    this lot here just don't look right
    F1 - win.ini: load=C:\Archivos de programa\MSN Messenger\ptsnoop.exe;C:\WINDOWS\ptsnoop.exe;C:\WINDOWS\COMMAND\ptsnoop.exe;C:\ARCHIV~1\ARCHIV~1\AUTODE~1\ptsnoop.exe;C:\WINDOWS\SYSTEM\ptsnoop.exe

    these files all need to be examined to see if they are trojans or genuine

    please zip them up and send to support@diamondcs.com.au who will check them out for you
    give them a short note explaining the problem and a link to this thread
    C:\Archivos de programa\MSN Messenger\ptsnoop.exe
    C:\WINDOWS\ptsnoop.exe
    C:\WINDOWS\COMMAND\ptsnoop.exe
    C:\WINDOWS\SYSTEM\ptsnoop.exe

    Normally the ptsnoop modem driver will only be one entry in windows\system
     
    Last edited: Apr 22, 2004
  11. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    Re: done

    Hi dvk01
    I was able to find this one only
    C:\WINDOWS\ptsnoop.exe
    all the others cant be found
    ( i checked that the "display all files" option was enabled)
    anyway im going to send it to the email you gave me,
    nice to meet you by the way, tnx for the advice.
     
  12. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    hi again:)

    just got an email from diamonts support, was told that ptsnoop is not a trojan but a modem driver,my question now is,
    can i assume that my pc is clean now?i,ve run td3, avast , spy sweeper and installed sygate, but it´s still working weird, i´ve got to reboot very often, and images are poorly shown, also have lost most of my driversim not very good at computers stuff (as you may have noticed) how should i repair it?
     
  13. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi melian,

    With the results you received on ptsnoop.exe, and looking over your last HijackThis log, your computer looks clean to me. But since it has been a few days now since your last log, could you do another scan with HijackThis and post a fresh log to be checked.

    Also, when was the last time you did a 'scandisk' and a 'defrag' of your system?

    snap
     
  14. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    log

    hi snap:)
    this is what hijackthis found:
    Logfile of HijackThis v1.97.7
    Scan saved at 03:33:10 p.m., on 28/04/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PAV.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\EPSON\EBAPI\SAGENT2.EXE
    D:\ANTIVIRUS\ASHSERV.EXE
    C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PERVAC.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PERTSK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\ELABORATE BYTES\CLONECD\CLONECDTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\E_S10IC1.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\DW15.EXE
    C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
    D:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.starglobal.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    F1 - win.ini: load=C:\Archivos de programa\MSN Messenger\ptsnoop.exe;C:\WINDOWS\ptsnoop.exe;C:\WINDOWS\COMMAND\ptsnoop.exe;C:\ARCHIV~1\ARCHIV~1\AUTODE~1\ptsnoop.exe;C:\WINDOWS\SYSTEM\ptsnoop.exe
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\ARCHIVOS DE PROGRAMA\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Archivos de programa\Copernic Agent\CopernicAgentExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Archivos de programa\Elaborate Bytes\CloneCD\CloneCDTray.exe"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
    O4 - HKLM\..\Run: [Ink Monitor] C:\Archivos de programa\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [SmcService] C:\ARCHIV~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [PAV.EXE] C:\ARCHIV~1\PERAV\PAV.EXE
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [avast!] D:\antivirus\ashServ.exe
    O4 - HKLM\..\RunServices: [SmcService] C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SpySweeper] C:\Archivos de programa\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: Webshots.lnk = C:\Archivos de programa\Webshots\WebshotsTray.exe
    O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: PER Antivirus.lnk = C:\Archivos de programa\Perav\PAV.EXE
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (Control HouseCall) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38099.4874768518

    about scan and defrag, i tryied to do it last week but it just didnt work:s many of my programs are damaged also.
    but the last time i did was about two months ago...
     
    Last edited: Apr 29, 2004
  15. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    hi there
    i noticed something yesterday, my internet explorer that was one of the few programs that had not been damaged, isnt working well now, sometimes it works some others it doesnt, why could this be happenning?
     
  16. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi melian,

    You're still having quite a few problem with your computer yet, and I am not sure why your Internet Explorer is starting to give you problems now as your log is not showing any signs of infection. I'm wondering if it isn't now either a software conflict, or a hardware conflict. You do have quite a few programs running at Startup which can drain the resources on a Win98se computer fast. Many programs will not operate properly when resources are low.

    I have asked the Experts to look at your log, but first let me ask you a few questions that would give us a better idea of what might be happening with your computer.

    It looks like you may have two antivirus programs running at the same time. Do you have two antivirus programs running resident (meaning they are both monitoring at the same time) ? If you do, then this can cause software conflict. The first thing you should do is turn one of them off. Keep one running as your resident antivirus, and use the other as an on-demand scanner only.

    Also, have you recently installed any XP programs/software? The reason I am asking this is because the file MOSEARCH.EXE is used for fast user switching, and can waste quite a bit of resources. Not a file I've seen on a win98se too often.

    Do you still have your win98se CD? You will need to have that handy if it ends up that you have to reinstall any of the operating system files, or do a possible reformat of your computer.

    I like you to try and stop several of the unnecessary programs from starting up when you turn on your computer so you can save some system resources.

    - Winamp Agent: Right-click on the Winamp icon in the system Tray and choose "Disable Winamp Agent.
    - MsnMsgr: You can choose to have this program not startup with your computer by disabling that option in the program's preferences.
    - Yahoo! Pager: Try and disable that program from starting up also through it's preference settings.
    - EPSON's Ink Monitor: This is just a reminder to tell you when you are running out of ink. Try and disable this reminder through the printer's preference settings.

    (The above programs can all be accessed through the Start button --> Programs, so you can still start them up when you want, and this will give you better control over the amount of resources your computer uses. There are a few more programs we can disable, but I don't want to do too much at once, so we'll look at those later.)


    - MOSEARCH.EXE: You can disable this through the System Configuration Utility.
    To do that, Click on the Start button, then click on Run.
    Next, type in msconfig then click "OK". (the System Configurtion Utility box will pop up).
    Look for the MOSEARCH.EXE, and un-check the box next to it.
    Click "OK" again, and close the System Configuration Utility box.


    You said that you were unable to get 'scandisk' and 'defrag' to work properly. I would like you to try and do the scandisk and defrag in Safe Mode. Follow these instructions rebooting windows 98 into Safe Mode:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    (We'll do this in steps)

    Step 1. Disconnect from the internet, then rebooted your computer into Safe Mode.

    Step 2. Now click on the Start button ---> Programs --->Accessories --->System Tools ---> and choose "Disk Cleanup."
    A box will pop up asking you what drive to select to cleanup, choose Drive C.
    Then place a check in the box beside the following:
    - Temporary Internet Files,
    - Recycle Bin
    - Temporary Files
    Then click "Ok" and say "Yes" when it asks you if you are sure you want to delete the files.

    Step 3. Next, click on the Start button -->Programs -->Accessories -->System Tools --> and choose "Scandisk"
    Make sure there is a check in the box beside "Standard" and "Automatically Fix Errors".
    (Scandisk may take awhile to complete depending on how full your hard disk is.)

    Step 4. Once Scandisk finishes, follow the same steps above to get to System Tools, but this time choose "Disk Defragmenter". Make sure Drive C is chosen, and click "OK" to start the defrag utility.
    (defrag may take even longer than the scandisk did).

    Once you have finished the above, reboot your computer normally, and let us know how your computer is working.

    Regards,

    snap
     
  17. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    Hi again
    sorry it took so long ,but the day after i posted my last question, i turned on the pc and my mouse and some keyboard keys didnt work, it was so messy that gave up and i got it reformated.
    just got the pc back today, and i´d like to know what sould i do protect it?, is athere any other option beside firewalls and antivirus?i had them before this happenned, perhaps i choose the wrong ones?

    tnx !!!!

    Melian
     
  18. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi melian, it is great to see you back here with us. :D

    I believe you made the right choice to reformat given all that you went through with the problems you were having with your computer. So to secure your system so you don't become infected again is definitely the first steps you want to take now.

    A good place to start would be to read this post:
    https://www.wilderssecurity.com/showthread.php?t=27971

    There is valuable information there along with links to free programs that will help protect you on-line.

    Another good source of information would be to go through the list of tools available here: http://www.wilders.org/free_tools.htm

    Once you have done a bit of reading on how to secure your system, you can ask questions in the appropriate forum for the programs you are interested in using. You'll find many members here that use the tools mentioned in those links, so browsing through the forums here will give you some valuable assistance with what to use and how to use it.

    Glad to see you back.

    Regards,

    snap
     
Loading...
Thread Status:
Not open for further replies.