unable to repair worm (merged)

Discussion in 'adware, spyware & hijack cleaning' started by melian, Jul 11, 2004.

Thread Status:
Not open for further replies.
  1. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    worm? or spyware?

    (Mod Note: Member has posted a more recent hijackthis log, which has been merged into this current thread (see post #16) - snap)


    hey there:
    Im having big trouble with a worm that displays a DOS window anytime that a program is started ,from the message displayed one would think it comes from my country (Peru)i dont like our president eithr but making a worm to criticize him wasnt between my plans:s...anyway heres the hijack this log, hope you can help me, because ive run avast and it detected something but wasnt able to erase anything, niether was panda online check...oh, BTW im having problems to visualize this site there are allmost no colors and most websites are shown in a bigger format than my monitor can show at once...that happened last time i had a malware problem also...why could that be?

    tnx a lot for every helping hand:D
     
    Last edited by a moderator: Jul 20, 2004
  2. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    hijackthis log

    sorry forgot to send this:
    StartupList report, 11/07/04, 08:20:06 p.m.
    StartupList version: 1.52.2
    Started from : C:\ARCHIVOS DE PROGRAMA\HIJACKTHIS\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PAV.EXE
    C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\EPSON\EBAPI\SAGENT2.EXE
    D:\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PERVAC.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PERTSK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\ISUNINST38.EXE
    C:\WINDOWS\SYSTEM\IPCLEAN503.COM
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\MIXER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\E_S10IC1.EXE
    C:\WINDOWS\SVSHOTS.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\ARCHIVOS DE PROGRAMA\DESKTOP ARCHITECT\DATRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBWASHER\WWASHER.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\SGMAIN.EXE
    C:\ARCHIVOS DE PROGRAMA\SAMSUNG\DIGIMAX VIEWER 1.0\DIGIMAXVIEWER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\SGBHP.EXE
    C:\ARCHIVOS DE PROGRAMA\HIJACKTHIS\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Menú Inicio\Programas\Inicio]
    Webshots.lnk = C:\Archivos de programa\Webshots\WebshotsTray.exe
    Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    SpywareGuard.lnk = C:\Archivos de programa\SpywareGuard\sgmain.exe
    PER Antivirus.lnk = C:\Archivos de programa\Perav\PAV.EXE
    Digimax Viewer 1.0.lnk = C:\Archivos de programa\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    C-Media Mixer = Mixer.exe /startup
    CountrySelection = pctptt.exe
    WinampAgent = "C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPa.exe"
    SmcService = C:\ARCHIV~1\SYGATE\SPF\SMC.EXE -startgui
    LoadQM = loadqm.exe
    EPSON Stylus C42 Series = C:\WINDOWS\SYSTEM\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
    XPVIEWREP = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    svshots = C:\WINDOWS\svshots.exe
    ashMaiSv = D:\ALWILS~1\AVAST4\ashmaisv.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe
    MOSearch = C:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    MDM7 = "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    PAV.EXE = C:\ARCHIV~1\PERAV\PAV.EXE
    SmcService = C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    SAgent2ExePath = C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
    avast! = D:\Alwil Software\Avast4\ashServ.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Desktop Architect = "C:\ARCHIVOS DE PROGRAMA\DESKTOP ARCHITECT\DATRAY.EXE" -S
    ctfmon.exe = ctfmon.exe
    MsnMsgr = "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    WebWasher = C:\ARCHIVOS DE PROGRAMA\WEBWASHER\WWASHER.EXE

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = C:\WINDOWS\SYSTEM\XPVIEWREP.PIF "%1" /S

    --------------------------------------------------

    File association entry for .TXT:
    HKEY_CLASSES_ROOT\txtfile\shell\open\command

    (Default) = C:\WINDOWS\NOTEPAD.EXE %1

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=ptsnoop.exe
    run=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 10/7/2004, 11:25:32)

    [rename]
    nul=C:\WINDOWS\TEMP\~e5d141.tmp

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    C:\ARCHIV~1\PERAV\PERVACD.EXE /BOOT
    mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
    mode con codepage select=850
    keyb la,,C:\WINDOWS\COMMAND\keyboard.sys
    SET PATH=%PATH%;C:\ARCHIV~1\ARCHIV~1\AUTODE~1

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    SpywareGuard Download Protection - C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\DLPROTECT.DLL - {4A368E80-174F-4872-96B5-0B27DDD11DB2}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Optimización del inicio de aplicaciones.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38122.701724537

    [MessengerStatsClient Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MESSENGERSTATSCLIENT.DLL
    CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab

    [FileSharingCtrl Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\FSMSNGR-ES.DLL
    CODEBASE = http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/es/filesharingctrl.cab

    [{0000000A-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB

    [MSN Photo Upload Tool]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNPUPLD.DLL
    CODEBASE = http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    [Solitaire Showdown Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SOLITAIRESHOWDOWN.DLL
    CODEBASE = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 8,863 bytes
    Report generated in 0.246 seconds
     
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Re: unable to repair worm

    you might want to get the latest HJT at the link and repost your log with the newer version
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Re: unable to repair worm

    Hi melian :)

    What u have posted is your Startup List.

    The experts will need a HijackThis log. ;)

    Also i moved your thread to the appropriate forum.


    snowbound
     
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Re: unable to repair worm

    oops, bigc beat me too it. :p



    snowbound
     
  6. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    hicjak this

    sorry for the mistake...but ve just downloaded it btw tnx for the link.. and everything goes just fine till i click on scan after that the program wont aswer and i have to restart it...
     
  7. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Re: unable to repair worm

    you might reboot your computer and then try. ;)
     
  8. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    hijackthis log (finally!!!!)

    Ok, it finally answered, heres the log:
    againm tnx for your help...That was FAST!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 09:04:56 p.m., on 11/07/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PAV.EXE
    C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\EPSON\EBAPI\SAGENT2.EXE
    D:\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PERVAC.EXE
    C:\ARCHIVOS DE PROGRAMA\PERAV\PERTSK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\ISUNINST38.EXE
    C:\WINDOWS\SYSTEM\IPCLEAN503.COM
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\MIXER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\E_S10IC1.EXE
    C:\WINDOWS\SVSHOTS.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\ARCHIVOS DE PROGRAMA\DESKTOP ARCHITECT\DATRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBWASHER\WWASHER.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\SGMAIN.EXE
    C:\ARCHIVOS DE PROGRAMA\SAMSUNG\DIGIMAX VIEWER 1.0\DIGIMAXVIEWER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\SGBHP.EXE
    C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
    D:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.es/0SEESES/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    F1 - win.ini: load=ptsnoop.exe
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: Barra de Herramientas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\ES\MSNTB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Archivos de programa\Copernic Agent\CopernicAgentExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [SmcService] C:\ARCHIV~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
    O4 - HKLM\..\Run: [XPVIEWREP] C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    O4 - HKLM\..\Run: [svshots] C:\WINDOWS\svshots.exe
    O4 - HKLM\..\Run: [ashMaiSv] D:\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [PAV.EXE] C:\ARCHIV~1\PERAV\PAV.EXE
    O4 - HKLM\..\RunServices: [SmcService] C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [avast!] D:\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [Desktop Architect] "C:\ARCHIVOS DE PROGRAMA\DESKTOP ARCHITECT\DATRAY.EXE" -S
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [WebWasher] C:\ARCHIVOS DE PROGRAMA\WEBWASHER\WWASHER.EXE
    O4 - Startup: Webshots.lnk = C:\Archivos de programa\Webshots\WebshotsTray.exe
    O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Archivos de programa\SpywareGuard\sgmain.exe
    O4 - Startup: PER Antivirus.lnk = C:\Archivos de programa\Perav\PAV.EXE
    O4 - Startup: Digimax Viewer 1.0.lnk = C:\Archivos de programa\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Realizar la búsqueda utilizando Copernic Agent - C:\Archivos de programa\Copernic Agent\Web\SearchExt.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Ejecutar Copernic Agent (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38122.701724537
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
    O16 - DPF: {C4660846-8760-4852-8154-82438E33E383} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/es/filesharingctrl.cab
    O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  9. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    its still here

    Hi there:
    I do understnd there are lots of requests for help here, so i ve been trying to fix this thing by myself, i downloaded spybot yesterday and it found some stuff, but im still having problems to use internet, allmost every site is shown with errors and i cant use online antivirus scanners because they are suddenly interrupted and if i try to visit their site again i get an error notice .
    Its kind of mesy here...but ill keep waiting for advices
    so tnx to all people giving time to this forum for helping computer illiterad people like me
     
  10. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    no response since 9/7

    Hi there:
    i posted a request for help eleven days ago, but had no answer, i know that many people ask for help in this site, so im trying again, heres the hijackthis log:
    tnx a lot!!!

    Logfile of HijackThis v1.98.0
    Scan saved at 11:23:09 a.m., on 20/07/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\EPSON\EBAPI\SAGENT2.EXE
    D:\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\PTSNOOP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\MIXER.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\E_S10IC1.EXE
    C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    C:\WINDOWS\SVSHOTS.EXE
    D:\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\ARCHIVOS DE PROGRAMA\DESKTOP ARCHITECT\DATRAY.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBWASHER\WWASHER.EXE
    C:\ARCHIVOS DE PROGRAMA\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\SGMAIN.EXE
    C:\WINDOWS\SYSTEM\ISUNINST38.EXE
    C:\WINDOWS\SYSTEM\IPCLEAN503.COM
    C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\SGBHP.EXE
    C:\ARCHIVOS DE PROGRAMA\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.es/0SEESES/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    F1 - win.ini: load=ptsnoop.exe
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\ARCHIVOS DE PROGRAMA\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: Barra de Herramientas MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\ES\MSNTB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Archivos de programa\Copernic Agent\CopernicAgentExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [SmcService] C:\ARCHIV~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
    O4 - HKLM\..\Run: [XPVIEWREP] C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    O4 - HKLM\..\Run: [svshots] C:\WINDOWS\svshots.exe
    O4 - HKLM\..\Run: [ashMaiSv] D:\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [MOSearch] C:\ARCHIV~1\ARCHIV~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\ARCHIVOS DE PROGRAMA\ARCHIVOS COMUNES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [PAV.EXE] C:\ARCHIV~1\PERAV\PAV.EXE
    O4 - HKLM\..\RunServices: [SmcService] C:\ARCHIVOS DE PROGRAMA\SYGATE\SPF\SMC.EXE
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [avast!] D:\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [Desktop Architect] "C:\ARCHIVOS DE PROGRAMA\DESKTOP ARCHITECT\DATRAY.EXE" -S
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [WebWasher] C:\ARCHIVOS DE PROGRAMA\WEBWASHER\WWASHER.EXE
    O4 - Startup: Webshots.lnk = C:\Archivos de programa\Webshots\WebshotsTray.exe
    O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Archivos de programa\SpywareGuard\sgmain.exe
    O4 - Startup: PER Antivirus.lnk = C:\Archivos de programa\Perav\PAV.EXE
    O4 - Startup: Digimax Viewer 1.0.pif = C:\ARCHIV~1\COMMIT.EXE
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Realizar la búsqueda utilizando Copernic Agent - C:\Archivos de programa\Copernic Agent\Web\SearchExt.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\ARCHIVOS DE PROGRAMA\COPERNIC AGENT\COPERNICAGENT.EXE
    O9 - Extra 'Tools' menuitem: Ejecutar Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\ARCHIVOS DE PROGRAMA\COPERNIC AGENT\COPERNICAGENT.EXE
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\ARCHIVOS DE PROGRAMA\COPERNIC AGENT\COPERNICAGENT.EXE
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab
    O16 - DPF: {C4660846-8760-4852-8154-82438E33E383} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/es/filesharingctrl.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.alken.nl/scan/Msie/bitdefender.cab
     
  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Melian,

    The reason for no responses may be due to the fact there has been several posts in your thread already, and it may have looked like someone was working on your log.

    Is this the new reformatted computer? I'm noticing a few different entries than the last time you had problems. But there is one entry in particular I am suspicious of.

    Can you locate this file in the Windows folder, and upload it to Kaspersky for a scan.

    C:\WINDOWS\svshots.exe

    Let me know what the Kaspersky scan says about it, please.

    Also, can you zip up a copy of it and email it to submit@diamondcs.com.au for analysis. Please include a link to this thread in the email message.

    Regards,

    snap
     
  12. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    this one from your first log has me curious as well
    XPVIEWREP.PIF
     
  13. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    done!

    Hey there:
    Thanks a lot for answering,I know that there are many many many requests for help here I guess thats why you arent receiving hijack this logs anymore, it must be a huge job, so I wanted to thank you for taking time to answer mine:D
    BTW Snap, yes this is the computer i got reformated last time
    well, i did what u told me to, and this is what kaspersky said:

    Scanned file: svshots.exe

    svshots.exe - packed with UPX
    svshots.exe - infected by Backdoor.VB.rj


    Statistics:
    Known viruses: 93589 Updated: 21-07-2004
    File size (Kb): 18 Virus bodies: 1
    Files: 2 Warnings: 0
    Archives: 0 Suspicious: 0


    Scanned file: XPVIEWREP.PIF

    XPVIEWREP.PIF - packed with UPX
    XPVIEWREP.PIF - infected by Worm.P2P.Capside.c


    Statistics:
    Known viruses: 93589 Updated: 21-07-2004
    File size (Kb): 41 Virus bodies: 1
    Files: 2 Warnings: 0
    Archives: 0 Suspicious: 0
     
  14. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi melian,

    IMM, yep, I was wondering about that XPVIEWREP.PIF too.

    The 'XPVIEWREP.PIF' looks like it could be a new variant of Worm.P2P.Capside. Could you also submit a zipped copy of the "XPVIEWREP.PIF" file to the email address I mentioned in my earlier post.

    These were the others that I wasn't find any information on. Do you recognize them? If not, can you go to the files and right-click on them, choose "Properties" and under the tabs check and see what information is there to help identify what they are for. If there is nothing under their Properties to identify them, then include them (zipped) also for submission.

    C:\WINDOWS\SYSTEM\ISUNINST38.EXE
    C:\WINDOWS\SYSTEM\IPCLEAN503.COM
    O4 - Startup: Digimax Viewer 1.0.pif = C:\ARCHIV~1\COMMIT.EXE <--this one is probably in the C:\ARCHIVOS DE PROGRAMA folder.


    Bring up your TaskManager (ctrl+alt+del keys) and end the running process for 'svshots.exe' and 'XPVIEWREP.PIF'.

    Then in HijackThis, place a check beside the following items.
    Close ALL browsers and any open programs/windows, except HijackThis, and click *Fix checked:

    O4 - HKLM\..\Run: [XPVIEWREP] C:\WINDOWS\SYSTEM\XPVIEWREP.PIF
    O4 - HKLM\..\Run: [svshots] C:\WINDOWS\svshots.exe

    Reboot your computer into Safe Mode by tapping the F8 key just before windows begins to load.

    Then find and delete the following file:
    C:\WINDOWS\svshots.exe

    At the moment, I don't want to say delete the XPVIEWREP.PIF file since it shows file associations in the AdAware scan. It may not have any effect, and the on-line scan may remove it cleanly.

    Reboot your computer back into normal mode, and do a full system scan at http://housecall.trendmicro.com/

    You should be able to get to an on-line scan site now.

    Then post a new Hijackthis log here in your next reply.

    Regards,

    snap
     
  15. melian

    melian Registered Member

    Joined:
    Apr 16, 2004
    Posts:
    23
    Location:
    Arequipa-Peru
    Hi Snap:
    Sorry it took so long,i had flu adn couldnt reach the computer...
    i´ve been trying to run hijackthis for the las two hours but it doesnt work, it opens normally but after i click on Scan button, it gets stuck on "015 Trusted Zone enumeration" and doesnt asnwer after that. :s is there any other way to make it work?maybe, run it from DOS or something alike...
    Btw i checked the properties tab of the items u told me and there was nothing about them, im sending them to diamonts right away.

    Tnx 4 everything;)

    Melian
     
  16. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Melian,

    Try and run Hijackthis while in Safe Mode.

    Regards,

    snap
     
Thread Status:
Not open for further replies.