 |  |  |  |  |  |  |  |
AVG finds a trojan on my comp
Thread Solved |
i installed avg antivirus system, free edition, and now it is showing a message every 20 minutes or so, saying something like this : " found a trojan on this location C:\system volume information\_restore {76F99043 - 158F - 476E - 90DB - 09E418DFFDA3}\ RP31\A0008834.exe"
every time i see that i run system check, but it can't find anything....
i tried to open that folder,"system volume information", but i couldn't : access denied !?!?!?!
Please, help me, this is my hjt log:
Logfile of HijackThis v1.97.7
Scan saved at 14:54:22, on 19/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\dllhost.exe
C:\Documents and Settings\Administrator\My Documents\PAMETNE STVARI\hijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=632
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://solongas.com/sp.htm?id=632
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AAB0DD8-868E-4446-B9A6-D21B20231CDA}: NameServer = 161.53.114.145 161.53.114.135
every time i see that i run system check, but it can't find anything....
i tried to open that folder,"system volume information", but i couldn't : access denied !?!?!?!
Please, help me, this is my hjt log:
Logfile of HijackThis v1.97.7
Scan saved at 14:54:22, on 19/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\dllhost.exe
C:\Documents and Settings\Administrator\My Documents\PAMETNE STVARI\hijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=632
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://solongas.com/sp.htm?id=632
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AAB0DD8-868E-4446-B9A6-D21B20231CDA}: NameServer = 161.53.114.145 161.53.114.135
•
•
Join Date: Feb 2004
Posts: 10,107
Reputation: 
Solved Threads: 768
Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including IE, before running CWShredder. Reboot.
To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.
Reboot after doing this & post another log please.
To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.
Reboot after doing this & post another log please.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
hi, again!
thnx,i did it:installed CWshredder (AND spybot :-))
and this is my log now:
Logfile of HijackThis v1.97.7
Scan saved at 16:13:40, on 19/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\Administrator\My Documents\PAMETNE STVARI\hijackThis\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab
is it o.k?
i really hope so..
and, i have another problem, sometimes while on the internet i got message saying : "a runtime error happened. do you wish to debug?" - i hit "no" and everything seems ok, but is it?
thnx,i did it:installed CWshredder (AND spybot :-))
and this is my log now:
Logfile of HijackThis v1.97.7
Scan saved at 16:13:40, on 19/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\Administrator\My Documents\PAMETNE STVARI\hijackThis\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab
is it o.k?
i really hope so..
and, i have another problem, sometimes while on the internet i got message saying : "a runtime error happened. do you wish to debug?" - i hit "no" and everything seems ok, but is it?
•
•
Join Date: Feb 2004
Posts: 10,107
Reputation:
Solved Threads: 768
Do the following first & see if the problem persists.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
Reboot.
Clear your restore points now like so..
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update AVG & rescan your system. Note that all previous restore points will be lost.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
Reboot.
Clear your restore points now like so..
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Update AVG & rescan your system. Note that all previous restore points will be lost.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
hi!
the "small problem" ->that little message-box saying: "a runtime error has occurred. do you wish to debug?" ->is growing rapidly..... now i can't even use my mailbox on the hotmail, cause everytime i open that page , those "runtime errors" keep showering on me.... situation with other websites is not so bad, here i got that message every ten minutes or so, amazon.com is ok for me (by now) , microsoft.com, where i tried to download updates , is horror.....errors all the time....
please, try to help me..
the "small problem" ->that little message-box saying: "a runtime error has occurred. do you wish to debug?" ->is growing rapidly..... now i can't even use my mailbox on the hotmail, cause everytime i open that page , those "runtime errors" keep showering on me.... situation with other websites is not so bad, here i got that message every ten minutes or so, amazon.com is ok for me (by now) , microsoft.com, where i tried to download updates , is horror.....errors all the time....
please, try to help me..
•
•
Join Date: Feb 2004
Posts: 10,107
Reputation:
Solved Threads: 768
Did you follow instructions from my last post?
Open Internet Explorer - click Tools - Internet Options - Advanced. Make sure Disable script debugging is ticked and Display a notification about every script error is unticked then Apply and OK your way out
Open Internet Explorer - click Tools - Internet Options - Advanced. Make sure Disable script debugging is ticked and Display a notification about every script error is unticked then Apply and OK your way out
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
yes, i followed all your instructions, thanks!
now i dit that last thing: dissabled script debugging, the other one, "Display a notification about every script error " was unticked allready...
i'm gonna give it a try now :-)
now i dit that last thing: dissabled script debugging, the other one, "Display a notification about every script error " was unticked allready...
i'm gonna give it a try now :-)
:-)
disabling script debugging solved that problem all right! THANKS!!!!
but i still have some other stuff....
every time i run Spybot-S&D it finds this:
--------------------------------------------------------------------------
Spybot-S&D
Data source object exploit
HKEY_USERS\S-1-5-18\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Data source object exploit
HKEY_USERS\S-1-5-121-515967899-261903793=839522115-500\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Data source object exploit
HKEY_USERS\S-1-5-20\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Data source object exploit
HKEY_USERS\S-1-5-19\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Data source object exploit
HKEY_USERS\.Default\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
--------------------------------------------------------------------------
i hit "FIX" button, it said that it's fixed, but than i run Spybot again, and the same five problems appear.....
i did all that while i was disconnected from the internet.....
and it will go on as many times as i run Spybot....
what does it mean?
btw, Ad-aware finds no prob, nor does AVG-antivirus...
so, PLEASE HELP AGAIN :-)
disabling script debugging solved that problem all right! THANKS!!!!
but i still have some other stuff....
every time i run Spybot-S&D it finds this:
--------------------------------------------------------------------------
Spybot-S&D
Data source object exploit
HKEY_USERS\S-1-5-18\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Data source object exploit
HKEY_USERS\S-1-5-121-515967899-261903793=839522115-500\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Data source object exploit
HKEY_USERS\S-1-5-20\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Data source object exploit
HKEY_USERS\S-1-5-19\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Data source object exploit
HKEY_USERS\.Default\Sofrware\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
--------------------------------------------------------------------------
i hit "FIX" button, it said that it's fixed, but than i run Spybot again, and the same five problems appear.....
i did all that while i was disconnected from the internet.....
and it will go on as many times as i run Spybot....
what does it mean?
btw, Ad-aware finds no prob, nor does AVG-antivirus...
so, PLEASE HELP AGAIN :-)
•
•
Join Date: Feb 2004
Posts: 10,107
Reputation:
Solved Threads: 768
The spybot forums would be the place to look for help regarding the DSO exploit. There seems to be a problem with spybot & there would be a fix at there forums, I am sure. You may be able to set spybot to ignore it on the scans.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
I had several similar troubles this past week and got bit by Korgo, Sasser, Blaster ans Backdoor.Nibu! My AV program found some of them but not the newer ones (Korgo, latest Sasser version). I dowloaded a utility from Network Associates called stinger that identified and killed them. Its free and very effective for what it is written for, which is the latest 30 or so bugs. I also got some messages that were similar to what you have.
Here's the URL;
http://vil.nai.com/vil/stinger/
-nukechief
Here's the URL;
http://vil.nai.com/vil/stinger/
-nukechief
•
•
•
•
Originally Posted by marijana
i installed avg antivirus system, free edition, and now it is showing a message every 20 minutes or so, saying something like this : " found a trojan on this location C:\system volume information\_restore {76F99043 - 158F - 476E - 90DB - 09E418DFFDA3}\ RP31\A0008834.exe"
every time i see that i run system check, but it can't find anything....
i tried to open that folder,"system volume information", but i couldn't : access denied !?!?!?!
Please, help me, this is my hjt log:
Logfile of HijackThis v1.97.7
Scan saved at 14:54:22, on 19/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\System32\Launcher.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\dllhost.exe
C:\Documents and Settings\Administrator\My Documents\PAMETNE STVARI\hijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=632
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=632
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://solongas.com/sp.htm?id=632
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\System32\Launcher.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AAB0DD8-868E-4446-B9A6-D21B20231CDA}: NameServer = 161.53.114.145 161.53.114.135
 |
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Any body who's "tired" of "trying" programs to remove anything...
- Next Thread: Please look at HJT LOG,SYSTEM intermittently SLUGGISH
Views: 5289 | Replies: 11
| Thread Tools | Search this Thread |
Latest Viruses, Spyware and other Nasties Posts
Related Forum Features
Tag cloud for Viruses, Spyware and other Nasties
acrobat adware anti-malware antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china combofix commercial commercials conficker control crosssitescripting cybercrime cyberwarfare ddos domains e-mafia education email exam exploit facebook fake fancheckvirus gtaiv gumblar halloween herss.exe hijack hosting internet iphone logfiles mail malware mcafee mega-d microsoft msn nazi news norton obama onlinethreats paedophile panel parents patch pc pdf policeprovirusmba-mblockedinternetaccess president privacy pro redirect redirecting reliability report research rogueantivirus rootkit samhain sans scareware school search security seopoisoning sites software spam spyware symantec system teen translate trojan unabletoaccessanti-virussites unwanted update virus viruses vista vulnerability war warning windows worm yahoo zero-day zeroday
