Mobile/PDA About Us Advertise here
User User name Password  
  Not registered yet? Register here.
Lost your password? Click here. 		 
  Home   News   Guides   Downloads   Glossary   Hardware   Profiles   Forums   v4  
 Advertise at AfterDawn.com     Link to us!     Private messages     Compose a private message     List of all updated threads     Threads without replies     Search messages
Wednesday 22.1.2025 / 05:57
Search AfterDawn Forums:        In English   Suomeksi   På svenska
afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > g_server2006
Show topics
 
Forums
Forums
g_server2006
  Jump to:
 
Posted Message
hotboxdp
Newbie
_ 		30. July 2006 @ 12:26 _ Link to this message    Send private message to this user   
Can someone take a look at this and advise. I was having a lot of problems with a trojan which seems to have been generating from the file: c:\windows\g_server2006, dll, and 123

I ran adaware, Spybot, smitfraud, and hijack this. I went into msconfig and unchecked g_server. I changed the extensions in windows to .bak and moved to another folder.

Here is the hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 4:15:06 PM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wsys.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.6.2.15\PlaxoHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\LSASS.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\1134529827\ee\AOLSoftware.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\common files\aol\1134529827\ee\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\Download\HijackThis_v1.99.1.exe

O1 - Hosts: 61.129.75.124 mir.100888290cs.com
O1 - Hosts: 61.129.75.124 woool.100888290cs.com
O1 - Hosts: 61.129.75.124 www.mir5173.com
O1 - Hosts: 61.129.75.124 ert0003.e76.163ns.com
O1 - Hosts: 222.73.4.246 www.chenshijituan.com
O1 - Hosts: 59.36.96.132 qq.etsoft.com.cn
O1 - Hosts: 61.129.75.124 www.wg581.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134529827\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\INTELAUDIOSTUDIO.exe" BOOT
O4 - HKLM\..\Run: [ToP] C:\WINDOWS\LSASS.exe
O4 - HKLM\..\Run: [SOUNDMAN] C:\WINDOWS\SYSTEM32\SOUNDMAN.EXE
O4 - HKLM\..\RunServices: [] C:\WINDOWS\system32\intenat.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.15\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .PSD: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Con...
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
[ + quote]
Advertisement
_ 		__
Niobis
Senior Member
_ 		30. July 2006 @ 21:28 _ Link to this message    Send private message to this user   
Check to fix these in HijackThis.

O1 - Hosts: 61.129.75.124 mir.100888290cs.com

O1 - Hosts: 61.129.75.124 woool.100888290cs.com

O1 - Hosts: 61.129.75.124 www.mir5173.com

O1 - Hosts: 61.129.75.124 ert0003.e76.163ns.com

O1 - Hosts: 222.73.4.246 www.chenshijituan.com

O1 - Hosts: 59.36.96.132 qq.etsoft.com.cn

O1 - Hosts: 61.129.75.124 www.wg581.com

O4 - HKLM\..\RunServices: [] C:\WINDOWS\system32\intenat.exe

Post new log after fix.


[ + quote]
Don't be fooled any longer.
http://www.youtube.com/watch?v=BUtbGYgsIu4&feature=related
hotboxdp
Newbie
_ 		31. July 2006 @ 08:31 _ Link to this message    Send private message to this user   
Too late, I somehow got the most malicious virus. Within a couple of hours my entire system was wiped out. w32/horn.A infected every dll and exe file and my AVG virus software could do nothing. I removed AVG and installed NOR32 I think was the name, could not heal the 'over 380 infected files'. I was dead in the road. I could not access system restore during any of this. I tried everything in my bag of tricks. Then when I finally gave in and went to format my hard drive and start all over, it killed my motherboard! My computer will not even start. I tried removing and installing the memory and checked all the connections but it seems to be a gonner. Anyone have anything to add or ask?
[ + quote]
Niobis
Senior Member
_ 		31. July 2006 @ 19:52 _ Link to this message    Send private message to this user   
Holy sh*t! That's a very bad case of a virus! I'm sorry to here that. Do you know how you aquired this virus?
[ + quote]
Don't be fooled any longer.
http://www.youtube.com/watch?v=BUtbGYgsIu4&feature=related
Advertisement
_ 		__
 
_
hotboxdp
Newbie
_ 		1. August 2006 @ 04:47 _ Link to this message    Send private message to this user   
I have no idea, I was looking at different hotels for a trip to Costa Rica and these viruses started popping up, I couldn't find them on the internet for help to remove them. Here is a list of their names: win32/delf.bu, generic.ygx, generic.xlq, psw.generic.agent.bxj, w32.honk.a
[ + quote]
afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > g_server2006
 

Digital video: AfterDawn.com | AfterDawn Forums
Music: MP3Lizard.com
Gaming: Blasteroids.com | Blasteroids Forums | Compare game prices
Software: Software downloads
Blogs: User profile pages
RSS feeds: AfterDawn.com News | Software updates | AfterDawn Forums
International: AfterDawn in Finnish | AfterDawn in Swedish | AfterDawn in Norwegian | download.fi
Navigate: Search | Site map
About us: About AfterDawn Ltd | Advertise on our sites | Rules, Restrictions, Legal disclaimer & Privacy policy
Contact us: Send feedback | Contact our media sales team
 
  © 1999-2025 by AfterDawn Ltd.

  IDG TechNetwork