Might need some help
patchted
Junior Member
9. September 2006 @ 23:15
Good day, my friends. Yesterday I did my weekly scan using Zone Alarm Security Suite; it found some virus and killed it so quickly I didn't manage to see what it was. Then, on using Spybot Search & Destroy, it found a Trojan, which it killed. This morning I was looking at my C: drive using Explorer and noticed fsxveje.exe, mhdjq.exe, rudkbpt.exe, snfmx.exe and yvontfxw.exe, all created yesterday, 9/9/06. I have done a search on the web but can't find any information on them. Can someone tell me if they should be on my computer, or whether they are connected with the scans I did yesterday? If so, what should I do? Thanks

Jim.S.(UK)
Senior Member
9. September 2006 @ 23:23
They're not legit, because the names are random.

Download HijackThis and extract the file to a folder on the desktop. Run a scan and save a log file. Paste that log here.

patchted
Junior Member
9. September 2006 @ 23:43
Hiya Niobis, thanks for replying so quickly. Here is my log:
Logfile of HijackThis v1.99.1
Scan saved at 08:40:31, on 10/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\LVComsX.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Backup\DownLoads\HijackThis_v1.99.1(2).exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BestCrypt\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL
O20 - AppInit_DLLs: hplun.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
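
Added example, not code from the thread or from HijackThis: a small Python parser run over a constructed excerpt of the log above. It checks whether the five file names from the first post occur anywhere in the log (they do not, which is the point of the next reply) and lists the entries a helper would review first. The review heuristics (executable sitting in a drive root, O20 AppInit_DLLs load point, O23 service with a missing binary) are my own assumptions, not verdicts HijackThis makes.

```python
import re

# Constructed excerpt of the HijackThis v1.99.1 log posted in this thread (not the full log).
HJT_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Backup\DownLoads\HijackThis_v1.99.1(2).exe

O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - AppInit_DLLs: hplun.dll
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""
# The five files the original poster found in the root of C:\.
SUSPECTS = ["fsxveje.exe", "mhdjq.exe", "rudkbpt.exe", "snfmx.exe", "yvontfxw.exe"]

# A Windows path ending in an executable/library extension; stops at a quote or line end.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx)', re.IGNORECASE)
ROOT_EXE_RE = re.compile(r'[A-Za-z]:\\[^\\]+\.exe$', re.IGNORECASE)


def extract_paths(log):
    """Return every file path mentioned anywhere in the log, in order of appearance."""
    return PATH_RE.findall(log)


def missing_suspects(log, names):
    """Suspect file names that appear nowhere in the log (by base name, case-insensitive)."""
    seen = {p.rsplit("\\", 1)[-1].lower() for p in extract_paths(log)}
    return [n for n in names if n.lower() not in seen]


def review_items(log):
    """Entries a helper would look at first. These heuristics are assumptions of this
    example, not HijackThis verdicts: executables sitting in a drive root, O20 AppInit_DLLs
    load points, and O23 services whose binary HijackThis reports as missing."""
    items = []
    for raw in log.splitlines():
        line = raw.strip()
        if ROOT_EXE_RE.match(line):
            items.append(("executable in drive root", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            items.append(("AppInit_DLLs load point", line))
        elif line.startswith("O23") and line.endswith("(file missing)"):
            items.append(("service binary missing", line))
    return items


if __name__ == "__main__":
    print("not in log:", missing_suspects(HJT_LOG, SUSPECTS))
    for kind, line in review_items(HJT_LOG):
        print(f"[{kind}] {line}")
```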



Jim.S.(UK)
Senior Member
9. September 2006 @ 23:52
Not showing in your log. Go here and run ActiveScan. When it finishes, save the results and post them here.

patchted
Junior Member
10. September 2006 @ 00:33
Here it is:

Incident Status Location

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt[.drivecleaner.com/]
Virus:W32/Junkcomp.A Renamed C:\fsxveje.exe
Adware:Adware/SpySheriff Not disinfected C:\mhdjq.exe
Virus:Trj/Jupillites.G Disinfected C:\rudkbpt.exe
Potentially unwanted tool:Application/Processor Not disinfected D:\Backup\Install Bak\Install\SmitfraudFix.zip[SmitfraudFix/Process.exe]


Jim.S.(UK)
Senior Member
10. September 2006 @ 01:00
You may have caught this in good time.

Go here and download KillBox.

Then, go here to download Ewido.
Install and update.

Note: you may want to print these instructions, as you will be in safe mode.

Restart your computer in safe mode.
Open Killbox.exe.
Check "Standard File Kill".
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time. Then click the red X button after you enter each file.
You will be prompted to confirm, click Yes.

C:\fsxveje.exe
C:\mhdjq.exe


If KillBox says the file doesn't exist, just continue.
Close KillBox.

Open Ewido and run a full scan.
When it finishes, set all items to delete and click "Apply all actions".
Then click "Save Report".

Restart in normal mode.

Post the Ewido log and tell me whether KillBox deleted both files.

patchted
Junior Member
10. September 2006 @ 03:33
Ello Niobis,
I've done as requested; here is the log:
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:21:45 9/10/2006

+ Scan result:



C:\!KillBox\mhdjq.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.24:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.25:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.26:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.22:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.23:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.14:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.21:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.9:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.27:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end

And KillBox found and deleted c:\mhdjq.exe, but not c:\fsxveje.exe.

Jim.S.(UK)
Senior Member
10. September 2006 @ 14:03
ActiveScan renamed it.

First, show hidden files. Open Control Panel > Folder Options > View tab > check the "Show hidden files and folders" box.

Search for fsxveje.exe; if found, delete it. If not, go here and download AVG Free.
Install and update.
Restart in safe mode.
Run full scan.


patchted
Junior Member
11. September 2006 @ 00:21
Found it, deleted it :-)

Jim.S.(UK)
Senior Member
11. September 2006 @ 00:31
Just noticed you listed "snfmx.exe" and "yvontfxw.exe". Search for those two also. If found, delete.

If you had/have to show hidden folders, be sure to hide them again afterwards.


patchted
Junior Member
12. September 2006 @ 12:04
Well Niobis, I deleted all the files I was concerned about, and today I did a virus check with Zone Alarm, AVG and Ewido. I also ran Ad-Aware and Spybot Search & Destroy, and all came back clear, so I would like to thank you for your help. THANKS


Jim.S.(UK)