Hey,
a few days ago I got a hacktool.flooder virus alert infecting my command.exe file. I rebooted in safe mode and nothing came up. Just about 2 minutes ago I got a message that it had infected my win32.exe file... WHAT DO I DO?
Thanks

Both command.exe and win32.exe would be virus files (they are not Windows files) and need to be deleted.
You will also need to remove the associated registry entries first before deleting the files. Let's locate them.
Go here and download, unzip and run startuplist. It will create a log file, copy the log and paste it in a reply.

Hi folks,
I've got the same problem with this flooder. My infected file is install.exe. The problem is, I can't remove that file, and the file is only active if I'm on the internet. I definitely can't remove the file, because it is in use all the time and I can't find the running service of the file.
Best regards
netproxy (GER)

Hello, I too have the hacktool.flooder virus, which infects internet.exe in the Windows folder every time I start any program. Norton deletes it, then it finds it again ad nauseam. I've done the safe boot and removed the registry entry internet.exe, but it keeps coming back. I'm running XP Home SP1 with the latest virus defs and Norton's firewall.
Here's my startup list:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\Rundll.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Wacom\TabUserW.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\GetRight\GETRIGHT.exe
C:\Program Files\GetRight\GETRIGHT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\ColBex\Desktop\startuplist1521\StartupList.exe
Thanks for any help, it's driving me nuts. I even did a repair install of XP to no avail :(

Oops! Here's the startup list:
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
REGSHAVE = C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN
QD FastAndSafe = C:\PROGRA~1\NORTON~1\NORTON~2\QDCSFS.exe /startup
POINTER = C:\Program Files\Microsoft Hardware\Mouse\Mouse\SETUP\MSH\Mouse\point32.exe
NvCplDaemon = RUNDLL32.exe NvQTwk,NvCplDaemon initialize
New.net Startup = rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe
NAV Agent = C:\Program Files\Norton SystemWorks\Norton AntiVirus\NAVAPW32.exe
DU Meter = C:\Program Files\DU Meter\DUMeter.exe
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
AHQInit = C:\Program Files\Creative\SBLive\Program\AHQInit.exe
AudioHQ = C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.exe

I'm sure you have all seen this http://www.symantec.com/avcenter/venc/data/hacktool.flooder.html -and this- http://www.asia.cnet.com/itmanager/netadmin/0,39006400,39081965-1,00.htm
Broccoli (Cabbage), the file “internet.exe” was probably added to your computer as a result of the "W32.MagicCall" virus.
I would be interested in seeing your (or anyone else's who is infected with this "Hacktool.Flooder") HijackThis logfile. Download HijackThis from http://www.spywareinfo.com/files/hijackthis.zip and run a scan. Don't make any changes, just click on Save Log, copy it and post it back in this thread.
As Tom41 said, "Command.exe" and "Win32.exe" are both virus files. "Command.exe" was added as a result of the "Troj_buddy.E" virus and "Win32.exe" was added as a result of the "Backdoor.Ratega" virus.
There are 3 virus files (so far) for this “Hacktool.Flooder”??? I don’t know.

Hi setter:
I have exactly the same problem as Broccoli, except I am using Windows XP Pro & SP1.
Here is the result of my scan from HijackThis. Some unknown chars are Asian chars, you can ignore them.
---Logfile of HijackThis v1.94.0
Scan saved at 2:39:40 PM, on 5/18/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ʹÓÃÍø¼Ê¿ì³µÏÂÔØ - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: ʹÓÃÍø¼Ê¿ì³µÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: Joyo (HKLM)
O9 - Extra button: PowerWord (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Your HijackThis Logfile is pretty clean!
I don’t see anything out of the ordinary. At one time I think FlashGet used to be “Spyware/Adware” but that was the free version.
So I don’t know what your problem is.

timothy, seeing as I found nothing obvious, I recommend going to the people at http://www.spywareinfo.com/forums/index.php?s=f90fed280400c9e9567f1ae67b0d7938. Please post your problem and HijackThis logfile at the site in the “Spyware and Hijackware Removal Support” forum. They will inform you of the next step or what to do.
As I remember, FlashGet used to have spyware/adware; I don’t know if it is still the case. Rather than miss anything, I think it is better to have many eyes looking at it. The people at http://www.spywareinfo.com keep up with the latest.
If you still have pop-up problems, at least they may not be spyware related (maybe that is not your problem). I highly recommend the program Proxomitron for stopping HTML page pop-ups and much more, and it's free.

Hi, I got the same problem with command.exe. Here's a list of my processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\Srng\Srng.exe
C:\PROGRA~1\COMMON~1\Real\UPDATE~1\REALSC~1.exe
C:\PROGRA~1\Compaq\EASYAC~1\StartEAK.exe
C:\PROGRA~1\SuperBar\sbhc.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\TVTMD.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\PROGRA~1\PRECIS~1\PRECIS~1.exe
C:\Compaq\EAKDRV\EAUSBKBD.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\DOCUME~1\RODRIQ~1\MYDOCU~1\wininetd.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.exe
C:\DOCUME~1\RODRIQ~1\Desktop\STARTU~1\STARTU~1.exe
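
Added example, not part of any post in this thread: a small triage script for the two log styles pasted above (StartupList process/autorun lines and HijackThis O4 lines) that pulls the executable name out of each entry and lists entries using a file name the posters reported. The function names, the sample log and its paths are constructed for illustration.

```python
import re

# Names posters in this thread said their antivirus flagged. A match is only a
# lead for manual review: install.exe, for one, is also a common legitimate name.
REPORTED_NAMES = {"command.exe", "win32.exe", "internet.exe", "install.exe"}

O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")   # HijackThis
KV_RE = re.compile(r"^(?P<name>[^=\\]+?) = (?P<cmd>.+)$")             # StartupList
PATH_RE = re.compile(r"^(?:\\\?+\\)?[A-Za-z]:\\.+\.exe$", re.I)       # process list

def image_name(cmd):
    """Return the lower-cased executable name a command line starts."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        path = cmd[1:].split('"', 1)[0]
    else:                                        # unquoted: cut after first .exe
        m = re.match(r".*?\.exe\b", cmd, re.I)
        path = m.group(0) if m else cmd.split()[0]
    return path.rsplit("\\", 1)[-1].lower()

def parse_line(line):
    """Classify one log line as ('autorun'|'process', command) or None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return ("autorun", m["cmd"])
    if PATH_RE.match(line):
        return ("process", line)
    m = KV_RE.match(line)
    return ("autorun", m["cmd"]) if m else None

def triage(log_text):
    """List (line number, kind, image name) for entries using a reported name."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec and image_name(rec[1]) in REPORTED_NAMES:
            hits.append((n, rec[0], image_name(rec[1])))
    return hits

# Constructed sample in the two log styles seen above; paths are invented.
SAMPLE = r"""Running processes:
C:\WINDOWS\internet.exe
\??\C:\WINDOWS\system32\WBEM\WMIADAP.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
loader = C:\WINDOWS\win32.exe /s
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [upd] "C:\WINDOWS\Command.exe" -q"""

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

A name match says nothing about whether the file on disk is malicious; it only narrows down which autorun and process entries to inspect first.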


This post is quite old and has been locked from receiving new replies. Please create a new posting instead.