strange virus HELP
Original Message
Name: dr.ananas
Date: February 16, 2004 at 14:12:33 Pacific
Subject: strange virus HELP
OS: Win XP Pro
CPU/RAM: P4 RIMM

Comment: OK, I just found a trojan named classloader.td and removed it because my system lagged due to this. Then my Internet Explorer start page changed to a spam site. I had this problem in the past, but then the URL was not so cryptic (something like http://%34%234d%blablabla). I can't change the start page, and now the funny thing: I type in google.de (German version) and a fake Google appears, and there's no way to get to Google. What is that? I did several online and offline virus scans and Ad-aware, but nothing worked. My system seems to be still affected by a trojan, I guess, because everything lags sometimes (so does my typing now). I need help immediately. Thx
Response Number 1
Name: DaveyB
Date: February 16, 2004 at 14:18:22 Pacific
Subject: strange virus HELP

Reply: Have you checked your processes via Ctrl+Alt+Del? Have you removed all suspicious programs via Run > msconfig? Have you checked your Registry?
Response Number 2
Name: dr.ananas
Date: February 16, 2004 at 15:03:38 Pacific
Subject: strange virus HELP

Reply: I checked everything except the registry because I have no clue what is right there and what shall not be. I guess I deleted the trojan successfully, but nevertheless, before being deleted it damaged something in my system. That may be the reason why no antivirus tool detects a virus. If anybody experienced the same or knows what my situation is (if it's not the way I guess), please help. Thx
Response Number 3
Name: blender
Date: February 16, 2004 at 15:16:35 Pacific
Subject: strange virus HELP

Reply: dr. ananas, since you have tried virus scans and Spybot scans with no results... Download HijackThis from the site below, unzip it to its own folder (not a temporary folder), and double-click to start the program. Click "Scan"; the Scan button changes to a "Save Log" button. Save the log to the same folder. The log file will open up in Notepad; copy/paste the whole log in a reply. Please don't fix anything yet; most of what you see in the scan is safe or even essential. We will help you sort it out. HijackThis download Thanks.
_________________________ I never give up!
Response Number 4
Name: dr.ananas
Date: February 16, 2004 at 18:02:37 Pacific
Subject: strange virus HELP

Reply: Thanks for the guide, here it is:

Logfile of HijackThis v1.97.7
Scan saved at 03:00:20, on 17.02.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\WinFast\WFTVFM\WFWIZ.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\Programme\Winamp\Winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\3M\PSN2Lite\Psn2Lite.exe
C:\Programme\Extensis\Suitcase 9.2\Suitcase.exe
C:\Programme\Wacom\TabUserW.exe
C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
C:\Programme\ICQ\ICQ.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\rnathchk.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
D:\temp entpackt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ehttp.cc/?www.googel.de (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.efinder.cc/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
O1 - Hosts: 38.115.131.131 sk2.slsk.org
O1 - Hosts: 38.115.131.131 www.slsk.org
O1 - Hosts: 38.115.131.131 mail.slsk.org
O1 - Hosts: 38.115.131.131 server.slsk.org
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programme\ICQ\NDetect.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Programme\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Programme\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: Suitcase Startup.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Programme\Wacom\TabUserW.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030625/qtinstall.info.apple.com/abarth/de/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C70ED019-BEC0-4ABE-B6D0-FE8192C4E6D8}: NameServer = 145.253.2.142 145.253.2.81
O19 - User stylesheet: C:\WINDOWS\my.css
O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)
Response Number 5
Name: blender
Date: February 16, 2004 at 20:49:08 Pacific
Subject: strange virus HELP

Reply: Hi. First I would suggest putting HijackThis in its own permanent folder, because it makes backups in case we make a mistake. It looks like you hit a bad link with Soulseek and in turn got hijacked by CoolWebSearch. I tried going to one of the sites listed in your O1 hosts file and had an attempted hijack. All the R1 and R0 entries are spoofed addresses. The O13's and O19's are also part of the hijack. Have HijackThis running with all other windows closed while offline and check the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ehttp.cc/?www.googel.de (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%00@www.efinder.cc/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
O1 - Hosts: 38.115.131.131 sk2.slsk.org
O1 - Hosts: 38.115.131.131 www.slsk.org
O1 - Hosts: 38.115.131.131 mail.slsk.org
O1 - Hosts: 38.115.131.131 server.slsk.org
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/?
O19 - User stylesheet: C:\WINDOWS\my.css
O19 - User stylesheet: C:\WINDOWS\my.css (HKLM)

Click "Fix checked". Reboot the computer and delete the following: c:\windows\my.css
You will need to reset your regular home page (it will likely be about:blank). Repost a new log when done. Thanks!
Once we are sure this is fixed you will need to visit Windows Update and apply all the critical updates, including SP1, to prevent this from happening again.
I never give up!
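The hijack blender diagnoses above (userinfo and percent-encoding disguising the real host in the R0/R1 URLs, hosts-file redirection in O1, a URL prefix in O13, a user stylesheet in O19) can be checked mechanically. Added example, not from this thread or from HijackThis: a Python script that decodes each URL the way a browser would and lists the entries that fit that pattern; the sample log lines are constructed from values in the posted log.

```python
import re
from urllib.parse import unquote

# Constructed sample in the shape of the HijackThis 1.97 log posted above; the O4 line is a benign control.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ehttp.cc/?www.googel.de (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%00@www.efinder.cc/search/ (obfuscated)
O1 - Hosts: 38.115.131.131 www.slsk.org
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O19 - User stylesheet: C:\WINDOWS\my.css
"""
URL_RE = re.compile(r"https?://\S+")

def real_host(url):
    """Host the browser really connects to: percent-decode first, then drop
    everything up to the last '@', which is userinfo rather than the host."""
    authority = unquote(url).split("://", 1)[1].split("/", 1)[0]
    return authority.rsplit("@", 1)[-1].lower()

def apparent_host(url):
    """What a casual reader takes for the host: the text before the first '@' or '/'."""
    return re.split(r"[@/]", url.split("://", 1)[1], 1)[0].lower()

def triage(log_text):
    """Return (section, detail, reason) for each line showing a CWS-style hijack."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"(R[0-3]|O\d+) - (.*)", line)
        if not m:
            continue
        kind, body = m.groups()
        if kind.startswith("R") or kind == "O13":
            for url in URL_RE.findall(body):
                real = real_host(url)
                if kind == "O13":   # prefix: every address typed without http:// goes via this host
                    findings.append((kind, real, "URL prefix hijack, decoded prefix host"))
                elif real != apparent_host(url):
                    findings.append((kind, real, "userinfo/percent-encoding hides the real host"))
                elif re.search(r"\?(?:www\.)?[\w-]+\.[a-z]{2,}$", unquote(url)):
                    findings.append((kind, real, "redirector: another site name is carried in the query"))
        elif kind == "O1":          # "Hosts: <ip> <name>": anything not loopback is a redirect
            ip, name = body.split()[-2:]
            if ip not in ("127.0.0.1", "0.0.0.0", "::1"):
                findings.append((kind, name, f"hosts file sends {name} to {ip}"))
        elif kind == "O19":         # user stylesheet: CWS uses it to inject content into every page
            findings.append((kind, body.split(": ", 1)[1], "user stylesheet set"))
    return findings
```

Run `triage(open("hijackthis.log").read())` on a saved log; an entry is only a lead, and as blender says, most of what a log shows is benign.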
Response Number 6
Name: dr.ananas
Date: February 17, 2004 at 05:04:14 Pacific
Subject: strange virus HELP

Reply: Here we go (oh oh, I don't like that SP1 necessity, you know why?)

Logfile of HijackThis v1.97.7
Scan saved at 13:59:55, on 17.02.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\WinFast\WFTVFM\WFWIZ.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\3M\PSN2Lite\Psn2Lite.exe
C:\Programme\Extensis\Suitcase 9.2\Suitcase.exe
C:\Programme\Wacom\TabUserW.exe
C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
C:\Programme\ICQ\ICQ.exe
D:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Programme\ICQ\NDetect.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Programme\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Programme\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: Suitcase Startup.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Programme\Wacom\TabUserW.exe
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030625/qtinstall.info.apple.com/abarth/de/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Response Number 7
Name: blender
Date: February 17, 2004 at 08:28:16 Pacific
Subject: strange virus HELP

Reply: Hi dr.ananas. Log looks good... Internet Explorer working OK now? There are a few programs I can recommend to help protect you from recurrence and many other nasties on the net. If you don't have these already...
Spybot Search and Destroy
Ad-aware
SpywareBlaster
All are free and require updating on a regular basis (weekly is good). SpywareBlaster will block many bad downloads. Once installed, click "check for updates", install all updates listed, click "select all", click "protect from checked items". There are good help files for Spybot and Ad-aware. Ad-aware and Spybot are spyware/malware detectors and cleaners. Be sure to update them before running their scans. Also temporarily turn off virus protection to run scans, to prevent conflicts and freeze-ups.
2 others... SpywareGuard, also free, will watch your home/search pages in the background and alert you if something tries to reset your Internet Explorer; you then have the option to keep the change or have the program fix it. Updates come out about once a month.
Last but not least, I also use IE-Spyad, also free. That program puts over 5000 known bad sites (known for hijacking, backdoors, trojans, etc.) in your Restricted zone in Internet Explorer. The Restricted zone security settings by default have Java, ActiveX, etc. disabled, so the website cannot do anything to your computer (like hijack it). Read the page on how to install this one and how to do its updates; it is a little different install procedure. I use all the above programs without any issues and it has saved my butt many times.
I also recommend turning on your XP firewall to protect you even further. Start > Settings > Network Connections > right click your internet connection > click Properties > Advanced tab > checkmark "Protect my computer....from the Internet" > click OK
That should protect you from most of the nasties until you work out your SP1 issue. (yeah I know why...)
Here's the links: Ad-aware Spybot SpywareBlaster SpywareGuard IE-Spyad
Good luck
______________________________ I never give up!
Response Number 8
Name: dr.ananas
Date: February 17, 2004 at 09:17:28 Pacific
Subject: strange virus HELP

Reply: Thx a lot for the professional help. Saved my life, yeah.
Response Number 9
Name: blender
Date: February 17, 2004 at 15:44:37 Pacific
Subject: strange virus HELP

Reply: Hi, glad to be of help. Thanks for posting back. Good luck and take care. _______________________ I never give up!
Response Number 10
Name: dr.ananas
Date: February 17, 2004 at 15:52:35 Pacific
Subject: strange virus HELP

Reply: Arghhh, just me again: all tools worked well except SpywareBlaster and SpywareGuard. Installing was OK, but when opening these two applications the same error occurs: "run-time error '339: Component MSCOMCTL.OCX or one of its dependencies not correctly registered: a file is missing or invalid". Should I blame it on the download file?
Response Number 11
Name: sxshep
Date: February 17, 2004 at 18:17:53 Pacific
Subject: strange virus HELP

Reply: Dear doctor, you can go Here for help in resolving the MSCOMCTL.OCX etc. problem. Shep