Tom's Guide | Tom's Hardware | Tom's Games

Computing.Net > Forums > Windows 2000 > Virus infected

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

Virus infected

Reply to Message Icon

Name: John22Home
Date: December 3, 2003 at 01:39:23 Pacific
OS: WIN2000
CPU/Ram: 1.7/1.5Gb
Comment:

Hallo,
My pc is infected with a taff virus.I can't remove it
Here are :
Scan Report with Rav and
Hijackthis Report

[Object/Status]
C:\WINNT\SYSTEM32\winsys.exe->(FSGPE) | Infected: Backdoor:Win32/WinShell.5_0

[General]
Scan Time = 03 decembrie 2003 11:28:35
Unpack exe = true
Inside archives = false
Scan mail files = true
Heuristic scan = true
Integrity check = true
Scanned files = SMART_SCAN
[Statistics]
Infected = 1
Virus bodies = 1

HIJACKED REPORT
Logfile of HijackThis v1.97.5
Scan saved at 11:07:52, on 03.12.2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
c:\winnt\system32\spool\drivers\color\DEVLDR32.exe
C:\WINNT\SYSTEM32\DNTUS26.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\GeCAD\RAV8 Desktop\ravmon.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
c:\winnt\system32\winsys.exe
c:\winnt\system32\winsys.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\xcommsvr.exe
C:\WINNT\System32\DRIVERS\CDANTSRV.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\Norton Internet Security\NISSERV.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Norton Internet Security\IAMAPP.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Rosoft\Audio Tools\msbb.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\MSMGT.exe
C:\Program Files\MemoryMeter\MemoryMeter.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\Smtray.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Norton Internet Security\IAMAPP.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Rosoft\Audio Tools\msbb.exe
C:\WINNT\MSMGT.exe
C:\Program Files\MemoryMeter\MemoryMeter.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\DC++\DCPlusPlus.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
L:\John\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchgateway.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchgateway.net/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.14.236.147:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: CleverHook Class - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINNT\jeired.dll
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\WINNT\jeired.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.exe /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msbb] C:\Program Files\Rosoft\Audio Tools\msbb.exe
O4 - HKLM\..\Run: [BHO] C:\WINNT\BHO.exe
O4 - HKLM\..\Run: [MSMGT] C:\WINNT\MSMGT.exe
O4 - HKLM\..\Run: [MemoryMeter] C:\Program Files\MemoryMeter\MemoryMeter.exe
O4 - HKLM\..\Run: [RAV8Tray] C:\Program Files\GeCAD\RAV8 Desktop\ravtray8.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Felix] C:\Program Files\ScreenMates\felix.exe
O4 - Global Startup: ravmon.exe.lnk = C:\Program Files\GeCAD\RAV8 Desktop\ravmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\MDT6\AcDcToday.ocx
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.idilis.ro/scan/Msie/bitdefender.cab
O16 - DPF: {93B52CD5-EDFF-4405-8975-754100710FD5} (GameLauncher Control) - http://www.linkmania.ro/activex/installx/gamelauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\MDT6\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\MDT6\InstFred.ocx
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (CRAVOnline Object) - http://antivirus.kappa.ro/ravonline.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\MDT6\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{946F3400-C7CF-46BA-B0F0-5F517046A437}: NameServer = 194.176.168.1,194.176.168.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5936AFC-C294-4E37-9C01-96C481CCDA9F}: NameServer = 194.176.168.1,194.176.168.2




Sponsored Link
Ads by Google

Response Number 1
Name: daveyb
Date: December 3, 2003 at 02:55:52 Pacific
Reply:

check this out:

http://www.symantec.com/avcenter/venc/data/backdoor.freefors.html


0

Response Number 2
Name: pc3wondergirl
Date: January 20, 2004 at 17:56:27 Pacific
Reply:

You are also infected with this backdoor trojan... see below for more info. (Note, the second page was actually more helpful to me...)

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.lastras.html

http://www.net-integration.net/zeroscripts/dntus26.html


0

Sponsored Link
Ads by Google
Reply to Message Icon

Related Posts

See More



Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.


Go to Windows 2000 Forum Home


Sponsored links
Ads by Google


Results for: Virus infected
Can virus infect a hidden partition www.computing.net/answers/windows-2000/can-virus-infect-a-hidden-partition/53308.html

Possible Virus Infection www.computing.net/answers/windows-2000/possible-virus-infection/57841.html

Virus Infection www.computing.net/answers/windows-2000/virus-infection/51429.html