Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
Name: Nelson_Ecks
This is something I've only just noticed today.
Shortly after I got on to internet, I tried to open internet option via tools in the IE window. And a warning message saying that the system administrator has disabled such function (or whatever) due the effects on the computer. Problem one, I am the admin on my own computer, why did this message pop up anyway. Then the normal option window opened.
Then I tried to open my e-mail box on hotmail and it redirected me to http://www.spacereg.com/df.html?www.hotmail.msn.com and tells me that I do not have the right to access /df directory on the site. Problem two, I know that spacereg is some web space company, why did I get redirected to their site when I tried to log onto hotmail? (note: mail box opened successfully 5 minutes ago, problem occured 1 hour ago)
Had the suspicion that the computer may be infected. I tried to visit www.grisoft.com which is the maker of AVG Antivirus to see if there's any updates today. Then I received the message "Forbidden, You don't have permission to access / on this server". Problem three, why doesn't the antivirus maker want its customer to visit its web site? Or is it actually because the virus maker doesn't want me to.
Then tried to visit http://www.wilderssecurity.net to get the latest spyware guard, and I received the same message.
Having install the latest update for AdAware, I scaned the hard drive. Found some suspicious Reg Keys and deleted them. But, above problems persist.
These problems are driving me nuts. Does anyone know the answer to all these things? Any help will be appreciated.
There is a very good chance you have a virus on the system. For once I'm going to tell someone to download HiJack This and post the log file. Go here and download HiJack This
KTTD
0 
I had already HiJacked my computer before I posted the message. But here's the log anyway. Hope you could help.
Logfile of HijackThis v1.96.0
Scan saved at 17:49:53, on 29/09/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\SOINTGR.exe
C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Gearbox Connection Kit\bin\gbConMon.exe
D:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Gearbox Connection Kit\bin\gbTask.exe
D:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Gearbox Connection Kit\bin\gbdash.exe
C:\Documents and Settings\Shuai Chen\My Documents\Download\HiJackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\SmartPopupKiller\PopupKillerTray.exeO2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A09790E7-DD00-4A83-B632-5B563423CFBB} - D:\Program Files\SmartPopupKiller\PopupKillerIEDLL.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe /IMEName
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [Gearbox Deferal Check] C:\Program Files\Gearbox Connection Kit\bin\gbdefer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: ÌÚѶQQ.lnk = D:\Program Files\Tencent\qq\QQ.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Download by NetAnts - C:\PROGRA~1\NetAnts\NAGet.htm
O8 - Extra context menu item: Download &All by NetAnts - C:\PROGRA~1\NetAnts\NAGetAll.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Edit with &XML Spy - C:\Program Files\Altova\XMLSPY\spy.htm
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: NetAnts (HKLM)
O9 - Extra 'Tools' menuitem: &NetAnts (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Edit with XML Spy (HKCU)
O9 - Extra 'Tools' menuitem: Edit with XML Spy (HKCU)
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .swf: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://cs7.chat.sc5.yahoo.com/v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {5B7524C8-2446-40E9-9474-94A779DBA224} (InstallShield Update Service Agent) - http://updates.installshield.com/CAB/isusweb.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8C9D5912-EED6-4488-B778-2D74EF9B859D} (HtmlIp3View Class) - http://www.drcnet.com.cn/fish_dll/Ip3HtmlView.dll
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37561.4317592593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dllBy the way, I fixed two entries in O17 that's why they are not there any more.
0
Could the next viewer of this thread comfirm the states of both www.grisoft.com and www.wilderssecurity.net. Whether they are running properly or not.
0
Thanks for notify me. I'm going to restart my computer again, for the second time. And will add the O17 section on if it shows up.
0
O17 - HKLM\System\CCS\Services\Tcpip\..\{8288BCA3-6F14-42DD-B0F1-937626F0EFD7}: NameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CS1\Services\Tcpip\..\{8288BCA3-6F14-42DD-B0F1-937626F0EFD7}: NameServer = 194.168.4.100 194.168.8.100These are the entries in O17.
0
It does appear you have some spyware and I'm not seeing anything that is setting off major alarm bells but then again I do have a cold and brain is at 50%.
Can the HDD be removed and placed in another system that has Anti-Virus software that is updated and then scanned?
Also, feel free to repost your message as well as the Hi-Jack This Log in the security/virus forum. State in the message that I informed you to do so.
Thanks,
KTTD
0  |
 wireless connection upon ...
|
Saving Jpeg's!
|
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
