Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 4 of 4 Posts

·
Registered
Joined
·
1 Posts
Discussion Starter · #1 ·
Hi...can you teach me how to remoce this virus?
Also, what will this virus affect my computer?

Logfile of HijackThis v1.97.7
Scan saved at 9:46:51 PM, on 3/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINPENJR\win32\pphidpad.exe
C:\WINPENJR\win32\pphidpad.exe
C:\Program Files\HSM-6108\shwicon.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINPENJR\win32\ACREMCHK.EXE
C:\WINDOWS\webshots.scr
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\IRIS LAM\×ÀÃæ\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\win32\pphidpad.exe
O4 - HKLM\..\Run: [ShowIcon_HHSEA_HSM-6108 v1.15e008] "C:\Program Files\HSM-6108\shwicon.exe" -t"HHSEA\HSM-6108 v1.15e008"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\msreg.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [App.exe] app.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: .plugin141_03.trace
O4 - Startup: hpothb07.dat
O4 - Startup: hpothb07.tif
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O8 - Extra context menu item: …R³öÖÁ Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {34A22A39-FB15-4221-B914-27DA75158A34} (IIM ActiveX Control) - http://netmessenger.netvigator.com/nim/src/nmsetup.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CEF2894-C7BD-40F9-B2A1-4AB2B875BFD1}: NameServer = 205.252.144.28 218.102.23.77
O17 - HKLM\System\CS2\Services\Tcpip\..\{5CEF2894-C7BD-40F9-B2A1-4AB2B875BFD1}: NameServer = 205.252.144.28 218.102.23.77
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts

·
Registered
Joined
·
45,855 Posts
Check these two entries in the HijackThis Scanlog, then click Fix. Reboot and delete the bolded files:

O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\msreg.exe

O4 - HKLM\..\Run: [App.exe] app.exe

This file is probably in c:\windows or c:\windows\system32. You may have to have "show hidden files" enabled in Folder Options > View to find it

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.zinx.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.waxpow.worm.html

I would also check and fix these or simply delete them from the Startup folder -- they make no sense to me:

O4 - Startup: .plugin141_03.trace
O4 - Startup: hpothb07.dat
O4 - Startup: hpothb07.tif
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini

I would also recommend you do a full system scan with the latest virus definitions.

You can use one of the online scanners in this post:

http://forums.techguy.org/showthread.php?s=&postid=663486

Post another Scanlog when finished.
 
1 - 4 of 4 Posts
Status
Not open for further replies.
Top