Possible Virus Problem

Discussion in 'Software' started by rezuth, Jun 10, 2004.

  1. rezuth

    rezuth Private E-2

    As mentioned in my last post, I have gotten several problems lately and they are getting worse. The virus is now killing my realtime scanning program so it won't be discovered. When I used the command msconfig and checked autostart I noticed I got 5 winlogon. I did a logfile from HijackThis so if something is suspicious there you might tell me. I did a manual scan with my antivirus but then I got this error coming up; I attach a picture. The virus itself, or at least the things I notice it does, is change my desktop resolution and the monitor picture size. Sometimes it even reboots my computer; this is getting annoying. If you would like more info please tell me what kind.

    Greets Rezuth



    Logfile of HijackThis v1.97.7
    Scan saved at 16:26:43, on 2004-06-10
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Trend Micro\Antivirus\Tmntsrv.exe
    C:\Program\Trend Micro\Antivirus\tmproxy.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program\Messenger Plus! 3\MsgPlus.exe
    C:\Program\Trend Micro\Antivirus\PCClient.exe
    C:\Program\Trend Micro\Antivirus\TMOAgent.exe
    C:\Program\MSN Messenger\MsnMsgr.Exe
    C:\Program\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Ägare\Skrivbord\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-searches.com/search.php?v=6&aff=0
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=0
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hot-searches.com/index.php?v=6&aff=0
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sv8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\WinIogon.exe
    F1 - win.ini: load=C:\WINDOWS\WinIogon.exe
    F1 - win.ini: run=C:\WINDOWS\WinIogon.exe
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\WinIogon.exe
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll
    O3 - Toolbar: MSN Verktygslåda - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Toolbar\01.01.1629.0\sv\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=061504 serial=DR12WTX-9999998-YSP lang=EN
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program\Trend Micro\Antivirus\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program\Trend Micro\Antivirus\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program\Trend Micro\Antivirus\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\WinIogon.exe
    O4 - HKLM\..\RunServices: [Windows Logon Application] C:\WINDOWS\WinIogon.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: &Google Search - res://C:\Program\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program\Google\GoogleToolbar1.dll/cmsimilar.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {0873478E-E67A-4876-B0A9-9A36D3AB3602} (vviewer control) -
    O16 - DPF: {83873F92-B99B-400A-9E36-52B5F4970FB7} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/sv/filesharingctrl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38146.1048726852
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} (Vitalize Class) - http://www.clickteam.com/vitalize3/vitalize.cab
     
  2. rezuth

    rezuth Private E-2

    forgot to attach :p
     


  3. Adrynalyne

    Adrynalyne Guest

    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Winlogon.exe
    F1 - win.ini: load=C:\WINDOWS\Winlogon.exe
    F1 - win.ini: run=C:\WINDOWS\Winlogon.exe
    O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\Winlogon.exe
    O4 - HKLM\..\RunServices: [Windows Logon Application] C:\WINDOWS\Winlogon.exe

    Well, there is your virus, but I don't know which virus it is.

    You need to delete these and remove the winlogon.exe from the location specified.

    Can you do an online virus scan?

    http://www.pandasoftware.com/activescan

    I'm guessing you really don't want these either :)

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
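
Added example, not part of the original posts: the autostart entries in the posted log point at C:\WINDOWS\WinIogon.exe, spelled with a capital I and sitting outside system32, where the running winlogon.exe lives. The sketch below triages a HijackThis log for that pattern plus the hosts redirects and file-less BHOs flagged above; the table of expected folders and the names `triage` and `skeleton` are assumptions of this example.

```python
import ntpath
import re

# Assumed default folders of core Windows XP binaries (not taken from the thread).
SYS32 = r"c:\windows\system32"
KNOWN = dict.fromkeys(["winlogon.exe", "lsass.exe", "services.exe", "svchost.exe", "smss.exe"], SYS32)
KNOWN["explorer.exe"] = r"c:\windows"
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})
AUTOSTART = {"F0", "F1", "F2", "O4"}
LINE = re.compile(r"^\s*([RFO]\d+) - (.*)$")
EXE = re.compile(r'[A-Za-z]:\\[^"=]*?\.exe', re.I)
# First four lines are copied from the log in post 1; the last one is constructed.
SAMPLE = r"""
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\WinIogon.exe
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\WinIogon.exe
O4 - HKLM\..\Run: [demo] C:\Temp\svchost.exe
"""

def skeleton(name):
    """Lower-case a file name and fold look-alike characters (I/l/1, 0/o)."""
    return name.lower().translate(CONFUSABLE)

SKELETONS = {skeleton(n): n for n in KNOWN}

def triage(log_text):
    """Return (section, reason, detail) findings for a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        section, body = m.group(1), m.group(2).rstrip()
        if section in AUTOSTART:
            for path in EXE.findall(body):
                name = ntpath.basename(path).lower()
                if name in KNOWN and ntpath.dirname(path).lower() != KNOWN[name]:
                    findings.append((section, "system name, wrong folder", path))
                elif name not in KNOWN and skeleton(name) in SKELETONS:
                    findings.append((section, "look-alike of " + SKELETONS[skeleton(name)], path))
        elif section == "O1":
            host = re.match(r"Hosts: (\S+)\s+(\S+)", body)
            if host and host.group(1) not in ("127.0.0.1", "::1"):
                findings.append((section, "hosts redirect", host.group(2)))
        elif section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO with missing file", body))
    return findings
```

Calling `triage(SAMPLE)` returns five findings; a genuine `C:\WINDOWS\system32\winlogon.exe` autostart entry produces none.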
     
  4. rezuth

    rezuth Private E-2

    Thanks I will try that
     
