PIC012.JPEG-WWW.PHOTOSHARE.COM virus + hjt log

  1. #1
    elva is offline Newbie

    PIC012.JPEG-WWW.PHOTOSHARE.COM virus + hjt log

    I'm running Windows 2000, AVG Free, Spybot Search & Destroy and Ad-Aware...

    I have this PIC012.JPEG-WWW.PHOTOSHARE.COM virus. It messed with AVG straight away so it won't scan properly. The antivirus component is in an error state and says "date of internal virus database is incorrect". It occasionally pops up saying it has found viruses (which I move to the vault) but obviously I have problems.

    It also started adding new registry keys straight away. I had spybot auto deny them but then spybot bugged out.

    Strange things are happening. My floppy drive was doing something, making sounds, with no disk in it and nothing to do with me. Browser windows are flickering a little... Some programs are running very slow.

    I downloaded HijackThis, but it generates errors and closes when I try to scan + save log...

    but here...

    Logfile of HijackThis v1.99.1
    Scan saved at 3:07:01 PM, on 4/7/1980
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\xampp\apache\bin\apache.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINNT\System32\svchost.exe
    C:\xampp\mysql\bin\mysqld-nt.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\xampp\apache\bin\apache.exe
    C:\WINNT\INF\MSI\SlowDownCPU\SlowDownCPU.exe
    C:\WINNT\system32\VTTimer.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\FinePixViewer\QuickDCF2.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINNT\system32\wuauclt.exe
    C:\Invision\mirc.exe
    C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\explorer.exe
    C:\WINNT\System32\calc.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
    C:\Program Files\PrevxCSI\PrevxCSI.exe
    C:\Program Files\PrevxCSI\PrevxCSI.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Grisoft\AVG7\avgwb.dat
    C:\Documents and Settings\Administrator\Desktop\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pussycat-ox.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SlowDownCPU] C:\WINNT\INF\MSI\SlowDownCPU\SlowDownCPU.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Windows live Messenger] msn.com
    O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKCU\..\Run: [delmsbb] C:\WINNT\delmsbb.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apache2.2 - Unknown owner - C:\xampp\apache\bin\apache.exe" -k runservice (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: CSIScanner - Unknown owner - C:\Program Files\PrevxCSI\\PrevxCSI.exe" /service (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: XAMPP Service (XAMPP) - Unknown owner - c:\xampp\service.exe


    Really quite nervous about this.
    Any help is appreciated.
    Thanks

    -Elva

    Edit: It's also sending itself to my MSN contacts

    I have a second pc hooked up to the same router, not sure if that may be infected as well, and an external HDD that was hooked up to this PC.
    Last edited by elva; 07-04-2008 at 07:06 AM.


  2. #2
    jephree is offline ¨*·.¸ «.·°·..·°·.» ¸.·*¨
    Bump post.

  3. #3
    elva is offline Newbie
    Erm, ok, now my initial post doesn't exist, but it does, but it doesn't?
    I'm confused, but that's not unusual.

  4. #4
    jephree is offline ¨*·.¸ «.·°·..·°·.» ¸.·*¨
    It is visible now.

    Sorry for the problem.

    We are trying a new Spam filter which is causing "false positives" on HijackThis logs.

    Your post is now visible and one of our experts should reply within the next 24 hours.

    Sorry again for the confusion.

  5. #5
    elva is offline Newbie
    thanks

  6. #6
    VopThis is offline Senior Member (Canada)
    Not much reported by Google - only three hits (2 by PREVX). It would appear to be an IRC-based infection:
    C:\Documents and Settings\RuGrAtS.MMK\Local Settings\Temp\photo08.zip/photo08.jpg-www.Photoshare.com Infected: Backdoor.Win32.IRCBot.bbn skipped
    C:\Documents and Settings\RuGrAtS.MMK\Local Settings\Temp\photo08.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\RuGrAtS.MMK\Local Settings\Temp\Pic012.zip/Pic012.JPEG-www.Photoshare.com Infected: Backdoor.Win32.IRCBot.bbn skipped
    C:\Documents and Settings\RuGrAtS.MMK\Local Settings\Temp\Pic012.zip ZIP: infected - 1 skipped
    Search for (exact BOLD TEXT given below) and consider deleting any files like the above red items:

    *.ZIP (located in \Local Settings\Temp\)



    PrevX reports numerous infected EXE files that would be located in the TEMP folder:

    http://spywaredlls.prevx.com/spyware...C=ADHI44242630



    Try the following to remove such infected EXE items:

    Clean out TEMPORARY FILES procedures:
    To clean your temp folder, recycle bin, etc..please download this free tool:

    CCleaner http://www.ccleaner.com/downloadbuilds.asp

    Install Options:
    • Don't install any Toolbars, or other programs, should it ask you!
    • Just uncheck the option of installing the Yahoo toolbar.

    It will put a shortcut on your Desktop.

    Do not run CCleaner until requested later.




    Run CCleaner in SAFE MODE (reboot tapping the F8 key after the beep).

    Select the ‘Options’ BUTTON option (top LEFT), ‘Advanced’ BUTTON, and then UNCHECK the ‘Only delete files in Windows Temp Folders older than 48 hours’ (often, the latest download traffic could be the bearer of bad content – RESET back to default after this particular cleaning).

    Select the ‘Cleaner’ BUTTON option (top LEFT), if not already selected. Use the ’Windows’ TAB up front by default.
    • Uncheck ‘Cookies’ option (advisable)
    • Optionally, Uncheck ‘Recently Typed URLs’ option (potentially still useful)
    • Click the ‘Analyse’ button.
    • Thereafter, click ‘Run Cleaner’ after you have reviewed what it proposes to clean.



    Otherwise, it might be advisable to consider using the fee-based option for 'PrevX CSI'.
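    As an added illustration, not code from this thread, from HijackThis or from PrevX, here is a small Python triage pass over a few lines of the log posted above: it parses the `Xn - ...` entry format and lists the items a reviewer would look at first. The three heuristics (browser start page set, O4 startup targets without an absolute path, O23 services whose binary is missing) are assumptions of my own for review ordering, not the thread's findings about which entries are malicious.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pussycat-ox.com/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows live Messenger] msn.com
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\PrevxCSI\\PrevxCSI.exe" /service (file missing)
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")  # "O4 - ..." style lines
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")                          # drive-letter path

def parse_entries(log_text):
    """Return (section, body) pairs for every 'Xn - ...' line of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def startup_target(body):
    """Extract the launched program from an O4 body (Run-key or Global Startup form)."""
    if "] " not in body:                       # Global Startup form: "name.lnk = path"
        return body.split(" = ", 1)[-1].strip()
    rest = body.split("] ", 1)[1].strip()
    if rest.startswith('"'):                   # quoted path, may contain spaces
        return rest[1:].split('"', 1)[0]
    return rest.split()[0] if rest else ""     # first token; arguments dropped

def triage(log_text):
    """Heuristic review list (assumed rules): items a human should check first, not verdicts."""
    flags = []
    for section, body in parse_entries(log_text):
        if section in ("R0", "R1") and "Start Page" in body:
            flags.append((section, "browser start page set", body.split(" = ", 1)[-1]))
        elif section == "O4":
            target = startup_target(body)
            if not ABS_PATH_RE.match(target):
                flags.append((section, "startup target is not an absolute path", target))
        elif section == "O23" and "(file missing)" in body:
            flags.append((section, "service binary missing on disk", body))
    return flags
```

Run `triage(open("hijackthis.log").read())` against a saved log to get the same list for a real file; everything it returns still needs a human to decide whether the entry is legitimate.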

  7. #7
    elva is offline Newbie
    Uhm,
    I still can't see it.
