Analysing HijackThis Log File

  • Thread starter Thread starter Marcus Reiter
  • Start date Start date
M

Marcus Reiter

Hi,

I had really bad problems with my PC -
first I had heaps of Spyware installed like something from 180 Solutions,
then I had Worms and Trojans and stuff.

Then I searched with Google and followed pretty much this instruction:
http://www.webuser.co.uk/cgi-bin/fo...=142301&page=1&view=collapsed&sb=5&o=93&part=


So I went to Save Mode (with Network drivers to be able to be online) I
installed and ran about 3 different Anti-Spyware programms,
then I used the online Scanners Housecall and Online Trojan Scan -
Housecall found 5 viruses in System32, Trojan Scan found nothing,
last but not least I used Sophos in console mode by typing in
SAV32CLI and it said:

Sophos Anti-Virus
Version 3.89.0 [Win32/Intel]
Virus data version 3.89, January 2005
Includes detection for 98175 viruses, trojans and worms

Then I looked up something new and typed in:
SAV32CLI -DI -P=C:\ELKLOGC.TXT
And it said:

Quick Scanning

2 boot sectors swept.
132602 files swept in 39 minutes and 20 seconds.
2 viruses were discovered.
2 files out of 132602 were infected.
Last but not least right now I am running:
SAV32CLI -REMOVE -P=C:\KLEZLOGC.TXT



I guess it should all be good then, but I am not completly sure, so I made
another HijackThis Protocoll.
Maybe you could have a look and tell me if all is fine now or what else I
will have to do:

Logfile of HijackThis v1.99.0
Scan saved at 02:01:14, on 05.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LVComsX.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\cmd.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\SAV32CLI\SAV32CLI.EXE
C:\Programme\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Programme\WebCam\FxSvr2.exe
C:\Dokumente und Einstellungen\Marcus\Lokale Einstellungen\Temp\Temporäres
Verzeichnis 1 für hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} -
C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class -
{AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat
6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} -
C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\bdfkole.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\goegwmr.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AntiVir\AVGNT.EXE" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe"
/background
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: &Google Search -
res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Alles mit FlashGet laden -
C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Im Cache gespeicherte Seite -
res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Mit FlashGet laden -
C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten -
res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten -
res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Preispiraten 2.1.2 -
{86DE8B3B-1EB7-4386-84BD-EBE94348A913} -
C:\Programme\Preispiraten\Preispiraten2\preispiraten2ie.exe
O9 - Extra button: Preispiraten - {94A15285-AAE6-44E8-B2D7-4A2C6CDA9185} -
C:\Programme\Preispiraten\preispiraten.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} -
C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet -
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095606310968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -
file://C:\Dokumente und Einstellungen\Marcus\Lokale
Einstellungen\Temp\EI40_\msxml4.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{8DBFDA2C-0C0B-4A25-B537-616DA093B9BE}:
NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Unknown - C:\Programme\Gemeinsame
Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH -
C:\Programme\AntiVir\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany -
C:\Programme\AntiVir\AVWUPSRV.EXE
O23 - Service: cyberJack PC/SC Service - REINER SCT -
C:\WINDOWS\system32\cJPCSC.exe
O23 - Service: Intel(R) Active Monitor - Unknown - C:\Program
Files\Intel\Intel(R) Active Monitor\imonnt.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown -
C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia
Licensing.exe
O23 - Service: MySQL - Unknown - C:\MySQL\bin\mysqld-nt".exe (file missing)
O23 - Service: Sophos Anti-Virus - Sophos Plc - C:\Programme\Sophos Anti
Vir\SWEEPSRV.SYS
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH -
C:\Programme\TuneUp Utilities\WinStylerThemeSvc.exe



Is that all good again or what would you suggest?

Thanks,

Marcus
 
Marcus said:
Hi,

I had really bad problems with my PC -
first I had heaps of Spyware installed like something from 180 Solutions,
then I had Worms and Trojans and stuff.

Then I searched with Google and followed pretty much this instruction:
http://www.webuser.co.uk/cgi-bin/fo...=142301&page=1&view=collapsed&sb=5&o=93&part=


So I went to Save Mode (with Network drivers to be able to be online) I
installed and ran about 3 different Anti-Spyware programms,
then I used the online Scanners Housecall and Online Trojan Scan -
Housecall found 5 viruses in System32, Trojan Scan found nothing,
last but not least I used Sophos in console mode by typing in
SAV32CLI and it said:

Sophos Anti-Virus
Version 3.89.0 [Win32/Intel]
Virus data version 3.89, January 2005
Includes detection for 98175 viruses, trojans and worms



Then I looked up something new and typed in:
SAV32CLI -DI -P=C:\ELKLOGC.TXT
And it said:

Quick Scanning



2 boot sectors swept.
132602 files swept in 39 minutes and 20 seconds.
2 viruses were discovered.
2 files out of 132602 were infected.
Last but not least right now I am running:
SAV32CLI -REMOVE -P=C:\KLEZLOGC.TXT



I guess it should all be good then, but I am not completly sure, so I made
another HijackThis Protocoll.
Maybe you could have a look and tell me if all is fine now or what else I
will have to do:

Logfile of HijackThis v1.99.0
Scan saved at 02:01:14, on 05.01.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LVComsX.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\cmd.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\SAV32CLI\SAV32CLI.EXE
C:\Programme\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Programme\WebCam\FxSvr2.exe
C:\Dokumente und Einstellungen\Marcus\Lokale Einstellungen\Temp\Temporäres
Verzeichnis 1 für hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} -
C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class -
{AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat
6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} -
C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\bdfkole.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\goegwmr.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Programme\AntiVir\AVGNT.EXE" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe"
/background
O4 - HKCU\..\Run: [SpySweeper] "C:\Programme\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: &Google Search -
res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Alles mit FlashGet laden -
C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Im Cache gespeicherte Seite -
res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Mit FlashGet laden -
C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten -
res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten -
res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Programme\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Preispiraten 2.1.2 -
{86DE8B3B-1EB7-4386-84BD-EBE94348A913} -
C:\Programme\Preispiraten\Preispiraten2\preispiraten2ie.exe
O9 - Extra button: Preispiraten - {94A15285-AAE6-44E8-B2D7-4A2C6CDA9185} -
C:\Programme\Preispiraten\preispiraten.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} -
C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet -
{D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095606310968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -
file://C:\Dokumente und Einstellungen\Marcus\Lokale
Einstellungen\Temp\EI40_\msxml4.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{8DBFDA2C-0C0B-4A25-B537-616DA093B9BE}:
NameServer = 192.168.0.1
O23 - Service: Adobe LM Service - Unknown - C:\Programme\Gemeinsame
Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service - H+BEDV Datentechnik GmbH -
C:\Programme\AntiVir\AVGUARD.EXE
O23 - Service: AntiVir Update - H+BEDV Datentechnik GmbH, Germany -
C:\Programme\AntiVir\AVWUPSRV.EXE
O23 - Service: cyberJack PC/SC Service - REINER SCT -
C:\WINDOWS\system32\cJPCSC.exe
O23 - Service: Intel(R) Active Monitor - Unknown - C:\Program
Files\Intel\Intel(R) Active Monitor\imonnt.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown -
C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia
Licensing.exe
O23 - Service: MySQL - Unknown - C:\MySQL\bin\mysqld-nt".exe (file missing)
O23 - Service: Sophos Anti-Virus - Sophos Plc - C:\Programme\Sophos Anti
Vir\SWEEPSRV.SYS
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH -
C:\Programme\TuneUp Utilities\WinStylerThemeSvc.exe



Is that all good again or what would you suggest?

Thanks,

Marcus
Click to expand...
You can find forums to post the log to have it analyzed here:
http://tomcoyote.org/hjt/
-max

--
Virus Removal Instructions: http://www.geocities.com/maxpro4u/
Keeping Windows Clean: http://www.geocities.com/maxpro4u/madmax.html
Virus Cleaning+Fixes: http://www.geocities.com/maxpro4u/TechPros
Change nomail.afraid.org to neo.rr.com so you can reply by e-mail
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)
 
Max M.Wachtel III - 05.01.2005 05:38 :

~ 200! unnecessary quoting lines (snipped) as usual. And all these many
SIG lines too. Are'nt you learnable?
 
in message ..
~ 200! unnecessary quoting lines (snipped) as usual.
Click to expand...

* giggles * .. is it all the scrolling, or all the bandwidth, or all the
many seconds lost due to all the scrolling and bandwidth waste, that ticks
you off? :-)
 
pp said:
in message ..


* giggles * .. is it all the scrolling, or all the bandwidth, or
all the many seconds lost due to all the scrolling and bandwidth
waste, that ticks you off? :-)
Click to expand...

You could add "all the storage space on thousands of news servers" to
that line for the next time... <g>
 
Somehow I *knew* your reply would follow....

--
Dave




| Max M.Wachtel III - 05.01.2005 05:38 :
|
| ~ 200! unnecessary quoting lines (snipped) as usual. And all these many
| SIG lines too. Are'nt you learnable?
|
| > You can find forums to post the log to have it analyzed here:
| > http://tomcoyote.org/hjt/
| > -max
| >
|
|
| --
| by(e) PS
|
| spam will be killed
|
 
On that special day, Marcus Reiter, ([email protected]) said...
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
Click to expand...

Was ist das für ein Dings (what's that)?
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\bdfkole.exe
Click to expand...

"Eigenschaften von bdfkole.exe" bitte angeben (please report "properties
of bdfkole.exe"

(lots of Google toolbar related stuff)
O9 - Extra button: Preispiraten 2.1.2 -
{86DE8B3B-1EB7-4386-84BD-EBE94348A913} -
C:\Programme\Preispiraten\Preispiraten2\preispiraten2ie.ex
O9 - Extra button: Preispiraten - {94A15285-AAE6-44E8-B2D7-4A2C6CDA9185} -
C:\Programme\Preispiraten\preispiraten.exe
Click to expand...

This is a certain website in Germany, that is looking for the cheapest
price of a given item...
O17 -
HKLM\System\CCS\Services\Tcpip\..\{8DBFDA2C-0C0B-4A25-B537-616DA093B9BE}:
NameServer = 192.168.0.1
Click to expand...

Wozu gehört das / Where does this belong to? Dein eigener Rechner bietet
einen Dienst an / your own machine is offering a service? Für wen / to
whom?
O23 - Service: cyberJack PC/SC Service - REINER SCT -
C:\WINDOWS\system32\cJPCSC.exe
Click to expand...

Wozu gehört das? Ich glaube, es ist ein legitimes Programm, aber ich
möchte sicher sein. / Where does that belong to? I think it is legit,
but wnat to be sure.
O23 - Service: Intel(R) Active Monitor - Unknown - C:\Program
Files\Intel\Intel(R) Active Monitor\imonnt.exe (file missing)
Click to expand...

Da wurde etwas weg geputzt, aber nicht sein Eintrag / something was
reoved, but not the registry entry.

Du hast http://faq.jors.net/virus gelesen und entsprechend gehandelt?
Bei einer *derartigen* Sammlung gibt es *keine* Garantie mehr, dass Du
Deinen Rechner wieder sauber bekommst. Trojaner neigen dazu, Junge zu
bekommen, im Dutzend, und mit einer hohen Mutationsrate. Kein Programm
der Welt kann *alle* Trojaner erkennen; die Programmierer entwickeln
eine Menge Kreativität, wenn es darum geht, die üblichen Prüfwege zu
umgehen.

Und Dein Rechner hat der Welt als allgemeiner Service zur Verfügung
gestanden

http://board.protecus.de/showtopic.php?threadid=13433

(I told him he cannot be sure that all malware is gone, as trojans tend
to breed, feetch other trojans, and that no progrm on this planet can
identify *all* trojans, with their many methods of sneaking into the
machine, and avoiding detection)

Marcus, you've been told exactly this in the German anti virus
newsgroup, listen to their answers. Back up your data (everything that
is NOT executable), format, re-install, install SP2, do NOT go onto
internet until *everything* is patched, and THEN connect again. Your
machine might have been a DDoS helper, mass mailer, fileserver and
whatnot, and you believe, you can have it going on like that for ever?

http://www.sophos.com/virusinfo/analyses/w32rbotsq.html (Advanced)

Sheesh.


Gabriele Neukam

(e-mail address removed)
 
"Beauregard T. Shagnasty" wrote in message
You could add "all the storage space on thousands of news servers" to
that line for the next time... <g>
Click to expand...

well since i dont run a news server i wouldnt know.. whats 20,000 * 8kb (8kb
being long post, 9kb being long post with 200 lines quoted) .. hold on hold
on, whats 500,000 * 8kb...

omg omg omg its almost 4GB . i figure they run low on space they parse/cut
the old, out with the old in with the new.. hmm 42 seconds worth of
bandwidth on a gigabit network, if they exist. expensive, but 42 seconds..
and maybe 2% of the total space.. for my next trick i divide 4GB by 2 and
times by 100... nah.. i just cant do the maths..

so our friend peter runs a news server with 1,000,000 users on 60,000
groups? on dialup? with a 20MB hd? oh my god! is he nuts?
 
pp said:
"Beauregard T. Shagnasty" wrote in message

well since i dont run a news server i wouldnt know.. whats 20,000 *
8kb (8kb being long post, 9kb being long post with 200 lines
quoted) .. hold on hold on, whats 500,000 * 8kb...

omg omg omg its almost 4GB . <snip>
Click to expand...

<lol> What's funnier/worse is when a person posts a message:

Picture of my cat.
<attached: mycat.jpg - 400KB>

and someone replies:

Cute cat!
<INCLUDES attached: mycat.jpg - 400KB>

(What's 20,000 * 400KB ...)
 
winmedplay.exe is a new virus. It is hosing our company right now. We
are in touch with Symantec trying to work something out.
 
Please submit it to Virus Total -- http://www.virustotal.com/flash/index_en.html and the
suspect will be tested against several AV vendor's scanners.

Please post back the EXACT results.

--
Dave




| winmedplay.exe is a new virus. It is hosing our company right now. We
| are in touch with Symantec trying to work something out.
|
 
Mike said:
winmedplay.exe is a new virus. It is hosing our company right now. We
are in touch with Symantec trying to work something out.
Click to expand...

I misspoke. It is not a virus, but it is defintely new spy/ad/malware.

If you get it, kill the process then delete the file from system32.
Scan the registry and remove all entries. It shows up in Run and Run
Services. The key name is Microsofts MediaScope. Obviously, they want
you to believe it is MS Media Player.
 
I misspoke. It is not a virus, but it is defintely new spy/ad/malware.

If you get it, kill the process then delete the file from system32.
Scan the registry and remove all entries. It shows up in Run and Run
Services. The key name is Microsofts MediaScope. Obviously, they want
you to believe it is MS Media Player.
Click to expand...

Scanning the registry for startups is something HJT is good at,
but if you don't want to be overwhelmed by all the other BHO and toolbar
type info etc. have a go at Mike Lin's Startup Control Panel:
http://www.mlin.net/StartupCPL.shtml
 
Back
Top