Jonas_26
Occasional Advisor

VBS/psyme virus infection?!?!

My IE browser gets hijacked and I'm not sure how to get rid of it. I think it's the VBS/psyme virus, but I'm not sure. I've used Ad-Aware, CWShredder and Spybot Search and Destroy 1.3, but no luck. I've attached the logfile from HijackThis. Can someone please help?!?! Thanks!

Logfile of HijackThis v1.97.7
Scan saved at 5:48:38 PM, on 2005-01-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: ninemsn Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-au\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: &Google Search - res://c:\progra
Ron Kinner
Honored Contributor
Solution

Re: VBS/psyme virus infection?!?!

Please post your log as an attachment to a reply by pressing the Browse button and pointing at your log. Certain lines in the logs tend to cause the Forum software to go crazy. There must be several lines missing since if you are being hijacked you should have some R0 and R1 lines and your last line is truncated.

The only line in what I can see that even looks suspicious is

C:\WINDOWS\system32\conime.exe

This can be a legitimate MS program and can also be a trojan. The only way to tell is to right click on it and check its properties. You will have to make Windows let you see it, though.

http://www.bleepingcomputer.com/forums/tutorial62.html

Ron
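Ron's point above is that a real browser hijack normally shows up as R0/R1 lines and that a process name alone (conime.exe) tells you little. As an added example that is not part of the thread and not HijackThis's own code, here is a small Python parser for the log layout posted above. It pulls out the R/O entries and the "Running processes" list and applies two checks a practitioner would actually make first: whether a binary runs from a user-writable folder, and whether a core system binary name (svchost.exe, lsass.exe, ...) appears anywhere other than system32. The embedded log is constructed for the example (the Temp\svchost.exe process, the all-zero CLSID and the R1 search-page line are made up), and the heuristics are my own first-pass triage rules, not a verdict.

```python
"""Parse a HijackThis-style log and flag entries worth a second look (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the same layout as the log posted in the thread.  The Temp\svchost.exe
# process, the all-zero CLSID and the R1 search-page line are made up for this demonstration.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\conime.exe
C:\DOCUME~1\USER\LOCALS~1\Temp\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.test/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\helper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [update] C:\Documents and Settings\User\Local Settings\Temp\update.exe
"""

# "R1 - ...", "O2 - ...", "O4 - ..." entry lines.
ENTRY_RE = re.compile(r"^(?P<code>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# A Windows path ending in an executable-ish extension; spaces and 8.3 names (PROGRA~1) allowed.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|ocx|vbs|bat|cmd|scr|pif)\b", re.IGNORECASE)

# Folders an ordinary user can write to; autostarts and BHOs rarely belong there.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\documents and settings\\")
# Core binaries that only belong in %SystemRoot%\system32; a copy elsewhere is usually a masquerade.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}


@dataclass
class Entry:
    code: str                 # "PROC" for a running-process line, else the HijackThis code (R1, O2, O4, ...)
    body: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """Turn the log into Entry objects: one per R/O line and one per running process."""
    entries: List[Entry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # the process list ends at the first blank line
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            body = m.group("body")
            pm = PATH_RE.search(body)
            entries.append(Entry(m.group("code"), body, pm.group(0) if pm else None))
        elif in_procs and PATH_RE.fullmatch(line):
            entries.append(Entry("PROC", line, line))
    return entries


def flag(entries: List[Entry]) -> List[Entry]:
    """Attach a reason to every entry that matches a triage heuristic; return only the flagged ones."""
    for e in entries:
        if e.code in ("R0", "R1"):
            e.reasons.append("browser start/search page override (typical hijack footprint)")
        if e.path:
            low = e.path.lower()
            if any(seg in low for seg in USER_WRITABLE):
                e.reasons.append("binary lives in a user-writable folder")
            name = low.rsplit("\\", 1)[-1]
            if name in SYSTEM32_ONLY and "\\system32\\" not in low:
                e.reasons.append(f"{name} outside system32 (possible masquerade)")
    return [e for e in entries if e.reasons]


def triage(text: str) -> List[Entry]:
    return flag(parse_log(text))


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code:4} {e.path or e.body}\n     -> {'; '.join(e.reasons)}")
```

On the log actually posted in the thread this flags nothing, which matches Ron's reading: every autostart sits under Program Files or system32 and there are no R0/R1 lines. The value is in what it does not do: a "(no name)" BHO is not treated as suspicious by itself, because the thread's own log shows Acrobat, Spybot and the Google toolbar all registered that way.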



Jonas_26
Occasional Advisor

Re: VBS/psyme virus infection?!?!

Thanks Ron, I've attached the log now, but I can't see any R0 or R1. Every now and then a window pops up saying I have the VBS/psyme virus, but when I scan, I can't find it. Sorry, I may have used the wrong word as my computer skills are very basic. But the main problem is when I type internet addresses, another takes its place. Plus, I found the conime.exe file. It says it's a Console IME if that helps.
Thanks again Ron, I really appreciate it!
Ron Kinner
Honored Contributor

Re: VBS/psyme virus infection?!?!

Regarding: C:\WINDOWS\system32\conime.exe

This entry is used only when the locale of the computer is set to 932 (Japanese), 936 (Chinese), 949 (Korean Unified Hangul), or 950 (Chinese Big5 Extended).

Does that apply to you? Usually I see a bunch of other IME entries in the run section when conime is running.

http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/regentry/58824.asp

What URL is your homepage being hijacked to?

Try booting to Safe Mode (F8 without Networking) and rerun HijackThis and see if it shows anything different in the R1 R0 department.

Have you tried a free Panda scan?

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Ron


Jonas_26
Occasional Advisor

Re: VBS/psyme virus infection?!?!

Hi Ron,
I used HijackThis in safe mode but still no luck. But when I used that Panda software it did detect and remove something, but when I clicked to find out more, it changed and I wasn't able to find out more info on it. But I haven't had anything popping up saying I have a virus. Still, I have the problem. Usually all I have to do is delete history and it's clear. But I still have the problem of internet sites still coming up as I type in addresses (but it doesn't actually go to the site) as if I've been there before. Any suggestions?
Thanks heaps
Ron Kinner
Honored Contributor

Re: VBS/psyme virus infection?!?!

Tools > Internet Options > Clear History and see if that helps.

Ron
Jonas_26
Occasional Advisor

Re: VBS/psyme virus infection?!?!

I've done all the basic stuff like clear history, delete temp folder etc., but still no luck... This is being a pain!!! Any more ideas would be great!!! Thanks
Ron Kinner
Honored Contributor

Re: VBS/psyme virus infection?!?!

I have attached a short program called DirXP.txt. Save it to the Desktop (you can look at it with notepad) then open a CMD window and type:

cd "%UserProfile%\Desktop"
ren dirxp.txt dirxp.bat
dirxp.bat

That should create a new file on your desktop called junk.txt which lists all files in critical folders sorted by date. Makes the bad guys easier to recognize that way.

Either attach the file to a reply or email me directly at rkinner AT att DOT net

Ron
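Ron's DirXP.txt batch file is not reproduced in the thread, so here is an added Python equivalent of the idea (my own code, not Ron's script): list the files in a handful of critical folders with modification time and size, newest first, optionally restricted to the last N days. The default folder list is an assumption about what such a sweep would cover on an XP box, and the two-file tree the demo builds in a temp directory is constructed so the example runs anywhere.

```python
"""Newest-first file listing across critical folders, the idea behind a DirXP-style sweep (added example)."""
import os
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple

# Assumed folder list for an XP box; not taken from Ron's script.  %VARS% are expanded at run time.
DEFAULT_FOLDERS = [
    r"%SystemRoot%",
    r"%SystemRoot%\system32",
    r"%USERPROFILE%\Local Settings\Temp",
    r"%USERPROFILE%\Start Menu\Programs\Startup",
]

Row = Tuple[float, int, str]   # (mtime, size, path)


def sweep(folders: List[str], since_days: Optional[float] = None, now: Optional[float] = None) -> List[Row]:
    """Return (mtime, size, path) for every regular file directly inside each folder, newest first.

    since_days=7 keeps only files modified in the last week, which is usually the slice you read first.
    Hidden and system files are included; there is no Explorer-style filter here."""
    now = time.time() if now is None else now
    rows: List[Row] = []
    for folder in folders:
        p = Path(os.path.expandvars(folder))
        if not p.is_dir():
            continue
        for child in p.iterdir():
            try:
                st = child.stat()
            except OSError:              # vanished or unreadable; skip rather than abort the sweep
                continue
            if not child.is_file():
                continue
            if since_days is not None and now - st.st_mtime > since_days * 86400:
                continue
            rows.append((st.st_mtime, st.st_size, str(child)))
    rows.sort(key=lambda r: r[0], reverse=True)
    return rows


def format_report(rows: List[Row]) -> str:
    """Plain-text report in the spirit of junk.txt: date, size, path."""
    return "\n".join(
        f"{time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(m))}  {size:>10}  {path}"
        for m, size, path in rows
    )


def build_demo_tree(root: str) -> List[str]:
    """Constructed sample: an old 'system' file and a freshly written 'dropper' in a Temp folder."""
    sys32 = Path(root) / "system32"
    tmp = Path(root) / "Temp"
    sys32.mkdir()
    tmp.mkdir()
    old = sys32 / "conime.exe"
    new = tmp / "update.exe"
    old.write_bytes(b"MZ old")
    new.write_bytes(b"MZ new")
    now = time.time()
    os.utime(old, (now - 400 * 86400, now - 400 * 86400))   # last touched over a year ago
    os.utime(new, (now - 3600, now - 3600))                 # last touched an hour ago
    return [str(sys32), str(tmp)]


def demo() -> Tuple[List[Row], List[Row]]:
    """Build the constructed tree in a temp dir and sweep it; returns (all rows, last-7-days rows)."""
    root = tempfile.mkdtemp(prefix="dirxp_demo_")
    folders = build_demo_tree(root)
    return sweep(folders), sweep(folders, since_days=7)


if __name__ == "__main__":
    all_rows, recent = demo()
    print(format_report(all_rows))
    print("--- last 7 days ---")
    print(format_report(recent))
```

Run with the real list instead of the demo tree (sweep(DEFAULT_FOLDERS, since_days=7)) to get the equivalent of Ron's junk.txt. Two caveats a practitioner should keep in mind: a dropper can reset its own timestamps, so an old date on its own proves nothing, and unlike Explorer with default settings this listing does include hidden and system files, which is exactly what you want when hunting for a file you have been told Windows is hiding.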

Jonas_26
Occasional Advisor

Re: VBS/psyme virus infection?!?!

OK, I've done what you've said and I've sent an email. Did I send it right? Fingers crossed!!!
Ron Kinner
Honored Contributor

Re: VBS/psyme virus infection?!?!

OK. Got your file but nothing jumps out.

Replied to your email. Let me know if you can't save the silent.vb file or if it gets filtered out or if you don't get the email.

Ron