Nod 32

[peat moss]

Originally posted by ZeroTolerance+8 August 2004 - 13:28--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (ZeroTolerance @ 8 August 2004 - 13:28)</td></tr><tr><td id='QUOTE'> <!--QuoteBegin-peat moss@8 August 2004 - 21:20
ZeroTolerance,&nbsp; Friend you have some major problems with that puter&#33; Have you tryed
Hijack this ? Run program then post here. Some kind soul will help.


http://www.siena.edu/antivirus/Spyware/hijackthis.htm

ogfile of HijackThis v1.98.0
Scan saved at 4:30:50 PM, on 8/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:&#092;WINDOWS&#092;System32&#092;smss.exe
C:&#092;WINDOWS&#092;system32&#092;winlogon.exe
C:&#092;WINDOWS&#092;system32&#092;services.exe
C:&#092;WINDOWS&#092;system32&#092;lsass.exe
C:&#092;WINDOWS&#092;system32&#092;svchost.exe
C:&#092;WINDOWS&#092;System32&#092;svchost.exe
C:&#092;WINDOWS&#092;system32&#092;spoolsv.exe
C:&#092;Program Files&#092;Alwil Software&#092;Avast4&#092;aswUpdSv.exe
C:&#092;Program Files&#092;Alwil Software&#092;Avast4&#092;ashServ.exe
C:&#092;PROGRA~1&#092;Grisoft&#092;AVG6&#092;avgserv.exe
C:&#092;Program Files&#092;Softex&#092;OmniPass&#092;Omniserv.exe
C:&#092;WINDOWS&#092;System32&#092;svchost.exe
C:&#092;Program Files&#092;Softex&#092;OmniPass&#092;OPXPApp.exe
C:&#092;WINDOWS&#092;Explorer.EXE
C:&#092;windows&#092;system&#092;hpsysdrv.exe
C:&#092;HP&#092;KBD&#092;KBD.EXE
C:&#092;PROGRA~1&#092;ALWILS~1&#092;Avast4&#092;ashDisp.exe
C:&#092;PROGRA~1&#092;ALWILS~1&#092;Avast4&#092;ashmaisv.exe
C:&#092;Program Files&#092;Messenger&#092;msmsgs.exe
C:&#092;Program Files&#092;interMute&#092;SpamSubtract&#092;SpamSubtract.exe
C:&#092;Documents and Settings&#092;Owner&#092;Desktop&#092;trayit&#092;trayit&#33;.exe
C:&#092;Program Files&#092;Kazaa Lite K++&#092;KazaaLite.kpp
C:&#092;Program Files&#092;Internet Explorer&#092;IEXPLORE.EXE
C:&#092;Program Files&#092;Trojan Remover&#092;jyi1.exe
C:&#092;Program Files&#092;Trojan Remover&#092;jyi1.exe
C:&#092;Documents and Settings&#092;Owner&#092;Desktop&#092;hijackthis.exe

R1 - HKCU&#092;Software&#092;Microsoft&#092;Internet Explorer&#092;Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU&#092;Software&#092;Microsoft&#092;Internet Explorer&#092;Main,Search Page = http://google.icq.com
R0 - HKCU&#092;Software&#092;Microsoft&#092;Internet Explorer&#092;Main,Start Page = http://yahoo.sbc.com/dsl
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:&#092;Program Files&#092;ICQToolbar&#092;toolbaru.dll
O2 - BHO: Yahoo&#33; Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:&#092;Program Files&#092;Yahoo&#33;&#092;Messenger&#092;ycomp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:&#092;PROGRA~1&#092;SPYBOT~1&#092;SDHelper.dll
O3 - Toolbar: &Yahoo&#33; Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:&#092;Program Files&#092;Yahoo&#33;&#092;Messenger&#092;ycomp.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:&#092;Program Files&#092;ICQToolbar&#092;toolbaru.dll
O4 - HKLM&#092;..&#092;Run: [hpsysdrv] c:&#092;windows&#092;system&#092;hpsysdrv.exe
O4 - HKLM&#092;..&#092;Run: [KBD] C:&#092;HP&#092;KBD&#092;KBD.EXE
O4 - HKLM&#092;..&#092;Run: [NvCplDaemon] RUNDLL32.EXE C:&#092;WINDOWS&#092;System32&#092;NvCpl.dll,NvStartup
O4 - HKLM&#092;..&#092;Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM&#092;..&#092;Run: [NeroFilterCheck] C:&#092;WINDOWS&#092;system32&#092;NeroCheck.exe
O4 - HKLM&#092;..&#092;Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM&#092;..&#092;Run: [AVG_CC] C:&#092;PROGRA~1&#092;Grisoft&#092;AVG6&#092;avgcc32.exe /STARTUP
O4 - HKLM&#092;..&#092;Run: [avast&#33;] C:&#092;PROGRA~1&#092;ALWILS~1&#092;Avast4&#092;ashDisp.exe
O4 - HKLM&#092;..&#092;Run: [ashMaiSv] C:&#092;PROGRA~1&#092;ALWILS~1&#092;Avast4&#092;ashmaisv.exe
O4 - HKLM&#092;..&#092;Run: [TrojanScanner] C:&#092;Program Files&#092;Trojan Remover&#092;Trjscan.exe
O4 - HKCU&#092;..&#092;Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU&#092;..&#092;Run: [MSMSGS] "C:&#092;Program Files&#092;Messenger&#092;msmsgs.exe" /background
O4 - HKCU&#092;..&#092;Run: [Yahoo&#33; Pager] C:&#092;Program Files&#092;Yahoo&#33;&#092;Messenger&#092;ypager.exe -quiet
O4 - HKCU&#092;..&#092;Run: [Window Washer] C:&#092;Program Files&#092;Webroot&#092;Washer&#092;wwDisp.exe
O4 - Startup: spamsubtract.lnk = C:&#092;Program Files&#092;interMute&#092;SpamSubtract&#092;SpamSubtract.exe
O4 - Startup: TrayIt&#33;.lnk = C:&#092;Documents and Settings&#092;Owner&#092;Desktop&#092;trayit&#092;trayit&#33;.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:&#092;Program Files&#092;Quicken&#092;bagent.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:&#092;Program Files&#092;ICQToolbar&#092;toolbaru.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:&#092;WINDOWS&#092;System32&#092;msjava.dll
O9 - Extra &#39;Tools&#39; menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:&#092;WINDOWS&#092;System32&#092;msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:&#092;Program Files&#092;Microsoft Money&#092;System&#092;mnyside.dll (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab [/b][/quote]
Wow are you quick&#33; Good one.

[ZeroTolerance]

Originally posted by Rip The Jacker+8 August 2004 - 21:33--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (Rip The Jacker @ 8 August 2004 - 21:33)</td></tr><tr><td id='QUOTE'>

Originally posted by ZeroTolerance@8 August 2004 - 13:25
<!--QuoteBegin-Rip The Jacker

@8 August 2004 - 21:16
If you can&#39;t find the file, all you have to do is go to Start > Run > type in "C:&#092;WINDOWS&#092;system32&#092;config&#092;systemprofile&#092;Local Settings&#092;Temp&#092;" without the quotes, and click OK, the folder holding the trojan should have opened up.

wouldnt that activate the trojan?

No. Just make sure you leave out the "bi.cab" part at the end.

Do this at Start > Run:
C:&#092;WINDOWS&#092;system32&#092;config&#092;systemprofile&#092;Local Settings&#092;Temp&#092;
And look for the "bi.cab" file and delete it.

Don&#39;t do this:
C:&#092;WINDOWS&#092;system32&#092;config&#092;systemprofile&#092;Local Settings&#092;Temp&#092;bi.cab
That will open the file. [/b][/quote]
ok i searched for the file and i dont see bi.cab

i see

bi
bi
bi

[hungrylilboy]

not being funny but get rid of avast&#33;
i had it for years and was a huge fan until i got a very bad destructive virus that killed all my .exes, .mp3, .avi files.
i then learnt that they dont have a huge database of old viruses, simply use the most common ones which is how they get good results in "in the wild" tests. they recently failed some tests too.

my advice would be to clean it up this time then move to kav or nav.

[ZeroTolerance]

i did, anybody know any other good programs?

[Rip The Jacker]

Originally posted by ZeroTolerance@8 August 2004 - 13:35
ok i searched for the file and i dont see bi.cab

i see

bi
bi
bi

3 "bi" files? What are they&#39;re extensions? In fact, I&#39;d bet those are the files your looking for.

[Chame1eon]

you can see the extensions by going to my computer>tools>folder options>view and unchecking "hide extensions for known file types"
if you open the cab file with winrar you can find and delete the file without deleting the entire archive.

[ZeroTolerance]

Originally posted by Chame1eon@9 August 2004 - 07:30
you can see the extensions by going to my computer>tools>folder options>view and unchecking "hide extensions for known file types"
if you open the cab file with winrar you can find and delete the file without deleting the entire archive.

it was a winrar bi.cab file but i deleted it already but i deleted the file but its still active on my computer. how do i get rid of it completely?

[peat moss]

Originally posted by ZeroTolerance+9 August 2004 - 12:02--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (ZeroTolerance @ 9 August 2004 - 12:02)</td></tr><tr><td id='QUOTE'> <!--QuoteBegin-Chame1eon@9 August 2004 - 07:30
you can see the extensions by going to my computer>tools>folder options>view and unchecking "hide extensions for known file types"
if you open the cab file with winrar you can find and delete the file without deleting the entire archive.

it was a winrar bi.cab file but i deleted it already but i deleted the file but its still active on my computer. how do i get rid of it completely? [/b][/quote]
Is it still in the winrar archive?

[ZeroTolerance]

Originally posted by peat moss+9 August 2004 - 20:09--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (peat moss @ 9 August 2004 - 20:09)</td></tr><tr><td id='QUOTE'>

Originally posted by ZeroTolerance@9 August 2004 - 12:02
<!--QuoteBegin-Chame1eon

@9 August 2004 - 07:30
you can see the extensions by going to my computer>tools>folder options>view and unchecking "hide extensions for known file types"
if you open the cab file with winrar you can find and delete the file without deleting the entire archive.

it was a winrar bi.cab file but i deleted it already but i deleted the file but its still active on my computer. how do i get rid of it completely?

Is it still in the winrar archive? [/b][/quote]
no i deleted before i put it in winrar, i just deleted manually.

[Chame1eon]

I&#39;m not sure what you are saying. you deleted it then put it in winrar ?