Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hi, please help new fish like me


  • Please log in to reply
1 reply to this topic

#1 benwai123

benwai123

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:22 PM

Posted 11 November 2004 - 06:06 AM

Hi, I ma new here and I am having problem with a taks named "mp3fax.exe" which from time to time eats up to 80% of CPU power. I found this in the machine registry and exe file with hidden attritude in the \windows\systems

I tried removing the registry and file with "hijackthis", killbox and even with regedit. But the registry was still there when rebooted. Here below is my hijackthis log. Please give me some hint what to do.

Thanks a lot

Ben

--------------------------------------------------------------------
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Norton Internet Security\SymProxySvc.exe
E:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\VERITAS Software\StorageGuard\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\IMWEBSTA.EXE
E:\utilities\Winamp\Winampa.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
E:\Program Files\Norton Internet Security\IAMAPP.EXE
E:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\Config\mp3fax.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\QTRAYIME.EXE
C:\Program Files\Yahoo!\YPSR\ypsr.exe
C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\ycomp_5.5.7.0_ypsr_1.8_setup_.exe
C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\GLB2F.tmp
C:\WINDOWS\System32\wuauclt.exe
E:\Netscape\Netscape 6\Netscp.exe
E:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\IBMUSER\Application Data\Mozilla\Profiles\default\655cj03t.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\IBMUSER\Application Data\Mozilla\Profiles\default\655cj03t.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\lituteni.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\lituteni.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\lituteni.dat
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\xaf3pm.dat
O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\aluesm.dat
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\StorageGuard\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IMWEBSTA.EXE] IMWEBSTA.EXE START
O4 - HKLM\..\Run: [WinampAgent] "E:\utilities\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [imjpmig] E:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [iamapp] E:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [*dllms] C:\WINDOWS\AppPatch\dllms.exe
O4 - HKLM\..\Run: [*netcmd] C:\WINDOWS\repair\netcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [*mp3fax] C:\WINDOWS\Config\mp3fax.exe
O4 - HKLM\..\RunOnce: [*mp3fax] C:\WINDOWS\Config\mp3fax.exe rerun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\Registration\dlldvd.exe ren time:1100138307
O4 - Startup: Q9 Tray.lnk = C:\WINDOWS\system32\QTRAYIME.EXE
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\Common Files\Microsoft Shared\TextConv\PDF32\IEShellExt.dll /101
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C38DC91-BB3F-4CA0-B9E8-B6540D24E640}: NameServer = 61.93.230.187,203.80.96.9,203.80.96.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AAD6C79-6B22-40BD-8C87-A5A402C19123}: NameServer = 203.80.96.10,205.252.144.77,
O17 - HKLM\System\CS1\Services\Tcpip\..\{3C38DC91-BB3F-4CA0-B9E8-B6540D24E640}: NameServer = 61.93.230.187,203.80.96.9,203.80.96.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{3C38DC91-BB3F-4CA0-B9E8-B6540D24E640}: NameServer = 61.93.230.187,203.80.96.9,203.80.96.10

BC AdBot (Login to Remove)

 


#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,590 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:06:22 PM

Posted 11 November 2004 - 08:03 PM

Note, please read this carefully, as the steps do repeat a few times, but the last step does change a bit

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

Select the Delete on reboot option.


In the field labeled "Full path of file to delete" enter C:\DOCUMENTS AND SETTINGS\IBMUSER\LOCAL SETTINGS\Temp\lituteni.dat

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.


Next In the field labeled "Full path of file to delete" enter C:\DOCUMENTS AND SETTINGS\IBMUSER\LOCAL SETTINGS\Temp\xaf3pm.dat

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.


Next In the field labeled "Full path of file to delete" enter C:\DOCUMENTS AND SETTINGS\IBMUSER\LOCAL SETTINGS\Temp\aluesm.dat

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.


Next In the field labeled "Full path of file to delete" enter C:\WINDOWS\AppPatch\dllms.exe

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.


Next In the field labeled "Full path of file to delete" enter C:\WINDOWS\repair\netcmd.exe

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.


Next In the field labeled "Full path of file to delete" enter C:\WINDOWS\Config\mp3fax.exe

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.


Next In the field labeled "Full path of file to delete" enter C:\WINDOWS\Registration\dlldvd.exe

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.


Next In the field labeled "Full path of file to delete" enter C:\WINDOWS\system32\hostx.exe

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.


Next In the field labeled "Full path of file to delete" enter C:\WINDOWS\system32\bkinst.exe

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the YES button.


Your computer will now reboot and check to see if the file is gone.


When it reboots, fix these entries in hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\lituteni.dat
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\lituteni.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\lituteni.dat
O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\xaf3pm.dat
O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\aluesm.dat
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [*dllms] C:\WINDOWS\AppPatch\dllms.exe
O4 - HKLM\..\Run: [*netcmd] C:\WINDOWS\repair\netcmd.exe
O4 - HKLM\..\Run: [*mp3fax] C:\WINDOWS\Config\mp3fax.exe
O4 - HKLM\..\RunOnce: [*mp3fax] C:\WINDOWS\Config\mp3fax.exe rerun
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\Registration\dlldvd.exe ren time:1100138307

Reboot and post a new log




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users