TechSpot

I think I'm infected.

By siedog
Oct 13, 2007
  1. I think I'm infected with something. I notice in the Task Manager it has muhta.exe, dvdplay.exe and msdtc.exe. These are processes which I haven't seen before. There's also something about an Internet Speed Monitor in my programs list which I've never downloaded or activated before, too. I've run my virus scan with updated definition files, Search/Destroy, a rootkit scanner and CCleaner. I've attached the latest HJT file. Please help.
     
  2. Rik

    Rik Banned Posts: 3,814

    There are a few questionable entries in your log; I suggest you go through the instructions below.


    You need to have a read of this: If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

    Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, Combofix, and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.


    This thread is for the use of siedog only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. siedog

    siedog TS Rookie Topic Starter Posts: 46

    OK, I ran through the instructions above (took me a while). Here are the latest HJT, Combofix and AVG Antispyware files.

    For the anti-rootkit, it found this: c:\program files\common files\?ystem32\m?hta.exe (hidden application file)

    It looks like my computer is working ok for now. Please advise.

    Thanks.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have the anti-rootkit programme fix that file; it's nasty. Post a fresh HJT log when done.

    Regards Howard :)

     
  5. siedog

    siedog TS Rookie Topic Starter Posts: 46

    OK, I disconnected from the net and ran the rootkit scan, but this time it didn't find anything. Attached is the new HJT log. Please let me know if there's anything to improve or advise.

    Thanks a lot.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    Have HJT fix this unnecessary entry.

    O4 - HKCU\..\Run: [popcast] "C:\Program Files\Popcast\popcast.exe" -boot

    Locate and delete the following files and/or directories (if present).

    C:\WINNT\system32\mlnmp.bak1
    C:\WINNT\system32\mlnmp.bak2
    C:\Qoobox

    Other than the above, your system looks clean.

    Are you still having problems?

    Regards Howard :)

     
  7. siedog

    siedog TS Rookie Topic Starter Posts: 46

    OK, I've used HJT to fix the entry, but I noticed it also had the entry:

    O4 - HKCU\..\Run: [Kkuknkg] "C:\Program Files\Common Files\?ystem32\m?hta.exe"

    Do I use HJT to fix this one also? The rootkit scan didn't find it, though.

    I found all 3 files/folders and deleted them. I also found mlnmp.ini in the C:\WINNT\system32\ folder too. Do you think I should delete this file too?

    Please advise and thanks a lot for your help.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, delete the mlnmp.ini file.

    Also, have HJT fix the O4 - HKCU\..\Run: [Kkuknkg] "C:\Program Files\Common Files\?ystem32\m?hta.exe" entry.

    Reboot your system and run a fresh HJT scan. Let me know if that entry still shows up. If it does, post a fresh HJT log.

    Regards Howard :)

     
  9. siedog

    siedog TS Rookie Topic Starter Posts: 46

    OK, I deleted the ini file and used HJT to fix that entry, rebooted and ran HJT again. The entry looks gone. Attached is the new HJT file.

    I hope this will do it. I installed ZoneAlarm as a firewall, but it seems to use up quite a bit of memory (23,576 K). I know it's necessary, but is there any way to lower this?

    Also, IE uses up a lot of memory too. Right now it's 50,548 K after going to about 3 web sites only. Any way this can be remedied?

    I know this is off topic, but any help or advice appreciated. Otherwise, the malware/virus/spyware issue seems ok for now.

    Thanks.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Have HJT fix these entries.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    Delete this file.

    C:\windows\system32\blank.htm

    You could always try Comodo instead. It's supposed to have a smaller footprint than ZoneAlarm.

    Turn off System Restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

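The entries Howard singles out in the posts above share two tells that can be checked mechanically rather than by eye. A `?` cannot occur in a Windows file name, so `?ystem32` and `m?hta.exe` in posts 7 and 8 mean the log rendered a character outside its code page, the usual sign of a folder or file named to look like a real system path. And a Local Page under `C:\windows` cannot be the real default on a Windows 2000 box, whose system folder is `C:\WINNT` (as post 16 confirms). The script below is an added example written for this page; it is not a TechSpot or HijackThis tool and not the poster's attached log. Its sample lines are constructed (two mirror entries quoted in the thread, the rest are invented clean entries), the list of well-known names it compares against and the vowel-ratio heuristic for auto-generated Run value names are assumptions, and on a real machine you would point it at a saved HJT log instead of `SAMPLE_LOG`.

```python
"""Triage HijackThis-style O4 (Run value) and R0 (IE page) entries for lookalike paths.

Added example for this page; not a HijackThis feature and not the poster's log.
"""
import fnmatch
import re
from typing import Dict, List, Optional

# Constructed sample log. Two lines mirror entries quoted in the thread; the
# others are ordinary-looking entries invented here so the script has clean
# lines to leave alone.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [popcast] "C:\Program Files\Popcast\popcast.exe" -boot
O4 - HKCU\..\Run: [Kkuknkg] "C:\Program Files\Common Files\?ystem32\m?hta.exe"
O4 - HKLM\..\Run: [Synchronization Manager] C:\WINNT\system32\mobsync.exe /logon
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.techspot.com/
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R0_RE = re.compile(r"^R[0-3] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# Program path at the start of a Run command, quoted or not; arguments are dropped.
PATH_RE = re.compile(
    r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|hta|scr|bat|cmd|vbs|js|htm|html))"?', re.I)

# Names a hidden file or folder tends to imitate (assumed list, not exhaustive).
WELL_KNOWN = ["system32", "system", "winnt", "windows", "mshta.exe", "svchost.exe",
              "explorer.exe", "msdtc.exe", "rundll32.exe"]
# None of these can appear in a Windows file name (the drive colon is skipped
# separately), so one showing up in a log means the log rendered a character
# it could not display, typically a non-ASCII lookalike letter.
ILLEGAL = set('<>:"|?*')


def lookalike(component: str) -> Optional[str]:
    """Return the well-known name a path component imitates, or None if exact/unrelated."""
    c = component.lower()
    for known in WELL_KNOWN:
        if c == known:
            return None  # the genuine name, nothing to flag
        # fnmatch treats '?' as a one-character wildcard, so '?ystem32' matches
        # 'system32'; the second test catches a single substituted letter
        # (e.g. a Cyrillic 'с') that survived the log's code page.
        if fnmatch.fnmatchcase(known, c) or (
                len(c) == len(known) and sum(a != b for a, b in zip(c, known)) == 1):
            return known
    return None


def suspicious_name(run_value_name: str) -> bool:
    """Heuristic (assumed): auto-generated Run value names like 'Kkuknkg' are vowel-poor."""
    letters = [ch for ch in run_value_name.lower() if ch.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(ch in "aeiouy" for ch in letters)
    return vowels / len(letters) < 0.2


def check_path(path: str) -> List[str]:
    """Findings for one file path: impossible characters and lookalike components."""
    findings: List[str] = []
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    if any(ch in ILLEGAL or ord(ch) > 127 for ch in body):
        findings.append("path contains a character impossible in a Windows name (lookalike or mis-rendered)")
    for comp in body.split("\\"):
        target = lookalike(comp)
        if target:
            findings.append(f"component {comp!r} imitates {target!r}")
    return findings


def triage(log_text: str, system_root: str = r"C:\WINNT") -> List[Dict[str, object]]:
    """Return one record per flagged entry: the raw line and the reasons it was flagged."""
    results: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons: List[str] = []
        m = O4_RE.match(line)
        if m:
            pm = PATH_RE.match(m.group("cmd"))
            if pm:
                reasons += check_path(pm.group("path"))
            else:
                reasons.append("no recognisable program path in Run command")
            if suspicious_name(m.group("name")):
                reasons.append(f"Run value name {m.group('name')!r} looks auto-generated")
        else:
            m = R0_RE.match(line)
            if m and re.match(r"^[A-Za-z]:\\", m.group("data")):
                # A local file as Start/Local Page is worth a look by itself; one that
                # does not even live under the real system root cannot be the default.
                if not m.group("data").lower().startswith(system_root.lower() + "\\"):
                    reasons.append(f"{m.group('value').strip()} points at a file outside {system_root}")
                reasons += check_path(m.group("data"))
        if reasons:
            results.append({"line": line, "reasons": reasons})
    return results


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["line"])
        for why in hit["reasons"]:
            print("   -", why)
```

Run against the constructed sample it flags exactly the two lines Howard flagged (the `[Kkuknkg]` Run entry for four reasons, and the `Local Page` entry pointing under `C:\windows`) and leaves the popcast, Synchronization Manager and Start Page lines alone. The heuristics are deliberately loose: a legitimate program with an odd name or a non-English path will trip the vowel or non-ASCII checks, so treat a hit as "look at this next", as the thread does, not as a verdict.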
     
  11. siedog

    siedog TS Rookie Topic Starter Posts: 46

    OK, I've deleted the two entries using HJT. (Do I need to reboot?)

    I don't have the C:\windows directory, though, to find that file (blank.htm) and delete it. I do have a winnt folder, but I don't see that file there.

    I'll think about using comodo. No help on IE though, huh?

    Since I'm using win2k, I don't think I can do the system restore.

    Any other advice?

    Thanks a bunch.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, you should reboot your system.

    I don't know what the problem is with IE, so I can't offer any advice.

    To see the files I wanted you to delete, you will probably need to do the following.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Then, once deleted, rehide your protected OS files.

    Regards Howard :)

     
  13. siedog

    siedog TS Rookie Topic Starter Posts: 46

    OK, I rebooted my system, ran HJT and the entries are gone.

    I already turned on showing all files and folders, including system files (I'm able to see my pagefile.sys on the C: drive), but I still don't see the C:\windows folder.

    Any other ideas or suggestions?

    By the way, my pagefile.sys is 385 MB. Any way to reduce this? Maybe not.

    Thanks.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your page file isn't overly large, so unless you're having problems with it, I recommend you leave it alone.

    I don't know why you can't see your Windows folder. According to your HJT log, it's definitely there. Double-click your C drive and the Windows folder should be in the window that appears.

    Regards Howard :)

     
  15. siedog

    siedog TS Rookie Topic Starter Posts: 46

    Nope, still not on the C:\ drive. I do have a C:\winnt folder, though. Maybe this is a leftover that HJT saw, just like with the rootkit file (m?hta.exe), that has already been deleted?

    I ran HJT after rebooting and didn't see the blank.htm entries (see attached).
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I'm very sorry; on Windows 2000 the Windows folder is indeed called winnt.

    I'm so used to dealing with Windows XP that it escaped my notice.

    But HJT definitely did say C:\windows\system32\blank.htm, as you can see.

    Your HJT log is clean as a whistle.

    Regards Howard :)

     
Topic Status:
Not open for further replies.
