Tech Support Forum - View Single Post

vebmetal · 12-30-2004, 01:20 PM

Hi, It seems to me that I have some kind of trojan / worm sitting in my computer. I keep getting a msgfix.exe process running in Task Manager taking about 3,052K. I have found the file in the following folders numerous times, but they keep coming back after I delete them.
C:/WINNT/SYSTEM32
C:/WINDOWS/SYSTEM32
C:/
D:/

Before I go on I am using the following:
Win2K SP4, PC-Cillin (latest definitons), Ad-Aware, Spybot, PrevX Intrusion prevention.

(I generally use Firefox, but occasionally use IE for certain pages).

I have looked the registry in places like HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ and have not found anything that I didn't recognize.

Full system virus scan doesn't find it. But the really strange thing is that when I locate and conduct a manual scan on the msgfix.exe file separately, Pc-cillin doesn't seem to come up with anything!!!! (It did however find another file in the system32 folder NAV.exe which had a TROJ_MULTIDRP.T virus).

Oh, other suspicious files I find with msgfix.exe are windae32.exe, winupddate.exe, MSsrvs32.exe etc.

HiJack This doesn't seem to find anything either, but here's the log.

HELP!

Logfile of HijackThis v1.98.2
Scan saved at 1:41:51 AM, on 12/31/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\PREVX\Prevx Home\PXAgent.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\PREVX\Prevx Home\SAGUI.exe
C:\WINNT\system32\msgfix.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator.SYS\Desktop\Assorted\Hijack This 1_98_2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [PrevX Home] C:\Program Files\PREVX\Prevx Home\SAGUI.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\RunOnce: [East-Tec Eraser 2004] "C:\PROGRA~1\EAST-T~1\silent.exe" /R
O4 - Startup: AtomTimer.lnk = C:\Program Files\Atom Timer\AtomT.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD88C2A-5878-4F9E-9039-DA2459722EB4}: NameServer = 202.56.215.6 202.56.230.6

12-30-2004, 01:20 PM	#1 (permalink)
vebmetal Registered User Join Date: Sep 2004 Posts: 14 OS: Win98	msgfix.exe help! Hi, It seems to me that I have some kind of trojan / worm sitting in my computer. I keep getting a msgfix.exe process running in Task Manager taking about 3,052K. I have found the file in the following folders numerous times, but they keep coming back after I delete them. C:/WINNT/SYSTEM32 C:/WINDOWS/SYSTEM32 C:/ D:/ Before I go on I am using the following: Win2K SP4, PC-Cillin (latest definitons), Ad-Aware, Spybot, PrevX Intrusion prevention. (I generally use Firefox, but occasionally use IE for certain pages). I have looked the registry in places like HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ and have not found anything that I didn't recognize. Full system virus scan doesn't find it. But the really strange thing is that when I locate and conduct a manual scan on the msgfix.exe file separately, Pc-cillin doesn't seem to come up with anything!!!! (It did however find another file in the system32 folder NAV.exe which had a TROJ_MULTIDRP.T virus). Oh, other suspicious files I find with msgfix.exe are windae32.exe, winupddate.exe, MSsrvs32.exe etc. HiJack This doesn't seem to find anything either, but here's the log. HELP! Logfile of HijackThis v1.98.2 Scan saved at 1:41:51 AM, on 12/31/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\CTsvcCDA.EXE C:\WINNT\System32\svchost.exe C:\WINNT\system32\nvsvc32.exe C:\Program Files\PREVX\Prevx Home\PXAgent.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\System32\svchost.exe C:\Program Files\PREVX\Prevx Home\SAGUI.exe C:\WINNT\system32\msgfix.exe C:\WINNT\explorer.exe C:\WINNT\system32\rundll32.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Administrator.SYS\Desktop\Assorted\Hijack This 1_98_2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL O4 - HKLM\..\Run: [PrevX Home] C:\Program Files\PREVX\Prevx Home\SAGUI.exe O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe" O4 - HKCU\..\RunOnce: [East-Tec Eraser 2004] "C:\PROGRA~1\EAST-T~1\silent.exe" /R O4 - Startup: AtomTimer.lnk = C:\Program Files\Atom Timer\AtomT.exe O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD88C2A-5878-4F9E-9039-DA2459722EB4}: NameServer = 202.56.215.6 202.56.230.6