Author Topic: Spyware/Virus causing wacko results  (Read 8926 times)


Xeratul

    Topic Starter
  • 100,000th poster


  • Hopeful
  • Experience: Familiar
  • OS: Windows 7
Spyware/Virus causing wacko results
« on: February 21, 2006, 09:41:13 PM »
I'm having quite a few problems tonight which I think are being caused by a Spyware/Virus.
I ran some scans and put all my firewalls up.
When I ran my scans Adaware picked up a trojan living in system32, and I deleted it.

My first problem is that I can't get to Task Manager by pressing Ctrl-Alt-Delete. It simply doesn't do anything. I went to the C:\WINDOWS\System32 folder where the file "taskmgr" lives and attempted to run it, and it gives me the error "Another program is using this file." I copied and pasted it on to the desktop, where the copy runs fine.  :-?

The second problem is that whenever I completely exit (not just banish it to the quickbar) Limewire 4.10.9, it restarts moments later. I've searched some Limewire forums and have seen some people with the same problem.  :-/

My last problem is that all my command prompts are screwy (cmd.exe, command.exe).  >:(
I have another thread on this forum about this problem here ----> http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1140571622/0

Thanks for your help, guys.
« Last Edit: February 21, 2006, 10:23:44 PM by Wraith112 »

GX1_Man

  • Guest
Re: Spyware/Virus causing wacko results
« Reply #1 on: February 22, 2006, 04:47:49 AM »
Did you try all of this:

http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1134123580


P2P file sharing is a great way to get all of this.  ;)

Xeratul

Re: Spyware/Virus causing wacko results
« Reply #2 on: February 22, 2006, 08:07:31 PM »
Well, I've run Adaware, AVG, and Norton, which have picked up a few things, all of which I deleted.
Whatever is causing these problems isn't being picked up by my scanners.    :(


Here is a hijackthis log file.

Logfile of HijackThis v1.99.1
Scan saved at 7:49:38 AM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PRISMSVR.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\WINDOWS\system32\winlogi.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jay\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 127.0
O1 - Hosts: 12zsearchtoolbar.com
O1 - Hosts: 12zsearchtoolbar.com
O1 - Hosts: 12
O1 - Hosts: 127.0.
O1 - Hosts: u.com
O1 - Hosts: com
O1 - Hosts: r.com
O1 - Hosts: bar.com
O1 - Hosts: olbar.com
O1 - Hosts: toolbar.com
O1 - Hosts: ertoolbar.com
O1 - Hosts: wsertoolbar.com
O1 - Hosts: rowsertoolbar.com
O1 - Hosts: 127.0.
O1 - Hosts: 127.0.0
O1 - Hosts: 1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
« Last Edit: February 22, 2006, 08:12:20 PM by Wraith112 »

Xeratul

Re: Spyware/Virus causing wacko results
« Reply #3 on: February 22, 2006, 08:08:26 PM »
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Desktop Macros] C:\Program Files\Desktop Macros\MacroS.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Xeratul

Re: Spyware/Virus causing wacko results
« Reply #4 on: February 22, 2006, 08:08:58 PM »
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B3DEDA-EF7F-40AE-81C8-EF9F78409863}: NameServer = 67.21.13.2,67.21.13.4
O20 - Winlogon Notify: accwms - C:\WINDOWS\system\accwms.dll (file missing)
O20 - Winlogon Notify: infoap - C:\WINDOWS\system32\IAS\infoap.dll (file missing)
O20 - Winlogon Notify: keyodbc - C:\WINDOWS\system\keyodbc.dll (file missing)
O20 - Winlogon Notify: netcr - C:\WINDOWS\Config\netcr.dll (file missing)
O20 - Winlogon Notify: svrmc - C:\WINDOWS\MICROS~1.NET\svrmc.dll (file missing)
O20 - Winlogon Notify: sysodbc - C:\WINDOWS\Cursors\sysodbc.dll (file missing)
O20 - Winlogon Notify: taskad - C:\WINDOWS\AppPatch\taskad.dll (file missing)
O20 - Winlogon Notify: tasklog - C:\WINDOWS\AppPatch\tasklog.dll (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

rockerest



    Hopeful
    • Yes
  • Experience: Experienced
  • OS: Windows 7
Re: Spyware/Virus causing wacko results
« Reply #5 on: February 22, 2006, 08:22:46 PM »
OK, first of all, look at the bottom of your first HJT logfile post...

Quote
O1 - Hosts: com
O1 - Hosts: r.com
O1 - Hosts: bar.com
O1 - Hosts: olbar.com
O1 - Hosts: toolbar.com
O1 - Hosts: ertoolbar.com
O1 - Hosts: wsertoolbar.com
O1 - Hosts: rowsertoolbar.com
O1 - Hosts: 127.0.
O1 - Hosts: 127.0.0
O1 - Hosts: 1

That's all crap.......whatever it is, your software didn't catch it......

And that's just the stuff that caught my eye.......

and what is:
         O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B3DEDA-EF7F-40AE-81C8-EF9F78409863}: NameServer = 67.21.13.2,67.21.13.4
????????

Not good.....try going to this site: http://www.hijackthis.de/
and pasting your logfile in the textbox.  Click analyze, and it should give you a good idea of what's bad on your computer....

These things are no doubt the reason for your problems........

-rock
In general, the PEBKAC.  Whether it's now or was three weeks ago, the PEBKAC.
Unsafe browsing and general computer / internet illiteracy IS the users problem.  Don't have sex if you don't know how to use a condom.
Also, there are 10 types of people in the world, those who understand binary, and those who don't.

rockerest



Re: Spyware/Virus causing wacko results
« Reply #6 on: February 22, 2006, 08:29:00 PM »
Quote
Well, I've run Adaware, AVG, and Norton which have picked up a few things. All of which I deleted.
Whatever is causing these problems isn't being picked up by my scanners.    :(

Here are the things I would mark as "what is this?" (look 'em up on google)
Quote
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PRISMSVR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\winlogi.exe
C:\Program Files\Digital Line Detect\DLG.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
Here's the stuff I would mark as SPYWARE!  Get rid of 'em, but don't take my word for it, do some research
Quote
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
O1 - Hosts: 127.0
O1 - Hosts: 12zsearchtoolbar.com
O1 - Hosts: 12zsearchtoolbar.com
O1 - Hosts: 12
O1 - Hosts: 127.0.
O1 - Hosts: u.com
O1 - Hosts: com
O1 - Hosts: r.com
O1 - Hosts: bar.com
O1 - Hosts: olbar.com
O1 - Hosts: toolbar.com
O1 - Hosts: ertoolbar.com
O1 - Hosts: wsertoolbar.com
O1 - Hosts: rowsertoolbar.com
O1 - Hosts: 127.0.
O1 - Hosts: 127.0.0
O1 - Hosts: 1
Here's stuff I would mark as UNNEEDED!  Your choice!
Quote
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

rockerest



Re: Spyware/Virus causing wacko results
« Reply #7 on: February 22, 2006, 08:29:35 PM »
That's just your first post, use a discerning eye for the rest, and try that site.......

Xeratul

Re: Spyware/Virus causing wacko results
« Reply #8 on: February 22, 2006, 08:33:17 PM »
Thanks, I'll get right to work.  :)

rockerest



Re: Spyware/Virus causing wacko results
« Reply #9 on: February 22, 2006, 08:38:16 PM »
Quote
Here are the things I would mark as "what is this?" (look 'em up on google)
Quote
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

Oops, this one isn't unknown....it's the Java update scheduler, I believe.  Probably harmless, but you might want to check it out or disable it....

-rock
« Last Edit: February 22, 2006, 08:38:37 PM by rockerest »

Xeratul

Re: Spyware/Virus causing wacko results
« Reply #10 on: February 22, 2006, 09:15:20 PM »
The ones you said were spyware were indeed nasties.

I think the following is benign. It's one of my ISP's servers or something.
It's the address I get when I run the nslookup command in DOS.

O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B3DEDA-EF7F-40AE-81C8-EF9F78409863}: NameServer = 67.21.13.2,67.21.13.4

Now that I've located the infections, I need to remove them...
I made another thread where I asked how ----> http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1140666386/0
« Last Edit: February 22, 2006, 09:46:29 PM by Wraith112 »

dl65

  • R.I.P.


  • Prodigy

    Thanked: 18
Re: Spyware/Virus causing wacko results
« Reply #11 on: February 22, 2006, 09:29:47 PM »

Run HijackThis and then mark for removal the following:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 127.0
O1 - Hosts: 12zsearchtoolbar.com
O1 - Hosts: 12zsearchtoolbar.com
O1 - Hosts: 12
O1 - Hosts: 127.0.
O1 - Hosts: u.com
O1 - Hosts: com
O1 - Hosts: r.com
O1 - Hosts: bar.com
O1 - Hosts: olbar.com
O1 - Hosts: toolbar.com
O1 - Hosts: ertoolbar.com
O1 - Hosts: wsertoolbar.com
O1 - Hosts: rowsertoolbar.com
O1 - Hosts: 127.0.
O1 - Hosts: 127.0.0
O1 - Hosts: 1
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O20 - Winlogon Notify: accwms - C:\WINDOWS\system\accwms.dll (file missing)
O20 - Winlogon Notify: infoap - C:\WINDOWS\system32\IAS\infoap.dll (file missing)
O20 - Winlogon Notify: keyodbc - C:\WINDOWS\system\keyodbc.dll (file missing)
O20 - Winlogon Notify: netcr - C:\WINDOWS\Config\netcr.dll (file missing)
O20 - Winlogon Notify: svrmc - C:\WINDOWS\MICROS~1.NET\svrmc.dll (file missing)
O20 - Winlogon Notify: sysodbc - C:\WINDOWS\Cursors\sysodbc.dll (file missing)
O20 - Winlogon Notify: taskad - C:\WINDOWS\AppPatch\taskad.dll (file missing)
O20 - Winlogon Notify: tasklog - C:\WINDOWS\AppPatch\tasklog.dll (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

Once you have these marked for removal, click on "Fix checked".

Then reboot and post a new logfile for us to look at.

There are also a number of other entries which may have to be removed as well, but let's start with these.

dl65  ::)

If you don't know the answer, it isn't a dumb question.
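The way rockerest (Reply #6) and dl65 (Reply #11) sort these HijackThis entries by hand can be written down as a small triage script over the log lines. This is an added example for this thread, not HijackThis code and not anything the posters ran. It applies the same rules the replies apply: a browser proxy aimed at localhost, Hosts entries that are not "IP name" pairs, browser helpers with no file, autoruns that name a bare executable with no path (and the same autorun registered under more than one Run key), Winlogon Notify DLLs and services whose image is missing, and O17 nameservers that are not on a list the analyst vouches for. The sample lines are copied from the log posted above; the `Finding` type, the function names, the rule wording and the trusted-nameserver list are my assumptions, not anything on the page.

```python
"""Heuristic triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O1 - Hosts: 12zsearchtoolbar.com
O1 - Hosts: rowsertoolbar.com
O1 - Hosts: 127.0.
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B3DEDA-EF7F-40AE-81C8-EF9F78409863}: NameServer = 67.21.13.2,67.21.13.4
O20 - Winlogon Notify: taskad - C:\WINDOWS\AppPatch\taskad.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O20"
    reason: str
    line: str


_ENTRY = re.compile(r"^(?P<sec>[OR]\d+)\s+-\s+(?P<body>.*)$")
# A well-formed hosts line is "<IPv4 address> <name>"; anything else is a fragment.
_HOSTS_OK = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\s+\S+")
# O4 registry autoruns look like: HKLM\..\Run: [name] command
_RUN = re.compile(r"^HK(?P<hive>LM|CU)\\\.\.\\(?P<key>Run\w*):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def _image_path(cmd: str) -> str:
    """First token of an autorun command: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text: str, trusted_nameservers=()):
    """Return a list of Finding for entries that deserve a second look."""
    findings = []
    autorun_keys = {}  # autorun name -> set of Run keys it is registered under
    for raw in log_text.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            if value.startswith(("127.", "localhost")):
                findings.append(Finding(sec, "browser proxy points at localhost; "
                                        "confirm which installed program listens there", raw))
        elif sec == "O1":
            entry = body.partition(":")[2].strip()
            if not _HOSTS_OK.match(entry):
                findings.append(Finding(sec, "Hosts entry is not '<ip> <name>'; "
                                        "the hosts file is fragmented or tampered with", raw))
        elif sec in ("O2", "O9") and "(no file)" in body:
            findings.append(Finding(sec, "browser extension entry whose file is gone; orphaned", raw))
        elif sec == "O4":
            rm = _RUN.match(body)
            if rm:
                name, key = rm.group("name"), rm.group("key")
                autorun_keys.setdefault(name, set()).add(key)
                if "\\" not in _image_path(rm.group("cmd")):
                    findings.append(Finding(sec, "autorun names a bare executable with no path, "
                                            "resolved through the search path; locate the image", raw))
        elif sec == "O17" and "NameServer =" in body:
            servers = [s.strip() for s in body.split("NameServer =", 1)[1].split(",")]
            unknown = [s for s in servers if s not in trusted_nameservers]
            if unknown:
                findings.append(Finding(sec, "nameserver(s) not on the trusted list: "
                                        + ", ".join(unknown), raw))
        elif sec in ("O20", "O23") and "(file missing)" in body:
            what = "Winlogon Notify DLL" if sec == "O20" else "service image"
            findings.append(Finding(sec, f"{what} is missing on disk; dead persistence entry", raw))
    # Reported last: one autorun name registered under several Run keys.
    for name, keys in autorun_keys.items():
        if len(keys) > 1:
            findings.append(Finding("O4", f"autorun [{name}] registered under several keys: "
                                    + ", ".join(sorted(keys)), f"[{name}]"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run it as-is and every sample entry except the Start Page, the quoted ccApp autorun and the ATI service is reported; pass `trusted_nameservers={"67.21.13.2", "67.21.13.4"}` once you have confirmed those are the addresses your ISP or DHCP server hands out and the O17 finding disappears. The script only ranks entries for a human to check; it does not decide what to remove, and "(file missing)" entries are flagged as leftovers to clean up rather than as evidence of what put them there.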

Xeratul

Re: Spyware/Virus causing wacko results
« Reply #12 on: February 22, 2006, 09:44:52 PM »
I tried to delete all those. Here's my new HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 8:42:16 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PRISMSVR.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jay\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

« Last Edit: February 22, 2006, 09:48:56 PM by Wraith112 »

Xeratul

Re: Spyware/Virus causing wacko results
« Reply #13 on: February 22, 2006, 09:45:35 PM »
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Desktop Macros] C:\Program Files\Desktop Macros\MacroS.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B3DEDA-EF7F-40AE-81C8-EF9F78409863}: NameServer = 67.21.13.2,67.21.13.4
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

Xeratul

Re: Spyware/Virus causing wacko results
« Reply #14 on: February 22, 2006, 09:45:57 PM »
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    dl65

    • R.I.P.


    • Prodigy

      Thanked: 18
      Re: Spyware/Virus causing wacko results
      « Reply #15 on: February 22, 2006, 11:06:22 PM »
      Wraith......  Ok ....I see a new one that has appeared from somewhere.....

      Mark for removal .......

      O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "% ProgramFiles%\WinPcap\rpcapd.ini (file missing)

      Now then this one .....

      O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B3DEDA-EF7F-40AE-81C8-EF9F78409863}: NameServer = 67.21.13.2,67.21.13.4  ....If this is something that you use and recognise as being safe leave it otherwise mark it for removal.

      Next please explain why you have 2 antiviruses installed now?
      The point here is we are trying to get your system clean and you seem to be adding things. Don't do that until we get a clean logfile.......
      Are you using proxy server settings? ...I'm trying to understand your R0 and R1 entries ......
      And you do have your system restore turned off, don't you?

      dl65  ::)

      « Last Edit: February 22, 2006, 11:07:32 PM by dl65 »
      If you don't know the answer, it isn't a dumb question.
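A defender-side triage of the O17 and O23 line types dl65 is reading above, added here as an example and not code from any poster: it parses HijackThis-style lines, flags services with no publisher or a missing binary (as with the rpcapd entry), and flags NameServer addresses that are not in a list the user recognises. The `triage` function, the `Finding` class, the trusted-DNS list and the sample lines (copied from the log posted in this thread) are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Sample HijackThis lines, copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B3DEDA-EF7F-40AE-81C8-EF9F78409863}: NameServer = 67.21.13.2,67.21.13.4
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

# O23 lines read: O23 - Service: <display name> (<short name>) - <publisher> - <binary path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O17 lines read: O17 - <registry key>: NameServer = <ip>[,<ip>...]
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[0-9.,]+)\s*$")


@dataclass
class Finding:
    kind: str    # "O17" or "O23"
    reason: str  # why the entry deserves a second look
    detail: str  # service name or registry key


def triage(log_text, trusted_dns=()):
    """Return the O17/O23 entries a reviewer should question (hypothetical helper)."""
    trusted = set(trusted_dns)
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m["owner"].lower() == "unknown owner":
                reasons.append("no publisher information")
            if m["path"].endswith("(file missing)"):
                reasons.append("service binary missing on disk")
            if reasons:
                findings.append(Finding("O23", "; ".join(reasons), m["name"]))
            continue
        m = O17_RE.match(line)
        if m:
            # A NameServer the user does not recognise can redirect every lookup on the box.
            unknown = [ip for ip in m["servers"].split(",") if ip not in trusted]
            if unknown:
                findings.append(Finding("O17", "NameServer not in trusted list: " + ",".join(unknown), m["key"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.kind, "|", f.reason, "|", f.detail)
```

Passing the resolvers you actually use in `trusted_dns` suppresses the O17 finding, which is the same decision dl65 asks the poster to make by hand.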

      Fed

      • Moderator


      • Sage
      • Thanked: 35
        • Experience: Experienced
        • OS: Windows XP
        Re: Spyware/Virus causing wacko results
        « Reply #16 on: February 22, 2006, 11:15:06 PM »
        DL, there are at least 3 threads running on this, I see he fixed it somewhere else.
        After bouncing around from thread to thread I say just cut him adrift but remember the name in case he comes back. LOL!

        Xeratul

          Topic Starter
        • 100,000th poster


        • Hopeful
        • Experience: Familiar
        • OS: Windows 7
        Re: Spyware/Virus causing wacko results
        « Reply #17 on: February 26, 2006, 11:39:00 AM »
        Anymore, eh?
         
        I believe I've removed most of the malicious entries.
         
        The source of my problem seems to be this Alcan.32 worm. I scan for it and my software picks it up and deletes it. The next day it seems to be there again causing the same problem...
         
        I'm looking for a more permanent fix, what is causing it to not be properly deleted? :-?

        Xeratul

          Topic Starter
        • 100,000th poster


        • Hopeful
        • Experience: Familiar
        • OS: Windows 7
        Re: Spyware/Virus causing wacko results
        « Reply #18 on: February 26, 2006, 11:50:25 AM »
        Quote
        Wraith......  Ok ....I see a new one that has appeared from somewhere.....

        Mark for removal .......

        O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "% ProgramFiles%\WinPcap\rpcapd.ini (file missing)

        Now then this one .....

        O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B3DEDA-EF7F-40AE-81C8-EF9F78409863}: NameServer = 67.21.13.2,67.21.13.4  ....If this is something that you use and recognise as being safe leave it otherwise mark it for removal.

        Next please explain why you have 2 antiviruses installed now?
        The point here is we are trying to get your system clean and you seem to be adding things. Don't do that until we get a clean logfile.......
        Are you using proxy server settings? ...I'm trying to understand your R0 and R1 entries ......
        And you do have your system restore turned off, don't you?

        dl65  ::)


        The proxy settings I don't use anymore so I suppose I can delete those.

        I don't understand: is having two antiviruses installed going to conflict?

        The WinPcap thing is for my Ethereal; I suppose I will delete that too.

        I have system restore turned off.

        Quote
        DL, there's at least 3 threads running on this, I see he fixed it somewhere else.
        After bouncing around from thread to thread I say just cut him adrift but remember the name in case he comes back. LOL!

        I'm sorry, the reason I posted so many threads is sort of because I discovered the problems one at a time until I discovered they were all connected. Limewire problem -- http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1140579109 -- cmd problem -- http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1140571622/0 -- and the task manager problem.

        I tried to make this thread to combine them all. Do you think I should delete the other threads?


        « Last Edit: February 26, 2006, 11:52:02 AM by Wraith112 »

        GX1_Man

        • Guest
        Re: Spyware/Virus causing wacko results
        « Reply #19 on: February 26, 2006, 11:52:03 AM »
        There is no reason to have two antivirus programs active and problems can result.  ;)

        Backdated

        • Guest
        Re: Spyware/Virus causing wacko results
        « Reply #20 on: February 26, 2006, 04:52:25 PM »
        Without looking at your HijackThis log it's almost certain that your current problem evolves from having two AV suites installed. I'd put money on one seeing the virus in the quarantine folder of the other.
        Having said that, was System Restore disabled? Have all temp and temp internet folders been cleared? Has the recycle bin been emptied?