Author Topic: Malwares Plz help  (Read 7617 times)

faizalb15

  • Guest
Malwares Plz help
« on: March 01, 2006, 09:35:46 PM »
Hi

Plz help me

I am connected to the internet all day. Sometimes when I work I lose control of my mouse completely. It closes all my applications, opens MS Word and starts typing "when the sky is dark malwares peek their head and it is time to have some fun".

I have run Symantec AntiVirus with updated virus definitions; still no virus found.

I have run Ad-Aware and McAfee AntiSpyware; still no response.

Plz help me

When I disconnect from the internet everything works perfectly.

If someone has an idea of what it is, plz let me know.

Thanks

Fed

  • Moderator


  • Sage
  • Thanked: 35
    • Experience: Experienced
    • OS: Windows XP
    Re: Malwares Plz help
    « Reply #1 on: March 01, 2006, 10:04:11 PM »
    Do you have a firewall running?

    dl65

    • R.I.P.


    • Prodigy

      Thanked: 18
      Re: Malwares Plz help
      « Reply #2 on: March 01, 2006, 10:13:50 PM »
       faizalb15...... Is your pc connected to the net via a network or as a stand alone ?

      Which operating system are you using ?
      Can you scan your pc with hijackthis and post the logfile here for us to look at .


      dl65  ::)
      If you don't know the answer, it isn't a dumb question.

      faizalb15

      • Guest
      Re: Malwares Plz help
      « Reply #3 on: March 01, 2006, 10:26:55 PM »
      No, I don't have a firewall...

      I am connected via a LAN and the OS is Win XP.

      Where can I get HijackThis to scan the PC?

      Plz help me

      thanks


      Fed

      • Moderator


      • Sage
      • Thanked: 35
        • Experience: Experienced
        • OS: Windows XP
        Re: Malwares Plz help
        « Reply #4 on: March 01, 2006, 10:54:56 PM »
        Get a firewall, Sygate is nice. Version 5.5 Build 2710
        http://207.33.111.31/spf/

        Get Hijackthis.
        http://www.hijackthis.de/index.php?langselect=english
        « Last Edit: March 01, 2006, 10:57:24 PM by Fed »

        dl65

        • R.I.P.


        • Prodigy

          Thanked: 18
          Re: Malwares Plz help
          « Reply #5 on: March 01, 2006, 11:08:41 PM »
           faizalb15....You can download hijackthis from.......
          http://www.download.com/HijackThis/3000-8022_4-10227353.html  

          Install it into a folder on your desktop ........


          dl65  ::)
          If you don't know the answer, it isn't a dumb question.

          Backdated

          • Guest
          Re: Malwares Plz help
          « Reply #6 on: March 02, 2006, 08:05:29 AM »
          Only download Hijackthis and other similar tools from trusted sites!!!!!
          Hijackthis.de is not yet established and download.com is one of the most infected sites on the net!

          In no particular order and apologies to those I've missed out:
          www.spywareinfo.com
          www.majorgeeks.com
          www.tomcoyote.org
          www.castlecops.com
          www.subratam.org
          www.lockergnome.com


          This sounds like an RCT. Whilst it may be a prank, it could carry some very serious implications.
          Carry out the procedures outlined in this post and report back.


          « Last Edit: March 02, 2006, 08:11:57 AM by Backdated »

          dl65

          • R.I.P.


          • Prodigy

            Thanked: 18
            Re: Malwares Plz help
            « Reply #7 on: March 02, 2006, 10:54:03 AM »
            Quote
            download.com is one of the most infected sites on the net!

            I have noticed that you have made that comment before .........What are you basing that on ........ I and many others have D/L utilities from that location on many occasions and have never had any issues.
            If you could cite some reliable sources it would be helpful.

            dl65  ::)
            If you don't know the answer, it isn't a dumb question.

            Backdated

            • Guest
            Re: Malwares Plz help
            « Reply #8 on: March 02, 2006, 12:17:57 PM »
            This is the first link that I found via Google. There are sources which support my statement all over the internet:
            http://www.lifehacker.com/software/spyware-cleaners/downloadcom-congratulates-self-for-filtering-spyware-101399.php
            Those that have been security conscious and aware of security issues for some time know well that downloaddotcom is/was an infected rat's nest.

            The first rule of malware detection/prevention is to download anti malware utilities etc from the authors site or from trusted security sources only. Go anywhere else and you're asking for trouble.
            « Last Edit: March 02, 2006, 12:21:45 PM by Backdated »

            GX1_Man

            • Guest
            Re: Malwares Plz help
            « Reply #9 on: March 02, 2006, 12:26:24 PM »
            Thanks for the info. I never go there, but AdAware links to it on their site even!

            Fed

            • Moderator


            • Sage
            • Thanked: 35
              • Experience: Experienced
              • OS: Windows XP
              Re: Malwares Plz help
              « Reply #10 on: March 02, 2006, 12:26:46 PM »
              http://www.hijackthis.de/index.php?langselect=english
              Quote
              Due to a few misunderstandings, I just want to make it clear that this site provides only an online analysis, and not HijackThis the program.
              The site has a direct download link to http://www.mmdirect.de/downloads/hijackthis_199.zip

              Backdated

              • Guest
              Re: Malwares Plz help
              « Reply #11 on: March 02, 2006, 12:36:31 PM »
              Hijackthis.de has improved a little of late but do a search on its history. I don't really care who links to what. Downloaddotcom is/was a cesspit and it's wise to avoid it.
              In both instances, it's a case of leopards and spots. Ask yourselves this question, would you trust someone who has continually conned you over the years?
              I repeat:
              The first rule of malware detection/prevention is to download anti malware utilities etc from the authors site or from trusted security sources only. Go anywhere else and you're asking for trouble.
              « Last Edit: March 02, 2006, 12:37:10 PM by Backdated »

              dl65

              • R.I.P.


              • Prodigy

                Thanked: 18
                Re: Malwares Plz help
                « Reply #12 on: March 02, 2006, 01:17:52 PM »
                Backdated......  I appreciate your feedback as far as the link is concerned.......but......that reference was dated ....April 28th , 2005
                Quote
                CNET’s Download.com has always been a dodgy place to get software, and today they’ve proved it. As of yesterday, Download.com started testing their software for adware and spyware - and removed nearly 600 products from their index in the process.
                ........ yes perhaps there were issues in the past , however ...... it would appear they have the issue under control. I certainly have no connection to Download.com and as stated before ...... I and many others have D/L utilities from that location on many occasions and have never had any issues.

                I am giving you first hand experience ...re downloading from that site , not some year old comment .

                dl65  ::)
                 

                If you don't know the answer, it isn't a dumb question.

                Backdated

                • Guest
                Re: Malwares Plz help
                « Reply #13 on: March 02, 2006, 01:27:56 PM »
                As I said, that was the first link I came across in Google. There are well documented accounts all over the net and I have had perhaps not first hand experience but I had to deal with a system that was heavily infected after a trojan downloader was included as an added extra in a file from ddcom.
                This was only about 2 months ago. As I said, leopards and spots.

                If you give advice to users regarding the subject of virus/malware removal and prevention, please direct them to trusted sources only if they need tools etc.
                It's not too much to ask is it? >:(
                « Last Edit: March 02, 2006, 01:30:18 PM by Backdated »

                dl65

                • R.I.P.


                • Prodigy

                  Thanked: 18
                  Re: Malwares Plz help
                  « Reply #14 on: March 02, 2006, 01:45:11 PM »
                  Backdated .........
                  Quote
                  I have had perhaps not first hand experience but I had to deal with a system that was heavily infected after a trojan downloader was included as an added extra in a file from ddcom.
                  I tend to offer advice or opinions based on first hand experience rather than he said , she said information.

                  dl65  ::)


                  If you don't know the answer, it isn't a dumb question.

                  Backdated

                  • Guest
                  Re: Malwares Plz help
                  « Reply #15 on: March 02, 2006, 02:47:54 PM »
                  There are rules to follow where infection detection, removal and prevention is concerned. If you cannot heed the first and cardinal rule then please do not offer advice on this matter; it's really as simple as that. If you cannot understand that, then users of this forum should be warned to ignore your "advice".

                  I've had many long years of experience in this game and I haven't lost a customer yet! I operate on facts and I abide by rules; rules that are in place for a very good reason.

                  Perhaps you think I enjoy wasting my time slagging off download sites for the fun of it. Well I can tell you now, I don't!
                  I certainly have no hidden agenda, do you?

                  faizalb15

                  • Guest
                  Re: Malwares Plz help
                  « Reply #16 on: March 02, 2006, 09:14:27 PM »
                  Logfile of HijackThis v1.99.1
                  Scan saved at 2:12:44 PM, on 3/2/2006
                  Platform: Windows XP  (WinNT 5.01.2600)
                  MSIE: Internet Explorer v6.00 (6.00.2600.0000)

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                  C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\Program Files\Symantec AntiVirus\DefWatch.exe
                  c:\progra~1\mcafee\mcafee antispyware\massrv.exe
                  c:\program files\mcafee.com\agent\mcdetect.exe
                  c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
                  C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
                  C:\Program Files\Network LookOut\Net Monitor for Employees Professional\bin\NLSAgentSvc.exe
                  C:\Program Files\Symantec AntiVirus\SavRoam.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\Symantec AntiVirus\Rtvscan.exe
                  C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\PROGRA~1\mcafee.com\agent\mcagent.exe
                  C:\progra~1\mcafee\MCAFEE~1\masalert.exe
                  C:\Program Files\Common Files\Symantec Shared\ccApp.exe
                  C:\PROGRA~1\SYMANT~1\VPTray.exe
                  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
                  C:\Program Files\Messenger\msmsgs.exe
                  C:\Program Files\Skype\Phone\Skype.exe
                  C:\Program Files\GetRight\getright.exe
                  C:\Program Files\GetRight\getright.exe
                  C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
                  C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
                  C:\Program Files\Internet Explorer\iexplore.exe
                  C:\Program Files\WinRAR\WinRAR.exe
                  C:\DOCUME~1\computer\LOCALS~1\Temp\Rar$EX02.828\HijackThis.exe

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.gov.mu/
                  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = **********
                  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ************;<local>
                  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
                  O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
                  O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
                  O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
                  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
                  O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
                  O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
                  O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
                  O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
                  O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
                  O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
                  O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
                  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
                  O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
                  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                  O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
                  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
                  O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
                  O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
                  O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
                  O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -

                  faizalb15

                  • Guest
                  Re: Malwares Plz help
                  « Reply #17 on: March 02, 2006, 09:15:30 PM »
                  http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
                  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = csodom.local
                  O17 - HKLM\Software\..\Telephony: DomainName = csodom.local
                  O17 - HKLM\System\CCS\Services\Tcpip\..\{7E2DAED3-9B54-47EE-8810-DC16A7A64AA2}: NameServer = ***********
                  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = csodom.local
                  O17 - HKLM\System\CS1\Services\Tcpip\..\{7E2DAED3-9B54-47EE-8810-DC16A7A64AA2}: NameServer = *************
                  O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = csodom.local
                  O17 - HKLM\System\CS2\Services\Tcpip\..\{7E2DAED3-9B54-47EE-8810-DC16A7A64AA2}: NameServer = ***************
                  O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
                  O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                  O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
                  O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                  O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
                  O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
                  O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
                  O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
                  O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
                  O23 - Service: Net Monitor for Employees Agent (NMEmployeesAgent) - Unknown owner - C:\Program Files\Network LookOut\Net Monitor for Employees Professional\bin\NLSAgentSvc.exe
                  O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
                  O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                  O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



                  As you have said, I have downloaded the program
                  and here is the report.

                  Plz let me know what to do next?

                  Thanks


                  dl65

                  • R.I.P.


                  • Prodigy

                    Thanked: 18
                    Re: Malwares Plz help
                    « Reply #18 on: March 02, 2006, 11:08:17 PM »
                    faizalb15...... I know you said you had run scans with your anti virus as well as ad-aware and McAfee Antispyware and nothing was found.  Did you run these scans from the safe mode ?

                    You mentioned you are connected to the net via a network (LAN) .....is this your network or one at work?

                    You also mentioned that your machine works perfectly when not connected to the network .  This would suggest that the issue may not be resident on your pc.

                    I also notice that you do not have SP2 installed .......Is there some reason you don't , as it has additional security items included which increase your protection.

                    Are you connected behind a router ?

                    I also notice you are using a proxy server ........ any particular reason why ?

                    If you can answer these questions , we can move along .

                    dl65  ::)

                    « Last Edit: March 02, 2006, 11:09:12 PM by dl65 »
                    If you don't know the answer, it isn't a dumb question.
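
The points dl65 reads off the posted log in the reply above (no service pack in the Platform line, a proxy server set), written as a small triage script. This is an added example, not part of the original thread: the function names, the two extra checks (services HijackThis lists as "Unknown owner", processes running from a temp folder) and the assumption that the Platform line carries the service pack are mine, and the sample lines are copied from the log posted above.

```python
import re

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\computer\LOCALS~1\Temp\Rar$EX02.828\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = **********
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Net Monitor for Employees Agent (NMEmployeesAgent) - Unknown owner - C:\Program Files\Network LookOut\Net Monitor for Employees Professional\bin\NLSAgentSvc.exe
"""

# Entry lines look like "O23 - Service: ..." (section code, " - ", body).
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def parse_log(text):
    """Split a HijackThis log into platform, running processes and coded entries."""
    log = {"platform": "", "processes": [], "entries": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes are often indented
        if line.startswith("Platform:"):
            log["platform"] = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_processes = True
        elif in_processes and not line:
            in_processes = False  # a blank line ends the process list
        elif in_processes:
            log["processes"].append(line)
        else:
            m = ENTRY.match(line)
            if m:
                log["entries"].append((m.group(1), m.group(2)))
    return log


def triage(text):
    """Return review notes; each one is a question to ask, not a verdict."""
    log = parse_log(text)
    notes = []
    # Assumption: HijackThis prints the service pack in the Platform line when one is installed.
    if not re.search(r"\bSP\d\b", log["platform"]):
        notes.append("no service pack in Platform line")
    for code, body in log["entries"]:
        if code == "R1" and "ProxyServer" in body:
            notes.append("proxy server configured")
        elif code == "O23" and body.startswith("Service: "):
            # Split from the right: the path and owner are the last two fields.
            parts = body[len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3 and parts[1].strip().lower() == "unknown owner":
                notes.append(f"service without vendor info: {parts[0]}")
    for proc in log["processes"]:
        if "\\temp\\" in proc.lower():
            notes.append(f"process running from a temp folder: {proc}")
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print("-", note)
```

In this log the temp-folder hit is HijackThis.exe itself, run from inside the WinRAR extraction folder rather than from a folder of its own as asked in Reply #5.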

                    Backdated

                    • Guest
                    Re: Malwares Plz help
                    « Reply #19 on: March 03, 2006, 08:48:26 AM »
                    I can see a possibly very dangerous entry indeed that would cause the symptoms you first described but before I can disclose it I need to know more about the situation in which this computer is used.

                    As usual, there are a few unnecessary but non malicious entries.
                    « Last Edit: March 03, 2006, 08:50:43 AM by Backdated »

                    faizalb15

                    • Guest
                    Re: Malwares Plz help
                    « Reply #20 on: March 05, 2006, 10:11:11 PM »
                    I didn't install SP2 because it makes my PC slow in performance.

                    Yes, our company must use the proxy server to be connected to the internet.

                    If we eliminate it we won't get any access.

                    plz help me

                    Fed

                    • Moderator


                    • Sage
                    • Thanked: 35
                      • Experience: Experienced
                      • OS: Windows XP
                      Re: Malwares Plz help
                      « Reply #21 on: March 05, 2006, 10:38:26 PM »
                      Firewall?
                      I think your problems come from within your network.
                      Do you have an IT person?

                      Backdated

                      • Guest
                      Re: Malwares Plz help
                      « Reply #22 on: March 06, 2006, 11:57:45 AM »
                      SP2 is not an option, it's a vital necessity.

                      This log can soon be amended and cleared but I need to have a chat to someone first.