Computer Hope
Software => Computer viruses and spyware => Topic started by: Kurt07 on November 05, 2007, 09:19:13 PM
-
I'm not sure if I really have any viruses...I was just wanting someone to take a look at my log to make sure....and give me pointers on what to do.
------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:21:13 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\Windows\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wscntfy.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\WIRELESS\Wireless.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Tibia8.0\Tibia\Tibia.exe
C:\Documents and Settings\Administrator\Desktop\Evolution 7.72\Bot-Forum-OT-PHP\Bots\1.12.5\Tibia Auto\tibiaauto.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Administrator\Desktop\High Jack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://visual-utopia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
R3 - URLSearchHook: (no name) - {00B008E0-B809-B6DD-2C22-CACE6CC8BEB5} - (no file)
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: (no name) - {4148A482-1466-15BE-4C84-60D4CCB5AABC} - (no file)
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [svcmon] C:\inspect\PIN\svcmon.exe
O4 - HKLM\..\Run: [StandardKeyboard] C:\WINDOWS\WIRELESS\Wireless.exe
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\PROGRA~1\THEPRI~1\THEPRI~1.EXE" /startup
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZCfox000
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Documents and Settings\Administrator\Desktop\7.6 YurOTs\xampp\FileZillaFTP\FileZillaServer.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
-
I'm checking your log file now...
-
You can fix the following:
R3 - URLSearchHook: (no name) - {00B008E0-B809-B6DD-2C22-CACE6CC8BEB5} - (no file)
O2 - BHO: (no name) - {4148A482-1466-15BE-4C84-60D4CCB5AABC} - (no file)
O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O4 - HKLM\..\Run: [svcmon] C:\inspect\PIN\svcmon.exe
Did you install SVCMON? If not, fix this.
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Documents and Settings\Administrator\Desktop\7.6 YurOTs\xampp\FileZillaFTP\FileZillaServer.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
If you haven't already, download and install Spybot Search & Destroy (http://www.safer-networking.org/en/spybotsd/index.html), run a full scan and fix all items highlighted in red.
-
Ok, I did all that. Yes, I do have S&D already.
It's the only program I have. Was wanting to know a good virus protector and such.
-
dairyman, I appreciate your desire to help, but please try to refrain until you have had the proper training.
Kurt,
Just to be on the safe side...
1. Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) and save it to your desktop.
2. Run VundoFix and click on Scan For Vundo.
3. Once it's done scanning, click on Remove Vundo.
4. When it prompts you to remove the files, click on Yes.
5. Your desktop will go blank as it's removing files. Don't worry, this is normal.
6. It will prompt you to restart your computer, so click OK.
7. When your computer is turned back on, your problem should be gone.
8. The program normally produces a Vundofix.txt file. Please locate this file and paste the contents in your next post.
And then, just to be thorough...
1. Download VirtumundoBeGone (http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe) and save it to your desktop.
2. Reboot into Safe Mode.
3. Once you are in Safe Mode, run VirtumundoBeGone and follow the instructions.
4. Exit when it has finished and reboot back into normal mode.
5. The program normally produces a VBG.txt file. Please locate this file and paste the contents in your next post.
Before posting those logs, open up HijackThis and check the following entries (if they still exist)...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: (no name) - {00B008E0-B809-B6DD-2C22-CACE6CC8BEB5} - (no file)
O2 - BHO: (no name) - {4148A482-1466-15BE-4C84-60D4CCB5AABC} - (no file)
O8 - Extra context menu item: &Search - ?p=ZCfox000
Close all other windows and click on Fix Checked. Post a new HijackThis log along with the logs mentioned above. Also...are you the only user of this computer?
-
Ok, I did all that. Yes, I do have S&D already.
It's the only program I have. Was wanting to know a good virus protector and such.
Different folks will recommend different anti-virus programs.
One that is often recommended is AVG. I'm one that likes it. :)
It is free.
Updates almost every day. Often several times daily.
You can download it here:
http://free.grisoft.com
-
Ok, I did all that. Yes, I do have S&D already.
It's the only program I have. Was wanting to know a good virus protector and such.
Regarding "and such" :
After you follow all of CBMatt's instructions, check out this post:
http://www.computerhope.com/forum/index.php/topic,45242.msg284012.html#msg284012
That should take you to « Reply #2 on: November 02, 2007 .
-
Vundofix found nothing.
I am the main user of this computer. My wife gets on it but not much...mostly just to check her mail or myspace. Why do you ask?
-----------------------------------
[11/06/2007, 9:52:46] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[11/06/2007, 9:52:52] - Detected System Information:
[11/06/2007, 9:52:52] - Windows Version: 5.1.2600, Service Pack 2
[11/06/2007, 9:52:52] - Current Username: Administrator (Admin)
[11/06/2007, 9:52:52] - Windows is in SAFE mode with Networking.
[11/06/2007, 9:52:52] - Searching for Browser Helper Objects:
[11/06/2007, 9:52:52] - BHO 1: {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} (MorpheusToolbar BHO)
[11/06/2007, 9:52:52] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[11/06/2007, 9:52:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/06/2007, 9:52:52] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[11/06/2007, 9:52:52] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[11/06/2007, 9:52:52] - BHO 3: {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} ()
[11/06/2007, 9:52:52] - WARNING: BHO has no default name. Checking for Winlogon reference.
[11/06/2007, 9:52:52] - Checking for HKLM\...\Winlogon\Notify\MBSRCAS
[11/06/2007, 9:52:52] - Key not found: HKLM\...\Winlogon\Notify\MBSRCAS, continuing.
[11/06/2007, 9:52:52] - Finished Searching Browser Helper Objects
[11/06/2007, 9:52:52] - Finishing up...
[11/06/2007, 9:52:53] - Nothing found! Exiting...
-----------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:59:33 AM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\Windows\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Windows\system32\wscntfy.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\WIRELESS\Wireless.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\High Jack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://visual-utopia.com/
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StandardKeyboard] C:\WINDOWS\WIRELESS\Wireless.exe
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\PROGRA~1\THEPRI~1\THEPRI~1.EXE" /startup
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: AdSubtract: Bypass Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://C:\Program Files\interMute\AdSubtract\AdSub.exe/359
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Documents and Settings\Administrator\Desktop\7.6 YurOTs\xampp\FileZillaFTP\FileZillaServer.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
-
I am the main user of this computer. My wife gets on it but not much...mostly just to check her mail or myspace. Why do you ask?
I ask because of this entry pointed out by dairyman: O4 - HKLM\..\Run: [svcmon] C:\inspect\PIN\svcmon.exe
It's a surveillance program called Personal Inspector. If you or your wife installed the program, then it should be fine. However, if it wasn't installed by either one of you, then your privacy may be at risk. If you don't recognize the software, you may want to have a talk with your wife about it.
http://www.sarc.com/avcenter/venc/data/spyware.personinspect.html
Other than that, your log looks clean now. I'm a bit weary of your Morpheus Toolbar, though. It's one of those things I don't entirely trust. If it's something you use and would like to keep, then that's fine. But if you don't really use it, you can uninstall it through Add/Remove Programs.
You don't appear to have any sufficient anti-virus protection, which is a big no-no. If you surf the internet without a full arsenal, you will get infected. Download AVG Free (http://free.grisoft.com/freeweb.php/doc/2), install it, and reboot. Then let it update itself. If you would like, you can choose to let it scan your computer every time you boot up. You should perform a full-system scan each week.
Also...you're vulnerable without a firewall, so you should look into getting either ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?lid=dbtopnav_za), Kerio Personal Firewall (http://www.sunbelt-software.com/Kerio.cfm), or Comodo (http://www.personalfirewall.comodo.com). They're all good free firewalls. Just be sure you only have one installed at a time! Download the firewall of your choice, disconnect from the internet, disable Windows Firewall, and install your new firewall.
Finally...I see that you don't have Java installed. You'll want to correct this quickly, as it will help provide further protection for you. To do so, go here (http://www.java.com/getjava/) and click on Free Java Download. You will be given instructions on what to do next.