Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

« previous next »
Pages: [1] 2  All   Go Down

Author Topic: Spyware/Virus causing wacko results  (Read 8874 times)

0 Members and 1 Guest are viewing this topic.

Xeratul

    Topic Starter
  • 100,000th poster


    • Hopeful
  • Experience: Familiar
  • OS: Windows 7
Spyware/Virus causing wacko results
« on: February 21, 2006, 09:41:13 PM »
I'm having quite a few problems tonight which I think are being caused by a Spyware/Virus.
I ran some scans and put my all my firewalls up.
When I ran my scans Adaware picked up a trojan living in system32, and I deleted it.

My first problem is that I can't get to Task Manager by pressing Ctrl-Alt-Delete. It simply doesn't do anything. I went to the C:\WINDOWS\System32 folder where the file "taskmgr" lives and attempt to run it, and it gives me the error "Another program is using this file." I copied and pasted it on to the desktop.Where it can run the copy fine.  :-?

The Second problem is that whenever I completely exit (not just banish it to the quickbar) Limewire 4.10.9 it restarts moments later. I've searched some limewire forums, and have seen some people with the same problem.  :-/

My last problem is that my all my command prompts are screwy (cmd.exe, command.exe).  >:(
I have another thread on this forum about this problem here ----> http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1140571622/0

Thanks for your guys help.
« Last Edit: February 21, 2006, 10:23:44 PM by Wraith112 »
Logged

GX1_Man

  • Guest
Re: Spyware/Virus causing wacko results
« Reply #1 on: February 22, 2006, 04:47:49 AM »
Did you try all of this:

http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1134123580


P2P file sharing is a great way to get all of this.  ;)
Logged

Xeratul

    Topic Starter
  • 100,000th poster


    • Hopeful
  • Experience: Familiar
  • OS: Windows 7
Re: Spyware/Virus causing wacko results
« Reply #2 on: February 22, 2006, 08:07:31 PM »
Well, I've run Adaware, AVG, and Norton which have picked up a few things. All of which I deleted.
Whatever is causing these problems isn't being picked up by my scanners.    :(

Here is a hijackthis log file.

Logfile of HijackThis v1.99.1
Scan saved at 7:49:38 AM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PRISMSVR.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\WINDOWS\system32\winlogi.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jay\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 127.0
O1 - Hosts: 12zsearchtoolbar.com
O1 - Hosts: 12zsearchtoolbar.com
O1 - Hosts: 12
O1 - Hosts: 127.0.
O1 - Hosts: u.com
O1 - Hosts: com
O1 - Hosts: r.com
O1 - Hosts: bar.com
O1 - Hosts: olbar.com
O1 - Hosts: toolbar.com
O1 - Hosts: ertoolbar.com
O1 - Hosts: wsertoolbar.com
O1 - Hosts: rowsertoolbar.com
O1 - Hosts: 127.0.
O1 - Hosts: 127.0.0
O1 - Hosts: 1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
« Last Edit: February 22, 2006, 08:12:20 PM by Wraith112 »
Logged

Xeratul

    Topic Starter
  • 100,000th poster


    • Hopeful
  • Experience: Familiar
  • OS: Windows 7
Re: Spyware/Virus causing wacko results
« Reply #3 on: February 22, 2006, 08:08:26 PM »
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Desktop Macros] C:\Program Files\Desktop Macros\MacroS.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Logged

Xeratul

    Topic Starter
  • 100,000th poster


    • Hopeful
  • Experience: Familiar
  • OS: Windows 7
Re: Spyware/Virus causing wacko results
« Reply #4 on: February 22, 2006, 08:08:58 PM »
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B3DEDA-EF7F-40AE-81C8-EF9F78409863}: NameServer = 67.21.13.2,67.21.13.4
O20 - Winlogon Notify: accwms - C:\WINDOWS\system\accwms.dll (file missing)
O20 - Winlogon Notify: infoap - C:\WINDOWS\system32\IAS\infoap.dll (file missing)
O20 - Winlogon Notify: keyodbc - C:\WINDOWS\system\keyodbc.dll (file missing)
O20 - Winlogon Notify: netcr - C:\WINDOWS\Config\netcr.dll (file missing)
O20 - Winlogon Notify: svrmc - C:\WINDOWS\MICROS~1.NET\svrmc.dll (file missing)
O20 - Winlogon Notify: sysodbc - C:\WINDOWS\Cursors\sysodbc.dll (file missing)
O20 - Winlogon Notify: taskad - C:\WINDOWS\AppPatch\taskad.dll (file missing)
O20 - Winlogon Notify: tasklog - C:\WINDOWS\AppPatch\tasklog.dll (file missing)
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
Logged

rockerest



    Hopeful
    • Yes
  • Experience: Experienced
  • OS: Windows 7
Re: Spyware/Virus causing wacko results
« Reply #5 on: February 22, 2006, 08:22:46 PM »
OK, first of all, look at the bottom of your first HJT logfile post...

Quote
O1 - Hosts: com
O1 - Hosts: r.com
O1 - Hosts: bar.com
O1 - Hosts: olbar.com
O1 - Hosts: toolbar.com
O1 - Hosts: ertoolbar.com
O1 - Hosts: wsertoolbar.com
O1 - Hosts: rowsertoolbar.com
O1 - Hosts: 127.0.
O1 - Hosts: 127.0.0
O1 - Hosts: 1

That's all crap.......whatever it is, your software didn't catch it......

And that's just the stuff that caught my eye.......

and what is:
         O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B3DEDA-EF7F-40AE-81C8-EF9F78409863}: NameServer = 67.21.13.2,67.21.13.4
????????

Not good.....try going to this site: http://www.hijackthis.de/
and pasting your logfile in the textbox.  Click analyze, and it should give you a good idea of what's bad on your computer....

These things are no doubt the reason for your problems........

-rock
Logged
In general, the PEBKAC.  Whether it's now or was three weeks ago, the PEBKAC.
Unsafe browsing and general computer / internet illiteracy IS the users problem.  Don't have sex if you don't know how to use a condom.
Also, there are 10 types of people in the world, those who understand binary, and those who don't.

rockerest



    Hopeful
    • Yes
  • Experience: Experienced
  • OS: Windows 7
Re: Spyware/Virus causing wacko results
« Reply #6 on: February 22, 2006, 08:29:00 PM »
Quote
Well, I've run Adaware, AVG, and Norton which have picked up a few things. All of which I deleted.
Whatever is causing these problems isn't being picked up by my scanners.    :(

Here are the things I would mark as "what is this?" (look 'em up on google)
Quote
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PRISMSVR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\winlogi.exe
C:\Program Files\Digital Line Detect\DLG.exe
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
Here's the stuff I would mark as SPYWARE!  Get rid of em, but don't take my word for it, do some research
Quote
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
O1 - Hosts: 127.0
O1 - Hosts: 12zsearchtoolbar.com
O1 - Hosts: 12zsearchtoolbar.com
O1 - Hosts: 12
O1 - Hosts: 127.0.
O1 - Hosts: u.com
O1 - Hosts: com
O1 - Hosts: r.com
O1 - Hosts: bar.com
O1 - Hosts: olbar.com
O1 - Hosts: toolbar.com
O1 - Hosts: ertoolbar.com
O1 - Hosts: wsertoolbar.com
O1 - Hosts: rowsertoolbar.com
O1 - Hosts: 127.0.
O1 - Hosts: 127.0.0
O1 - Hosts: 1
Here's stuff I would mark as UNNEEDED!  Your choice!
Quote
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
Logged
In general, the PEBKAC.  Whether it's now or was three weeks ago, the PEBKAC.
Unsafe browsing and general computer / internet illiteracy IS the users problem.  Don't have sex if you don't know how to use a condom.
Also, there are 10 types of people in the world, those who understand binary, and those who don't.

rockerest



    Hopeful
    • Yes
  • Experience: Experienced
  • OS: Windows 7
Re: Spyware/Virus causing wacko results
« Reply #7 on: February 22, 2006, 08:29:35 PM »
That's just your first post, use a discerning eye for the rest, and try that site.......
Logged
In general, the PEBKAC.  Whether it's now or was three weeks ago, the PEBKAC.
Unsafe browsing and general computer / internet illiteracy IS the users problem.  Don't have sex if you don't know how to use a condom.
Also, there are 10 types of people in the world, those who understand binary, and those who don't.

Xeratul

    Topic Starter
  • 100,000th poster


    • Hopeful
  • Experience: Familiar
  • OS: Windows 7
Re: Spyware/Virus causing wacko results
« Reply #8 on: February 22, 2006, 08:33:17 PM »
Thanks, I'll get right to work.  :)
Logged

rockerest



    Hopeful
    • Yes
  • Experience: Experienced
  • OS: Windows 7
Re: Spyware/Virus causing wacko results
« Reply #9 on: February 22, 2006, 08:38:16 PM »
Quote
Here are the things I would mark as "what is this?" (look 'em up on google)
Quote
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

Oops, this one isn't unknown....it's the Java update scheduler, I believe.  Probably harmless, but you might want to check it out or disable it....

-rock
« Last Edit: February 22, 2006, 08:38:37 PM by rockerest »
Logged
In general, the PEBKAC.  Whether it's now or was three weeks ago, the PEBKAC.
Unsafe browsing and general computer / internet illiteracy IS the users problem.  Don't have sex if you don't know how to use a condom.
Also, there are 10 types of people in the world, those who understand binary, and those who don't.

Xeratul

    Topic Starter
  • 100,000th poster


    • Hopeful
  • Experience: Familiar
  • OS: Windows 7
Re: Spyware/Virus causing wacko results
« Reply #10 on: February 22, 2006, 09:15:20 PM »
The ones you said were spyware were indeed nasties.

I think the following is benign. It's one of my ISPs servers or something.
It's the address I get when I run the nslookup command in DOS.

Code: [Select]
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B3DEDA-EF7F-40AE-81C8-EF9F78409863}: NameServer = 67.21.13.2,67.21.13.4
Now that I've located the infections now I need to remove them...
I made another forum where I asked how ----> http://www.computerhope.com/cgi-bin/yabb/YaBB.cgi?num=1140666386/0
« Last Edit: February 22, 2006, 09:46:29 PM by Wraith112 »
Logged

dl65

  • R.I.P.


    • Prodigy

    Thanked: 18
    Re: Spyware/Virus causing wacko results
    « Reply #11 on: February 22, 2006, 09:29:47 PM »

    Run hijackthis and then mark for removal the following :

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local    
     
    O1 - Hosts: 127.0    

    O1 - Hosts: 12zsearchtoolbar.com    

    O1 - Hosts: 12zsearchtoolbar.com    

    O1 - Hosts: 12    

    O1 - Hosts: 127.0.    

    O1 - Hosts: u.com    

    O1 - Hosts: com    
     
    O1 - Hosts: r.com    
     
    O1 - Hosts: bar.com    

    O1 - Hosts: olbar.com    

    O1 - Hosts: toolbar.com    
     
    O1 - Hosts: ertoolbar.com    

    O1 - Hosts: wsertoolbar.com    

    O1 - Hosts: rowsertoolbar.com    

    O1 - Hosts: 127.0.    

    O1 - Hosts: 127.0.0    

    O1 - Hosts: 1    

    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)  

    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll    
     
     O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab

    O20 - Winlogon Notify: accwms - C:\WINDOWS\system\accwms.dll (file missing)    

    O20 - Winlogon Notify: infoap - C:\WINDOWS\system32\IAS\infoap.dll (file missing)    
     
    O20 - Winlogon Notify: keyodbc - C:\WINDOWS\system\keyodbc.dll (file missing)    

    O20 - Winlogon Notify: netcr - C:\WINDOWS\Config\netcr.dll (file missing)    

    O20 - Winlogon Notify: svrmc - C:\WINDOWS\MICROS~1.NET\svrmc.dll (file missing)    
     
    O20 - Winlogon Notify: sysodbc - C:\WINDOWS\Cursors\sysodbc.dll (file missing)    
     
    O20 - Winlogon Notify: taskad - C:\WINDOWS\AppPatch\taskad.dll (file missing)    
     
    O20 - Winlogon Notify: tasklog - C:\WINDOWS\AppPatch\tasklog.dll (file missing)    
      
        
    O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)  

    O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

    Once you have these marked for removal ...click on fix checked ...

    Then reboot and post a new logfile for us to look at .......

    There are also a number of other entries which may have to be removed as well , but lets start with these.

    dl65  ::)

    Logged
    If you don't know the answer, it isn't a dumb question.

    Xeratul

      Topic Starter
    • 100,000th poster


      • Hopeful
    • Experience: Familiar
    • OS: Windows 7
    Re: Spyware/Virus causing wacko results
    « Reply #12 on: February 22, 2006, 09:44:52 PM »
    I tryed to delete all those. Here's my new hijackthis log...

    Logfile of HijackThis v1.99.1
    Scan saved at 8:42:16 PM, on 2/22/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\PRISMSVR.EXE
    C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\MsMovies\MsMovies.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jay\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0

    \Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec

    Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton

    AntiVirus\NavShExt.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec

    Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton

    AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

    « Last Edit: February 22, 2006, 09:48:56 PM by Wraith112 »
    Logged

    Xeratul

      Topic Starter
    • 100,000th poster


      • Hopeful
    • Experience: Familiar
    • OS: Windows 7
    Re: Spyware/Virus causing wacko results
    « Reply #13 on: February 22, 2006, 09:45:35 PM »
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Desktop Macros] C:\Program Files\Desktop Macros\MacroS.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
    O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B5B3DEDA-EF7F-40AE-81C8-EF9F78409863}: NameServer = 67.21.13.2,67.21.13.4
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    Logged

    Xeratul

      Topic Starter
    • 100,000th poster


      • Hopeful
    • Experience: Familiar
    • OS: Windows 7
    Re: Spyware/Virus causing wacko results
    « Reply #14 on: February 22, 2006, 09:45:57 PM »
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton

    AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%

    ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec

    Shared\SNDSrvc.exe
    Logged
    Pages: [1] 2  All   Go Up
    « previous next »