
Problems...needing help


Original Message
Name: ther0ck
Date: January 2, 2006 at 15:42:00 Pacific
Subject: Problems...needing help
OS: WinXP
CPU/Ram: Intel
Comment:

Hello, new to this forum and new to virus/trojan, etc. problems...I have had a computer for a while and never had any problems, but recently I was bombarded by several viruses/spyware/other infections...

I was hit by UnSPYPc, SPYSheriff, and I found trojan downloaders and trojans...

I have run multiple spyware/adware/malware and antivirus programs and have detected and treated a lot of things. (At first, my whole background, homepage and other things got changed, but I have managed to get my background and homepage back.)

Basically, I just want to know if I have anything else on my PC that hasn't been picked up yet and needs to be cleansed/repaired (the only real thing I have noticed that is still there is a little problem with viewing the toolbars, i.e. unchecking the google toolbar actually takes away another toolbar (not googles))




Response Number 1
Name: Bob (by BigBob)
Date: January 2, 2006 at 15:48:11 Pacific

Try Hijack This and paste your log to the Analyzer Page
And you may also want to try Trojan Remover

" You're only as safe as your last update "



Response Number 2
Name: ther0ck
Date: January 2, 2006 at 16:06:27 Pacific

Did what you suggested...
Trojan Remover found nothing...
And the analyzer showed some entries that were "possibly nasty"...
What should I do with those??



Response Number 3
Name: Bob (by BigBob)
Date: January 2, 2006 at 16:13:19 Pacific

What did they find?


Response Number 4
Name: Bob (by BigBob)
Date: January 2, 2006 at 16:14:28 Pacific

"Possibly nasty" likely means that the program doesn't recognise it.


Response Number 5
Name: Johnw
Date: January 2, 2006 at 16:21:40 Pacific

"possibly nasty"..

Put that file name into google.




Response Number 6
Name: ther0ck
Date: January 2, 2006 at 16:25:17 Pacific

One of them was like this...
"It seems that the name of this program is the same as the name of the file. In the most cases this is the result of trojans. To be sure, you should check this file."

Some were from PartyPoker.com (which I don't think are nasty)

And the others deal with IPs or domains that do not appear to be mine "If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too."



Response Number 7
Name: Bob (by BigBob)
Date: January 2, 2006 at 16:28:26 Pacific

Post me your list


Response Number 8
Name: ther0ck
Date: January 2, 2006 at 16:34:36 Pacific

Logfile of HijackThis v1.99.1
Scan saved at 6:52:33 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\11g USB adapter\Wifiusb.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [dmdak.exe] C:\WINDOWS\system32\dmdak.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: 802.11g USB adapter.lnk = C:\Program Files\11g USB adapter\Wifiusb.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Canasta - http://download.games.yahoo.com/games/clients/y/yt1_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11293418-7ACA-4AB0-88D7-82AB57C07723}: NameServer = 85.255.116.130,85.255.112.215
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C1A36A2-22DD-46B7-BDC2-0908FEA114DA}: NameServer = 85.255.116.130,85.255.112.215
O17 - HKLM\System\CS1\Services\Tcpip\..\{11293418-7ACA-4AB0-88D7-82AB57C07723}: NameServer = 85.255.116.130,85.255.112.215
O17 - HKLM\System\CS2\Services\Tcpip\..\{11293418-7ACA-4AB0-88D7-82AB57C07723}: NameServer = 85.255.116.130,85.255.112.215
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


Well..here is the log...



Response Number 9
Name: Bob (by BigBob)
Date: January 2, 2006 at 16:53:36 Pacific

This is to do with your virus:
O4 - HKLM\..\Run: [dmdak.exe] C:\WINDOWS\system32\dmdak.exe


Response Number 10
Name: Bob (by BigBob)
Date: January 2, 2006 at 16:57:01 Pacific

Check off these also:
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe



Response Number 11
Name: Bob (by BigBob)
Date: January 2, 2006 at 17:02:17 Pacific

If this is not your ISP's server, fix these also:
O17 - HKLM\System\CCS\Services\Tcpip\..\{11293418-7ACA-4AB0-88D7-82AB57C07723}: NameServer = 85.255.116.130,85.255.112.215
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C1A36A2-22DD-46B7-BDC2-0908FEA114DA}: NameServer = 85.255.116.130,85.255.112.215
O17 - HKLM\System\CS1\Services\Tcpip\..\{11293418-7ACA-4AB0-88D7-82AB57C07723}: NameServer = 85.255.116.130,85.255.112.215
O17 - HKLM\System\CS2\Services\Tcpip\..\{11293418-7ACA-4AB0-88D7-82AB57C07723}: NameServer = 85.255.116.130,85.255.112.215


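The two checks the thread leans on, the analyzer's "Run label is the same as the file name" hint and Bob's "fix the O17 entries if that is not your ISP's server", can be scripted over a HijackThis log. The script below is an added example, not part of the thread and not HijackThis or its analyzer; the sample lines are copied from the log posted above, and the set of expected resolvers (192.168.1.1 here) is an assumption that the person running it supplies.

```python
import ntpath
import re

# Constructed sample in HijackThis v1.99 format, using O4 and O17 lines from the
# log in this thread plus one O17 line with an assumed legitimate router resolver.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [dmdak.exe] C:\WINDOWS\system32\dmdak.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O17 - HKLM\System\CCS\Services\Tcpip\..\{11293418-7ACA-4AB0-88D7-82AB57C07723}: NameServer = 85.255.116.130,85.255.112.215
O17 - HKLM\System\CS1\Services\Tcpip\..\{11293418-7ACA-4AB0-88D7-82AB57C07723}: NameServer = 192.168.1.1
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)$")


def exe_name(cmd):
    """Base name of the executable in a Run-key command line (quoted or not)."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', cmd, re.IGNORECASE)
    path = (m.group(1) or m.group(2)) if m else cmd.split()[0]
    return ntpath.basename(path)


def analyze(log_text, expected_nameservers):
    """Return (code, reason, line) for each suspicious O4 or O17 entry."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            # Analyzer heuristic from the thread: label identical to the file name.
            if m["label"].lower() == exe_name(m["cmd"]).lower():
                findings.append(("O4", f"Run label '{m['label']}' equals file name", line))
            continue
        m = O17_RE.match(line)
        if m:
            # Bob's rule: any resolver that is not the ISP's (or the LAN's) is suspect.
            rogue = [s for s in m["servers"].split(",") if s not in expected_nameservers]
            if rogue:
                findings.append(("O17", "NameServer not in expected set: " + ",".join(rogue), line))
    return findings


if __name__ == "__main__":
    for code, reason, line in analyze(SAMPLE_LOG, {"192.168.1.1"}):
        print(f"{code}: {reason}\n    {line}")
```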

Response Number 12
Name: ther0ck
Date: January 2, 2006 at 17:02:55 Pacific

Alright...done and done...
Anything else I should do?



Response Number 13
Name: Bob (by BigBob)
Date: January 2, 2006 at 17:04:14 Pacific

Reboot and run HJT again.


Response Number 14
Name: ther0ck
Date: January 2, 2006 at 18:05:20 Pacific

Sorry about that...had to do something...
Anyways...rebooted and ran HJT again...
Looks alright I guess...Even though I wasn't sure about the ISP server things....the first number listed I see, but the 2nd number I dunno :\



Response Number 15
Name: ther0ck
Date: January 2, 2006 at 18:06:33 Pacific

Also, the whole viewing internet toolbars is still messed...

