Tom's Guide | Tom's Hardware | Tom's Games

Computing.Net > Forums > Security and Virus > Trojan/Virus?? Unwanted downloads

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Click here to start participating now! Also, check out the New User Guide.

Trojan/Virus?? Unwanted downloads

Reply to Message Icon

Name: guspr
Date: January 21, 2004 at 17:13:10 Pacific
OS: XP
CPU/Ram: PIII/768
Comment:

Help!
I have 'cable' internet and i am running Windows XP.
About a week ago i was contacted by my ISP and told that my bandwith usage was out of control. I have not been doing anything different that what i always did. They suggested that i should run 'DUMETER' to see my up/down traffic.
My virus protection/firewall (Norton Internet Security) had not detected any intrusions, neither had Trojan Remover.
Since then, i have done extensive system scans and run Ad-ware, Anti-Hacker Trojan expert, Spy remover, SpyBot and now I have Spy Blocker running at start up. None of these have detected anything.
For the last week I have not been running anything. Just 'boot' and monitor, ocasionally check e-mail and since then according to DUMETER 1.3Gb have been downloaded an avg of 250mb a day.

After some investigation I heard about 'BCRAY' and 'CUPDATE' both were present in my system, I was able (I think) to clean them out, but my problem persits, I did a Higjack This log....hopefully somebody can help

Logfile of HijackThis v1.97.7
Scan saved at 4:13:50 PM, on 21/01/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FaxTalk Messenger Pro\FTClCtrl.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpyBlocker Software\spyblocker.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\FaxTalk Messenger Pro\FTSPKPHN.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\FaxTalk Messenger Pro\FAPIEXE.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Soulseek\slsk.exe
H:\Program archive\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.hispeed.rogers.com"); (C:\Program Files\Netscape\Users\guspr\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [FaxTalk CallControl 6.0] C:\Program Files\FaxTalk Messenger Pro\FTClCtrl.exe /autoload
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [SpyBlocker] C:\Program Files\SpyBlocker Software\spyblocker.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Startup: FaxTalk Speakerphone.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Joyo (HKLM)
O9 - Extra button: PowerWord (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058669ca.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7921.7982291667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Thanks
Gus




Sponsored Link
Ads by Google

Response Number 1
Name: Abnormal
Date: January 21, 2004 at 19:57:09 Pacific
Reply:

Someone put a file sharing program on there.

C:\Program Files\Soulseek\slsk.exe

This is bad and blocked by SpywareBlaster.
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058669ca.exe

Others may spot something I missed.


0

Response Number 2
Name: Imp
Date: January 21, 2004 at 19:58:08 Pacific
Reply:

Hello Guspr,
You just understood the situation, when you are corrupted with a trojan horse, this one can keep asleep in your hard drive as long as you don't connect to internet....Trojan horses are not virus, but programs created by hackers to hijack your computer and steal vitals informations as for exemple credit cards numbers...
You need a specific program to detect and erase a trojan horse, download and try Trojan Remover 6.15 read well how to use the two scans embaded in the program, this is a freeware for one month, but fully updated... Good luck......


0

Response Number 3
Name: guspr
Date: January 22, 2004 at 13:57:08 Pacific
Reply:

Thanks Abnormal. I deleted/fixed that entry, it is not there anymore, but nothing has changed.
Gus


0
Reply to Message Icon

Related Posts

See More


I got something! A nasty! help with pop up virus



Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.


Go to Security and Virus Forum Home


Sponsored links
Ads by Google


Results for: Trojan/Virus?? Unwanted downloads
Trojan virus aftermath www.computing.net/answers/security/trojan-virus-aftermath/14532.html

Trojans/ viruses www.computing.net/answers/security/trojans-viruses/6924.html

download.trojan virus www.computing.net/answers/security/downloadtrojan-virus/10429.html