Shoutbox

infections all around - Printable Version

-Shoutbox (https://shoutbox.menthix.net)
+-- Thread: infections all around (/showthread.php?tid=55525)

infections all around by [MR] on 02-03-2006 at 08:00 PM

The other day I downloaded what I thought was going to be a no-CD crack for a game. It happened to be a program that deploys loads of adware and spyware and such. I have been scanning and removing for days and looking through Google and some adware/spyware removal forums, which helped a bit but not really that much. I have used XoftSpy, Ad-Aware, Trend Micro Anti-Spyware, L2MFix, Spybot, and Symantec AntiVirus. They have helped to get loads off my computer, but there is still much on my computer. Oh, and I have used HijackThis, but I'm not really sure how to use it; I can post my log file from HijackThis on here if that is helpful. I know that Internet Explorer is running in the background and causes popups, but that has gotten better; just a few more things I need help with there. Firefox has tons of popups, and icons appearing on my desktop and such. I have no doubt whatsoever that it is adware and spyware junk. Some of the sites that want to pop up are "big discounts", some place called ad-w-a-r-e.com, and others. These only occur in Firefox. Some threats I had a few minutes ago were CoolWWWSearch and things like that.
Now Trend Micro AS is coming up with tspy_small, adware_bhot, adware_bhot_accoona, tspy_agent, expl_mhtredir, adware_look2me and adware_zestyfind, which were all detected by SAV as well, but I guess it couldn't delete them? Anyway, here is the log file from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 1:58:47 PM, on 2/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\Tmas\tmas.exe
C:\Documents and Settings\Michael Ruffner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [µTorrent] "C:\Documents and Settings\Michael Ruffner\My Documents\My Downloads\utorrent.exe"
O4 - Startup: XPizeReloader.lnk = C:\WINDOWS\XPize\XPizeReloader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\kt00l7dm1.dll
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
O21 - SSODL: AidnDTTdveqsIofy - {34FF400D-9E55-EAA7-B480-A4AA6415A2D8} - C:\WINDOWS\system32\vcd.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Program Files\HHVcdV7Sys\VC7SecS.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)



thanks.
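Reading a HijackThis log by hand is the hard part of this kind of cleanup, and the log above shows the entries a responder looks at first: O20 Winlogon Notify DLLs (loaded into winlogon.exe, so they run as SYSTEM at every logon), O21 SSODL entries (loaded into explorer.exe), and orphaned "(file missing)"/"(no file)" leftovers. The script below is an added example, not something posted in the thread and not a HijackThis or vendor tool: it parses the entry syntax of HijackThis 1.99.x and applies two heuristics that are assumptions of this example, not signatures: a Winlogon Notify subkey whose name does not match its DLL's file name (the log's "BITS" entry pointing at kt00l7dm1.dll is the pattern), and an SSODL value name outside the small set a stock XP SP2 install carries (WebCheck, PostBootReminder, CDBurn, SysTray; treat that baseline as an assumption and adjust it to your own image). The sample input is a constructed subset of the log above, copied line for line except that "µTorrent" is written "uTorrent".

```python
"""Triage helper for a HijackThis 1.99.x log (added example, not vendor code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - <default> - (no file)
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Michael Ruffner\My Documents\My Downloads\utorrent.exe"
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\kt00l7dm1.dll
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
O21 - SSODL: AidnDTTdveqsIofy - {34FF400D-9E55-EAA7-B480-A4AA6415A2D8} - C:\WINDOWS\system32\vcd.dll (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Assumed baseline: SSODL value names present on a stock Windows XP SP2 install.
KNOWN_SSODL = {"WebCheck", "PostBootReminder", "CDBurn", "SysTray"}
ORPHAN_TAGS = ("(file missing)", "(no file)")
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<rest>.+)$")
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reasons: List[Tuple[str, str]] = field(default_factory=list)  # (level, text)

    @property
    def severity(self) -> str:
        return "high" if any(level == "high" for level, _ in self.reasons) else "info"


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split 'O20 - Winlogon Notify: ...' into ('O20', 'Winlogon Notify: ...')."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("section"), m.group("rest")) if m else None


def file_stem(target: str) -> str:
    """Lower-cased file name without directory, quotes, extension or orphan tag."""
    t = target
    for tag in ORPHAN_TAGS:
        t = t.replace(tag, "")
    t = t.strip().strip('"')
    t = t.replace("/", "\\").rsplit("\\", 1)[-1]
    return t.rsplit(".", 1)[0].lower()


def triage(log_text: str) -> List[Finding]:
    """Return the entries worth a second look, each with its reasons."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, rest = parsed
        label, _, body = rest.partition(": ")
        # Generic 'name - ... - path' layout; the last field is the file.
        name, _, target = body.partition(" - ")
        target = target.rsplit(" - ", 1)[-1]
        reasons: List[Tuple[str, str]] = []

        if section == "O20" and label == "Winlogon Notify":
            # A subkey named after a Windows component but pointing at an
            # unrelated DLL is a common hiding spot: flag any name/file mismatch.
            if file_stem(target) != name.lower():
                reasons.append(("high", "Winlogon Notify subkey name does not match its DLL"))
        elif section == "O21" and label == "SSODL":
            if name not in KNOWN_SSODL:
                reasons.append(("high", "SSODL value not in the stock XP set (loads into explorer.exe)"))
        elif section == "O4":
            m = RUN_RE.match(rest)
            if m:
                name, target = m.group("name"), m.group("cmd")
                if "documents and settings" in target.lower():
                    reasons.append(("info", "Run entry launches a binary from a user profile directory"))

        if any(tag in rest for tag in ORPHAN_TAGS):
            reasons.append(("info", "file missing: entry cannot execute, remove as cleanup"))

        if reasons:
            findings.append(Finding(section, name, target, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section} {f.name}: {f.target}")
        for level, text in f.reasons:
            print(f"    - ({level}) {text}")
```

Run against the sample, the script leaves NavLogon (name and DLL agree) and the Symantec service alone, marks BITS, htproc and ssldr as high because the subkey name and DLL name disagree, marks the SSODL entry as high because its value name is not part of the assumed baseline, and lists the orphaned R3 hook and the profile-launched uTorrent entry as info-level cleanup items. Treat the output as a review queue, not a verdict: a mismatch is a reason to check the DLL's publisher and hash, not proof by itself.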


RE: infections all around by user27089 on 02-03-2006 at 08:02 PM

System Restore to a few days back... 8-).


RE: infections all around by [MR] on 02-03-2006 at 08:05 PM

All my restore points were deleted :-/


RE: infections all around by GiantSpider on 02-03-2006 at 08:06 PM

Recovery Disk?


RE: infections all around by [MR] on 02-03-2006 at 08:06 PM

Don't have one, but it's not to the point of severity where I need a recovery disk.


RE: infections all around by Millenium_edition on 02-03-2006 at 08:07 PM

Try booting up in safe mode and then looking in your registry... EliteBar used code injection in every open process and hid itself from the registry until I booted in safe mode.


RE: infections all around by [MR] on 02-03-2006 at 08:16 PM

There was no EliteBar in regedit, and I am in safe mode now. What else shouldn't be there?


RE: infections all around by ShawnZ on 02-03-2006 at 08:17 PM

Run a virus scan in safe mode.


RE: infections all around by [MR] on 02-03-2006 at 08:43 PM

Scanning...

I was looking through the users of my computer and I was unfamiliar with these circled:
[Image: wtf3nt.jpg]

I'm sure they are safe to delete but just want to make sure.


RE: infections all around by ShawnZ on 02-03-2006 at 08:46 PM

NFI what CREATOR OWNER is, but Everyone represents every user on the system (by the way, those are the user groups, not the users).


RE: infections all around by [MR] on 02-03-2006 at 08:48 PM

I have never heard of CREATOR OWNER either, so I guess I'll delete it.


RE: infections all around by Snake on 02-03-2006 at 08:51 PM

The death command...

C:\format C:


RE: infections all around by [MR] on 02-03-2006 at 08:58 PM

quote:
Originally posted by snake1131
The death command...

C:\format C:

That won't work unless I'm in DOS :dodgy:

And I have too much stuff on my computer that I want to keep.


RE: infections all around by ShawnZ on 02-03-2006 at 09:01 PM

quote:
Originally posted by [MR]
That won't work unless I'm in DOS

Won't work anyway =p


RE: infections all around by kittymew on 02-03-2006 at 09:55 PM

http://www.ewido.net/en/download/

Try this... but repeat the process after rebooting several times.


RE: infections all around by [MR] on 02-04-2006 at 01:39 AM

These are the types of ads I was talking about earlier:
[Image: ads3gl.th.jpg]

quote:
Originally posted by beamy-kitty
http://www.ewido.net/en/download/

Try this... but repeat the process after rebooting several times.

Thanks for the link, I am halfway done with the scanning and it's already found like 70 items. Gracias :D


RE: infections all around by Dane on 02-04-2006 at 02:09 AM

You could always buy Norton Internet Security 2006 and use the live disk to scan your computer before Windows is even started. And then keep proactive protection. ;)


RE: infections all around by ShawnZ on 02-04-2006 at 02:20 AM

quote:
Originally posted by Dane
You could always buy Norton Internet Security 2006 and use the live disk to scan your computer before Windows is even started. And then keep proactive protection.

I wouldn't suggest it. The live disk breaks things.


RE: infections all around by [MR] on 02-04-2006 at 03:43 AM

I have had that before and hated it, so I'm not reinstalling it. I don't trust Norton like I do Symantec AV.


RE: RE: infections all around by kittymew on 02-04-2006 at 03:57 AM

quote:
Originally posted by [MR]
These are the types of ads I was talking about earlier:
[Image: ads3gl.th.jpg]

quote:
Originally posted by beamy-kitty
http://www.ewido.net/en/download/

Try this... but repeat the process after rebooting several times.

Thanks for the link, I am halfway done with the scanning and it's already found like 70 items. Gracias :D


You're welcome.. :D


RE: infections all around by Dane on 02-04-2006 at 05:48 AM

Erm... the Norton Live Disk does not break your computer. If anything, it can remove viruses more easily because Windows isn't running processes or locking files.


RE: infections all around by [MR] on 02-04-2006 at 05:53 AM

Here is another thing that has happened since the adware/spyware outbreak on my computer. The quality of the icon shadows is the equivalent of the icons in Windows ME if you are running IconPackager:

[Image: jkjkjk0rt.jpg]

I have already reinstalled the drivers for the graphics card and looked around in the computer settings and can't find anything. Any help will result in a thank you.

quote:
Originally posted by Dane
Erm... the Norton Live Disk does not break your computer. If anything, it can remove viruses more easily because Windows isn't running processes or locking files.

Is it like the setup CD of Internet Security or NAV, where you boot from it and your computer scans from the CD in DOS? If so, I have a Norton CD that can do that. I will try that in a bit.
RE: infections all around by AJR on 02-04-2006 at 07:06 AM

Very simple solution really. Burn the files you wish to keep onto a (few) DVDs. And do the files one by one; don't do the whole folder, as you don't want anything unsafe.

Afterwards, reformat. I doubt you will ever get fully rid of it unless you do this.


RE: infections all around by [MR] on 02-04-2006 at 07:09 AM

I don't want to reformat. I know how to back up, AJR; I wouldn't use DVDs anyway, they take too long. I always back things up on my iPod. I think there is a way to get it all off and not reformat.