Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Computer Support > Malware/Spyware Infestation

Malware/Spyware Infestation

 
 
Mike
Guest
Posts: n/a
 
      04-27-2005
Latitude D800 W2K Pro SP4, McAfee VirusScan w/ latest .dat file, just
installed Google toolbar w/o advanced options, no firewall - infested with
spyware/malware and trojans. Ran Spybot Search and Destroy, Immunize;
CWShredder, Ad-Aware and McAfee with latest virus definition files. Removed
>50 infections. Still lots of pop-ups and stuff I can't remove, e.g.
caxbxnc.exe, rzavap.exe, YH.dr, daun.exe. Here's my HijackThis log:

Thanks, Mike

Logfile of HijackThis v1.99.1
Scan saved at 10:00:31 PM, on 04/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\basfipm.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\System32\DSentry.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\bju3w2ep\bju3w2ep.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan1.exe
C:\winnt\system32\ksvobjr.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\NetZero\exec.exe
C:\winnt\system32\calc.exe
C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe
C:\Program Files\bju3w2ep\77134336.exe
C:\Program Files\bju3w2ep\bju3w2ep.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Oemji\Toolbar\PopupBlocker\OemjiPopupBlocker.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\rzavap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://government.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.oemji.com/side_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://www.oemji.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.oemji.com/side_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://www.oemji.com/side_search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} -
C:\WINNT\dlmax.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: PBHelper - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program
Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll
O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} -
C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program
Files\Oemji\Toolbar\OemjiSrc.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program
Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Documents and
Settings\vhabaldixonl\Desktop\AirPlusCFG.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint
Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [bju3w2ep] C:\Program Files\bju3w2ep\bju3w2ep.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteyrs32.exe
O4 - HKLM\..\Run: [BMan] C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan1.exe
O4 - HKLM\..\Run: [ksvobjr] c:\winnt\system32\ksvobjr.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rzavap.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [sfmpbk] C:\WINNT\system32\sfmpbk.exe
O4 - Global Startup: D-Link AirPlus Xtreme G DWL-G650 Adapter Utility.lnk =
C:\Program Files\D-Link AirPlus Xtreme G DWL-G650\AirPlus.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line
Detect\DLG.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program
Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program
files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program
Files\AIM\aim.exe
O16 - DPF: Yahoo! Dots -
http://download.games.yahoo.com/game...s/y/dtt1_x.cab
O16 - DPF: Yahoo! Go Fish -
http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 -
http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://download.games.yahoo.com/game...ploader_v6.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program
Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) -
Broadcom Corp. - C:\WINNT\System32\basfipm.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) -
VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common
Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
C:\WINNT\System32\nvsvc32.exe


 
 
 
 
 
°Mike°
Guest
Posts: n/a
 
      04-27-2005
In <BXCbe.8166$yc.758@trnddc04>,
Mike took 166 lines to utter:

> Latitude D800 W2K Pro SP4, McAfee VirusScan w/ latest .dat file, just
>installed Google toolbar w/o advanced options, no firewall - infested with
>spyware/malware and trojans. Ran Spybot Search and Destroy, Immunize;
>CWShredder, Ad-Aware and McAfee with latest virus definition files. Removed
> >50 infections. Still lots of pop-ups and stuff I can't remove, e.g.
>caxbxnc.exe, rzavap.exe, YH.dr, daun.exe. Here's my HijackThis log:
>
>Thanks, Mike
>
>Logfile of HijackThis v1.99.1
>Scan saved at 10:00:31 PM, on 04/26/2005
>Platform: Windows 2000 SP4 (WinNT 5.00.2195)
>MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
>Running processes:


<snip>

>C:\Program Files\bju3w2ep\bju3w2ep.exe
>C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan1.exe
>C:\winnt\system32\ksvobjr.exe
>C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
>C:\Program Files\bju3w2ep\77134336.exe
>C:\Program Files\bju3w2ep\bju3w2ep.exe
>C:\Program Files\Oemji\Toolbar\PopupBlocker\OemjiPopupBlocker.exe
>C:\WINNT\system32\rzavap.exe


Terminate all of the ABOVE running processes (CTRL+ALT+DEL).


>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
>http://www.oemji.com/side_search.html


>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
>http://www.oemji.com


>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
>http://www.oemji.com/side_search.html


>R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
>http://www.oemji.com/side_search.html


Have HijackThis fix the above 4 entries.


>O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} -
>C:\WINNT\dlmax.dll


>O2 - BHO: PBHelper - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program
>Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll


>O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} -
>C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll


>O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)


Have HijackThis fix the above 4 entries.


>O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program
>Files\Oemji\Toolbar\OemjiSrc.dll


Have HijackThis fix the above entry.


>O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16


>O4 - HKLM\..\Run: [bju3w2ep] C:\Program Files\bju3w2ep\bju3w2ep.exe


>O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteyrs32.exe


>O4 - HKLM\..\Run: [BMan] C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan1.exe


>O4 - HKLM\..\Run: [ksvobjr] c:\winnt\system32\ksvobjr.exe


>O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rzavap.exe


>O4 - HKCU\..\Run: [sfmpbk] C:\WINNT\system32\sfmpbk.exe


Have HijackThis fix the above 7 entries and delete the associated files.


>O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
>Office\Office\OSA9.EXE


The above is not needed (it's not nasty), and can be disabled (fixed).


>O16 - DPF:


Have HijackThis fix all of the O16 - DPF entries. They are ActiveX
controls, and will be re-downloaded if and when necessary.


--
Basic computer maintenance
http://uk.geocities.com/personel44/maintenance.html
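The triage applied in the reply above (check where the R0/R1 settings point, flag orphaned or oddly placed O2 BHOs, flag O4 Run entries that launch unrecognised executables from random-looking or Windows directories) can be run mechanically over a HijackThis log. The script below is an added example, not code from the thread or from HijackThis; its sample lines are constructed from entries in this log, and the trusted-host and known-good lists are assumptions an analyst would fill in for the machine at hand.

```python
import re

# Constructed sample in HijackThis v1.99 log format, built from the kinds of entries
# the reply above singles out (paths and names as they appear in this thread).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oemji.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINNT\dlmax.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bju3w2ep] C:\Program Files\bju3w2ep\bju3w2ep.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\rzavap.exe
O4 - HKCU\..\Run: [sfmpbk] C:\WINNT\system32\sfmpbk.exe
"""
# Analyst-supplied context (assumed, not from the thread): hosts the user chose on purpose
# and autostart executables already identified as legitimate.
TRUSTED_HOSTS = {"www.yahoo.com", "government.dellnet.com"}
KNOWN_GOOD_EXES = {"apoint.exe", "quickset.exe", "dsentry.exe", "gcasserv.exe"}

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r'^HK\w+\\\.\.\\Run: \[[^\]]*\] "?(?P<exe>.+?\.exe)', re.I)
RANDOM_DIR = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{6,10}$")  # e.g. bju3w2ep


def triage(log_text):
    """Apply the reply's heuristics to each entry; returns a list of (code, reason, line)."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):  # IE start/search settings: where do they point?
            host = re.search(r"= https?://([^/\s]+)", body)
            if host and host.group(1) not in TRUSTED_HOSTS:
                findings.append((code, "setting points at untrusted host " + host.group(1), line))
        elif code == "O2":  # browser helper objects loaded into IE
            target = body.rsplit(" - ", 1)[-1]
            if target == "(no file)":
                findings.append((code, "orphaned BHO registration, no DLL on disk", line))
            elif not target.lower().startswith("c:\\program files\\"):
                findings.append((code, "BHO DLL loaded from outside Program Files", line))
        elif code == "O4" and RUN_ENTRY.match(body):  # registry Run autostarts
            parts = RUN_ENTRY.match(body).group("exe").lower().split("\\")
            if parts[-1] in KNOWN_GOOD_EXES:
                continue
            if "winnt" in parts or "system32" in parts:
                findings.append((code, "unrecognised autostart in the Windows directory", line))
            elif any(RANDOM_DIR.match(d) for d in parts[:-1]):
                findings.append((code, "autostart from a random-looking directory", line))
    return findings
```

Each finding is a lead for the analyst to confirm, not a verdict; Run entries that launch via rundll32 without an .exe path (such as the AUNPS2 line in the log) are left for manual review.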
 
 
 
 
 
elaich
Guest
Posts: n/a
 
      04-27-2005
"Mike" <(E-Mail Removed)> wrote in news:BXCbe.8166$yc.758@trnddc04:

> C:\Program Files\Internet Explorer\iexplore.exe


You people will NEVER learn, will you?

--
"No sports writers were harmed during the making of this post. And what I
want to know is - why not?"
 
 
Mike
Guest
Posts: n/a
 
      04-27-2005
Will do.

Mike
 
 
Pennywise@DerryMaine.Gov
Guest
Posts: n/a
 
      04-27-2005
On 27 Apr 2005 03:59:34 GMT, elaich <(E-Mail Removed)> wrote:

|>"Mike" <(E-Mail Removed)> wrote in news:BXCbe.8166$yc.758@trnddc04:
|>
|>> C:\Program Files\Internet Explorer\iexplore.exe

|>You people will NEVER learn, will you?

Just today on Slashdot
http://slashdot.org/articles/05/04/2...4&tid=95&tid=1
Firefox nears 50 Million Downloads.

And nobody offered to swim across the Atlantic to get it that high
http://www.opera.com/swim/



--
The Eagle Nebula image release on Hubble's 15th birthday
http://tinyurl.com/982nm (space.com)
 
 
 
 