Malware

Discussion in 'Computer Support' started by twitchy, Dec 28, 2004.

  1. twitchy

    twitchy Guest

    My pc is infected with malware, I ran Adaware and it was removed for about
    10 mins. A page tried to open in IE then it was back, it leaves 4 small
    icons on my desktop which also disappear after Adaware has removed it only
    to reappear when the page tries to open. I have also run spybot which does
    not find anything. I ran hijack this but didn't have a clue which boxes to
    tick, a logfile of hijack this is below, any help would be gratefully
    appreciated.
    Twitchy

    Logfile of HijackThis v1.99.0
    Scan saved at 18:35:51, on 28/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\System32\drivers\CDAC11BA.EXE
    D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    D:\Program Files\Norton AntiVirus\navapsvc.exe
    D:\WINDOWS\System32\nvsvc32.exe
    D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    D:\WINDOWS\System32\open32.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\Messenger\msmsgs.exe
    D:\Program Files\Norton AntiVirus\SAVScan.exe
    D:\WINDOWS\sys5613.exe
    D:\WINDOWS\sys588.exe
    D:\Documents and Settings\valentino\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.google.co.uk/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -
    D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} -
    D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
    d:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program
    Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} -
    D:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
    D:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program
    files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
    D:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec
    Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor]
    D:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec
    Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
    D:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE
    D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Shell opener] open32.exe
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor]
    D:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe"
    /background
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft
    Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://D:\Program
    Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://D:\Program
    Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://D:\Program
    Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel -
    res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://D:\Program
    Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://D:\Program
    Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    D:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program
    Files\Messenger\MSMSGS.EXE
    O16 - DPF: {10000000-1000-0000-1000-000000000000} -
    mhtml:file://C:\ARCHIVE.MHT!http://anonymous.offhost.info/server.exe
    O16 - DPF: {11111111-1111-1111-1111-111111114457} - file://c:\ied_s7m.cab
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} -
    ms-its:mhtml:file://c:\nosuch.mht!http://gente.chueca.com/dexpmon/q/files1.c
    hm::/file.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wu
    web_site.cab?1102353066686
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) -
    http://www.telewest.co.uk/motive/files/MotivePreQual.cab
    O21 - SSODL: Sysctl Desktop Handler -
    {23456789-0000-0020-0900-00AAFF6D2EA4} - D:\WINDOWS\System32\ntosv.dll
    O23 - Service: C-DillaCdaC11BA - Macrovision -
    D:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager - Symantec Corporation - D:\Program
    Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy - Symantec Corporation - D:\Program
    Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation -
    D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - D:\Program
    Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service - Symantec
    Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation -
    D:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton
    AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation -
    D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation -
    D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program
    Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service - Symantec Corporation - D:\Program
    Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    twitchy, Dec 28, 2004
    #1

  2. twitchy

    dadiOH Guest

    twitchy wrote:
    > My pc is infected with malware, I ran Adaware and it was removed for
    > about 10 mins. A page tried to open in IE then it was back, it leaves
    > 4 small icons on my desktop which also disappear after Adaware has
    > removed it only to reappear when the page tries to open. I have also
    > run spybot which does not find anything. I ran hijack this but didn't
    > have a clue which boxes to tick, a logfile of hijack this is below,
    > any help would be gratefully appreciated.


    You have a Trojan. Update and run your anti-virus program. If it finds
    nothing, try one or more on line - BitDefender is good.

    --
    dadiOH
    ____________________________

    dadiOH's dandies v3.05...
    ....a help file of info about MP3s, recording from
    LP/cassette and tips & tricks on this and that.
    Get it at http://mysite.verizon.net/xico
    dadiOH, Dec 28, 2004
    #2

  3. twitchy

    Richard Guest

    twitchy wrote:

    > My pc is infected with malware, I ran Adaware and it was removed for about
    > 10 mins. A page tried to open in IE then it was back, it leaves 4 small
    > icons on my desktop which also disappear after Adaware has removed it only
    > to reappear when the page tries to open. I have also run spybot which does
    > not find anything. I ran hijack this but didn't have a clue which boxes to
    > tick, a logfile of hijack this is below, any help would be gratefully
    > appreciated.
    > Twitchy



    I didn't see anything that could be a virus.
    You might want to clear out your temp internet cache files and reboot.
    Clean your registry with "Easy cleaner" from toniarts but don't patronize
    the toniarts.com website.

    I would strongly suggest total removal of Norton as it has been known to
    miss on virus information and screw up the system.

    Run msconfig and in the startup tab, check to see what programs are listed
    for startup. Uncheck them until you find the culprit.
    Richard, Dec 28, 2004
    #3
  4. twitchy

    Guest

    On Tue, 28 Dec 2004 14:44:36 -0600, "Richard" <Anonymous@127.001> wrote:

    |> > My pc is infected with malware, I ran Adaware and it was removed for about
    |> > 10 mins. A page tried to open in IE then it was back, it leaves 4 small
    |> > icons on my desktop which also disappear after Adaware has removed it only
    |> > to reappear when the page tries to open. I have also run spybot which does
    |> > not find anything. I ran hijack this but didn't have a clue which boxes to
    |> > tick, a logfile of hijack this is below, any help would be gratefully
    |> > appreciated.
    |> > Twitchy
    |>
    |>
    |> I didn't see anything that could be a virus.

    Look harder:

    mhtml:file://C:\ARCHIVE.MHT!http://anonymous.offhost.info/server.exe

    running process. (server.exe)
    Added as a result of the EASYSERV VIRUS!

    This is a nasty process! You should fix it and try to delete it
    manually!

    Ref: http://hijackthis.de/index.php?langselect=english

    --
    , Dec 28, 2004
    #4
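
The O16 entry pointed out in the reply above can be picked out mechanically. The following is an added example, not part of the original thread or of HijackThis: Python that rejoins the wrapped log lines and flags O16 (DPF) entries whose codebase is not a plain http(s) URL or points at an .exe. The sample log, its placeholder host names and the flagging heuristic are assumptions made for this example.

```python
import re

# Constructed sample modelled on the log above, wrapped the way the newsreader
# wrapped it; host names are placeholders, not values from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O16 - DPF: {10000000-1000-0000-1000-000000000000} -
mhtml:file://C:\ARCHIVE.MHT!http://host.example/server.exe
O16 - DPF: {11111111-1111-1111-1111-111111114457} - file://c:\sample.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.example/controls/client.cab
"""

ENTRY = re.compile(r"^(?:[RFN]\d|O\d{1,2}) - ")   # start of a log entry
O16 = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (.+)$")
ODD_SCHEMES = ("mhtml:", "ms-its:", "file:")      # assumed heuristic list

def unwrap(text):
    """Rejoin entries that a mail or news client wrapped onto several lines."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            # Joining with a space suits paths such as "Program Files"; it can
            # split a wrapped URL, but the scheme at the front is unaffected.
            entries[-1] += " " + line
    return entries

def flag_o16(text):
    """Return (clsid, codebase, reasons) for O16 entries worth a closer look."""
    findings = []
    for entry in unwrap(text):
        m = O16.match(entry)
        if not m:
            continue
        clsid, _name, codebase = m.groups()
        low = codebase.lower()
        reasons = []
        if low.startswith(ODD_SCHEMES):
            reasons.append("non-http codebase scheme")
        if low.endswith(".exe"):
            reasons.append("codebase is an .exe, not a .cab")
        if reasons:
            findings.append((clsid, codebase, reasons))
    return findings
```

Calling `flag_o16(SAMPLE_LOG)` returns the first two O16 entries and leaves the http-hosted .cab entry alone; a flagged entry is a prompt to inspect it, not a verdict.
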
  5. twitchy

    Joel Rubin Guest

    My Norton complained about the Bloodhound Exploit 6 virus within your
    post. I don't see where your post had anything but text in it but
    that's what happened. When I copied it into a text file it said the
    same thing about the text file.
    Joel Rubin, Dec 28, 2004
    #5
  6. twitchy

    Jay Guest

    yep i got the same thing on Norton 05. definite bug here somewhere.

    - Jay
    www.volted.com

    "Joel Rubin" <> wrote in message
    news:...
    > My Norton complained about the Bloodhound Exploit 6 virus within your
    > post. I don't see where your post had anything but text in it but
    > that's what happened. When I copied it into a text file it said the
    > same thing about the text file.
    >
    Jay, Dec 29, 2004
    #6
  7. twitchy

    Guest

    On Tue, 28 Dec 2004 20:49:04 -0600, "Jay" <>
    wrote:

    |> yep i got the same thing on Norton 05. definite bug here somewhere.

    No bug, virus checkers look for strings of text, just so happened one's
    embedded in the message that Norton's looking for.

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    I'd like to think the above set your checkers off :)

    http://www.eicar.org/anti_virus_test_file.htm



    |>
    |> "Joel Rubin" <> wrote in message
    |> news:...
    |> > My Norton complained about the Bloodhound Exploit 6 virus within your
    |> > post. I don't see where your post had anything but text in it but
    |> > that's what happened. When I copied it into a text file it said the
    |> > same thing about the text file.
    |> >
    |>


    --
    , Dec 29, 2004
    #7
  8. twitchy

    Ron Martell Guest

    "twitchy" <> wrote:

    >My pc is infected with malware, I ran Adaware and it was removed for about
    >10 mins. A page tried to open in IE then it was back, it leaves 4 small
    >icons on my desktop which also disappear after Adaware has removed it only
    >to reappear when the page tries to open. I have also run spybot which does
    >not find anything. I ran hijack this but didn't have a clue which boxes to
    >tick, a logfile of hijack this is below, any help would be gratefully
    >appreciated.
    > Twitchy


    See MVP Jim Eshelman's Spyware Quick Fix page at
    http://www.aumha.org/a/quickfix.htm

    You need to use at least 3 different spyware removal apps in order to
    get a system cleaned up.

    And make sure that your AdAware is the new AdAware SE 1.05 version and
    not the no longer supported 6.181 version or one of the earlier
    releases of SE.

    Once you have used Jim's suggested tools you can create a new log file
    with HiJackThis and post it to his HiJackThis form at Aumha.org. You
    should get some good advice on what else needs to be removed.

    Good luck


    Ron Martell Duncan B.C. Canada
    --
    Microsoft MVP
    On-Line Help Computer Service
    http://onlinehelp.bc.ca

    "The reason computer chips are so small is computers don't eat much."
    Ron Martell, Dec 29, 2004
    #8