| Thread ID: 53311 | 2005-01-14 00:01:00 | Malware / Registry Corrupted-undeditable | Aikisurfer (6865) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 313774 | 2005-01-14 00:01:00 | I run Win 2000 Pro / IE 6 and have Ad-Aware 6 / Spybot Search & Destroy. Virus scanner is McAfee; all is up to date in terms of software updates. Prior to installing the anti-spyware recently, my registry was attacked by some malware whilst I was on the internet, which now won't allow me to rewrite home default pages etc. in the registry (for info, the @%# page ref is 213.159.117.134), and I now have, and have had, the porn dialler donnafm and TIB dialler hijack my internet access. Whilst my security is up to date, I can't seem to stop these attacks, nor can I clean my registry, which I can't seem to edit to get rid of references to the site mentioned above ... it just seems to stay there. I can tidy up afterwards in terms of getting rid of the downloaded material, but the registry is still corrupted by references to this site. Unfortunately, like everyone when the worst happens, I don't have a clean backup of my registry prior to this event. Any and all help most appreciated :-) |
Aikisurfer (6865) | ||
| 313775 | 2005-01-14 00:12:00 | Have you tried Hijack This? www.tomcoyote.org | Peterj116 (6762) | ||
| 313776 | 2005-01-14 00:13:00 | Download HijackThis (www.spywareinfo.com); you will be able to remove the offending entries. Be careful what you delete with this, though, and make a backup. You will probably need to edit and lock your hosts file as well; if you don't know how to do it manually, I'm sure Spybot can lock it, as well as your homepage. Also run CWShredder from the same site. |
bartsdadhomer (80) | ||
| 313777 | 2005-01-14 02:58:00 | Hey, thanks guys ... will use the advice (have downloaded the suggested software) and revert once I have a go at fixing it over the weekend. Sure would like to get my hands on some of these people that write these things ... Cheers |
Aikisurfer (6865) | ||
| 313778 | 2005-01-14 09:07:00 | I run Win 2000 Pro / IE 6 and have Ad-Aware 6 / Spybot Search & Destroy. Virus scanner is McAfee; all is up to date in terms of software updates.
Your version of Ad-Aware is old. Get the latest version and also grab Stinger, which is a good anti-virus cleaner for many of the common viruses/trojans. Check out the forum's Spyware FAQ here (pressf1.pcworld.co.nz) for more information on getting rid of pests. |
FoxyMX (5) | ||
| 313779 | 2005-01-17 23:34:00 | Your version of Ad-Aware is old. Get the latest version and also grab Stinger, which is a good anti-virus cleaner for many of the common viruses/trojans. Check out the forum's Spyware FAQ here (pressf1.pcworld.co.nz) for more information on getting rid of pests.
Thanks for that. Any chance of having a look at my startup etc. if there are items there that need cleaning out?

Process list saved on 7:26:07 a.m., on 15/01/2005
Platform: WinNT 5.00.2195 SP4

[full path to filename] [file version] [company name]
C:\WINNT\System32\smss.exe 5.0.2195.6601 Microsoft Corporation
C:\WINNT\system32\winlogon.exe 5.0.2195.6970 Microsoft Corporation
C:\WINNT\system32\services.exe 5.0.2195.6700 Microsoft Corporation
C:\WINNT\system32\lsass.exe 5.0.2195.6695 Microsoft Corporation
C:\WINNT\system32\svchost.exe 5.0.2134.1 Microsoft Corporation
C:\WINNT\system32\spoolsv.exe 5.0.2195.6659 Microsoft Corporation
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe 4.5.496.0
C:\WINNT\System32\CTsvcCDA.exe 1.0.1.0 Creative Technology Ltd
C:\WINNT\System32\svchost.exe 5.0.2134.1 Microsoft Corporation
C:\WINNT\system32\MSTask.exe 4.71.2195.6704 Microsoft Corporation
C:\WINNT\system32\stisvc.exe 5.0.2195.6656 Microsoft Corporation
C:\WINNT\System32\mspmspsv.exe 7.1.0.3055 Microsoft Corporation
C:\WINNT\system32\svchost.exe 5.0.2134.1 Microsoft Corporation
C:\WINNT\System32\svchost.exe 5.0.2134.1 Microsoft Corporation
C:\Program Files\Network Associates\VirusScan\VsStat.exe 4.5.496.0
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe 4.5.496.0
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe 4.5.0.0 Network Associates, Inc.
C:\Program Files\Network Associates\VirusScan\Avconsol.exe 4.5.496.0
C:\Program Files\Common Files\Network Associates\On Demand Scanner\Scan32\SCAN32.EXE 4.5.496.0
C:\WINNT\Explorer.EXE 5.0.3700.6690 Microsoft Corporation
C:\WINNT\system32\devldr32.exe 1.0.0.15 Creative Technology Ltd.
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE 1.0.193.0 Creative Technology Ltd.
C:\Program Files\Creative\ShareDLL\CtNotify.exe 1.55.0.0 Creative Technology Ltd.
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe 4.3.1.177 Adaptec
C:\Program Files\Creative\ShareDLL\MediaDet.Exe 1.55.2.0 Creative Technology Ltd.
C:\Program Files\Microsoft Works\WksSb.exe 6.0.1902.0 Microsoft® Corporation
C:\Program Files\ICQ\NDetect.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe 2.80.0.0 HP
C:\WINNT\vsnpmi03.exe 0.9.1.5
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\msnappau.exe 1.2.3000.1001 Microsoft Corporation
C:\WINNT\system32\systime.exe
C:\WINNT\system32\ujsmuj.exe
C:\WINNT\system32\internat.exe 5.0.2920.0 Microsoft Corporation
C:\Program Files\MSN Messenger\MsnMsgr.Exe 6.2.0.137 Microsoft Corporation
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe 2.6.1.45 Webroot Software, Inc.
C:\WINNT\system32\systime.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe 6.0.1828.1 Microsoft® Corporation
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE 1.0.6028.0 WinZip Computing, Inc.
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Adsspy\IBProcMan.exe 1.1.0.1 Soeperman Enterprises Ltd.

DLLs loaded by process C:\WINNT\system32\svchost.exe:
[full path to filename] [file version] [company name]
C:\WINNT\system32\ntdll.dll 5.0.2195.6685 Microsoft Corporation
C:\WINNT\system32\ADVAPI32.DLL 5.0.2195.6710 Microsoft Corporation
C:\WINNT\system32\KERNEL32.DLL 5.0.2195.6946 Microsoft Corporation
C:\WINNT\system32\RPCRT4.DLL 5.0.2195.6802 Microsoft Corporation
C:\WINNT\system32\OLE32.DLL 5.0.2195.6810 Microsoft Corporation
C:\WINNT\system32\GDI32.dll 5.0.2195.6945 Microsoft Corporation
C:\WINNT\system32\USER32.dll 5.0.2195.7017 Microsoft Corporation
c:\winnt\system32\rpcss.dll 5.0.2195.6810 Microsoft Corporation
C:\WINNT\system32\MSVCRT.dll 6.1.9844.0 Microsoft Corporation
c:\winnt\system32\USERENV.dll 5.0.2195.6794 Microsoft Corporation
c:\winnt\system32\WS2_32.dll 5.0.2195.6601 Microsoft Corporation
c:\winnt\system32\WS2HELP.DLL 5.0.2134.1 Microsoft Corporation
c:\winnt\system32\Secur32.dll 5.0.2195.6695 Microsoft Corporation
c:\winnt\system32\WINSTA.dll 5.0.2195.6701 Microsoft Corporation
C:\WINNT\system32\mswsock.dll 5.0.2195.6603 Microsoft Corporation
C:\WINNT\system32\DNSAPI.DLL 5.0.2195.6680 Microsoft Corporation
C:\WINNT\system32\WSOCK32.DLL 5.0.2195.6603 Microsoft Corporation
C:\WINNT\system32\msafd.dll 5.0.2195.6602 Microsoft Corporation
C:\WINNT\System32\wshtcpip.dll 5.0.2195.6601 Microsoft Corporation
C:\WINNT\System32\rnr20.dll 5.0.2195.6603 Microsoft Corporation
C:\WINNT\system32\iphlpapi.dll 5.0.2195.6602 Microsoft Corporation
C:\WINNT\system32\ICMP.DLL 5.0.2134.1 Microsoft Corporation
C:\WINNT\system32\MPRAPI.DLL 5.0.2181.1 Microsoft Corporation
C:\WINNT\system32\SAMLIB.DLL 5.0.2195.6666 Microsoft Corporation
C:\WINNT\system32\NETAPI32.DLL 5.0.2195.6601 Microsoft Corporation
C:\WINNT\system32\NETRAP.DLL 5.0.2134.1 Microsoft Corporation
C:\WINNT\system32\WLDAP32.DLL 5.0.2195.6666 Microsoft Corporation
C:\WINNT\system32\OLEAUT32.DLL 2.40.4522.0 Microsoft Corporation
C:\WINNT\system32\ACTIVEDS.DLL 5.0.2195.6601 Microsoft Corporation
C:\WINNT\system32\ADSLDPC.DLL 5.0.2195.6701 Microsoft Corporation
C:\WINNT\system32\RTUTILS.DLL 5.0.2168.1 Microsoft Corporation

StartupList report, 17/01/2005, 08:22:08
StartupList version: 1.52
Started from : C:\Program Files\Adsspy\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Network Associates\On Demand Scanner\Scan32\SCAN32.EXE
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\DOCUMENTS AND SETTINGS\IAN\MY DOCUMENTS\GAME DOWNLOADS\qttask.exe
C:\WINNT\vsnpmi03.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\msnappau.exe
C:\WINNT\system32\systime.exe
C:\WINNT\system32\ujsmuj.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\system32\systime.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINNT\system32\LxrSG20s.exe
C:\WINNT\system32\LxrConfig.exe
C:\Program Files\Adsspy\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
Speed racer = C:\Program Files\Creative\PlayCenter\CTSRReg.exe
AudioHQ = C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
UpdReg = C:\WINNT\Updreg.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

internat.exe = internat.exe
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
SysTime = C:\WINNT\system32\systime.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\ss3dfo.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINNT\ceres.dll - {00000049-8F91-4D9C-9573-F016E7626484}
(no name) - C:\WINNT\questmod.dll - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[YInstStarter Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
CODEBASE = download.yahoo.com/dl/yinst/yinst_current.cab

[SecureLogin.SecureControl]
InProcServer32 = C:\WINNT\Downloaded Program Files\ActiveSecurity.ocx
CODEBASE = secure2.comned.com/signuptemplates/ActiveSecurity.cab

[YAddBook Class]
InProcServer32 = C:\PROGRA~1\YAHOO!\Common\yaddbook.dll
CODEBASE = us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 6,311 bytes
Report generated in 0.391 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only |
Aikisurfer (6865) | ||
| 313780 | 2005-01-18 01:50:00 | Suspect this one ... C:\WINNT\system32\ujsmuj.exe. Apart from that, it looks clear. I would suggest that, rather than deleting it, you rename it, just in case, to something like ujsmuj.exe.sus |
pheonix (36) | ||
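An added example, not code from this thread or from the StartupList or HijackThis authors: a small Python script that reads a StartupList-style report of the kind posted above and shortlists entries for review, which is what pheonix did by eye when picking out ujsmuj.exe. The embedded report excerpt is constructed from the posted one, and the heuristics (a file in the Windows directory with no version resource or company name, a binary running from a user-writable folder, a Run value that launches a binary already flagged, a Browser Helper Object registered without a name or whose DLL sits directly in the Windows root) are my assumptions; a hit means "compare this file against a known-good copy", not a verdict that it is malicious.

```python
"""Shortlist entries from a StartupList-style report for manual review.

Added example; the section layout, column layout and heuristics are
assumptions modelled on the report posted in the thread.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str  # "process", "autorun" or "bho"
    item: str     # path or registry value exactly as it appears in the report
    reason: str


# Constructed excerpt of the posted report: one entry per line, process lines
# carry optional "<version> <company>" columns after the path.
SAMPLE_REPORT = r"""
Running processes:
C:\WINNT\System32\smss.exe 5.0.2195.6601 Microsoft Corporation
C:\WINNT\system32\svchost.exe 5.0.2134.1 Microsoft Corporation
C:\WINNT\Explorer.EXE 5.0.3700.6690 Microsoft Corporation
C:\WINNT\vsnpmi03.exe 0.9.1.5
C:\WINNT\system32\systime.exe
C:\WINNT\system32\ujsmuj.exe
C:\WINNT\system32\internat.exe 5.0.2920.0 Microsoft Corporation
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe 2.6.1.45 Webroot Software, Inc.
C:\DOCUMENTS AND SETTINGS\IAN\MY DOCUMENTS\GAME DOWNLOADS\qttask.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AudioHQ = C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
internat.exe = internat.exe
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
SysTime = C:\WINNT\system32\systime.exe
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\WINNT\ceres.dll - {00000049-8F91-4D9C-9573-F016E7626484}
(no name) - C:\WINNT\questmod.dll - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB}
--------------------------------------------------
"""

# "<path> [<version>] [<company>]"; the path ends at the first executable extension.
PROCESS_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|scr|ocx))"
    r"(?:\s+(?P<version>\d+(?:\.\d+){1,3}))?"
    r"(?:\s+(?P<company>\S.*?))?\s*$",
    re.IGNORECASE,
)
AUTORUN_RE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<command>.+)$")
BHO_RE = re.compile(
    r"^(?P<name>.+?)\s+-\s+(?P<dll>.+?\.dll)\s+-\s+(?P<clsid>\{[0-9A-F-]+\})$",
    re.IGNORECASE,
)
EXE_NAME_RE = re.compile(r'([^\\"\s]+\.exe)', re.IGNORECASE)

SYSTEM_ROOTS = ("c:\\winnt", "c:\\windows")          # assumed Windows directories
SYSTEM_PREFIXES = tuple(r + "\\" for r in SYSTEM_ROOTS)
USER_WRITABLE = ("c:\\documents and settings\\", "\\temp\\")


def _sections(text):
    """Yield (section, line) pairs; a line of dashes closes the current section."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:
            section = None
        elif line.startswith("Running processes"):
            section = "process"
        elif line.startswith("Autorun entries from Registry"):
            section = "autorun"
        elif line.startswith("Enumerating Browser Helper Objects"):
            section = "bho"
        elif section:
            yield section, line


def triage(report: str) -> list[Finding]:
    """Return review-worthy entries in report order."""
    findings: list[Finding] = []
    flagged_exes: set[str] = set()   # basenames flagged in the process list
    current_key = ""
    for section, line in _sections(report):
        if section == "process":
            m = PROCESS_RE.match(line)
            if not m:
                continue
            path, low, reasons = m["path"], m["path"].lower(), []
            if low.startswith(SYSTEM_PREFIXES):
                if m["version"] is None:
                    reasons.append("no version resource for a file in the Windows directory")
                elif m["company"] is None:
                    reasons.append("no company name for a file in the Windows directory")
            if any(marker in low for marker in USER_WRITABLE):
                reasons.append("running from a user-writable location")
            findings.extend(Finding("process", path, r) for r in reasons)
            if reasons:
                flagged_exes.add(low.rsplit("\\", 1)[-1])
        elif section == "autorun":
            if line.upper().startswith("HK"):
                current_key = line          # registry key that owns the values below
                continue
            m = AUTORUN_RE.match(line)
            exe = EXE_NAME_RE.search(m["command"]) if m else None
            if exe and exe.group(1).lower() in flagged_exes:
                findings.append(Finding("autorun", f"{current_key}\\{m['name']}",
                                        f"starts {exe.group(1)}, which was flagged in the process list"))
        elif section == "bho":
            m = BHO_RE.match(line)
            if not m:
                continue
            dll = m["dll"]
            if m["name"].strip().lower() == "(no name)":
                findings.append(Finding("bho", dll, "browser helper object registered without a name"))
            if dll.lower().rsplit("\\", 1)[0] in SYSTEM_ROOTS:
                findings.append(Finding("bho", dll, "DLL sits directly in the Windows root directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.section:7}] {f.item}\n          {f.reason}")
```

Run against the full report from the thread, the shortlist comes out the same way: the two system32 binaries with no version information, the Run value that launches one of them, the game-downloads folder entry, and the two unnamed BHOs in C:\WINNT, which is exactly the set a reviewer would check against a clean Windows 2000 install before renaming or deleting anything.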