| Thread ID: 52603 | 2004-12-24 00:04:00 | Virus | Edward (31) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 307071 | 2004-12-24 00:04:00 | Hi guys. I reckon I've got a virus/spyware, or both. Here's why. I installed MSN Messenger Plus, then discovered there were tons of icons sprawled all over the desktop. Smelling a rat, I ran Ad-Aware & Spybot. It came up with CoolWWWSearch. But since then, I've found some other problems. For one, I keep getting "Mail Failed" messages from <Mailer-Daemon>@clear.net.nz. I've been told to ignore these, but when I find "Spam start internet love.exe", I'm not so sure. Plus Outpost firewall keeps saying "4 trust.exe" wants internet access. For some reason, I can't get any website by typing in its URL (accessing PF1 via IP), so I can't even find what these do. So can someone tell me what these do? Spybot, Ad-Aware & Norton don't pick up anything, but I'm not sure. Thanks, Edward :) (C:\Documents & Settings\Games_2\Application Data\ROADAXIS\) 4 trust.exe (C:\Documents & Settings\Games_2\Application Data\Face bird okay\) Drv Chick Thunk.exe fadrfgefm.exe NURBMEOW.exe skip bend coal scr.exe spam start internet love.exe So you can see why I'm suspicious. I'm not naive enough to run them to see what they do :badpc: | Edward (31) | ||
| 307072 | 2004-12-24 00:04:00 | Update: The skip bend coal scr.exe is a lop apparently. | Edward (31) | ||
| 307073 | 2004-12-24 00:38:00 | Download and run HijackThis - this can be downloaded from here using this URL: 209.133.47.12. Also have a read of the user guide: 216.213.19.27. Hopefully you will be able to access those sites. Post your log back here if you need further help with it. | Jen (38) | ||
| 307074 | 2004-12-24 00:44:00 | You do have a great dose of hijackers. First, run CCleaner, http://www.ccleaner.com/. Then CWShredder, www.majorgeeks.com. Then HijackThis, www.spychecker.com. Then re-run Ad-Aware and Spybot S&D. Even though you may pick up those unknown files, CoolWeb hides, and will just produce more. It depends on what variation you have as to how damned difficult it is to eliminate. | pheonix (36) | ||
| 307075 | 2004-12-24 03:59:00 | Hey Edward, it might pay to uninstall Messenger Plus and reinstall it. This time don't accept the sponsor stuff. It does continue loading up then without any spyware. I've used it for ages with no probs, doing it like that. | Catweazle (2535) | ||
| 307076 | 2004-12-24 04:55:00 | crap! msconfig reveals "acid1.exe" and "nurbmeow.exe" are running at startup :eek: anyway, here's the HijackThis log [Glad CCleaner didn't dispose of it] Logfile of HijackThis v1.99.0 Scan saved at 11:39:22 a.m., on 24/12/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe D:\Cd Writer\In CD\InCD\InCDsrv.exe C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe C:\WINDOWS\system32\spoolsv.exe C:\Reactor\apache\bin\Apache.exe C:\WINDOWS\System32\cisvc.exe C:\Program Files\NavNT\defwatch.exe C:\Reactor\mysql\bin\mysqld-nt.exe D:\Downloads\no-ip\DUC20.exe C:\Reactor\apache\bin\Apache.exe C:\Program Files\NavNT\rtvscan.exe D:\DOWNLO~1\firewall\OUTPOS~1\outpost.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\System32\svchost.exe D:\Downloads\VLC\VNC4\WinVNC4.exe C:\WINDOWS\System32\Fast.exe C:\WINDOWS\system32\MsgSys.EXE C:\Program Files\Common Files\Stardock\SDMCP.exe C:\WINDOWS\Explorer.EXE C:\Program Files\NavNT\vptray.exe C:\WINDOWS\System32\taskswitch.exe C:\WINDOWS\System32\fast.exe D:\Cd Writer\In CD\InCD\InCD.exe D:\Downloads\msnplus\MsgPlus.exe C:\Program Files\Internet Explorer\iexplore.exe D:\Downloads\trillian\trillian.exe C:\Program Files\TGTSoft\StyleXP\StyleXP.exe c:\progra~1\intern~1\iexplore.exe D:\Downloads\dock\objectdock\ObjectDock\Objectdock.exe D:\Downloads\leechget\LeechGet 2004\LeechGet.exe D:\Downloads\distributed computing\dnetc.exe C:\Program Files\MSN Messenger\MSN Messenger.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\winlogon.exe C:\DOCUME~1\GAMES_2\LOCALS~1\TEMP\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.xopqcbrjhqcelyliayclmcmr.com _/hUmyAQFu_w5E.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orcon.net.nz R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Downloads\Acrobat\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file) O2 - BHO: (no name) - {46890B25-7497-F0A4-4C55-DC81097C365C} - C:\DOCUME~1\Games_2\APPLIC~1\ROADAXIS\4 TRUST.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\DOWNLO~1\SPYBOT~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - (no file) O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing) O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing) O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-781cd0e19f00} - d:\downloads\proxy\siapro7iep.dll O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] D:\Cd Writer\In CD\InCD\InCD.exe O4 - HKLM\..\Run: [Outpost Firewall] D:\Downloads\firewall\Outpost Firewall(2)\outpost.exe /waitservice O4 - HKLM\..\Run: [MessengerPlus3] "D:\Downloads\msnplus\MsgPlus.exe" O4 - HKLM\..\Run: [BarbBinMediaThis] C:\Documents and Settings\All Users\Application Data\skip ford barb bin\Acid 1.exe O4 - HKCU\..\Run: [Trillian] D:/Downloads/trillian/trillian.exe O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide O4 - HKCU\..\Run: [Dock] D:\Downloads\dock\objectdock\ObjectDock\Objectdock.exe O4 - HKCU\..\Run: [LeechGet] "D:\Downloads\leechget\LeechGet 2004\LeechGet.exe" -intray O4 - HKCU\..\Run: [Distributed Client] "D:\Downloads\distributed computing\dnetc.exe" -hide O4 - HKCU\..\Run: [skip pop] C:\DOCUME~1\Games_2\APPLIC~1\FACEBI~1\nurbmeow.exe O4 - HKCU\..\Run: [MessengerPlus3] "D:\Downloads\msnplus\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [SpySweeper] "D:\Downloads\Spy Sweeper\SpySweeper.exe" /0 O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MSN Messenger.exe" /background O4 - Global Startup: distributed.net client.lnk = distributed computing\dnetc.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Download using LeechGet - file://D:\Downloads\leechget\LeechGet 2004\\AddUrl.html O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Downloads\leechget\LeechGet 2004\\Wizard.html O8 - Extra context menu item: Parse with LeechGet - file://D:\Downloads\leechget\LeechGet 2004\\Parser.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\Downloads\visual route\vrie.dll O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - D:\Downloads\visual route\vrie.dll O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - d:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - D:\DOWNLO~1\firewall\OUTPOS~1\TRASH.EXE (HKCU) O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - D:\DOWNLO~1\firewall\OUTPOS~1\TRASH.EXE (HKCU) O14 - IERESET.INF: START_PAGE_URL=http://www.orcon.net.nz O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - www.pcpitstop.com O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - messenger.zone.msn.com O17 - HKLM\System\CCS\Services\Tcpip\..\{B528FB0E-B3F0-4A51-9F5F-227ED08FCC1A}: NameServer = 210.55.12.1 210.55.12.2 O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll O23 - Service: Apache - Unknown - D:\DOWNLO~1\easyphp\EASYPH~1\Apache\apache.exe (file missing) O23 - Service: Apache2 - Apache Software Foundation - C:\Reactor\apache\bin\Apache.exe O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe O23 - Service: InCD Helper - Ahead Software AG - D:\Cd Writer\In CD\InCD\InCDsrv.exe O23 - Service: MySQL - Unknown - C:\Reactor\mysql\bin\mysqld-nt.exe O23 - Service: NoIPDUCService - Vitalwerks LLC - D:\Downloads\no-ip\DUC20.exe O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe O23 - Service: Outpost Firewall Service - Agnitum - D:\DOWNLO~1\firewall\OUTPOS~1\outpost.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe O23 - Service: VNC Server Version 4 - RealVNC Ltd. - D:\Downloads\VLC\VNC4\WinVNC4.exe | Edward (31) | ||
| 307077 | 2004-12-24 09:08:00 | Any luck with your problem yet? I am unfamiliar with working through a HijackThis log, but you can use this site as a reference - HijackThis Tutorial - How to use HijackThis to remove Browser Hijackers & Spyware (216.213.19.27). Someone might come along shortly and provide more guidance with your log. :) | Jen (38) | ||
| 307078 | 2004-12-24 09:25:00 | Did you actually do what Pheonix suggested about running updated versions of Ad-Aware, Spybot, CWShredder, etc.? If you have not then do so and post a fresh log, but close down all your running apps first as it is just too much to wade through otherwise. It is not a good idea to post your HijackThis log like you have done as it makes it very difficult to read. It is a hassle copying and pasting it into Notepad so it would have been helpful if you could just copy and paste the log straight onto the forum. From a very quick glance you can get HijackThis to fix the following: R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.xopqcbrjhqcelyliayclmcmr.com _/hUmyAQFu_w5E.html O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll There are others I am not sure about but do the suggestions above first and post another log. | FoxyMX (5) | ||
| 307079 | 2004-12-24 10:09:00 | Things to eliminate: c:\program files\quicksearch (the whole folder, and if it objects, it may have to be done in safe mode) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.xopqcbrjhqcelyliayclmcmr.com _/hUmyAQFu_w5E.html O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll O4 - HKLM\..\Run: [BarbBinMediaThis] C:\Documents and Settings\All Users\Application Data\skip ford barb bin\Acid 1.exe | pheonix (36) | ||
| 307080 | 2004-12-24 10:19:00 | Google and download A2 (a squared) and Stinger. Reboot in safe mode, run each of the downloaded programs, then run your fav' spyware killing proggy. Reason for safe mode: the OS (XP in your case I think) will not let anything alter/delete an exe if it has a process running, and safe mode prevents this type of exe from starting, therefore having no dependent processes (go get the little beastie). Good luck and have a Merry Xmas :thumbs: | beama (111) | ||
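A triage script for the log format the replies from FoxyMX and pheonix are working from, added here as an example and not code from the thread or from HijackThis: it parses HijackThis-style R1/O2/O3/O4 entries and flags the three patterns those replies singled out, code loading from an Application Data or temp folder, an unnamed BHO that still has a file on disk, and a search bar pointing at a random-looking host. The sample entries are constructed from lines in Edward's log; the vowel-ratio check on host labels is a crude heuristic of my own, not something the thread states.

```python
import re

# Constructed sample in the shape of the HijackThis log posted in this thread; the
# hostile entries are the ones FoxyMX and pheonix told the poster to fix.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = www.xopqcbrjhqcelyliayclmcmr.com
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.orcon.net.nz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\\Downloads\\Acrobat\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {46890B25-7497-F0A4-4C55-DC81097C365C} - C:\\DOCUME~1\\Games_2\\APPLIC~1\\ROADAXIS\\4 TRUST.exe
O2 - BHO: (no name) - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - (no file)
O4 - HKLM\\..\\Run: [vptray] C:\\Program Files\\NavNT\\vptray.exe
O4 - HKLM\\..\\Run: [BarbBinMediaThis] C:\\Documents and Settings\\All Users\\Application Data\\skip ford barb bin\\Acid 1.exe
O4 - HKCU\\..\\Run: [skip pop] C:\\DOCUME~1\\Games_2\\APPLIC~1\\FACEBI~1\\nurbmeow.exe
"""

# Code launched from per-user data or temp folders is the pattern in this thread: a
# browser helper object or Run key pointing into Application Data (long or 8.3 form).
USER_DATA_DIRS = re.compile(r"(application data|applic~1|local settings\\temp|locals~1\\temp)", re.I)
HOST_RE = re.compile(r"=\s*(?:https?://)?([a-z0-9.-]+)", re.I)

def odd_label(host):
    """Crude heuristic (my assumption, not from the thread): a long label with few vowels."""
    label = max(host.lower().split("."), key=len)
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 12 and vowels / len(label) < 0.3

def triage(log_text):
    """Return [(line, [reasons])] for entries that deserve a second look."""
    hits = []
    for line in log_text.splitlines():
        reasons = []
        section = line.split(" - ", 1)[0]          # R0, R1, O2, O3, O4, ...
        if section in ("R0", "R1"):
            m = HOST_RE.search(line)
            if m and odd_label(m.group(1)):
                reasons.append("search/start page points at a random-looking host")
        if section in ("O2", "O3", "O4") and USER_DATA_DIRS.search(line):
            reasons.append("loads code from a user data or temp directory")
        if section == "O2" and "(no name)" in line and "(no file)" not in line:
            reasons.append("unnamed BHO with a file on disk")
        if reasons:
            hits.append((line, reasons))
    return hits

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line[:70], "->", "; ".join(reasons))
```

Entries that match nothing here (the Acrobat BHO, the Norton tray icon, a dead BHO with no file) are left alone, which is the same split the replies made by hand.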