| Thread ID | Timestamp | Title | User | Forum |
| --- | --- | --- | --- | --- |
| 92979 | 2008-08-30 05:05:00 | Possible virus, Please help | jake1192 (13816) | Press F1 |

Post ID | Timestamp | User
701362 | 2008-08-30 05:05:00 | jake1192 (13816)

My family computer was infected with the seekmo/zango adware program. I ran an internet virus scan (HouseCall) and it detected and apparently deleted the program, but when I look in the hard drive the files for the seekmo program still show up. Can anyone tell me whether or not I still have the problem and how to fix it???

701363 | 2008-08-30 05:09:00 | SPARTAN 860 (2618)

Post a HijackThis log up and wait for Speedy to analyse it.

701364 | 2008-08-30 06:20:00 | gary67 (56)

Can you not just delete the folder it's in? But definitely post a HijackThis log here.
701365 | 2008-08-31 03:32:00 | jake1192 (13816)

No, I can't delete the folder.

```
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:25 PM, on 8/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: NavigationTool - {4B8AE75C-A139-558A-AB5B-5F07BC2FD566} - C:\Program Files\NavigationTool\NavigationTool-2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O4 - HKLM\..\Run: [yvhpfbj] C:\WINDOWS\system32\yvhpfbj.exe
O4 - HKLM\..\Run: [ainilaudbh] C:\WINDOWS\system32\ainilaudbh.exe
O4 - HKLM\..\Run: [pplbsmspn] C:\WINDOWS\system32\pplbsmspn.exe
O4 - HKLM\..\Run: [hq] C:\WINDOWS\system32\hq.exe
O4 - HKLM\..\Run: [part chin math idol] C:\Documents and Settings\All Users\Application Data\That size part chin\Inter bows.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [SeekmoSA] "C:\Program Files\Seekmo\bin\10.0.427.0\SeekmoSA.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [websetup] C:\DOCUME~1\Jake\APPLIC~1\KNOBDE~1\timestart.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2579638799-496496606-2279891838-1005\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Jesse')
O4 - HKUS\S-1-5-21-2579638799-496496606-2279891838-1005\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h (User 'Jesse')
O4 - HKUS\S-1-5-21-2579638799-496496606-2279891838-1005\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Jesse')
O4 - HKUS\S-1-5-21-2579638799-496496606-2279891838-1005\..\Run: [Windows Media Center] RunDLL32.exe C:\WINDOWS\ehome\ehuihlp.dll,BootMediaCenter (User 'Jesse')
O4 - HKUS\S-1-5-21-2579638799-496496606-2279891838-1005\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork (User 'Jesse')
O4 - HKUS\S-1-5-21-2579638799-496496606-2279891838-1005\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'Jesse')
O4 - HKUS\S-1-5-21-2579638799-496496606-2279891838-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Jesse')
O4 - HKUS\S-1-5-21-2579638799-496496606-2279891838-1005\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.1.181.0\Weather.exe" -auto (User 'Jesse')
O4 - HKUS\S-1-5-21-2579638799-496496606-2279891838-1005\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1011016 (User 'Jesse')
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (chatsupport.palm.com) (tgsrvc_chatsupport.palm.com) - SupportSoft, Inc. - C:\Program Files\chatsupport.palm.com\bin\tgsrvc.exe

--
End of file - 9894 bytes
```

Thanks for the help.
701366 | 2008-08-31 04:09:00 | Speedy Gonzales (78)

Disable system restore.

Tick these, then tick "fix checked". Close browsers.

Uninstall this:

O2 - BHO: NavigationTool - {4B8AE75C-A139-558A-AB5B-5F07BC2FD566} - C:\Program Files\NavigationTool\NavigationTool-2.dll

Uninstall all versions of Java; yours is out of date. Link below for the update.

O2 - BHO: NavigationTool - {4B8AE75C-A139-558A-AB5B-5F07BC2FD566} - C:\Program Files\NavigationTool\NavigationTool-2.dll

Uninstall this:

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll

If you can open Task Manager, kill these processes, then delete these files after you tick these, then reboot:

O4 - HKLM\..\Run: [yvhpfbj] C:\WINDOWS\system32\yvhpfbj.exe
O4 - HKLM\..\Run: [ainilaudbh] C:\WINDOWS\system32\ainilaudbh.exe
O4 - HKLM\..\Run: [pplbsmspn] C:\WINDOWS\system32\pplbsmspn.exe
O4 - HKLM\..\Run: [hq] C:\WINDOWS\system32\hq.exe
O4 - HKLM\..\Run: [part chin math idol] C:\Documents and Settings\All Users\Application Data\That size part chin\Inter bows.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

End these processes, then go to this folder and delete this file after you tick this entry and reboot:

O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe

Uninstall this:

O4 - HKLM\..\Run: [SeekmoSA] "C:\Program Files\Seekmo\bin\10.0.427.0\SeekmoSA.exe"
O4 - HKCU\..\Run: [websetup] C:\DOCUME~1\Jake\APPLIC~1\KNOBDE~1\timestart.exe

Uninstall this:

O4 - HKUS\S-1-5-21-2579638799-496496606-2279891838-1005\..\Run: [WeatherDPA] "C:\Program Files\Zango\bin\10.1.181.0\Weather.exe" -auto (User 'Jesse')
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML

Uninstall that useless Symantec program and install something better, i.e. Avast or NOD 32.

Get Trojan Remover after you reboot, install and update it, then click on scan. Then select all options in the utilities menu.

Get Malwarebytes in my sig below. Update, then scan.

Uninstall Ares; that's probably how you got infected in the first place.
701367 | 2008-08-31 04:40:00 | jake1192 (13816)

I fixed all the checked files on the test and after I rebooted all the files you said to delete were already gone. Is that normal? Also I'm not sure how to uninstall Seekmo - the files are still showing up but the program doesn't appear on the add/remove programs list. Additionally, I can't find the Zango folder that you listed under the Seekmo one. Please tell me what all of this means and thanks a lot for the help that you've given so far. Also about Ares, I know for a fact that the Seekmo infection was downloaded (intentionally) by one of the kids using the computer and I'm not sure if maybe the other problems were caused by Ares. Please clarify. I just realized I had Trojan Remover and my free trial ran out. Do you have any alternative suggestions or do you strongly recommend buying it?
701368 | 2008-08-31 04:45:00 | Speedy Gonzales (78)

Get Trojan Remover and Malwarebytes in my sig below. Install and update both. Then click on scan in both. Then select all options under utilities in Trojan Remover. Then run My Computer, highlight C: / right mouse / scan with Trojan Remover. Whatever it picks up, delete it.

If this file is still there: C:\WINDOWS\Fonts\svchost.exe <-- delete it, it belongs to a trojan.
701369 | 2008-08-31 17:32:00 | jake1192 (13816)

I ran the scan and the svchost.exe is still there but I can't delete it. Also it is found in four places: C:\Documents and Settings\Jake\.housecall6.6\Quarantine (svchost.exe.vir.bac_a03528), C:\WINDOWS\I386 (SVCHOST.EX_), C:\WINDOWS\system32 (svchost.exe), and C:\UBCD4Win\BartPE\I386\SYSTEM32 (SVCHOST.EXE) but not found in C:\WINDOWS\Fonts\svchost.exe. I can delete three of the four, with the one found in C:\WINDOWS\system32 being the only one I can't delete... What should I do? In my task manager, there are 7 svchost.exe processes, should all or some be terminated?
701370 | 2008-08-31 17:49:00 | rob_on_guitar (4196)

They may also be hiding in your system restore if you are using that. Just a guess that is.
701371 | 2008-08-31 19:39:00 | Speedy Gonzales (78)

The only one you have to worry about is the one in this folder: C:\WINDOWS\Fonts\svchost.exe

Don't worry about the other ones. They're valid Windows files you can't delete. DON'T try and delete the other 3 (besides the one that showed in Fonts). They're system files, and are protected files (and are needed, and will get replaced, if you delete them and reboot).
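The distinction Speedy draws above (the svchost.exe autorun in C:\WINDOWS\Fonts is the problem; the svchost.exe instances in system32 are legitimate Windows processes) can be checked mechanically. The script below is an added example for this thread, not a HijackThis feature or anything posted by the participants. It parses O4 Run/RunOnce entries in the format HijackThis prints, extracts the executable path from each command, and flags any entry (or any plain process path) where a core Windows binary name appears outside the system directory. The O4 lines in SAMPLE_HJT_LINES are copied from the log posted above; CORE_BINARIES, SYSTEM_DIRS and SAMPLE_PROCESSES are assumptions constructed for the example.

```python
"""Flag autorun entries and process paths that borrow a core Windows
binary name (svchost.exe etc.) but run from outside the system directory.

Added example for this thread; not part of HijackThis. The HJT lines in
SAMPLE_HJT_LINES are copied from the log posted in the thread;
CORE_BINARIES, SYSTEM_DIRS and SAMPLE_PROCESSES are constructed here.
"""
import ntpath
import re

# Core Windows XP binaries that should only run from %SystemRoot%\system32.
# Assumption: a short list chosen for the example, not an exhaustive one.
CORE_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "csrss.exe", "smss.exe", "spoolsv.exe", "ctfmon.exe",
}
# Directory those names legitimately run from on a default XP install.
SYSTEM_DIRS = {r"c:\windows\system32"}

# HijackThis registry Run/RunOnce entries look like:
#   O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def executable_path(command):
    """Extract the executable path from an O4 command string.

    A quoted path ends at the closing quote. An unquoted path (which may
    contain spaces, as several entries in the log do) ends at the first
    '.exe' followed by whitespace or the end of the string.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"^(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def classify(path):
    """Return a reason string if the path looks suspicious, else None."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in CORE_BINARIES and directory not in SYSTEM_DIRS:
        return "core Windows binary name outside system32"
    return None


def check_paths(paths):
    """Apply classify() to plain paths, e.g. a running-process list."""
    return [(p, classify(p)) for p in paths if classify(p)]


def check_hjt_log(lines):
    """Parse O4 Run entries and return (name, path, reason) for flagged ones.

    Startup-folder .lnk entries (O4 - Startup:) use a different layout and
    are skipped here.
    """
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = executable_path(m.group("cmd"))
        reason = classify(path)
        if reason:
            findings.append((m.group("name"), path, reason))
    return findings


# Lines copied from the HijackThis log posted in the thread.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [yvhpfbj] C:\WINDOWS\system32\yvhpfbj.exe
O4 - HKLM\..\Run: [part chin math idol] C:\Documents and Settings\All Users\Application Data\That size part chin\Inter bows.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2579638799-496496606-2279891838-1005\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h (User 'Jesse')
O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
""".strip().splitlines()

# Constructed process list modelled on the "7 svchost.exe processes" question:
# several legitimate instances from system32 plus one from the Fonts folder.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\Fonts\svchost.exe",
    r"C:\Program Files\Ares\Ares.exe",
]

if __name__ == "__main__":
    for name, path, reason in check_hjt_log(SAMPLE_HJT_LINES):
        print(f"autorun [{name}] -> {path}: {reason}")
    for path, reason in check_paths(SAMPLE_PROCESSES):
        print(f"process {path}: {reason}")
```

Only paths that actually execute (autorun entries, running processes) are inputs here; on-disk copies such as C:\WINDOWS\I386\SVCHOST.EX_ or a BartPE tree are never passed in and so are never flagged, which matches the advice to leave them alone. The rule is deliberately narrow: entries that do not borrow a system binary name, such as the system32 executables Speedy lists for removal, pass it untouched and still need the manual review the thread describes.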