| Thread ID: 68938 | 2006-05-16 08:50:00 | Spyware and modem trouble | pine-o-cleen (2955) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 455318 | 2006-05-16 08:50:00 | My girlfriend is having a few problems with her PC. Windows starts normally. In the task bar two red circles with white crosses come up and a balloon comes up saying "Your computer is in danger! Windows security centre has detected spyware / adware infection! It is strongly recommended to use special anti-spyware tools to prevent data loss. Click here to install the latest protection tools!" When you click on that, nothing happens. She has run Ad-Aware and AVG (both updated) with no results. When connecting to the internet, the connection drops off in less than 5 minutes. The modem beeps continuously for a minute when the connection drops off. The beeping stops when the modem cord is pulled out. | pine-o-cleen (2955) | ||
| 455319 | 2006-05-16 09:26:00 | What "special anti-spyware tools" does the balloon message say to use? Have a look in Add/Remove Programs to see if anything is listed in there and remove it if there is. If nothing is there, post a HijackThis log here for analysis. | FoxyMX (5) | ||
| 455320 | 2006-05-16 14:09:00 | Those are pop-ups. You shouldn't be clicking on them at all - oops, too late. You're gonna need HijackThis, Spybot & genuine anti-spyware to fix it. You might be able to disable it from msconfig (Start - Run, type msconfig) & untick any suss startups. If this is beyond you, get someone (real experienced, not pretend experienced) to help you. I've fixed a lot of these & they can still take a long time. | quarry (252) | ||
| 455321 | 2006-05-16 19:08:00 | Download/install/update and then run (in safe mode) the EWIDO trial version. That'll get rid of it most likely; it sounds very like a smitfraud infection to me. | drcspy (146) | ||
| 455322 | 2006-05-16 20:22:00 | I got rid of that smitfraud out of a mate's PC the other day, and it's a nasty little $%!#$ piece of software, ain't it. | Nyuuji (5460) | ||
| 455323 | 2006-05-18 08:56:00 | Logfile of HijackThis v1.99.1 | pine-o-cleen (2955) | ||

```
Logfile of HijackThis v1.99.1
Scan saved at 7:52:08 p.m., on 18/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wdfmgr.exe
C:\precisionscan\PrecisionScan\HPLamp.exe
D:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
D:\WINDOWS\system32\termcaps.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\system32\kernels8.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\svchost.exe
C:\Windows\xpupdate.exe
D:\WINDOWS\system32\dlh9jkdq2.exe
D:\WINDOWS\system32\dlh9jkdq6.exe
D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
D:\WINDOWS\system32\dlh9jkdq7.exe
C:\Program Files\Panasonic\Panasonic X800 PC Software Suite\connmngmntbox.exe
C:\Program Files\Panasonic\Panasonic X800 PC Software Suite\ectaskscheduler.exe
D:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\PANASO~1\PANASO~1\Elogerr.exe
C:\PROGRA~1\PANASO~1\PANASO~1\BROADC~1.EXE
C:\PROGRA~1\PANASO~1\PANASO~1\SCRFS.exe
C:\PROGRA~1\FIREFOX.EXE
D:\Program Files\Internet Explorer\iexplore.exe
c:\kl1.exe
D:\WINDOWS\system32\winsrv32.exe
D:\Program Files\Windows NT\Accessories\wordpad.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\DOCUME~1\OWNER~1.SAR\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = loginnet.passport.com
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - D:\WINDOWS\system32\winbrume.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpppt] /ICON
O4 - HKLM\..\Run: [HP Lamp] c:\precisionscan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [LVCOMS] D:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [orderShell] D:\Documents and Settings\Owner.SARZY\orderfeiq.exe
O4 - HKLM\..\Run: [eventwvr] D:\WINDOWS\system32\eventwvr.exe
O4 - HKLM\..\Run: [termcaps] D:\WINDOWS\system32\termcaps.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ZPoint] D:\WINDOWS\system32\winmuse.exe
O4 - HKLM\..\Run: [Adware.Srv32] D:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] D:\WINDOWS\system32\susp.exe
O4 - HKLM\..\RunServices: [termcaps] D:\WINDOWS\system32\termcaps.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [termcaps] D:\WINDOWS\system32\termcaps.exe
O4 - HKCU\..\Run: [System] D:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [shell] "D:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00019.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: cpew2kup.exe.lnk = E:\app\cpew2kup.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = D:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: PanasonicX800PCSoftwareSuite Detect.lnk = ?
O4 - Global Startup: PanasonicX800PCSoftwareSuite TS.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - messenger.zone.msn.com
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - messenger.zone.msn.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - spaces.msn.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - us.dl1.yimg.com
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - messenger.zone.msn.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: D:\WINDOWS\system32\wmfhotfix.dll
O20 - Winlogon Notify: tcpR32 - D:\WINDOWS\SYSTEM32\tcpR32.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG6 Service (AvgServ) - GRISOFT(c) SOFTWARE s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Microsoft Printer Spooler Service - Unknown owner - D:\WINDOWS\spoolsv.exe (file missing)
```

Will try EWIDO.
| 455324 | 2006-05-18 09:25:00 | C:\Windows\System32\kernels8.exe Added by the Troj/Vixup-BN Trojan. | tweak'e (69) | ||

```
D:\WINDOWS\system32\termcaps.exe
C:\Windows\xpupdate.exe
D:\WINDOWS\system32\dlh9jkdq2.exe
D:\WINDOWS\system32\dlh9jkdq6.exe
D:\WINDOWS\system32\dlh9jkdq7.exe
c:\kl1.exe
D:\WINDOWS\system32\winsrv32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} -
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
D:\WINDOWS\system32\winbrume.dll
O4 - HKLM\..\Run: [orderShell] D:\Documents and Settings\Owner.SARZY\orderfeiq.exe
O4 - HKLM\..\Run: [eventwvr] D:\WINDOWS\system32\eventwvr.exe
O4 - HKLM\..\Run: [termcaps] D:\WINDOWS\system32\termcaps.exe
O4 - HKLM\..\Run: [ZPoint] D:\WINDOWS\system32\winmuse.exe
O4 - HKLM\..\Run: [Adware.Srv32] D:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] D:\WINDOWS\system32\susp.exe
O4 - HKLM\..\RunServices: [termcaps] D:\WINDOWS\system32\termcaps.exe
O4 - HKCU\..\Run: [termcaps] D:\WINDOWS\system32\termcaps.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: cpew2kup.exe.lnk = E:\app\cpew2kup.exe
O20 - AppInit_DLLs: D:\WINDOWS\system32\wmfhotfix.dll
O20 - Winlogon Notify: tcpR32 - D:\WINDOWS\SYSTEM32\tcpR32.dll
```

I think that's roughly right. Ewido or the usual spyware progs should take care of most of the infections. AVG needs fixing, and why on earth is Windows on the D drive? Also, if a firewall was installed these infections would have been noticed very early on and blocked. It appears one of them is a downloader trojan, i.e. it downloads and installs apps in the background, which probably accounts for the other infections.
| 455325 | 2006-05-18 09:26:00 | You've got a LOT of nasties in that log, Smitfraud being one of them. Boot into safe mode, turn system restore off, and run HJT again, tick these entries and tick fix checked. | Speedy Gonzales (78) | ||

```
D:\WINDOWS\svchost.exe
C:\Windows\xpupdate.exe
D:\WINDOWS\system32\dlh9jkdq2.exe
D:\WINDOWS\system32\dlh9jkdq6.exe
D:\WINDOWS\system32\dlh9jkdq7.exe
D:\WINDOWS\system32\winsrv32.exe
```

These entries belong to Smitfraud. Go here for info (siri.urz.free.fr).

```
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: [orderShell] D:\Documents and Settings\Owner.SARZY\orderfeiq.exe
O4 - HKLM\..\Run: [eventwvr] D:\WINDOWS\system32\eventwvr.exe
O4 - HKLM\..\Run: [termcaps] D:\WINDOWS\system32\termcaps.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ZPoint] D:\WINDOWS\system32\winmuse.exe
O4 - HKLM\..\Run: [Adware.Srv32] D:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [Transponder] D:\WINDOWS\system32\susp.exe
O4 - HKLM\..\RunServices: [termcaps] D:\WINDOWS\system32\termcaps.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [termcaps] D:\WINDOWS\system32\termcaps.exe
O4 - HKCU\..\Run: [System] D:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.ex
O4 - Global Startup: cpew2kup.exe.lnk = E:\app\cpew2kup.exe
O20 - Winlogon Notify: tcpR32 - D:\WINDOWS\SYSTEM32\tcpR32.dll
D:\WINDOWS\system32\kernels8.exe
c:\kl1.exe
```

And install a firewall. I would use Ewido, Search and Destroy (update this first),
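A small triage script, added here as an example and not something any poster in the thread provided: it reads HijackThis entries (a constructed excerpt of the log above, with paths and CLSIDs copied from the post) and flags the structural signs the replies keyed on: an IE start page pointing at a local file, BHOs with no backing file, an svchost.exe or autorun binary outside its normal folder, O20 hooks, and services whose binary is missing. The rules are my own heuristics, not HijackThis logic, and they reduce the noise an analyst has to read rather than decide anything on their own.

```python
import ntpath
import re

# Constructed excerpt of the HijackThis v1.99.1 log posted in this thread (trimmed).
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [System] D:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O20 - AppInit_DLLs: D:\WINDOWS\system32\wmfhotfix.dll
O20 - Winlogon Notify: tcpR32 - D:\WINDOWS\SYSTEM32\tcpR32.dll
O23 - Service: Microsoft Printer Spooler Service - Unknown owner - D:\WINDOWS\spoolsv.exe (file missing)
"""


def o4_target(line):
    # Pull the launched path out of an O4 autorun entry (quoted or bare, switches dropped).
    rest = line.split("] ", 1)[-1].strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" /", 1)[0].split(" -", 1)[0]


def suspicious_o4(path):
    # Location-based checks that need no known-good list: where does the binary live?
    parent, name = ntpath.split(path)
    parent_name = ntpath.basename(parent).lower()
    if name.lower() == "svchost.exe" and parent_name != "system32":
        return "svchost.exe launched from outside system32 (lookalike name)"
    if parent_name == "windows" or re.fullmatch(r"[a-z]:\\?", parent, re.IGNORECASE):
        return "autorun binary dropped in the Windows root or a drive root"
    return None


def triage(log_text):
    # Return (reason, entry) pairs for the entries an analyst should look at first.
    findings = []
    for line in log_text.splitlines():
        tag = line.split(" - ", 1)[0]  # R0, R1, O2, O4, O20, O23, ...
        reason = None
        if tag in ("R0", "R1") and re.search(r"=\s*[a-z]:\\", line, re.IGNORECASE):
            reason = "IE start/default page redirected to a local file (homepage hijack)"
        elif tag == "O2" and line.endswith("(no file)"):
            reason = "BHO registered with no backing file (leftover or hidden component)"
        elif tag == "O4":
            reason = suspicious_o4(o4_target(line))
        elif tag == "O20":
            reason = "AppInit_DLLs / Winlogon Notify hook: loads into every process or logon"
        elif tag == "O23" and ("(file missing)" in line or "Unknown owner" in line):
            reason = "service with missing binary or unknown owner"
        if reason:
            findings.append((reason, line))
    return findings
```

Run `triage(SAMPLE_LOG)` on the excerpt and seven of the nine entries come back flagged; the two legitimate Java entries (jusched.exe and the SSVHelper BHO) do not.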
| 455326 | 2006-05-18 09:44:00 | This entry MAY BE safe: E:\app\cpew2kup.exe | Speedy Gonzales (78) | ||
| 455327 | 2006-05-18 10:34:00 | Does she have system restore? Like Go Back? If the spyware or virus infected straight away and is unable to be controlled, the option is to use Norton Go Back. I got McAfee Spyware and Anti Virus. I think it is more effective than AVG; like, one of my Norton Anti Virus couldn't scan for trojans in my file but McAfee was able to stop the virus immediately. Extra protection means costing money but it is safer. Plus less work. The files are not at such high risk. | MTLance (6768) | ||