Forum Home | Press F1
Thread ID: 62725 | 2005-10-17 10:18:00 | Autodial spyware | Advocar (1098) | Press F1

Post ID | Timestamp | User
Content
397095 | 2005-10-17 10:18:00 | Advocar (1098)

Yesterday noticed programs not known to me requesting to allow dialout, so pulled the plug. Temp on another PC now. Some sites found: nnpy.nnctx.com.ru, 210.246.2.(71) or .(168) or .(167), ct.eid.co.nz, eid.co.nz. Re forums, searched and deleted following files: MMSVc32.exe, spolls.exe-28dd7f85.pf. 2 days prior to noticing above had run ZoneAlarm scan and almost 100% secure; came up with "very well locked down but could allow reply to outside source", suggested I was not running a firewall. Checked that MS firewall was enabled and it was. Have run Hijack, below is log.

Logfile of HijackThis v1.99.1
Scan saved at 22:38:55, on 17/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\virusdetectbits\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R3 - URLSearchHook: (no name) - - (no file)
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Newprograms\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Newprograms\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\Msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - www.pestscan.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - a840.g.akamai.net
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - security.symantec.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE

Have run Spybot and Adware, no infected files found. Any help welcome.
397096 | 2005-10-17 10:31:00 | Speedy Gonzales (78)

Tick there Ad. Close browser/s. Tick fix checked. Reboot.

R3 - URLSearchHook: (no name) - - (no file)
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

The other entries look OK. I would either update to SP1 or SP2 as well.
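The four lines Speedy picks out share one property: each registers a browser object or startup hook whose file is gone ("(no file)") or whose value is empty, so nothing can run from them and removing the registration only tidies the machine. The following Python script is an added example, not code from the thread or from HijackThis; it parses entry lines in the HijackThis v1.99.1 layout shown above (section code, " - ", description fields) and flags exactly those two patterns. The sample lines are copied from the log in the first post (a subset, with three legitimate entries kept for contrast); the parsing rules are the author's reading of that log layout, not a documented HijackThis format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of entries copied from the HijackThis v1.99.1
# log posted above (the four that Speedy ticked, plus three legitimate ones
# for contrast). It is not the full log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R3 - URLSearchHook: (no name) - - (no file)
F3 - REG:win.ini: run=
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# Entry lines start with a section code such as R3, F3, O2, O23 followed by " - ".
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<text>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str              # HijackThis section code, e.g. "O2"
    text: str              # everything after "<code> - "
    clsid: Optional[str]   # {GUID} if the entry carries one
    target: Optional[str]  # last " - " separated field: a file path or "(no file)"


def parse_log(log: str) -> List[Entry]:
    """Parse HijackThis-style entry lines; header and process-list lines are skipped."""
    entries: List[Entry] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        text = m.group("text")
        clsid = CLSID_RE.search(text)
        target = text.rsplit(" - ", 1)[1].strip() if " - " in text else None
        entries.append(Entry(m.group("code"), text, clsid.group(0) if clsid else None, target))
    return entries


def triage(entries: List[Entry]) -> List[dict]:
    """Flag the two patterns Speedy singled out; everything else is left to a human.

    - an object that is still registered but whose file is gone ("(no file)"):
      it cannot run any more, so removing the registration is safe;
    - an empty win.ini run= value: it launches nothing, so removing it is harmless.
    A missing display name on its own is NOT a verdict: the SDHelper.dll BHO in
    the sample shows "(no name)" but has a file on disk, so it is not flagged.
    """
    findings = []
    for e in entries:
        if e.target == "(no file)":
            findings.append({"code": e.code, "clsid": e.clsid,
                             "reason": "orphaned: no file on disk", "line": e.text})
        elif e.code == "F3" and e.text.endswith("="):
            findings.append({"code": e.code, "clsid": None,
                             "reason": "empty win.ini run= value", "line": e.text})
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"tick {f['code']:<3} {f['reason']:<28} {f['line']}")
```

Run against the sample it lists exactly the R3, F3 and two O2 lines from Speedy's reply and leaves the Spybot, Google and AVG entries alone, which is the point of the caveat in the docstring: "(no name)" by itself says nothing, the missing file does.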
397097 | 2005-10-18 11:30:00 | Advocar (1098)

Thanks Speedy Gonzales, but a bit cryptic for me re the following: "Tick there Ad. Close browser/s. Tick fix checked. Reboot." I don't appear to have any pop up ads to click on? Or am I thick? Do I just remove / delete the others as well? Have managed to locate CD with SP2 on it. Need to check out how and what I need to do before running it.

Advocar
397098 | 2005-10-18 11:41:00 | roddy_boy (4115)

What Speedy meant was run HijackThis! again and tick those entries (in the box next to them) and then click "fix checked", which is under the list of entries. And make sure your browsers are closed (internet explorer/firefox etc.).

Cheers, roddy
397099 | 2005-10-19 05:10:00 | gibler (49)

Good idea to run Hijackthis in safe mode (press F8 just as Windows loads) and with System Restore off.
397100 | 2005-10-21 10:10:00 | Advocar (1098)

Hi guys, tried all above and after turning off restore tested lots of requests to open dial up with line unplugged and appeared to be OK. Restore files had been removed. Ran NOD32, latest virus checker from PC World disk, and looked OK. Put restore back on and retried, OK. Plugged line in and within short time AVG showed IRC / backdoor virus was back again. I have not been to any IRC sites to my knowledge. Currently sorting out SP2 upgrade. Thanks for help, will post results when updated.
397101 | 2005-10-21 18:58:00 | Speedy Gonzales (78)

If you still have something, DON'T install SP2 until it's removed. SP2 is quite fussy about Spyware/viruses etc. and will complain if you install SP2 and reboot. It may reboot continuously. What IRC backdoor virus/trojan did AVG detect/pick up??