escman108

My computer has been taken over by malware

2 posts in this topic

Okay, so I'm going to try and make this as quick and concise as possible:

My computer has been taken over by malware. Some idiot that used my computer downloaded a piece of shareware, specifically an ID game called "Duke Nukem 3D", and since then I've had nothing but problems with my computer. I can't log in to my network domain because every time I do, my computer automatically reboots. I have SpyBot, SpywareBlaster, SpywareGuard, Ad-Aware and HijackThis all on my system, and every day I remove well over 200 entries of spyware, and none of the automatic blockers are working except for the BHO removal from SpywareGuard. SpywareGuard somehow is being shut down automatically every 5 minutes or so, so I'll have to restart it. I keep getting the web sites "www.look2me.com" and "zestyfind" coming up automatically even though SpywareBlaster is blocking them in its protection list. The BHOs that are most frequently trying to be downloaded are named "WToolsB.dll", "common.dll" and "toolbar.dll". When I ran Ad-Aware, a lot of files couldn't be removed and I'm afraid to reboot. One of the files that had over 30 entries in the registry was named "IBIS Toolbar". Finally, I've run HijackThis and saved the log, so I'll attach it to this post.

 

----------------------------------------------------------------------------------------------

 

Logfile of HijackThis v1.97.7
Scan saved at 8:33:16 AM, on 7/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\NORTON~4\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINNT\system32\svchost.exe
\Server\My Documents\Setup_Software Packages\Spyware Setup\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O3 - Toolbar: Ask Jeeves Bar - {43D9E6F0-1776-4897-AE14-ECEDECBAFEC0} - C:\WINNT\system32\askbarAB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [symTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Mix 4] C:\PROGRA~1\Spam Draw Copy\Defy Wait.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O8 - Extra context menu item: Ask Jeeves Search - res://C:\WINNT\system32\askbarAB.dll/cmd-search-selection
O8 - Extra context menu item: Dictionary Search - res://C:\WINNT\system32\askbarAB.dll/cmd-search-selection-word
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} (AJ Installer Control) - http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = es.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F47AB357-E1D5-46DE-8F41-C20784820640}: NameServer = 216.219.253.211,216.219.254.10,209.130.136.2,206.165.50.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = es.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = es.com

 

-------------------------------------------------------------------------------------------

 

The only recent thing that I did before all this happened was I upgraded to the most recent version of Norton SystemWorks. It said I had 2 quarantine files and asked did I want to delete them. I said yes and I rebooted my system after upgrading like it said to, and couldn't log in to my domain; it kept rebooting. I logged in under the administrator on my local machine and did a scan and found 13 virus/malware infections when before there were none.

I hope someone can help me get rid of all this, because I'm afraid that otherwise I'll have to save as much data as I can and reformat my hard drive if I can't, since it's really cutting into my production time at work.

Thanks in advance and get back as soon as possible.

 

JT


Okay, so I read through the pinned post about reading your HijackThis log and analyzing it yourself. It was very informative and I got rid of pretty much all the bad stuff on it. It stopped the autoloading of www.look2me.com so far but the only thing I couldn't get rid of was the section that says:

 

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

 

I couldn't get rid of it in HijackThis, and I couldn't end the process from the Task Manager for this item:

C:\Program Files\Common Files\WinTools\WToolsA.exe

and I couldn't physically delete the files that are there using Windows Explorer to find them. The only other thing I can think of to do is restart my computer in Safe Mode and try removing it from there, because as my understanding of Safe Mode goes, no processes (or very few) are running, so maybe I'll be able to remove it that way.

I'm still receiving the BHO popup for the WToolsB.dll, but that's probably because of the previously mentioned issue. It pops up about every minute or so.

Any help anyone can give would be appreciated. Thanks everyone!

 

JT

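The two posts above do by hand what a small triage script can do mechanically: split the HijackThis log into its "Running processes" section and its R*/O* entries, pull the file path or URL out of each entry, check the path against a watchlist, and note whether an autostart entry (O4) points at an executable that is also in the running-process list, which is exactly the WToolsA.exe situation the second post describes. The script below is an added example for readers; it is not HijackThis's own code and not the poster's. The sample log lines are copied from the log in the first post, and the watchlist is constructed from the names the poster already identified as the problem (WinTools, toolbar.dll, common.dll, IBIS).

```python
"""Triage helper for a HijackThis-style log (added example, not HijackThis code).

Parses the 'Running processes' section and the R*/O* entries, reports the
entries whose file path or URL matches a watchlist of names, and says whether
the referenced executable also appears in the running-process list.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of lines copied from the log in the post above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\SpywareGuard\sgmain.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
"""

# Watchlist constructed from the names the poster identified in the thread.
WATCHLIST = ["WinTools", "toolbar.dll", "common.dll", "IBIS"]

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# A drive-letter path up to the first binary-looking extension (paths may contain spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|cpl|ocx)", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Entry:
    code: str              # HijackThis section code, e.g. "O4"
    detail: str            # the rest of the line
    path: Optional[str]    # first Windows file path found, if any
    url: Optional[str]     # first URL found, if any


def norm(path: str) -> str:
    """Normalise a path for comparison: collapse doubled backslashes, lowercase."""
    return path.replace("\\\\", "\\").lower()


def parse_log(text: str):
    """Return (running_processes, entries) from a HijackThis-style log."""
    processes = set()
    entries = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # first R*/O* entry ends the process list
            code, detail = m.groups()
            pm, um = PATH_RE.search(detail), URL_RE.search(detail)
            entries.append(Entry(code, detail, pm.group(0) if pm else None,
                                 um.group(0) if um else None))
        elif in_procs:
            processes.add(norm(line))
    return processes, entries


def triage(processes, entries, watchlist):
    """Flag entries whose path/URL contains a watchlist name; note if it is running."""
    findings = []
    for e in entries:
        target = e.path or e.url
        if not target:
            continue
        hit = next((w for w in watchlist if w.lower() in target.lower()), None)
        if hit is None:
            continue
        findings.append({
            "code": e.code,
            "target": target,
            "matched": hit,
            "running": e.path is not None and norm(e.path) in processes,
        })
    return findings


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    for f in triage(procs, ents, WATCHLIST):
        state = "RUNNING" if f["running"] else "not running"
        print(f'{f["code"]}: {f["target"]}  (matched "{f["matched"]}", {state})')
```

The "running" flag is what makes an entry worth attention before a reboot: an O4 autostart whose binary is already live in the process list (as WToolsA.exe is here) will usually have to be dealt with in Safe Mode or with the process stopped first, while an entry whose file is not running can typically be removed directly. The watchlist is deliberately just a list of strings so it can be extended with whatever names a thread like this one turns up.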