My computer has been taken over by malware



#1 escman108

Posted 06 July 2004 - 07:49 AM

Okay, so I'm going to try and make this as quick and concise as possible:

My computer has been taken over by malware. Some idiot that used my computer downloaded a piece of shareware, specifically an ID game called "Duke Nukem 3D", and since then I've had nothing but problems with my computer. I can't log in to my network domain because every time I do, my computer automatically reboots. I have SpyBot, SpywareBlaster, SpywareGuard, Ad-Aware and HijackThis all on my system, and every day I remove well over 200 entries of spyware, and none of the automatic blockers are working except for the BHO removal from SpywareGuard. SpywareGuard somehow is being shut down automatically every 5 minutes or so, so I'll have to restart it. I keep getting the web sites "www.look2me.com" and "zestyfind" coming up automatically even though SpywareBlaster is blocking them in its protection list. The BHOs that are most frequently trying to be downloaded are named "WToolsB.dll", "common.dll" and "toolbar.dll". When I ran Ad-Aware, a lot of files couldn't be removed and I'm afraid to reboot. One of the files that had over 30 entries in the registry was named "IBIS Toolbar". Finally, I've run HijackThis and saved the log, so I'll attach it to this post.

----------------------------------------------------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 8:33:16 AM, on 7/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\NORTON~4\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\WINNT\system32\svchost.exe
\Server\My Documents\Setup_Software Packages\Spyware Setup\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O3 - Toolbar: Ask Jeeves Bar - {43D9E6F0-1776-4897-AE14-ECEDECBAFEC0} - C:\WINNT\system32\askbarAB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Mix 4] C:\PROGRA~1\Spam Draw Copy\Defy Wait.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O8 - Extra context menu item: Ask Jeeves Search - res://C:\WINNT\system32\askbarAB.dll/cmd-search-selection
O8 - Extra context menu item: Dictionary Search - res://C:\WINNT\system32\askbarAB.dll/cmd-search-selection-word
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...Transporter.cab?
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} (AJ Installer Control) - http://sp.ask.com/do...askbar-inst.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch....tp_le/setup.exe
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = es.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{F47AB357-E1D5-46DE-8F41-C20784820640}: NameServer = 216.219.253.211,216.219.254.10,209.130.136.2,206.165.50.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = es.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = es.com

-------------------------------------------------------------------------------------------

The only recent thing that I did before all this happened was I upgraded to the most recent version of Norton SystemWorks. It said I had 2 quarantined files and did I want to delete them. I said yes and I rebooted my system after upgrading like it said to, and couldn't log in to my domain; it kept rebooting. I logged in under the administrator on my local machine and did a scan and found 13 virus/malware infections when before there were none.

I hope someone can help me get rid of all this, because I'm afraid that otherwise I'll have to save as much data as I can and reformat my hard drive if I can't, because it's really cutting into my production time at work.

Thanks in advance and get back as soon as possible.

JT

#2 escman108

Posted 06 July 2004 - 08:36 AM

Okay, so I read through the pinned post about reading your HijackThis log and analyzing it yourself. It was very informative and I got rid of pretty much all the bad stuff on it. It stopped the autoloading of www.look2me.com so far but the only thing I couldn't get rid of was the section that says:

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

I couldn't get rid of it in HijackThis; I couldn't end the process from the Task Manager for this item:

C:\Program Files\Common Files\WinTools\WToolsA.exe

and I couldn't physically delete the files that are there using Windows Explorer to find them. The only other thing I can think of to do is restart my computer in Safe Mode and try removing it from there, because as my understanding of Safe Mode goes, no processes (or very few) are running, so maybe I'll be able to remove it that way.

I'm still receiving the BHO pop-up for the WToolsB.dll, but that's probably because of the previously mentioned issue. It pops up about every minute or so.

Any help anyone can give would be appreciated. Thanks everyone!

JT
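The reasoning in the two posts above (a Run entry that cannot be removed while the binary it points to is running, so the process has to be stopped or the machine booted into Safe Mode first) can be checked mechanically from the log itself. The following Python is an added example for this thread, not HijackThis' own code or anything from the original posts: it parses the log format shown above, cross-references the O4 autostart entries with the "Running processes" list, and also pulls out the O17 NameServer addresses and the hosts the O16 ActiveX entries were fetched from so they can be checked against what the ISP and domain actually hand out. SAMPLE_LOG is a trimmed excerpt of the posted log used as test input; the function names are this example's own.

```python
"""Parse a HijackThis 1.97-style log and cross-reference its O4 autostart
entries with the 'Running processes' list, so entries backed by a live
process (which resist deletion until that process is stopped) stand out.
Example code added to this thread, not HijackThis' own; SAMPLE_LOG is a
trimmed excerpt of the log posted above, used here as test input."""
import re

SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 8:33:16 AM, on 7/6/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [Mix 4] C:\PROGRA~1\Spam Draw Copy\Defy Wait.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F47AB357-E1D5-46DE-8F41-C20784820640}: NameServer = 216.219.253.211,216.219.254.10
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")  # "O4 - HKLM\..\Run: [name] cmd"
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")

def parse_log(text):
    """Return (processes, entries); entries is a list of (code, body)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_procs = False
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries

def exe_from_command(command):
    """Executable from a Run value: quoted, unquoted with spaces, or bare."""
    m = re.match(r'^"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"^(.*?\.exe)(?=\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0]

def autoruns(entries):
    """O4 entries as dicts: hive, key, value name, full command, executable."""
    out = []
    for code, body in entries:
        m = O4_RE.match(body) if code == "O4" else None
        if m:
            hive, key, name, command = m.groups()
            out.append({"hive": hive, "key": key, "name": name,
                        "command": command, "exe": exe_from_command(command)})
    return out

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def running_autoruns(processes, runs):
    """(value name, autorun exe, running image) for autoruns whose binary is
    running. Matching is on lower-cased basename because the log mixes 8.3
    (PROGRA~1) and long names and differs in case; a generic name such as
    svchost.exe would therefore match any copy, so confirm the full path."""
    running = {basename(p): p for p in processes}
    return [(r["name"], r["exe"], running[basename(r["exe"])])
            for r in runs if basename(r["exe"]) in running]

def nameservers(entries):
    """DNS servers from O17 NameServer entries, for checking against the
    ones the ISP or domain really hands out."""
    ips = []
    for code, body in entries:
        if code == "O17" and "NameServer" in body:
            ips.extend(body.split("=", 1)[1].replace(" ", "").split(","))
    return ips

def dpf_hosts(entries):
    """Hosts that O16 (Download Program Files / ActiveX) entries came from."""
    hosts = []
    for code, body in entries:
        m = re.search(r"https?://([^/\s]+)", body) if code == "O16" else None
        if m:
            hosts.append(m.group(1).lower())
    return hosts

if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    for name, exe, image in running_autoruns(procs, autoruns(ents)):
        print(f"[{name}] -> {exe}  (running as {image})")
    print("O17 NameServers:", nameservers(ents))
    print("O16 download hosts:", dpf_hosts(ents))
```

Run against the excerpt it reports only the [WinTools] entry as backed by a running image, which is the one JT could not remove; every other O4 entry in the excerpt points at a binary that is not in the process list and so would clear from HijackThis without a fight. The basename match is deliberately loose because of the 8.3 and case differences visible in the log, so treat a hit on a common name as something to confirm by full path rather than as proof.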
