Cannot find parasite


50 replies to this topic

#1 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 23 May 2004 - 10:09 AM

Whenever I check my internet history, there have been many sites (mainly porn sites) written to it that I have definitely never visited and have never seen before. The times in which the sites were accessed were times at which no one has been near the computer at all (some have been early in the morning when everyone in my family has been asleep). Adaware already found and deleted one file about a month ago. The file had been there a long time and was only found because the latest reference file was able to locate it. However, no other updates to Adaware have been able to find anything, and no updates have been available for Spybot S&D since January. Nothing the least bit incriminating has showed up with HJT, which leads me to believe that whatever file(s) are currently on my system are not running on startup, but are running at set intervals in the day (possibly random). The information on the file that was removed earlier indicated that that one worked the same way. The only thing I can think of doing next is manually searching for the file(s) and deleting them, but I don't really know where to look or what to look for. I have a program called System Security Suite which cleans all folders such as Temp, Temp. Int. Files, History, Cookies, etc. (it even cleans index.dat files), so these folders probably do not contain anything, and I have already checked downloaded program files without success. I know this is probably an unusually complex problem to solve, but I don't know where else to turn. Any help, such as what folders to check and what file extensions to check for, would be greatly appreciated.

Here is my latest HJT log file, but it doesn't look as if there is anything there which could cause any problem. (A text file called config.ini keeps reappearing every time I restart the computer even if I delete it, but I think I may have accidentally put that there myself when trying to fix a startup program).

Logfile of HijackThis v1.97.7
Scan saved at 12:36:27 AM, on 1/17/01
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\SYSTRAY.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\SGBHP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\NEW FOLDER\PROGRAMS\ANTI-SPYWARE\HIJACKTHIS2\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.37.com/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_04.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rbigc81q.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - Startup: SYSTRAY.EXE
O4 - Startup: config.ini
O4 - Startup: sgbhp.exe
O4 - Startup: iTouch Configuration.lnk.disabled
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab

Some of these processes do kind of look suspicious to me though, but I probably just don't know what they are.

Thank You.

#2 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 24 May 2004 - 08:02 AM

I just installed a firewall from Kerio, and it appears that I have at least three trojans that are not being found by any of my current applications. Using the snort website referred to by Kerio, I searched for some of the trojans' registry changes and files, but was unable to find anything. I am going to try another program and am getting a new version of Norton AntiVirus (my current version is the 1997 release), but in the meantime, any help would be appreciated.

#3 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 24 May 2004 - 11:54 AM

After installing the demo for Pest Patrol, it discovered a large number of items (mainly remains of previously deleted items) which I was able to remove without too much difficulty. I have still not been able to locate the five trojans which are infecting my computer, which seem to include win-trin00, Matrix 2.0, and Q. Would still appreciate any advice, although the situation is now at least partly under control.

#4 dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 24 May 2004 - 02:41 PM

That seems a very short log. However, let's shorten it some more!

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - Startup: config.ini
O4 - Startup: sconfig.ini

Reboot, search for and delete the files

config.ini
sconfig.ini

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#5 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 24 May 2004 - 04:57 PM

I cannot access HJT now. If I try, I get a message that says "access to the specified device, path, or file is denied."

I don't know what's happening, but my new firewall has indicated that my computer has been compromised by four different trojans, Deepthroat 3.1, Q (which is only supposed to affect Linux and I'm running Win 98se), win-trin00, and Matrix 2.0. My computer may also have been used in DoS attacks by a remote host. My internet now stops working if my computer is left on too long, Explorer freezes often, and just now my firewall shut down with a message saying it couldn't reach its host (I think). According to the website my firewall's company referred me to (snort.org), there are several registry entries and files to be deleted that belong to these trojans, but I checked and they were not there. My obsolete Norton AntiVirus (1997) will not find anything, even after updating my reference file, and I am not sure what to do next. First, I need to get HJT back. I know it seems like I've got a considerable problem here, but I really need help, and any that you could give me would be greatly appreciated. Thank You.

Maybe this thread should be moved to PC troubleshooting.

#6 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 24 May 2004 - 07:40 PM

I fixed the HJT problem, I had an incorrect setting on my firewall that blocked it. I deleted the entries you told me to, but where did you come up with sconfig.ini? That entry isn't in any of my HJT logs, and the file sconfig.ini is not present on my system. As for config.ini, when I delete it and the files labelled config.ini, they come back after I reboot. I think I may have accidentally caused that entry when I attempted to restore a deleted startup program, but I may be wrong. Here are two HJT logs, the first is when I deleted config.ini before I rebooted, the second is after I rebooted and config.ini reappeared. There is now a firewall from Kerio that wasn't in my earlier logs, as you can see.

1.

Logfile of HijackThis v1.97.7
Scan saved at 9:55:51 AM, on 1/18/01
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\SYSTRAY.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\SGBHP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\MY DOCUMENTS\NEW FOLDER\PROGRAMS\ANTI-SPYWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.37.com/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_04.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rbigc81q.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKCU\..\Run: [] C:\Program Files\SpywareGuard\sgbhp.exe
O4 - Startup: SYSTRAY.EXE
O4 - Startup: config.ini
O4 - Startup: sgbhp.exe
O4 - Startup: iTouch Configuration.lnk.disabled
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab

2.

Logfile of HijackThis v1.97.7
Scan saved at 9:57:04 AM, on 1/18/01
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\MY DOCUMENTS\NEW FOLDER\PROGRAMS\ANTI-SPYWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.37.com/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_04.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rbigc81q.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - Startup: SYSTRAY.EXE
O4 - Startup: sgbhp.exe
O4 - Startup: iTouch Configuration.lnk.disabled
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab

I still need to get rid of those trojans, but thanks so far.

#7 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 25 May 2004 - 09:03 AM

Latest Report

I've found out that I have a variant of coolwebsearch called CWS.GoogleMS.3 which keeps adding the following key to my registry:
HKEY_CURRENT_USER\software\microsoft\windows\current version\internet settings\zonemap\domains\xxxtoolbar.com (I would also like to know if I can clean out other sites which are found under this key).

This happens even after I place xxxtoolbars.com in my restricted sites list. The latest version of CoolWeb Shredder does not fix the problem, and Adaware and Spybot find nothing (PP finds only the entry). Also, I have not been able to locate or delete any of the four trojans which are affecting my computer, and my firewall is still being shut down with a message saying it cannot reach its server. Config.ini keeps reappearing at startup.

#8 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 25 May 2004 - 01:07 PM

Latest Report

Here is a scan-only report from coolwebshredder. It won't get rid of any of this stuff though.

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Application Data
Username: User

Found Hosts file: C:\WINDOWS\hosts (736 bytes, R)
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A, running)
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (7710 bytes, A)
Found line in Win.ini: load=
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2382 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT -

I don't know whether to start with this stuff, the possible trojans, or the fact that my firewall will not remain on. Not being impatient though, just adding information as I find it. I have no idea how to proceed from here, however.
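The scan-only report above prints "(if value is 2)" next to each ZoneMap hit while the recorded value is dword:4. As an added example (not from the thread, from CWShredder or from any of its authors), the following Python reads report lines in that shape and sorts ZoneMap domains by the Internet Explorer security zone they are assigned to, and separately flags URL-prefix values that differ from the expected "http://". The zone numbers are Internet Explorer's documented zone IDs; the sample report text is constructed from the domains in the report above plus two invented ".invalid" names so that both the benign and the suspicious branches are exercised.

```python
"""Interpret CWShredder-style ZoneMap and URL-prefix report lines.

Added example; not CWShredder code. The zone IDs are IE's documented values,
the sample report is constructed.
"""
import re

# IE security zone IDs as stored under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\<domain>
ZONE_NAMES = {
    0: "My Computer",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

DOMAIN_RE = re.compile(
    r"Registry value: Domains: (?P<domain>\S+) \[(?P<proto>[^\]]*)\] dword:(?P<zone>\d+)"
)
PREFIX_RE = re.compile(
    r"Registry value: (?P<name>.+?) \(should be (?P<expected>\S+)\) "
    r"\[(?P<key>[^\]]*)\] (?P<actual>\S+)"
)

# Constructed sample: three domains copied from the report in the thread plus
# two invented ".invalid" names (one Trusted-zone domain, one hijacked prefix).
SAMPLE_REPORT = """\
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
CWS.Sample (if value is 2) Registry value: Domains: *.adserver.invalid [*] dword:2
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://redirector.invalid/?u=
"""


def parse_zonemap(report: str) -> list[dict]:
    """Return one record per ZoneMap domain line in the report."""
    records = []
    for line in report.splitlines():
        m = DOMAIN_RE.search(line)
        if m:
            records.append(
                {"domain": m.group("domain"), "proto": m.group("proto"), "zone": int(m.group("zone"))}
            )
    return records


def zone_verdict(zone: int) -> str:
    """Zone 2 (Trusted Sites) lowers IE's defences for that domain, so a hijacker
    planting an ad domain there is the real finding. Zone 4 (Restricted Sites) is
    what IE-SPYAD / Spy-Sites style block lists create: expected, not an infection."""
    if zone == 2:
        return "suspicious"
    if zone == 4:
        return "benign"
    return "review"


def triage_zonemap(report: str) -> dict[str, list[str]]:
    """Group the report's ZoneMap domains by verdict, preserving report order."""
    out: dict[str, list[str]] = {"suspicious": [], "benign": [], "review": []}
    for rec in parse_zonemap(report):
        out[zone_verdict(rec["zone"])].append(rec["domain"])
    return out


def hijacked_prefixes(report: str) -> list[tuple[str, str]]:
    """URL prefixes (DefaultPrefix, WWW Prefix, ...) whose value is not the expected
    scheme; a changed prefix silently sends every typed address somewhere else."""
    bad = []
    for line in report.splitlines():
        m = PREFIX_RE.search(line)
        if m and m.group("actual") != m.group("expected"):
            bad.append((m.group("name"), m.group("actual")))
    return bad


if __name__ == "__main__":
    for verdict, domains in triage_zonemap(SAMPLE_REPORT).items():
        for d in domains:
            print(f"{verdict:10s} {d}")
    for name, actual in hijacked_prefixes(SAMPLE_REPORT):
        print(f"PREFIX HIJACK {name} -> {actual}")
```

Running it on the constructed sample puts the three dword:4 domains under "benign" (they sit in Restricted Sites, which is where the poster's own Spy-Sites tool puts them) and only the dword:2 entry under "suspicious".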

#9 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 26 May 2004 - 08:12 AM

Bump.

More info concerning my crashing firewall. I believe that it only crashes when Bearshare is left on.

#10 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 26 May 2004 - 07:53 PM

Bump.

I'm not trying to be impatient, and I know my post is not being neglected intentionally, but I'm afraid that since there are so many replies on this thread (all but one made by me as I found more information on my problem), no one realizes that I'm not receiving any responses from helpers and that they think that a solution is under way. There are many other people who desperately need help, so I can wait, but I am worried because there seem to be several combined problems on my system, including CWS.GoogleMS.3 which seems to be new and difficult to remove, according to others.

If this thread has become too messed up or off-topic, it could be deleted or restarted.

#11 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 30 May 2004 - 08:20 AM

Bump

#12 dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 30 May 2004 - 11:17 AM

Have you run CWShredder, and chosen the "fix" option rather than "scan"?

#13 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 30 May 2004 - 12:51 PM

Yes, I've run the CWShredder fix option several times but it doesn't find anything. I think at least two of those scan-only entries are false positives, maybe the others are too.

Now I have yet another problem to add to this list. I just tried to use one of my computers and found a text file under my recent documents menu called "smashing", which contained only the word "lift". This file is under My Documents, and there is also some file under my temporary internet files by the same name containing the same word. The Internet had stopped working, and when I tried to restart the computer it froze (actually this happens often lately).

By the way, I should probably name the products I am using, and the results they display (the most important are in bold print):

1. Ad-Aware 6.81 - Hasn't found anything for over a month, updated daily.

2. Spybot S&D - Currently finding nothing, haven't been able to get an update in months.

3. HJT - Finds config.ini (see log posted earlier). Will delete it, but it regenerates after rebooting.

4. Kerio Personal Firewall 4 - The details under the IDS tab suggest I have four different trojans; the same details appear every time the firewall is turned on. The logs and statistics have not shown any such attacks, however, just network scans (most of which seem to be from my ISP). A manual search for one trojan (by me) found nothing, and another is supposed to affect only Unix and Linux systems (I'm running 98se). See earlier posts in this thread for more details.

5. Norton Internet Security (Latest Version) - Just installed this yesterday with the new network I set up to share the Internet with another of my computers (which is free of spyware right now). Shows no problems of any kind yet.

6. CoolWebShredder (Latest Version) - Finds several items in scan only mode, but fixes nothing when fix option is selected. Log in previous post.

7. Spyware Guard - No problems to list here. No updates available lately.

8. Spyware Blaster - No problems to list here. No updates available lately.

9. Norton AntiVirus (1997) - Found several unidentified trojans months ago and deleted them successfully, but has found nothing lately (was updated often). I have discontinued this version in favour of NAV 2004 which came with my new router.

10. Norton AV (2004) - Updated yesterday, found nothing.

11. PestPatrol (Trial Version) - Found several files, most of which seemed to be leftover registry entries from earlier spyware. I removed all items manually except for three; one of these turned out to be a false positive, and the other two are related to SaveNow.

12. Camtech Spy Sites - Adds sites to restricted zone.

13. System Security Suite - Cleans up various folders, such as temp and temporary internet files.

As you can see, I have some protection, but if there is any other program I should get, I would like to know. As mentioned, there are some logs earlier in this thread, and some (such as the AdAware log) are useless, so there is no need for me to post them. If there is any crucial information I have not posted, please ask for it and I will post it as soon as possible. Thank You.

PS - I mentioned that I had other computers, but just to be clear, all problems here are only on one of them. Another has just been connected to the Internet through a LAN, but is clean. The other isn't connected to the Internet, and I don't use it anyway because it's too old and slow.

#14 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 31 May 2004 - 04:23 PM

bump

Now I have another computer infected. There is a new thread for that one.

#15 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 01 June 2004 - 08:09 PM

Bump

It's been over a week now.

#16 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 14 June 2004 - 04:00 PM

I noticed that this has become a hot topic. What does that mean?

#17 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 14 June 2004 - 04:04 PM

It just means that there have been numerous posts in it. Are you still having a problem with this computer? If so, can you please post a fresh HijackThis log into this message?

#18 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 15 June 2004 - 09:54 AM

Yes, and now it's gotten a lot worse. I found that my browser has been taken over this morning, and none of my anti-spyware programs are showing anything wrong. PestPatrol shows that savenow and virtumonde are regenerating every time they are deleted, and config.ini keeps reappearing after a reboot even if HJT deletes it. I am starting to become desperate for a solution.

Here is my HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 12:04:51 AM, on 2/9/01
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\NEW FOLDER\PROGRAMS\ANTI-SPYWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://megaspider.co...CKYESTOCONTINUE
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_04.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rbigc81q.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Service Manager] C:\WINDOWS\dxsound.exe
O4 - Startup: config.ini
O4 - Startup: sgbhp.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab

I am also having problems with virtumonde on another computer. I have a different thread for that one.

#19 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 15 June 2004 - 11:25 AM

To Delete VirtuMonde
  • Automatic Removal => PandaSoftware <= PandaSoftware anti-virus will detect and remove VirtuMonde.
  • Manual Removal => Click Start, and then click Run. (The Run dialog box appears.)
  • Type regedit => Then click OK. (The Registry Editor opens.)
  • Navigate to and delete these keys, if found:
    • HKEY_CURRENT_USER\Software\Microsoft\WindowsUpd
    • HKEY_CURRENT_USER\Software\Microsoft\SysUpd
    • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bxxs5
    • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\windowsupd
  • Exit the Registry Editor.
  • Restart your computer
  • Start Windows Explorer and delete:
    • %WinDir%\WindowsUpd1.exe
    • %WinDir%\WindowsUpd2.exe
    • %WinDir%\WindowsUpd4.exe
    • %WinDir%\system32\cidrules.dll
    • profilepath+\local settings\temp\bs5657.tmp
    • profilepath+\local settings\temp\vupd
    • C:\program files\earn
    • %WinDir%\temp\bs5e310.tmp
Note: %WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).

Run HijackThis, click on "Scan" and then place a check mark in the following boxes, And click on "Fix Checked":
O4 - Startup: config.ini
O4 - Startup: sgbhp.exe
You have a trojan on your computer - Please download, install and run Trojan Hunter (Trial).
The entry for the trojan is:
O4 - HKCU\..\Run: [Service Manager] C:\WINDOWS\dxsound.exe
which needs to be deleted from HijackThis as well.

One final note - Please stick to one thread as I see you have had multiple threads with the same issue.
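The reply above singles out two kinds of O4 entries from the posted log: a non-executable config.ini sitting in the Startup folder, and a Run value with a generic display name pointing at an executable dropped directly in C:\WINDOWS. As an added example (not HijackThis code and not from the thread's helpers), this Python script applies those two rules, plus an "unnamed Run value" check, to the O4 lines of a log. The sample lines are copied from the log posted above; the vetted list of known-good autostart binaries is an assumption an analyst would maintain per machine, not a fact from the thread.

```python
"""Triage the O4 (autostart) section of a HijackThis log.

Added example; not HijackThis code. The sample lines come from the log posted
in this thread; VETTED is an assumed analyst-maintained allowlist.
"""
import re
from pathlib import PureWindowsPath

# "O4 - HKLM\..\Run: [Name] command line"  (also RunServices, RunOnce, ...)
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# "O4 - Startup: file"  (an item in the Start Menu\Programs\Startup folder)
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<file>.+)$")
# First token of a command line: a quoted path, or an unquoted path cut at its extension.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|com|bat|pif|scr|dll))(?:\s|$)', re.I)

STARTUP_OK_EXT = {".exe", ".com", ".bat", ".pif", ".lnk", ".scr"}
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system"}

# Assumption: autostart binaries an analyst has already vetted for this machine.
VETTED = {
    "ppmemcheck.exe", "ppcontrol.exe", "cookiepatrol.exe", "ccapp.exe", "ccregvfy.exe",
    "navapw32.exe", "sndmon.exe", "ccevtmgr.exe", "nisum.exe", "ccpxysvc.exe",
    "sbserv.exe", "sgbhp.exe",
}

# O4 lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Service Manager] C:\WINDOWS\dxsound.exe
O4 - HKCU\..\Run: [] C:\Program Files\SpywareGuard\sgbhp.exe
O4 - Startup: config.ini
O4 - Startup: sgbhp.exe
"""


def exe_path(cmd: str) -> str:
    """Extract the executable path from a Run command line, dropping any arguments."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group("q") or m.group("u")


def triage_o4(log: str) -> dict[str, list[str]]:
    """Map each suspicious O4 line to the list of reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for line in log.splitlines():
        reasons: list[str] = []
        if m := O4_STARTUP_RE.match(line):
            ext = PureWindowsPath(m.group("file")).suffix.lower()
            if ext not in STARTUP_OK_EXT:
                # A data file in Startup does nothing by itself; something keeps rewriting it.
                reasons.append(f"non-executable '{ext}' file in Startup folder")
        elif m := O4_RUN_RE.match(line):
            path = PureWindowsPath(exe_path(m.group("cmd")))
            base = path.name.lower()
            if not m.group("name"):
                reasons.append("unnamed Run value")
            if base not in VETTED:
                reasons.append("not on vetted list")
                if str(path.parent).lower() in WINDOWS_DIRS:
                    # Legitimate products install under Program Files; droppers favour the OS directory.
                    reasons.append("lives directly in the Windows directory")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_o4(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

On the sample, the script flags exactly the entries the reply asked to have fixed (config.ini and the dxsound.exe Run value) and additionally asks for a look at the unnamed SpywareGuard Run value; the named, Program Files-based Symantec and PestPatrol entries pass because they are on the vetted list.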

#20 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 15 June 2004 - 02:03 PM

Latest Report:

First of all, just as I got to my infected computer to start the removal process that you had provided, I found that Norton Internet Security was in the process of blocking a DDoS attack from San Jose, California (I recorded the IP address).

I have downloaded and run Trojan Hunter (Trial), and it found one suspicious file that I have submitted for analysis (C:\WINDOWS\SYSTEM\runtimes.exe). I am now waiting to find out what the file was.

I have not had a chance to remove Virtumonde or savenow from this computer, but the online scan is now proceeding on my other computer (at the time of this post, it has not yet found anything).

I removed those three entries with HJT, and for once, config.ini did not reappear (neither did the others).

Now, I am just waiting to see if I experience any more trojan activity, I will post back here as soon as I have something to add. Thank You.

Latest HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 4:19:49 AM, on 2/9/01
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE
C:\MY DOCUMENTS\NEW FOLDER\PROGRAMS\ANTI-SPYWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.37.com/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_04.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rbigc81q.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab

By the way, what is this entry?

C:\WINDOWS\SYSTEM\mmtask.tsk

#21 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 15 June 2004 - 04:53 PM

This entry ...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.37.com/
Is related to CoolWeb. How to Remove CoolWebSearch with CoolWeb Shredder <= Please click on this link for instructions on how to download and use CoolWebSearch Shredder which will help remove a CWS infection on your computer. Make sure you close all programs and windows before running it and be sure to click on the "Fix" button. Even if you have already downloaded CWS, please make sure you are running v1.59.0.

C:\WINDOWS\SYSTEM\mmtask.tsk = Windows Multimedia Background Task Support Module that handles multimedia services. The software provides simulated multitasking for multimedia applications; for example, you could be playing more than one AVI movie at the same time. This task does not exist in Windows NT 4, 2000, or XP operating systems, which are true multitasking operating systems.

#22 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 16 June 2004 - 08:23 AM

www.37.com is the correct page for this computer, and was set manually by my brother over a year ago (ironically, when I had coolwebsearch a few months ago, it replaced this page with something else), not by coolwebsearch. If this page is related to coolwebsearch, is it dangerous (ex. downloads cws without permission), or is it just related (ex. used as replacement)? If it is not dangerous, it is going to stay, but if it is dangerous, I will see about replacing it.

By the way, the online scan finished on the other computer (the one without the trojan), but it found nothing at all. I'm beginning to think that the Virtumonde detection is a false positive (Pest Patrol has yielded false positives before, including detection of sites in my restricted zone). I will run it on the more seriously affected computer later.

I still have received no response concerning the trojan-related file that Trojan Hunter found.

#23 Chevyfan1

    Member

  • Full Member
  • 65 posts

Posted 16 June 2004 - 08:26 AM

I forgot to mention, I have had CoolWebShredder for over six months, and have run it almost daily lately in search of my problem (I also downloaded the latest version). It has found nothing since I first downloaded it, so I do not believe this computer is being affected by CoolWebSearch.

#24 PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 16 June 2004 - 10:05 AM

www.37.com is CWS related due to it propagating adware etc. I would strongly urge you to change it.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
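To make the HOSTS-file mechanism described above concrete, here is an added example (not code from the thread, from the MVPS project, or from any tool named in it). It parses a hosts file in the MVPS style and reports which names are sunk to the local machine. The sample file is constructed for the example; the `.test` domains are placeholders, and the 0.0.0.0 and 10.0.0.5 lines are there only to show the two other cases a parser meets.

```python
import ipaddress

# Constructed sample in the MVPS style; this is NOT the real MVPS HOSTS file.
SAMPLE_HOSTS = """\
# Constructed sample hosts file (placeholder .test names)
127.0.0.1       localhost
127.0.0.1       ads.example-adserver.test
127.0.0.1       tracker.example-counter.test   # trailing comment
0.0.0.0         banner.example-ads.test
10.0.0.5        intranet.example.test          # a real override, not a sinkhole
"""


def parse_hosts(text):
    """Return {hostname: address} for every name declared in a hosts file.

    Comments (#...) and blank lines are ignored; one address line may
    declare several names, and names are stored lower-cased because
    hostname lookups are case-insensitive.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            mapping[name.lower()] = address
    return mapping


def is_sinkholed(hostname, mapping):
    """True when the hosts file points hostname at the local machine.

    127.0.0.1 (loopback, as the MVPS file uses) and 0.0.0.0 (unspecified,
    used by some other block lists) both count as a sinkhole; any other
    address is an ordinary override and is not a block.
    """
    address = mapping.get(hostname.lower())
    if address is None:
        return False
    ip = ipaddress.ip_address(address)
    return ip.is_loopback or ip.is_unspecified


def sinkholed_names(mapping):
    """Every name the file blocks, leaving out the localhost entry itself."""
    return sorted(n for n in mapping
                  if n != "localhost" and is_sinkholed(n, mapping))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in sinkholed_names(hosts):
        print("blocked:", name)
    # Exact-match caveat: a hosts file only blocks the names it lists, so a
    # subdomain such as www.ads.example-adserver.test still resolves via DNS.
    print("www.ads.example-adserver.test blocked?",
          is_sinkholed("www.ads.example-adserver.test", hosts))
```

The last two lines show the limit worth knowing before relying on this: a hosts entry matches one exact name, so a site that serves ads from a new subdomain is not covered until the list is updated, which is why the MVPS file needs the same regular updating as the scanners listed above.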

#25 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 16 June 2004 - 03:07 PM

Thanks for the advice, but except for the google toolbar, I already have all of those programs (and a few more). Here is a list:

Ad-Aware 6.81,
Spybot S&D,
Pest Patrol (Demo),
X-Cleaner (Demo),
Camtech Spy-Sites,
System Security Suite,
Norton AntiVirus,
Norton Internet Security,
Kerio Personal Firewall 4,
Spyware Blaster,
Spyware Guard,
IE/Spyad,
HJT,
CoolWebShredder,
Trojan Hunter (Trial).
That's all I can think of right now - I might be forgetting one or two. I did download the MVP Hosts file, but for some reason, I never installed it (although I will now). Most of these programs are updated by me on a daily basis, although some usually have no updates available (such as Spybot).

I also erase my Internet files and Temp files (including index.dat files) on a daily basis - I use System Security Suite (S3) for that. My IE is also set to block 3rd party cookies, unsafe scripts, etc., and Norton Internet Security blocks pop-ups. Thanks for the advice anyway.

If there's anything else that you could think of, I would appreciate it. I'm still waiting to see if there's any more problems with the infected computer.

Thanks.

#26 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 16 June 2004 - 03:14 PM

All those programs - Looks very familiar ... Oh, wait a minute - That is almost identical to my own system :)

I wish more people were as diligent as you with the programs ...

Can we consider this particular problem resolved or are there any outstanding issues that I have overlooked?

#27 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 16 June 2004 - 03:49 PM

I'm still waiting to see, but nothing has happened yet today. The computer has not been on very long though, and most problems (slowdowns, access to Internet not initiated by any user, etc.) seem to occur after the computer has been on for at least a couple of hours. It still freezes when it is shut down or restarted, my firewall was recently still detecting some port scans (it has never detected any on my other computer), and I have falsely believed it to be free of malicious applications in the past, so I am still cautious right now. I will post back as soon as possible if I have anything else to report, but it may be clean.

Thank you for all your help so far.

Latest HJT log: (Computer that had/has Trojan):

Logfile of HijackThis v1.97.7
Scan saved at 6:05:06 AM, on 2/10/01
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\NEW FOLDER\PROGRAMS\ANTI-SPYWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.37.com/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_04.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rbigc81q.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Other Computer:

Logfile of HijackThis v1.97.7
Scan saved at 6:18:39 PM, on 6/16/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\PROFILES\TRUXTUN\DESKTOP\STORAGE FOLDER\FILES\PROGRAMS\ANTISPYWARE\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8136.4494328704
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Thanks again.

#28 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 16 June 2004 - 03:58 PM

Both logs are looking clean :)

It has been our pleasure to help you :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

#29 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 17 June 2004 - 06:39 PM

Opener at request of Chevyfan1.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#30 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 17 June 2004 - 07:02 PM

Unfortunately, my problem does not appear to be solved. When I check my IE history, I find that porn and sometimes gambling sites are being accessed somehow at times when no one (definitely) is near the computer at all. Also, the computer slows down to a crawl at times, and it freezes just about every time an attempt is made to restart it or shut it down. I am also experiencing random browser hijacks, although no attempt is made to make these changes permanent (ex, blocking access to Internet options). The Internet also stops working occasionally for no reason.

Right now I know that my situation is not too critical - I believe that a R.A.T. has been installed through a trojan downloader (which I have successfully removed earlier), and has only access to Internet Explorer. This might be a remnant of one of the following trojans - Deepthroat 3.1, Matrix 2.0, win-trin00, or Q. My firewall indicates that the controllers of these trojans (especially DT3.1 and wt00) have attempted to gain control of my computer or execute a Ddos attack. I can confirm that I have had at least five trojans in the last eight months, and I believe one was Deepthroat 3.1 (others were unidentified). All were removed, but it could be possible that part of one remains (I guess - I don't really know). It could also be some file that is programmed to access sites to boost the apparent number of hits, but I think it is a trojan. As I mentioned earlier, Norton caught an attempt to hack into my computer and blocked it, so this supports my belief.

I know that the team here is trying to help out, and I hope I don't sound impatient or anything - I'm just tired of having a problem that I have no idea at all how to solve. I've tried every program suggested and nothing works. Any further help would be greatly appreciated.

Thank You for everything so far.

PS - Would replacing my HOSTS file with the one provided by MVP help in this case?

and...

These files look extremely suspicious to me so I will post them:

hosts.bak0, CONFDENT.CPE, Active Setup Log.BAK, aw.pwd, brndlog.bak and WINPOPUP.EXE. I just deleted hh.dat and hh.exe because Pest Patrol's glossary indicated that they are trojan related.

#31 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 17 June 2004 - 07:44 PM

I'm sorry, I forgot to mention that I also cannot update Windows anymore - I get the following error (0x800C0008). This has just started recently. I have e-mailed Microsoft, but have not received a response. Just thought this might be useful. Thanks.

#32 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 17 June 2004 - 08:46 PM

?? I was left under the impression that you had followed all steps that I suggested, one of them being to use the MVPS Hosts file. There was a reason for the suggestion. Can you please follow the suggestions offered and if you could, please post a new HijackThis log into this post so I can see what might be on your computer.

#33 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 17 June 2004 - 09:36 PM

Seems to be a little confusion here with that particular post - I have already replaced the Hosts file as you recommended, but that was after I last experienced any problems (shortly before I last posted). I replaced it immediately on one computer, but thought I had already done so on this one (when I checked, the one in Windows was bigger so I realized I was wrong and replaced it then). I apologize for not wording that more clearly - I appreciate every suggestion provided here and make sure to implement every one of them. You have enough to worry about without people ignoring your instructions.

Anyway, my Internet stopped working about ten minutes ago, and the computer froze when I restarted it. I guess the new HOSTS file did not solve the problem itself, but there has been no unauthorized access to the Internet since. I am not experiencing any problems on my other computer, so we can forget about that one to lessen the confusion.

My HJT log has not changed. I should have posted it anyway, or at least commented on the lack of change. I'll make sure to post it from now on.

Here is a new one:

Logfile of HijackThis v1.97.7
Scan saved at 11:54:04 AM, on 2/11/01
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\NEW FOLDER\PROGRAMS\ANTI-SPYWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.37.com/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_04.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rbigc81q.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

In my time zone, it is getting late, so I have to shut down the computer soon. I won't be back until tomorrow, so you can help somebody who is in a more immediate predicament than I am right now. I don't know if this thing can be cleaned since it can't be found, but if it can't, I still appreciate the attempt.

Thank you very much for all your help and advice, and be assured that I have not and do not plan to skip any advice provided. (maybe I should start using smilies, because I kind of sound impatient and angry and I'm not impatient or angry at all).

(By the way, if my posts are too long and rambling, please don't hesitate to tell me to shorten them).

I'll check back tomorrow.

#34 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 17 June 2004 - 11:34 PM

Very strange - Nothing showing in the logs.

hosts.bak0 <= Delete
CONFDENT.CPE <= Do not delete, part of Windows 98.
Active Setup Log.BAK <= Delete
aw.pwd <= Delete
brndlog.bak <= Do not delete, part of Windows 98.
WINPOPUP.EXE <= Do not delete, part of Windows 98.
hh.dat & hh.exe <= Deleting these will give you problems with IE as they are the help files and hh.dat is your favorites info.

At this point I would suggest re-installing IE as there may be some corruption there.

Please go to Microsoft Windows Update and download all critical updates for your system. This is imperative.

#35 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 18 June 2004 - 08:21 AM

When I try to update Windows, I get an error every time - (0x800C0008). I've sent a message to Microsoft about it, but have received no response yet.

You're probably right about Windows being completely corrupted - When I removed Deepthroat 3.1 (I think it was DT, I've had so many trojans I'm not sure), I found that it had corrupted System Tray somehow (adding a line of code or something) and it has never worked right since.

On a positive note, PandaScan, which has been scanning all this time (either it is very slow or there are a lot of files on that computer's hard drives or both), has found and disinfected one file - I won't know what until the scan is finished (the day after tomorrow probably).

If my system is infected beyond hope, then it is probably a waste of time to try to repair it when there are so many other people in need of help. However, if there is any reasonable hope for this thing, or if fixing it may provide future help to others, then maybe we should continue. It's up to you to decide.

Soon, I will post some more suspicious files, if that will help.

In case you decide to close this thread now, I just want to say thanks to everyone who has tried to help out here.

#36 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 18 June 2004 - 08:43 AM

Here are some files I do not trust, although most are probably harmless. All are located under C:\WINDOWS.

FYI.CPE
flg (file)
flg_temp (file)
LMHOSTS.SAM
jiaompg.ini
MICKEY32.DLL
mozver.dat
NAVWNT.MIF
NETDET.INI
NETH.MSG
ssitid.dat
tmpdelis.bat
ZGUICFGW.DAT
ZSNESW.CFG
vminst.log
SERVICES (file)
dict.dat
ARP.EXE
{3A6BB787-F0E2-11D4-B21D-004063C302A6}.dat
Default.sf0
Default.sfc
DefaultStore_59R.bin
dlinfo_0.drv
filspt20.ini

I have deleted the three you told me to delete.

#37 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 18 June 2004 - 09:21 AM

For your error:
Microsoft KB 830066
or ...
Microsoft KB 326253
Either of those should resolve the issue.

#38 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 18 June 2004 - 01:42 PM

I finally have some good news to report!

First of all, one of the solutions you gave me for my Windows update problem worked, and I was able to install all critical updates (there were only two available) as well as some others.

Second, Panda Software's online scanner finally finished its scan, and found and deleted three different trojans. One downloaded pornographic content, and the others were similar to R.A.T.s.

Here is the log from the scan results:

Incident Status Location

Virus:Trj/Gric.B Disinfected C:\WINDOWS\dxsound.exe
Virus:Trj/Runet.A Disinfected C:\mssys.com
Virus:Trj/Startpage.D Disinfected C:\svchost.exe

(thought I'd deleted dxsound but I guess not.)

Just in case there is still something on my system (these trojans have evaded many detection attempts), I would still like for someone to check those files I listed (svchost.exe is already gone), and if you can provide a link for another online scanner, that would be greatly appreciated as well (different programs have different databases and I would like to do another check for more trojans). I would appreciate it if you could wait for a while before closing this thread in case there is something else, too.

I may post a few more files later, if that would be useful and appropriate.

I don't think my HJT log has changed but here it is anyway:

Logfile of HijackThis v1.97.7
Scan saved at 4:08:37 AM, on 2/12/01
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\NEW FOLDER\PROGRAMS\ANTI-SPYWARE\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.37.com/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_04.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rbigc81q.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Thank You Very Much for everything.

#39 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 18 June 2004 - 01:49 PM

I hope you did not delete c:\windows\system32\svchost.exe?? If you did, YOU MUST restore it ASAP as your system will crash - It is a vital system file. If svchost.exe was in any other location - No problem to delete.
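The point in the post above, that the same file name means something very different in the system directory and at the root of C:, is the kind of check a helper makes on every scan log. Here is an added example (not code from the thread or from Panda, HijackThis or any other tool named in it) that parses the three result lines from the Panda log posted earlier plus one constructed "safe" line, and flags paths that borrow a Windows system binary's name outside the directory where that binary belongs. The list of binaries and their expected directories is an assumption made for the example, not something the thread states.

```python
import ntpath
import re

# The three Disinfected lines are copied from the Panda log posted earlier in
# the thread. The final line is constructed to show the benign case.
SAMPLE_SCAN_LOG = r"""
Incident Status Location

Virus:Trj/Gric.B Disinfected C:\WINDOWS\dxsound.exe
Virus:Trj/Runet.A Disinfected C:\mssys.com
Virus:Trj/Startpage.D Disinfected C:\svchost.exe
Constructed:Example Not-disinfected C:\WINDOWS\SYSTEM32\svchost.exe
"""

# Assumption for this example: names Windows itself uses, and the directories
# where the genuine file is expected (SYSTEM on Win9x, SYSTEM32 on NT-based
# Windows, EXPLORER.EXE in the Windows directory).
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system", r"c:\windows\system32"},
    "kernel32.dll": {r"c:\windows\system", r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# incident, status, then a Windows path (drive letter, colon, backslash).
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z]:\\.*?)\s*$")


def parse_scan_log(text):
    """Return (incident, status, path) for every line that carries a Windows path.

    The 'Incident Status Location' header and blank lines fail the regex and
    are skipped.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def classify_path(path):
    """Classify a reported path by its file name and directory.

    'system-binary-in-place'   : a known system name in its expected directory
    'system-binary-masquerade' : a known system name anywhere else
    'other'                    : a name not in EXPECTED_DIRS
    ntpath handles backslash paths on any host OS.
    """
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    if name not in EXPECTED_DIRS:
        return "other"
    if directory in EXPECTED_DIRS[name]:
        return "system-binary-in-place"
    return "system-binary-masquerade"


def masquerading_paths(text):
    """Paths in a scan log that use a system binary's name outside its home."""
    return [path for _, _, path in parse_scan_log(text)
            if classify_path(path) == "system-binary-masquerade"]


if __name__ == "__main__":
    for incident, status, path in parse_scan_log(SAMPLE_SCAN_LOG):
        print(f"{classify_path(path):26} {status:16} {path}  ({incident})")
    print("masquerades:", masquerading_paths(SAMPLE_SCAN_LOG))
```

Run as-is, the script reports `C:\svchost.exe` as the one masquerade and leaves the SYSTEM32 copy alone, which is exactly the distinction the warning above draws: the location, not the name, decides whether a file is safe to remove.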

#40 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 18 June 2004 - 01:55 PM

Don't worry, I didn't delete anything at all manually - the scanner found a file of that name under C drive (not in any directory and certainly not in the system32 directory) and "disinfected" it which I take to mean deleted. I decided not to delete anything manually without professional guidance first. Thanks for the prompt warning though.

#41 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 18 June 2004 - 02:39 PM

Whew :) I was worried about that for a moment ... If you ever want to check files etc to see what they do ... Answersthatwork is a good site.

#42 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 18 June 2004 - 09:29 PM

Using AnswersThatWork and Pest Patrol's Website, I was able to determine that two of the files were malicious:

ARP.EXE - Related to two trojans which I don't believe are on my system.
dict.dat - CWS related - CWS is not currently on my system but it has been there previously.

There was no information available for any of the other files I listed.

I thought it would be best to post my findings here before I delete anything (remember I deleted hh.dat and hh.exe thinking it was safe to do so).

Is there another file identification site you can recommend, or could you identify a few of the files I posted in that list? If that list is too long, I can post the worst looking one here:

LMHOSTS.SAM
jiaompg.ini
MICKEY32.DLL
SERVICES (file)
{3A6BB787-F0E2-11D4-B21D-004063C302A6}.dat
Default.sf0
Default.sfc

Except for the possibility of leftover files, or possibly a hidden undetected trojan, it now looks as if my computer is finally clean. There are a few more files I would like to identify, and I would like to run a different online scan (could you recommend another good one?), but I am not observing any problems right now.

My HJT log hasn't changed since the last one.

Thanks for getting me through this confusing mess.

PS - Could you leave this thread open for another day or so in case I find something else. (Just in case).

#43 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 20 June 2004 - 10:35 AM

Bad news again - trojan activity has returned. This computer has been too badly compromised to waste any more of your time fixing, so I am going to take your advice to reformat it. If I had known how badly it was infected, it would have been reformatted in the first place. If you want to work with me to find more info to help others in future cases, I would be happy to continue for another short time for that reason.

For the information of others who cannot find the parasite on their system, here is a list of trojans which were either found on my system, or may have been on my system - and which evaded either NAV 2004, Trojan Hunter, or both:

Deepthroat 3.1 (R.A.T)
Matrix 2.0 (R.A.T.)
Q (Ddos?)
win-trin00 (Ddos)
Gric.B (R.A.T.)
Runet.A (Downloads pornographic content)
Startpage.D (R.A.T.)
Win32.Banker.J (unknown type)
TrojanSpy.Win32.VB.u (R.A.T.)
TrojanSpy.Win32.VB (R.A.T.)

The files ARP.EXE and dict.dat have also been indicated to be trojan or CWS related.

There have been at least another seven of these things on my system in the past, but I don't remember their names (some were unidentified anyway). There was also a trojan downloader from C2.lop which I removed (it evaded both AdAware and Spybot).

An infection this bad will likely not occur again with me, because of the layered protection I now have (the infection probably occurred before most of it was installed), but that won't help me with my current situation. To use a cliche, I've shut the barn door after the horse has escaped, (or in this case, after the trojan horse has gotten in).

Thanks for everything that has been done for me here - I really do appreciate it. I know that it's not your fault this can't be fixed, I should have had more protection in the first place. At least now I know how to prevent a re-infection, although if there's any last precautions you can recommend, I would find those useful too.

PS - Adaware, after the MVP HOSTS file was installed and after it was last updated, found 72 hosts files from RBase01.ath and also Win32.Banker.J (as a hosts file too). Just wondering, are these false positives?

#44 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 20 June 2004 - 10:59 AM

Just thought I'd add this - I ran AdAware on my other computer, which is experiencing no problems, and it too found 73 items. They were all the same as on the other system, except there was a different trojan in the list (although it had the same web address). I guess these were just false positives.

#45 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 20 June 2004 - 11:00 AM

I have never suggested formatting - That is a definite last ditch effort. Are you running any firewall software?

#46 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 20 June 2004 - 12:19 PM

Yes, I am currently running Kerio Personal Firewall 4, and Norton Internet Security, but both were only installed during the last couple of months. Prior to that, my computer was left running almost continually with no shield against attackers. I just never thought to download a firewall - even now, my trial period for KP4 is almost up.

As for reformating, you did state:

"At this point I would suggest re-installing IE as there may be some corruption there".

I just realized now that you didn't mean to reformat the whole computer. What kind of corruption did you mean? (Maybe Windows has been corrupted too?).

I now may reformat anyway, because I would like to upgrade to XP (98se is becoming obsolete), and I am experiencing too many problems anyway - P2P [Kazaa lite, BearShare] networks won't work, Internet shuts down, computer freezes - especially during shut-downs and restarting, deleted help files (thanks to me), scores of unknown and possibly malicious files under Windows, remnants of uninstalled programs, remnants of spyware programs, one trojan after another, unauthorized access to the Internet (mainly to porn and gambling sites) at regular intervals when no one is near the computer, Spyware Guard often shuts down with an error (especially when the computer freezes), probable deleted files from Windows (Trojans got some, like System tray, I might have deleted the others), and occasional failure of firewall protection (ex - if I disable access to IE, the changes are reversed during the night - and I'm the only one who knows how to use the firewall so it's probably a trojan or something similar). Just reinstalling the Internet may not be enough, as malicious files seem to regenerate regularly and would probably re-infect IE very quickly. This computer is used for online banking purposes, and I do not want to take chances.

Absolutely none of these problems are affecting my other computer, which I keep well organized and protected (layered protection was installed as soon as the Internet connection was made). The infected one is primarily used by my brother, who is not as careful or organized as I am, and it is only recently that I have been able to straighten it out a bit.

If you have any concerns about the P2P networks I mentioned, Kazaa Lite is a hacked version of Kazaa which contains no spyware, and Bearshare works without the two 3rd party items which come with it (I removed both 3rd party items and never upgrade to newer versions which come with more of the stuff). My brother would never agree to remove these P2P networks anyway, trojans or no trojans (I find them useful myself sometimes).

I should also mention that I am doing Distance Education courses for a University degree, and have limited time to work at this, since I have two tests and an assignment to work on. Reformatting would be more efficient, since I can have it done at my local computer store. I thought I would be able to find a repair solution a little more quickly - I underestimated those trojans.

Before I do anything, it would help to have a professional opinion here. I have tried between 10-20 different programs and nothing worked - unless I removed all problems and they returned somehow. I don't know what I could possibly do next except reformat (and upgrade while I'm at it).

I still cannot find any information on any of those other files anywhere. I'm going to delete ARP.EXE and dict.dat within the hour if they are not system files. Maybe that will stop the problem. I would also like to know if the following files should be deleted:

LMHOSTS.SAM
jiaompg.ini
MICKEY32.DLL
SERVICES (file)
{3A6BB787-F0E2-11D4-B21D-004063C302A6}.dat
Default.sf0
Default.sfc

AnswersThatWork and PP have no info on these.

I also listed a few more earlier, but these are the worst looking.

That's all for now. I still think that at this point reformatting is my best option, but thanks anyway. I will await a response.

#47 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 20 June 2004 - 02:52 PM

If you are thinking of going to XP - Do not upgrade. I have done many, many XP installs and the upgrades from 9x were a nightmare. If you truly want to go to XP - Reformat but only for that reason. Personally, and this is my personal opinion, I would not use any version of 9x on the internet - They are far, far too vulnerable and I do not like fighting them.

#48 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 20 June 2004 - 04:16 PM

Actually, until now, I didn't even know you could do an XP upgrade from 98se - I was planning to just wipe the drive and have a fresh install done. I will make sure to do that now.

I know that this would probably fit better under 'PC Troubleshooting', but I've got just one last thing to ask on this topic. You said that either 98 or 95 are too vulnerable for modern Internet use. Is XP a big improvement over previous OS's, and if I can't get XP, should I get 2000 installed? (That would be my only alternative to 98se, as I've heard nothing but complaints about Windows ME, and we can assume Windows 3.1 and 3.11 are out of the question).

I've now disconnected the infected computer from my router, and am using the 'clean' one for now.

Thanks again.

#49 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 20 June 2004 - 05:38 PM

I would not touch ME with a 100 foot pole - Worse than 98se. 2000 is okay but I just changed to XP and it is far more secure and stable. With XP SP2 due in a month, it will be even more secure than it already is.

#50 Chevyfan1

Chevyfan1

    Member

  • Full Member
  • Pip
  • 65 posts

Posted 21 June 2004 - 01:03 PM

Since I'm now definitely getting the computer reformatted, this probably doesn't matter, but here are some more files found by me under C:\WINDOWS. Maybe they will be of some use in fixing someone else's computer.

dxwinini.bak
PFP90JCM.{PB
PFP90JPR.{PB
PIDSET.EXE
READM_01.HTZ
READM_02.HTZ
PROTMAN.EXE
PROTMAN.DOS
ssb.opt
OEWABLog.txt
filspt20.ini

Again, most (if not all) of these files are probably system or legitimate program files. I probably won't research into this any further, since there is no point. I will check back until the computer is reformatted though, just in case you can think of some advice for future prevention. Thanks.



