chanchan
Posts: 2 Joined: 11/19/2005
Trojan/Virus - cannot clean system - 11/19/2005 14:27:11
I was infected with a trojan the other day and cannot seem to clean my system. I keep getting pop-up ads and IE crashing, regardless of whether I have IE open or not. The error message I receive when IE crashes is "Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience." Nothing about sending or viewing an error report. Here is what I've currently done/run: Ad-Aware, Spyware XoftSpy, Stopzilla, Ewido, Norton Antivirus. I ran these programs both in Safe Mode and normal mode. I've also unchecked "Enable third-party browser extensions" and made sure all Browser Helper Objects were safe. I then ran a registry cleaner. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:10:45 PM, on 11/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\STOPzilla!\szserver.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Spyware Software\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\VISION~2\ONETOU~2.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Software\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYWAR~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\Spyware Software\STOPzilla\SZIEBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~2\ONETOU~2.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\Spyware Software\STOPzilla\STOPzilla.exe /autostart
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - (no file)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - (no file)
O21 - SSODL: IEFFAIBE - {76730D16-14FB-4A11-73EE-4CA66A865803} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Spyware Software\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Spyware Software\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\szserver.exe

Any help would be GREATLY appreciated.
caz
Posts: 3468 Joined: 10/10/2001 From: Somewhere south of Chester, UK
RE: Trojan/Virus - cannot clean system - 11/19/2005 14:32:27
For help with HijackThis logs try http://castlecops.com/c3-Privacy.html, but be prepared for a wait.
_____________________________
Do not meddle in the affairs of cats, for they are subtle and will dance, or more on your keyboard. Cheshire cat. www.doracat.co.uk I remember when it took less than 4hrs to fly across the Atlantic.
chanchan
Posts: 2 Joined: 11/19/2005
RE: Trojan/Virus - cannot clean system - 11/19/2005 15:38:06
I do have System Restore on. I tried restoring to a couple of days before this happened, but it tells me it can't restore to that point because nothing has changed. Should I try an even earlier point?
Nightrider1962
Posts: 2 Joined: 1/1/2006
RE: Trojan/Virus - cannot clean system - 1/1/2006 8:32:03
I understand your dilemma well, and I look for answers everywhere; usually Google is my source, and it just depends on HOW you word it. Don't get technical and you will get more results.

#1. Have you gone to your Control Panel, clicked on Internet Options, and done *Delete all cookies*, Temporary Internet Files *Delete files*, and Clear History? "Helps to speed up the computer system also."

#2. Start menu / Accessories / System Tools / Disk Cleanup. *Almost every box there can be checked* (right-click each description to understand what each box is); clean out your old unused or un-needed temp files and delete them. "Helps to speed up the computer system also."

#3. Then reboot the system. This helps to purge/clean your system. Refreshed, scan as a "Complete System" scan. My first complete scan for a 30 gig hard drive took almost 2 1/2 hours, and check for other viruses. Using AVG Personal. "Usually if there's ONE there's more!"

*YOU will need Visual Basic 6 Runtime Libraries to run this program.* http://download.microsoft.com/download/vb60pro/Redist/sp5/WIN98ME/EN-US/vbrun60sp5.exe

HijackThis: A general homepage hijackers detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgeable folks (e.g. the forums) before deleting anything.

Currently at version: 1.99.1
-> Download from Merijn: http://www.Merijn.org
-> Download from Subratam: http://downloads.subratam.org/hijackthis.zip
-> Download from UniteTheCows: http://www.unitethecows.com/software/HijackThis.exe
-> Download from BleepingComputer: http://www.bleepingcomputer.com/files/Merijn/HijackThis.zip
-> Download from DKnoppix: http://www.dknoppix.com/cgi-bin/download.cgi?HijackThis
-> Download from SpywareInfo: http://www.spywareinfo.com/~merijn/files/hijackthis.zip
-> Download from CastleCops: http://castlecops.com/downloads-file-328.html
HijackThis direct download: http://216.180.233.162/~merijn/files/HijackThis.exe
Compatible with at least Windows 98, 98SE, ME, 2000, XP and newer.

HijackThis log tutorial
On the forums of frontpagewebmaster, a lot of people new to browser hijacking post topics asking for help analyzing logs from HijackThis, because they don't understand what stuff is good and what is bad. This is a basic guide as to what the log means, and some tips on reading it yourself. This should in no way replace asking for help in the fpwm forums, but help you somewhat in understanding the log yourself.

My source, I wish I could say, was myself, but I too am still learning. But I do give credit where credit is due. "My Source": http://www.spywareinfo.com/~merijn/htlogtutorial.html

Hope this helps. If I can help, I will!

How to reset your Restore cache (Restore Program). You can clear your Restore program to prevent any misdirections of returning to a previously saved time that was corrupted. Right-click My Computer and find System Properties; look for the System Restore tab and make sure that the box is CHECKED. *Reboot your computer.* Right-click My Computer again and find the System Restore tab again, and now un-check the box. You have just cleared the Restore cache, so from this point on your system will be up to date and you will be able to use your Restore if needed in the future. :) Enjoy
< Message edited by Nightrider1962 -- 1/1/2006 9:06:09 >
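As an added example (not part of any post in this thread, and not HijackThis's own code), here is a small Python triage pass over the kind of log chanchan posted above, in the spirit of the log tutorial Nightrider1962 links to. It parses the R*/O* lines and flags the entries a reviewer would check first: O21 SSODL entries that point at a file that no longer exists (the three "(no file)" lines in the posted log), O2 BHOs registered without a name, O4 Run entries whose command is a bare file name rather than an absolute path, and O23 services with no owner in their version info. The sample lines are copied from the posted log; the heuristics and flag names are my own assumptions, and a flag means "verify", not "malicious": the same checks fire on vendor-installed helpers as on anything else, which is exactly why the tutorial says to ask before deleting.

```python
"""Triage helper for HijackThis 1.99.x logs (added example, not HijackThis code).

Parses the R*/O* lines of a log into (section, body) records and applies a
few reviewer heuristics. A flag means "look at this entry first", never
"this is malware"; flag names and rules are the author's assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: a subset of the log lines posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYWAR~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - (no file)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - (no file)
O21 - SSODL: IEFFAIBE - {76730D16-14FB-4A11-73EE-4CA66A865803} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Every HijackThis finding starts "<section> - ", e.g. "O21 - SSODL: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# O4 Run-key body: "HKLM\..\Run: [name] command line"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# A command that starts with an (optionally quoted) drive letter is absolute.
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse(log_text):
    """Return the R*/O* entries of a log; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def triage(entries):
    """Attach reviewer flags in place and return only the entries that got one."""
    for e in entries:
        if e.section == "O21" and e.body.endswith("(no file)"):
            # ShellServiceObjectDelayLoad CLSID whose DLL is gone: a leftover
            # registration that nothing still installed should need.
            e.flags.append("orphan-ssodl")
        elif e.section == "O2" and e.body.startswith("BHO: (no name)"):
            # Browser Helper Object registered without a description string;
            # identify the DLL before trusting it.
            e.flags.append("unnamed-bho")
        elif e.section == "O4":
            m = RUN_RE.match(e.body)
            if m and not ABS_PATH_RE.match(m["cmd"]):
                # Bare file name resolved through the search path rather than
                # an absolute path: verify which binary actually runs.
                e.flags.append("relative-run-cmd")
        elif e.section == "O23" and " - Unknown owner - " in e.body:
            # Service binary with no company name in its version resource.
            e.flags.append("unknown-service-owner")
    return [e for e in entries if e.flags]


def flag_counts(log_text):
    """Histogram of flags for a whole log, e.g. {'orphan-ssodl': 3, ...}."""
    return dict(Counter(f for e in triage(parse(log_text)) for f in e.flags))


if __name__ == "__main__":
    for e in triage(parse(SAMPLE_LOG)):
        print(f"{e.section:<4} {','.join(e.flags):<22} {e.body}")
    print(flag_counts(SAMPLE_LOG))
```

Run against the full posted log, the O21 rule picks out exactly the three "(no file)" SSODL lines; the O4 and O23 rules also fire on driver and licensing helpers that ship with software visible elsewhere in the same log, so the output is a reading order for a human, not a delete list.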
Giomanach
Posts: 6075 Joined: 11/19/2003 From: England
RE: Trojan/Virus - cannot clean system - 1/1/2006 9:03:11
The HijackThis report is fine, nothing wrong there. I would follow Taz's advice and turn off System Restore, let the files delete, reboot the system, scan again, and if all clear, turn System Restore back on. I don't use System Restore either, mainly because I need the hard drive space it uses, and I find it's the perfect hidey-hole for viruses; standard virus scanners/spyware programs can't remove the problem due to Windows lockdown permissions on the files. :)
Aleksandr_8
Posts: 11 Joined: 12/16/2005
RE: Trojan/Virus - cannot clean system - 1/3/2006 7:58:47
Try to uninstall IE and then install it again. Use some good cleaning program; maybe the problem is in cookies. I like Track Eraser Pro, which cleans everything in IE: cookies, history, cache, etc. And some advice: don't use those bad sites you have checked often before. :)
BobbyDouglas
Posts: 5432 Joined: 5/15/2003 From: Arizona
RE: Trojan/Virus - cannot clean system - 1/3/2006 16:15:10
Try everything else suggested here before you decide to reinstall IE (something I think would end up causing quite a few problems).
_____________________________
Arizona Web Design - Mr Bobs Web Design in Arizona The Arizona Web Hosting Challenge
Electric_Cowboy
Posts: 8 Joined: 1/7/2006
RE: Trojan/Virus - cannot clean system - 1/7/2006 19:37:37
If you still have your Windows XP install disk you can run the Recovery Console to repair your operating system. Just reinstall over your existing installation without changing the file system; you will also need your CD key, although it should not ask to be reactivated. It's also not a bad idea to run 'fixmbr' and 'fixboot' from the Recovery Console before you use it to repair.
rafael_bancer
Posts: 1 Joined: 1/25/2006
RE: Trojan/Virus - cannot clean system - 1/25/2006 9:43:08
Honestly... System Restore is a memory hog. I suggest using Acronis True Image 9; you can back up while running Windows, unlike crappy Norton Ghost... yuck... the chance of data loss is less than that of Norton. Now, as to unwanted programs infiltrating yer Winblows... have you thought of maybe using a Linux-based OS with X server? Hmm... just a thought :)
jcm001
Posts: 105 From: Charlotte, NC, USA
RE: Trojan/Virus - cannot clean system - 1/26/2006 14:09:25
I recently had my PC hijacked to a search engine after taking a blog walkabout. I used HijackThis and also this Germany-based site to interpret the log file: http://www.hijackthis.de/ I found it very helpful. The problem seems to be fixed.
Texjd
Posts: 123 From: Houston, Texas
RE: Trojan/Virus - cannot clean system - 2/2/2006 10:48:40
I do local computer repair and support. I can tell you that 90% of service calls are now security related. It's probably the number one issue today with computer problems. If you want to read one of my articles I just published on how to help keep you out of trouble and protect your data go here: http://www.jdwebworks.com/computersecurity.htm It will give the basics and explain ways to keep your computer and data secure.