Virus, Spyware...something. Help!
pagoda
Suspended due to non-functional email address
22. March 2006 @ 00:25
I have Windows XP and a firewall, but I suspect something somewhere is corrupt. The whole system is running slow and I know that's a bad sign. I was looking at some of these posts where people put all kinds of information on their running processes etc. I don't know how to do that, but when I pull up the task manager I see about a dozen "svchost.exe" programs running, which I'm told is not good. But what's to do? I'm wary of downloading programs because they're all spyware too, right? Well, maybe not, but what's the most basic plan of action here?
mawdrgn
Member
22. March 2006 @ 03:08
Well you can always download HijackThis.
We'll see what your computer is up to, get the program here:
http://koti.mbnet.fi/pattaya1/HijackThis.exe
Save it in its own folder in the root of the drive, for example:
C:\hjt\HijackThis.exe
Then start it up, click on Do A System Scan And Save Logfile, then in a minute you should see the log pop up in Notepad. Copy the text in its entirety, and post it as a message in this topic, like you have seen in the other topics.
As long as you don't go messing with the program any more than we ask you to, it's perfectly safe.
pagoda
Suspended due to non-functional email address
22. March 2006 @ 21:07
Hey thanks. Here's the readout:
Logfile of HijackThis v1.99.1
Scan saved at 11:02:54 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\kmw_run.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\root\Spyware Doctor\sdhelp.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://w...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://w...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\iPod\bin\root\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\iPod\bin\root\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: IEHlprObjClass - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Kensington\MouseWorks\IE_SPY.DLL (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\iPod\bin\root\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{560A5289-6EBD-44BB-8C37-88EB2DD3D2D6}: NameServer = 85.255.114.66,85.255.112.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{80AE0E36-3C71-4EF6-8A6E-6E3BA6E0BC91}: NameServer = 85.255.114.66,85.255.112.130
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\iPod\bin\root\Spyware Doctor\sdhelp.exe
Diagnosis? Prognosis?
mawdrgn
Member
22. March 2006 @ 23:50
Okay, first of all, put Hijack This in its own folder called hjt (for example) in the C: drive, so it'll look like this:
C:\hjt\HijackThis.exe
You have some adware there, and a trojan too!
Start up Hijack This, checkmark the following entries and after doing it to these:
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
See if you can find this in the Add/Remove Program-portion of Control Panel:
Instafinder
If you can, remove it.
And remove the following bolded files/directories:
c:\windows\temp\adware
C:\WINDOWS\system32\hgqhp.exe <== Do NOT for god's sakes remove the system32 folder! Only the hgqhp.exe-file.
After doing this, reboot and post a new Hijack This log so we'll see if it's all right.
And I'll have to ask you about those O17s, are you located in Belarus?
This message has been edited since posting. Last time this message was edited on 22. March 2006 @ 23:51
-kemisti-
AfterDawn Addict
23. March 2006 @ 21:46
@mawdrgn: No, he's not in Belarus, but he has a WareOut infection :)
@pagoda:
Uninstall via add/remove programs (control panel):
InstaFinder
Download fixwareout -> http://downloads.subratam.org/Fixwareout.exe Save on desktop and double-click it. Follow instructions, reboot when asked
HjT opens
Fix then these lines (do a system scan only, checkmark these and press fix checked):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://w...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://w...
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\system32\hgqhp.exe
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{560A5289-6EBD-44BB-8C37-88EB2DD3D2D6}: NameServer = 85.255.114.66,85.255.112.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{80AE0E36-3C71-4EF6-8A6E-6E3BA6E0BC91}: NameServer = 85.255.114.66,85.255.112.130
Delete if found:
c:\windows\temp\adware
C:\WINDOWS\system32\hgqhp.exe
kmw_run.exe (use Find-function)
C:\PROGRA~1\INSTAF~1
Post a fresh HjT log and contents of C:\fixwareout\report.txt
This message has been edited since posting. Last time this message was edited on 23. March 2006 @ 22:59
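As an added illustration of the triage mawdrgn and -kemisti- do by hand above (this is example code, not anything posted in the thread or shipped with HijackThis): a small Python script that reads HijackThis-format lines and flags O4 autorun entries that point into a temp directory or are given as a bare filename, plus O17 NameServer entries that are not on an admin-supplied list of expected resolvers. The sample log lines and the trusted-resolver set are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample in HijackThis 1.99 log format, modelled on the thread's entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Trickler] "c:\windows\temp\adware\fsg_4203.exe"
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{560A5289-6EBD-44BB-8C37-88EB2DD3D2D6}: NameServer = 85.255.114.66,85.255.112.130
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Resolvers this machine is expected to use (assumption: filled in from the
# router/ISP; any other NameServer in an O17 line is treated as a possible hijack).
TRUSTED_RESOLVERS: Set[str] = {"192.168.1.1"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")

def exe_path(cmd: str) -> str:
    # Executable part of an O4 command line: the quoted string, else the first token.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]

def o4_reasons(line: str) -> List[str]:
    m = O4_RE.match(line)
    if not m:
        return []
    low = exe_path(m.group("cmd")).lower()
    reasons = []
    if "\\" not in low:
        reasons.append("bare filename with no directory (resolved via PATH search)")
    if "\\temp\\" in low:
        reasons.append("autorun entry points into a temp directory")
    return reasons

def o17_reasons(line: str, trusted: Set[str] = TRUSTED_RESOLVERS) -> List[str]:
    m = O17_RE.match(line)
    servers = m.group("servers").split(",") if m else []
    return [f"NameServer {s} is not a trusted resolver" for s in servers if s not in trusted]

def triage(log_text: str, trusted: Set[str] = TRUSTED_RESOLVERS) -> Dict[str, List[str]]:
    # Map each flagged HijackThis line to the reasons it was flagged.
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        reasons = o4_reasons(line) + o17_reasons(line, trusted)
        if reasons:
            findings[line] = reasons
    return findings
```

Path heuristics like these catch the temp-directory and bare-filename cases but not a randomly named file dropped into system32 such as hgqhp.exe, which still needs a human (or a signature-based scanner) to judge.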