Need help, big virus problem. Taking over computer!
andy2000 (19. June 2006 @ 02:40):
The past few days I've been surfing the net a lot more. I must have travelled along some bad sites, because there's spyware all over my computer and it's taking over.
It's been hijacking my web settings, e.g. changing my homepage, changing other settings such as "Never dial up connection", etc.
There's an item in the taskbar that is making my computer run extra slow, and there's no way I can get rid of it. I tried right-clicking the item first up. No luck. Task Manager won't close it; I used Easy Cleaner to stop it from starting up, but it changed the settings so I couldn't remove it, etc.
The item is a STOP sign that periodically changes to a question mark. It displays a message that "I'm infected" and opens a page to http://www.topsecuritysite.net/
Although it poses as something trying to help me, I'm sure it's the source of all this.
I'm running ZoneAlarm Security Suite, CounterSpy and ewido anti-malware, and they don't identify it as a threat.
Here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:39:08 PM, on 6/19/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\dcomcfg.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\TOSHIBA\gigabeat room 3.0\TosGbWatcher.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.optusnet.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\System32\hp100.tmp
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\gebcyab.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TosGbWatcher] "C:\Program Files\TOSHIBA\gigabeat room 3.0\TosGbWatcher.exe"
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.optusnet.com.au
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/cl...
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD1A1914-4464-4676-A665-B5B0F63FAB3A}: NameServer = 203.2.75.132 198.142.0.51
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: gebcyab - C:\WINDOWS\SYSTEM32\gebcyab.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: winlxu32 - winlxu32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Thanks!
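The log above is the kind of thing a reviewer reads by hand: which BHOs have no product name or load from odd files, which Winlogon Notify DLLs also show up as BHOs, which ActiveX controls were downloaded from outside the usual vendor hosts. The script below is an added example for this thread, not part of HijackThis or of any post here. It parses the O2/O16/O20 entry lines and applies those three checks. The sample log is constructed from the entries posted above; the allowlist of hosts from which a .cab download is treated as expected, and the placeholder BHO names treated as "unnamed", are assumptions of this example.

```python
"""Heuristic triage of HijackThis 1.99 log entries (added example)."""
import re
from urllib.parse import urlsplit

# "O2 - BHO: ..." / "R1 - HKLM..." -> (kind, body); header and process-list lines do not match.
ENTRY_RE = re.compile(r"^(R\d|O\d+)\s*-\s*(.+)$")
BHO_RE = re.compile(r"^BHO:\s*(.*?)\s*-\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s*(\S+)\s*-\s*(.+?)(\s*\(file missing\))?$")
DPF_RE = re.compile(r"^DPF:\s*(\{[0-9A-Fa-f-]+\})\s*(?:\(([^)]*)\))?\s*-\s*(\S+)$")

# Assumption: .cab downloads from these domains (and their subdomains) are expected.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "symantec.com")
# Assumption: names HijackThis shows for a BHO that registered no product name.
UNNAMED_BHO = ("", "(no name)", "Nothing")

# Constructed sample: a subset of the O2/O16/O20 lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\System32\hp100.tmp
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\gebcyab.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: gebcyab - C:\WINDOWS\SYSTEM32\gebcyab.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: winlxu32 - winlxu32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""


def parse_entries(log_text):
    """Return [(kind, body), ...] for every HijackThis item line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def dll_stem(path):
    """Lower-case file name without extension, e.g. ...\\gebcyab.dll -> gebcyab."""
    name = path.replace("/", "\\").split("\\")[-1].strip('"')
    return name.rsplit(".", 1)[0].lower()


def is_trusted_host(host):
    """True if host is one of the allowlisted domains or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Return findings as (severity, kind, path_or_url, reason) tuples."""
    entries = parse_entries(log_text)
    findings = []
    bho_stems = set()

    # Pass 1: browser helper objects (O2). Remember their DLL names for pass 2.
    for kind, body in entries:
        if kind != "O2":
            continue
        m = BHO_RE.match(body)
        if not m:
            continue
        name, _clsid, path = m.groups()
        bho_stems.add(dll_stem(path))
        if name in UNNAMED_BHO:
            findings.append(("high", kind, path, "BHO registered without a product name"))
        if path.lower().endswith(".tmp"):
            findings.append(("high", kind, path, "BHO loaded from a .tmp file"))

    # Pass 2: Winlogon Notify hooks (O20) and ActiveX downloads (O16).
    for kind, body in entries:
        if kind == "O20":
            m = NOTIFY_RE.match(body)
            if not m:
                continue
            _name, path, missing = m.groups()
            if missing:
                findings.append(("low", kind, path, "Winlogon Notify points at a missing file (orphan entry)"))
            elif dll_stem(path) in bho_stems:
                findings.append(("high", kind, path, "same DLL is both a BHO and a Winlogon Notify hook"))
        elif kind == "O16":
            m = DPF_RE.match(body)
            if not m:
                continue
            _clsid, _desc, url = m.groups()
            host = (urlsplit(url).hostname or "").lower()
            if not is_trusted_host(host):
                findings.append(("medium", kind, url, "ActiveX .cab from a host outside the allowlist"))
    return findings


if __name__ == "__main__":
    for severity, kind, target, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {kind}: {target}\n         {reason}")
```

Run against the sample it reports seven findings: the `.tmp` BHO twice (unnamed and loaded from a temp file), the unnamed `gebcyab.dll` BHO, that same DLL registered again as a Winlogon Notify hook, the `.cab` from `yazzle.net`, and two orphaned Notify entries whose files are gone. A hit is a reason to look closer, not proof of infection; an O20 pointing at a missing file is usually leftover cruft, while one DLL that is both a BHO and a Winlogon hook is the pattern to prioritise.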

Member (19. June 2006 @ 02:46):
Hey, PM spuge9, he is very good with HijackThis logs. He is Finnish but speaks very good English. Tell him I told you to contact him, and post back here to tell me if he could help.
Good luck
:D

Member (19. June 2006 @ 02:50):
I dunno, but I'm guessing it's one of these two processes:
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\System32\hp100.tmp
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\gebcyab.dll
Ask Spuge9

andy2000 (19. June 2006 @ 02:56):
Alright, will do. This thing's really scaring me because it seems it has access to everything on my computer; it's even changed some of my anti-spyware settings, so I'm staying off the net as much as possible.

Member (19. June 2006 @ 03:12):
Good idea. : )

AfterDawn Addict (19. June 2006 @ 03:45):
This message has been edited since posting. Last time this message was edited on 19. June 2006 @ 14:16

ddp, Moderator (19. June 2006 @ 14:18):
moved & ireland's post Ad-Aware se edited

Member (21. June 2006 @ 04:42):
Any luck andy2000?

Senior Member (21. June 2006 @ 05:06):
Hi all, especially you, CR3AT10N and andy2000 ;)
andy2000, please download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Unzip it (folder named SmitfraudFix) to your desktop.
Open the folder SmitfraudFix and double-click smitfraudfix.cmd.
Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist).
Post the contents of this text file here.
(Some antivirus programs recognise process.exe as malware. It is not malware; it is a program that stops processes.)
Send a fresh HijackThis log and rapport.txt.

andy2000 (24. June 2006 @ 20:27):
Too late.
I'm writing from my cousin's computer. The virus crashed my hard drive and now my computer's in for repairs. Oh well, I know exactly what caused it and I won't go to the site that did it again.

boxwrench (24. June 2006 @ 20:49):
andy2000,
Would you like to share the root of your problem with us? It could save someone else the aggravation you have suffered. It might even help one of the people who tried to help you!
Main System- Amd/64 3800x2 currently@ 2.5ghz. Asus A8N-E,win.xp-pro.4x1gb.Ocz platnium ddr 400,Maxtor 40gb.& 250gb.ide & 2x W.D.250 sata,Benq 1650V dvd Reader & Benq DW-1655 Writer,EVGA Geforce 7600gs,Creative Audigy-LS,Antec 750w psu. Vizio 37"hdtv monitor 1360x768@75hz.

Member (25. June 2006 @ 01:25):
That's unlucky andy2000. Hopefully it will be fixed up soon. =]

andy2000 (27. June 2006 @ 01:08):
Yup, it's all fixed up. Back on my computer now. The site that caused this problem was theserialz.com; my advice, don't ever go to it. EVER!
I was trying to get a serial number for Microsoft Word because I lost the one it came with. I think I should have just called customer service, haha.
OK, so thanks for your help, and remember, never go to that site, or any other serial site for that matter.

Member (27. June 2006 @ 07:57):
Thanks for the advice.

boxwrench (27. June 2006 @ 08:04):
Thanks for sharing that with us.

Senior Member (27. June 2006 @ 22:50):
Although your case is severe, I would not blame it on theserialz.com, for the fact that users send in the serials to the site. They choose what is in the files available for use. You must be more careful when trying to "crack" something. Next time, scan the file before you attempt to open it.
I use theserialz and others often, and I must say that over 70% of the files on those sites are infected, but I guess that's the price to pay to get something free.

andy2000 (27. June 2006 @ 23:04):
What do you mean by files? I didn't really download anything. I just displayed the serial on screen as text. How would I go about scanning before I looked at them?
Thanks

Senior Member (28. June 2006 @ 21:06):
About how long did it take to crash from the time you visited that site? I use it often, but the only problem I have with a text serial is tracking cookies. My antivirus always picks them out as soon as I receive them.

andy2000 (28. June 2006 @ 23:43):
Well, after I went to the site I noticed that icon I first mentioned. My spyware programs didn't detect it, and three days later my computer crashed.