Is somebody else inside my puter???

I have gotten very little feed back from my post's
Is this a place to ask for and recieve some guidance
I got a couple worms, trojan or what ever they are (pretty sure still in control of sys). And am in serious need of "guidance"!
Got my sys back up using the drive that went down and now!, can't get sound card or "nero" to work at all
creative site saying no dl or update for sb audigy or inspire 5300 5.1 to use with xp pro what the heck, it all worked a week ago
I am at a loss of idea's on where to look or ask.

"fukenfooser@hotmail.com"
"johnnyfoos@hotmail.com"
"johnnyfoos@as-if.com"

 

Hey,

Okay, let's tackle the security issues first.

I take it from another post that you used NAV but also some other AV? What was that and are they indicating a clean bill of health as far as they are concerned? Have you tried an online AV scanner such as Pandas?

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Can you please download and run DCS's AutostartViewer from

http://www.diamondcs.com.au/downloads/asviewer.zip

Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.


Also, can you please download DCS's OpenPorts program from

http://www.diamondcs.com.au/downloads/openports.zip

Unzip openports.exe in your Windows directory, and open up your Command Prompt and type;

openports > openports.txt

and then press the Enter key

Then type;

openports.txt

and press the Enter key again, and then copy the contents of the file in Notepad and paste it here for us to review

Also, I would strongly recommend that you download and install TDS3 from

http://tds.diamondcs.com.au/index.php?page=download

and before launching it, manually download the latest definitions database from the same page and put the file into the folder where you installed TDS

Thanks,

Dan

 

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Eros@DEADDRIVE, 10-07-2003
i:\windows\system32\autoexec.nt
I:\WINDOWS\system32\mscdexnt.exe
I:\WINDOWS\system32\redir.exe
I:\WINDOWS\system32\dosx.exe
i:\windows\system32\config.nt
I:\WINDOWS\system32\himem.sys
i:\windows\system.ini [drivers]
timer=timer.drv
i:\windows\system.ini [boot]\shell
I:\WINDOWS\Explorer.exe
i:\windows\system.ini [boot]\scrnsave.exe
i:\windows\webshots.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
I:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
i:\windows\webshots.scr
HKCR\vbsfile\shell\open\command\
I:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
I:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
I:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
I:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
I:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
I:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\New.net Startup
rundll32 I:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UpdReg
I:\WINDOWS\Updreg.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTStartup
I:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Jet Detection
I:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE I:\WINDOWS\System32\NvCpl.dll,NvStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
nwiz.exe /install
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck
I:\WINDOWS\system32\dumprep 0 -k
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
I:\WINDOWS\System32\NeroCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TDS3
G:\TDS3\TDS-3.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
RUNDLL32.EXE I:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemSafe
C:\un zipped\ssm\SysSafe.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\NvMediaCenter
RUNDLL32.EXE I:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
I:\WINDOWS\system32\SHELL32.dll
I:\WINDOWS\system32\SHELL32.dll
I:\WINDOWS\System32\webcheck.dll
I:\WINDOWS\System32\stobject.dll
I:\Documents and Settings\Eros\Start Menu\Programs\Startup\Webshots.lnk
I:\Program Files\Webshots\WebshotsTray.exe
I:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm.lnk
I:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
I:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
I:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
I:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
I:\WINDOWS\System32\dcsws2.dll
I:\WINDOWS\system32\mswsock.dll
I:\WINDOWS\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
I:\WINDOWS\INF\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
I:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
I:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
I:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection I:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection I:\WINDOWS\INF\wmp.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
I:\WINDOWS\system32\ie4uinit.exe
HKLM\System\CurrentControlSet\Services\AFD\
I:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\AudioSrv\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Browser\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\CryptSvc\
I:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dhcp\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\dmserver\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dnscache\
I:\WINDOWS\System32\svchost.exe -k NetworkService
HKLM\System\CurrentControlSet\Services\ERSvc\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Eventlog\
I:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\helpsvc\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanserver\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\LmHosts\
I:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\Messenger\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\NVSvc\
I:\WINDOWS\System32\nvsvc32.exe
HKLM\System\CurrentControlSet\Services\PfModNT\
\??\I:\WINDOWS\System32\PfModNT.sys
HKLM\System\CurrentControlSet\Services\PlugPlay\
I:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
I:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
I:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RemoteRegistry\
I:\WINDOWS\system32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\RpcSs\
I:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
I:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\Schedule\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\seclogon\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SENS\
I:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SharedAccess\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Spooler\
I:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\srservice\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Themes\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\TrkWks\
I:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\vsdatant\
\??\I:\WINDOWS\System32\vsdatant.sys
HKLM\System\CurrentControlSet\Services\vsmon\
I:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
HKLM\System\CurrentControlSet\Services\W32Time\
I:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WebClient\
I:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\winmgmt\
I:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\wuauserv\
I:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WZCSVC\
I:\WINDOWS\System32\svchost.exe -k netsvcs


[attachment deleted by admin]

 

The closest to a trojan I can find is NewDotNet.

Go to Add/Remove Software and look foor NewDotNet aka New.Net Domains and remove it from there.

Then download Spybot - Search & Destroy
After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

Or, download Ad-Aware at lavasoft.usa.com
After installing AAW, and before running the program, update by using the Globe icon.
Shut down and restart Ad-Aware.
Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
It will find a number of "bad" files and registry keys. Click 'Next' again.
Rightclick in that pane and choose "select all" and click 'next'.
It will ask you whether you'd like to remove all checked items. Click OK.
Finally, close Ad-Aware, and reboot.

Regards,

Pieter

 

If you still strongly suspect that you have an active trojan then it may be too far entrenched to scan it locally as normal. If you can scan it across the network this might catch something that might be being missed now, or alternatively, if you can take your suspect drive and install it as a secondary drive in a clean system and scan it from that this would be good as well.

You didn't post any Openports output, this might help pinpoint any suspect ongoing communications or something prepared to communicate with an outsider. As an alternative you might try downloading and installing the demo of Port Explorer from the makers of TDS. You can then leave this open while you are doing your normal routine at the PC and periodically look at the "Remote" tab to show which outside hosts your programs are talking with.

 

Thanks to all for the help!!!
Have allways used spybot and have it fix ALL it finds, All online scans come up clean,(trend, panda only that I know of also one trojan one.).
Openport got better of me,(couldn't figure out.)
Have used Port explorer didn't see anything weird.
Ad-aware not up to Spy-bot ability as far as I can tell so stopped using 6 m ago,(run Ad then Spy, stuff still there, run spy then AD stuff all gone).
Ran "Drive Fittness test" Error = "Failure code 0x72", tech result code 720000EE. That does tell me that its bad, right?
Anyway got a RMA from retailer to send back and will as soon as crash again. Up right now using as three different partitions, got it to install on one of them but keeps running out of room so have been moving stuff from that one to others on same HD.
Another question is, after intalling OS on "extra HD", can't get it to delete one file in "my doc" is in my pictures and say's not allowed to get in there? All other OS stuff was deleted and am wondering about that one
thanks again
"Your serve"

 

Hey

Regarding the drive diagnostic; each vendor will have their own different implementations and their own codes. If I remember right, Western Digital calls their diagnostic test "Drive Fitness Test" and a code of 00 means that no error was found and any other code means that there are issues But I am going from my dubious memory and I am not sure your drive is a Western Digital.

Regarding the file in the Picture folder. I am not sure I understand your issue. I think that you have a fresh load on another drive and you are booting off that drive and using your original as a second drive? If so, you can try a couple of things.

Try to take ownership (via folder properties) of the problem folder and see if it lets you delete it then. Yoou might also try booting up in Safe Mode and try to delete it from there.

 

OK 5th try to reply tonight, (can't include "DFT") It booted me a bunch b4 fig it out!
Not smart enough to be here!
The "Main" HD is IBM used "DFT" by Hitachi , as per some other forum or post, to much to remember.
Am up now with OS on "main"HD partitioned into 3 partitions, keeps running out of room, (had to install on 5G on of course) (wasn't looking was drinking), (drink to ease pain from "reformat" every 12 hours), 12 was about all it would stay up, untill try the mutli-partition thing don't know why try multi but do know working?
The "extra" HD is a max something or another, put in when "main" started to make extra sounds A couple months ago, (nice bro give handme downs 30G)(IBM=60G), had OS on "extra" for about 4 hours, to run tests on "main",reformat "main" got up (breifly), a bunch of times, reformat, reformat till start to drink, (to keep from hurting hand on tower), anyway after up on "main" tried to remove OS from "extra" (to save room, was using as a B\U storage place' working well untill forget to DO). learning X !
Can't get that one folder to delete? tried properties,shareing, ??not a clue ??
"extra" passed "DFT", while "main" failed everytime, with out S.M.A.R.T. (don't know what that is??) and with it enabled.
"extra" allways PASS.
Ran "trend micro" online @ work and one of them, ( the server of course), showed, two (2) "Java.NoCheat",s on and when looking for them I also found that norton is holding something from last march??
Will fix another day, Or just show them and let them handle it, lol, they think I know what I'm doing, lol, yea right, but have gotten them off a couple of W95's since start there. But thats a long story...
Issue is to send off HD or not. Sys seams clean All scans show clean. removed "new what ever was", from with Add\remove in control panel and do run "TDs 3" with a few others now .
Only other issue might be ZONE giving fits (was just booted to for a block to port 1900)
Hope to get more feed back from you people
Also messenger won't work msn or win! loved IM's to tell when get Email!

would put my quarters up for you!!! (Foosball)

 

Sorry, lol, but I am having trouble following your prose style

Regarding Port 1900, that is used for MSN Messenger and along with 1863 so if MSN Messenger is not working correctly you might want to make sure that those ports are allowed.

With regard to the folder thing, it may be different on yours (I use Win2k PRO) but it should be something like the following

Right-click on the folder; Properties -> Security -> Advanced -> Owner and then make sure that your account is highlighted there and place a checkmark on "Replace Owner on subcontainers and objects"

Hope this helps

 

Thanks Dan
No XP isn't the same
"main" HD Off today for warr.
"extra" IS now (c)

Will write back when "sh t" happens!

Thanks again

 

Same problem??
Even now with OS on same drive "extra", that the original file was started with. can't del or get into??
" Documents and Settings" "Karezza",(a name used on a try at reinstalling last week on the old bad drive, when trying to check it for errors by putting OS on "extra" HD and after same old [CRASH] put OS back on bad drive to find can't del all files from "extra" that had to do with OS),"My Documents", My Pictures".
Not letting me in or letting me delete it?? Am pretty sure its empty but can never tell if unable to look at?


Any Ideas out there OS is XP Pro.