HELP ME PLEASE

Discussion in 'malware problems & news' started by katie, Sep 16, 2003.

Thread Status:
Not open for further replies.
  1. katie

    katie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    12
    HELP ME PLEASE!!! I have a virus that is only affecting my AIM. When I put up an away message, it will change to something obscene after about 5 minutes. I will also get the sound like someone is messaging me just randomly when no one is talking to me. I also have been having obscene pictures just popping up on my computer right after my away message changes by itself. I have checked my computer for viruses and nothing is being caught, and I don't know how to fix the problem. Can you help me out at all? I don't know what to do. I have run HijackThis and my results should be below.
    ~katie
     
  2. katie

    katie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    12
    For whatever reason, my attachment didn't work last time, so here it goes one more time. My results of HijackThis are as follows:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\program files\altnet\points manager\points manager.exe
    C:\WINDOWS\System32\Microsoft.NET\msconfig.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
    C:\windows\system32\inetinfo.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Katie\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [msnager32] C:\windows\system32\host32.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [msc] C:\WINDOWS\System32\Microsoft.NET\msconfig.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
    O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=20032412
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.7395833333
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4292/mcfscan.cab
     
  3. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    Hi Katie. Whilst you are waiting for the experts who will be able to help you (they may be sleeping at this hour), you may wish to run another scan from an online source, i.e. http://www3.ca.com/virusinfo/virusscan.aspx
    There are others also, such as http://housecall.trendmicro.com/

    An anti-trojan scan from an online source such as http://www.trojanscan.com/ may be helpful for now.

    Do you have Spybot Search & Destroy or Ad-aware? That may help also.
    http://shinobiresources.com/downloads.htm#SpyBot

    Someone with good expertise will be along soon to look through your HijackThis log, I'm sure.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi katie,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [msnager32] C:\windows\system32\host32.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=20032412

    Add:
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
    if you didn't install the Weatherbug yourself.

    Reboot after doing so, preferably into safe mode
    and delete:
    C:\windows\system32\host32.exe
    c:\program files\altnet\points manager\

    Keep the host32.exe in your trashcan in case anyone wants a copy.
    Please send one to the e-mail address in my profile.

    I would advise you to uninstall KaZaa as well and consider a spyware-free alternative:
    http://www.spywareinfoforum.com/articles/p2p/

    Regards,

    Pieter
     
  5. katie

    katie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    12
    Thank you for replying so quickly. Unfortunately I can't take care of this matter until around 4 this afternoon because I'm a 3rd grade teacher and I have to go to work. But thank you for your help; I will do what you said later today and get those results to you.
    ~katie
     
  6. GlennO

    GlennO Registered Member

    Joined:
    Jul 29, 2003
    Posts:
    5
    Location:
    Ocean View, Hawaii
    Hi Katie,

    Is your anti-virus program up-to-date?

    If you haven't recently updated the database, it is possible that your anti-virus program can't "catch" the problem.

    If you go to the Wilders Security download page, you will find a number of different programs that might help you.

    I would suggest the following: AVG by Grisoft (an anti-virus program), Wilders' SpywareBlaster and SpywareGuard, Spybot Search and Destroy, ZoneAlarm firewall, and EndPopups.COM.

    Also, try going to the sites hosted by Trend Micro, McAfee, and/or Norton and use their online (free) virus testing programs.

    The problem you describe is difficult to cure because the cause isn't obvious. This is typical anytime a virus/worm/spy is encountered. Once the problem is cleared it is easy to look back upon it with 20/20 vision and say Aha!!!

    Be patient.

    If worst comes to worst and you can't clear it, try downloading a free-standing anti-virus program that can boot from a floppy disk, using another computer. Then run that on your machine.

    There are numerous other possible solutions, but hopefully one of those I've mentioned will accomplish the task at hand.

    Aloha from Hawaii,
    Glenn
     
  7. katie

    katie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    12
    I do have up-to-date antivirus software. I have AVG 6.0 and I also have Ad-aware 6.0. I have done the free virus scans from both McAfee and Norton and they aren't catching anything.
     
  8. katie

    katie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    12
    Alright, I fixed all the things you told me to with HijackThis, but how do I delete
    c:\program files\altnet\points manager\
    from my machine?
     
  9. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Katie,

    The easiest way to remove each of these is to go to the Start menu and select "Search" -> "For files or folders"

    and then in the search field put "host32.exe" (without quotes) and start the search. Once it is found (and it shows it in the path mentioned above), you can right-click on it in the results window and select Delete.

    Then do a similar search for "points manager".

    Please let me know if you are still unsure on this.

    Regards,

    Dan
     
  10. katie

    katie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    12
    OK, both of those files were deleted from my computer. I ran the two scans that were suggested and they both turned up with no results. Now what do I do? I also have the problem that when I hit Ctrl+Alt+Delete, it says 'Task Manager has been disabled by your administrator'... I'm so lost as to what else to do.
    ~Katie :(
     
  11. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Katie;

    Don't worry, some of these are just harder to catch. There are lots more tools in our belts :)

    Can you please rescan with HijackThis and repost a fresh log?

    Also, can you please download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

    Thanks!

    Dan
     
  12. katie

    katie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    12
    Thank you for helping, Dan! I really appreciate it. Here are the new results of HijackThis:
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\Microsoft.NET\msconfig.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\cmd.exe
    C:\Documents and Settings\Katie\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [msc] C:\WINDOWS\System32\Microsoft.NET\msconfig.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
    O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37879.7395833333
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4292/mcfscan.cab

    and here are the results from asviewer:
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Katie@KATIE-DD9OVDQ3L, 09-17-2003
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RealTray
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msc
    C:\WINDOWS\System32\Microsoft.NET\msconfig.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Weather
    C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Extreme Messenger for AIM
    C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msnmsgr
    C:\Program Files\MSN Messenger\msnmsgr.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AIM
    C:\Program Files\AIM\aim.exe -cnetwait.odl
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office\OSA9.EXE
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\INF\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}\
    C:\WINDOWS\System32\rundll32.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\AvgCore\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgcore.sys
    HKLM\System\CurrentControlSet\Services\AvgFsh\
    \??\C:\PROGRA~1\Grisoft\AVG6\avgfsh.sys
    HKLM\System\CurrentControlSet\Services\AvgServ\
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WmdmPmSp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs


    Let me know what needs to be done from here. Again, Thank you so much.
    ~katie
     
  13. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Katie,

    This is rather interesting. You correctly removed the autostart entry for p2pnetworking and yet it is running. Autostart Viewer shows every autostart location and yet it does not show where this is being launched from.

    Let's try this:

    Press Ctrl+Alt+Del and try to stop the

    P2P Networking.exe

    process. If it gives you an error indicating it cannot be stopped or if it seems to "comply" but on clicking Ctrl+Alt+Del again you see it is still there, then you need to boot your system into Safe Mode. It should not be running there.

    However you do it, once you no longer have that program running I want you to do a search for the

    P2P Networking

    folder and remove that folder. Then do a reboot and let us know how things are at this point.

    Thanks
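The puzzle in the post above, a program that is still running after its Run entry was fixed and that Autostart Viewer does not account for, is exactly what cross-referencing the two reports Katie posted is for. The script below is an added example and is not code from this thread, from HijackThis or from DiamondCS: it parses a HijackThis log and an Autostart Viewer report, lists running processes that no autostart entry explains, and flags Run values whose image lives under System32. The two sample reports are constructed (abridged and modelled on the ones posted above); the allowlist of core NT processes, the C:\WINDOWS path prefix and the System32 heuristic are my assumptions, and what it prints is a list of leads, not a verdict.

```python
"""Cross-check a HijackThis log against an autostart report.

Added example for this thread, not code from the posts, HijackThis or
DiamondCS. Both reports are constructed (abridged, modelled on the thread's
logs) so the script runs offline.
"""
import re

# Constructed HijackThis sample: the P2P Networking Run entry is already
# fixed, yet the program is still in the running-process list.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [msnager32] C:\windows\system32\host32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""

# Constructed Autostart Viewer sample: a location line, then its command.
ASV_REPORT = r"""
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVG_CC
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
HKLM\System\CurrentControlSet\Services\AvgServ\
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
"""

# Executable at the front of a command line: quoted, or unquoted with spaces
# and trailing arguments (shortest prefix ending in an executable extension).
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|pif|bat|cmd|dll|sys|ocx))(?:"|\s|$)', re.IGNORECASE)
# Started by the kernel/Winlogon chain or by hand, so never in an autostart list (assumption).
NOT_AUTOSTARTED = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe",
                   "svchost.exe", "iexplore.exe", "cmd.exe", "hijackthis.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")  # assumes %SystemRoot% = C:\WINDOWS


def exe_from_cmdline(cmd):
    """Lower-cased image path from a Run/Service command line, or None."""
    cmd = cmd.strip()
    if cmd.startswith("\\??\\"):          # NT object-manager prefix used by driver entries
        cmd = cmd[4:]
    m = EXE_RE.match(cmd)
    return m.group(1).lower() if m else None


def parse_hjt(log):
    """Return (running process paths, [(location, value name, command), ...] from O4 lines)."""
    running, autostarts, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            running.append(line)
        elif line.startswith("O4 - "):     # Global Startup .lnk lines have no [name] and are skipped
            m = re.match(r"O4 - (.+?): \[(.*?)\] (.*)$", line)
            if m:
                autostarts.append(m.groups())
    return running, autostarts


def parse_asviewer(report):
    """Pair each HK* location line with the command line(s) listed under it."""
    entries, location = [], None
    for line in report.splitlines():
        line = line.strip()
        if line.upper().startswith(("HKLM\\", "HKCU\\", "HKCR\\")):
            location = line
        elif line and location is not None:
            entries.append((location, line))
    return entries


def unexplained_processes(running, autostart_cmds):
    """Running images no autostart command references: started by another
    process, a task or script, or a location the report does not enumerate."""
    known = {e for e in map(exe_from_cmdline, autostart_cmds) if e}
    return [p for p in running
            if p.lower() not in known
            and p.lower().rsplit("\\", 1)[-1] not in NOT_AUTOSTARTED]


def run_entries_in_system_dirs(autostarts):
    """O4 entries launching from a Windows system directory: a lead, not a verdict."""
    return [(name, exe) for _, name, cmd in autostarts
            if (exe := exe_from_cmdline(cmd)) and exe.startswith(SYSTEM_DIRS)]


if __name__ == "__main__":
    running, autostarts = parse_hjt(HJT_LOG)
    cmds = [c for _, _, c in autostarts] + [c for _, c in parse_asviewer(ASV_REPORT)]
    for proc in unexplained_processes(running, cmds):
        print("running, but no autostart entry launches it:", proc)
    for name, exe in run_entries_in_system_dirs(autostarts):
        print(f"Run value [{name}] starts from a system directory: {exe}")
```

On the sample data the first check reports only P2P Networking.exe, which is the situation in the thread: once an image is running with no enumerable autostart, the next question is which parent process launched it (a bundled helper started by the program it shipped with is the common case), so the parent is what to remove. The second check flags host32.exe under System32, the same entry Pieter singled out.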
     
  14. katie

    katie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    12
    When I try to do Ctrl+Alt+Del I get a message saying 'Task Manager has been disabled by your administrator', but I will reboot into safe mode, search for P2P Networking and try to delete it that way.
    ~Katie
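The 'Task Manager has been disabled by your administrator' message is what Windows shows when the DisableTaskMgr policy value is set under Policies\System. Malware sets it so the user cannot inspect or end its process, and clearing it is a separate step from removing the program. The script below is an added example, not code from this thread: it reads a regedit export (.reg), reports lockout policies that are switched on, and writes a .reg file that deletes them. The sample export is constructed; the key paths and value names are the standard Windows ones.

```python
"""Find and undo the policy behind 'Task Manager has been disabled by your
administrator' using a regedit export.

Added example for this thread, not code from the posts. The export text is
constructed; the key paths and value names are the standard Windows ones.
"""
import re

POLICY_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System",
)
# Policies\System values that lock the user out of inspection tools.
LOCKOUT_VALUES = {"DisableTaskMgr", "DisableRegistryTools"}

# Constructed sample of what `reg export HKCU\...\Policies\System file.reg`
# (or a regedit export) produces on an affected machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+?)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Parse .reg text into {key: {value name: int or str}} (dword and string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            # .reg doubles backslashes inside string values; undo that.
            keys[current][name] = (int(dword, 16) if dword is not None
                                   else string.replace("\\\\", "\\"))
    return keys


def lockout_policies(keys):
    """(key, value name, data) for every lockout policy that is switched on."""
    wanted = {k.lower() for k in POLICY_KEYS}
    return [(key, name, data)
            for key, values in keys.items() if key.lower() in wanted
            for name, data in values.items()
            if name in LOCKOUT_VALUES and data == 1]


def undo_reg(hits):
    """Build a .reg file that deletes the offending values ("name"=- syntax)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in dict.fromkeys(k for k, _, _ in hits):    # dedupe, keep order
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for k, name, _ in hits if k == key)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # A real export is UTF-16 text: open(path, encoding="utf-16").read()
    hits = lockout_policies(parse_reg(SAMPLE_REG))
    for key, name, data in hits:
        print(f"{name}={data} under {key}")
    print(undo_reg(hits))
```

Export the key from a command prompt with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System policy.reg`, run the script on it, and merge the generated file with regedit; if the policy is set in HKEY_LOCAL_MACHINE as well, export that key too. A second reappearance of the value after a reboot means the program that set it is still running, and that is the thing to find.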
     
  15. katie

    katie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    12
    Alright, I deleted the P2P Networking files in safe mode, and when I restarted my computer and ran HijackThis, it showed it as still running... What should I do now?
    ~Katie
     
  16. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    :)

    Sorry about the Ctrl+Alt+Del thing, I completely forgot about the problem you were having with it.

    But this is getting more strange: you deleted the file and yet it still runs on the next boot? Is it still running from the same path (I mean, when you see it in HijackThis, does it appear exactly as below

    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe

    or is part of that string different)? When you deleted it in Safe Mode, did you empty the recycle bin (my fault for not instructing you to before)? If you didn't, I think it would be worth a shot. Also, do you have any dedicated anti-trojan program? If not, and depending on what I hear back from you, we might try downloading the trial of TDS

    http://www.diamondcs.com.au/tds/downloads/tds3setup.exe

    After you install it, while the program is still not running, go to the same link as above and download the latest database and put it in your TDS3 folder. Then you can launch it and set all sensitivity settings to their highest and do a full scan of your system.
     
  17. katie

    katie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    12
    Alright, I tried to 'fix it' again with HijackThis and it appears to be gone now. I tried the trojan scan about an hour ago and it came up with no results (the DiamondCS one). I'm not getting the initial message when I sign on to AIM that I was before, but I will put up an away message to test it and see if it changes on me after a few minutes. I will get back to you on whether it seems to have worked or not.
     
  18. katie

    katie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    12
    Yeah, my AIM is still having problems, but now it's a new one: the AIM window will go to full size by itself about every minute. So whatever it is eating away at my computer, it's still there.
    ~katie
     
  19. katie

    katie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    12
    I don't know if this helps out at all, but another problem I have been having is that I keep getting messages that pop up even when I'm not signed on to AIM saying 'the AIM hyperlink you have entered cannot be reached offline. Please log on'. Those aren't the exact words, but it's something along those lines.
     
  20. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    So the former problem is no longer evident?

    If this is so, I think we are now looking at a program issue and not any sort of malware/spyware issue.

    I am not sure about this but you may want to consider removing the ExtremeMessenger for AIM as a test. This seems to be an AIM add-on and I don't know how much you rely on it but at least for troubleshooting purposes it might be worthwhile to remove it via Add/Remove programs.
     
  21. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hi Dan,

    Curious only here... since many of those items can be removed with Add/Remove in the Control Panel, why don't you start there to delete them?

    Example:


    P2P Networking

    Overview
    P2P Networking is a component that enables other applications to use Peer-to-Peer functionality.

    P2P Networking is bundled with Kazaa but is not required for its operation. There is no option to opt-out.

    Files
    P2P Networking.exe, marhal.dll

    Vendor
    Joltid

    Privacy Violation
    Joltid privacy policy

    Detection
    Bazooka Adware and Spyware Scanner detects P2P Networking.

    Feedback, suggestions, support
    Please let us know if you need support, have questions or would like to give us feedback.

    Uninstall procedure
    Uninstall P2P Networking from "Add/Remove Programs" in the Windows® Control Panel. Notice that uninstalling it can break the programs that use the peer-to-peer component.

    http://www.kephyr.com/spywarescanner/library/p2pnetworking/index.phtml
     