look here.....it will only take a second

Discussion in 'malware problems & news' started by Spencer, Jan 17, 2004.

Thread Status:
Not open for further replies.
  1. Spencer

    Spencer Guest

    My computer is infected! Will someone please walk me through the steps of securing my computer?
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi Spencer :)

    Welcome to Wilders.

    Could u please follow the instructions at this link,

    http://www.wilderssecurity.com/showthread.php?t=15913

    then post a HijackThis log.

    snowbound
     
  3. Spencer

    Spencer Guest

    Wait no!

    Thanks for writing me back. Here is the log for HT.
    I've already cleaned my log twice, but want to ask someone else if I am missing something. Also, I have two icons titled "Health Insurance" and "Credit Counseling", and every time I delete them they come back on the next reboot. Finally, I have AVG 6.0 and a notice will pop up saying that I have a trojan or virus titled "startpage.cg". It tells me to run AVG, and that it will remove it. At first it found it but couldn't remove or quarantine it. Now it doesn't even find it. Same with my Norton, Spybot, Ad-aware, and the many anti-trojans I have used. Anyway, here is my log.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:51:38 PM, on 1/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\ATRACK.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Spencer Wright\My Documents\My Music\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .WAV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/Swdir_Alt_Pub.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37862.690474537
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0EC293FC-8743-4FFE-9C29-1D65D433E6BF}: NameServer = 64.63.206.6 64.63.207.6
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0EC293FC-8743-4FFE-9C29-1D65D433E6BF}: NameServer = 64.63.206.6 64.63.207.6

    Thanks.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Spencer,

    Please download and run CWShredder

    Then reboot and scan with AVG. If it still finds startpage.cg aka CWS please let us know the full path of where the file is found.

    Regards,

    Pieter
     
  5. controler

    controler Guest

    Hello

    can you edit the INF file?
    I see you are going through Compaq.
    The hijacked page should show up in the INF file also.
    If you don't want to use notepad you can try this one.

    http://www.editpadpro.com/editpadlite.html


    con
     
  6. Spencer

    Spencer Guest

    CWShredder didn't find anything. Neither did AVG. But I got a notice from AVG reading:
    Virus
    Trojan horse Startpage.CG

    is found in file
    C:\System Volume Information\_restore{EEB01FFO-0722-40BC-8DCA-5D3D36C315C6}\RP246\A0051206.dll

    To Remove this virus, please run AVG for Windows

    I run AVG, but it can't do anything. Thanks a bunch.
     
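An added example, not code from this thread, from HijackThis or from AVG: a small Python parser for HijackThis v1.97-style log lines like the ones Spencer posted above. It splits each line into its section prefix (R1, O2, O4, O16, O17 and so on), pulls out the items a log helper looks at first (O4 autostart commands, O16 ActiveX downloads, O17 name servers), and separately recognises the System Restore path pattern from the AVG alert in the post just above. The sample log text is a constructed subset of the thread's log plus the AVG path; the function and field names are my own.

```python
"""Parse HijackThis-style log lines and recognise System Restore copies.

Added example for the thread; not HijackThis' or AVG's own code.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the log posted in the thread, so the
# script runs offline without a real HijackThis scan.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{0EC293FC-8743-4FFE-9C29-1D65D433E6BF}: NameServer = 64.63.206.6 64.63.207.6
"""

# Path AVG reported in the thread (joined onto one line).
AVG_PATH = r"C:\System Volume Information\_restore{EEB01FFO-0722-40BC-8DCA-5D3D36C315C6}\RP246\A0051206.dll"

# "<section> - <body>" is the shape of every HijackThis finding line.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O4: "HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O16: "DPF: {CLSID} (friendly name) - url"
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
# O17: "...: NameServer = ip ip"
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")
# A file inside an XP System Restore snapshot; \s* tolerates the line wrap
# seen in the forum post.
RESTORE_RE = re.compile(
    r"\\System Volume\s*Information\\_restore\{[0-9A-Za-z-]+\}\\RP\d+\\", re.IGNORECASE
)


@dataclass
class Entry:
    section: str
    body: str
    details: dict = field(default_factory=dict)


def parse_log(text):
    """Return one Entry per finding line; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        details = {}
        if section == "O4":
            d = O4_RE.match(body)
            details = d.groupdict() if d else {}
        elif section == "O16":
            d = O16_RE.match(body)
            details = d.groupdict() if d else {}
        elif section == "O17":
            d = O17_RE.search(body)
            details = {"servers": d.group("servers").split()} if d else {}
        entries.append(Entry(section, body, details))
    return entries


def summarize(entries):
    """Group the items a log reviewer checks first."""
    return {
        "autostarts": [(e.details["name"], e.details["command"])
                       for e in entries if e.section == "O4" and e.details],
        "activex_downloads": [(e.details["name"], e.details["url"])
                              for e in entries if e.section == "O16" and e.details],
        # O17 lines are the DNS servers the system is told to use; the
        # reviewer confirms they belong to the user's ISP.
        "dns_servers": sorted({s for e in entries if e.section == "O17"
                               for s in e.details.get("servers", [])}),
    }


def is_restore_point_copy(path):
    """True when an AV hit points into a System Restore snapshot, i.e. a
    stored copy of a file rather than one that is installed or running."""
    return RESTORE_RE.search(path) is not None


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key, items in summary.items():
        print(key)
        for item in items:
            print("   ", item)
    print("AVG hit is a restore-point copy:", is_restore_point_copy(AVG_PATH))
```

The restore-point check is the part that explains the "AVG can't do anything" symptom: on Windows XP the scanner can read files under System Volume Information but is not allowed to modify them, so the detection keeps returning until the snapshot itself is discarded (turning System Restore off and back on, then creating a fresh restore point, was the usual way to do that). Flagging O17 name servers and O16 downloads is reviewer triage, not a verdict; the entries in this thread's log are ordinary ISP and vendor items.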
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  8. Spencer

    Spencer Guest

    I did what you said and avg did not find anything. So I ran Panda and it found nothing also. I found something interesting though. When I go to tools and internet options in internet explorer and click on the connections tab, it lists my internet connections. It lists my current one, TIBS42, and also it lists exDialer. I deleted it from the add remove page, but it seems to be present. What should I do?
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Spencer,

    Go offline and remove the connection in the IE screen and in your Connections panel. That is sufficient.

    Regards,

    Pieter
     