multiple viruses

Discussion in 'malware problems & news' started by djh, Jan 8, 2004.

Thread Status:
Not open for further replies.
  1. djh

    djh Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    4
    Can you help? I'm new to this and have so many viruses I'm surprised the computer starts. How do I take registry settings and post them for help?
     
  2. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Welcome to Wilder's!

    I'm sure a mod will soon move this to an appropriate forum.

    1. Do you currently have an up to date antivirus installed? If so, what is it?

    2. Your operating system? (XP, ME, etc.)

    3. What specific symptoms are you noticing?

    If you can provide a bit more information for us, I'm sure others will be along soon to help, as well.

    :)
     
  3. djh

    djh Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    4
    JimIT, thanks for helping. Running Norton, out of date, which will now be rectified. System: WinXP. Problems caused: hijacked browser into porn sites and credit card details hijacked.
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Did I hear hijack? :D

    Hi djh,

    Could you please post a HijackThis log. Follow the instructions posted here:
    http://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
     
  5. djh

    djh Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    4
    copy of hijack this file

    Logfile of HijackThis v1.97.7
    Scan saved at 21:37:12, on 08/01/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\twain_32\SiPix\SCBlink2\Srvany.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\twain_32\SiPix\SCBlink2\USBPNP.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Program Files\Altnet\Points Manager\Points Manager.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\System32\mstaskm.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
    C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\dave\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.meshcomputers.com/
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
    O2 - BHO: MSM32 Helper - {1E1B2879-88FF-11D2-8D96-000000000004} - C:\WINDOWS\system\SSocks32.dll (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [SCBlink2Menu] E:\Setup.exe
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
    O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
    O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsmnt.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://portal.plus.net/
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://www.ea.com/downloads/games/common/snoopy/iesnoopy.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37910.0193402778
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D5E8ACDA-BB8E-4E4D-8A1E-F9481B9046DF}: NameServer = 212.159.11.150,212.159.13.150
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi djh,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html

    O2 - BHO: MSM32 Helper - {1E1B2879-88FF-11D2-8D96-000000000004} - C:\WINDOWS\system\SSocks32.dll (file missing)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [SCBlink2Menu] E:\Setup.exe

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [Microsoft Helper Service] C:\WINDOWS\System32\mstaskm.exe

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab

    Reboot after doing so, preferably into safe mode and delete:
    C:\Program Files\Altnet\Points Manager <= entire folder
    C:\WINDOWS\svchost.exe <= only that one, do NOT try to remove the ones in the System32 folder
    C:\WINDOWS\System32\mstaskm.exe

    Then reboot normally and download and run CWShredder to get rid of the CWS elements that don't show in HijackThis.

    Regards,

    Pieter
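The checks Pieter applies by eye in the reply above, written out as a small triage script. This is an added example, not code from the forum posts and not part of HijackThis: SAMPLE_LOG is copied from the log posted earlier in the thread, the trusted-host and adware-name lists are assumptions made for the example, and the rules encode only the reasoning visible in this thread (a start page pointing at a local HTML file, a BHO whose DLL is missing, svchost.exe living outside System32, an autostart of Setup.exe from drive E:, an ActiveX control with no download URL or from an unreviewed host).

```python
"""Triage a HijackThis-style log for the indicators used in this thread.

Added example; not part of the forum posts and not HijackThis code.
SAMPLE_LOG is copied from the log posted above; the host and adware
name lists are assumptions made for the example.
"""
import re

# O16 download hosts accepted without review (assumption for the example).
TRUSTED_O16_HOSTS = {
    "www.apple.com", "us.creative.com", "download.macromedia.com",
    "security.symantec.com", "v4.windowsupdate.microsoft.com",
    "chat.yahoo.com", "us.chat1.yimg.com", "www.ea.com", "www.cult3d.com",
}

# Bundled adware names singled out in the reply above.
KNOWN_ADWARE = ("p2p networking", "altnet")

# Windows binaries whose real home is System32; a copy elsewhere is suspect.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
O2 - BHO: MSM32 Helper - {1E1B2879-88FF-11D2-8D96-000000000004} - C:\WINDOWS\system\SSocks32.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [SCBlink2Menu] E:\Setup.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
"""


def parse(log):
    """Yield (section, body) for the classified R/F/O lines of the log."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body")


def flag(section, body):
    """Return a reason if the entry matches one of the thread's indicators."""
    low = body.lower()
    if section in ("R0", "R1") and re.search(r"= [a-z]:\\", low):
        return "browser start/default page is a local file (typical hijack)"
    if section == "O2" and "(file missing)" in low:
        return "BHO still registered but its DLL is gone"
    if section == "O4":
        if any(name in low for name in KNOWN_ADWARE):
            return "bundled adware autostart"
        m = re.search(r'\] "?(.+?\.exe)', low)
        if m:
            path = m.group(1)
            exe = path.rsplit("\\", 1)[-1]
            if exe in SYSTEM_BINARIES and "\\system32\\" not in path:
                return f"{exe} running from outside System32"
            if re.fullmatch(r"[d-z]:\\setup\.exe", path):
                return "autostart of Setup.exe from a removable/optical drive"
    if section == "O16":
        m = re.search(r"https?://([^/]+)/", low)
        if m is None:
            if body.rstrip().endswith("-"):
                return "ActiveX entry with no download URL"
        elif m.group(1) not in TRUSTED_O16_HOSTS:
            return f"ActiveX download from unreviewed host {m.group(1)}"
    return None


def triage(log):
    """All flagged entries as (section, body, reason), in log order."""
    return [(sec, body, reason) for sec, body in parse(log)
            if (reason := flag(sec, body))]


def suspicious_processes(log):
    """Process-list lines where a core system binary runs outside System32."""
    hits = []
    for raw in log.splitlines():
        line = raw.strip()
        if re.match(r"[a-z]:\\", line, re.I):
            path = line.lower()
            exe = path.rsplit("\\", 1)[-1]
            if exe in SYSTEM_BINARIES and "\\system32\\" not in path:
                hits.append(line)
    return hits


if __name__ == "__main__":
    for sec, body, why in triage(SAMPLE_LOG):
        print(f"{sec}: {why}\n    {body}")
    print("processes:", suspicious_processes(SAMPLE_LOG))
```

Run against the full log this reproduces most of the fix list above. What it cannot do is see through a masquerading display name such as "Microsoft Helper Service" for mstaskm.exe; that still needs the file name looked up against a known-bad list or the file hashed and checked. The script only reads text; deleting anything, as in the reply, remains a separate step done after a reboot into safe mode.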
     
  7. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    djh,

    Pieter is definitely "the man" when it comes to this stuff... :D

    I would also follow up his instructions by updating your NAV, and doing a full system scan for stray bogies, as well.

    Good luck.

    ;)
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hey JimIT,

    You stick around and keep an eye out for any real viruses that show up, OK? :)

    Looking at the log, NAV (or something else) killed this one:
    http://www.symantec.com/avcenter/venc/data/backdoor.lixy.b.html

    Regards,

    Pieter
     
  9. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    LOL!

    Will do. :D
     
  10. djh

    djh Registered Member

    Joined:
    Jan 8, 2004
    Posts:
    4
    to pieter
    Thanks very much for your instructions. I followed them to the letter and it works perfectly. You're obviously a very clever man. Good job there are people like you about to undo the work of these parasites who write these viruses in the first place. Once again, many thanks, djh
    :)
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  12. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Unfortunately Wilders has no "thumbs-up" mechanism for us to privately commend Pieter {similar to that at dslreports}, so let's all just give him a shot of positive karma! :p :D :D
     