Uh, hmm...I have a question or two or....

Discussion in 'other security issues & news' started by ljc1174, Dec 5, 2004.

Thread Status:
Not open for further replies.
  1. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Hi all! Long time no talk to!

    As I said, I have a question! My father-in-law has given me his computer to "fix". I can tell you that I've installed Ad-Aware and it found 980 "issues"; those were fixed. I've installed Spybot S&D, Spywareguard, SpywareBlaster, Norton AV 2004 and Zone Alarm.

    Norton found no virus or trojans, but, according to my brother-in-law, "pops" computer is infected with PARASITES. I've never heard of this. He is also (due to anger for asking for my help) telling "pops" that the programs I've installed are actual viruses and trojans and I've done more harm than good, yada, yada, yada...

    When I started on his computer yesterday, without opening IE, in the running processes IE would appear and show that it had anywhere from 25 to 250 windows attempting to open. After about 10 minutes at least 10 of those windows would start popping up. I closed them, then the system would lock up, or I would get an error message stating that mokee was unable to run, or that the memory was too low, and/or IE wouldn't reopen at all and I would have to reboot.

    These problems have all ceased since installing the previously mentioned programs.

    So, are parasites real? Is there any way to remove them if they are? And I have some issues with all the programs that are loading at start up! Since this is not my computer, and it was purchased used by my father-in-law, I'm not sure what programs to disable. Some pop-up IEs still attempt to load, but not as many as before. And I believe it may be something that is loading at start up.

    I would like to insert a screen shot of the start up items but after four kids my memory has left me for the simple things in life! I don't remember how, or what keys to use.

    I appreciate everyone's help!

    Lori
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Here's how Lori. Courtesy of Tassie Devils,

    Hit Prnt Scrn
    Go to Accessories and open Paint..

    then simply hit Ctrl V [Paste]

    that's all you need to do.... when you hit Prnt Scrn, nothing will happen that you can see, but it saves an image to your clipboard, so when hitting Ctrl V in Paint it copies it in.. ok.

    it will paste an image into paint.. you can learn to use that.. crop, save as jpeg., etc. etc.


    BTW, it's nice to see you back here at Wilders. :)


    snowbound
     
  3. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Thank you Snowbound!

    I should have known that! :cool:

    But before I go any further with posting the screen shots am I in the right board for this?
     
  4. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Sure, this forum is fine. :)


    snowbound
     
  6. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Hey GF,

    Thanx mucho!

    Detection script
    Your browser has been checked for parasites. None were found. (However this script cannot detect all of them!)


    And the recommendations they gave for removal of parasites are exactly what I already have installed!
     
  7. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Ok, here's the screen shots! I had to take three because I cannot maximize the window... WeenieXP!!!

    But now I see that I cannot upload them either because they are too large!
    ARGH!
     
  8. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Resize the screenie with M$ Paint under image/stretch-skew. Upload needs to be under 100k.

    Have you run Spybot and the results? If you go to advanced mode in Spybot (upper left corner),
    then click "tools" from the left bar you'll see system startup. Post that screenie! :D

    edit - If you're still having trouble with file size, upload the image here (click browse, select screenie, clk host it!),
    then use the copy URL Hotlink a clickable thumbnail on a forum or message board!.
    Drop this into the message (no need to hyperlink, just copy and paste).

    edit 2 - look at the screenie, mode/advanced....

    GF
     

    Attached Files:

    Last edited: Dec 5, 2004
  9. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    I would like to try it with S&D but there is no option for tools or advanced! The left corner simply has File Language and Help.

    Down the left side there is only a tab that says
    Spybot S&D
    and under that is has the search and destroy, immunize, donations, recovery and update.
     
  10. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Previous post please..... :) :D

    GF
     
  11. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    My Spybot doesn't look like your Spybot! Why?

    I just installed it yesterday and it says it's Version 1.2
     
  12. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Go to help/about and tell us the version. Where was it downloaded?
    Oops, missed that :D Latest ver 1.3 or thereabouts...

    GF
     
  13. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  14. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    I see the problem! I downloaded it under easy mode...I'm assuming I have to uninstall and start over.
    I tried an update and it says it's all there.
    I used download/cnet website.
     
  15. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Thank you snowbound!
     
  16. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    You should install the latest version. As GlobalForce mentioned, it's 1.3



    snowbound
     
  17. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Ok!
    I reinstalled it! I have advanced mode. I clicked on start up and to my surprise it doesn't list everything that msconfig shows! I find this very odd!!!

    I need to get some things done in the house. I'll be back in a bit!

    Thanks for your help guys!

    Lori
     
  18. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    This will provide more info than msconfig, direct download from ComputerCops (Castle) for Merijn's "StartupList.zip" here.
    Small executable, no system changes, extract all to a folder and run.

    GF
     

    Attached Files:

  19. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    That was just lovely!!!

    Thnx GF!
    Ok, the ones I have marked in red are the ones I'm unsure of, but I also do not know which ones are for his internet. There are more "unknowns" listed further down, but I don't know if they are the same as what I have marked in red. I had to install my internet, which is "SBC/Motive"; his internet is through Cox Cable. Just thought I'd let you know! ;)

    ~Lori

    here's what it says...


    StartupList report, 12/5/2004, 11:23:51 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\unknown\My Documents\My Received Files\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\ll_hpm.exe
    C:\WINDOWS\System32\prmsgm.exe
    C:\WINDOWS\System32\srsvpiau.exe
    C:\WINDOWS\System32\abview6c.exe

    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\aaamona.exe
    C:\WINDOWS\System32\hlpapiip.exe
    C:\WINDOWS\System32\d?dplay.exe
    C:\Documents and Settings\unknown\Application Data\esse.exe
    C:\WINDOWS\System32\ciole32m.exe

    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ssenhd.exe
    C:\WINDOWS\System32\astlsr.exe
    C:\WINDOWS\System32\hellextlibs.exe
    C:\WINDOWS\System32\apiperft.exe
    C:\WINDOWS\System32\msiexec.exe

    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\unknown\My Documents\My Received Files\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\unknown\Start Menu\Programs\Startup]
    SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = userinit.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    cZ = C:\documents and settings\unknown\local settings\temp\cZ.exe
    dxn40Mn = C:\documents and settings\unknown\local settings\temp\dxn40Mn.exe
    90a58c90b2f9 = C:\WINDOWS\System32\batt2969.exe
    owrprofp = C:\WINDOWS\System32\owrprofp.exe
    BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
    IPInSightLAN 01 = "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    IPInSightMonitor 01 = "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    Motive SmartBridge = C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    prmsgm = C:\WINDOWS\System32\prmsgm.exe
    ll_hpm = C:\WINDOWS\System32\ll_hpm.exe
    srsvpiau = C:\WINDOWS\System32\srsvpiau.exe
    abview6c = C:\WINDOWS\System32\abview6c.exe
    aaamona = C:\WINDOWS\System32\aaamona.exe
    hlpapiip = C:\WINDOWS\System32\hlpapiip.exe
    ciole32m = C:\WINDOWS\System32\ciole32m.exe
    ssenhd = C:\WINDOWS\System32\ssenhd.exe
    astlsr = C:\WINDOWS\System32\astlsr.exe
    hellextlibs = C:\WINDOWS\System32\hellextlibs.exe
    apiperft = C:\WINDOWS\System32\apiperft.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Ygdm = C:\WINDOWS\System32\d?dplay.exe
    Wedl = C:\Documents and Settings\unknown\Application Data\esse.exe
    Yahoo! Pager = 1

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    [800]
    000 = C:\Program Files\Messenger\rtcimsp.dll|DllRegisterServer

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - SOFTWARE
    (no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll - {02478D38-C3F9-4efb-9B51-7695ECA05670}
    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
    (no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - C:\WINDOWS\System32\srmtu.dll - {D5B388F0-C532-44D6-A10B-9D76E4B5D870}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Disk Cleanup.job
    Norton AntiVirus - Scan my computer - unknown.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
    CODEBASE =
    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\System32\wuweb.dll
    CODEBASE =

    [HPObjectInstaller Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\HPCommunication.dll
    CODEBASE =

    [{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
    CODEBASE =

    [MsnMessengerSetupDownloadControl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
    CODEBASE =

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE =

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\DOCUME~1\unknown\LOCALS~1\Temp\_iu14D2N.tmp||C:\Program Files\Spybot - Search & Destroy\is-SFKMS.tmp => C:\Program Files\Spybot - Search & Destroy\SDHelper.dll|C:\DOCUME~1\unknown\LOCALS~1\Temp\msg2B.exe||C:\DOCUME~1\unknown\LOCALS~1\Temp\msg2C.exe||C:\DOCUME~1\unknown\LOCALS~1\Temp\msg2D.exe||C:\Program Files\Messenger\SET35.tmp => C:\Program Files\Messenger\msgsc.dll||S

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 8,688 bytes
    Report generated in 0.941 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
    Last edited: Dec 6, 2004
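The StartupList report above is plain text, so the "Autorun entries from Registry" sections can be parsed and screened automatically. The script below is an added example written for this thread; it is not part of Merijn's StartupList and not code posted by anyone here. It parses the Run-key sections and flags entries on three defender-side red flags visible in Lori's report: a program launched from a Temp folder, a program launched from the user's Application Data folder, a path containing a character the report could not render (the `d?dplay.exe` entry), and a value name that is a bare hex string instead of a product name. The sample report is a constructed subset of the entries posted above; the rule set, function names and severity wording are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the Run-key sections from the StartupList
# report posted above, reduced to a handful of entries for the demonstration.
SAMPLE_REPORT = """\
Autorun entries from Registry:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

cZ = C:\\documents and settings\\unknown\\local settings\\temp\\cZ.exe
90a58c90b2f9 = C:\\WINDOWS\\System32\\batt2969.exe
BJCFD = C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe
ccApp = "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
IPInSightLAN 01 = "C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPClient.exe" -l
prmsgm = C:\\WINDOWS\\System32\\prmsgm.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

Ygdm = C:\\WINDOWS\\System32\\d?dplay.exe
Wedl = C:\\Documents and Settings\\unknown\\Application Data\\esse.exe
Yahoo! Pager = 1
"""

SECTION_HEADER = "Autorun entries from Registry:"
# Optional opening quote, a drive-letter path ending in an executable extension,
# optional closing quote, then whitespace (command-line switches) or end of line.
PATH_RE = re.compile(
    r'^"?([A-Za-z]:\\.*?\.(?:exe|dll|scr|com|bat|cmd|pif))"?(?:\s|$)', re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)


@dataclass
class Entry:
    hive: str                 # registry key the value lives under
    name: str                 # value name (left of " = ")
    raw_value: str            # value data exactly as printed in the report
    path: Optional[str]       # extracted launch path, None if there was none
    reasons: List[str] = field(default_factory=list)


def parse_autoruns(report: str) -> List[Entry]:
    """Walk the report and collect every 'name = value' line inside a Run-key section."""
    entries: List[Entry] = []
    lines = iter(report.splitlines())
    hive: Optional[str] = None
    for line in lines:
        line = line.strip()
        if line == SECTION_HEADER:
            hive = next(lines, "").strip()   # the registry key is printed on the next line
            continue
        if line.startswith("-----"):          # section separator ends the current key
            hive = None
            continue
        if hive is None or " = " not in line:
            continue
        name, value = line.split(" = ", 1)
        match = PATH_RE.match(value)
        entries.append(Entry(hive, name.strip(), value, match.group(1) if match else None))
    return entries


def assess(entry: Entry) -> Entry:
    """Attach a reason for each heuristic the entry trips (assumed rule set)."""
    if entry.path is None:
        return entry                          # e.g. "Yahoo! Pager = 1": nothing to launch
    low = entry.path.lower()
    if "\\temp\\" in low:
        entry.reasons.append("launches from a Temp directory")
    if "\\application data\\" in low:
        entry.reasons.append("launches from the user's Application Data folder")
    if any(ch == "?" or not 32 <= ord(ch) < 127 for ch in entry.path):
        entry.reasons.append("unprintable or unknown character in path")
    if HEX_NAME_RE.match(entry.name):
        entry.reasons.append("value name is a hex string, not a product name")
    return entry


def suspicious(report: str) -> List[Entry]:
    """Parse and screen a report, returning only the entries with at least one reason."""
    return [e for e in map(assess, parse_autoruns(report)) if e.reasons]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_REPORT):
        hive_root = e.hive.split("\\")[0]
        print(f"[{hive_root}] {e.name} -> {e.path}")
        for reason in e.reasons:
            print("    -", reason)
```

Run it and the flagged entries are cZ, 90a58c90b2f9, Ygdm and Wedl; the Symantec, BroadJump and SBC entries pass. The System32 entries with made-up-looking names (prmsgm, batt2969 and friends in the full report) are deliberately not flagged by these rules: nothing about their path alone separates them from a legitimate driver helper, which is exactly why the thread asks for a human look at the "unknowns" rather than trusting a list of names.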
  20. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hi Lori, I only took a quick looksee and won't be able to respond till later,
    but I may need some help with this as to the best way to proceed.

    If you get this in the meantime,
    please edit those live links with an "xxx" OK.

    GF
     
  21. nod32_9

    nod32_9 Guest

    It's best to back up important data, wipe the HD, and reload Windows. Older versions of Windows (W9.x/WME) don't do well after major infections. You're better off spending time teaching the old man how to surf safely.

    I would also give McAfee 7/8/9 the nod over Norton. Finally, avoid the use of those crappy Yahoo downloads (companion, pager, etc). Use IE only when Firefox or Opera fails to render a poorly coded webpage.
     
  22. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Thnx Nod...I was considering installing a new browser for him, but it would completely throw him off. So this is not an option.
    Items in start up are no longer an issue. Norton is slowly discovering trojans; it's found a second. Except this time it could not quarantine or delete it. I'm running an online scan with housecall.

    He bought his computer used. I have no restoration cd's for WeenieXP to reinstall for him. I have to do this the hard way.

    But someone with useful knowledge of NAV, AdAware & Spybot S&D would be greatly appreciated. I don't know if I should continue on this thread with these issues or not.

    Norton is finding 10 adware issues that adaware and S&D aren't finding.
    I cannot delete or quarantine them.

    Do I have to do a manual search for the issues and delete them from registry?

    There was one that was actually in his program files; I removed it in safe mode, and that was when Norton found the second virus that it can't remove.
    ~Lori
     
  23. nod32_9

    nod32_9 Guest

    You can disable system restore, update NAV (latest definition is 4/12/2004), boot to safe mode, and rescan for bugs using NAV.

    If this is a mainstream PC (HP, Gateway, Dell, Compaq, etc), then contact the mfr to see if you could purchase a set of recovery CDs.
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Ljc1174, there is a thread here: https://www.wilderssecurity.com/showthread.php?t=50662 If you READ through the ENTIRE thread BEFORE proceeding, then download EVERY program suggested, and run EVERY program in SAFE MODE when you are at the SAFE MODE step, this should get you fairly well sorted.

    What I have suggested is slightly different from the step by step instructions, in that you are downloading EVERY program first and then running all in SAFE MODE when you are at the Safe Mode Step.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  25. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Getting back, Lori, I wasn't exactly sure of the appropriate course, taking into account the impact removal of some of those entries might make on your father-in-law's surf habits. Lacking the hard experience of some of the more informed participants here at Wilders, I threw in the mention of needing some help in the hope of a few good souls dropping in....... ;)

    nod32_9 and Blackspear. Thank you gentlemen. :cool:

    If I may add a few notes.....scanning in safe mode with system restore disabled as per nod's suggestion is a must due
    to the nature of today's nasties hiding out in the system folders. If you utilize CWShredder, don't have it scan,
    have it "fix" when you run it. If you attempt to delete any files.....again, from safe mode. I feel nod's comments in
    post 21 may be the way to go, but until and if those recovery CDs become available, Blackspear's advice offered in his
    link is a good, sound starting point. If you need any links or I can assist further, please post again in this thread.

    One final thought....Should you decide to switch av's, please let us know.....
    there are a few important things to consider when removing Norton that many people discover too late!

    Keep in touch.....we'll be watching. :)


    GF
     