Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Spyware issues, possibly more


  • This topic is locked This topic is locked
7 replies to this topic

#1 Squeakity

Squeakity

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:01 PM

Posted 20 July 2005 - 03:24 PM

Hi Friends,
First, a little background. My roommates and I just replaced our computer a couple of days ago, and very foolishly did not immediately install an anti-bad stuff program. The very next day, our computer was brimming with the stuff. We downloaded AVG, which did said it cleaned out everything, but missed a bunch of stuff. Then we got Cox highspeed internet security, which found more stuff, but still not everything. The two that still pop up are C:windows
ail.exe, and cfgmgr52.dll, both as error messages upon startup. When we first found all of this spyware, our computer ran really slow, and kept needing to be rebooted (understandably, with so much spyware), but we could still use it. I could access the internet, My Computer, etc. etc.

Here's where there's a real problem: I can't access anything anymore. When I move my mouse over the Start button, or anywhere on that bar, the arrow becomes an hourglass indefinitely. I've tried to access Internet Explorer with Task Manager, but it never opens, and when I End Task, the window stays open, though I can no longer interact with it. The only thing I [I]can
do is access and run Cox highspeed internet security tools.

I'm sorry if this is very convoluted, but I can't seem to find the happy medium between leaving out what might be important info and keeping it brief. Anyway, thanks for any advice you can give.

Squeak

BC AdBot (Login to Remove)

 


m

#2 thedon57

thedon57

  • Members
  • 286 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Eastbourne East Susex UK
  • Local time:06:01 PM

Posted 21 July 2005 - 02:34 AM

Hi you said you had the computer new yes? did it come with any disks, also did it not come with windows preinstalled? if yes then it must of had an antivirus all ready on there can you supply more info.
Now installed Microsoft Security Essencials on my Tower with Windows Home Premium 32bit and Toshiba Satellite Pro Laptop with Windows Home Premium 64bit

#3 simplejohn

simplejohn

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:01:01 PM

Posted 21 July 2005 - 06:54 AM

Hey Squeakity

Try this... Start your computer in safe mode.
Click Start -> Run, and type msconfig.
Select the Boot Tab, and in there, remove the check from any unknown program that
looks suspicious.
By doing so, you are not removing the spy-ware from your computer, but you prevent it from running when windows boot up.
After that close the program, click Yes if you are been asked if you want to save, and reboot.

If that won't work, I think you need help from someone who know how to deal with this stuff, or on the other hand, just reinstall your WIN XP.

Good Luck

Edited by simplejohn, 22 July 2005 - 02:56 AM.


#4 stidyup

stidyup

  • Members
  • 641 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:01 PM

Posted 21 July 2005 - 07:44 AM

If you think you are infected submit a hijackthis log here.

How to submit a hijackthis log

Download Hijackthis

Try running Sysclean you'll also need the virus template file from here lpt***.zip

or

DrWeb CureIT

If your good with the command line also try Sophos Command Line scanner

Also try installing and running A2 Free and Ewido

I'd also run Spybot and Adaware

If your using Win2K/XP run adaware/spybot from "safe mode with command prompt"

At the C:\ prompt type the following:-

cd\
C:\progra~1\spybot~1\spybotsd.exe /autocheck /autofix
cd\
C:\progra~1\lavasoft\ad-awa~1\ad-aware.exe

#5 Squeakity

Squeakity
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:01:01 PM

Posted 22 July 2005 - 12:26 PM

I also posted this to the HJT Log Forum; sorry if that's bad etiquette, but i needed to repond anyway.
Simpljohn: I suggested that course of action, seeing as how we only had a few days worth of material saved on the drive, but was shot down due to the amount of work that needs to be spent re-programming everything (printer, fonts, Diablo II, etc....).
To thedon57: It's kind of a long story, but with me, what isn't? The computer we're using ins't really new, just new to the living room. I bought a computer in 2000 (henceforth known as Comp00), which I used at my parents house. When I moved in with my roommates in 2002, I bought a new one that a friend frankensteined together for me (Comp02), and kept my original at my parents house until they moved late last year. So, I have 2 computers; Comp00 in my room and Comp02 in the living room. For the past few months, Comp02 has been freezing randomly, and refusing to start up. I think it's something physical (dying fan?, dying wire going to the fan?, dying power source?) because there's a hum/buzz when I flip the power on, but I have no idea. Everything we've tried seems to work temporarily, from running spy removal software to reducing the number of software removal system to physically cleaning the inside of the computer. These all seem to work, and the comp runs fine, but the next day/hou/second, it's back to freezing again. Anyway, about two weeks ago we kind of gave up on Comp02 and replaced it with Comp00. When it was at my parents house, Comp00 had WindowsME, but when we swapped it out, we put XP on it, but no protection. I think I told the story from there, but that's what's up.

Oh, and here's the HJT Log, for anybody fluent in it. Speaking of, other than process of elimination, what would be the best way to become fluent in the ways of HJT log. That is, the best way to learn when something doesn't belong, and when deleting that something will make me regret it later.


Logfile of HijackThis v1.99.1
Scan saved at 1:21:59 AM, on 7/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32LEXBCES.EXE
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32LEXPPS.EXE
C:Program FilesDrWebSpiderNT.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32
undll32.exe
C:WINDOWSexplorer.exe
C:Program FilesLexmark X1100 Serieslxbkbmgr.exe
C:Program FilesQuickTimeqttask.exe
C:Program FilesLexmark X1100 Serieslxbkbmon.exe
C:PROGRA~1DrWebspidernt.exe
C:Program FilesDrWebspiderml.exe
C:Program FilesDrWebDRWEBSCD.EXE
C:WINDOWSSystem32devldr32.exe
C:WINDOWSSystem32jpjnbo.exe
C:Program FilesMessengermsmsgs.exe
C:Program FilesCasClientcasclient.exe
C:Program Filesoasumnto.exe
C:WINDOWSSystem32j?vaw.exe
C:WINDOWSSystem32wpabaln.exe
C:Program FilesNaviSearchin
ls.exe
C:Program FilesBullsEye Networkinargains.exe
C:Program FilesInternet Exploreriexplore.exe
C:Documents and SettingsSqueakityLocal SettingsTempTemporary Directory 2 for hijackthis.zipHijackThis.exe

R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = http://www.exactsearch.net/sidesearch
R0 - HKLMSoftwareMicrosoftInternet ExplorerSearch,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCUSoftwareMicrosoftInternet ExplorerSearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:Program FilesSurfSideKick 3SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:WINDOWSNail.exe
F2 - REG:system.ini: UserInit=C:WINDOWSSystem32AUserInit.exe
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:Program FilesCoxApplicationsappAuthBHO.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:WINDOWSSystem32
vms.dll
O2 - BHO: (no name) - {CA73B45E-5EEE-433C-9EDC-2550D38B77C2} - C:WINDOWSSystem32vvl.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:WINDOWSSystem32msbe.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:Program FilesCoxApplicationsappAuthBHO.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM..Run: [Lexmark X1100 Series] "C:Program FilesLexmark X1100 Serieslxbkbmgr.exe"
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [exp.exe] C:WINDOWSSystem32exp.exe
O4 - HKLM..Run: [WinTask driver] C:WINDOWSSystem32wintask.exe
O4 - HKLM..Run: [checkrun] c:windowssystem32eliteewc32.exe
O4 - HKLM..Run: [p4mX37l] dcomdmat.exe
O4 - HKLM..Run: [exp] C:WINDOWSSystem32exp
O4 - HKLM..Run: [MSConfig] C:WINDOWSPCHealthHelpCtrBinariesMSConfig.exe /auto
O4 - HKLM..Run: [SpIDerNT] C:PROGRA~1DrWebspidernt.exe /agent
O4 - HKLM..Run: [SpIDerMail] "C:Program FilesDrWebspiderml.exe"
O4 - HKLM..Run: [DrWebScheduler] "C:Program FilesDrWebDRWEBSCD.EXE"
O4 - HKLM..Run: [SurfSideKick 3] C:Program FilesSurfSideKick 3Ssk.exe
O4 - HKLM..Run: [winsync] C:WINDOWSSystem32jpjnbo.exe reg_run
O4 - HKCU..Run: [MSMSGS] "C:Program FilesMessengermsmsgs.exe" /background
O4 - HKCU..Run: [CAS Client] "C:Program FilesCasClientcasclient.exe"
O4 - HKCU..Run: [Epr] C:Program Filesoasumnto.exe
O4 - HKCU..Run: [Awk] C:WINDOWSSystem32j?vaw.exe
O4 - HKCU..Run: [SurfSideKick 3] C:Program FilesSurfSideKick 3Ssk.exe
O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerRestrictions present
O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerControl Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSweb
elated.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:WINDOWSweb
elated.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengerMSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengerMSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:windowssystem32drwebsp.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32drwebsp.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32drwebsp.dll
O10 - Unknown file in Winsock LSP: c:windowssystem32drwebsp.dll
O17 - HKLMSystemCCSServicesTcpip..{1F85A532-C4AE-45E3-9D82-6D7F1BB3FCD2}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLMSystemCCSServicesTcpip..{7663274E-99DB-4D9A-8BBE-7EB75440AEC8}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLMSystemCS1ServicesTcpip..{1F85A532-C4AE-45E3-9D82-6D7F1BB3FCD2}: NameServer = 69.50.184.86,85.255.112.9
O17 - HKLMSystemCS2ServicesTcpip..{1F85A532-C4AE-45E3-9D82-6D7F1BB3FCD2}: NameServer = 69.50.184.86,85.255.112.9
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:Program FilesCasClientcasmf.dll
O20 - Winlogon Notify: OptimalLayout - C:WINDOWSsystem32vlajet32.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:WINDOWSsystem32LEXBCES.EXE
O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web Ltd - C:Program FilesDrWebSpiderNT.exe

Thanks for any help you can give.

Squeak

#6 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:02:01 PM

Posted 22 July 2005 - 12:46 PM

Hi Squeakity,

Watch the HJT Log forum for one of our Volunteer Techs to respond to your log there.
The fixes will not be provided in this forum.

Please be patient, it willl take some time to help you as they are all very busy.

Regards,
Koan

(I'll put a referal link from your log back to this thread to assist the Techs.)
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#7 thedon57

thedon57

  • Members
  • 286 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Eastbourne East Susex UK
  • Local time:06:01 PM

Posted 22 July 2005 - 01:09 PM

Hi i think both your computers need a good antivirus installed on them, and then run,if it finds anything it puts it in a chest this is the one i use,where you can leave it for 30 days, what happens is this, as it removes the infested virus to the chest it builds a new one and so on.

The buzz on your computer when it starts up is because it is under load that can be sorted once te rest of it is done.
Now installed Microsoft Security Essencials on my Tower with Windows Home Premium 32bit and Toshiba Satellite Pro Laptop with Windows Home Premium 64bit

#8 Scarlett

Scarlett

    Bleeping Diva


  • Members
  • 7,479 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:As always I'm beside myself ;)
  • Local time:01:01 PM

Posted 02 August 2005 - 09:27 PM

To whom it may concern, Squeakity's HJT log is here:

http://www.bleepingcomputer.com/forums/ind...=0&#entry149909

I think that this topic should now be closed. To prevent anyone from posting replies, which would only confuse the member seeking help.

BTW Squeakity your log has been replied to.

Edited by Scarlett, 02 August 2005 - 09:35 PM.

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users