
HELP! Under attack from everything!


#1 Chizz



Posted 20 December 2004 - 01:29 PM

Hi there, I’ve got some major problems with my computer that just won’t seem to go away whatever I do - I’ve literally spent the whole week trying to fix things myself but nearly every time I got rid of something it would just show up again later on. So then I tried some of the recommended software programs that were supposed to clean my computer up like Spybot, Ad-Aware, Spy Sweeper and Norton Anti-virus and once again they seemed to get rid of a lot of things, and once again most of these things would just come back onto my computer later on. So I think the time has come for me to bring out the white flag and call in some expert help…

What I thought I would do is put down everything I know about my situation so far, as well as including a HijackThis log so you can get an idea of what’s going on with my system (although I really don’t think the log itself gives a full picture of my problems). I also thought that this approach might be helpful to other people in identifying similarities with their own situations and seeing what actions they need to take to get rid of a particular program.

As I understand it, I’ve been infected with some adware/spyware programs, most of which I seem to be able to identify and ‘delete’ from my computer easily enough, but either I’m not removing them permanently or there’s something still there that is putting them right back on my computer the next time I go online (and most probably it’s both of these). In fact, I’m pretty sure that some of these programs are even putting new spyware onto my system because every time I get rid of some I seem to have more of them coming back! But the fact is, I can’t get rid of these programs either by myself or by using software that is supposed to do the job for me…

As far as what particular spyware programs I’m actually suffering from go, here’s a list of all the problem files that I have identified so far, and as far as I know they are all still on my system in some way or another:

1) A program and folder called “Sed” which also placed a program in my startup
2) A program and folder called “Vbouncer” or “VirtualBouncer” while “VBouncerInner” appeared in my startup
3) A program and folder called “AdDestroyer”
4) A program called RH.exe which has a folder called “Recommended Hotfix – 421701D” and which has been identified as being “downloadware”
5) A program/dialler called “GlobalEAccess” which I think I managed to remove from my system, but now instead I keep getting pop ups trying to get me to download the program again and the only way I can find to close down the window is to end the Internet Explorer process
6) A program called “CoolWWSearch” which I’ve never been able to find or remove from my system (and “CWShredder” doesn’t work on it)
7) A program/folder called WtoolsA (and other related files) which also showed up in my startup
8) A program from a company called “Network Essentials” (but I haven’t been able to identify any particular folders or files that are causing the problems on my computer, I just know that it’s there and from these people)
9) A program called “TB_Setup” that appeared in my startup
10) Programs called “WksSb”, “WkDetect” and “Wkfud” that seem to be related to each other and all appeared in my start-up
11) Programs called “csrss.exe”, “winlogon.exe” and “services.exe” that were running as active tasks in addition to the legitimate versions of these processes
12) I also seem to have something (or things) that messes with my HOSTS file and adds things to it that shouldn’t be in there. However, every time I edit it and take out the ‘bad’ entries, they just put themselves back on a little later! I’ve tried using a few programs to ‘lock’ my HOSTS file but they never seem to actually do it, and so I’m stuck with either leaving the entries in there, or constantly editing the file. I’m putting in a copy here of what entries usually show up in my HOSTS file:

www.igetnet.com
code.ignphrases.com
clear-search.com
r1.clrsch.com
sds.clrsch.com
status.clrsch.com
www.clrsch.com
clr-sch.com
sds-qckads.com
status.qckads.com
auto.search.msn.com
search.netscape.com
ieautosearch
ieautosearch
ieautosearch

Anyways, that’s a list of all the problems I seem to have come across so far, and as you can see it’s a pretty long list! I’m sorry to have written so much, but I thought that the more information I could give to you, the more help you could give me in return - And right now I’ll really take any help I can get! (And feel free to make your help/instructions real simple, cause I only know a bit about computers…)

So I think the only thing left for me to do is say thank you in advance for reading this and hopefully helping me, and to put in a copy of my HijackThis log so you can take a look at a few things yourselves –

Logfile of HijackThis v1.99.0
Scan saved at 17:52:23, on 19/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O1 - Hosts: auto.search.msn.com
O1 - Hosts: search.netscape.com
O1 - Hosts: ieautosearch
O1 - Hosts: ieautosearch
O1 - Hosts: ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Guard-IE - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\Program Files\GuardIE\PnIE.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtaET2S.EXE
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: @C:\Program Files\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\GuardIE\PnIE.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by1fd.bay1.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C14669D8-FC89-43DF-AFA5-529603A45EDC}: NameServer =
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

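A small triage helper for the HijackThis log format shown above. This is an added example, not a tool from the thread or from BleepingComputer; the log lines embedded in it are constructed in the same shape as the poster's log, and it assumes the system directory is C:\WINDOWS\system32 as the log itself shows. It flags the three things the first post describes: O1 HOSTS redirections, core Windows process names running from outside System32 (the extra csrss.exe/winlogon.exe/services.exe), and O4 autostart entries that give no full path (such as VTPreset.exe and Alaunch), which are resolved by a PATH search at logon.

```python
import re

# Constructed sample in HijackThis v1.99 line format (not the full log above).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\csrss.exe
C:\Program Files\HJT\HijackThis.exe

O1 - Hosts: auto.search.msn.com
O1 - Hosts: ieautosearch
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [LaunchApp] Alaunch
"""

# Core Windows process names that should only ever run from the system directory.
SYSTEM_PROCS = {"csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "smss.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"  # assumption: matches the XP layout in the log

def triage(log_text):
    """Return a list of (reason, line) findings that deserve a closer look."""
    findings = []
    in_procs = False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            name = line.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_PROCS and not line.lower().startswith(SYSTEM_DIR):
                findings.append(("system process name outside System32", line))
            continue
        if line.startswith("O1 - Hosts:"):
            # Any O1 entry means the HOSTS file is overriding normal name resolution.
            findings.append(("HOSTS redirection", line))
        elif line.startswith("O4 - "):
            m = re.match(r"O4 - .*?: \[[^\]]*\] (.*)", line)
            target = m.group(1).strip().strip('"') if m else ""
            if target and "\\" not in target:
                findings.append(("autostart with no full path", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```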



#2 daveai



Posted 22 December 2004 - 05:46 PM

Chizz -- Thanks for sending your HijackThis log.

The detail in your first post is very helpful.

I think you may have a new variant of the Look2Me infection. To start, we'll need to gather some more information about your system.

Since this infection changes its filenames on every reboot, please do not reboot once you start collecting information for me.

1 -- Run a full scan using Ad-aware with the most recent reference file, and delete anything it finds to remove as much as possible before starting.

2 -- Reboot and download these 2 utilities so you have them ready.

Dllcompare (version) (will scan for locked files created by VX2)

Killbox (version), which will be responsible for removing the files found

3 -- Using DllCompare

Copy the dllcompare.exe to your desktop, don't just run it from the download site.

It is preset to scan the System32 directory, so nothing other than you clicking the [Run locate.com] button is required.

When the scan is complete, you will see in blue "Completed the scan, Click Compare to Continue", at which time you will click the [Compare] button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.

In a few minutes it will complete (in blue: Completed). Click the button [Make a Log of what was Found].

Copy and paste this log into your reply to this message.

Also include a fresh HijackThis log.

I'll follow up with the next instructions for using killbox.

"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous
