
Help - Winword.exe Virus/spyware?


This topic is locked
33 replies to this topic

#1 system366

  • Members
  • 51 posts
  • Gender:Not Telling
  • Location:a

Posted 03 April 2007 - 07:27 PM

Hello... I have recently noticed that there seems to be a constant process called Winword.exe running. I just thought I would get this checked out in case it's anything bad, because I don't know. I have read some other forums and there have been different views from several people.

If this info helps, I use:

Outlook Express 6
MS Word (latest, but can't remember version name)
MS WordPad
MS Notepad

Please help, it would be much appreciated =]

Thanks in advance

-Nick-


I have attached my HijackThis log, which I did at 02:20AM on 04/04/2007

Attached Files


Edited by system366, 03 April 2007 - 07:29 PM.



#2 sjpritch25

  • Security Colleague
  • 895 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 06 April 2007 - 09:20 AM

Welcome to BC !!!!! :thumbsup:

You have a file I would like you to get analyzed. Please go to VirusTotal. At the very top of the website, you will see a Browse button. Use that to search for this file: C:\WINDOWS\system32\p2pnetsi.dll. Then click on Send. This could take between 30 seconds and a couple of minutes. When you get the results, open Notepad, highlight the results, copy them to Notepad and save it as "Scan.txt". Save the text file "Scan.txt" to your desktop. Please include the file in your next post.


Note: You may need to unhide hidden files and folders.
Configure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.


=======================================

Download Combofix and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


Note: It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Microsoft MVP Consumer Security--2007-2010

#3 system366 (Topic Starter)

Posted 09 April 2007 - 05:25 PM

Ok, here are the results of the scan:

Antivirus      Version          Update       Result
AhnLab-V3      2007.4.10.0      04.09.2007   no virus found
AntiVir        7.3.1.48         04.09.2007   ADSPY/Stud.A.29
Authentium     4.93.8           04.09.2007   no virus found
Avast          4.7.936.0        04.08.2007   Win32:Trojano-3384
AVG            7.5.0.447        04.08.2007   Adware Generic.RSB
BitDefender    7.2              04.09.2007   Adware.Stud.A
CAT-QuickHeal  9.00             04.09.2007   no virus found
ClamAV         devel-20070312   04.09.2007   Adware.BHO-12
DrWeb          4.33             04.09.2007   Trojan.DownLoader.6588
eSafe          7.0.15.0         04.09.2007   no virus found
eTrust-Vet     30.7.3556        04.09.2007   no virus found
Ewido          4.0              04.09.2007   Downloader.Small.cgu
FileAdvisor    1                04.10.2007   no virus found
Fortinet       2.85.0.0         04.09.2007   no virus found
F-Prot         4.3.1.45         04.08.2007   W32/Adware.ENL
F-Secure       6.70.13030.0     04.09.2007   no virus found
Ikarus         T3.1.1.3         04.09.2007   not-a-virus:AdWare.Win32.Stud.a
Kaspersky      4.0.2.24         04.10.2007   not-a-virus:AdWare.Win32.Stud.a
McAfee         5004             04.09.2007   no virus found
Microsoft      1.2405           04.09.2007   no virus found
NOD32v2        2175             04.09.2007   a variant of Win32/Adware.BHO.AA
Norman         5.80.02          04.09.2007   W32/Stud.R
Panda          9.0.0.4          04.09.2007   Adware/KeenValue

Additional Information
File size: 29221 bytes
MD5: 8977e0289572ca5c933060097877a6d3
SHA1: f8bfc35cb1af0127ae812d2d642e913bafe55909
packers: UPX

Edited by system366, 09 April 2007 - 08:00 PM.
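One way to read a result block like the one above programmatically, as an added example that is not code from the post, from VirusTotal or from BleepingComputer: it splits each pasted line into engine, version, update date and result, counts which engines raised a detection and which name tokens (Adware, Stud, BHO, ...) recur across them, and compares a file's MD5 and SHA-1 against the digests the report lists so a copy found elsewhere can be checked against the same sample. The result lines are the ones posted above; the set of "clean" result wordings (CLEAN_RESULTS) and the stand-in bytes hashed at the end are assumptions.

```python
import hashlib
import re
from collections import Counter

# Constructed input: the VirusTotal result block posted above for
# C:\WINDOWS\system32\p2pnetsi.dll, pasted in as plain text (header line
# included, one engine per line, free-text result after the third column).
VT_RESULTS = """\
Antivirus Version Update Result
AhnLab-V3 2007.4.10.0 04.09.2007 no virus found
AntiVir 7.3.1.48 04.09.2007 ADSPY/Stud.A.29
Authentium 4.93.8 04.09.2007 no virus found
Avast 4.7.936.0 04.08.2007 Win32:Trojano-3384
AVG 7.5.0.447 04.08.2007 Adware Generic.RSB
BitDefender 7.2 04.09.2007 Adware.Stud.A
CAT-QuickHeal 9.00 04.09.2007 no virus found
ClamAV devel-20070312 04.09.2007 Adware.BHO-12
DrWeb 4.33 04.09.2007 Trojan.DownLoader.6588
eSafe 7.0.15.0 04.09.2007 no virus found
eTrust-Vet 30.7.3556 04.09.2007 no virus found
Ewido 4.0 04.09.2007 Downloader.Small.cgu
FileAdvisor 1 04.10.2007 no virus found
Fortinet 2.85.0.0 04.09.2007 no virus found
F-Prot 4.3.1.45 04.08.2007 W32/Adware.ENL
F-Secure 6.70.13030.0 04.09.2007 no virus found
Ikarus T3.1.1.3 04.09.2007 not-a-virus:AdWare.Win32.Stud.a
Kaspersky 4.0.2.24 04.10.2007 not-a-virus:AdWare.Win32.Stud.a
McAfee 5004 04.09.2007 no virus found
Microsoft 1.2405 04.09.2007 no virus found
NOD32v2 2175 04.09.2007 a variant of Win32/Adware.BHO.AA
Norman 5.80.02 04.09.2007 W32/Stud.R
Panda 9.0.0.4 04.09.2007 Adware/KeenValue
"""

# Digests of the sample exactly as reported in the post.
REPORTED_MD5 = "8977e0289572ca5c933060097877a6d3"
REPORTED_SHA1 = "f8bfc35cb1af0127ae812d2d642e913bafe55909"

# Result strings that mean "engine found nothing" (assumed wording; the
# 2007 report above used "no virus found").
CLEAN_RESULTS = {"no virus found", "clean"}


def parse_results(text):
    """Split each line into engine, version, update date and free-text result."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=3)
        if len(parts) < 4 or parts[0].lower() == "antivirus":
            continue  # blank line or the header row
        engine, version, update, result = parts
        rows.append({
            "engine": engine,
            "version": version,
            "update": update,
            "result": result,
            "detected": result.lower() not in CLEAN_RESULTS,
        })
    return rows


def summarize(rows):
    """Detection count plus how many engines used each name token."""
    detected = [r for r in rows if r["detected"]]
    keywords = Counter()
    for r in detected:
        # Count each token once per engine so one verbose name cannot dominate.
        tokens = {t for t in re.split(r"[^a-z0-9]+", r["result"].lower()) if t}
        keywords.update(tokens)
    return {
        "engines": len(rows),
        "detections": len(detected),
        "detecting_engines": [r["engine"] for r in detected],
        "keywords": keywords,
    }


def file_hashes(data):
    """MD5 and SHA-1 of the bytes, the two digests a VirusTotal report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def matches_report(data, md5=REPORTED_MD5, sha1=REPORTED_SHA1):
    """True only if BOTH digests of the bytes equal the reported ones."""
    h = file_hashes(data)
    return h["md5"] == md5.lower() and h["sha1"] == sha1.lower()


if __name__ == "__main__":
    summary = summarize(parse_results(VT_RESULTS))
    print(f"{summary['detections']}/{summary['engines']} engines flagged the file")
    print("most common name tokens:", summary["keywords"].most_common(5))
    # A constructed byte string stands in for a file read from disk.
    print("matches posted hashes:", matches_report(b"not the real sample"))
```

Looking at the token tally rather than any single engine's label is the useful part: here most of the names that do fire agree on adware/BHO-type behaviour, which is what the helper then acts on, and the hash comparison requires both digests to match so a near-miss on one is never reported as the same file.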


#4 sjpritch25

Posted 09 April 2007 - 07:02 PM

I need you to download ComboFix and post the results. I would recommend editing your post and removing your email, because you are going to get spammed. I need you to post here; I don't work via email.

#5 system366 (Topic Starter)

Posted 09 April 2007 - 08:18 PM

Wooooooo Spamness =D

Ok, I edited it out

I have attached the log you asked for

I would like to bring it to your attention that the 1st time I tried to run it (while other programmes were running),

in order:

MSN froze and closed

X-Fire died and brought up their error report

Windows error thingy showed up and said Explorer needed to close (as usual I clicked Don't Send)

Windows error thingy showed again with something like Dr... uhhh, can't remember, Doctor something though, was weird, never heard of it before, sounded as if it was supposed to be anti-virus / spyware software... I dunno

Then after I clicked Don't Send on there the computer locked up, couldn't do anything except move the mouse, and the keyboard wouldn't respond... I then hit the reset button and re-ran ComboFix while all programmes were closed

This time it only showed once with Explorer needing to close, I clicked Don't Send and the desktop went blank and reloaded (as usual)

So yeh, I dunno if this makes the log unusable in any way or makes it in any way less helpful, but here it is =]

Attached Files



#6 sjpritch25

Posted 09 April 2007 - 09:03 PM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


#7 system366 (Topic Starter)

Posted 10 April 2007 - 10:49 AM

Hio... ok... ever since I ran ComboFix I have been getting an error every time my desktop loads on start up... I figured it would go away after this scan thing... unfortunately it has not, should I attach a screen shot???? or even do a Check Disk?

Anyways... here's the SDFix log file and Catchme

Attached Files



#8 sjpritch25

Posted 10 April 2007 - 03:23 PM

Please attach a screen shot. Thanks.

#9 system366 (Topic Starter)

Posted 10 April 2007 - 05:20 PM

Okays, here is the screenshot =P

I put a red circle round the message box but also put 1 round a warning for Windows Update blah blah thing... I can't get rid of it? It keeps popping up and minimizing my game... How can I get rid of this please???

I went into (right click) My Computer > Manage > Services and Applications > Services > ... Nvm... I just realised what I did wrong and have now got rid of it, so you can ignore the lil pop up in my system tray which I circled =D

...Screen shot is attached below...

Attached Files



#10 sjpritch25

Posted 10 April 2007 - 05:41 PM

That's not a big deal. I can fix it, but I need you to post a fresh HijackThis log. Thanks.

#11 system366 (Topic Starter)

Posted 10 April 2007 - 09:46 PM

Hio... okays, here is the fresh log =] ummmm... I have installed and uninstalled about... 7/8 different programmes in about the last 15 minutes, so anything extremely strange that's suddenly there will be from one of them (testing some file security software and key loggers). May I ask for any suggestions on any good free ones if you know of any? =]

Fresh log is attached

Attached Files



#12 sjpritch25

Posted 11 April 2007 - 04:50 AM

Did you install Free Keylogger King??? If not then we need to remove it.



Download OTMoveIt by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt.exe to launch the program.
  • Please copy the file(s)/folder(s) paths listed below - highlight everything in red and press CTRL+C or right-click and choose Copy.
    • C:\WINDOWS\system32\p2pnetsi.dll
      C:\Program Files\Free Keylogger King
      C:\PROGRA~1\NEWDOT~1
  • Then in OTMoveIt, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results for each line will be displayed in the right-hand pane.
  • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Close the program when done.
  • Important! If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.
=====================================

Run HijackThis, and press "Do a System Scan Only".
1. When the scan is complete place a check mark next to the following entries:

O2 - BHO: (no name) - {9BDEDC58-0E6E-4D37-BE36-2D776AF3EA3F} - C:\WINDOWS\system32\p2pnetsi.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [winlogonsys.exe] C:\Program Files\Free Keylogger King\winlogonsys.exe

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...

=====================================

Download and scan with SUPERAntiSpyware Free for Home Users
alternate site
  • Double-click SUPERAntiSpyware.exe to install and use the default settings for installation.
  • Run SUPERAntiSpyware and update the definitions before scanning by selecting "Check for Updates".
  • When done, select "Scan for Harmful Software".
  • There are three scanning options available. Choose "Perform Complete Scan" and click "Next".
  • When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
  • Place a checkmark next to items you wish to remove/quarantine and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked to reboot, please do.
  • After reboot, double-click on the SUPERAntiSpyware icon on your Desktop.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad or WordPad).
  • Please highlight everything in the Notepad, then right-click and choose Copy.
  • In your next reply, please post those results and include a fresh HijackThis log.
  • Select Close to exit the program.
Note: If you encounter any problems while downloading the updates, manually download and unzip them from here.
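An added example, not part of the post and not code from HijackThis or OTMoveIt, that turns the O2/O4 lines listed above into structured records (entry type, registry key, run name, CLSID, referenced file paths) and cross-checks those paths against the OTMoveIt removal list from the same post, so that a fresh log can be checked for the same entries after the fix. The three flagged lines and the three indicators are the ones in the post; the benign "Example" entry, the regular expressions and the function names are assumptions.

```python
import re

# Constructed input: the three HijackThis entries the helper asked to have
# fixed, plus one benign entry (constructed, not from the OP's log) to show
# that only paths on the removal list are flagged.
HJT_LINES = [
    r"O2 - BHO: (no name) - {9BDEDC58-0E6E-4D37-BE36-2D776AF3EA3F} - C:\WINDOWS\system32\p2pnetsi.dll",
    r"O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s",
    r"O4 - HKLM\..\Run: [winlogonsys.exe] C:\Program Files\Free Keylogger King\winlogonsys.exe",
    r"O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe",  # constructed, benign
]

# The OTMoveIt list from the same post: files and folders to be removed.
INDICATORS = [
    r"C:\WINDOWS\system32\p2pnetsi.dll",
    r"C:\Program Files\Free Keylogger King",
    r"C:\PROGRA~1\NEWDOT~1",
]

# O2 = browser helper object, O4 = autostart entry (HijackThis section codes).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>.*?)\] (?P<command>.*)$")
# A drive-letter path that runs until a comma (rundll32 entry point), a
# " -switch", or the end of the command; spaces inside the path are kept.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?(?=,|\s-\S|$)")


def parse_entry(line):
    """Return a dict for an O2/O4 line, or None for anything else."""
    m = O2_RE.match(line)
    if m:
        return {"type": "O2", "name": m["name"], "clsid": m["clsid"],
                "paths": [m["path"]], "raw": line}
    m = O4_RE.match(line)
    if m:
        return {"type": "O4", "key": m["key"], "name": m["name"],
                "paths": PATH_RE.findall(m["command"]), "raw": line}
    return None


def is_indicator(path, indicators):
    """Case-insensitive match on the file itself or anything under a listed folder."""
    p = path.lower().rstrip("\\")
    for ind in indicators:
        i = ind.lower().rstrip("\\")
        if p == i or p.startswith(i + "\\"):
            return True
    return False


def flag_entries(lines, indicators):
    """Parse every line and keep the entries that reference a listed path."""
    flagged = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        hits = [p for p in entry["paths"] if is_indicator(p, indicators)]
        if hits:
            entry["hits"] = hits
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in flag_entries(HJT_LINES, INDICATORS):
        print(entry["type"], entry["name"], "->", entry["hits"])
```

The folder-prefix match is what catches the Free Keylogger King and NEWDOT~1 entries even though the removal list names the folders rather than the executables inside them; 8.3 short names such as PROGRA~1 are compared as written, so a long-name indicator would need its short form added alongside to match a short-name log line.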

#13 system366 (Topic Starter)

Posted 11 April 2007 - 11:18 AM

Yeh I did... I'm doing tech support for a learning centre... or more of a training centre I'm at, as they have nothing... so yeh, I was testing several security software, keyloggers and folder lockers... Free Keylogger King or whatever was one but it was bleep -.-

I did uninstall it but obviously it's left traces so I'll remove them still =P also atm I am using Actual Spy Keylogger =] it's awesome =P

Also it may help for you to know I use Folder Guard (file locking security stuff, yeh) so just thought I'd let you know as that might affect scans maybe? Although I disable protection when I scan
=P

Edited by system366, 11 April 2007 - 11:30 AM.


#14 system366 (Topic Starter)

Posted 11 April 2007 - 04:30 PM

Ok, I have done 4 scans (2 HijackThis - before and after - 1 OTMoveIt and 1 SUPERAntiSpyware)

I have numbered them in the order I did them =]

...All attached...

Attached Files



#15 sjpritch25

Posted 11 April 2007 - 08:11 PM

Panda Activescan
http://www.pandasoftware.com/products/activescan.htm
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.




