yoursearch.ws infection


#1
thebup
Several days ago I was on the Web and my computer froze up and it was clear something was being downloaded to it without my permission. I stopped, shut down all browsers and apps and rebooted. Upon reboot, my homepage had been changed to yoursearch.ws and several other pages with yoursearch.ws had been added to my Favorites.

Also upon restart I get these error messages:

osa.exe application error
The instruction at "0x779234da" referenced memory at "0x00000014"
the memory could not be "read"

Click OK to terminate the program.

explorer.exe has generated errors and will be closed by windows. You will need to restart the program.

An error log is being generated.

________________________________________________________

Upon shutdown I get these messages:


drwtsn32.exe - DLL initialization failed

The application failed to initialize because the window station is shutting down.

OK

End program - msoffice.exe

The program is not responding................

End Now

End program - explorer.exe

The program is not responding................

End Now

________________________________________________________________


As per your instructions I have run Adaware, cwShredder, spybot and pandaActiveScan.

Here are the things Panda found and fixed:

1st scan;


Incident Status Location

Virus:Bck/Dumador.O Disinfected Operating system
Possible Virus. No disinfected C:\WINNT\prntsvra.dll
Virus:Trj/Dumarin.D Disinfected Operating system
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\dcharles\Local Settings\Temporary Internet Files\Content.IE5\6JC39N8M\proc[1].jar[Jvb.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\dcharles\Local Settings\Temporary Internet Files\Content.IE5\6JC39N8M\proc[1].jar[MainApp.class]
Possible Virus. No disinfected C:\WINNT\prntsvra.dll
Virus:Trj/Qhost.AF Disinfected C:\WINNT\system32\drivers\etc\hosts
Virus:Trj/Downloader.BEH Disinfected C:\WINNT\system32\icasServ.exe
Virus:Bck/Dumador.O Disinfected C:\WINNT\winsms.dll
2nd scan;


Incident Status Location

Virus:Bck/Dumador.O Disinfected Operating system
Virus:Trj/Downloader.BMZ Disinfected C:\WINNT\prntsvra.dll
Virus:Bck/Dumador.O Disinfected C:\WINNT\winsms.dll
_______________________________________________________________

At this point the computer seems to be running pretty much OK. However, even after running these programs I'm still getting the above mentioned errors. Also, for some reason, I'm able to maximize browsers, applications, etc. from the ShortCut toolbar (at the bottom of my desktop) but I've lost the ability to minimize them using a "one click" from the toolbar. I have to go up to the top of page and hit the minimize in the upper right hand corner. I know it's a minor problem, but it's a hassle when you're busy.

Anyway, here's my HijackThis log. It looks like your recommended programs have fixed a majority of the problems, but it seems like some of this scumware is either still on my system or may have damaged some components and they need to be fixed.

I just want to make sure this system has been cleaned up so I can begin to better secure it as per your instructions.

Please help

Thanks

________________________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 9:13:47 AM, on 4/1/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\WorldWide Dial Service\WWDS\InSight\ARUpld32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\WorldWide Dial Service\WWDS\InSight\ARMon32a.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINNT\System32\RAS\update.exe
C:\WINNT\System32\lmsxxef.exe
C:\WINNT\System32\winldra.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\jeem stuff\Code Downloads\geekstogo\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cenco.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yoursearch.ws/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WWDS] C:\WINNT\System32\RAS\update.exe
O4 - HKLM\..\Run: [XE Fax LM Status] lmsxxef.exe
O4 - HKLM\..\Run: [load32] C:\WINNT\System32\winldra.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: UltraEdit-32 Help.lnk = C:\jeem stuff\Code Downloads\Ultraedit\Ultraedit Files\uedit32.hlp
O4 - Global Startup: UltraEdit-32 Order Form.lnk = C:\jeem stuff\Code Downloads\Ultraedit\Ultraedit Files\uedit32.exe
O4 - Global Startup: UltraEdit-32 Read Me.lnk = C:\jeem stuff\Code Downloads\Ultraedit\Ultraedit Files\uedit32.exe
O4 - Global Startup: UltraEdit-32 Text Editor.lnk = C:\jeem stuff\Code Downloads\Ultraedit\Ultraedit Files\uedit32.exe
O4 - Global Startup: UltraEdit-32 Uninstall.lnk = C:\jeem stuff\Code Downloads\Ultraedit\Ultraedit Files\Uninstall.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.EXE
O4 - Global Startup: XE_fx Status Monitor.lnk = C:\Program Files\XWC_90fx\X9ENGSS.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .m2v: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BF116476-3238-4EDA-A2D7-6D6814EF0DEC} (Quicksilver Class) - http://vapwbc.ops.pl...quicksilver.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://D:\AUTORUN\Flash\swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55F88A01-F7E2-426A-AA11-1AA9F942F850}: NameServer = 163.39.250.190,163.39.252.78
O21 - SSODL: iEJXDgSWty - {CC675CB3-66CD-F619-D765-70D6AFC9B12B} - C:\WINNT\System32\bjo.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Visual IP InSight Client (CitiGroup-WWDS) (InverseLaunchIPI_CitiGroup:WWDS) - Visual Networks - C:\Program Files\WorldWide Dial Service\WWDS\InSight\LaunchIPI.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
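As an added illustration (not part of the original thread, and not HijackThis's own code), a small Python triage script that parses lines in the HijackThis format shown above and lists the entries a helper would verify first: start pages that point away from the expected host, Run entries launched by bare name or from System32, and SSODL loads. The sample lines are copied from the log above; the expected home host www.cenco.com is an assumption taken from the R0 line.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a few lines copied from the HijackThis log in the post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cenco.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yoursearch.ws/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [load32] C:\WINNT\System32\winldra.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O21 - SSODL: iEJXDgSWty - {CC675CB3-66CD-F619-D765-70D6AFC9B12B} - C:\WINNT\System32\bjo.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")   # "O4 - ..."
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")         # "[name] command"

def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis item line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out

def exe_path(cmd):
    """First token of a Run command, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""

def triage(entries, expected_host):
    """Heuristic review list: items a responder should check by hand."""
    findings = []
    for sec, body in entries:
        if sec in ("R0", "R1"):
            parts = body.split("=", 1)
            url = parts[1].strip() if len(parts) == 2 else ""
            if urlparse(url).hostname != expected_host:
                findings.append((sec, "browser start/default page set to " + url))
        elif sec == "O4":
            m = O4_RE.search(body)
            path = exe_path(m.group("cmd")) if m else ""
            bare = "\\" not in path                  # resolved via PATH: origin ambiguous
            sys32 = "\\system32\\" in path.lower()   # common drop location for malware
            if bare or sys32:
                findings.append((sec, "Run entry [%s] launches %s; verify publisher"
                                 % (m.group("name") if m else "?", path)))
        elif sec == "O21":
            findings.append((sec, "SSODL entry loads a DLL into Explorer at logon: " + body))
    return findings

if __name__ == "__main__":
    for sec, note in triage(parse_hjt(SAMPLE_LOG), "www.cenco.com"):
        print(sec, note)
```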
#2
thebup
Is there anyone out there who can help with this situation and reply to this post?

Pandascan seems to be the only thing that really works. All the other apps that you guys recommended either crash when I run them or they don't find anything. Panda seems to find stuff and "fix" it.

However, I'm still getting these error messages and the system REALLY slowed down after I installed Sun's Java. I'm still worried that there's still stuff on here that could do bad things. I depend on this machine for work and I've avoided using it because I don't want stuff compromised. So, this situation is really messing me up.

It's been several days and I haven't gotten any response. I realize you are volunteers and I'm trying to be patient. But I'd be willing to pay something to get this expedited. Is there any way to get this moving quicker or can you recommend a service that will help me in a more timely manner?

Thanks