winsock.cfg and other mals?

#1 History
Your help appreciated.
My IE is now corrupt. Every few seconds it returns to a pirate home page, despite my Webroot Spysweeper repeatedly correcting it back to www.google.com.

I use the Mozilla Firefox browser almost exclusively (except for an important IE-based certificate connection to check medical information at my hospital, which is why I need to find this adware/spyware problem and correct it).

One adware message that pops up is:

Your IP address is 69.205.244.96. Using this address a remote computer '83.116.72.11' has gained an access to your computer and is collecting the information about the sites you've visited and the files contained in the folder 'My Documents'. Attention! Choose and download the software to kill this spyware.

Your private info is collected by winSock.cfg

Your IP address: 69.205.244.96
They know you're using: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Your computer is: OS: Windows
Risk status for further investigation: VERY HIGH RISK
Time of investigation: Sun May 8 18:58:55 MSD 2005


Neither my Webroot Spysweeper nor Trend Micro Internet Security (nor the multiple programs your instructions had me install and perform) have corrected the problem. The on-line scanning via Trend Housecall or Panda Activescan will run on Mozilla, and each time I select "Scan" on the Panda Activescan site using the corrupted IE, I am hijacked to the same ad site homepage I cannot eliminate.

My Webroot Spyware Log from this morning is:

10:11 AM:  Internet Explorer internal web pages restored to protected values
10:25 AM:  Your spyware definitions have been updated.
10:29 AM:  Sweep initiated using definitions version 483
10:29 AM:  Sweeping memory for active spyware.
10:29 AM:  Memory sweep has completed.  Elapsed time 00:00:07
10:29 AM:  Registry sweep initiated.
10:29 AM:    Found: 18 CommonName registry traces.
10:29 AM:    Found: 20 CWS_MSAS registry traces.
10:29 AM:  Registry sweep completed.  Elapsed time 00:00:31
10:29 AM:  Full sweep on all local drives initiated.
10:29 AM:    Now sweeping drive C:
10:45 AM:    Found: 0 file traces.
10:45 AM:  Full Sweep has completed.  Elapsed time 00:16:46
            29,410 files swept
            38 spyware traces located
10:46 AM:  Removal process initiated
10:46 AM:    Quarantining: CommonName
10:46 AM:      Registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\proxystubclsid
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\proxystubclsid32
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\typelib
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}||(-default-)
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\proxystubclsid||(-default-)
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\proxystubclsid32||(-default-)
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\typelib||(-default-)
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\typelib||version
10:46 AM:      Registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\proxystubclsid
10:46 AM:      Registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\proxystubclsid32
10:46 AM:      Registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\typelib
10:46 AM:      Registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}||(-default-)
10:46 AM:      Registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\proxystubclsid||(-default-)
10:46 AM:      Registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\proxystubclsid32||(-default-)
10:46 AM:      Registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\typelib||(-default-)
10:46 AM:      Registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\typelib||version
10:46 AM:    Quarantining: CWS_MSAS
10:46 AM:      Registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\0
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\flags
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\helpdir
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\0\win32
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0||(-default-)
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\flags||(-default-)
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\helpdir||(-default-)
10:46 AM:      Registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\0\win32||(-default-)
10:46 AM:      Registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0
10:46 AM:      Registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\0
10:46 AM:      Registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\flags
10:46 AM:      Registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\helpdir
10:46 AM:      Registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\0\win32
10:46 AM:      Registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0||(-default-)
10:46 AM:      Registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\flags||(-default-)
10:46 AM:      Registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\helpdir||(-default-)
10:46 AM:      Registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\0\win32||(-default-)
10:46 AM:    Cleaning Traces
10:46 AM:      Removing registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\helpdir
10:46 AM:      Removing registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\flags
10:46 AM:      Removing registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\0\win32
10:46 AM:      Removing registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\0
10:46 AM:      Removing registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0
10:46 AM:      Removing registry: HKEY_CLASSES_ROOT\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}
10:46 AM:      Removing registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\typelib|| (version)
10:46 AM:      Removing registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\typelib
10:46 AM:      Removing registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\proxystubclsid32
10:46 AM:      Removing registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\proxystubclsid
10:46 AM:      Removing registry: HKEY_CLASSES_ROOT\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}
10:46 AM:      Removing registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\helpdir
10:46 AM:      Removing registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\flags
10:46 AM:      Removing registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\0\win32
10:46 AM:      Removing registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0\0
10:46 AM:      Removing registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}\1.0
10:46 AM:      Removing registry: HKEY_LOCAL_MACHINE\software\classes\typelib\{1e1b286c-88ff-11d2-8d96-d7acac95951f}
10:46 AM:      Removing registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\typelib|| (version)
10:46 AM:      Removing registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\typelib
10:46 AM:      Removing registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\proxystubclsid32
10:46 AM:      Removing registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}\proxystubclsid
10:46 AM:      Removing registry: HKEY_LOCAL_MACHINE\software\classes\interface\{1e1b2878-88ff-11d2-8d96-d7acac95951f}
10:46 AM:  Removal process completed.  Elapsed time 00:00:01
          2 items (38 traces) quarantined.
10:47 AM:  Deletion from quarantine initiated
10:47 AM:    Processing: CWS_MSAS
10:47 AM:    Processing: CommonName
10:47 AM:    Processing: Security iGuard
10:47 AM:  Deletion from quarantine completed.  Elapsed time 00:00:00
10:51 AM:  Internet Explorer internal web pages restored to protected values
10:52 AM:  Internet Explorer internal web pages restored to protected values
10:52 AM:  Internet Explorer internal web pages restored to protected values
10:52 AM:  Internet Explorer internal web pages restored to protected values
11:13 AM:  Internet Explorer internal web pages restored to protected values

And a repeat scan found nothing, but the IE homepage and pop-up problems continue.

My HijackThis log is:

Logfile of HijackThis v1.99.1
Scan saved at 11:34:52 AM, on 5/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmonp.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\Office\WINWORD.EXE
C:\Documents and Settings\Robert\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpFE09.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration Myst Uru
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {45767DCE-A116-4ADD-9429-F72A0DAEA75A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {45767DCE-A116-4ADD-9429-F72A0DAEA75A} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30FC2FD9-1AB1-4638-B3D2-434B7CB11AD5} (Netilla Get Computer Name Control) - https://pamc.netilla...getcompname.cab
O16 - DPF: {37066585-F2BD-4F2E-A6C6-F2CB64EEE826} (Token Class) - https://pamc.netilla...illaPackage.CAB
O16 - DPF: {6299BA62-2020-463C-954A-512718E5A22E} (PiViewNet Control) - https://pamc.netilla...p/PiViewNet.cab
O16 - DPF: {6299BA62-2020-463C-954A-512718E5A23A} (PiViewNet Control) - http://192.168.65.53/PiViewNet.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?319
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetillaVPNService - Unknown owner - C:\WINDOWS\NVPNs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)


Your help is greatly appreciated.

Respectfully,
History
#2 Guest_nommork_*
Run at least two of these anti-spyware programs

Make sure all definition files are up to date for all programs.

Microsoft Windows AntiSpyware
http://www.microsoft...re/default.mspx

Ad-Aware SE
http://www.lavasoft....ftware/adaware/

For Ad-Aware SE, run a Full System Scan and an ADS scan.

Spysweeper
http://www.webroot.com

Ewido
http://www.ewido.net


Run at least two of the online AV scans:
http://www.trojanhunter.com/ Trojan hunter
http://www.pandasoft...n_principal.htm Panda Active Scan
http://housecall.trendmicro.com/ House Call (Trend Micro)
http://www.bitdefend...can/licence.php BitDefender Free OnlineVirus Scan
http://support.f-sec.../home/ols.shtml F-Secure Free OnlineVirus Scan
http://security.syma...IHKERRDTIPOKYJL Symantec Security Scan & Virus Detection
http://www.ravantivirus.com/scan/ RAV AntiVirus Online VirusScan
http://us.mcafee.com....asp?catid=free McAfee Antivirus scan
http://www.virus112....an_registration Danish Antivirus scan
http://support.f-sec.../home/ols.shtml F-SecureAntivirus scan

#3 History
Thank you for your post.
I have run Microsoft AntiSpyware and Ad-Aware SE (again) and TrojanHunter, the latter of which now leaves the following message, multiple times, on my desktop:

Unable to get a handle to proces 1496 (C:\WINDOWS\System32\intmon.exe)
Trying filename C:\WINDOWS\System32\intmon.exe3151.tcf
Renamed file: C:\WINDOWS\System32\intmon.exe to C:\WINDOWS\System32\intmon.exe3151.tcf
Trojan cleaning finished

with "3151" changed to "5147", etc.
and: File not found: C:\WINDOWS\System32\intmon.exe
and the major offender I cannot seem to remove from my Registry (per TrojanHunter) is PopUper.100:

Registry scan
Registry key exists: HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F} (matches Adware.CommonName.100)  (Regedit Jump)
Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\notepad2.exe (matches PopUper.100)


TrojanHunter also repeatedly finds: Adware.CommonName.100
But TrojanHunter has difficulty cleaning them. I receive the error message:

Access violation at address 0057E7C9 in module 'TrojanHunter.exe'. Read of address 00000057.


My HijackThis log is now:

Logfile of HijackThis v1.99.1
Scan saved at 10:34:49 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\tbctray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
C:\Program Files\Trend Micro\Internet Security\PCCGUIDE.EXE
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Robert\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavi...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavi...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpE647.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Registration Myst Uru
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {45767DCE-A116-4ADD-9429-F72A0DAEA75A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {45767DCE-A116-4ADD-9429-F72A0DAEA75A} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30FC2FD9-1AB1-4638-B3D2-434B7CB11AD5} (Netilla Get Computer Name Control) - https://pamc.netilla...getcompname.cab
O16 - DPF: {37066585-F2BD-4F2E-A6C6-F2CB64EEE826} (Token Class) - https://pamc.netilla...illaPackage.CAB
O16 - DPF: {6299BA62-2020-463C-954A-512718E5A22E} (PiViewNet Control) - https://pamc.netilla...p/PiViewNet.cab
O16 - DPF: {6299BA62-2020-463C-954A-512718E5A23A} (PiViewNet Control) - http://192.168.65.53/PiViewNet.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?319
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetillaVPNService - Unknown owner - C:\WINDOWS\NVPNs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)


Unless I update my Microsoft IE, the remaining online virus scans will not run. Because I use IE exclusively for a specific off-site hospital access (not previously compatible with some newer IE components, like Service Pack 2), I'll need to check with a hospital IS person before I upgrade. I'll let you know.

Respectfully,
History
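The two HijackThis logs in this thread are read by eye. As an added example (not code from the thread, from HijackThis, or from any of the tools mentioned), here is a small Python triage script that applies the checks a removal helper looks at first: an IE start or search page (R0/R1) pointing at a host outside a small allowlist, a Winlogon Shell value (F2) that is not just explorer.exe, a BHO (O2) with an all-F placeholder CLSID or loaded from a .tmp file, and an autostart under Policies\Explorer\Run (O4), which is where TrojanHunter reported notepad2.exe in post #3. The sample log embedded below is a subset of lines copied from the first log above plus one constructed O4 line; the host allowlist and the exact HijackThis formatting of a Policies\Explorer\Run entry are assumptions.

```python
"""Triage a HijackThis 1.99.x log and flag the entries worth looking at first.

Added example for this thread, not part of HijackThis.  The rules are
heuristics chosen to match the logs posted above; a real cleanup still
needs the full log and a current list of known-good entries.
"""
import re
from urllib.parse import urlparse

# Hosts a stock Windows XP / IE6 install points its start and search pages
# at.  Assumption: any other host in an R0/R1 line deserves a look.
EXPECTED_IE_HOSTS = ("microsoft.com", "msn.com", "google.com")

# "R1 - HKCU\...\Main,Search Bar = http://..." -> kind "R1", body is the rest.
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")


def host_of(url):
    """Hostname of an IE setting value, or None for about:blank / non-URLs."""
    url = url.strip()
    if url.lower() == "about:blank":
        return None
    return urlparse(url).netloc.lower() or None


def is_expected_host(host):
    return any(host == d or host.endswith("." + d) for d in EXPECTED_IE_HOSTS)


def triage_line(line):
    """Return (severity, reason) for a suspicious log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")

    if kind in ("R0", "R1"):
        # IE start/search page redirected away from the expected hosts.
        key, _, value = body.partition(" = ")
        host = host_of(value)
        if host is not None and not is_expected_host(host):
            return ("high", f"IE setting '{key.split(',')[-1]}' points at {host}")
        return None

    if kind == "F2":
        # system.ini Shell= should be exactly explorer.exe; anything appended
        # to it is launched at logon alongside the desktop.
        m2 = re.search(r"Shell=(.*)$", body)
        if m2 and m2.group(1).strip().lower() != "explorer.exe":
            return ("high", f"Winlogon Shell is '{m2.group(1).strip()}' instead of explorer.exe")
        return None

    if kind == "O2":
        # BHO lines end with "{CLSID} - path".  An all-F CLSID is a placeholder,
        # and a BHO served from a .tmp file is not a legitimate install.
        m2 = re.search(r"\{([0-9A-Fa-f-]+)\} - (.+)$", body)
        if not m2:
            return None
        clsid, path = m2.groups()
        if set(clsid.replace("-", "").upper()) == {"F"}:
            return ("high", f"BHO with placeholder CLSID {{{clsid}}} loading {path}")
        if path.lower().endswith(".tmp"):
            return ("high", f"BHO loaded from temp file {path}")
        return None

    if kind == "O4":
        # Assumption: HijackThis prints the policy autostart key in the body.
        if "policies\\explorer\\run" in body.lower():
            return ("medium", "autostart via Policies\\Explorer\\Run: " + body)
        return None

    return None


def triage(log_text):
    """Return a list of (line, severity, reason) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        result = triage_line(line)
        if result:
            findings.append((line.strip(), *result))
    return findings


# Lines copied from the first log in this thread (truncated URLs left out),
# plus a constructed last line standing in for the Policies\Explorer\Run
# value TrojanHunter reported in post #3.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\System32\hpFE09.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKLM\..\Policies\Explorer\Run: [notepad2.exe] notepad2.exe
"""

if __name__ == "__main__":
    for line, severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the sample it prints five findings: the two quicknavigate.com redirects, the extra msmsgs.exe on the Shell line, the placeholder-CLSID BHO in System32\hpFE09.tmp, and the policy autostart; the WinVNC, SpySweeper and Radio toolbar lines pass. The script only points at lines; whether an entry is fixed in HijackThis or left alone is still a judgment call against the rest of the log.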