coolwwwsearch.homesearch (virus?) [RESOLVED]


#16 musicdex (Topic Starter, Member, 11 posts)

That's good news about the MWav scan! I went ahead and manually deleted the infected files in my Norton Quarantine. Here's a new copy of a Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 9:05:15 PM, on 8/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Yo Daddy\Desktop\Virus Help\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.c...ex.html&.src=my
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/.../GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe

#17 Kat (Retired Staff, MVP, 19,711 posts)

Hello again musicdex! :tazz: Is everything still running ok? Your logs are coming back clean! :)

Do you want to dig deeper to be sure there's nothing else lurking? If not, let's get you a clean restore point:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Check Turn off System Restore.
   Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   UN-Check *Turn off System Restore*.
   Click Apply, and then click OK.

Let me know what you think! After all, it's *your* pc! :) I'll do whichever you like.

#18 musicdex (Topic Starter, Member, 11 posts)

Hi, Kat. I'm glad to hear my logs are looking clean. Regarding cleaning up more or setting a clean restore point, what do you recommend? If you think I could benefit from more "cleaning" (even if I try digging deeper and nothing is found), I think I'd rather be safe and search deeper just in case something else is still "lurking".

Out of curiosity, I thought I'd look at the options on my System Restore tab. Just logged in as me, and not Administrator, I was able to see the System Restore tab on the My Computer properties box. I clicked on the tab, but then things went south. Not only did I not see any "Turn off System Restore" to check/uncheck (I wasn’t going to check/uncheck, just see if they were there), I got a couple of messages that my pc popped up for me.

The first was ""Run a Dll as an App" has encountered a problem and needs to close." When I clicked on "More Info, click here", I saw:

"The following files will be included in this error report:
c:/documen~1/admini~/locals~1/temp/b481_appcompat.txt"

When I closed that out, another message popped up:

"DrWatson Postmortem Debugger has encountered a problem and needs to close.”

Again, I clicked on more info, and saw 2 other files that were “included in this error report”. I then decided to reboot in Safe Mode so I could log in as Administrator, thinking maybe that might make things work smoothly. I followed the same steps and got the same error messages. In both situations, I couldn’t close the My Computer properties box. I had to reboot each time just to get rid of it (it wasn’t listed in running Applications, and I didn't recognize it in running Processes).

Once out of Safe mode, I was going to reply to you and include what the error reports said, so I tried searching on my pc for them, but no luck. I’m guessing they’re only visible in Safe mode when I’m logged in as Administrator. Not sure if they were something you’d like to see or not.

Musicdex

#19 Michelle (Retired Staff, Malware Removal Goddess, 8,928 posts)

Hello Musicdex :)

Out of curiosity, did you replace your hard-drive on this system?

This should get you fixed up (please let us know if you run into any problems!)

Go to Start > Run then type:

services.msc

Click OK.

Scroll down the list for the following service:

System Restore Service

When you find it, right-click on it and choose Properties.

Under Startup type choose Disabled, click Apply, click OK.

Then right-click My Computer, click Properties, and click the System Restore tab.

Everything should display properly (being able to turn it on and off etc.)

Finally, enable System Restore, then reboot :tazz: .

Edited by Michelle, 28 August 2005 - 12:48 AM.


#20 musicdex (Topic Starter, Member, 11 posts)

Michelle:

Yes, I changed my hard-drive setup a few months back. I added a second hard-drive. I made that my master, and my original became the slave. My brother, who knows a little bit about computers, helped me set it up, so I don't know what he did to get things going.

I followed your instructions, which then allowed me to follow Kat's, and everything worked perfectly! What about the entries that still show in my Registry? Are they ok there, or should I get rid of them somehow? I worry because many of them are the programs that persistently tried to get my pc to connect to the internet (fortunately my Sygate firewall warned me about it and I was able to prevent their connection). Although they're no longer acting like this, I wasn't sure if they are ok in my Registry or not.

#21 Kat (Retired Staff, MVP, 19,711 posts)

:) Awesome!! I'm so glad that worked!!! :tazz: Those registry entries are just remembered searches performed on a search engine and on your computer, so there is no harm whatsoever! :)

Everything else good now??

#22 musicdex (Topic Starter, Member, 11 posts)

Yes, everything seems to be back to normal now. I can't thank you enough for all the help you've provided. I'm definitely going to make a donation to Geeks To Go to show my appreciation for all the kind and considerate help you guys have provided. Thanks!!!

#23 Kat (Retired Staff, MVP, 19,711 posts)

Congratulations! Your log is now clean! :tazz:

Here are some items that you will want to add to your to-do list:

These are some tips to reduce the potential for Spyware/Adware/Virus infection in the future:
I would strongly recommend reviewing and installing the following applications if you don't currently have them running on your system:

Use Anti-Virus Software
It is very important that your computer has Anti-Virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online and stand-alone Anti-Virus programs:
Virus, Spyware, and Malware Protection and Removal Resources

Update your AntiVirus Software
It is imperative that you update your Anti-Virus software at least once a week (even more if you wish). If you do not update your Anti-Virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall
I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

Spyware/Adware Detection and Removal Programs:
Understanding Spyware, Browser Hijackers, and Dialers
  • Ad-Aware SE
    If you suspect that you have spyware installed on your computer, here are instructions on how to set up and use Ad-Aware SE:
    How to use Ad-Aware SE to remove Spyware
  • Spybot S&D
    If you suspect that you have spyware installed on your computer, here are instructions on how to set up and use Spybot S&D:
    How to use Spybot to remove Spyware
I strongly recommend using both of these programs to catch most spyware/adware.

Prevention Programs:
  • SpywareBlaster -- SpywareBlaster will prevent spyware from being installed.
  • SpywareGuard -- SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad -- IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts File -- The MVPS Hosts File replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar -- Get the free Google Toolbar to help stop pop-up windows.
Other Necessary Programs:
  • A More Secure Browser
    Internet Explorer is not the most secure and best browser.
    There are safer and better alternatives available. I recommend using Firefox
Be sure to also keep up with Windows and IE updates.

Windows Security and Critical Updates
http://v4.windowsupdate.microsoft.com/en/default.asp

Internet Explorer Security and Critical Updates
http://www.microsoft.com/windows/ie/default.asp

And also see TonyKlein's good advice
So how did I get infected in the first place?

Update all these Programs Regularly: Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically.

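The MVPS Hosts File item in the list above describes a mechanism rather than a product: Windows consults the hosts file before asking DNS, so a line that maps an ad or tracking name to 127.0.0.1 keeps the machine from ever reaching it. The Python below is an added example for this thread, not MVPS code or anything from the posters: it parses a hosts file in that style (comments, several names per line, malformed lines) and reports which names are sinkholed to the local machine. It goes one step past the bullet by also listing names that the file sends to some other address, since the same mechanism can point a real site somewhere else, which is the kind of entry HijackThis reports under O1. The sample file is constructed.

```python
"""Added example: how a hosts-file sinkhole works, and how to audit a hosts file.

Not MVPS code; written for this thread. The sample hosts content is constructed.
"""
import ipaddress

# Constructed sample in the MVPS style: comments, mixed spacing, several names per line.
SAMPLE_HOSTS = r"""
# constructed example, not the real MVPS list
127.0.0.1       localhost
127.0.0.1   ads.example.net          # [ad server]
127.0.0.1   tracker.example.org   banner.example.org
0.0.0.0     popups.example.com
# the next line sends a real-looking name to a third-party address instead of blocking it
192.0.2.10  www.search-example.com
junk line without an address
"""


def parse_hosts(text):
    """Map lower-cased hostname -> address string; the first entry for a name wins, as the resolver does."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # first field is not an address: the resolver ignores the line, so do we
        for name in parts[1:]:
            mapping.setdefault(name.lower(), str(addr))
    return mapping


def is_sinkholed(mapping, hostname):
    """True if the hosts file keeps this name on the local machine (127.x.x.x or 0.0.0.0)."""
    addr = mapping.get(hostname.lower())
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def audit(mapping):
    """Split entries into names that are blocked and names redirected to a routable address."""
    blocked, redirected = [], []
    for name, addr in mapping.items():
        if name == "localhost":
            continue
        (blocked if is_sinkholed(mapping, name) else redirected).append((name, addr))
    return sorted(blocked), sorted(redirected)


if __name__ == "__main__":
    blocked, redirected = audit(parse_hosts(SAMPLE_HOSTS))
    print("blocked:", [n for n, _ in blocked])
    print("redirected elsewhere (review these):", redirected)
```

On the constructed file the four ad and tracking names come back as blocked, and the one entry that points a name at 192.0.2.10 is singled out for review. That second list is the useful one when checking a machine that has been hijacked: a blocking hosts file should contain only local addresses, so anything else in it was put there for a different reason.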

#24 Kat (Retired Staff, MVP, 19,711 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.