
Virus, I Think!



#1
drake

<_< I downloaded and installed a program that will convert mp3 files into wav files. So I installed it and converted the files. Then I uninstalled the program. Now, I turned the computer on the next day and it was going so SLOW. I pressed Control, Alt and Delete and I saw that there were about 20 programs running. Normally there would be fewer than 8 programs running at a time. There is something on my computer that keeps installing things by itself. I leave my computer unattended and when I come back, something was installed on its own. I had to uninstall all the programs. Something installed toolbars on Internet Explorer. I am afraid to leave my computer because something will be installed on its own. There are these files called wjview and jview in the c:/windows folder. I delete them but they keep restoring themselves.

Sometimes my computer starts to get realllllly slow. Then I press Ctrl, Alt, Delete and I see this program called Winhost32 running. It runs for about a minute then stops.
#2
tazz1964

Welcome to the geekstogo :D

You may have spyware or a virus. On the main forums page go to virus/worms/security/safety. In there, in the first post (free antivirus/antispyware resources), there are free online virus scans. Run one of them and see if it finds any virus. Then I would download Spybot on the same page and run that. There is a help file in Spybot that tells you how to run it. After you run them, please repost and let us know whether that fixed it or not. If it doesn't help there are some other things to do.
Thank you
<_<

#3
admin

Hi drake, tazz has given you very good advice. <_<

Winhost32.exe and inetadpt.dll are from Virtumundo, Inc.
See http://www.kephyr.co...dpt/index.phtml
Remove this Spyware.

First download LSPfix here: http://www.cexx.org/lspfix.htm

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of inetadpt.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish.

Next, the inetadpt.dll entries are associated with winhost32, but I don't see a startup for winhost32.exe itself.
Use the KillBox to find and delete it: Download, unzip and run The Kill Box

Enter C:\WINDOWS\SYSTEM\WINHOST32.EXE as file to Kill.

You can find the free virus scan here

Spybot Search and Destroy can be found here, and there's a tutorial on using it here

It definitely sounds like you have other Spyware installed on your machine. Spybot S&D should remove it, but a virus scan is also a good idea, as is an anti-virus program running on your computer at all times (Norton, McAfee). :D

In the future you may want to consult Spyware Guide before installing free software on your computer. It has a database that will inform you if it contains Spyware.

#4
drake

I did that online virus scan and it said I had one virus. When I tried to delete it, I got an error saying the file was being used.

Virus=Troj Loom.a
Scan Result=Non-Cleanable
File=C:/Windows/System/msg{30561CCF-0E05-4DB6-B723-26A312B367BF}0111.dll.

I did a spyware/adware scan and it said I had 215 spyware/adware files. I deleted them all.

So far so good. The only thing is I don't know how to remove this toolbar from Internet Explorer.

Thanks for all the help <_< :D

Edited by drake, 07 November 2003 - 11:14 PM.


#5
tazz1964

Hi Drake,
You can try this and see if it removes that toolbar:
Tools>Internet>Advanced Tab
and remove the check in the box for "enable 3rd party browsers extensions".
You will have to restart your PC.
<_<

#6
admin

Troj Loom.a is actually a trojan horse infection. I couldn't find any reference to this specific trojan, but they are generally very nasty, and you DON'T want it on your computer. Try this program to scan and remove it (download the free 30 day trial).

#7
tazz1964

Sorry, I misread your post; I thought you got rid of that virus.
Admin, thank you for seeing that.

#8
drake

I got the 30 day free trial. And I did the scan but it didn't find a trojan.

Removing the check in the box for "enable 3rd party browsers extensions" worked.

#9
tazz1964

I looked for that trojan. I cannot find anything on it. I'm still looking for more on it. How did you get the name of it?
<_<

#10
tazz1964

drake,
Let's see if we can see if the file is running. Press Ctrl, Alt and Delete all at the same time, click on the Processes tab and see if you can see the file there. If it's not there, do you know how to use msconfig.exe in Run?
<_<
#11
admin

If we can see what's running on your PC, we can determine if it's a trojan. Download this and install. Run a scan with Hijack This. Most of the files listed will be harmless and/or required so do not make any changes, just click on Save Log, copy it and post it back in this thread. <_<

#12
admin

Hey Drake, I think I found a solution to your "trojan". It's actually some nasty Spyware/Foistware called Look2Me, also known as "Similar Singles".

Here's a solution to fix it.

1. Download the attached Remove.txt, save the file anywhere you like as (rename to) Remove.reg (save as 'all file types').

2. Doubleclick Remove.reg, and answer 'yes' when prompted to add its contents to the Registry.

3. Reboot when you're done.

4. Then delete the msg*******.dll file in C:\Windows (yours was called msgmsg{3957ab02-1bdf-4744-bde5-39a65e9551e9}0111.dll, but they're all different).

NOTE: Do NOT touch any of the following. They're Windows files: msg.exe, msg711.acm, msgsm32.acm, msgsvc.dll.


#13
drake

Logfile of HijackThis v1.97.3
Scan saved at 5:55:29 PM, on 11/8/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\TOURNAMENTDEMO\SYSTEM\UNREALTOURNAMENT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\ALCATRAZ\YS-STUFF\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
N1 - Netscape 4: user_pref("browser.startup.homepage", "wabu.com"); (C:\Program Files\Netscape\Users\lil_bit369\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_2_3_0.DLL
O2 - BHO: (no name) - {F4A27D22-E603-4B1B-B8D0-1CF7D57E56F2} - C:\PROGRAM FILES\NETLEECH\IEEXT.DLL (file missing)
O2 - BHO: (no name) - {9B4C7A1D-80ED-4ED4-AA50-89CAF6EA6803} - (no file)
O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL (file missing)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\PROGRAM FILES\NAVEXCEL\NAVHELPER\V2.0.4\NHELPER.DLL (file missing)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\PROGRAM FILES\POP\POP205.DLL (file missing)
O2 - BHO: (no name) - {3F50438F-BD0D-4729-9964-70DE86E11075} - C:\WINDOWS\SYSTEM\VFWLWDM32.DLL
O2 - BHO: (no name) - {38225f9e-c37f-4adc-9a3c-83ca39848d1e} - C:\WINDOWS\APPLICATION DATA\LLDRNEASTCY.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {F4A645D0-D4D5-439E-9DBC-B31BBD9CB890} - C:\WINDOWS\SYSTEM\BPV2S.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_2_3_0.DLL
O3 - Toolbar: &POP - {645FD3BC-C314-4F7A-9D2E-64D62A0FDD78} - C:\PROGRAM FILES\POP\POP205.DLL (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {105CC119-EF40-415C-8E40-D470969F0ECF} - (no file)
O3 - Toolbar: stxxfriessc - {d504791c-cade-455b-a2e1-faef0c3b0648} - C:\WINDOWS\APPLICATION DATA\LLDRNEASTCY.DLL
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [eMachine eBoard] C:\PROGRA~1\ESOFT\EBOARD\eBoard.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [POP] C:\PROGRAM FILES\POP\POPSRV205.EXE
O4 - HKLM\..\Run: [AutoUpdater] c:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\Run: [winactive] C:\PROGRAM FILES\WINDOW ACTIVE\WINACTIVE.EXE
O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\WINDOWS\SOINTGR.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe
O8 - Extra context menu item: Download With NetLeech - C:\Program Files\NetLeech\NLExtMenu.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bellsouth.net
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...alls/yinstc.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../yse/ymmapi.dll
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.phgenit.c...cab/awswaxf.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7897.9513773148
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
___________________________________________________________
When I press Ctrl, Alt, Delete, I see 6 programs running.
1. Explorer
2. 2Portalmon (this is the program installed for my bellsouth modem)
3. Loadqm
4. lgfxtray
5. Cfd
6. Systray

#14
admin

Hi Drake, I added a post right above yours. Please see it. Also you have a few problems in your HiJack This log, I'll finish looking it over and post back what to fix.

#15
admin

Fix the following entries with Hijack This:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\PROGRAM FILES\NAVEXCEL\NAVHELPER\V2.0.4\NHELPER.DLL (file missing)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\PROGRAM FILES\POP\POP205.DLL (file missing)
O2 - BHO: (no name) - {38225f9e-c37f-4adc-9a3c-83ca39848d1e} - C:\WINDOWS\APPLICATION DATA\LLDRNEASTCY.DLL
O3 - Toolbar: &POP - {645FD3BC-C314-4F7A-9D2E-64D62A0FDD78} - C:\PROGRAM FILES\POP\POP205.DLL (file missing)
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O4 - HKLM\..\Run: [POP] C:\PROGRAM FILES\POP\POPSRV205.EXE
O4 - HKLM\..\Run: [AutoUpdater] c:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.EXE
O8 - Extra context menu item: Download With NetLeech - C:\Program Files\NetLeech\NLExtMenu.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.6.cab

Also download and run the Superbar uninstaller here

Download and install Adaware to remove the lop spyware.

Finally, download LSPFix to fix these entries:
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
Do not fix with Hijack This or you may be unable to access the Internet.

Whew! <_< When finished run another scan and post again. :D
  • 0
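
Added example (not part of the original thread, and not HijackThis's own code): a short Python triage of the log format posted above. It separates the O10 Winsock LSP entries, which the advice above says to repair with LSPFix rather than HijackThis, from entries whose target file is already gone and entries whose file still exists and needs identifying. The function and bucket names are assumptions of this example; the sample lines are excerpted from the log in post #13.

```python
import re
from collections import Counter

# Lines excerpted from the HijackThis log posted in this thread (post #13).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\PROGRAM FILES\POP\POP205.DLL (file missing)
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O4 - HKLM\..\Run: [BELT] C:\WINDOWS\BELT.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
"""

# "<section code> - <description>", e.g. "O2 - BHO: ..." or "O10 - Unknown file ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# HijackThis appends one of these when the registered target is not on disk.
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")

def parse(log):
    """Return one dict per log entry; headers and the process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append({"code": m["code"], "body": m["body"],
                            "orphan": bool(ORPHAN.search(m["body"]))})
    return entries

def triage(entries):
    """Bucket entries by handling. Bucket names are this example's own."""
    buckets = {"lsp_tool": [], "orphan": [], "review": []}
    for e in entries:
        if e["code"] == "O10":
            buckets["lsp_tool"].append(e)   # repair the LSP chain with a dedicated tool
        elif e["orphan"]:
            buckets["orphan"].append(e)     # stale reference, target already gone
        else:
            buckets["review"].append(e)     # file exists: identify it before removing
    return buckets

def lsp_modules(entries):
    """Count how many times each DLL appears in the Winsock LSP chain."""
    return Counter(e["body"].split(": ", 1)[1].lower()
                   for e in entries if e["code"] == "O10")

if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for name, items in triage(parsed).items():
        print(name, [e["code"] + " " + e["body"] for e in items])
    print(dict(lsp_modules(parsed)))
```

The O10 check runs first on purpose: an LSP entry stays in the dedicated-tool bucket even if its DLL is later reported missing, since the chain still has to be rebuilt.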





