richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Wed Aug 10, 2005 10:17 am Post subject: Has Anyone Seen This Virus/Spyware Before?
Hi Everyone,
I have recently been infected with what I believe is a virus or some sort of spyware. Until this morning it has just been in the system tray as a single red circle with a white cross that pops up every 30ish seconds. After booting up this morning three have appeared in the system tray and it has changed my desktop background! Hopefully that's all it's done.....!! I have searched Google but I just can't find a way of getting rid of it :-( and I don't really want to format/re-install Windows! (I do that often enough anyway) LOL
I have provided a screenshot from this morning:
Have you ever come across this/know a way of getting rid of it or have any other information about it?
Thank you in advance! _________________ Please SEARCH the forums BEFORE asking questions!
AbyssUnderground
Joined: 31 Dec 2004 Posts: 3855
Posted: Wed Aug 10, 2005 10:44 am Post subject:
Try downloading and running Spybot Search & Destroy; works for me. _________________ Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk
kushSeven
Joined: 01 Aug 2005 Posts: 20 Location: Tomah, WI
Posted: Wed Aug 10, 2005 11:04 am Post subject:
Adaware rulez
richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Wed Aug 10, 2005 11:04 am Post subject:
Sorry, forgot to mention that I have tried Spybot S&D, Ad-Aware and scanned with AVG, none of which seemed to find/detect anything suspicious! _________________ Please SEARCH the forums BEFORE asking questions!
AbyssUnderground
Joined: 31 Dec 2004 Posts: 3855
Posted: Wed Aug 10, 2005 11:05 am Post subject:
Lol! Windows said it has downloaded the best one for you; yeah, probably more spyware! _________________ Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Wed Aug 10, 2005 11:42 am Post subject:
Post your HijackThis log file here and it should be easy enough to spot. Most spyware sticks out like a sore thumb.
Also, give the Microsoft AntiSpyware beta a whirl if Ad-Aware and Spybot have failed to find anything. _________________
"Invent an idiot proof webserver and they'll invent a better idiot..."
richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Wed Aug 10, 2005 12:18 pm Post subject:
Just tried Microsoft Anti-Spyware:
Here is the HijackThis log:
HijackThis wrote:
Logfile of HijackThis v1.99.1
Scan saved at 12:09:21, on 10/08/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\kernels32.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Donna\Desktop\HijackThis.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Thanks for all the replies, you guys!
P.S.
1. Task Manager has been disabled, but I can get round that with a third-party app
2. I cannot change the desktop background
3. I get those annoying RPC 60 second reboot messages every now and again _________________ Please SEARCH the forums BEFORE asking questions!
Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Wed Aug 10, 2005 12:49 pm Post subject:
richardyork wrote:
Just tried Microsoft Anti-Spyware:
P.S.
1. Task Manager has been disabled, but I can get round that with a third-party app
2. I cannot change the desktop background
3. I get those annoying RPC 60 second reboot messages every now and again
... And did MS Anti-Spyware remove it successfully? You do know that you need to attempt to remove malware in Safe Mode, not while booted normally?
1) See above. Task Manager should work just fine in Safe Mode.
2) Once you fix the malware it should be back to normal.
3) Do you have a router, or just a modem?
You do not appear to have any Windows service packs installed or the latest version of Internet Explorer. If you use IE as your main browser you shouldn't really be surprised if you get infected when not keeping it up to date.
Have you installed all the other Windows security updates? The only reason to get those 'annoying RPC 60 second reboot messages' is if you are wide open to infection by the LSASS vulnerability! Which would mean you have a router and have misconfigured it, or you have no router and have not configured your firewall correctly...
If MS Anti-Spyware hasn't removed the problem, let me know and I'll point out what's wrong with your HijackThis log. ( Kernels32.exe for a start :o ) _________________
"Invent an idiot proof webserver and they'll invent a better idiot..."
richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Wed Aug 10, 2005 1:22 pm Post subject:
I have most updates but I will download the rest of them now!! (I have been meaning to, but haven't got round to it since my last format/re-install.) I have run MS Anti-Spyware twice in normal mode and twice in Safe Mode; every time the virus is removed and then it appears again!! I have a modem and yes, I have configured my firewall correctly (ZoneAlarm)! I do admit, this is my careless fault for not updating software fully. I have noticed quite a few out-of-the-norm files, mainly in the System32 folder, such as:
kernels32.exe
winstall.exe
vxh8jkdq2.exe
vxh8jkdq5.exe
All of which ask to access the internet via ZoneAlarm. All suspicious files like the above have been totally blocked in ZoneAlarm. _________________ Please SEARCH the forums BEFORE asking questions!
p3
Joined: 17 Jun 2005 Posts: 615
Posted: Wed Aug 10, 2005 2:28 pm Post subject:
You quarantined that one file, right? Try opening up MS AntiSpyware and deleting it.
k1ll3rdr4g0n
Joined: 04 Jul 2004 Posts: 609
Posted: Wed Aug 10, 2005 4:06 pm Post subject:
Oh, ouch, never seen spyware like that.
You're not using another browser like Firefox? Shame on you!
Using IE is just like screaming in the internet world "exploit me".
MonkeyNation
Joined: 05 Feb 2005 Posts: 921 Location: Cardiff
Posted: Wed Aug 10, 2005 7:40 pm Post subject:
k1ll3rdr4g0n wrote:
Using IE is just like screaming in the internet world "exploit me".
I hear that.
richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Wed Aug 10, 2005 9:56 pm Post subject:
Everything is now sorted, everything up-to-date and just moved to Firefox ;-)
Thanks, Anonymoose! _________________ Please SEARCH the forums BEFORE asking questions!
JamesJB30
Joined: 14 Aug 2005 Posts: 31 Location: Allentown, Pa
Posted: Mon Aug 15, 2005 2:20 pm Post subject:
Ugg, first thing you should do after ya install Windows is update it; forget everything else, just go straight to Windows Update. That's what I do.
Nowadays it's almost, err, suicide to surf the net without first updating Windows.
Not sure about you, but every so often I go to Windows Update and check for new updates. I'm too paranoid, lol.
jlp09550
Joined: 05 Jun 2005 Posts: 123 Location: Louisiana, USA
Posted: Mon Aug 15, 2005 9:26 pm Post subject:
It's just like Apache and Abyss; now you're doing the thing with Firefox and Internet Explorer!? I have been using Internet Explorer forever and I have not even got one tiny spyware program or exploit. I think Firefox sucks because of its lack of using DIVs and a lot more. Internet Explorer is best.
P.S. Ones who get spyware from Internet Explorer, as they say, have no computer skills at all. They should put up a firewall and block certain ports. _________________ Hosted Abyss Sites-
http://jared.chibipaws.com/ - My Stuffs
http://jaredblog.chibipaws.com/ - My Blog
richardyork
Joined: 22 Jun 2004 Posts: 410 Location: United Kingdom
Posted: Mon Aug 15, 2005 10:12 pm Post subject:
jlp09550 wrote:
P.S. Ones who get spyware from Internet Explorer, as they say, have no computer skills at all. They should put up a firewall and block certain ports.
Are you implying that "I have no computer skills at all"?
Because I hope you're not! _________________ Please SEARCH the forums BEFORE asking questions!
168pin
Joined: 09 Mar 2005 Posts: 33
Posted: Thu Aug 25, 2005 1:13 am Post subject:
jlp09550 wrote:
It's just like Apache and Abyss; now you're doing the thing with Firefox and Internet Explorer!? I have been using Internet Explorer forever and I have not even got one tiny spyware program or exploit. I think Firefox sucks because of its lack of using DIVs and a lot more. Internet Explorer is best.
P.S. Ones who get spyware from Internet Explorer, as they say, have no computer skills at all. They should put up a firewall and block certain ports.
I beg to differ.
Where are the one-click themes for IE? And cool addons, with stuff like a decent FTP client, weather forecasts, or even an IRC client?
And more secure, without needing to be updated every two minutes?
When did you last update IE? When did I last update Firefox? _________________ Boycott sigs.