Author Topic: My sisters comp  (Read 12844 times)

gibbler1010
My sisters comp
« on: March 31, 2007, 12:54:07 pm »
Ok, so my sister was downloading a song and ended up getting some major pop-up programs. I told her to run HijackThis, and this is what she got:
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\PROGRA~1\Aliant\HIGH-S~1\app\pppoeservice.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
E:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
E:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
E:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
E:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
E:\WINDOWS\System32\rundll32.exe
E:\WINDOWS\System32\rundll32.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
E:\WINDOWS\System32\wbem\wmiapsrv.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\WinRAR\WinRAR.exe
E:\DOCUME~1\trevnjen\LOCALS~1\Temp\Rar$EX00.581\HijackThis.exe
 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://livesearch.alltheweb.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://livesearch.alltheweb.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CDPreLoader] CDPreLoader.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QOELOADER] "E:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "E:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" E:\WINDOWS\System32\WinFlyer32.dll,Run
O4 - HKLM\..\Run: [SoundService] rundll32.exe "E:\WINDOWS\System32\asfyxloi.dll",setvm
O4 - HKLM\..\Run: [mav_startupmon] "E:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "c:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: vibe2.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://poopsypie.spaces.msn.com/PhotoUpload/MsnPUpld.cab?10,0,912,0
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/chuzzle/popcaploader_v6.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA10D8DC-6E90-4D5B-9E7F-F5F7ECDFDB9B}: NameServer = 198.164.30.62 198.164.4.62
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - E:\PROGRA~1\Aliant\HIGH-S~1\app\pppoeservice.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

Any help would be appreciated.

Offline chip!
Re: My sisters comp
« Reply #1 on: March 31, 2007, 01:18:06 pm »
These look suspicious to me, I would kill them:

O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" E:\WINDOWS\System32\WinFlyer32.dll,Run
O4 - HKLM\..\Run: [SoundService] rundll32.exe "E:\WINDOWS\System32\asfyxloi.dll",setvm

O4 - HKLM\..\Run: [mav_startupmon] "E:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
(This, I understand, is malware; it represents itself as an antivirus that gives you pop-ups.)
  -  https://convivea.com  -   And...  boom goes the dynamite.
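The entries chip! singles out share a few patterns a defender can check for mechanically: a Run value whose name is the DLL it loads, rundll32 loading a DLL with a random-looking lowercase name from System32, and a product string belonging to a known rogue anti-virus. The script below is an added illustration, not code from the thread or from HijackThis; the heuristics and the `ROGUE_MARKERS` list are my own assumptions, and the sample lines are copied from the log posted above.

```python
import re
from collections import namedtuple

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [WinFlyer32.dll] "rundll32.exe" E:\WINDOWS\System32\WinFlyer32.dll,Run
O4 - HKLM\..\Run: [SoundService] rundll32.exe "E:\WINDOWS\System32\asfyxloi.dll",setvm
O4 - HKLM\..\Run: [mav_startupmon] "E:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: vibe2.lnk = ?
"""

RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<target>.*)$")
# rundll32 <dll>,<entry point>; tolerates the quoting variants seen in the log.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.(?:dll|cpl))"?(?:,(?P<entry>\S+))?', re.I)
# Assumed marker list: the product family the thread identifies as rogue anti-virus.
ROGUE_MARKERS = ("winantivirus",)

Finding = namedtuple("Finding", "name reasons")

def check_run_entry(name, cmd):
    """Return the reasons (possibly none) an O4 Run entry deserves a closer look."""
    reasons = []
    if any(marker in cmd.lower() for marker in ROGUE_MARKERS):
        reasons.append("known rogue anti-virus product")
    if name.lower().endswith(".dll"):
        reasons.append("Run value named after the DLL it loads")
    m = RUNDLL_RE.search(cmd)
    if m:
        stem = re.split(r"[\\/]", m.group("dll"))[-1].rsplit(".", 1)[0]
        # Vendor DLLs (NvCpl, NvMcTray, TWEAKUI) carry capitals or digits; a bare run of
        # lowercase letters such as asfyxloi is the pattern the thread calls suspicious.
        if re.fullmatch(r"[a-z]{6,}", stem):
            reasons.append(f"rundll32 loads random-looking DLL '{stem}'")
    return reasons

def triage(log):
    """Walk a HijackThis log and collect the O4 entries that trip a heuristic."""
    findings = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m and check_run_entry(m.group("name"), m.group("cmd")):
            findings.append(Finding(m.group("name"), check_run_entry(m.group("name"), m.group("cmd"))))
        m = STARTUP_RE.match(line)
        if m and m.group("target").strip() == "?":  # HijackThis could not resolve the shortcut
            findings.append(Finding(m.group("name"), ["startup shortcut with unresolved target"]))
    return findings
```

Running `triage(SAMPLE_LOG)` flags exactly the three entries chip! named plus the unresolved `vibe2.lnk` shortcut, and leaves the NVIDIA, Tweak UI and Yahoo! entries alone.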

gibbler1010
Re: My sisters comp
« Reply #2 on: March 31, 2007, 01:34:17 pm »
Thanks, I will let her know :)

Offline chip!
Re: My sisters comp
« Reply #3 on: March 31, 2007, 01:40:39 pm »
But also grab NOD32 or AVG from our antivirus thread, and it wouldn't hurt to sweep with Adaware and Spybot.

gibbler1010
Re: My sisters comp
« Reply #4 on: April 01, 2007, 02:24:33 am »
Ok, so she deleted those entries, did her scans, and is still getting the same problem. It's the poker pop-ups that she keeps getting, so I dunno. She's searched the entire comp looking for folders concerning this poker pop-up and deleted them, but it keeps re-infecting, so obviously she is missing something.

Offline TheHalf™
Re: My sisters comp
« Reply #5 on: April 01, 2007, 11:52:29 am »
If you can get a registered version of Spyware Doctor, do so and run a complete scan. My buddy Dan had all kinds of crap in his PC from downloading that poker-playing software. I ran Spyware Doctor on his PC and all the sh*t that it caught was amazing.

MinLo
Re: My sisters comp
« Reply #6 on: April 01, 2007, 04:13:58 pm »
1. Disable System Restore.

2. Download Spyware Blaster ~ http://www.javacoolsoftware.com/spywareblaster.html, download Spyware Doctor ~ http://www.pctools.com/spyware-doctor/download/ (like TheHalf said), and download NOD32 (using the board, like Chip said).

3. Update Spyware Doctor, Adaware, Spybot S&D and EZ Antivirus. Install NOD32 and update it.

4. Update Windows, and also make sure you allow Windows Update to do automatic updates.

5. Go to Add/Remove Programs and remove WinAntiVirus Pro 2007; like Chip said, this is probably the main problem. It will keep reinfecting if there is a restore point with it saved inside. It is a rogue anti-virus, as listed here -> http://www.spywarewarrior.com/rogue_anti-spyware.htm#products. It's the same as WinAntiVirus Pro 2005/2006, just a newer and probably crappier version.

6. Install Spyware Blaster, enable all protection, and copy and paste a shortcut for SB into the Startup folder. Now it will run every time Windows opens, and all you have to do is update it every two weeks. After it loads you can close it and it will run in the background.

7. Disable Windows Messenger if it's enabled. You can pretty much disable it by doing the following: uncheck "Run Windows Messenger when Windows starts", uncheck "Allow Windows Messenger to run in the background", and close out the icon in the bottom right.

8. Do all the scans over: Spyware Doctor, Adaware, Spybot S&D, EZ Antivirus, NOD32. Delete all viruses and spy/adware items. Make sure to use the Immunize feature in Spybot S&D; it's on the main scan menu.

9. Run HijackThis and post the results here, or run it through the analyzer here -> http://www.hijackthis.de/. You could also go into their forums for more help.

10. Once the problem is resolved, which it should be after all these steps :D, remember to enable System Restore again.

When you tried scanning after Chip's first post, even though you deleted items, it's possible that the virus/spyware/adware items were still inside a restore save, so clearing your restore points will erase that.

Spyware Doctor should come with some kind of free trial. If not, BitTorrent or possibly newsgroups will have a copy. I prefer to use free things over pirated apps, but it's all up to your preferences, I guess.

Anytime one of my family or friends has had problems with their computer I use this process. 99% successful so far... 8). One time I had to reinstall Windows :-[ because there was no hope/chance of doing the above process. ;D

From what I've heard, RAM apps that free RAM are garbage, IMO. Your sister has FreeRAM XP Pro; I'd uninstall that. I also use CCleaner just to keep things tidy and fast. If you do get NOD32, once the problem is fixed it would probably be best to scan with it and ditch EZ Antivirus, but it all depends on your preference. Does she use Firefox? I see that Internet Explorer is running in her processes; I'd suggest making the change to Firefox if she uses IE.
« Last Edit: April 01, 2007, 04:56:29 pm by MinLo »

Offline HarHam
Re: My sisters comp
« Reply #7 on: July 10, 2007, 06:24:09 pm »
I use Spysniper. It works for me as well as for my clients.


http://www.pimasoft.com/images2/spysniperscreenshot.jpg

Offline HarHam
Re: My sisters comp
« Reply #8 on: July 11, 2007, 03:22:10 am »
Regvac by superwin.com
The Ultimate Troubleshooter by answersthatwork.com
Advanced Spyware Remover Pro by evonsoft.com

I have used these programs when I service PCs (my business) and have found that these 3 progs work very well for cleaning up crap.

Hope this helps.