-
January 9th, 2006, 01:45 AM
#1
Member
More spyware problems
Ok, here is my problem. Somehow, when my brother was on my computer, it got a ton of spyware on it, and maybe a few viruses. Now I have run my antivirus in safe mode as well as Ad-Aware, Microsoft AntiSpyware and Spybot. After doing this I couldn't connect to the internet, open a browser or much else for that matter; I got an error on boot up saying something about winnet.exe not being found. I ran the Windows repair, which fixed that problem. Now most of the spyware and whatnot is gone, but my computer is lacking in performance compared to how it ran before all this. I've run my spyware stuff and found nothing. My IE keeps locking up on some pages but not others. I have taken a HijackThis log. Is there anything y'all can tell me that might help?
Logfile of HijackThis v1.99.1
Scan saved at 6:40:25 PM, on 1/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\FIREWALL\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\sachostx.exe
C:\WINDOWS\System32\sachostc.exe
C:\WINDOWS\System32\sachosts.exe
C:\Program Files\ABC\abc.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Zippy\Local Settings\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ev1.net/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [dmpit.exe] C:\WINDOWS\System32\dmpit.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1129620561045
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
-
January 9th, 2006, 02:10 AM
#2
This thing is still a mess. Any chance of a full format? If not, here are a bunch to start with. Most are trojan related.
C:\WINDOWS\sachostx.exe
C:\WINDOWS\System32\sachostc.exe
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll (file missing)
Not sure:
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Acti...iveLauncher.cab
O4 - HKLM\..\Run: [dmpit.exe] C:\WINDOWS\System32\dmpit.exe
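As an added illustration (not code from this thread), here is a small Python triage script that applies the rules the reply above is using implicitly to the HijackThis entries from the first post: an autostart binary living in C:\WINDOWS or C:\WINDOWS\System instead of System32 or Program Files, a file name that is a near-miss of a core Windows process name (svwhost, sachost), and a Winlogon Notify registration whose DLL is already gone. The core-name list, the expected-directory list and the edit-distance threshold are my assumptions; the sample log is a constructed subset of the posted log.

```python
import re

# Constructed sample: entries taken from the HijackThis log in the first post,
# plus a genuine svchost.exe process line as a negative control.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe /s
O4 - HKLM\..\Run: [HostSrv] C:\WINDOWS\sachostx.exe
O4 - HKCU\..\Run: [WindowsUpdateNT] C:\WINDOWS\System\svwhost.exe
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll (file missing)
"""

# Assumed list of core Windows binaries whose names malware likes to imitate.
CORE_NAMES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services", "spoolsv", "explorer"}
EXPECTED_DIRS = ("c:\\windows\\system32", "c:\\program files")  # assumed normal homes
PATH_RE = re.compile(r'[a-z]:\\[^",]+?\.(?:exe|dll)\b', re.I)  # first exe/dll path on a line


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss imitations of core process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text):
    findings = {}  # path -> list of reasons it deserves a closer look
    for line in log_text.splitlines():
        m = PATH_RE.search(line)
        if not m:
            continue
        path = m.group(0)
        directory, filename = path.lower().rsplit("\\", 1)
        stem = filename.rsplit(".", 1)[0]
        reasons = []
        if not directory.startswith(EXPECTED_DIRS):
            reasons.append("binary outside System32/Program Files: " + directory)
        for name in sorted(CORE_NAMES):
            if stem != name and edit_distance(stem, name) <= 2:
                reasons.append("name imitates core process " + name)
        if "(file missing)" in line:
            reasons.append("registration points at a file that no longer exists")
        if reasons:  # the same path registered under HKLM and HKCU collapses to one entry
            findings[path] = reasons
    return findings
```

Running `triage(SAMPLE_LOG)` flags exactly the four files the reply lists (sysldr32.exe, svwhost.exe, sachostx.exe, browsela.dll) and leaves the NVIDIA, QuickTime and real svchost.exe lines alone.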
-
January 9th, 2006, 02:14 AM
#3
Oh man, those porn sites your bro looks at are killing you.
Yeah, a reformat sounds good at this point unless hesperus helped you out a bit.
"When in doubt, use Brute Force."
Never argue with an idiot. They'll drag you down to their level, then beat you with experience.
-
January 9th, 2006, 02:18 AM
#4
Hmmm,
winnet.exe, please read this:
http://www.auditmypc.com/process/winnet.asp
You might also boot into safe mode and defragment your drive. I would also get Firefox, and use that rather than IE where possible. Get the script blocking and adblocking plug ins for it while you are at it.
Also get these and run them in safe mode:
http://www.emsisoft.com/en/software/free/
http://www.ewido.net/en/
-
January 9th, 2006, 01:50 PM
#5
Also... and some may disagree... but when you have it all cleaned up, I strongly urge you to get SP2 and the security patches that have come out since SP2 was rolled out (Aug 2004).
Then read How Did I Get Infected
You can remove WildTangent through the Add/Remove function.
With some patience this can be cleaned up without doing a complete re-install, and while you're doing it, you can better understand some of what you are playing around with....
HijackThis Log Tutorial
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
January 9th, 2006, 02:07 PM
#6
And give your brother a limited user account that does not permit installing software etc. Then if he gets hijacked, the malware will have relatively few authorities.
-
January 9th, 2006, 03:38 PM
#7
Greetings,
Something that seems to have been missed is the Windows version (SP1) and the Internet Explorer version (6.00.2800.1106), which are old. You must FIRST update your Windows and apply all patches.
Then use malware removal software in safe mode. You might also want to change a few settings in Internet Explorer.
Go to Control Panel
  Network and Internet Connections
    Internet Options
      General
        Temporary internet files
          Settings
            Set to: Every visit to the page
        Days to keep pages in history
          Set to: 0
      Security
        Internet
          Custom level
            Reset to: High
            Reset (yes)
            Scroll down to "File download"
              Set to: Enable
        Local intranet
          Sites
            Make sure nothing is selected
        Trusted sites
          Sites (for using update and certain other features, please add the following sites)
            add: *.microsoft.com
            Make sure "require server verification" is not selected
          Move the tab to "Medium"
      Privacy
        Advanced
          Override automatic cookie handling
          First-party cookies: Block
          Third-party cookies: Block
          Enable: Always allow session cookies
      Content
        AutoComplete
          Disable all
          Clear forms (yes)
          Clear passwords (yes)
      Programs
        Disable: Internet Explorer should check whether it is the default web browser
      Also now go to Advanced options and then
        UNCHECK: Install on demand (other)
        UNCHECK: Enable third-party browser extensions
You might consider using Firefox as a browser. But remember, your system will never be secure UNTIL YOU UPDATE YOUR OS (Windows).
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
January 9th, 2006, 08:22 PM
#8
Junior Member
Spyware
Hey, Nihil. Thanks for the links to these tools. I was able to clean some major Spyware and malware from my personal computer and my 2003 server at work.
-
January 9th, 2006, 09:33 PM
#9
and my 2003 server at work.
Servers should not be used to browse the internet.....or pick up mail........so there really should be no spyware on the server.....or malware for that fact.
Unless of course it is not patched and firewalled.....
If your server had malware\spyware on it...I would seriously think about reinstalling....never know what you missed....or what has been left behind....
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 9th, 2006, 09:36 PM
#10
I was able to clean some major Spyware and malware from my personal computer and my 2003 server at work.
WTF
HOW did you get a server infected
[edit] MLF types faster
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone