Virus help please

Steve Burke

Both my computer and Peggy's (we're on a wireless network) seem to have been hit by a nasty. This is despite keeping up to date with AVG Free, ZoneAlarm, SpywareBlaster, Spybot, Ad-Aware and Swat It.

 

My computer started running slow yesterday evening. As usual every evening I cleared the temporary internet files (I don't keep history but use Google desktop instead).

 

I did a further bout of housekeeping this morning and found 1 item of spyware (WarezP2P) on Spybot that I deleted. I then re-ran Spybot that showed I hadn't updated the definitions, despite doing so earlier this morning. Once I'd repeated this I scanned again. The scan failed almost immediately with the following message coming up: "User abort scan was not completed successfully". Subsequent attempts at a scan produced the same result, as did re-booting.

 

I then re-ran all the other programs mentioned above and the only problem thrown up was that, whilst AVG showed "no immediate threat", it did show that WINDOWS\system32\kernel32.dll and WINDOWS\system32\shell32.dll had been changed. A virus scan on Peggy's machine gave the same result, plus the same problem on Spybot.

 

I'm assuming that some nastie has disabled at least some of the protection on both mine and Peggy's computers.

 

Luckily Peggy was working at a school today, and so I've got her to change all our passwords from there in case we have a keylogger.

 

I use XP Pro whilst Peggy uses XP Home. We're both running IE6, not IE7 as I originally posted.

 

The big question is what do we do now? Please bear in mind I know almost nothing about computers and Peggy little more.

Edited by Steve Burke

Wingham Specimen Coarse & Carp Syndicates www.winghamfisheries.co.uk Beautiful, peaceful, little fished gravel pit syndicates in Kent with very big fish. 2017 Forum Fish-In Sat May 6 to Mon May 8. Articles http://www.anglersnet.co.uk/steveburke.htm Index of all my articles on Angler's Net

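The AVG finding in the post above (two system DLLs reported as "changed") is the kind of claim worth checking against a known-good reference rather than taking on trust. The script below is an added example, not code from the thread or from AVG: it records SHA-256 hashes of a chosen set of files as a baseline and later reports each one as ok, changed or missing. The file names are the two from the post; the file contents in the demo are constructed stand-ins written to a temporary directory, not real Windows binaries. The baseline must come from a copy you trust (install media, a freshly built machine, or the suspect disk mounted from a clean boot), because a rootkit on the running system can hide its own modifications from anything run on that system.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# The two files the AVG report in the thread named as changed. Any list of
# system binaries works here.
WATCHED = ("kernel32.dll", "shell32.dll")


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large DLLs never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path, names: Iterable[str] = WATCHED) -> Dict[str, str]:
    """Record name -> SHA-256 for each watched file under root.

    Take this from a copy you trust, never from the box you are already
    worried about: a compromised system can lie about its own files.
    """
    return {name: sha256_file(root / name) for name in names}


def compare_to_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, str]:
    """Return name -> 'ok' | 'changed' | 'missing' for every baseline entry."""
    verdicts: Dict[str, str] = {}
    for name, expected in baseline.items():
        target = root / name
        if not target.is_file():
            verdicts[name] = "missing"
        elif sha256_file(target) != expected:
            verdicts[name] = "changed"
        else:
            verdicts[name] = "ok"
    return verdicts


def save_baseline(baseline: Dict[str, str], path: Path) -> None:
    """Persist the baseline as JSON; keep this copy somewhere the suspect box cannot write."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed walk-through in a temp dir with stand-in files, not real DLLs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "kernel32.dll").write_bytes(b"constructed stand-in for kernel32")
        (root / "shell32.dll").write_bytes(b"constructed stand-in for shell32")
        baseline = build_baseline(root)
        save_baseline(baseline, root / "baseline.json")
        before = compare_to_baseline(root, baseline)
        # Simulate what a tampered system looks like: one file patched, one removed.
        (root / "shell32.dll").write_bytes(b"constructed stand-in for shell32, patched")
        (root / "kernel32.dll").unlink()
        after = compare_to_baseline(root, load_baseline(root / "baseline.json"))
        return {"before": before, "after": after}


if __name__ == "__main__":
    for stage, verdicts in demo().items():
        for name, verdict in sorted(verdicts.items()):
            print(f"{stage}: {name}: {verdict}")
```

On a real machine you would point `build_baseline` at a clean reference (for example the same service-pack level of XP on another box) and `compare_to_baseline` at the suspect system32 directory mounted offline, so that the comparison does not depend on the possibly compromised kernel reporting honestly.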
Hi there. Sounds like your anti-spyware software's been compromised.

 

If you can, go to http://www.spywareinfo.com/~merijn/programs.php and download HijackThis (you need to scroll down a bit to a list of download locations). Once downloaded, run the program and click the big "Run a system scan and do a log file" button. This should print out a log of various settings and processes on your system to Notepad.

 

Copy and paste the results on here, and we can have a look to see if there's anything odd.

 

Run it while the other computer on your local network is switched off.

 

Some viruses/malware etc. are wise to HijackThis as well, but it has always evolved pretty well in the past to get past this.

D


One thing I would recommend is to use Windows Defender, available from www.microsoft.com, one of the few Microsoft products that seems to do what it should. I don't use SpywareBlaster or Spybot any more, just Defender.


Cheers, Guys.

 

Logfile of HijackThis v1.99.1
Scan saved at 13:08:33, on 17/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Swat It v2.1\SwatIt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Clipboard Magic\ClipboardMagic.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\DOCUME~1\STEVEB~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anglersnet.co.uk/forums/index.php?act=idx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AS01_Netgear] C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [swatIt] C:\Program Files\Swat It v2.1\SwatIt.exe /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: Clipboard Magic.lnk = C:\Program Files\Clipboard Magic\ClipboardMagic.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128441012921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



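Reading a HijackThis log by eye, as the replies in this thread do, comes down to a few mechanical questions: which registrations point at a file that no longer exists, which O16 ActiveX controls were pulled from hosts you do not recognise, what is wired into AppInit_DLLs, and whether any autostart or service runs from a temp directory. The script below is an added example, not code from the thread, from HijackThis or from its author: it parses the "Oxx - ..." lines of the log format D described and applies those rules. The sample input is a constructed subset of the log posted above plus one synthetic O4 line (the "[svchost]" autorun from a Temp directory), added only to exercise the temp-directory rule and not taken from the thread. The list of trusted download hosts for O16 entries is an assumption for the example; the rules are triage heuristics that say what to look at, not verdicts.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample input: lines copied from the HijackThis log posted in the
# thread, plus ONE synthetic line (the "[svchost]" autorun from a Temp
# directory) added purely to exercise the temp-directory rule.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [svchost] C:\DOCUME~1\USER~1\LOCALS~1\Temp\svchost.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128441012921
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
# A Windows path up to the first executable-ish extension; 8.3 short names
# such as PROGRA~1 and paths with spaces are both covered.
PATH_RE = re.compile(r"(?i)[a-z]:\\.*?\.(?:exe|dll|ocx|cab)\b")

# Domains whose O16 ActiveX downloads are accepted without review. This is an
# assumption for the example; extend it to match your environment.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "windowsupdate.com")
# Directory fragments nothing legitimate should autostart from.
TEMP_DIR_MARKERS = ("\\temp\\", "\\recycler\\", "\\local settings\\temp")


@dataclass
class Entry:
    kind: str            # R0, O2, O16, ...
    body: str            # everything after "Oxx - "
    clsid: Optional[str]
    path: Optional[str]
    url: Optional[str]


def parse_hjt(text: str) -> List[Entry]:
    """Turn the 'Oxx - ...' lines of a HijackThis log into structured entries."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, the process list and blanks are skipped
        body = m.group("body")
        clsid, path, url = CLSID_RE.search(body), PATH_RE.search(body), URL_RE.search(body)
        entries.append(Entry(m.group("kind"), body,
                             clsid.group(0) if clsid else None,
                             path.group(0) if path else None,
                             url.group(0) if url else None))
    return entries


def _trusted_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def triage(entries: List[Entry]) -> List[Tuple[str, Entry, str]]:
    """Apply the triage rules; returns (severity, entry, reason) per finding."""
    findings: List[Tuple[str, Entry, str]] = []
    for e in entries:
        lower_path = (e.path or "").lower()
        if "(no file)" in e.body:
            findings.append(("low", e, "orphaned registration: points at a file that no longer exists; safe to fix in HJT"))
        elif e.kind == "O16" and e.url:
            host = urlparse(e.url).hostname or ""
            if not _trusted_host(host):
                findings.append(("review", e, f"ActiveX control downloaded from {host}: confirm the vendor before keeping it"))
        elif e.kind == "O20" and "appinit_dlls" in e.body.lower():
            findings.append(("review", e, "AppInit_DLLs is loaded into every process that uses user32.dll; verify the publisher"))
        elif e.kind in ("O4", "O23") and any(marker in lower_path for marker in TEMP_DIR_MARKERS):
            findings.append(("high", e, "autostart or service running from a temp/recycler directory"))
    return findings


def summarize(text: str) -> Dict[str, int]:
    """Count findings per severity for a whole log."""
    return dict(Counter(sev for sev, _, _ in triage(parse_hjt(text))))


if __name__ == "__main__":
    for severity, entry, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{severity:6}] {entry.kind} - {entry.body}\n         {reason}")
```

Run against the sample, it flags the two "(no file)" entries as low-priority cleanup, the Panda ActiveScan O16 entry for review, the Google AppInit_DLLs entry for review, and the synthetic Temp autorun as high. The real Symantec O16 entry from the log above would also come out as "review" under this host rule, which is exactly the point: the rule tells you what to look up, and the later reply in this thread identifying it as the Symantec Download Bridge is the lookup.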
Did anyone purposefully download and install WarezP2P? It's a peer-to-peer file sharing program which is on the spyware lists because it carries spyware, not because it is spyware.

 

Description of Warez P2P Client

Warez P2P Client is a free file-sharing application that allows users to upload and download files and programs from other Warez P2P users by connecting them on a single server. However, even if it claims it has no spyware, it bundles with it the Startnow.Hyperbar spyware, which delivers ads and hijacks your browser.

 

http://www.fbmsoftware.com/spyware-net/App...rez_P2P_Client/

 

If it were my computer my most pressing concern would be how that got onto my PC, because I would suspect that my machine had been compromised and was being used by hackers to share files. We had a PC in the office which had at one time been exposed directly to the net. I found it running a freeware FTP server and with a large folder structure full of script kiddy junk concealed within the hidden c:\recycler folder. It hadn't been accessed for some time, not since the PC in question had been moved behind a firewall and before I started working for the company, but it was still quite shocking to see what the little parasites had been up to. If I were you, I would have a sniff around my hard drive to ensure that I wasn't being used as a file server by low-lifes.


I certainly haven't installed WarezP2P, and I assume Peggy hasn't either.

 

How do I get rid of it?

 

I'm afraid I've no idea how to check my hard drive, let alone what should be on there. Any help on this would be gratefully received.


To uninstall Warez properly, don't use Add/Remove Programs; instead go to Start menu > All Programs > Warez > Uninstall. This will remove all the components Warez installed (i.e. registry entries) and will leave your shared folder alone.

 

Lifted from http://support.warez.com/index.php?_m=know...=13&nav=0,1

 

Also, this O16 entry looks bad:

 

O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab

 

The rest doesn't show anything very obvious.

 

Suggest that you go to trend micro http://housecall.trendmicro.com/ and do an online scan when you have time.


Thanks, but Warez doesn't appear on the list of programs on the start menu. What next?

 

What should I do about the O16 entry? The link is down, and I'm afraid I don't understand what any of it means.

 

Sorry to be so thick!


No probs. The Warez report in Spybot could be a false positive, so just double-check Add/Remove Programs and see if it is there; if not, then hopefully it's not a problem.

 

Re the O16 entry: re-run HJT and do a scan, tick the box next to that entry and then click Fix. Then reboot.

 

More and more viruses are able to conceal themselves from HJT now hence I suggested an online scan. Trend is good 'cos it deletes any dodgy files for you but as with all online scans it takes a while!

Link to comment
Share on other sites

That particular O16 entry seems to be for updating the Symantec Download Bridge, so it's probably best to leave it alone.

 

As Slap says, everything else looks OK, so if you don't get anywhere with Windows Defender or the online scan, try RootkitRevealer at http://download.sysinternals.com/Files/RootkitRevealer.zip. If you get that far, let us know and we can talk you through using it.

 

D
