1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Breached I believe

Discussion in 'Virus & Other Malware Removal' started by Col.USMC, Sep 27, 2003.

Mark Solved
Thread Status:
Not open for further replies.
Advertisement
  1. Col.USMC

    Col.USMC Guest Thread Starter

    I downloaded spyblocker from cnet and when it finished I found this new program called cnet download manager. ??? Since this my CPU runs 99.5%. I ran HJT and found only rundll32.exe and the cnet related objects. I "fixed" these and rebooted. The CPU continued to run at 99.5% and I then did C+A+D and found the rundll32.exe running at 99%. I proceded and terminated the rundll32.exe and CPU fell to 2%. Now the system idle process seems to run at 97%. I tried to delete the cnet manager via add/remove but it hangs up even after 5 minutes. I have ran adware6.0 and spybot both of which were updated. Now for the bad news norton firewall and NAV have been disabled w/o my authority???. I am unabe to get them turned back on. I am running Zonealert as a backup. I am also running a virus scan using one of the online virus scans. Gentlemen ant assistance would be greatly appreciated.
     
  2. Col.USMC

    Col.USMC Guest Thread Starter

    Logfile of HijackThis v1.97.2
    Scan saved at 8:38:23 PM, on 9/27/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\SurfSecret\Privacy Protector\SS2-TRIAL.exe
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKCU\..\Run: [SurfSecret] C:\Program Files\SurfSecret\Privacy Protector\SS2-TRIAL.exe /min
    O4 - HKLM\..\RunOnce: [SSCTL] C:\Program Files\SurfSecret\Privacy Protector\IC.exe
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)

    StartupList report, 9/27/2003, 8:38:31 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Owner\Desktop\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ps2.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\SurfSecret\Privacy Protector\SS2-TRIAL.exe
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
    spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    hpsysdrv = c:\windows\system\hpsysdrv.exe
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    AlcxMonitor = ALCXMNTR.EXE
    PS2 = C:\WINDOWS\system32\ps2.exe
    LXSUPMON = C:\WINDOWS\System32\LXSUPMON.EXE RUN

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    SSCTL = C:\Program Files\SurfSecret\Privacy Protector\IC.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    SurfSecret = C:\Program Files\SurfSecret\Privacy Protector\SS2-TRIAL.exe /min
    (Default) =

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
    (no name) - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 4,917 bytes
    Report generated in 0.031 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  3. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Let's get your AV and firewall back up and running as a first priorty.

    Download Spybot - Search & Destroy (if you haven't got the program installed already)

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

    Reboot

    Also download and run ExeFix08 http://home.earthlink.net/~rmbox/Reticulated/Toys.html

    If you have HiJack this, post a log. If not, go to http://tomcoyote.org/hjt/ and download HiJackThis. Use Winzip to unzip it, then install and run it. To run, click the “Scan” button. When it's done the "Scan" button changes to "Save Log". Save the log file it creates (it should open in Notepad at that point). Copy and paste the results in your next post. Most of what it finds is harmless, so do not do anything yet.
     
  4. Col.USMC

    Col.USMC Guest Thread Starter

    Here is a bit more intell I am not able to link to the earthlink reference you gave nor am I able to link to any of the online virus scanners. I even tried typing the IP address = nothing.

    Thank you
     
  5. Col.USMC

    Col.USMC Guest Thread Starter

    I have been able to get norton back online. I am now able to access sites previously listed. downloaded the Exefix from earthlink site. Did not launch it yet for it is listed for windows 95/98.
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I'm not sure you need to run any file association fixes at this point, but if you are having problems opening applications with exe extensions, this would be the one to use:

    http://www.dougknox.com/xp/file_assoc.htm

    What problem is remaining exactly? The System Idle process should be highest, representing all the UNused cpu time.

    If you are having problems getting rid of a program, why not just use System Restore to return to a prior state. It's the best uninstaller there is.
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/167944

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice