help me please!!!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

wanta68gt

Thread Starter
Joined
Jan 12, 2003
Messages
10
Hey guys, Thanks for reading and any advice you can give me. I really need some assistance! Okay here's the deal- I am connected to the internet through a cable modem with an XP platform, and recently removed my firewall/antivirus (Norton 2002) to upgrade to the newer version. I forgot to unplug my modem for a couple of days while I shopped around for new software (I know, already you're saying 'big mistake'!) Anyway, to add on the instances of stupidity, I must tell you that I surfed the net a little, checked my email and even downloaded some stuff from P2P progs. What can I say, I'm an idiot. Anyway, realizing what I had done, two days ago I reinstalled my 2002 stuff, and figured everything was fine. I was moving some stuff around the desktop, you know just reorganizing, and I created a new folder called "private" on the desktop. I dragged some files from a rewritable CD, deposited them in the desktop folder, and that's when everything started messing up. I don't even remember what happened, the screen sort of slowed down, do you know what I mean? And then I looked down and noticed that the firewall icon wasn't in the sys. tray. I looked and the virus icon wasn't there either. Then I went back to the file folder, and the contents of the folder were gone. (Now help me out here- maybe they never got there in the first place and I just didn't notice. Like I said, I 'dragged' them from the contents folder of my CD, didn't copy and paste- so maybe they were never there in the first place.) Anyway, I opened up "My Computer" and saw that my computer wasn't showing that I had a DVD or a CD-RW drive, which I do have. I could still open and close them by pressing the physical buttons on the drives, but the computer was acting like they weren't there. I uninstalled them from the hardware list (which listed them accompanied by a yellow 'X'), and then tried to re-install with new drivers, but it wouldn't work.
Finally I had to do a system restore, and after that they've worked perfectly....
 

wanta68gt

Thread Starter
Joined
Jan 12, 2003
Messages
10
Anyway, so I was a little suspicious of this, knowing that I had been without antivirus and firewall for a couple of days, so I bought Internet Security 2003 by Norton, and did a full sys. scan. It didn't find anything. But, I was looking around in my program files and noticed that Windows Messenger had mysteriously appeared. I didn't install it, and it wasn't in the add/remove list of programs, so I just deleted the entire folder. But, one file won't delete: msgsc.dll It says I can't delete it because another person or program is using it- you know what I mean. What is this? Then I was looking around some more, and found this: in C:\documents and settings\guest (and then a hidden folder, in addition to a lot more hidden folders that I didn't hide) called
\my recent documents\ When I opened this folder, there were a lot of things I don't recognize, including a 'notepad' called first boot:

[commands]
"C:\hp\bin\cloaker.exe c:\hp\bin\commands /c C:\hp\bin\SBLIVE\SBLIVE.bat"
"c:\hp\bin\cloaker.exe c:\hp\bin\commands /lw:c:\hp\bin\windvd\lg.ini /ww /c c:\hp\bin\windvd\windvd.js"
"wscript c:\hp\bin\cdrw\uninstall.js //b"
"c:\hp\bin\cloaker.exe c:\hp\bin\commands /c c:\hp\bin\eol\encarta.bat"
"c:\hp\bin\cloaker.exe c:\hp\bin\commands /lw:c:\hp\bin\studio\lg.ini /ww /c c:\hp\bin\Studio\Studio.js"
"c:\hp\bin\cloaker.exe c:\hp\bin\inimerge c:\windows\system32\oobe\oobeinfo.ini c:\hp\bin\merge.ini"
"c:\hp\bin\cloaker.exe c:\hp\bin\commands /c c:\hp\bin\dvdlr\dvd51.bat"
"regedit /s c:\hp\bin\i386.reg"

I was worried when I saw this "cloaker"

there is another folder called "bin" inside the recent docs. folder. Inside it is what I am asking you about....
 

wanta68gt

Thread Starter
Joined
Jan 12, 2003
Messages
10
Okay, in "bin" I find all sorts of scary stuff:

adddriverpatch.exe
automod.exe
automod32.exe
cloaker.exe
commands.exe
copydisk.exe
detto
finis.exe
fondlewindow.exe
hpcheck.exe
hpdmi.exe
inimerge.exe
isrunning.exe
killit.exe
willWind.exe
processlogger.exe
py152.exe
refcount.exe
replace.exe
sleep.exe
spawn.exe
terminator.exe
transientmessage.exe


et cetera. I skipped some, those are the ones that are the most frightening to me personally, but I could have skipped the ones that matter- I just don't know. Did some more looking around, and found that the above list and the other files I skipped are also located in C:\hp\bin

Anyway, I bought Internet Security 2003, ran a full system scan, and it didn't come up with anything. I even highlighted the above listed and anything else I could find that looked suspicious and nothing. I also tried it in safe mode with the settings Norton recommends to pick up hidden viruses, and zippola. I'm getting tired of writing about this, and besides if anybody could help me, you will probably have specific things I should look for. I went a little crazy and started deleting stuff throughout the program files lists that were in hidden folders- and now I can't adjust my speaker volume from the controls on my keyboard, to add insult to injury! Thanks a lot for reading, any advice you have for me I'll be eternally grateful. I've been unplugging my modem whenever I'm not posting a message, and it would be nice to stop that, I just don't feel comfortable without knowing exactly what this stuff is and how to get rid of it.
 

wanta68gt

Thread Starter
Joined
Jan 12, 2003
Messages
10
Here's my startup list:

StartupList report, 1/12/2003, 1:13:53 AM
StartupList version: 1.50
Started from : C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe
C:\Program Files\Common Files\Totem Shared\Uninstall0002\upd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
PS2 = C:\WINDOWS\system32\ps2.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

washindex = C:\Program Files\Washer\washidx.exe "Owner"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
ATI Launchpad =
ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
Desktop Weather = C:\PROGRA~1\THEWEA~1\THEWEA~1.exe
Acme.PCHButton = C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=
HKLM\..\Windows\CurrentVersion\WinLogon: load=
HKLM\..\Windows\CurrentVersion\WinLogon: run=
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=
HKCU\..\Windows\CurrentVersion\WinLogon: load=
HKCU\..\Windows\CurrentVersion\WinLogon: run=
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=
HKLM\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

*INI section not found*
*INI section not found*
*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
*Registry value not found*
*Registry value not found*

Policies Shell key:

HKCU\..\Policies: *Registry key not found*
HKLM\..\Policies: *Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Disk Cleanup.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job
Window Washer.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe

[{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
CODEBASE = http://207.188.7.150/0783fa9d052e0e9b3c20/netzip/RdxIE2.cab

[ZingBatchAXDwnl Class]
CODEBASE = http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802

[{8AD9C840-044E-11D1-B3E9-00805F499D93}]

[CamImage Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx
CODEBASE = http://keys3.expr.net/axiscam/Codebase/AxisCamControl.ocx

[{9DBAFCCF-592F-FFFF-FFFF-00608CEC297B}]
CODEBASE = http://download.ha.net2phone.com/commcenter/IXCommCenter7272a.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}]

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Microsoft Office Tools on the Web Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\OUTC.DLL
CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

[Measurement Service Client]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\MSC.ocx
CODEBASE = http://ccon.madonion.com/global/msc.cab

--------------------------------------------------
End of report, 9,089 bytes
Report generated in 0.093 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Dec 9, 2000
Messages
45,855
I can't explain all your symptoms but you've definitely picked up some junkware:

Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl

Follow the directions to install, update and run Spybot from the site below.

http://tomcoyote.com/SPYBOT/

You should also go to Internet Options>Settings>View Objects, right click on each of the files in that folder and remove any not associated with Microsoft, Macromedia or a major recognized vendor such as Symantec.
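As an added defender-side example (not code from this thread, from the poster, or from the StartupList tool), here is a small Python script that applies the two checks in the reply above mechanically: it parses the "Autorun entries from Registry" and "Enumerating Download Program Files" sections of a StartupList report, flags autorun commands whose arguments embed a hostname (the pattern of the Totem/VirtuaGirl entry), and flags CODEBASE URLs served from a raw IP address or from a host outside an allowlist of known vendors, which is what "remove any not associated with Microsoft, Macromedia or a major recognized vendor" amounts to. The allowlist and the sample report text (assembled from report lines posted earlier in the thread) are assumptions made for the example.

```python
"""Triage a StartupList-style report.

Added example, not the thread's or StartupList's own code. It flags
(1) registry autorun commands whose arguments embed a hostname, and
(2) Downloaded Program Files CODEBASE URLs served from a raw IP address or
    from a host not on a vendor allowlist.
"""
import re
from urllib.parse import urlparse

# Vendors treated as trustworthy: an assumption for this example, extend as needed.
TRUSTED_VENDOR_DOMAINS = ("microsoft.com", "macromedia.com", "symantec.com")

# A dotted name ending in a common TLD; narrow on purpose so file names such as
# upd.exe or THEWEA~1.exe do not match.
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz)\b", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample, assembled from report lines posted in the thread.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
ATI Launchpad =

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
CODEBASE = http://207.188.7.150/0783fa9d052e0e9b3c20/netzip/RdxIE2.cab

[ZingBatchAXDwnl Class]
CODEBASE = http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802

[Symantec RuFSI Registry Information Class]
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

--------------------------------------------------
"""


def _sections(report):
    """Yield (header, body lines) for each block delimited by the dashed separator."""
    header, body = None, []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("-----"):
            if header:
                yield header, body
            header, body = None, []
        elif not line:
            continue
        elif header is None:
            header = line
        else:
            body.append(line)
    if header:
        yield header, body


def parse_autoruns(report):
    """Return (registry key, value name, command) for every autorun entry."""
    entries = []
    for header, body in _sections(report):
        if header.startswith("Autorun entries from Registry") and body:
            key, *rows = body  # first body line is the registry key
            for row in rows:
                name, _, command = row.partition("=")
                entries.append((key, name.strip(), command.strip()))
    return entries


def parse_codebases(report):
    """Return (object label, CODEBASE url) pairs from the Download Program Files section."""
    pairs, label = [], None
    for header, body in _sections(report):
        if not header.startswith("Enumerating Download Program Files"):
            continue
        for row in body:
            if row.startswith("[") and row.endswith("]"):
                label = row[1:-1]
            elif row.startswith("CODEBASE"):
                pairs.append((label, row.partition("=")[2].strip()))
    return pairs


def is_trusted_host(host):
    """True when host is an allowlisted vendor domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_VENDOR_DOMAINS)


def flag_autoruns(entries):
    """Autorun commands whose arguments embed a hostname (ad/stats beacons) get flagged."""
    flagged = []
    for key, name, command in entries:
        match = HOSTNAME_RE.search(command)
        if match:
            flagged.append((key, name, match.group(0)))
    return flagged


def flag_codebases(pairs):
    """CODEBASE URLs from raw IPs or non-allowlisted hosts get flagged with a reason."""
    flagged = []
    for label, url in pairs:
        host = urlparse(url).hostname or ""
        if IPV4_RE.match(host):
            flagged.append((label, host, "served from a raw IP address"))
        elif not is_trusted_host(host):
            flagged.append((label, host, "host not on the vendor allowlist"))
    return flagged


def triage(report):
    """Run both checks over a report and return the findings by category."""
    return {
        "autoruns": flag_autoruns(parse_autoruns(report)),
        "codebases": flag_codebases(parse_codebases(report)),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_REPORT).items():
        for hit in hits:
            print(kind, *hit, sep=" | ")
```

On the sample, the Totem entry is flagged for the embedded adverts.virtuagirl.com, and two CODEBASE entries are flagged (the raw-IP netzip cab and the imagestation host), while the Macromedia and Symantec objects pass. The allowlist approach mirrors the manual review in the reply: a flag means "look at this", not "this is malicious", so a legitimate vendor missing from the list simply gets added.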
 
Joined
Dec 9, 2000
Messages
45,855
By the way when you update Spybot, you want to download all the updates except for the Language and PGP stuff which you probably won't have any use for.
 