
help me please!!!

Discussion in 'Virus & Other Malware Removal' started by wanta68gt, Jan 12, 2003.

Thread Status:
Not open for further replies.
  1. wanta68gt

    wanta68gt Thread Starter

    Joined:
    Jan 12, 2003
    Messages:
    10
    Hey guys, Thanks for reading and any advice you can give me. I really need some assistance! Okay here's the deal- I am connected to the internet through a cable modem with an XP platform, and recently removed my firewall/antivirus (Norton 2002) to upgrade to the newer version. I forgot to unplug my modem for a couple of days while I shopped around for new software (I know, already you're saying 'big mistake'!) Anyway, to add on the instances of stupidity, I must tell you that I surfed the net a little, checked my email and even downloaded some stuff from P2P progs. What can I say, I'm an idiot. Anyway, realizing what I had done, two days ago I reinstalled my 2002 stuff, and figured everything was fine. I was moving some stuff around the desktop, you know just reorganizing, and I created a new folder called "private" on the desktop. I dragged some files from a rewriteable CD, deposited them in the desktop folder, and that's when everything started messing up. I don't even remember what happened, the screen sort of slowed down, do you know what I mean? And then I looked down and noticed that the firewall icon wasn't in the sys. tray. I looked and the virus icon wasn't there either. Then I went back to the file folder, and the contents of the folder were gone. (Now help me out here- maybe they never got there in the first place and I just didn't notice. Like I said, I 'dragged' them from the contents folder of my CD, didn't copy and paste- so maybe they were never there in the first place.) Anyway, I opened up "My Computer" and saw that my computer wasn't showing that I had a DVD or a CD-RW drive, which I do have. I could still open and close them by pressing the physical buttons on the drives, but the computer was acting like they weren't there. I uninstalled them from the hardware list (which listed them accompanied by a yellow 'X'), and then tried to re-install with new drivers, but it wouldn't work.
Finally I had to do a system restore, and after that they've worked perfectly....
     
  2. wanta68gt

    wanta68gt Thread Starter

    Joined:
    Jan 12, 2003
    Messages:
    10
    Anyway, so I was a little suspicious of this, knowing that I had been without antivirus and firewall for a couple of days, so I bought Internet Security 2003 by Norton, and did a full sys. scan. It didn't find anything. But, I was looking around in my program files and noticed that Windows Messenger had mysteriously appeared. I didn't install it, and it wasn't in the add/remove list of programs, so I just deleted the entire folder. But, one file won't delete: msgsc.dll. It says I can't delete it because another person or program is using it- you know what I mean. What is this? Then I was looking around some more, and found this in C:\documents and settings\guest (and then a hidden folder, in addition to a lot more hidden folders that I didn't hide) called \my recent documents\. When I opened this folder, there are a lot of things I don't recognize, including a 'notepad' called first boot:

    [commands]
    "C:\hp\bin\cloaker.exe c:\hp\bin\commands /c C:\hp\bin\SBLIVE\SBLIVE.bat"
    "c:\hp\bin\cloaker.exe c:\hp\bin\commands /lw:c:\hp\bin\windvd\lg.ini /ww /c c:\hp\bin\windvd\windvd.js"
    "wscript c:\hp\bin\cdrw\uninstall.js //b"
    "c:\hp\bin\cloaker.exe c:\hp\bin\commands /c c:\hp\bin\eol\encarta.bat"
    "c:\hp\bin\cloaker.exe c:\hp\bin\commands /lw:c:\hp\bin\studio\lg.ini /ww /c c:\hp\bin\Studio\Studio.js"
    "c:\hp\bin\cloaker.exe c:\hp\bin\inimerge c:\windows\system32\oobe\oobeinfo.ini c:\hp\bin\merge.ini"
    "c:\hp\bin\cloaker.exe c:\hp\bin\commands /c c:\hp\bin\dvdlr\dvd51.bat"
    "regedit /s c:\hp\bin\i386.reg"

    I was worried when I saw this "cloaker"

    there is another folder called "bin" inside the recent docs. folder. Inside it is what I am asking you about....
     
  3. wanta68gt

    wanta68gt Thread Starter

    Joined:
    Jan 12, 2003
    Messages:
    10
    Okay, in "bin" I find all sorts of scary stuff:

    adddriverpatch.exe
    automod.exe
    automod32.exe
    cloaker.exe
    commands.exe
    copydisk.exe
    detto
    finis.exe
    fondlewindow.exe
    hpcheck.exe
    hpdmi.exe
    inimerge.exe
    isrunning.exe
    killit.exe
    willWind.exe
    processlogger.exe
    py152.exe
    refcount.exe
    replace.exe
    sleep.exe
    spawn.exe
    terminator.exe
    transientmessage.exe


    et cetera. I skipped some; those are the ones that are the most frightening to me personally, but I could have skipped the ones that matter- I just don't know. Did some more looking around, and found that the above list and the other files I skipped are also located in C:\hp\bin

    Anyway, I bought Internet Security 2003, ran a full system scan, and it didn't come up with anything. I even highlighted the above listed and anything else I could find that looked suspicious, and nothing. I also tried it in safe mode with the settings Norton recommends to pick up hidden virii, and zippola. I'm getting tired of writing about this, and besides, if anybody could help me, you will probably have specific things I should look for. I went a little crazy and started deleting stuff throughout the program files lists that were in hidden folders- and now I can't adjust my speaker volume from the controls on my keyboard, to add insult to injury! Thanks a lot for reading; any advice you have for me, I'll be eternally grateful. I've been unplugging my modem whenever I'm not posting a message, and it would be nice to stop that. I just don't feel comfortable without knowing exactly what this stuff is and how to get rid of it.
     
  4. wanta68gt

    wanta68gt Thread Starter

    Joined:
    Jan 12, 2003
    Messages:
    10
    Here's my startup list:

    StartupList report, 1/12/2003, 1:13:53 AM
    StartupList version: 1.50
    Started from : C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe
    C:\Program Files\Common Files\Totem Shared\Uninstall0002\upd.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\ups.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
    Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
    PS2 = C:\WINDOWS\system32\ps2.exe
    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    IgfxTray = C:\WINDOWS\System32\igfxtray.exe
    hpsysdrv = c:\windows\system\hpsysdrv.exe
    HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
    Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    washindex = C:\Program Files\Washer\washidx.exe "Owner"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
    ATI Launchpad =
    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    Desktop Weather = C:\PROGRA~1\THEWEA~1\THEWEA~1.exe
    Acme.PCHButton = C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=
    HKLM\..\Windows\CurrentVersion\WinLogon: load=
    HKLM\..\Windows\CurrentVersion\WinLogon: run=
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=
    HKCU\..\Windows\CurrentVersion\WinLogon: load=
    HKCU\..\Windows\CurrentVersion\WinLogon: run=
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=
    HKLM\..\Windows NT\CurrentVersion\Windows: load=
    HKLM\..\Windows NT\CurrentVersion\Windows: run=
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    *INI section not found*
    *INI section not found*
    *INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    *Registry value not found*
    *Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: *Registry key not found*
    HKLM\..\Policies: *Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Disk Cleanup.job
    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job
    Window Washer.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe

    [{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
    CODEBASE = http://207.188.7.150/0783fa9d052e0e9b3c20/netzip/RdxIE2.cab

    [ZingBatchAXDwnl Class]
    CODEBASE = http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802

    [{8AD9C840-044E-11D1-B3E9-00805F499D93}]

    [CamImage Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx
    CODEBASE = http://keys3.expr.net/axiscam/Codebase/AxisCamControl.ocx

    [{9DBAFCCF-592F-FFFF-FFFF-00608CEC297B}]
    CODEBASE = http://download.ha.net2phone.com/commcenter/IXCommCenter7272a.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rufsi.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

    [{CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}]

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Microsoft Office Tools on the Web Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\OUTC.DLL
    CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

    [Measurement Service Client]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\MSC.ocx
    CODEBASE = http://ccon.madonion.com/global/msc.cab

    --------------------------------------------------
    End of report, 9,089 bytes
    Report generated in 0.093 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  5. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I can't explain all your symptoms but you've definitely picked up some junkware:

    Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl

    Follow the directions to install, update and run Spybot from the site below.

    http://tomcoyote.com/SPYBOT/

    You should also go to Internet Options>Settings>View Objects, right click on each of the files in that folder and remove any not associated with Microsoft, Macromedia or a major recognized vendor such as Symantec.
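The two checks in this reply (look at what each Run entry actually launches, and look at where each Downloaded Program Files object was fetched from) can be mechanised over a StartupList report. The script below is an added example, not part of the thread or of StartupList itself; it parses the "Autorun entries from Registry" and "Enumerating Download Program Files" sections of a StartupList 1.50 style report and flags entries worth a second look. The sample report is a constructed excerpt in the layout of the report posted above, and the vendor allowlist TRUSTED_CODEBASE_DOMAINS is an assumption following the reply's rule of thumb (Microsoft, Macromedia, Symantec) with apple.com added.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: an excerpt in the layout of the StartupList 1.50
# report posted in the thread, trimmed to the sections this script reads.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
ATI Launchpad =

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
CODEBASE = http://207.188.7.150/0783fa9d052e0e9b3c20/netzip/RdxIE2.cab

[Measurement Service Client]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\MSC.ocx
CODEBASE = http://ccon.madonion.com/global/msc.cab
"""

# Assumed allowlist (the reply names Microsoft, Macromedia and Symantec; apple.com is our addition).
TRUSTED_CODEBASE_DOMAINS = ("microsoft.com", "macromedia.com", "symantec.com", "apple.com")

# Loose hostname pattern, applied only to a Run entry's arguments (never to the
# executable path, so file names such as hpsysdrv.exe do not match).
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz)\b", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_run_entries(report):
    """Return (registry_key, value_name, command) from each 'Autorun entries' section."""
    entries, key, in_section = [], None, False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Autorun entries from Registry:"):
            in_section, key = True, None
        elif line.startswith("-----"):
            in_section = False
        elif in_section and line:
            if key is None:
                key = line                      # first non-blank line is the registry key
            else:
                name, _, command = line.partition("=")
                entries.append((key, name.strip(), command.strip()))
    return entries


def parse_codebases(report):
    """Return (object_name, codebase_url) from the 'Download Program Files' section."""
    items, name, in_section = [], None, False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Enumerating Download Program Files:"):
            in_section = True
        elif line.startswith("-----"):
            in_section = False
        elif in_section and line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
        elif in_section and line.startswith("CODEBASE ="):
            items.append((name, line.partition("=")[2].strip()))
    return items


def split_command(command):
    """Separate the executable from its arguments, honouring a quoted path."""
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip()
    exe, _, args = command.partition(" ")
    return exe, args.strip()


def run_entry_reasons(command):
    """Heuristic reasons a Run entry deserves a closer look (empty list: nothing noted)."""
    reasons = []
    if not command:
        return reasons                          # empty value, e.g. 'ATI Launchpad ='
    exe, args = split_command(command)
    host = HOST_RE.search(args)
    if host:                                    # stats/advert reporting is a junkware trait
        reasons.append("arguments reference a host: " + host.group(0))
    low = exe.lower()
    if "\\temp\\" in low or "downloaded program files" in low or "\\downlo~1\\" in low:
        reasons.append("runs from a temporary or download folder: " + exe)
    return reasons


def codebase_is_trusted(url):
    """True when the CODEBASE host is a named, allowlisted vendor domain."""
    host = (urlparse(url).hostname or "").lower()
    if not host or IPV4_RE.fullmatch(host):
        return False                            # bare IP address: no vendor to vouch for it
    return any(host == d or host.endswith("." + d) for d in TRUSTED_CODEBASE_DOMAINS)


def triage(report):
    """Return only the Run entries and ActiveX objects that the heuristics flag."""
    flagged_run = []
    for key, name, cmd in parse_run_entries(report):
        reasons = run_entry_reasons(cmd)
        if reasons:
            flagged_run.append((key, name, cmd, reasons))
    flagged_dpf = [(name, url) for name, url in parse_codebases(report)
                   if not codebase_is_trusted(url)]
    return {"run": flagged_run, "codebase": flagged_dpf}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for key, name, cmd, reasons in result["run"]:
        print(f"[Run] {key}\\{name}: {cmd}\n      " + "; ".join(reasons))
    for name, url in result["codebase"]:
        print(f"[DPF] {name}: {url}")
```

Run against the sample it prints the Totem Shared entry (because its argument string names an advertising host) and the two CODEBASE objects that were fetched from a bare IP address and from a domain outside the allowlist; the Macromedia control passes. The output is a shortlist for manual review, not a verdict: an entry that passes these heuristics is not thereby clean, and one that is flagged still needs a look at the vendor before it is removed.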
     
  6. wanta68gt

    wanta68gt Thread Starter

    Joined:
    Jan 12, 2003
    Messages:
    10
    thanks rollin rog, will do!
     
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    By the way when you update Spybot, you want to download all the updates except for the Language and PGP stuff which you probably won't have any use for.
     
Short URL to this thread: https://techguy.org/112784