
help me please!!!

Discussion in 'Virus & Other Malware Removal' started by wanta68gt, Jan 12, 2003.

Thread Status:
Not open for further replies.
  1. wanta68gt

    wanta68gt Thread Starter

    Jan 12, 2003
    Hey guys, Thanks for reading and any advice you can give me. I really need some assistance! Okay here's the deal- I am connected to the internet through a cable modem with an XP platform, and recently removed my firewall/antivirus (Norton 2002) to upgrade to the newer version. I forgot to unplug my modem for a couple of days while I shopped around for new software (I know, already you're saying 'big mistake'!) Anyway, to add on the instances of stupidity, I must tell you that I surfed the net a little, checked my email and even downloaded some stuff from P2P progs. What can I say, I'm an idiot. Anyway, realizing what I had done, two days ago I reinstalled my 2002 stuff, and figured everything was fine. I was moving some stuff around the desktop, you know just reorganizing, and I created a new folder called "private" on the desktop. I dragged some files from a rewritable CD, deposited them in the desktop folder, and that's when everything started messing up. I don't even remember what happened, the screen sort of slowed down, do you know what I mean? and then I looked down and noticed that the firewall icon wasn't in the sys. tray. I looked and the virus icon wasn't there either. Then I went back to the file folder, and the contents of the folder were gone, (Now help me out here- maybe they never got there in the first place and I just didn't notice. Like I said, I 'dragged' them from the contents folder of my CD, didn't copy and paste- so maybe they were never there in the first place.) Anyway, I opened up "My Computer" and saw that my computer wasn't showing that I had a DVD or a CD-RW drive, which I do have. I could still open and close them by pressing the physical buttons on the drives, but the computer was acting like they weren't there. I uninstalled them from the hardware list, (which listed them accompanied by a yellow 'X'), and then tried to re-install with new drivers, but it wouldn't work. 
Finally I had to do a system restore, and after that they've worked perfectly....
  2. wanta68gt

    wanta68gt Thread Starter

    Jan 12, 2003
    Anyway, so I was a little suspicious of this, knowing that I had been without antivirus and firewall for a couple of days, so I bought Internet Security 2003 by Norton, and did a full sys. scan. It didn't find anything. But, I was looking around in my program files and noticed that Windows Messenger had mysteriously appeared. I didn't install it, and it wasn't in the add/remove list of programs, so I just deleted the entire folder. But, one file won't delete: msgsc.dll It says I can't delete it because another person or program is using it- you know what I mean. What is this? Then I was looking around some more, and found this: in C:\documents and settings\guest (and then a hidden folder, in addition to a lot more hidden folders that I didn't hide) called
    \my recent documents\ When I opened this folder, there were a lot of things I don't recognize, including a 'notepad' called first boot:

    "C:\hp\bin\cloaker.exe c:\hp\bin\commands /c C:\hp\bin\SBLIVE\SBLIVE.bat"
    "c:\hp\bin\cloaker.exe c:\hp\bin\commands /lw:c:\hp\bin\windvd\lg.ini /ww /c c:\hp\bin\windvd\windvd.js"
    "wscript c:\hp\bin\cdrw\uninstall.js //b"
    "c:\hp\bin\cloaker.exe c:\hp\bin\commands /c c:\hp\bin\eol\encarta.bat"
    "c:\hp\bin\cloaker.exe c:\hp\bin\commands /lw:c:\hp\bin\studio\lg.ini /ww /c c:\hp\bin\Studio\Studio.js"
    "c:\hp\bin\cloaker.exe c:\hp\bin\inimerge c:\windows\system32\oobe\oobeinfo.ini c:\hp\bin\merge.ini"
    "c:\hp\bin\cloaker.exe c:\hp\bin\commands /c c:\hp\bin\dvdlr\dvd51.bat"
    "regedit /s c:\hp\bin\i386.reg"

    I was worried when I saw this "cloaker"

    there is another folder called "bin" inside the recent docs. folder. Inside it is what I am asking you about....
  3. wanta68gt

    wanta68gt Thread Starter

    Jan 12, 2003
    Okay, in "bin" I find all sorts of scary stuff:


    et cetera. I skipped some, those are the ones that are the most frightening to me personally, but I could have skipped the ones that matter- I just don't know. Did some more looking around, and found that the above list and the other files I skipped, are also located in C:\hp\bin

    Anyway, I bought Internet Security 2003, ran a full system scan, and it didn't come up with anything. I even highlighted the above listed and anything else I could find that looked suspicious and nothing. I also tried it in safe mode with the settings Norton recommends to pick up hidden viruses, and zippola. I'm getting tired of writing about this, and besides if anybody could help me, you will probably have specific things I should look for. I went a little crazy and started deleting stuff throughout the program files lists that were in hidden folders- and now I can't adjust my speaker volume from the controls on my keyboard to add insult to injury! Thanks a lot for reading, any advice you have for me I'll be eternally grateful. I've been unplugging my modem whenever I'm not posting a message, and it would be nice to stop that, I just don't feel comfortable without knowing exactly what this stuff is and how to get rid of it.
  4. wanta68gt

    wanta68gt Thread Starter

    Jan 12, 2003
    Here's my startup list:

    StartupList report, 1/12/2003, 1:13:53 AM
    StartupList version: 1.50
    Started from : C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options

    Running processes:

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe
    C:\Program Files\Common Files\Totem Shared\Uninstall0002\upd.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\Local Settings\Temp\StartupList.exe


    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
    Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe


    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,


    Autorun entries from Registry:

    PS2 = C:\WINDOWS\system32\ps2.exe
    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    IgfxTray = C:\WINDOWS\System32\igfxtray.exe
    hpsysdrv = c:\windows\system\hpsysdrv.exe
    HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
    Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl


    Autorun entries from Registry:

    washindex = C:\Program Files\Washer\washidx.exe "Owner"


    Autorun entries from Registry:

    Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
    ATI Launchpad =
    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
    Desktop Weather = C:\PROGRA~1\THEWEA~1\THEWEA~1.exe
    Acme.PCHButton = C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe


    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe


    Load/Run keys from C:\WINDOWS\WIN.INI:


    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=
    HKLM\..\Windows\CurrentVersion\WinLogon: load=
    HKLM\..\Windows\CurrentVersion\WinLogon: run=
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=
    HKCU\..\Windows\CurrentVersion\WinLogon: load=
    HKCU\..\Windows\CurrentVersion\WinLogon: run=
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=
    HKLM\..\Windows NT\CurrentVersion\Windows: load=
    HKLM\..\Windows NT\CurrentVersion\Windows: run=
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=


    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    *INI section not found*
    *INI section not found*
    *INI section not found*

    Shell & screensaver key from Registry:

    *Registry value not found*
    *Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: *Registry key not found*
    HKLM\..\Policies: *Registry value not found*


    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present


    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}


    Enumerating Task Scheduler jobs:

    Disk Cleanup.job
    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job
    Window Washer.job


    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

    CODEBASE = http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe


    [ZingBatchAXDwnl Class]
    CODEBASE = http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802


    [CamImage Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxisCamControl.ocx
    CODEBASE = http://keys3.expr.net/axiscam/Codebase/AxisCamControl.ocx

    CODEBASE = http://download.ha.net2phone.com/commcenter/IXCommCenter7272a.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rufsi.dll
    CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab


    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Microsoft Office Tools on the Web Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\OUTC.DLL
    CODEBASE = http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

    [Measurement Service Client]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\MSC.ocx
    CODEBASE = http://ccon.madonion.com/global/msc.cab

    End of report, 9,089 bytes
    Report generated in 0.093 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
  5. Rollin' Rog

    Rollin' Rog

    Dec 9, 2000
    I can't explain all your symptoms but you've definitely picked up some junkware:

    Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl

    Follow the directions to install, update and run Spybot from the site below.


    You should also go to Internet Options>Settings>View Objects, right click on each of the files in that folder and remove any not associated with Microsoft, Macromedia or a major recognized vendor such as Symantec.
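The two checks Rollin' Rog suggests above (spot the autorun entry that phones an advertising host, and review the Downloaded Program Files objects against a short list of known vendors) can be run mechanically over a StartupList report. The script below is an added example for this thread, not code from the poster, from Tech Support Guy or from the StartupList tool. It parses only the "Autorun entries from Registry" and "Enumerating Download Program Files" sections of the report layout shown in post 4, flags any autorun command line that embeds an internet hostname, and flags any ActiveX CODEBASE whose host is not under the three vendor domains named in the reply (microsoft.com, macromedia.com, symantec.com; this allow-list and the hostname regex are the example's own assumptions). The sample report is a constructed excerpt of the one posted in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: an excerpt in the layout of the StartupList 1.50 report
# posted in the thread, trimmed to the two sections this script inspects.
SAMPLE_REPORT = r"""Autorun entries from Registry:

hpsysdrv = c:\windows\system\hpsysdrv.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
Uninstall0001 = "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl


Autorun entries from Registry:

washindex = C:\Program Files\Washer\washidx.exe "Owner"


Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

CODEBASE = http://download.ha.net2phone.com/commcenter/IXCommCenter7272a.cab

[Measurement Service Client]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\MSC.ocx
CODEBASE = http://ccon.madonion.com/global/msc.cab

End of report, 9,089 bytes
"""

# Assumed allow-list, taken from the vendors named in the reply above.
TRUSTED_VENDOR_DOMAINS = ("microsoft.com", "macromedia.com", "symantec.com")

# Heuristic: a dotted label sequence ending in a common TLD inside a command line.
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz)\b", re.IGNORECASE)

AUTORUN_SECTION = "Autorun entries from Registry"
DPF_SECTION = "Enumerating Download Program Files"


def parse_startuplist(text):
    """Return (autoruns, objects): autoruns as (name, command) pairs and
    Downloaded Program Files objects as (name, codebase_url) pairs."""
    autoruns, objects = [], []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # section headers end with a colon
            section, current = line[:-1], None
            continue
        if section == AUTORUN_SECTION:
            name, sep, value = line.partition("=")
            if sep:                     # "ATI Launchpad =" yields an empty command
                autoruns.append((name.strip(), value.strip()))
        elif section == DPF_SECTION:
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
            elif line.startswith("CODEBASE = "):
                # Some CODEBASE lines in the posted report have no [Name] above them.
                objects.append((current or "(unnamed object)", line[len("CODEBASE = "):]))
                current = None
    return autoruns, objects


def is_trusted_host(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_VENDOR_DOMAINS)


def review(text):
    """Return a list of (kind, name, reason) findings for a StartupList report."""
    findings = []
    autoruns, objects = parse_startuplist(text)
    for name, command in autoruns:
        hosts = HOSTNAME_RE.findall(command)
        if hosts:
            findings.append(("autorun", name, "command line embeds hostname(s): " + ", ".join(hosts)))
    for name, url in objects:
        host = urlparse(url).hostname or ""
        if not is_trusted_host(host):
            findings.append(("activex", name, "CODEBASE host not on vendor allow-list: " + host))
    return findings


if __name__ == "__main__":
    for kind, name, reason in review(SAMPLE_REPORT):
        print(f"[{kind}] {name}: {reason}")
```

A hit from the second check is a prompt for the manual review the reply describes (right-click the object under Internet Options > Settings > View Objects and decide), not an automatic verdict: the allow-list only encodes the three vendors named here, so a legitimate control from any other vendor will also be listed.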
  6. wanta68gt

    wanta68gt Thread Starter

    Jan 12, 2003
    Thanks Rollin' Rog, will do!
  7. Rollin' Rog

    Rollin' Rog

    Dec 9, 2000
    By the way when you update Spybot, you want to download all the updates except for the Language and PGP stuff which you probably won't have any use for.
Short URL to this thread: https://techguy.org/112784