need help computer is going crazy

[cdoug55]

ok today i was sitting around and suddenly i got this message i think it was from spywareblaster that something was trying to change my ie. after that my computer has been going bonkers. my zone alarm has been going off constantly with all these programs i have never seen. my ie browser flickers and the hourglass comes up like its doing somthing and on top of that it like messes with keyboard functions, like all of a sudden my cap locks will be on even though its not and if i click on the screen it will select all text, as if my ctrl key was stuck (which its not). i ran ad-aware and spy bot numerous times and different registries keep showing up each time. i have also had some weird error message that shows up when ever i boot up but i have had that for a while and never caused any problems. i couldnt write it down because for some odd reason it doesnt show up now when i restart. please give me some help if you have any ideas. here is my hijack log:

Logfile of HijackThis v1.96.1
Scan saved at 8:32:14 PM, on 4/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\dp-k13w13.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Douglas Menikheim\Application Data\ttuh.exe
C:\WINDOWS\System32\wnsapisu.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\DdrJY.exe
C:\WINDOWS\System32\JgvW.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DOUGLA~1\LOCALS~1\Temp\Rar$EX00.922\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_4.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\LsxI52.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RQ53] C:\docume~1\dougla~1\locals~1\temp\RQ53.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Douglas Menikheim\Application Data\ttuh.exe
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisu.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1DB3B8DD-5801-443F-B2D5-9BF8912B980E} (dmgrax2Ctrl Class) - http://www.lxsystems.com/downloads/Install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9013D8E9-B204-4EFF-9A97-6F2B4317F927} (PipPPush) - http://photos.msn.com/r/neutral/controls/PipPPush.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.nugs.net/dev/dlControl.CAB
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_4.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB

 

[Cookiegal]

You have the peper.a trojan so you will have to download and run the installer here:

http://www.zerosrealm.com/downloads/uninst.exe

You must be connected to the Internet to run this program.

Click on the uninst.exe and let it run. When it’s finished it will close itself.

Then download and run the following programs.

AD-AWARE

Go here: http://www.lavasoftusa.com/support/download/
and download Ad-Aware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right-hand corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on -------ON=GREEN

From main window: Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right click the window and choose select all from the drop down menu and click Next)

Restart your computer

Download and run: SPYBOT SEARCH & DESTROY, here:

http://download.com.com/3000-2144-1...tml?tag=lst-0-1

Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode). Click online, Search for updates, Download all available updates. Close all Browser windows, Click ''Check for Problems'', Put a check in every entry Spybot Search & Destroy flags with a red exclamation mark and click ''Fix Selected Problems'' , Then restart your computer.

Download both of these for added protection: SPYWAREBLASTER & SPYWAREGUARD, here:

http://www.javacoolsoftware.com/spywareblaster.html

Once you've done all that, you need to download the latest version of HIJACK THIS (v1.97.7) and make sure you save it to it's own folder, not the Temporary files as your older version is and post another log.

You can get it here: http://www.sherrylynn.us/HijackThis.exe

Cookie

 

[cdoug55]

hey thanks for the help heres the new log:
Logfile of HijackThis v1.97.7
Scan saved at 10:58:37 PM, on 4/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Douglas Menikheim\Desktop\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_4.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RQ53] C:\docume~1\dougla~1\locals~1\temp\RQ53.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisu.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://cs6.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1DB3B8DD-5801-443F-B2D5-9BF8912B980E} (dmgrax2Ctrl Class) - http://www.lxsystems.com/downloads/Install.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9013D8E9-B204-4EFF-9A97-6F2B4317F927} (PipPPush) - http://photos.msn.com/r/neutral/controls/PipPPush.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.nugs.net/dev/dlControl.CAB
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_4.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/webregtest/RegDload.CAB

 

[cybertech]

Run HJT again and check:

O4 - HKLM\..\Run: [RQ53] C:\docume~1\dougla~1\locals~1\temp\RQ53.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe

O4 - HKCU\..\Run: [WNST] C:\WINDOWS\System32\wnsapisu.exe

O16 - DPF: {1DB3B8DD-5801-443F-B2D5-9BF8912B980E} (dmgrax2Ctrl Class) - http://www.lxsystems.com/downloads/Install.cab


Close all applications and browser windows before you click "fix checked".


Restart in safe mode Click here to see how


Open My Computer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders"
Click "Apply" then "OK"

Now find these files and folders and delete them.

C:\docume~1\dougla~1\locals~1\temp\RQ53.exe <-- file
C:\WINDOWS\System32\dp-k13w13.exe <-- file
C:\WINDOWS\System32\wnsapisu.exe <-- file

 

[pamelamama]

Hmm... I'm new here, but my situation involves similar symptoms. Should I post in this thread or start my own?? I have already followed the advice, but I"m not sure how to check if it has worked. Thanks!!

Pamela

 

[=Phant0M=]

Make a new thread so we may not confuse your probs with this guys.