
spyware maybe ?

Discussion in 'Virus & Other Malware Removal' started by mediadvsgetz, Apr 19, 2004.

  1. mediadvsgetz

    mediadvsgetz Thread Starter

    Joined:
    Jan 6, 2004
    Messages:
    11
    for 2 days my computer has been running really slow, so i did a virus scan from Norton AntiVirus, then did a scan with Spybot Search and Destroy, then scanned with Ad-aware 6.0, and also with HijackThis. Ad-aware and Spybot both deleted a lot of stuff but did not solve the problem. when i did a ctrl alt del, go to processes, it had these programs running that took up a lot of "CPU" and that also looked suspicious: EgneGcWl.exe, LKyrgy.exe, Sueb6ry.exe, FemLg7.exe, and Rayh0.exe. So i went to windows, system32, and found those files and deleted them, restarted my comp and 2 different ones were on taking up a lot of "CPU". i deleted those 2, then found a program called wcpsvit.exe (it had an icon with a P with a halo on top of it). it said it was created 2 days ago so i deleted this as well. my comp still runs slow. any ideas ? also in my internet explorer when i go to internet options, clear history, delete cookies, delete files, it just loads for a little bit, but then after i still have these sites in my history. i can't seem to get rid of them. i also get these random popups when i'm not even using internet explorer. here is a log of HijackThis:

    Logfile of HijackThis v1.97.6
    Scan saved at 12:31:07 AM, on 4/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\danny\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [5E3FD4N2BKT5PJ] C:\WINDOWS\System32\VchsZQoq.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe
    O9 - Extra button: AIM (HKLM)

    if you can help me fix any of this...thanks
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    First run this uninstaller to get rid of the peper trojan:

    Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.

    Restart your computer and post a new HJT log.
     
  3. mediadvsgetz

    mediadvsgetz Thread Starter

    Joined:
    Jan 6, 2004
    Messages:
    11
    ok before i did this "uninstaller" i scanned my comp with the HouseCall Control virus scanner and it deleted 16 files and it said i have a virus called "http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_SANDBOX.A", that's the link they gave me. anyways i just did the "uninstaller", restarted my comp, ran HijackThis and here is my log.

    Logfile of HijackThis v1.97.6
    Scan saved at 3:32:50 PM, on 4/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\program files\steam\steam.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\danny\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
     
  4. Meangean

    Meangean

    Joined:
    Apr 18, 2004
    Messages:
    216
    looks good to me but check with others
     
  5. mediadvsgetz

    mediadvsgetz Thread Starter

    Joined:
    Jan 6, 2004
    Messages:
    11
    i still can't delete my internet history, what can i do to erase this ? i tried clear history, delete files, delete cookies, and it doesn't work. help ?
     
  6. Meangean

    Meangean

    Joined:
    Apr 18, 2004
    Messages:
    216
    go to tools, internet options then programs tab and go to reset web settings

    try that
     
  7. mediadvsgetz

    mediadvsgetz Thread Starter

    Joined:
    Jan 6, 2004
    Messages:
    11
    i tried it, but nope. i still have all these sites in my internet explorer, should i delete it and reinstall ?
     
  8. mediadvsgetz

    mediadvsgetz Thread Starter

    Joined:
    Jan 6, 2004
    Messages:
    11
    uhh help please ?
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and check:

    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe

    Close all applications and browser windows before you click "fix checked".

    Open My Computer. Go to Tools, Folder Options and click on the View tab. Make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files".

    Now click "Apply to all folders"
    Click "Apply" then "OK"

    Close all IE windows. Now using Windows explorer...go to documents and settings, your profile, Local Settings, History and Temporary Internet files and clean those out if you want. You will not be able to delete index.dat while logged on that profile.

    I would like to see an up to date HJT log...
     
  10. mediadvsgetz

    mediadvsgetz Thread Starter

    Joined:
    Jan 6, 2004
    Messages:
    11
    Logfile of HijackThis v1.97.6
    Scan saved at 5:08:46 PM, on 4/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sstray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\program files\steam\steam.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Documents and Settings\danny\Local Settings\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: AIM (HKLM)

    i already had it set so that it shows hidden files and folders. i went to my temp internet files and history and deleted a lot of stuff but when i go to my internet explorer it still has all those listed. they aren't in my favorites, it's just on the address bar. i'll type like "www." and i'll get all these sites that start with that like "http://www2.enigmasoftwaregroup.com/TMP.html" or "http://www-atdp.berkeley.edu/9931/dkagan/ESSAY.html" or just random sites from sooo long ago.

    when i go to ctrl alt del, processes, system idle process, it runs at 90 to 99 "CPU", is that why my comp is so slow ? or is that normal ?
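
The three HijackThis logs posted so far differ mainly in their O4 (Run key) lines, and comparing them scan by scan shows which startup entries each cleanup step removed. The following is an added example, not part of the original thread and not HijackThis code: it parses O4 lines and builds that comparison. The function names are hypothetical, the sample input is a short excerpt of O4 lines from the logs above, and the parser also accepts other `Run*` key names beyond the plain `Run` seen here.

```python
import re

# An O4 line has the shape: O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^\s*O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+?)\s*$")

def parse_autoruns(log_text):
    """Return {(hive, key, value_name): command} for every O4 line in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries[(hive, key, name)] = command
    return entries

def diff_autoruns(before, after):
    """Return (removed, added); an entry whose command changed lands in both."""
    removed = {k: v for k, v in before.items() if after.get(k) != v}
    added = {k: v for k, v in after.items() if before.get(k) != v}
    return removed, added

def timeline(scans):
    """Map each autorun entry to the labels of the scans it appears in."""
    seen = {}
    for label, log_text in scans:
        for key in parse_autoruns(log_text):
            seen.setdefault(key, []).append(label)
    return seen

# Sample input: O4 lines excerpted from the three logs in this thread.
COMMON = r'''
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
'''
ENTRY_5E3F = r"O4 - HKLM\..\Run: [5E3FD4N2BKT5PJ] C:\WINDOWS\System32\VchsZQoq.exe" + "\n"
ENTRY_WINT = r"O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe" + "\n"
SCANS = [
    ("4/19 12:31 AM", COMMON + ENTRY_5E3F + ENTRY_WINT),
    ("4/19 3:32 PM", COMMON + ENTRY_WINT),
    ("4/20 5:08 PM", COMMON),
]

if __name__ == "__main__":
    for (hive, key, name), labels in timeline(SCANS).items():
        print(f"{hive}\\{key} [{name}] present in: {', '.join(labels)}")
```

An entry that survives a scan after its target file was deleted by hand, as the WINT value does in the second log, is a leftover registry value that still has to be removed with "fix checked".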
     
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    On the Tools menu in Internet Explorer, click Internet Options.
    Click the General tab.
    Under History, click Clear History.
     
  12. HisPetsMaste

    HisPetsMaste

    Joined:
    Apr 29, 2004
    Messages:
    1
    Yes, System Idle is supposed to be in the high 90's when you're not using your computer, and even when you are you will find it usually stays very high up there. Only if you have a program running in the background will it be less than that. For example: you've got [email protected] or are running a game, or are doing some mp3 ripping etc.

    Doing a very quick and cursory look at what you posted it looks like you're clean now. The issue you're having at this point might be that your registry file, among other things, is junked up. There is the possibility that you're still running an "invisible" process in the background and usually those are Trojans or viruses, or maybe somebody hijacked your system and is using your system and connection to do some DOS (or something similar). In all honesty, you should find a good boot time virus checker to clean out the system, then AFTER you're sure it's clean (you could just reformat and reinstall everything), install Avast! or some other similar product. Once you have done so, install WinPatrol and either (or all) one or another of the adware/spyware cleaner/scanners. Lastly, I recommend a good firewall. ZoneAlarm (free edition) has been giving me trouble recently and I have since moved to Tiny (Kerio is very similar since they both used to be the same company), but honestly any of these would be good: Outpost, Tiny, Kerio, ZoneAlarm Pro, Norton and BlackIce. The others might or might not be good, those mentioned here are very good, each with their specific strengths and weaknesses (like how hard it is to use, etc.).
    There are other very good freeware tools for registry cleaning but two that I find good to use (in conjunction) are the Norton SystemWorks one, and this one: RegSeeker.
    Also the TweakUI or PowerTools from Microsoft for XP is a very good little tool that gives you a lot of power with little chance of really screwing your system up.
    Give all this a try. BUT first make sure your system is in fact clean by doing a boot time scan with a good AV program (F-Prot comes to mind). You really should try and do it from a CD boot disk made/burned on another computer that is known to be clean.
    Good luck and happy times
     