
Help!!!!!



erhem
2006-02-10, 11:06
Help! :( :(

My computer has been acting up lately. I found some spyware, or whatever they are, viruses...
deleted them, but here's the catch: my computer slows down or something after about 20 minutes
on the internet, or maybe offline too, but I've never seen that happen YET!
Here's an example of what happens: if I go onto RuneScape or some game like that, a few minutes
later... the computer slows down by a ton. Talk on Messenger, no reply... You're probably wondering how
I got this message on... I typed it in Notepad and quickly went online to post it...

Here's my log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 11:02:01 PM, on 11/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Tiny Firewall\UmxFwHlp.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Firewall\UmxAgent.exe
C:\Program Files\Tiny Firewall\UmxTray.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Startup Mechanic\StartupMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\mm\Desktop\hijackthis-virus cleaner\HijackThis.exe
C:\Program Files\Common Files\PFShared\SyncEvnt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com//0seenus/saos01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Startup Manager Scanner] C:\Program Files\Startup Mechanic\StartupMonitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Firewall\amon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINDOWS\System32\netddesrv.exe
O23 - Service: FW Event Manager (UmxAgent) - Computer Associates International, Inc. - C:\Program Files\Tiny Firewall\UmxAgent.exe
O23 - Service: FW Configuration Interpreter (UmxCfg) - Computer Associates International, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe
O23 - Service: FW User-Mode Helper (UmxFwHlp) - Computer Associates International, Inc. - C:\Program Files\Tiny Firewall\UmxFwHlp.exe
O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe
O23 - Service: FW Policy Manager (UmxPol) - Computer Associates International, Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe

--------------------------------------------------------------------------
Please get back to me ASAP. Thanks for your time and help, I really owe you one! :o

pskelley
2006-02-10, 17:33
Hello and welcome to the forum. I will see what I can do to help you out, but first I need to make you aware that your system security is severely compromised. My suggestion would be to stay offline until this is fixed; this junk does attract other junk.
First, you need to review the information so you can see what has been done to the system. Your passwords have very likely been compromised and you should consider changing them all, especially banking, etc.
http://www.sophos.com/virusinfo/analyses/w32codboty.html
Please follow these instructions in the posted order.

1) Ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/); it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

2) Disable the offending Service
Click Start > Run and type services.msc.
Scroll down to NetDDE Server and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type NetDDEsrv and press OK.
OK any prompts, close HijackThis, and restart your computer.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com//0seenus/saos01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINDOWS\System32\netddesrv.exe
(may be gone)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Enable hidden files & folders. Reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\System32\netddesrv.exe <<< file if it is still there

C:\Windows\Prefetch\ >>> delete everything in this folder (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ and review the instructions: http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and any feedback you think I should have.

Thanks...pskelley
Safer Networking Forums
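The triage pskelley does by eye on the HijackThis log above, and the check he asks for afterwards (post a new log so the fixed lines can be confirmed gone), can both be scripted. The Python below is an added example for this thread; it is not code from the thread, from HijackThis, or from Safer Networking. It parses the HJT v1.99 text format shown in the posts (section code, " - ", entry text), flags the classes of entries that were marked for fixing (R0/R1 browser overrides, an O23 service with an unknown owner) plus two classes a reviewer normally looks at as well (O20 Winlogon Notify entries whose DLL is missing, O17 DNS server overrides), and diffs a first log against a second to list what disappeared and what is new. The two logs embedded in it are short excerpts constructed from the logs posted in this thread; the flag categories are the example's own wording.

```python
"""
HijackThis log triage and before/after comparison (added example).

Reads the HJT v1.99 text format, flags entry classes that need a human
look, and diffs two logs. The embedded logs are constructed excerpts of
the two logs posted in the thread.
"""
import re

# An HJT entry line looks like "O23 - Service: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text):
    """Return [(code, body), ...] for each entry line. Header lines and the
    'Running processes' paths do not match the pattern and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Return [(reason, line), ...] for entries that deserve a look.
    A flag is a prompt to verify the entry, not a verdict on it."""
    findings = []
    for code, body in entries:
        line = f"{code} - {body}"
        if code == "O23" and "Unknown owner" in body:
            findings.append(("service with unknown owner", line))
        elif code == "O20" and "(file missing)" in body:
            findings.append(("Winlogon Notify DLL missing on disk", line))
        elif code in ("R0", "R1"):
            findings.append(("browser page/search override", line))
        elif code == "O17":
            findings.append(("DNS server override (verify against ISP)", line))
    return findings


def diff_logs(before, after):
    """Return (removed, added): entry lines only in the first log, and
    entry lines only in the second."""
    b = {f"{c} - {x}" for c, x in before}
    a = {f"{c} - {x}" for c, x in after}
    return sorted(b - a), sorted(a - b)


# Constructed excerpt of the first log posted in the thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com//0seenus/saos01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINDOWS\System32\netddesrv.exe
O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe
"""

# Constructed excerpt of the second log, posted after the fix.
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{97AF3437-328C-484F-A49D-2E4707CC5C52}: NameServer = 210.55.12.1 210.55.12.2
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe
"""


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    print("First log, entries to check:")
    for reason, line in triage(before):
        print(f"  [{reason}] {line}")
    removed, added = diff_logs(before, after)
    print("\nGone in the second log:")
    for line in removed:
        print("  " + line)
    print("\nNew in the second log (review; new is not the same as bad):")
    for line in added:
        print("  " + line)
```

Run on the excerpts, the diff confirms the R0, R1 and NetDDEsrv lines are gone and lists the O17 NameServer entry and the Ewido guard service as new; the O20 WRNotifier entry is flagged in both logs because it is an orphan (the DLL is missing on disk), which is worth cleaning up but is not what was making the machine crawl.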

erhem
2006-02-11, 00:51
thanks im doing this now
:bigthumb:

erhem
2006-02-11, 01:48
Thanks very much
I'm changing my passwords now...


Logfile of HijackThis v1.99.1
Scan saved at 1:46:04 PM, on 11/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PFShared\UmxCfg.exe
C:\Program Files\Tiny Firewall\UmxFwHlp.exe
C:\Program Files\Common Files\PFShared\UmxPol.exe
C:\Program Files\Tiny Firewall\UmxAgent.exe
C:\Program Files\Tiny Firewall\UmxTray.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\PFShared\umxlu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Startup Mechanic\StartupMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\mm\Desktop\hijackthis-virus cleaner\HijackThis.exe
C:\Program Files\Common Files\PFShared\SyncEvnt.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Startup Manager Scanner] C:\Program Files\Startup Mechanic\StartupMonitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AMonitor] C:\Program Files\Tiny Firewall\amon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97AF3437-328C-484F-A49D-2E4707CC5C52}: NameServer = 210.55.12.1 210.55.12.2
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: FW Event Manager (UmxAgent) - Computer Associates International, Inc. - C:\Program Files\Tiny Firewall\UmxAgent.exe
O23 - Service: FW Configuration Interpreter (UmxCfg) - Computer Associates International, Inc. - C:\Program Files\Common Files\PFShared\UmxCfg.exe
O23 - Service: FW User-Mode Helper (UmxFwHlp) - Computer Associates International, Inc. - C:\Program Files\Tiny Firewall\UmxFwHlp.exe
O23 - Service: FW Live Update (UmxLU) - Tiny Software, Inc. - C:\Program Files\Common Files\PFShared\umxlu.exe
O23 - Service: FW Policy Manager (UmxPol) - Computer Associates International, Inc. - C:\Program Files\Common Files\PFShared\UmxPol.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:26:57 PM, 11/27/2005
+ Report-Checksum: 3D63CFC9

+ Scan result:

C:\WINDOWS\system32\TFTP1836 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\TFTP836 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\msgconfigre.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\TFTP1256 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\owinmsaw.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rldsregj.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\TFTP3644 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\msoftconf.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\scrtkfg.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\netddesrv.exe -> Backdoor.Codbot.bd : Cleaned with backup
C:\Documents and Settings\mm\Cookies\mm@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\mm\Cookies\mm@spylog[1].txt -> TrackingCookie.Spylog : Cleaned with backup
C:\Documents and Settings\mm\Cookies\mm@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\mm\Cookies\mm@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned with backup
C:\Documents and Settings\mm\Cookies\mm@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\mm\Cookies\mm@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106072.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106073.exe -> Downloader.VB.jl : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106074.exe -> Trojan.LowZones.cq : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106075.exe -> Downloader.VB.jl : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106076.exe -> Trojan.LowZones.cq : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106077.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106078.exe -> Downloader.VB.jl : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106079.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106081.exe -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106083.exe -> Downloader.VB.jl : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106084.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106085.exe -> Trojan.LowZones.cf : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106087.exe -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106088.exe -> Trojan.LowZones.am : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106089.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP154\A0114095.ocx -> Adware.MediaMotor : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP154\A0115100.exe -> Logger.VB.eh : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP154\A0115101.ocx -> Downloader.VB.ov : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP154\A0115102.dll -> Downloader.Qoologic.ae : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP154\A0115103.cpl -> Downloader.Qoologic.ad : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP154\A0115104.exe -> Adware.ZenoSearch : Cleaned with backup
C:\FOUND.014\FILE0003.CHK -> Trojan.LowZones.ct : Cleaned with backup
C:\FOUND.014\FILE0004.CHK -> Trojan.LowZones.ct : Cleaned with backup
C:\FOUND.014\FILE0005.CHK -> Trojan.LowZones.cq : Cleaned with backup
C:\FOUND.014\FILE0006.CHK -> Trojan.LowZones.cq : Cleaned with backup
C:\FOUND.014\FILE0007.CHK -> Downloader.VB.jl : Cleaned with backup
C:\FOUND.014\FILE0008.CHK -> Downloader.VB.jl : Cleaned with backup


::Report End

pskelley
2006-02-15, 20:15
Hello, I must apologize, I did not get notified as I should have when you posted. If you post and do not hear from me within 8 hours of the post, send me a message here: http://forums.spybot.info/private.php?do=newpm&u=233

Looking at your logs now: OK... the HJT log is clean and it appears you and Ewido killed all of the bad stuff; you can even see the bad item that was cleaned. Let me cover a few things with you.

1) Since you appear clean right now (Logfile of HijackThis v1.99.1, Scan saved at 1:46:04 PM, on 11/27/2005), here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

2) Ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

3) System Restore does not know good from bad, it backs up everything. In case some of the infection got into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, restart your computer and turn it back on.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

4) Check all of your security programs to make sure they are functioning properly, see this one that was removed:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.lowzones.html

Safe surfing...Phil

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
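Point 3 above is easier to act on when the scan report is sorted by where each detection sat, because the location decides the follow-up: copies inside System Restore points are only cleared for good by turning System Restore off and on again, FOUND.xxx\*.CHK files are fragments chkdsk recovered, tracking cookies are just that, and only the System32 entries were the live infection. The Python below is an added example for this thread, not code from the thread or from Ewido; it parses the report format posted above ("path -> detection name : action"), buckets each hit by location, tallies detection families, and lists which restore points held infected copies. The report embedded in it is a constructed excerpt of the one posted in the thread, and the bucket names are the example's own.

```python
"""
Classify Ewido scan-report detections by location (added example).

Parses "<path> -> <detection name> : <action>" lines and groups them by
what the location means for cleanup. The embedded report is a constructed
excerpt of the one posted in the thread.
"""
import re
from collections import Counter

DETECTION_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+)$")
# Restore-point folder inside System Volume Information, e.g. \RP153\
RESTORE_POINT_RE = re.compile(r"\\(RP\d+)\\")


def parse_report(text):
    """Return a list of {'path', 'name', 'action'} dicts, one per detection."""
    hits = []
    for raw in text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def location(path):
    """Bucket a detected path by what it means for cleanup."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system restore point"
    if "\\cookies\\" in p:
        return "browser cookie"
    if "\\found." in p:
        return "chkdsk recovered fragment"
    if "\\windows\\system32\\" in p:
        return "live system directory"
    return "other"


def family(name):
    """'Trojan.LowZones.ct' -> 'Trojan.LowZones' (variant suffix dropped)."""
    return ".".join(name.split(".")[:2])


def summarize(hits):
    """Counts per location and per family, plus the restore points touched."""
    by_location = Counter(location(h["path"]) for h in hits)
    by_family = Counter(family(h["name"]) for h in hits)
    restore_points = set()
    for h in hits:
        if location(h["path"]) == "system restore point":
            m = RESTORE_POINT_RE.search(h["path"])
            if m:
                restore_points.add(m.group(1))
    return {
        "total": len(hits),
        "by_location": dict(by_location),
        "by_family": dict(by_family),
        "restore_points": sorted(restore_points),
    }


def live_detections(hits):
    """Detection names found in a live system directory, i.e. the files that
    were running or could run, as opposed to backup copies."""
    return sorted({h["name"] for h in hits
                   if location(h["path"]) == "live system directory"})


# Constructed excerpt of the Ewido report posted in the thread.
REPORT = r"""
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:26:57 PM, 11/27/2005
+ Scan result:

C:\WINDOWS\system32\TFTP1836 -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\owinmsaw.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\netddesrv.exe -> Backdoor.Codbot.bd : Cleaned with backup
C:\Documents and Settings\mm\Cookies\mm@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP153\A0106072.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP154\A0115100.exe -> Logger.VB.eh : Cleaned with backup
C:\System Volume Information\_restore{059F38FA-0CF7-4A18-86F7-4114C4CD812E}\RP154\A0115104.exe -> Adware.ZenoSearch : Cleaned with backup
C:\FOUND.014\FILE0003.CHK -> Trojan.LowZones.ct : Cleaned with backup
C:\FOUND.014\FILE0007.CHK -> Downloader.VB.jl : Cleaned with backup

::Report End
"""


if __name__ == "__main__":
    hits = parse_report(REPORT)
    s = summarize(hits)
    print(f"{s['total']} detections")
    for loc, n in sorted(s["by_location"].items()):
        print(f"  {n:>3}  {loc}")
    print("restore points holding infected copies:", ", ".join(s["restore_points"]))
    print("live (non-backup) detections:", ", ".join(live_detections(hits)))
```

On the full report in the thread the restore-point bucket is the largest by far (RP153 and RP154), which is exactly why the System Restore flush in point 3 matters: every restore of those points would have brought the LowZones, Qoologic and ZenoSearch copies back. The live-directory bucket is the short list of what actually ran (the Rbot and Codbot backdoors and the ZenoSearch adware), and that is the list to keep in mind when checking, per point 4, that the firewall and other security programs still behave.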

tashi
2006-02-20, 00:28
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the topic.
:)