dezod
September 4, 2006, 7:39pm
1
Well I snagged something on Toyota’s network and it fugged my computer bad. I have 95% of it all cleaned up after 200+ pieces of spyware AND 20 or so viruses.
The remaining problem is a worm or virus that seems to disable Windows Firewall and change my Norton Firewall settings. My NAV Corp Edt POS program says no viruses found, and was updated with fresh definitions yesterday. I am at wits' end, and have been at this for about 5 days now non-stop.
Tried Windows Defender, Ad-Aware, Spy Bot, Crap Cleaner, Counter Spy, and some various other scanners and malicious software removers. Changed reg keys manually, and something on re-boot triggers them to be reset. Any help or feedback is appreciated.
LZ1
September 4, 2006, 7:42pm
2
lol
Try booting to safe mode and using Hijackthis…
If you can figure out what files are causing problems but can't delete them… ERD Commander works well; you can boot to that and delete whatever spyware/virus was causing problems.
LZ1
September 4, 2006, 7:43pm
3
A lot of those "anti-spyware" programs suck… and have spyware built in, btw…
I use Avast antivirus on a lot of computers… you install it… and run the boot-time scan; that gets rid of most stuff.
dezod
September 4, 2006, 7:46pm
5
lol
Try booting to safe mode and using Hijackthis…
If you can figure out what files are causing problems but can't delete them… ERD Commander works well; you can boot to that and delete whatever spyware/virus was causing problems.
I just DL'd HijackThis. All of the programs on there seem legit. Not sure how else to proceed.
Any more info on that AV prog?
LZ1
September 4, 2006, 7:51pm
6
Run HijackThis… save the log and post it here.
dezod
September 5, 2006, 6:23am
9
Well, my AV program found a worm. I disconnected from the internet and am scanning in safe mode as we speak. Thank God for other computers. LOL
Soon as I have that worm under control, I will post the log. Thanks fellas!
DrDoS
September 5, 2006, 3:56pm
11
I don't suggest HijackThis to novice users.
edit
uninstall NIS
Reboot in safe mode
run your task manager
go to the process tab
and look at the processes that are running
get the name of each file…
such as taskbar.ext or so forth
go to this site here
http://www.processlibrary.com/
search each process and see what comes up
that should take care of most stupid viruses/trojans
some nasty ones will infect system files and just become a part of the system file
also look at your regedit and see if you notice anything wrong in the startup folder.
That's great for the processes that are actually on there… HijackThis shows shit that's not showing.
Use HijackThis… and paste what you get… don't fucking do anything else… and we will give you the instructions.
dezod
September 5, 2006, 4:25pm
14
Logfile of HijackThis v1.99.1
Scan saved at 7:24:21 PM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\rundll.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1133814008\ee\AOLSoftware.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files II\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133814008\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [MIDI Sound Handler] HSMIDI.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm (file missing)
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: www.7thgencivic.com
O15 - Trusted Zone: 7thGenCivic.com Forum .url
O15 - Trusted Zone: http://www.dezod.com
O15 - Trusted Zone: http://*.ekeystone.com
O15 - Trusted Zone: http://*.ekeystoneexpress.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://*.fedex.com
O15 - Trusted Zone: http://*.optauto.com
O15 - Trusted Zone: UBRF.ORG - powered by vBulletin.url
O15 - Trusted Zone: http://www.stainlesssteelbrakes.com
O15 - Trusted Zone: forums.thevboard.com
O15 - Trusted Zone: http://*.ups.com
O15 - Trusted Zone: manager.verisign.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157261535484
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fp6603jse.dll (file missing)
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\en6ol1j31.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
Well, at a glance:
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
Not great to have two anti-virus protection progs; they can conflict.
edit: looking through more
LZ1
September 5, 2006, 4:29pm
16
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
lol
Yeah, I saw that too lol
This too:
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
LZ1
September 5, 2006, 4:35pm
19
Something that's not supposed to be there.
Yeah, pretty much nothing but Windows files should be in C:\WINDOWS or …\System32.
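To triage a log like the one posted above, here is an added example that is not part of the original thread and not HijackThis's own code: a small Python script that applies the checks the replies rely on (LZ1's "nothing but Windows files in C:\WINDOWS" rule, the "Unknown owner" services, the orphaned Winlogon Notify entries, and DrDoS's look-at-each-running-process step) to a constructed log sample laid out like HijackThis 1.99.1 output. The sample lines, the allowlist of stock XP files that live directly in the Windows root, and the rule names are assumptions for the example.

```python
import re

# Constructed sample in HijackThis v1.99.1 layout, modelled on the log posted
# in this thread (a handful of its lines, some paths simplified). Not the
# poster's full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\rundll.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\rtvscan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [MIDI Sound Handler] HSMIDI.EXE
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fp6603jse.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
"""

# Assumption: the stock XP binaries that sit directly in the Windows root
# (not in a subfolder). Anything else there gets flagged, which is LZ1's
# rule of thumb from the thread turned into a check.
WINDOWS_ROOT_ALLOW = {
    "explorer.exe", "regedit.exe", "notepad.exe", "hh.exe",
    "winhlp32.exe", "taskman.exe", "twain_32.dll",
}

# A file directly under <drive>:\WINDOWS\ with no subfolder in between.
ROOT_FILE_RE = re.compile(r"^[a-z]:\\windows\\([^\\]+\.(?:exe|dll|sys))$", re.I)
ENTRY_RE = re.compile(r"^[RFNO]\d+ - ")          # start of the Rn/Fn/Nn/On section
RUN_RE = re.compile(r"^O4 - .*?: \[[^\]]*\] (.+)$")  # O4 lines of the [name] target form


def in_windows_root(path):
    """True if path is a non-allowlisted binary directly in the Windows root."""
    m = ROOT_FILE_RE.match(path.strip().strip('"'))
    return bool(m) and m.group(1).lower() not in WINDOWS_ROOT_ALLOW


def triage(log_text):
    """Return (rule, line) pairs for log lines that deserve a manual look."""
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            section = "processes"
            continue
        if ENTRY_RE.match(line):
            section = "entries"
        if section == "processes":
            # DrDoS's step: look at every running image; start with the ones
            # launched from the Windows root rather than a subfolder.
            if in_windows_root(line):
                findings.append(("windows-root-binary", line))
            continue
        if section != "entries":
            continue
        tag = line.split(" - ", 1)[0]
        if tag == "O23":
            # HJT prints "Unknown owner" when the binary carries no company
            # name in its version info; legitimate unsigned services show up
            # this way too, so this is a review queue, not a verdict.
            if " - Unknown owner - " in line:
                findings.append(("service-unknown-owner", line))
            if in_windows_root(line.rsplit(" - ", 1)[1]):
                findings.append(("windows-root-binary", line))
        elif tag == "O20" and line.endswith("(file missing)"):
            # A Winlogon Notify DLL that is registered but absent: typically
            # the leftover of a removed or quarantined component.
            findings.append(("winlogon-notify-missing", line))
        elif tag == "O4":
            m = RUN_RE.match(line)
            if m:
                target = m.group(1).strip().strip('"')
                if "\\" not in target:
                    # Bare file name: resolved through the search path at
                    # logon, so whichever copy wins the lookup gets executed.
                    findings.append(("run-entry-bare-filename", line))
                elif in_windows_root(target):
                    findings.append(("windows-root-binary", line))
    return findings


def summarize(findings):
    """Count findings per rule."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Run against the sample it lists the two Windows-root executables from the process list, the two "Unknown owner" services (which point at the same two files), the orphaned Winlogon Notify entry, and the Run value that names HSMIDI.EXE without a path. None of these is proof on its own: the Sony VAIO services in the posted log are also "Unknown owner", and a bare file name in a Run key only means the lookup is ambiguous. The script shortens the list to what a human then checks by hand, as the replies in this thread do.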