Worm? Virus? Dr Dos or anyone...

dezod · September 4, 2006, 7:39pm

Well I snagged something on Toyota’s network and it fugged my computer bad. I have 95% of it all cleaned up after 200+ pieces of spyware AND 20 or so viruses.

The remaining problem is a worm or virus that seems to disable windows firewall and change my Norton Firewall settings. My NAV Corp Edt POS program says no viruses found, and was updated with fresh definitions yesterday. I am at whits end, and have been at this for about 5 days now non-stop.

Tried Windows Defender, Ad-Aware, Spy Bot, Crap Cleaner, Counter Spy, and some various other scanners and malicious software removers. Changed reg keys manually, and something on re-boot triggers them to be reset. Any help or feedback is appreciated.

LZ1 · September 4, 2006, 7:42pm

lol

Try booting to safe mode and using Hijackthis…

If you can figure out what files are causing probblems but can’t delete them…ERD Commander works well you can boot to that and delete whatever spyware/virus was causing probblems.

LZ1 · September 4, 2006, 7:43pm

A lot of those “anti spyware” programs suck…and have spyware built in btw…

I use Avast antivirus on a lot of computers…you install it…and run the boot time scan that gets rid of most stuff.

Poose22 · September 4, 2006, 7:44pm

.

dezod · September 4, 2006, 7:46pm

I just DL’d hijackthis. All of the programs on there seems legit. Not sure how else to proceed.

Anymore info on that AV prog?

LZ1 · September 4, 2006, 7:51pm

Run hijackthis…save the log and post it here.

Daddie · September 4, 2006, 7:52pm

Post your scan here

we will help

Poose22 · September 4, 2006, 8:01pm

.

dezod · September 5, 2006, 6:23am

Well, my AV program found a worm. I disconnected from the internet and am scanning in safe mode as we speak. Thank god for other computers. LOL

Soon as I have that worm under control, I will post the log. Thanks fellas!

LZ1 · September 5, 2006, 3:55pm

still waiting.

DrDoS · September 5, 2006, 3:56pm

i dont suggest hijackthis to novice users.

edit

uninstall NIS
Reboot in safe mode
run your task manager
goto the process tab
and look at the process that are running
get the name of each file…
such as taskbar.ext or so forth
goto this site here
http://www.processlibrary.com/
search each process and see what comes up
that sould take care of most stupid viri/trojans
some nasty ones will infect system files and just become a part of the system file
also look at ur regedit and see if you notice anything wrong in the startup folder.

BuickGN · September 5, 2006, 3:58pm

of google it and be done

ILCisDEAD · September 5, 2006, 4:25pm

thast great for the processes that are actually on there… hijackthis shows shit thats not showing

use hijack this … and paste what you get… don’t fucking do anything else… and we will give you the instructions

dezod · September 5, 2006, 4:25pm

Logfile of HijackThis v1.99.1
Scan saved at 7:24:21 PM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32$sys$filesystem$sys$DRMServer.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\rundll.exe
C:\WINDOWS\System32 cpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1
opdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1133814008\ee\AOLSoftware.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files II\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM…\Run: [HostManager] C:\Program Files\Common Files\AOL\1133814008\ee\AOLSoftware.exe
O4 - HKLM…\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM…\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM…\Run: [QD FastAndSafe] C:\Program Files\Norton SystemWorks\Norton CleanSweep\QDCSFS.exe /startup
O4 - HKLM…\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM…\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM…\Run: [MIDI Sound Handler] HSMIDI.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm (file missing)
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: www.7thgencivic.com
O15 - Trusted Zone: 7thGenCivic.com Forum .url
O15 - Trusted Zone: http://www.dezod.com
O15 - Trusted Zone: http://.ekeystone.com
O15 - Trusted Zone: http://.ekeystoneexpress.com
O15 - Trusted Zone: .elitemediagroup.net
O15 - Trusted Zone: http://.fedex.com
O15 - Trusted Zone: http://.optauto.com
O15 - Trusted Zone: UBRF.ORG - powered by vBulletin.url
O15 - Trusted Zone: http://www.stainlesssteelbrakes.com
O15 - Trusted Zone: forums.thevboard.com
O15 - Trusted Zone: http://.ups.com
O15 - Trusted Zone: manager.verisign.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157261535484
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\fp6603jse.dll (file missing)
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\en6ol1j31.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32$sys$filesystem$sys$DRMServer.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32
vsvc32.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1
opdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot=“Software\Sony Corporation\VAIO Media Platform\2.0” /RegExt=“Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe” /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot=“Software\Sony Corporation\VAIO Media Platform\2.0” /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

ILCisDEAD · September 5, 2006, 4:28pm

well at a glance

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

not great to have two anti-virus protection progs

they can conflict

edit: looking through more

LZ1 · September 5, 2006, 4:29pm

O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe

lol

ILCisDEAD · September 5, 2006, 4:32pm

yea i saw that too lol

this too

O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe

dezod · September 5, 2006, 4:35pm

WTF is that.

LZ1 · September 5, 2006, 4:35pm

Something thats not supposed to be there.

ILCisDEAD · September 5, 2006, 4:38pm

yea pretty much nothing but windows files should be in the c:\windows or …\system32

Topic		Replies	Views
My computer has the HIV... PittSpeed Off Topic	7	246	January 7, 2009
virus, program on my PC PittSpeed Off Topic	41	1394	October 31, 2006
computer help needed. i think i got hijacked PittSpeed Off Topic	5	280	March 29, 2010
fux0r3d my computer in four seconds. NYSpeed Off Topic	19	1719	June 19, 2007
Antivirus XP 08 Virus! wtf! NYSpeed Off Topic	12	326	July 29, 2008

Worm? Virus? Dr Dos or anyone...

Related Topics