#1
Hijacked or virus
I've spent all day running Ad-aware, Spybot and HiJackThis trying to get rid of all of the problems that my computer has somehow accumulated. There is apparently something that these programs are not catching though. I did a virus scan through housecall.trendmicro.com and found a few more problems, but all is still not well.
Problems I am still having:
1) Many pop-ups even when I do not have IE running. A pop-up from 680180.net is always the first.
2) At random times, and then every time I try to log in to Yahoo Mail (when I click the sign-in button), IE closes down. It doesn't even give an Error Message or the Send Error Report message.
3) hiwinnager.dat: this file keeps appearing in my C:/ directory. It recreates itself no matter how many times I delete it.

Here is my HiJackThis logfile:

Logfile of HijackThis v1.98.0
Scan saved at 5:20:58 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cvss.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jimmy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: SDWin32 Class - {E68640D4-C5B3-44F7-B0D2-9C33A6B900AB} - C:\WINDOWS\System32\irzic.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.dpmr.kde.state.ky.us/viewer/activeXViewer/activexviewer.cab

Thanks for any help in advance.

#2
update ...
I have now followed some of Tom Myboy's advice ...
I have installed and run the following: SpywareBlaster, SpywareGuard, IE-SPYAD. I have checked my ActiveX settings and they are OK. I have run the Trend Micro and Symantec virus scans and removed all the files that they found. I have downloaded and installed all critical updates from Microsoft. I still have the three problems listed below though. Thanks for any help that you guys can provide.

#3
Hi iakovosjam.
It sounds like you are doing all the right things! I see HijackThis is running on your Desktop. Please open My Computer > double-click your C:\ drive > File > New > Folder > name it HJT and put the program (HijackThis) into that folder. Please rescan with HijackThis and post an updated log. Some items have probably changed since the work you have done recently (the virus removal, etc). Tom
__________________
HijackThis, Ad-aware, Spybot Search & Destroy, SpywareBlaster, SpywareGuard, Housecall Online A/V Scan. Please read the stickies at the top of the forum before posting!

#4
Here you go Tom ... Thanks for the help. Note that I have installed Zone Labs Integrity Client (firewall). I'm still experiencing the same three problems I listed before. Pop-ups from 680180.net occur even though they are listed as a restricted site. I'm not able to sign on to Hotmail or visit this website without IE shutting down (I'm using my laptop now). My computer has also gotten sluggish ... CPU usage staying at 100%, even when I'm not running anything that doesn't run continuously (i.e. not running AIM, IE, Word ...). The two programs sharing all of the 100% are vsmon.exe and iexplore.exe (but I don't have an IE browser open ...).

Here is my logfile (sent to my laptop via AIM file transfer):

Logfile of HijackThis v1.98.0
Scan saved at 4:44:10 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cvss.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: SDWin32 Class - {E68640D4-C5B3-44F7-B0D2-9C33A6B900AB} - C:\WINDOWS\System32\irzic.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.dpmr.kde.state.ky.us/viewer/activeXViewer/activexviewer.cab

Thanks!

Last edited by iakovosjam : July 29th, 2004 at 04:15 PM. Reason: typo

#5
It's nice to see someone put all the tools available to work (firewall, SpywareGuard, etc.)!

You might want to print these instructions.

Log off your internet connection. Run HijackThis, close all browsers and any other windows, place a checkmark next to the following items. Click "Fix checked".
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: SDWin32 Class - {E68640D4-C5B3-44F7-B0D2-9C33A6B900AB} - C:\WINDOWS\System32\irzic.dll

Optional fix, resource hog. OK to fix this one too:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Boot into Safe Mode: reboot your computer, start tapping F8 when it first starts booting, select Safe Mode.

Show hidden files: How to show hidden files and folders. http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Delete the following files:
C:\WINDOWS\VoiceIP.dll
C:\WINDOWS\System32\irzic.dll

Reboot normally and post a fresh log.

Tom

#6
Here is a new Hijack This logfile. I couldn't get Hijack This to get rid of the two 'R0' problems. I'm also still experiencing 100% CPU Usage. Thanks again for all of your help.
Logfile of HijackThis v1.98.0
Scan saved at 10:57:06 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\cvss.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\devldr32.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.dpmr.kde.state.ky.us/viewer/activeXViewer/activexviewer.cab

#7
You can boot into Safe Mode and delete these two with HJT:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

Other than that, your log is clean.

vsmon.exe is a part of Zone Alarm. Is it still using a large amount of CPU time? iexplore.exe can be virus related, if it's associated with a rogue startup, but it would show up in your log.

Here are removal instructions for 680180.net (Zamingo). Please use the following removal steps to remove this adware:
1. Click Start > Run, enter 'regedit' to open the registry editor.
2. Navigate to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. In the right pane, delete the value 'Adstartup'.
3. Close the registry editor.
4. Open a DOS command prompt window, enter the following commands:
For Windows 2000/XP:
cd %WinDir%System32
regsvr32 /u SWin32.dll
Or for Windows 98/Me:
cd %WinDir%System
regsvr32 /u SWin32.dll
5. Reboot the computer.
6. Open Windows Explorer, type %WinDir%/System32 to open the system folder. Delete the following files (if present):
ADStartUP.exe
AdUpdater.exe
Swin32.dll
AutoMove.exe
adupdmanager.xml
data.xml
IEEnhancer.dll
Trans.exe
Credit for fix: http://www.spyany.com/program/article_adw_rm_Zamingo.html

Reboot and post a fresh log.

Tom

#8
Tom -
1) Even in Safe Mode HJT won't delete these two:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
2) 680180.net (Zamingo): I couldn't find the registry value 'Adstartup.' From the DOS prompt, I got a message saying that the commands were invalid. I could see that there was a regsrv32.exe, but I couldn't get it to run, even without the '/u SWin32.dll' part. I also looked in the system folder and did not find any of the files you listed to delete. The good news is that I haven't gotten the pop-up recently, so that problem may (somehow) have fixed itself.
3) So the biggest problem I'm still having is the CPU usage being at 100% constantly when I have an IE window open. The part of Zone Labs I.C. (vsmon) is still using the majority of the CPU speed. Do you think it's taking up so much of the CPU b/c of a problem with the program or b/c of a virus/adware/etc.? I could try to uninstall this version and switch to the free version that you mentioned earlier. Any other suggestions?

Once again, I appreciate all of your help and the time you have spent doing so.
-Jimmy

**fresh HJT log**

Logfile of HijackThis v1.98.0
Scan saved at 9:15:41 AM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cvss.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.dpmr.kde.state.ky.us/viewer/activeXViewer/activexviewer.cab

#9
vsmon.exe shouldn't take up all those CPU cycles. On my system it occasionally fluctuates from 0 to 29 and uses 8,044K of memory. I use the free version, but I can't see why the Pro version would be much different.

The file C:\WINDOWS\System32\cvss.exe is suspicious. I'd like you to perform an online scan at:
Bitdefender http://www.bitdefender.com/scan/licence.php

A trojan scan wouldn't hurt either. Install and perform a full system scan with each of these trial programs:
Trojan Hunter http://www.misec.net/trojanhunter/
DiamondCS TDS-3 http://tds.diamondcs.com.au/

Capture and post the results from your scans, reboot and post a fresh HijackThis log.

Tom
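The triage Tom does by eye in posts #5 and #9 (spot the BHO registered with no file, the BHOs with no known owner, the process whose name is one letter away from a core Windows binary) can be scripted. The following is an added example written for this page; it is not HijackThis, not Tom's procedure, and not anything the forum distributed. It parses the one-entry-per-line format HijackThis actually prints (the copies above were flattened by the forum), flags entries by the same rules, and diffs two logs to confirm what a "Fix checked" run removed. The sample logs are constructed from a handful of entries in the posts above; the BHO allow-list, the core-process list and the edit-distance lookalike rule are assumptions of the example, not facts from the thread.

```python
"""Triage helper for HijackThis-style logs.  Added example for this thread;
it is not HijackThis, Tom's procedure, or anything the forum shipped."""
import re

# Constructed sample logs: a few lines in the one-entry-per-line format the
# real tool prints, taken from the 7/29 log above (before Tom's fix) and the
# log posted after it.  Raw strings keep the single backslashes as-is.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\cvss.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VoiceIP.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: SDWin32 Class - {E68640D4-C5B3-44F7-B0D2-9C33A6B900AB} - C:\WINDOWS\System32\irzic.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\cvss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")

# Assumed allow-list (not from the thread): CLSIDs of BHOs we have verified.
KNOWN_BHO_CLSIDS = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",  # Adobe AcroIEHelper
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot SDHelper
    "{4A368E80-174F-4872-96B5-0B27DDD11DB2}",  # SpywareGuard dlprotect
}
# Core Windows XP image names (assumed list).  A running image that is not one
# of these but sits within two edits of one is reported as a lookalike.
KNOWN_PROCS = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
               "spoolsv", "explorer", "iexplore", "alg", "wuauclt"}


def parse(log):
    """Split a log into (process paths, [(section, body), ...])."""
    procs, entries, in_procs = [], [], False
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m["sec"], m["body"]))
        elif in_procs:
            procs.append(line)
    return procs, entries


def levenshtein(a, b):
    """Plain edit distance; good enough for short image names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(exe):
    """Known image names within two edits of an unknown name (e.g. cvss.exe)."""
    stem = exe.lower().rsplit(".", 1)[0]
    if stem in KNOWN_PROCS or len(stem) < 4:
        return []
    return sorted(k + ".exe" for k in KNOWN_PROCS
                  if abs(len(k) - len(stem)) <= 1 and levenshtein(stem, k) <= 2)


def flag_entries(log):
    """Return [(reason, line)] for processes and entries worth a second look."""
    procs, entries = parse(log)
    flags = []
    for p in procs:
        for k in lookalikes(p.rsplit("\\", 1)[-1]):
            flags.append((f"process name resembles {k}", p))
    for sec, body in entries:
        line = f"{sec} - {body}"
        if sec == "O2":
            m = BHO_RE.match(body)
            if not m:
                flags.append(("unparsed BHO line", line))
            elif m["path"] == "(no file)":
                flags.append(("orphaned BHO registration", line))
            elif m["clsid"].upper() not in KNOWN_BHO_CLSIDS:
                flags.append(("BHO not on allow-list", line))
        elif sec == "O1":
            flags.append(("hosts file override", line))
    return flags


def removed_entries(before, after):
    """Entries present in the first log but gone from the second."""
    _, b = parse(before)
    kept = set(parse(after)[1])
    return [f"{s} - {x}" for s, x in b if (s, x) not in kept]


if __name__ == "__main__":
    for reason, line in flag_entries(LOG_BEFORE):
        print(f"[{reason}] {line}")
    print("removed by fix:", *removed_entries(LOG_BEFORE, LOG_AFTER), sep="\n  ")
```

Feed it a log saved by HijackThis itself rather than a forum copy, and treat the allow-list as the part you maintain: every CLSID on it should be one whose DLL you have looked at. The lookalike rule is deliberately loose (it also pairs cvss.exe with smss.exe), so it is a prompt to check the file, not a verdict.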

#10
Tom -
I ran all three and each found and fixed several problems. Trojan Hunter found some that it didn't fix, though. It said that they were possible problems and that I should email them as attachments to be analyzed. I haven't done that yet, as it appears that they are all Temporary Internet Files that I can delete from the browser. Which do you think I should do?

Here are the results from the three scans and a new HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 1:11:11 PM, on 8/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cvss.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\devldr32.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031010/qtinstall.info.apple.com/mickey/us/win/QuickTimeFullInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.dpmr.kde.state.ky.us/viewer/activeXViewer/activexviewer.cab

#11
In light of the recent infections, let's purge system restore.
Disable System Restore:
1. Right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4. Click Apply.
5. This will delete all existing restore points. Click Yes to do this.
6. Click OK.

Then....
Open My Computer, browse to C:\Documents and Settings\User Name (repeat for all users)\Local Settings\Temp and delete all files and folders in it.
Open My Computer, browse to C:\Windows\Temp and delete all files and folders in it.
In Internet Explorer click Tools > Internet Options > General. Click "Delete Files", also check "Delete all offline content". Click OK.
Empty your Recycle Bin.

Then....
I'd like you to download Pocket Killbox. Download it to your Desktop. Run the program, copy and paste C:\WINDOWS\System32\cvss.exe into the window. Click the Delete on Reboot button. Then press Delete File (the red X). Be careful, this is a powerful tool and is unforgiving once you instruct it to delete something.
http://download.broadbandmedic.com/Killbox.exe

Reboot and post an updated HijackThis log.

Tom

#12
Tom - I keep waiting for you to recommend that I toss my computer out the window and go buy another .....

I've disabled System Restore, deleted all temp files under all users and the C:\WINDOWS\temp folder. I've deleted files/offline content, history and cookies for IE under each user. Then I deleted C:\WINDOWS\System\cvss.exe using Killbox.

During this, I learned something. HJT finds different things when run under different users on the same computer. I found a lot under my wife's login and even some under the Admin login (a cvss.exe startup entry for one) that we had already removed for my login, and I deleted them all.

Also, here is a little bit more info on my 100% CPU usage problem ... before I open up an IE browser, my usage is pretty normal (6-9%). When I open a browser it shoots immediately up to 100%. It looks like this:
iexplore.exe - 28 - 25328K
vsmon.exe - 62 - 7064K
Then when I close the browser, the iexplore.exe entry stays and continues to use a lot of memory/CPU (as well as vsmon). I cannot end the process either. If I end vsmon though, then things will return to normal.

Anyway ... thanks again for all your help. I know I say it in every post, but what you do is really great and I think you need to know how much I appreciate your time.

Here is a fresh log:

Logfile of HijackThis v1.98.0
Scan saved at 1:30:39 AM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\cvss.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Progra