DaniWeb IT Discussion Community
Viruses, Spyware and other Nasties section (Tech Talk)
Views: 10874 | Replies: 27
DMR
Re: Browser redirect/about:blank/other problems...
#11 | Feb 26th, 2005
Originally Posted by TheAlex
I forget to mention I have also blocked a file called mcafee32.exe - judging by research I've done I think I should delete this too?

Yes, it's malicious.
Other than that though, the good news is that your log looks clean now.

As for the modem/Internet settings, I'm not sure about that and don't have the time to research it right now. I'll get back to you after I've had a chance to do so.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing


Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
dlh6213
#12 | Feb 26th, 2005
You need to go to Windows Update and get the Critical Updates for your system, at least SP1.
Links to help you help yourself:

Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html

Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html

Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
DMR
#13 | Feb 26th, 2005
Thanks for the catch, Danny.
TheAlex
#14 | Feb 27th, 2005
Originally Posted by dlh6213
You need to go to Windows Update and get the Critical Updates for your system, at least SP1.
I bought the updates on CD, so once I get my computer clean...

I've still had the browser redirect, the spyware frame at the bottom of IE, and winwiz32.exe trying to access the Internet even though I deleted it...

The about:blank problem has stopped and I can also access the Internet as soon as my computer starts up now.

Should I update to SP2 anyway?
crunchie (Moderator)
#15 | Feb 27th, 2005
I am logging off now, but if you want, you can download Silent Runners so that we can see if there is anything else running there that HijackThis cannot pick up. I will have to check back tomorrow to have a look at the results.

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.
Proud member of ASAP (Alliance of Security analysis Professionals).
Links: Opera | How you got infected | AVAST anti-virus | Comodo Firewall | Spywareblaster

Please do not PM me for help. Instead, post in the public forum where others may benefit.
TheAlex
#16 | Feb 27th, 2005
How do I run that? It was associated with Xing player (video/MP3 software) but I've removed that association...
www.last.fm/music/The+Cakes
One day to go!

www.holeinmyhead.co.uk
Gig & travel photos, writing, artwork & other stuff...
DMR
#17 | Feb 27th, 2005
Originally Posted by TheAlex
Should I update to SP2 anyway?
No, definitely not yet. Installing SP2 on an infected or otherwise problematic system is not recommended; you could easily end up with much larger problems than you have now.

You can (and should) make sure you've applied all of the current critical/security updates for your current version of XP, but hold off on the SP2 upgrade until your computer is clean.


Originally Posted by TheAlex
How do I run that? It was associated with Xing player (video/MP3 software) but I've removed that association...

SilentRunners is just a VB (Visual Basic) script; if it somehow showed up as associated with Xing, that was a mistake on Windows' part.

The file should have a .vbs extension (if it doesn't, rename it so that it does), which would tell Windows that the file is a self-executing script. If the script won't run properly for some reason, try right-clicking on it, choose the "Open With..." option, and see if you have the option to open the file with the Windows Based Script Host. If you do, that program will run the script.
TheAlex
#18 | Feb 27th, 2005
I get the error message "There is no script engine for file extension ".vbs"."

I'll see if I can run it through DOS later today...
DMR
#19 | Feb 27th, 2005
It seems like you don't have the Windows Scripting Host installed; you can download the Win XP/2000 version here:

http://www.microsoft.com/downloads/d...displaylang=en
TheAlex
#20 | Mar 1st, 2005
"Silent Runners.vbs", revision 31.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "F:\WINDOWS\System32\ctfmon.exe" [MS]
"msnmsgr" = ""F:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"USRpdA" = "F:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" ["U.S. Robotics Corporation"]
"IMJPMIG8.1" = "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "F:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"NAV Agent" = "F:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"iamapp" = "F:\Program Files\Norton Internet Security\IAMAPP.EXE" ["Symantec Corporation"]
"BTopenworld" = ""f:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial" ["British Telecommunications plc"]
"HPDJ Taskbar Utility" = "F:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"TkBellExe" = ""F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""F:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SSC_UserPrompt" = "F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"rdspclips.exe" = "rdspclips.exe" [null data]
"sprmover.exe" = "sprmover.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3A90D030-B644-4899-9C75-CAAB7977E62D}\(Default) = "Name" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\msufe.dll" [null data]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "CNavExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
"{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}" = "FTP Explorer Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "ftpxext.dll" ["FTPx Corp."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "F:\PROGRA~1\NORTON~1\NAVW32.exe /task:F:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "F:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Norton AntiVirus Auto Protect Service, navapsvc, "F:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
Norton Internet Security Accounts Manager, NISUM, "F:\Program Files\Norton Internet Security\NISUM.EXE" ["Symantec Corporation"]
Norton Internet Security Proxy Service, SymProxySvc, "F:\Program Files\Norton Internet Security\SymProxySvc.exe" ["Symantec Corporation"]
Norton Internet Security Service, NISSERV, "F:\Program Files\Norton Internet Security\NISSERV.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
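A small triage pass over a Silent Runners log like the one posted above, added here as an example and not part of the thread or of the Silent Runners script itself. It parses the Run-key, BHO and shell-extension lines and flags the entries a helper would look at first: files tagged [null data] or [file not found], bare filenames with no fixed path, and a BHO registered under a placeholder display name. The sample lines are copied from the posted log; the regexes, the triage() function and the heuristics are my own assumptions about the log format.

```python
import re
# Silent Runners prints "name" = "command" [tag] under a Run key, {CLSID}\(Default) =
# "display name" [from CLSID] for a BHO, and -> ...\InProcServer32\(Default) = "path" [tag].
# The tag is what it learned about the file: a publisher or [MS] is expected; [null data]
# means no version resource at all, [file not found] means the key points at nothing.
ENTRY_RE = re.compile(
    r'^(?P<key>-> \{CLSID\}\\InProcServer32\\\(Default\)'
    r'|\{[0-9A-Fa-f-]+\}\\\(Default\)|"(?P<name>[^"]*)")'
    r' = "(?P<value>.*)" \[(?P<tag>[^\]]*)\]$')
# A command may be quoted and carry arguments; keep only the binary (else the whole value).
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|com|scr|vbs)\b|[^"]*)', re.IGNORECASE)

# Constructed sample: lines copied from the Silent Runners log posted above.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""F:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"rdspclips.exe" = "rdspclips.exe" [null data]
"sprmover.exe" = "sprmover.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3A90D030-B644-4899-9C75-CAAB7977E62D}\(Default) = "Name" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "F:\WINDOWS\System32\msufe.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
'''

def triage(log_text):
    """Return [(executable, reasons)] for the entries a reviewer should check first."""
    findings, display_name = [], None
    for m in filter(None, (ENTRY_RE.match(l.strip()) for l in log_text.splitlines())):
        value, tag = m.group("value"), m.group("tag")
        if tag == "from CLSID":            # BHO header line: remember its display name
            display_name = value
            continue
        exe, reasons = EXE_RE.match(value).group("exe"), []
        if tag == "null data":
            reasons.append("binary carries no publisher or version information")
        if tag == "file not found":
            reasons.append("registry entry points at a missing file")
        if "\\" not in exe:
            reasons.append("bare filename, resolved via the search path rather than a fixed location")
        if m.group("key").startswith("->") and display_name in ("", "Name"):
            reasons.append("BHO registered under a placeholder display name")
        display_name = None                # the -> line consumes the BHO header
        if reasons:
            findings.append((exe, reasons))
    return findings
```

On the sample it reports rdspclips.exe, sprmover.exe, msufe.dll and deskpan.dll while letting the signed MSN Messenger and Adobe entries through.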
Forum system based on vBulletin Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
©2003 - 2008 DaniWeb® LLC