User Name Password Register
DaniWeb IT Discussion Community
Home
Forums
Tutorials
Blogs
Link Directory
All
What is DaniWeb IT Discussion Community?
You're currently browsing the Viruses, Spyware and other Nasties section within the Tech Talk category of DaniWeb, a massive community of 391,897 software developers, web developers, Internet marketers, and tech gurus who are all enthusiastic about making contacts, networking, and learning from each other. In fact, there are 3,555 IT professionals currently interacting right now! Registration is free, only takes a minute and lets you enjoy all of the interactive features of the site.
Join our community!
Please support our Viruses, Spyware and other Nasties advertiser:
Views: 1496 | Replies: 8
Reply
Join Date: Mar 2006
Posts: 13
Reputation: bearpunk is an unknown quantity at this point 
Rep Power: 3
Solved Threads: 0
bearpunk bearpunk is offline Offline
Newbie Poster

recurring spyware/virus problem.. girls.exe etc...

  #1  
May 23rd, 2006
hi everyone-
about 2 months ago i had a problem with surfsidekick 3 and new dot net and a bunch of ther nastygrams.. i got rid of everything and even went ahead and purchased spysweeper. it seemed great or about 2 weeks and now nearly every day my computer locks up, i reboot it, and EVERY TIME i reboot something pops up. lately it's been girls.exe in my root directory.
i don't know what to do to get rid of everything and prevent this from happening. i dont click on spam or ads, i dont leave my computer running with the internet connected, i use firefox not ie, i dont even use p2p software... i'm so confused.

i did a kaspersky scan and the only two files that come up in c:\winnt are not there when i go to delete them (one is devldrv.exe listen in the HJT log). i went through my control panel and set it to view hidden files and they still don't show up... that's the only lead i have.

anyhow, here's my hijack this log incase anyone sees anything fishy. please give me some advice!
thanks!

Logfile of HijackThis v1.99.1
Scan saved at 2:57:07 AM, on 5/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\devldr32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\explorer.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,winusmx.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\mdidlpm.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Microsoft Windows Driver Service (Windows Driver Service) - Unknown owner - C:\WINNT\devldr32.exe
AddThis Social Bookmark Button
Reply With Quote  
Join Date: Jul 2005
Location: FL.
Posts: 1,536
Reputation: tayspen is on a distinguished road 
Rep Power: 7
Solved Threads: 98
Colleague
tayspen's Avatar
tayspen tayspen is offline Offline
<Insert title here>

Re: recurring spyware/virus problem.. girls.exe etc...

  #2  
May 23rd, 2006
Hi, please run HJT again, and check off the following items


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,winusmx.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

O20 - Winlogon Notify: URL - C:\WINNT\system32\mdidlpm.dll (file missing)

O23 - Service: Microsoft Windows Driver Service (Windows Driver Service) - Unknown owner - C:\WINNT\devldr32.exe



**Read here about devldr32.exe. Because you said it seems to be the rpoblem, I tink it may be the virus form of it, though it can be a legit sound card driver.**

Click Fix Checked.

___________________________________________________

We need to remove a NT Service

Do the following:
  • Start -> Run
    *type services.msc
    *click OK
The Services Management Console opens - do the following:
  • Click the Extended tab.
    *Scroll down until you find Microsoft Windows Driver Service (Windows Driver Service)
    *Click on the service to highlight it.
    *Click Stop
    *Right-Click on Microsoft Windows Driver Service (Windows Driver Service) .
    *Click on 'Properties'
    *Select the 'General' tab
    *Click the down-arrow on the right-hand side on the 'Start-up Type' box
    *From the drop-down menu, select ' Disabled'
    *Click the 'Apply' tab
    *Click 'OK'
Now:[list=type]Open HJT
*Click on Config>>Misc Tools>>Delete an NT Service
*Type Microsoft Windows Driver Service (Windows Driver Service) in the space provided and click 'OK'.
*The program will ask you to REBOOT --- Accept
*Attach another HijackThis log[/ list]
___________________________________________________



Please download ewido anti-malware it is a free version of the program.
  1. Install ewido anti-malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful" )
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Open up Ewido
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
  • Close ewido anti-malware.

Reboot.

____________________________________________________

Follow instructions here now. To remove Qoologic.

http://forums.majorgeeks.com/showthread.php?t=74268

_____________________________________________________

Post a new HJT log, and teh ewido log
Firefox
Ewido
Tune up windows
Get detailed system information
My Fixes

Member - Alliance of Security Analysis Professionals - Since 2006
Reply With Quote  
Join Date: Mar 2006
Posts: 13
Reputation: bearpunk is an unknown quantity at this point 
Rep Power: 3
Solved Threads: 0
bearpunk bearpunk is offline Offline
Newbie Poster

Re: recurring spyware/virus problem.. girls.exe etc...

  #3  
May 23rd, 2006
okay here's the first pre-ewido hijack this log.. i clicked on fix the insightbb.com thing (the first r1):

Logfile of HijackThis v1.99.1
Scan saved at 11:20:24 PM, on 5/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

ewido and 2nd HJT to follow.
thanks for the help!
Reply With Quote  
Join Date: Dec 2003
Location: Marin County, CA
Posts: 6,439
Reputation: DMR will become famous soon enough DMR will become famous soon enough 
Rep Power: 18
Solved Threads: 339
Colleague
DMR's Avatar
DMR DMR is offline Offline
Wombat At Large

Re: recurring spyware/virus problem.. girls.exe etc...

  #4  
May 24th, 2006
That's good so far (don't worry about the insightbb entries; they're related to your ISP). Please follow through with the rest of tayspen's instructions and then post the ewido log and new HJT log after that.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing

Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Reply With Quote  
Join Date: Mar 2006
Posts: 13
Reputation: bearpunk is an unknown quantity at this point 
Rep Power: 3
Solved Threads: 0
bearpunk bearpunk is offline Offline
Newbie Poster

Re: recurring spyware/virus problem.. girls.exe etc...

  #5  
May 24th, 2006
okay here's ewido and here's HJT:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:53:09 PM, 5/23/2006
+ Report-Checksum: 1DCE5626

+ Scan result:

C:\Documents and Settings\Default User\Cookies\system@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup


::Report End


and hjt:

Logfile of HijackThis v1.99.1
Scan saved at 3:19:23 AM, on 5/24/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



with the three fixes i ran from that link, i only ended up deleting two files... am i wrong in thinking the dates on files are a giveaway? like if something that spyware programs like ewido or spysweeper find was "created on" any date in may 2006 i think it must be bogus and delete it. but if it was "created on" any date like 02/1999 i think it's legit? is that dumb?

anyhow thanks again.
Reply With Quote  
Join Date: Dec 2003
Location: Marin County, CA
Posts: 6,439
Reputation: DMR will become famous soon enough DMR will become famous soon enough 
Rep Power: 18
Solved Threads: 339
Colleague
DMR's Avatar
DMR DMR is offline Offline
Wombat At Large

Re: recurring spyware/virus problem.. girls.exe etc...

  #6  
May 24th, 2006
Originally Posted by bearpunk
am i wrong in thinking the dates on files are a giveaway?...
Dates can be a clue, but you shouldn't go by that alone. The operating system and your programs will create or modify different files as part of their normal operation, so the fact that a file was modified/created on a date that you didn't manipulate any files isn't an absolute indication that the file is malware-related.

Some other fators that can help you determine whether a file is malicious or not:

* The exact time of creation/modification. If you find a clump of files whose timestamps (as well as datestamps) are identical or very close, chances are good that the files were created/modified by the same process.

* No identifying information (version #, company name, etc.) in a file's properties pages. Such "anonymous" files are always worth looking into.

* Random or "garbage" filenames. For instance, common sense should indicate that a file named "11Fßä#·ºÄÖ`I" just might be malicious.

* Files whose names are almost identical to normal/legit files: scvhost.exe instead of svchost.exe, for example.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing

Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Reply With Quote  
Join Date: Dec 2003
Location: Marin County, CA
Posts: 6,439
Reputation: DMR will become famous soon enough DMR will become famous soon enough 
Rep Power: 18
Solved Threads: 339
Colleague
DMR's Avatar
DMR DMR is offline Offline
Wombat At Large

Re: recurring spyware/virus problem.. girls.exe etc...

  #7  
May 24th, 2006
By the way- your HJT log is clean, and ewido seems to have nothing aside from cookies. Are you seeing any indications of possibly lingering infections, or do things seem back to normal now?
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing

Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Reply With Quote  
Join Date: Mar 2006
Posts: 13
Reputation: bearpunk is an unknown quantity at this point 
Rep Power: 3
Solved Threads: 0
bearpunk bearpunk is offline Offline
Newbie Poster

Re: recurring spyware/virus problem.. girls.exe etc...

  #8  
May 24th, 2006
yeah everything seems okay but i'll check back in a few days to make sure it's still clean...

thanks for answering all of those questions and giving me pointers. i'm trying to learn about everything so i don't just have to get a program to do it all for me but windows can be difficult with the hidden files, program files, registry stuff...

any last ideas on how i was getting the same things over and over? was it one lingering file (dvldr32 or whatever) that kept sprouting new ones? or am i doing something dumb?

anyhow, like i said, thanks tons and i'll check back in here in a day or two...
Reply With Quote  
Join Date: Dec 2003
Location: Marin County, CA
Posts: 6,439
Reputation: DMR will become famous soon enough DMR will become famous soon enough 
Rep Power: 18
Solved Threads: 339
Colleague
DMR's Avatar
DMR DMR is offline Offline
Wombat At Large

Re: recurring spyware/virus problem.. girls.exe etc...

  #9  
May 24th, 2006
Originally Posted by bearpunk
i'm trying to learn about everything so i don't just have to get a program to do it all for me but windows can be difficult with the hidden files, program files, registry stuff...
Yes, and those reasons are why we actually prefer to avoid the "manual" removal approach unless as a last resort. The automated anti-malware programs know where to look for the hidden components of the infections and are programmed to safely remove them. Performing malware removal "by hand" can, in the worst case, lead to making some incorrect "fix" which wrecks your computer. At the very least, manual removal quite often leaves some remnants of the infections lurking in your system.

Originally Posted by bearpunk
any last ideas on how i was getting the same things over and over? was it one lingering file (dvldr32 or whatever) that kept sprouting new ones? or am i doing something dumb?
That particular infection, like many others, installs other infected files which may/can "respawn" the full infection. The devldr32.exe file is a component of a netwrok worm, so you could also have been reinfected by another (also infected) remote computer.
Since the worm's infection method includes attempting to gain access to computers using well-known ("weak") passwords, one primary way to lessen the chances of reinfection is to use "strong" (8 random characters or more, mixed upper/lower case, mixed letters/punctuation symbols, etc.) passwords on your user accounts, your router or modem, and any other place where passwords are an option.
Many worms, including this one, also attempt to connect to and infect remote machines via certain network ports, so closing all unused ports on your system is recommended. Ports can be blocked by hardware devices such as routers, or by firewall software installed on your computer; having at least one of those protections in place is recommended. Unused ports can also be closed by turning off the Windows Services which use those ports.
The definitive site for information on Windows Services configuration is unfortunately down, but a mirror of its contents can be found here.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing

Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Reply With Quote  
Reply

Only community members can participate in forum threads. You must register or log in to contribute.

Register
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

 

DaniWeb Viruses, Spyware and other Nasties Marketplace
Thread Tools Display Modes
Linear Mode Linear Mode

adware antivirus apple complete information defender email exploit fix fraction funny gaming girls gmail google hidden files how ipod kaspersky legal malware mcafee microsoft mobile new folder new viruses news nhatquanglan onecare phone reliability remove report satnav search second security software solve spyware ssvichosst survey svchost taskmanager trends trojan video games virus viruses vista windows
Similar Threads
Other Threads in the Viruses, Spyware and other Nasties Forum

Advertising Opportunities on DaniWeb
Contact Us - Newsletter Archive - Sitemap - Privacy Statement
All times are GMT -4. The time now is 7:28 am.
Forum system based on vBulletin Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
©2003 - 2008 DaniWeb® LLC