ComputerForum.com - Computer Security
Thread: a little help

#1 - foxtrot - 03-11-2006, 10:20 PM

My girlfriend's computer has some virus and I need some help. Every time she gets on the internet, pop-ups about her registry start popping up every 5 seconds. I have already run Ad-Aware and Spybot; it hasn't helped. I have also reinstalled the OS and it just keeps on messing up. So here goes my HJT log, hope someone can help. Thanks
Logfile of HijackThis v1.99.1
Scan saved at 4:16:40 PM, on 3/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\mfs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\SYSADWARE.EXE
C:\WINDOWS\System32\iexplorersis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Incroporate] mfs.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winsock2 driver] SYSADWARE.EXE
O4 - HKLM\..\Run: [Microsoft Machine Script] iexplorersis.exe
O4 - HKLM\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKLM\..\RunServices: [Microsoft Incroporate] mfs.exe
O4 - HKLM\..\RunServices: [Microsoft Machine Script] iexplorersis.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] SYSADWARE.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


#2 - Buzz1927 - 03-11-2006, 10:55 PM

Run HijackThis, select "Do a system scan only", and place a check by the following entries.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Microsoft Incroporate] mfs.exe
O4 - HKLM\..\Run: [Winsock2 driver] SYSADWARE.EXE
O4 - HKLM\..\Run: [Microsoft Machine Script] iexplorersis.exe
O4 - HKLM\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKLM\..\RunServices: [Microsoft Incroporate] mfs.exe
O4 - HKLM\..\RunServices: [Microsoft Machine Script] iexplorersis.exe
O4 - HKCU\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] SYSADWARE.EXE


Close all open windows and browsers, and hit "Fix Checked".

Delete these files.

C:\WINDOWS\System32\mfs.exe
C:\WINDOWS\System32\SYSADWARE.EXE
C:\WINDOWS\System32\iexplorersis.exe

Find and delete this file.

NeroFil.EXE

Reboot and post a new Hijackthis log, and say how things are now.

#3 - Clutch - 03-11-2006, 11:13 PM

When you "reinstalled the OS", did you just reinstall? Or format then reinstall?

#4 - Buzz1927 - 03-11-2006, 11:24 PM

Quote:
Originally Posted by Clutch
When you "reinstalled the OS", did you just reinstall? Or format then reinstall?
As all the crap is still there, I'd say they just reinstalled.

#5 - Clutch - 03-11-2006, 11:29 PM

Quote:
Originally Posted by Buzz1927
As all the crap is still there, I'd say they just reinstalled.
Well, what I was thinking is that the virus could have lodged itself in a hidden boot sector, which then could have reinfected his new Windows installation.

But other than that, just reinstalling Windows won't help.

#6 - Buzz1927 - 03-11-2006, 11:51 PM

Quote:
Well, what I was thinking is that the virus could have lodged itself in a hidden boot sector
Which virus?

#7 - foxtrot - 03-12-2006, 10:49 PM

Nothing has changed. But I couldn't find:

C:\WINDOWS\System32\mfs.exe
C:\WINDOWS\System32\SYSADWARE.EXE
C:\WINDOWS\System32\iexplorersis.exe
NeroFil.EXE

Maybe I was searching for them wrong, but anyway, here goes my new log.

Logfile of HijackThis v1.99.1
Scan saved at 4:47:53 PM, on 3/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{805B22CC-31FD-4D6C-B6D9-B375FAE35D49}: NameServer = 69.43.32.27 66.118.64.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
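Added example, not from the thread and not part of HijackThis: a small Python script that applies the checks Buzz1927 applied by hand in post #2 (bare file names instead of full paths, entries under the Win9x-era RunServices key) to the first log, then diffs the first log against the second one above. The sample lines are constructed excerpts of the two logs posted in this thread; the function and constant names are this example's own. The O17 line in the second log lists the DNS servers the TCP/IP stack is configured to use, so the script flags it for review only: whether 69.43.32.27 and 66.118.64.1 belong to the ISP is not established anywhere in the thread.

```python
"""Triage helper for HijackThis v1.99 logs: flag autostart entries worth a
second look and diff two logs from the same machine (added example for this
thread; the heuristics are the ones volunteers apply by hand)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed excerpts of the two logs posted above (before and after the
# fixes from post #2).  Only the lines relevant to the diff are reproduced.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Incroporate] mfs.exe
O4 - HKLM\..\Run: [Winsock2 driver] SYSADWARE.EXE
O4 - HKLM\..\Run: [Microsoft Machine Script] iexplorersis.exe
O4 - HKLM\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] SYSADWARE.EXE
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{805B22CC-31FD-4D6C-B6D9-B375FAE35D49}: NameServer = 69.43.32.27 66.118.64.1
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# HJT entry lines look like "O4 - <body>"; O4 bodies look like
# "HKLM\..\Run: [Name] command".  Process-list and header lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_hjt(text: str) -> List[Entry]:
    """Return the O/R/F/N entries of a log, skipping the process list and header."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def _exe_path(cmd: str) -> str:
    """First token of a Run value, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def flag_entry(e: Entry) -> List[str]:
    """Heuristic reasons an entry deserves review; an empty list means nothing odd."""
    reasons = []
    if e.section == "O4":
        m = O4_RE.match(e.body)
        if m:
            if "\\" not in _exe_path(m.group("cmd")):
                # A bare name is resolved by PATH search at logon; legitimate
                # installers almost always write a full path.
                reasons.append("bare filename, no path")
            if m.group("key") == "RunServices":
                # RunServices is a Windows 9x/ME key; on NT-family systems such
                # as XP it is written mainly by malware for 9x compatibility.
                reasons.append("RunServices key on an NT-family system")
    elif e.section == "O17":
        # O17 shows the configured DNS servers; confirm them against the ISP
        # or the DHCP lease before trusting them.
        reasons.append("DNS servers set explicitly; verify they belong to the ISP")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to the reasons it was flagged."""
    result = {}
    for e in parse_hjt(text):
        reasons = flag_entry(e)
        if reasons:
            result[e.line()] = reasons
    return result


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(removed, added) entry lines between two logs of the same machine."""
    b = {e.line() for e in parse_hjt(before)}
    a = {e.line() for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for line, why in triage(LOG_BEFORE).items():
        print(f"{line}\n    -> {'; '.join(why)}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
```

Run against the two excerpts, the triage step flags exactly the five O4 entries Buzz1927 listed (all bare file names, the NeroFil one also under RunServices) and leaves ccApp alone; the diff shows those five gone from the second log and the O17 NameServer line as the only new entry, which is the item the thread never came back to.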

#8 - Buzz1927 - 03-12-2006, 11:03 PM

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Restart your computer, and then please copy and paste the SpySweeper log into this thread.

#9 - foxtrot - 03-13-2006, 01:39 PM

So far it's been working fine, but I haven't been on the internet very long. Here is the session log.

********
6:19 PM: | Start of Session, Sunday, March 12, 2006 |
6:19 PM: Spy Sweeper started
6:19 PM: Sweep initiated using definitions version 630
6:19 PM: Starting Memory Sweep
6:22 PM: Memory Sweep Complete, Elapsed Time: 00:03:20
6:22 PM: Starting Registry Sweep
6:22 PM: Registry Sweep Complete, Elapsed Time:00:00:28
6:22 PM: Starting Cookie Sweep
6:22 PM: Found Spy Cookie: websponsors cookie
6:22 PM: owner@a.websponsors[2].txt (ID = 3665)
6:22 PM: Found Spy Cookie: about cookie
6:22 PM: owner@about[1].txt (ID = 2037)
6:22 PM: Found Spy Cookie: yieldmanager cookie
6:22 PM: owner@ad.yieldmanager[1].txt (ID = 3751)
6:22 PM: Found Spy Cookie: adecn cookie
6:22 PM: owner@adecn[1].txt (ID = 2063)
6:22 PM: Found Spy Cookie: adknowledge cookie
6:22 PM: owner@adknowledge[1].txt (ID = 2072)
6:22 PM: Found Spy Cookie: hbmediapro cookie
6:22 PM: owner@adopt.hbmediapro[2].txt (ID = 2768)
6:22 PM: Found Spy Cookie: specificclick.com cookie
6:22 PM: owner@adopt.specificclick[1].txt (ID = 3400)
6:22 PM: Found Spy Cookie: ask cookie
6:22 PM: owner@ask[1].txt (ID = 2245)
6:22 PM: Found Spy Cookie: belnk cookie
6:22 PM: owner@ath.belnk[1].txt (ID = 2293)
6:22 PM: Found Spy Cookie: atwola cookie
6:22 PM: owner@atwola[2].txt (ID = 2255)
6:22 PM: Found Spy Cookie: banner cookie
6:22 PM: owner@banner[2].txt (ID = 2276)
6:22 PM: owner@belnk[1].txt (ID = 2292)
6:22 PM: Found Spy Cookie: bizrate cookie
6:22 PM: owner@bizrate[1].txt (ID = 2308)
6:22 PM: Found Spy Cookie: burstnet cookie
6:22 PM: owner@burstnet[2].txt (ID = 2336)
6:22 PM: Found Spy Cookie: enhance cookie
6:22 PM: owner@c.enhance[1].txt (ID = 2614)
6:22 PM: Found Spy Cookie: overture cookie
6:22 PM: owner@data2.perf.overture[1].txt (ID = 3106)
6:22 PM: owner@dist.belnk[1].txt (ID = 2293)
6:22 PM: Found Spy Cookie: ru4 cookie
6:22 PM: owner@edge.ru4[1].txt (ID = 3269)
6:22 PM: Found Spy Cookie: 2o7.net cookie
6:22 PM: owner@entrepreneur.122.2o7[1].txt (ID = 1958)
6:22 PM: Found Spy Cookie: go.com cookie
6:22 PM: owner@espn.go[2].txt (ID = 2729)
6:22 PM: owner@go[1].txt (ID = 2728)
6:22 PM: owner@guitar.about[2].txt (ID = 2038)
6:22 PM: Found Spy Cookie: clickandtrack cookie
6:22 PM: owner@hits.clickandtrack[2].txt (ID = 2397)
6:22 PM: Found Spy Cookie: screensavers.com cookie
6:22 PM: owner@i.screensavers[2].txt (ID = 3298)
6:22 PM: Found Spy Cookie: l2m.net cookie
6:22 PM: owner@l2m[1].txt (ID = 2913)
6:22 PM: owner@msnportal.112.2o7[1].txt (ID = 1958)
6:22 PM: Found Spy Cookie: nextag cookie
6:22 PM: owner@nextag[1].txt (ID = 5014)
6:22 PM: owner@rsi.espn.go[1].txt (ID = 2729)
6:22 PM: owner@screensavers[2].txt (ID = 3297)
6:22 PM: Found Spy Cookie: servlet cookie
6:22 PM: owner@servlet[2].txt (ID = 3345)
6:22 PM: owner@sports.espn.go[2].txt (ID = 2729)
6:22 PM: Found Spy Cookie: tacoda cookie
6:22 PM: owner@tacoda[2].txt (ID = 6444)
6:22 PM: Found Spy Cookie: burstbeacon cookie
6:22 PM: owner@www.burstbeacon[2].txt (ID = 2335)
6:22 PM: Cookie Sweep Complete, Elapsed Time: 00:00:03
6:23 PM: Starting File Sweep
6:25 PM: Found Adware: whenu savenow
6:25 PM: vvsninst.exe (ID = 127141)
6:35 PM: File Sweep Complete, Elapsed Time: 00:12:51
6:35 PM: Full Sweep has completed. Elapsed time 00:16:49
6:35 PM: Traces Found: 34
6:36 PM: Removal process initiated
6:36 PM: Quarantining All Traces: 2o7.net cookie
6:36 PM: Quarantining All Traces: about cookie
6:36 PM: Quarantining All Traces: adecn cookie
6:36 PM: Quarantining All Traces: adknowledge cookie
6:36 PM: Quarantining All Traces: ask cookie
6:36 PM: Quarantining All Traces: atwola cookie
6:36 PM: Quarantining All Traces: banner cookie
6:36 PM: Quarantining All Traces: belnk cookie
6:36 PM: Quarantining All Traces: bizrate cookie
6:36 PM: Quarantining All Traces: burstbeacon cookie
6:36 PM: Quarantining All Traces: burstnet cookie
6:36 PM: Quarantining All Traces: clickandtrack cookie
6:36 PM: Quarantining All Traces: enhance cookie
6:36 PM: Quarantining All Traces: go.com cookie
6:36 PM: Quarantining All Traces: hbmediapro cookie
6:36 PM: Quarantining All Traces: l2m.net cookie
6:36 PM: Quarantining All Traces: nextag cookie
6:36 PM: Quarantining All Traces: overture cookie
6:36 PM: Quarantining All Traces: ru4 cookie
6:36 PM: Quarantining All Traces: screensavers.com cookie
6:36 PM: Quarantining All Traces: servlet cookie
6:36 PM: Quarantining All Traces: specificclick.com cookie
6:36 PM: Quarantining All Traces: tacoda cookie
6:36 PM: Quarantining All Traces: websponsors cookie
6:36 PM: Quarantining All Traces: whenu savenow
6:36 PM: Quarantining All Traces: yieldmanager cookie
6:36 PM: Removal process completed. Elapsed time 00:00:09
********
6:04 PM: | Start of Session, Sunday, March 12, 2006 |
6:04 PM: Spy Sweeper started
6:04 PM: Messenger service has been disabled.
6:15 PM: Your spyware definitions have been updated.
6:19 PM: | End of Session, Sunday, March 12, 2006 |


Thanks for the help

All times are GMT +1.