A virus

jackhammer_bob

New Member
I downloaded a program, a virus, that keeps launching iexplorer over and over again to try to connect to shredder.no-ip.info [217.82.67.67] using remote port 1472, even after I killed the process with Ctrl+Alt+Del. I set my firewall to ask me whenever something is trying to connect to the internet, including IE, so I am able to stop it for now. Any suggestions on getting rid of this virus? I have cleared regedit, Software, Microsoft, Current Version, Run in both Local Machine and Current User. Any suggestion would be greatly appreciated. Scanned with Ad-Aware 6 and Spybot 1.6, latest versions. Nothing came up.
 

jackhammer_bob

New Member
I just ran HijackThis on my computer; here is the log:

http://mars.walagata.com/w/onemanarmyisback/hijackthis.log

Logfile of HijackThis v1.95.1
Scan saved at 5:15:28 PM, on 9/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
c:\program files\internet explorer\iexplore.exe
C:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [winset16] C:\WINDOWS\System32\winset32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [winset16] C:\WINDOWS\System32\winset32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093042065328
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38119.7417361111
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://172.16.224.10:8080/registration/cni-cat/CNICAT.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
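The O4 lines in a HijackThis log are the Run-key autostarts, and the log above shows the same value name (winset16) registered under both HKLM and HKCU, pointing at an executable in System32 that is not part of the operating system, which is exactly the kind of entry the poster was trying to clear by hand. The following is an added example, not code from the thread or from HijackThis, that parses O4 lines in this format and flags entries worth reviewing. The sample log text is copied from the post above; the two heuristics and the tiny System32 baseline (ctfmon.exe and rundll32.exe) are constructed for illustration, not a real allowlist.

```python
import re
from collections import defaultdict

# Constructed sample: the O4 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [winset16] C:\WINDOWS\System32\winset32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [winset16] C:\WINDOWS\System32\winset32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HK[LC][MU])\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")

# First .exe on the command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(.*?\.exe)\b', re.IGNORECASE)

# Deliberately tiny, constructed baseline of OS binaries that legitimately
# autostart from System32 on this box; a real review would use a proper list.
SYSTEM32_BASELINE = {"ctfmon.exe", "rundll32.exe"}


def executable_of(command):
    """Return the lower-cased executable path from a Run-key command line."""
    m = EXE_RE.match(command.strip())
    return m.group(1).lower() if m else command.strip().lower()


def parse_o4(log_text):
    """Parse every O4 Run-key line into a dict; non-O4 lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        entries.append({
            "hive": hive,
            "key": key,
            "name": name,
            "command": command,
            "exe": executable_of(command),
        })
    return entries


def review_run_entries(entries):
    """Map 'HIVE:valuename' to a list of reasons the entry deserves a look."""
    findings = defaultdict(list)

    # Which hives each value name appears under.
    hives_by_name = defaultdict(set)
    for e in entries:
        hives_by_name[e["name"].lower()].add(e["hive"])

    for e in entries:
        key = f'{e["hive"]}:{e["name"]}'
        # Heuristic 1: the same name registered in both per-machine and
        # per-user Run keys, so clearing one hive alone does not remove it.
        if len(hives_by_name[e["name"].lower()]) > 1:
            findings[key].append("same value name in both HKLM and HKCU Run")
        # Heuristic 2: a binary living directly in System32 that is not a
        # known OS component; legitimate software rarely installs there.
        exe = e["exe"]
        base = exe.rsplit("\\", 1)[-1]
        if "\\system32\\" in exe and base not in SYSTEM32_BASELINE:
            findings[key].append(f"runs {base} from System32, not in OS baseline")
    return dict(findings)


if __name__ == "__main__":
    for entry, reasons in review_run_entries(parse_o4(SAMPLE_LOG)).items():
        print(entry)
        for r in reasons:
            print("   -", r)
```

Run against the sample, only the two winset16 entries are reported, each for both reasons; the McAfee, Sygate, NVIDIA and ctfmon entries pass. The point of heuristic 1 is the one the thread illustrates: an autostart duplicated across HKLM and HKCU survives a manual cleanup of a single hive, so both keys (and the file they point at) need to be checked together.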
 

EMO-TOCROSS

New Member
First, go to www.mozilla.org and download the Firefox beta, and use that as your browser. Then delete Internet Explorer if you can, I think. Go to Control Panel, Remove Programs, and scroll down for Internet Explorer. If it's there, click Uninstall. Then go to www.zonelabs.com (using the Firefox you downloaded) (if that doesn't work, go to Google, search for Zone Alarm and go to the company's site) and download the trial of the latest Zone Alarm software. It has a virus scanner/deleter. Use that and scan for the virus; it should find it and delete it. This is what I would do. Let me know the results.
 

jackhammer_bob

New Member
I did that; the virus scan caught 2 viruses. I uninstalled ZoneAlarm though, because I had tried it before and it slowed down my connection through IE severely for reasons unknown. Thanks for your help. For the time being, iexplorer.exe isn't restarting itself every 5 seconds trying to access the internet at that no-ip address I posted before. Thanks.

I was planning to switch to Mozilla soon anyway; I guess now is the time :). Thanks again.
 

Praetor

Administrator
Staff member
C:\Program Files\Sygate\SPF\smc.exe
Nice choice

first. go to www.mozilla.org and download the firefox beta. and use that as your browser. than, delete internet explorer if you can
Sigh. Let's FIX the problem first rather than work around it.

Than, Go to www.zonelabs.com(using the firefox you downloaded) (if doesnt work, go to google and search zone alarm and go to the companies site
Bad call:
1. ZoneAlarm sucks donkey nutz :p
2. He's got Sygate :)

i uninstalled zonealarm though because I had tried it before and it slowed down my connection through ie severely for reasons unknown
I dunno about slow-downs but you're perfectly fine with SPF :)

i was planning to switch to mozilla soon anyway, I guess now is the time :). thanks again.
Switching the browser won't stop the service from activating, and even if you uninstall IE it's going to be an unnecessary burden on the system.
 

superflysmith

New Member
Don't get rid of IE. Fix your problem. I do use Firefox more than IE, but some sites don't work correctly or at all without IE.
 

EMO-TOCROSS

New Member
Bad call:
1. ZoneAlarm sucks donkey nutz

Why does Zone Alarm suck donkey nutz? I have had the full Pro version of Zone Alarm Suite 5.0 and I love it. My internet doesn't slow down; I don't know what's wrong with it there, jackhammer. It blocks what needs to be blocked, and asks me about everything so I have complete control over everything. The anti-virus part of it works great, just as good as the old Anti-Virus and Internet Security 2003 I had on my computer. Praetor, I think you need to have the full version of it and need to know how to run it, and it works fine. Therefore it doesn't suck much donkey nutz :p .

Sigh. Lets FIX the problem first rather than workaround it.

I'm not having him avoid it. The reason I wanted him to do that is so that he can avoid using IE so much while trying to fix this, because the last thing you want is for more to get infected. So I just thought he could use Mozilla Firefox while fixing it, to help decrease the chances of making things worse.

Don't get rid of IE. Fix your problem. I do use firefox more than IE but, some sites don't work correctly or at all without IE.
Most main sites do, except for the little cheaply done websites, and even those are starting to work now. You just need to install the right plug-ins.

Just my thoughts :rolleyes: :rolleyes:
 

Praetor

Administrator
Staff member
Why does Zone Alarm suck donkey nutz? I have had the full pro version of Zone Alarm Suite 5.0 and I love it.
Because once you've tried a "real" firewall (no offense intended, really), you'll see all the crazy stuff that ZoneAlarm doesn't tell you about :)

The Anti-Virus part of it works great, just as good as the old Anti-Virus and Internet Security 2003's I had on my computer. Praetor, I think you need to have the full version of it and need to know how to run it, and it works fine. Therefor it doesnt suck much donkey nuts
LOL, I class NIS and NPF in the same category as ZA :p Sygate, Kerio and Agnitum have some niiiice firewalls :) (of course the downside is management) ... give it a whirl sometime and see all the stuff you're missin' :)
 

EMO-TOCROSS

New Member
Okay, so I downloaded the trial for Sygate. Or should I say Hellgate. WTF!!! I downloaded the trial, installed it, and it asked to restart the computer. Obviously, I restart the computer; once it got to my login part to enter my password, it automatically shut down and rebooted, and repeats this and doesn't stop until I unplug it!!! I'm on my brother's computer, and I'm going insane. I have a few papers to write tonight and one of them is saved on the computer and now I can't EFFING GET ON THE COMPUTER!!! WHAT'S GOING ON, HELP ME, I'M GONNA DIE!! lol, but seriously I'm freaking out. What's happening? What do I need to do?
 

Praetor

Administrator
Staff member
LOL, Sygate requires a lot of.... preparation (and I also find it too ... "weird" ... although I am running it on my W2K3 box) .. to be honest .. I've got no idea. Sounds like a software conflict ... but could be anything. Just uninstall it and stick with ZoneAlarm :p (btw, you did uninstall ZA before installing SPF, right?)
 

EMO-TOCROSS

New Member
Yeah, I uninstalled Zone Alarm. I tried everything; right when it gets to the login part of Windows XP, it shuts down and restarts. I had two essays to write and a bundle of online assignments for school. And I was overwhelmed and did something I seriously regret. I tried going in in Safe Mode, in the XP command prompt mode, changed settings in the BIOS, even the restart-on-power-failure setting which I hoped was the problem. Nothing, nothing worked. So what did I do with so much on my head that I needed to do? I formatted my computer. Yes, with 65 GB on the hard drive, and not 1 GB of backup. I lost 18 games, over two dozen programs I got myself, probably about 10 movies, 3,000 songs, and tons of other little things like my class folders and saved homework and saved information. It's too bad I had to come to such a quick conclusion... Now when I get out of school I need to install ALL the drivers again... grrr...
 

EMO-TOCROSS

New Member
Yeah, oh well. You learn from mistakes, right? I needed a format anyway; I had way too much crap on the disk. There are just some valuable things I lost. Other than that, oh well, at least I learned something new from it, which is formatting from the XP command prompt. :) It was cool ;) . It looked Matrix-style and stuff. Very cool. :)