No announcement yet.

devils spyware/virus

  • Filter
  • Time
  • Show
Clear All
new posts

    devils spyware/virus

    my comp has been acting really weird last couple of hours:

    -cpu usage has increased
    -backgroud image dissapeared
    -instead of background there this this hyperlink giving me a warning that there s alot of spyware etc and I should buy antispyware programme.

    I cant seem to remove it

    I cant change the background image either. If I select a new background image the background goes blank.

    tried the following:

    2 different types of virus scanners. found nothing
    ad aware + hitmanpro + spyware blaster, spybot scanned several times but no luck
    hijackthis and removed files in save mode but still no good

    Every 30-40 minutes mcAfee blocks an infected file.

    If I click on the hyperlink I get the following:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    ***** This file is automatically generated by Microsoft Windows *****
    <**** **********=Content-Type content="text/html; charset=windows-1252"></HEAD>
    style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none"
    bottomMargin=0 bgColor=#004e98 leftMargin=0 background="" topMargin=0
    style="LEFT: 0px; WIDTH: 1280px; POSITION: absolute; TOP: 0px; HEIGHT: 1024px"><IMG
    style="LEFT: 0px; WIDTH: 100%; POSITION: absolute; TOP: 0px; HEIGHT: 100%" cache
    </DIV><IFRAME id=0
    style="BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 1280px; POSITION: absolute; TOP: 1px; HEIGHT: 993px"
    name=DeskMovrW marginWidth=0 marginHeight=0
    src="file:///C:/WINDOWS/Web/desktop.html" frameBorder=0 scrolling=no
    subscribed_url="C:\WINDOWS\Web\desktop.html" resizeable=""> </IFRAME>
    <OBJECT id=ActiveDesktopMover
    style="LEFT: 0px; VISIBILITY: hidden; WIDTH: 0px; POSITION: absolute; TOP: 0px; HEIGHT: 0px; container: positioned; zIndex: 5"
    <OBJECT id=ActiveDesktopMoverW
    style="Z-INDEX: -1; LEFT: -1px; VISIBILITY: hidden; WIDTH: 1282px; POSITION: absolute; TOP: 0px; HEIGHT: 995px; container: positioned"

    I havent altered anything.

    Hijack this logg:

    Running processes:
    C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\yaqub\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\\agent\mcagent.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [nWpTnNEE.exe] C:\WINDOWS\system32\nWpTnNEE.exe
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
    O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -
    O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} -
    O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) -
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) -
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} -
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} ( Operating System Class) -
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
    O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} -
    O16 - DPF: {6785FBC7-13AD-4F28-8FB3-1AEA411C03A5} (GSAG.GSAudioControl) -
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) -
    O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
    O23 - Service: McShield (McShield) - Unknown owner - c:\PROGRA~1\\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\\Agent\mcupdmgr.exe
    O23 - Service: VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\\vso\mcvsrte.exe
    O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

    yeah WToolsS.exe is missing. I fixed that but it seems its missing again
    There is a new icon on the taskbar warning that my computer is at risk and I should buy antispyware stuff

    so any ideas guys?
    I m a novice
    There is no salvation for the soul, But to fall in Love.
    It has to creep and crawl, Among the Lovers first.

    Imam Jallal-u-Din Rumi

    Re: devils spyware/virus

    please guys

    cant anyone help me out here?

    the virus that gets downloaded is: Downloader-YN.dll
    There is no salvation for the soul, But to fall in Love.
    It has to creep and crawl, Among the Lovers first.

    Imam Jallal-u-Din Rumi


      Re: devils spyware/virus

      dunno about the specific trojan - sure seems like a desktop hijacker, but here are a couple of ideas:

      1. did you try disabling system restore before attempting to fix the problem? make sure you do so cuz otherwise, the infected files might be restored everytime you boot your computer.

      2. check your windows/system32 folder for new files that have been created in the last day or so to get an idea of what to remove (in case a manual removal is warranted).

      3. check the services by running services.msc for any anomalies. Typically there are Run services which invoke a malicious batch or an exe file on system startup.
      For reason, ruling alone, is a force confining - and passion, unattended, is a flame that burns to its own destruction - Khalil Gibran


        Re: devils spyware/virus

        DP, I hope this is not the admin account. Create a new user account and login to that account and see if it works ok. If it does dump this account and delete the infected account's profile folder. If it doesn't work and/or this is the admin account then I would suggest doing a backup of important docs and reinstalling the whole computer, format the whole drive first.

        I posted an article about rootkits a few weeks back, them being the new potential "viruses". Usually they would not get on your computer, but are installed by some one. But I don't know who uses your PC, plus I'm not privvy to the newest virus technologies out there, so who knows...
        Last edited by TofiBaba; May 10, 2005, 08:04 AM.
        An Android a day keeps the Apple away!


          Re: devils spyware/virus

          You should buy antispyware stuff!


            Re: devils spyware/virus

            Umar: I will try again after turning system restore
            I deleted several files from system32 but somehow the files return. I ll try again.

            TB: yeah unfortuntaly its the admins account. I will have one more go at it and if it wont work I ll format the HD after saving data.

            Sh3rY: why buy anything from a company that promotes its stuff in this way?
            besides that there are plenty good FREE alternatives
            There is no more pleasant food for the soul than the knowledge of truth. - Lactantius


              Re: devils spyware/virus

              thanks for nothing u no good helpers

              I figured it out, I ran XP in save mode again. Threw, McAfee, Symantec and Kasper antivirus on it
              Deleted some files from system32 and several register keys.

              Found 9 trojans :halo:
              There is no salvation for the soul, But to fall in Love.
              It has to creep and crawl, Among the Lovers first.

              Imam Jallal-u-Din Rumi


                Re: devils spyware/virus

                ^ LOL DP yaar thats what you should have done in the first place before running hijackthis. Always try and scan your entire drive with the antivirus first. Good that you got rid of the trojans
                I am only responsible for what I say, not for what you understand.


                  Re: devils spyware/virus

                  dp's post has tooo much potential *hint* for 5abi and TB