Limewire killed the PC

123456
01-18-2005, 08:55 PM
My sister's Dell 8200 has sloped. It has 512MB RAM, P4 2.4GHz, and an 80GB hdd, XP Pro. Limewire put so much spyware on it.
So we came home, she sees, "Only 10.2 mb left on your disk C." How can that be? Yesterday, it had 56.5gb free!!!
After a few scans with hijack this, adaware, and Spybot, it still doesn't do much. The add/remove program is useless. And she is deleting unnecessary files and now only has 2.2GB.
Should she back up her files on a dvd and format the thingy?
She is reluctant to do this but we're afraid we have no choice.
Limewire has been running for nearly 1 year non-stop.

PrntRhd
01-18-2005, 10:35 PM
123456,
This is one of the instances where you invoke the 2-Hour Rule:
Can you fix it two hours by scanning and removing malware? If you cannot, then back up what you can and format it and reload the OS.

Budfred
01-18-2005, 11:13 PM
I don't believe in the 2 hour rule, so I would fix it... However, it depends on how much you are willing to do.... you are likely to learn a lot in the process...

Either way, dump Limewire and stay away from Kazaa... :eek: :eek:

PrntRhd
01-19-2005, 01:35 AM
Well 123456,
I guess you have received at least two opinions on what to do. Budfred and I agree on the Limewire and Kazaa issues though...too much security baggage comes with both.
:p

123456
01-19-2005, 06:34 PM
oh, we've got a good 4.3 gb free. "That's good enough."
Yeah, dream on. Got rid of limewire, but cannot get rid of damage done by spyware. Keeps coming back.
And I spent 3 hours on it, little recovery

Budfred
01-19-2005, 09:23 PM
If you want to keep working on it run the standard set of cleaning programs and HijackThis... This would be Ad-Aware SE, Spybot, an online virus scan or two, and I would go with the trial version of TrojanHunter too...

To run HJT, extract it to a permanent folder such as one you create like C:\HJT. Close all open windows and browsers and make sure that all programs are enabled if you use msconfig. Run it and Scan, then Save the log. When the log window appears, Right click to Copy it, open your browser and come here to Paste the entire log. Do not make any changes until it is checked since most items are either benign or essential to the computer.

Steve
01-19-2005, 11:32 PM
originally posted by Budfred:
I don't believe in the 2 hour rule,
I'm starting to question the two hour rule myself...and I might have invented it! :eek:

As time has passed, HDDs have increased in size to the point where it really doesn't make sense (for the slightly above average user anyway) to not set up a system of partitions to better utilize all the space available. So why not partition your HDD in a way that makes restoring an image or backup of the C: drive quick and easy. Sylvander has described this on many occasions.

As time has passed, the purveyors of spyware have found ways to make their products more and more resistant to cleaning. It's got to the point where the average (or slightly above average) user needs to spend hours educating himself in ways to prevent and eradicate this growing annoyance. Some popular programs will load your computer with enough malware that you might lose use of your computer for hours, if not days. Or maybe even completely, until you bring it to a tech for cleansing or format and reinstall.

Wouldn't you rather spend those hours and days using your computer, downloading illegal software and music, chatting with your friends, playing the newest games? After all, isn't this what you got the computer for?

Once you get used to the routine, you can restore a clean C: drive in minutes. So...I have rethought the two hour rule and I'm recommending (for those with the know how and proper setup) the thirty minute rule. If you're having problems with malware and it's going to take you more than a half hour to clean it up, learn to set up a system of partitions and backups and get back to using your computer in minutes rather than hours or days.

The thirty minute rule... ;)

123456
01-20-2005, 05:19 PM
dang it, nothing works. Krud. The pc is slower than a 450MHz. It is my sister's, and I barely use it. 4.00gb is what we'll manage with until we are ready to format it. The files must be copied to a disk.

Paul Komski
01-20-2005, 06:39 PM
The files must be copied to a disk.
Well they must be copied somewhere; usb pendrive, cd/dvd, zipdrive, floppy, etc or even to a newly created partition on your hard drive.

Partition Magic or BootIt-NG can resize your current partition downwards by say 2 of the available 4GB and create a new 2GB partition at the end of your HDD. Backup your files onto the new partition and then, when you are ready, format the big partition (taking care to not format your new backup partition) and then clean reinstall if or when you want to do this. Admittedly not as secure as backing up onto removable media but only you can make the value judgement.

123456
01-21-2005, 10:07 PM
Well, my sister won't even LET ME touch the thing

Steve
01-21-2005, 11:47 PM
If you had 56 gigs free one day and only 10MB the next, I'd say there's a good chance that someone has taken over control of the computer. Seeing that it's your sister's computer, there might not be anything you can do about it except give her the information.

It's up to her. I'd pull the plug on it myself and look it over to see what's going on but she might not be interested in that kind of stuff. Zeroing out the HDD and reinstalling is probably the best thing to do at this point but like I said, it's her computer.

Give her the info and let her decide. Once someone has control of the computer, it's going to be used for nothing good. Until you take it off the internet and look it over, you have no way of knowing what's going on.

123456
01-22-2005, 08:11 AM
Oh my god. Thank you so much steve, you just saved us $1,800! I'll keep you posted on what she decides

Paleo Pete
01-22-2005, 08:49 AM
I agree with Steve, I don't know of many ways to lose huge amounts of hard drive space in a few days, so I would do the same thing. Take it off the Internet completely and DO NOT get online again until it's cleaned out.

Run antivirus and trojan scans, Hijack This, do it all in Safe Mode, then do it again...or format and reinstall...but from what I've read so far it looks like either serious virus/spyware/trojan infection or someone has gotten remote access by trojan/backdoor and your sister is no longer in control....

Number one...GET IT OFFLINE...And keep it offline, no Internet at all, until it's fixed. (Except for things like Adaware and antivirus updates...) Once it's fixed, check the resources in Budfred's signature above, I think Whyzman lists them too, and get it set up with some malware protection.

Paul Komski
01-22-2005, 09:22 AM
To be only left with 10mb (which is such a tiny amount on that system) makes me wonder if some iterative process (bad software in a loop, malware, virus) had filled up the disk.

You might get some insight by trying to identify the files in question. You could search for all files using the wildcards *.* or just * but ensure that you include System Folders and Hidden Files and Folders from the Advanced Options. And, most relevantly, choose to search for files modified on or since a specific date. Having sorted them you can then order the list by file type or date or size to help you organise the list and see if any particular patterns emerge; just clicking on the header bar will toggle the order sorted as an ascending or descending list.

And why was $1800 ever likely to be the "cost of repair"?
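Paul's "search for everything modified since a date, then sort by folder, type and size" triage, done as a script. This is an added example in Python, not anything from the thread; the directory tree it scans is constructed inline (a temp folder with one old file and three recently written ones) so it runs anywhere, and the same summarize() works on a real drive root.

```python
import os
import stat
import tempfile
import time
from collections import Counter

WEEK = 7 * 86400


def recent_files(root, since):
    """Yield (path, size, mtime) for regular files under root modified at or
    after `since` (epoch seconds). Symlinks are not followed and unreadable
    entries are skipped, so one locked file does not abort the whole scan."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mtime >= since:
                yield full, st.st_size, st.st_mtime


def summarize(root, since, top=10):
    """Aggregate recently modified files three ways (by folder, by extension,
    by individual size) so a runaway writer shows up as one dominant bucket."""
    by_dir, by_ext, biggest = Counter(), Counter(), []
    for path, size, _mtime in recent_files(root, since):
        by_dir[os.path.dirname(path)] += size
        by_ext[os.path.splitext(path)[1].lower() or "(none)"] += size
        biggest.append((size, path))
    biggest.sort(reverse=True)
    return {"total": sum(by_dir.values()),
            "by_dir": by_dir.most_common(top),
            "by_ext": by_ext.most_common(top),
            "biggest": biggest[:top]}


def build_demo_tree():
    """Constructed stand-in for a disk: one month-old file plus three files
    written in the last hour (the pattern of something filling the drive)."""
    root = tempfile.mkdtemp(prefix="disktriage_")
    now = time.time()
    layout = [("docs/old.doc", 1000, now - 30 * 86400),
              ("temp/a.tmp", 5000, now - 3600),
              ("temp/b.tmp", 3000, now - 1800),
              ("logs/sub/c.log", 100, now - 600)]
    for rel, size, mtime in layout:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)
        os.utime(full, (mtime, mtime))  # back-date so the cutoff filter has something to exclude
    return root


def demo_report():
    """Build the sample tree and report what was written there in the last week."""
    root = build_demo_tree()
    return summarize(root, since=time.time() - WEEK)


if __name__ == "__main__":
    report = demo_report()
    print(f"{report['total']} bytes written in the last week")
    for folder, size in report["by_dir"]:
        print(f"{size:>10}  {folder}")
    for ext, size in report["by_ext"]:
        print(f"{size:>10}  {ext}")
    for size, path in report["biggest"]:
        print(f"{size:>10}  {path}")
```

On a real machine, run it as an administrator against the drive root so hidden and system folders are included, as Paul says the Explorer search must be.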

123456
01-22-2005, 11:26 AM
the $1,800 is what we paid for this system...the hdd is back up at 4.4gb...sister will eat me alive if I disconnect the internet

123456
01-22-2005, 06:28 PM
Okay, I told her she's been hacked. Cool. I told her she can do whatever she wants, but the hacker is putting crap on the computer. The thing has mcafee firewall, auto updates for it.

PrntRhd
01-22-2005, 06:37 PM
123456,
Tell her she has to keep it off the Internet until fixed, otherwise it can be a threat to others including any other PCs in the house. The only thing worse than an infected PC is several infected PCs when it comes to fixing them.
:p

123456
01-22-2005, 07:11 PM
It could damage other pcs in the house? Oh god. Now that's why Dad's been complaining of laptop sluggishness lately!

Paul Komski
01-22-2005, 07:17 PM
Okay, I told her she's been hacked. Cool.

1) Cool ?!?

2) What is the direct evidence that the PC has been hacked?

3) I know that McAfee doesn't always get the best press round here but shouldn't it have provided reasonable protection?

There is for example a long thread at http://www.dslreports.com/forum/remark,9735191~mode=flat~days=9999 which started out looking like malware or a hacker but turned out to be stuff in the recycler! OK - Maybe the PC has loads of crud on it or has been own3d but some evidence by entries in a HJT log or by finding the files taking up the space would be of some diagnostic use rather than speculation.

classicsoftware
01-22-2005, 07:53 PM
Why don't you post a hijack this log here and let us look at it.

You will need to clear out the temporary internet and temp files as best you can. Then empty the recycle bin. Then reboot and see how much space you can clean up.

Then you can download eraser which will really help clean up the disk.

123456
01-22-2005, 08:23 PM
hmmm...recycle bin is empty.
As soon as I can actually gain permission from my sister, I'll post a hijack this log. link for eraser??

classicsoftware
01-22-2005, 08:38 PM
Eraser is a 5.7 mb download. You don't have the room right now. Let's look at the log and empty some temp files first.

I said to empty the recycle bin after you delete the contents of the TIF and Temp folders.

123456
01-22-2005, 09:38 PM
hijack this log
Logfile of HijackThis v1.99.0
Scan saved at 9:36:10 PM, on 1/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ssnvrsaw.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\config\winlogon.exe
C:\windows\system32\4oj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\calc.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135892967&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135892967&id=5.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135892967&id=5.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135892967&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135892967&id=5.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?uid=135892967&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R3 - Default URLSearchHook is missing
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Recommended Hotfix - 421701D\v15\RH.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DA3140E-E861-05E2-D30F-12557CD97235} - C:\WINDOWS\System32\xbcgaw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A9583642-8E84-A201-D513-F91DF36140B9} - C:\WINDOWS\System32\jxtywcs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\tanya\Local Settings\Temp\f2U2.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [zbposcfxr] C:\WINDOWS\System32\ssnvrsaw.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [Service Control Process] C:\WINDOWS\system32\config\winlogon.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\smss.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [4oj] C:\windows\system32\4oj.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.indiapress.org/pfr/tdserver.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Seth
O17 - HKLM\Software\..\Telephony: DomainName = Seth
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Seth
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Seth
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service - Unknown - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Windows User Mode Driver Framework - Unknown - C:\WINDOWS\System32\wdfmgr.exe (file missing)

david eaton
01-23-2005, 03:37 PM
Reboot into safe mode. To access safe mode, see this link (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039)

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sides...35892967&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sides...35892967&id=5.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sides...35892967&id=5.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sides...35892967&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sides...35892967&id=5.0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sides...35892967&id=5.0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=

R3 - Default URLSearchHook is missing

O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Recommended Hotfix - 421701D\v15\RH.DLL
O2 - BHO: (no name) - {3DA3140E-E861-05E2-D30F-12557CD97235} - C:\WINDOWS\System32\xbcgaw.dll
O2 - BHO: (no name) - {A9583642-8E84-A201-D513-F91DF36140B9} - C:\WINDOWS\System32\jxtywcs.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\tanya\Local Settings\Temp\f2U2.dll (file missing)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [zbposcfxr] C:\WINDOWS\System32\ssnvrsaw.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\satmat.exe
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O4 - HKLM\..\Run: [Service Control Process] C:\WINDOWS\system32\config\winlogon.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\smss.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [4oj] C:\windows\system32\4oj.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINDOWS\enhupdt.exe

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O23 - Service: Windows User Mode Driver Framework - Unknown - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Reboot and delete

files
All files in the folder C:\Documents and Settings\tanya\Local Settings\Temp
C:\WINDOWS\System32\ssnvrsaw.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\system32\config\winlogon.exe
C:\WINDOWS\system32\config\smss.exe
C:\WINDOWS\farmmext.exe
C:\windows\system32\4oj.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\enhupdt.exe
C:\WINDOWS\System32\wdfmgr.exe

folders
C:\Program Files\se
C:\Program Files\Ebates_MoeMoneyMaker

These may be hidden files. See HERE (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.
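A heuristic pass over HijackThis entries of the kind david eaton picked out above, as an added example (Python, written for this page; it is not part of the thread and not HijackThis' own logic). The sample lines are a constructed subset of the first log posted here plus Spybot's own BHO, and the rules (system binary names outside \WINDOWS\System32, executables under System32\config, modules loaded from Temp, unnamed BHOs, orphaned entries) are prompts to look an entry up, not verdicts, which is why the Spybot entry is flagged too:

```python
import re
from pathlib import PureWindowsPath

# Core Windows binaries that legitimately live only in \WINDOWS\System32 on XP;
# a copy of one of these anywhere else is a classic disguise.
SYSTEM_BINARIES = {"winlogon.exe", "smss.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "csrss.exe", "spoolsv.exe"}

# HijackThis entry lines start with a section code such as R1, O2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
# First Windows path ending in a loadable module; non-greedy so "Acrobat 6.0" is not cut at ".0".
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|ocx|com)\b", re.IGNORECASE)

# Constructed sample in HijackThis v1.99 format (subset of the thread's first log + Spybot's BHO).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DA3140E-E861-05E2-D30F-12557CD97235} - C:\WINDOWS\System32\xbcgaw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\tanya\Local Settings\Temp\f2U2.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Service Control Process] C:\WINDOWS\system32\config\winlogon.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\smss.exe
O4 - HKLM\..\Run: [4oj] C:\windows\system32\4oj.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
R3 - Default URLSearchHook is missing
"""


def assess_path(path: str) -> list[str]:
    """Heuristic reasons a loaded or auto-started module looks out of place."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = [s.lower() for s in p.parts[1:-1]]  # folders below the drive letter
    reasons = []
    if name in SYSTEM_BINARIES and parent != ["windows", "system32"]:
        reasons.append(f"{p.name} masquerades as a system process outside \\WINDOWS\\System32")
    if "system32" in parent and "config" in parent:
        reasons.append("executable placed under System32\\config")  # that folder holds registry hives
    if "temp" in parent:
        reasons.append("loaded from a Temp folder")
    if parent == ["windows"] and name != "explorer.exe":
        reasons.append("dropped directly in the Windows folder")  # only explorer.exe belongs there on XP
    return reasons


def triage(log_text: str) -> list[dict]:
    """Parse every HijackThis entry line and attach the heuristic findings to it."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank lines
        kind, rest = m.group("kind"), m.group("rest")
        reasons = []
        if "(file missing)" in rest or "(no file)" in rest:
            reasons.append("orphaned entry, target no longer on disk")
        if kind == "O2" and "(no name)" in rest:
            reasons.append("BHO registered without a name")  # look the CLSID up; Spybot's SDHelper is one
        if kind == "R3" and "missing" in rest:
            reasons.append("default URLSearchHook removed (typical of hijackers)")
        pm = PATH_RE.search(rest)
        if pm:
            reasons.extend(assess_path(pm.group(0)))
        findings.append({"kind": kind, "entry": rest, "reasons": reasons})
    return findings


def reasons_for(log_text: str, needle: str) -> list[str]:
    """Reasons attached to the first entry whose text contains needle ([] if none)."""
    for f in triage(log_text):
        if needle in f["entry"]:
            return f["reasons"]
    return []


def flagged(log_text: str) -> dict[str, list[str]]:
    """Entries with at least one finding; the rest still deserve a manual look (e.g. 4oj.exe)."""
    return {f["entry"]: f["reasons"] for f in triage(log_text) if f["reasons"]}


if __name__ == "__main__":
    for entry, reasons in flagged(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("   ->", r)
```

Entries that come back with no reasons (the randomly named 4oj.exe here) are exactly the ones the thread says to have checked before fixing anything.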

123456
01-23-2005, 04:48 PM
new hijt log
Logfile of HijackThis v1.99.0
Scan saved at 4:46:46 PM, on 1/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ssnvrsaw.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\system32\config\winlogon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\calc.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ssnvrsaw] c:\windows\system32\ssnvrsaw.exe
O4 - HKLM\..\Run: [Service Control Process] C:\WINDOWS\system32\config\winlogon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\ezPopStub.exe /UninstPOP2 C:\Program Files\Web Offer
O4 - HKCU\..\RunOnce: [eZstub] C:\WINDOWS\System32\eZstub.exe /Uninstall2 C:\Program Files\eZula
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.indiapress.org/pfr/tdserver.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_4us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Seth
O17 - HKLM\Software\..\Telephony: DomainName = Seth
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Seth
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Seth
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee SpamKiller Server - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service - Unknown - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

david eaton
01-23-2005, 06:22 PM
Two of the entries are still in your log.

Run Hijack this again, and click on Config>Misc tools>Process manager.
In the window, select the following entries, and click on "kill process".

c:\windows\system32\ssnvrsaw.exe
C:\WINDOWS\system32\config\winlogon.exe

Then click the "scan" button, and fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [ssnvrsaw] c:\windows\system32\ssnvrsaw.exe
O4 - HKLM\..\Run: [Service Control Process] C:\WINDOWS\system32\config\winlogon.exe

Reboot and delete

files
c:\windows\system32\ssnvrsaw.exe
C:\WINDOWS\system32\config\winlogon.exe

These may be hidden files. See HERE (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) for how to show hidden files.

Please post a followup Hijack this log, and say if your problems persist.

Budfred
01-23-2005, 07:13 PM
These also need to be fixed with HJT:

O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZServ.dll
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\System32\ezPopStub.exe /UninstPOP2 C:\Program Files\Web Offer
O4 - HKCU\..\RunOnce: [eZstub] C:\WINDOWS\System32\eZstub.exe /Uninstall2 C:\Program Files\eZula

And these also need to be deleted:

C:\Program Files\Web Offer
C:\Program Files\eZula

123456
01-25-2005, 08:31 PM
for some reason unknown to mankind, my sister won't let me touch her pc. And she installed limewire back. And she says that 4.21 gb free is good.

Budfred
01-25-2005, 10:23 PM
Then the best bet may be to just let it go and wait until the computer will not work at all anymore... Refuse to give her any help unless she agrees to let you clean it up completely and to use a safe P2P program if she insists on using one... You could also suggest that she simply turn off any protection programs that she has since they are probably not doing any good anymore anyway and since she has apparently decided to act as a server for slime on the internet who will use her computer to distribute SPAM porn and other garbage, it will make it easier for them to do that... I doubt she will get the irony, but it is clearly a hopeless situation if that mess is not fixed.... :eek: :confused: :eek:

123456
01-26-2005, 08:48 AM
Hmmm...I was thinking of doing that. Easier than to deal with her