2007-05-01, 00:00 | Link #21 |
Senior Member
Join Date: Apr 2006
Location: Philippines
I surfed the net (download.com) and got to know some programs that look cool. The problem is I don't know which programs to trust; can you help me out?
- Windows Defender (not sure if this is an anti-virus)
- Spyware Terminator (is this an anti-virus? not sure)
- And once again, CCleaner looks nice
- Spybot Search & Destroy looks good too.
Is it ok to have all of these installed? Oh yeah, all of those programs are freeware. Is Spybot detected as a virus by some anti-virus programs? I know these questions are all stupid and I'm sorry for that.
Last edited by toru310; 2007-05-01 at 00:14.
2007-05-01, 00:49 | Link #22 |
Love Yourself
Join Date: Mar 2003
Location: Northeast USA
Age: 38
The questions aren't stupid. Believe me, you're interested in making sure that your computer stays under your own control; your inquiries are the right kind of inquiries to make.
Windows Defender is Microsoft's answer to increasing security concerns. I've heard mixed reviews of it, but overall it seems to be a decent solution. Feel free to get it (make sure it's a Microsoft product, and not some third party trying to mimic the name).
Spyware Terminator I've never heard of, but the site looks OK and it has a number of favorable reviews on download.com...
CCleaner I've already gone over; just make sure that you know it's not a security program.
Spybot is good, and has my personal recommendation. It should not be detected as a virus by antivirus programs as far as I'm aware. I'll also mention again that Ad-Aware is free and has a good track record; before Spybot came along, all we had was Ad-Aware. Occasionally one program might miss something that the other could detect, or it might not be able to remove something that another would be able to, so that's why it's good to have two. But, just as with virus scanners, if there's an option for real-time protection, make sure that only one is running at a time.
2007-05-01, 01:36 | Link #23 |
INTJ
IT Support
SpySweeper's not so bad either. As I've said in another thread, it's best to install and use the utilities in safe mode. To clarify: not safe mode with networking, just safe mode. This way, it will keep the problem isolated and maybe even incapacitated while you scan for it and delete it.
Speaking of which, I'll need to do something similar. I have a feeling something's gotten to my MSN, since every time I try to log on, the computer restarts a minute later. Fortunately, it's only MSN that's currently affected.
2007-05-01, 02:55 | Link #25 |
Over Drive!
Join Date: Mar 2006
Age: 33
1. Go run Ad-Aware and Spybot to get rid of some stray malware.
2. Download CleanUp! Here and run it. It'll clear all your temporary internet files.
3. Go to Trend Micro and take a scan Here. Copy your results and save them somewhere (if Notepad doesn't work, just email them to yourself).
4. Download HijackThis Here. Scan and save a log file. Post the Trend Micro results and the HijackThis scan (since .log opens in Notepad, you probably can't open it; just put the whole file somewhere) here and see what we can do.
Though I'd have to say... since your friend can run Linux, pull out an external drive or an HD enclosure, back up some data and reformat the computer. That's the best way IMO.
2007-05-01, 04:11 | Link #26 |
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
I've an unrelated question. I was looking on the Grisoft site; is there no free AVG Anti Virus anymore? (I use the full version for server systems... because there are few anti virus applications that fully support Windows 2003 and are quite affordable too.)
It looks like there are only trial versions offered.
2007-05-01, 07:40 | Link #27 |
Senior Member
Join Date: Apr 2006
Location: Philippines
2007-05-02, 01:19 | Link #30 |
INTJ
IT Support
Alright. Since this thread is already up and I'm the type who wants to solve problems myself first, I'll step out of my box and ask for help in here. And since this thread is directly associated with what my computer seems to be suffering from, this would be a good place to ask.
It seems my computer is suffering from a virus of sorts, but it could be something else. At first, my computer started to show signs of decreased performance. The CPU in the task bar would indicate that it was processing much more than normal, thus slowing the computer down. I attempted to stop some of the processes, but only came up with a small increase in performance. This led me to believe that either the CPU, RAM or maybe even the motherboard was starting to fail. Then MSN (the messenger) started to do something rather strange. Whenever I attempted to log in to it, it would log me in for a minute, then the computer would suddenly restart on its own. Strangely enough, it was only this program's activation that would cause the computer to restart. I thought it was only hardware failure and that I could tolerate not using MSN until I got the replacement pieces. But after a few days, the computer suddenly did something strange. mIRC was no longer able to connect, claiming that there was no internet connection available. Internet Explorer also would not allow me to click or type on anything other than the menus, although they would pop up severely slowly. This was when I started getting the idea that it may be a virus. So, I restarted into safe mode with networking (which is what I'm on now) and it seems all the problems went away. So, I ran my utilities, from SpySweeper to SmitFraud Fix to SpyBot to Ad-Aware SE and Norton Anti-Virus. With the utilities, I found a keylogger and immediately deleted it. There were also some registry entries that were altered, as well as some questionable DLLs and other files that were removed. After a few hours of that, I restarted the computer into Normal mode, but it seems the virus persisted and reacted to the attempt. Now, mIRC is able to connect, but every other program claims that there is no internet connection detected.
So, I'm back in safe mode with networking, scanning and attempting to fix any problems that I may come across, though I'm not 100% sure that the next time I restart into Normal Mode the computer will be restored. So, any suggestions?
2007-05-02, 05:42 | Link #31 |
Senior Member
Join Date: Apr 2006
Location: Philippines
Have you checked your firewall? Maybe it's missing, or corrupt? That happened to me before: I couldn't access the internet and then I realized that my firewall was missing, so I had to reformat. Ermm, have you tried a combination of AVG Anti-Virus and HijackThis? Scan with AVG and when it detects a virus, copy the location and run HijackThis to remove it.
I'm no pro but I'm getting there... based on experience... hehe
2007-05-02, 06:12 | Link #32 |
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
I think it is nice that you want to help people... well, don't get me wrong... ^^' ... the advice you offer here is only partly correct.
@Phantom-Takaya, can you run HijackThis and provide the log for further investigation? Also a good thing imo is checking for rootkits, e.g. using http://www.microsoft.com/technet/sys...tRevealer.mspx
2007-05-02, 10:22 | Link #33 |
INTJ
IT Support
Actually, that's another thing I forgot to point out that the virus reacted to. Right when I started it back in normal mode, Windows quickly informed me that Norton Firewall and Anti-Virus were disabled. I never disable those two. Unfortunately, my attempts to enable them were overridden by the virus. I know one easy way to fix this is to reinstall the OS, but that's a last resort.
I'm going to restart the computer in normal mode to run HijackThis. Maybe I've missed a process or two.
2007-05-02, 10:35 | Link #34 |
INTJ
IT Support
Alright. This is the first scan in normal mode:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:27:19 AM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Installers\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: John's Background Switcher.lnk = C:\Program Files\johnsadventures.com\John's Background Switcher\BackgroundSwitcher.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O15 - Trusted Zone: http://www.torrentmatrix.com
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

-- End of file - 6282 bytes

I selected everything and had HijackThis "fix" it for the sake of it, then scanned again. Here are the new results:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:29:54 AM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Installers\HiJackThis_v2.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

-- End of file - 3531 bytes
2007-05-02, 12:14 | Link #35 |
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
I found nothing really suspicious there... however...
I'd disable cisvc.exe (the indexing service for faster local search, but very performance demanding). This can be shut off in the Windows search dialog (enable/disable file indexing).
The IDriverT thingy you can set to manual start-up (afaik it need not start up automatically).
And now I need to know if these programs were installed by yourself (and are running with your consent...):
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
Now, the root kit analysis (it provides yet another log to examine).
2007-05-02, 14:22 | Link #36 |
AS Oji-kun
Join Date: Nov 2006
Age: 74
Anyone know what this was in the initial scan?
O15 - Trusted Zone: http://www.torrentmatrix.com
I visited torrentmatrix.com and got a MySQL error page for too many connections. I notice it wasn't in the second scan after you ran HijackThis. If you don't recall putting this site into your "trusted" sites, I'd be very suspicious of an entry like that.
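As an added example (not code posted in this thread, and not part of HijackThis or any other tool named here), the following Python script parses the log format posted in #34 and flags the kinds of entries the replies in #35 and #36 ask about: the O15 Trusted Zone site, O4 autoruns and O23 services that start from a temporary or user-writable directory, and services with no vendor name. The flagging rules are this example's own heuristics, the sample log is constructed to mirror the posted format rather than copied from it, and the assumption that "Unknown owner" is the vendor string shown for a service with no company information is marked in the code.

```python
"""Triage a HijackThis-style log for entries worth a second look.

Added example modelled on the log format posted in this thread; it is not
HijackThis code, and the flagging rules are this example's own heuristics.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# One log entry looks like "<code> - <body>", e.g. "O15 - Trusted Zone: http://..."
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<desc>.*?) \((?P<short>[^)]+)\) - (?P<vendor>.*?) - (?P<path>.*)$")
TRUSTED_RE = re.compile(r"^Trusted Zone: (?P<url>\S+)$")
IE_RE = re.compile(r"^(?P<key>.*?) = (?P<value>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+')  # first drive-letter path in a command line

# Directories a persistent autorun or service should not normally run from, and the
# roots where installed software is expected to live (both are this example's assumptions).
SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\", "\\users\\", "\\application data\\")
EXPECTED_ROOTS = ("\\program files", "\\windows\\")


@dataclass
class Entry:
    code: str
    body: str
    fields: Dict[str, str] = field(default_factory=dict)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    code: str
    reason: str


def parse_log(text: str) -> List[Entry]:
    """Keep only the Rn/On entries; header and 'Running processes' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        sub = None
        if code == "O4":
            sub = RUN_RE.match(body)
        elif code == "O23":
            sub = SERVICE_RE.match(body)
        elif code == "O15":
            sub = TRUSTED_RE.match(body)
        elif code in ("R0", "R1"):
            sub = IE_RE.match(body)
        entries.append(Entry(code, body, sub.groupdict() if sub else {}))
    return entries


def first_path(command: str) -> Optional[str]:
    m = PATH_RE.search(command)
    return m.group(0) if m else None


def path_is_suspect(path: str) -> bool:
    """True if the binary sits in a temp/user-writable directory or outside the expected roots."""
    p = path.lower()
    if any(d in p for d in SUSPECT_DIRS):
        return True
    tail = p[2:] if re.match(r"[a-z]:", p) else p
    return not tail.startswith(EXPECTED_ROOTS)


def triage(entries: List[Entry], trusted_hosts=()) -> List[Finding]:
    """Apply the heuristics; trusted_hosts are sites the owner knows they configured themselves."""
    findings = []
    for e in entries:
        f = e.fields
        if e.code == "O15" and f:
            host = urlparse(f["url"]).hostname or f["url"]
            if host not in trusted_hosts:
                findings.append(Finding("high", e.code,
                    f"Trusted Zone entry for {host}: IE relaxes its security for this site; confirm you added it"))
        elif e.code == "O4" and f:
            p = first_path(f["cmd"])
            if p and path_is_suspect(p):
                findings.append(Finding("high", e.code,
                    f"autorun [{f['name']}] starts from a temporary or user-writable location: {p}"))
        elif e.code == "O23" and f:
            # Assumption: "Unknown owner" is the vendor string shown when no company information exists
            if f["vendor"].lower() == "unknown owner":
                findings.append(Finding("medium", e.code, f"service {f['short']} carries no vendor name"))
            if path_is_suspect(f["path"]):
                findings.append(Finding("high", e.code, f"service {f['short']} runs from {f['path']}"))
        elif e.code in ("R0", "R1") and f:
            host = urlparse(f["value"]).hostname or f["value"]
            if host not in trusted_hosts:
                setting = f["key"].split(",")[-1]
                findings.append(Finding("low", e.code, f"IE {setting} points at {host}; verify it is the one you chose"))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for fd in findings:
        counts[fd.severity] = counts.get(fd.severity, 0) + 1
    return counts


# Constructed sample in the posted format (not the thread's real log): a benign driver
# autorun and AV service next to a temp-directory autorun, a nameless service and a Trusted Zone site.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [BgMonitor] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\update.exe
O15 - Trusted Zone: http://www.torrentmatrix.com
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Helper Service (helpsvc2) - Unknown owner - C:\WINDOWS\Temp\helper.exe
-- End of file - 640 bytes
"""

if __name__ == "__main__":
    for fd in triage(parse_log(SAMPLE_LOG), trusted_hosts=("ie.redirect.hp.com",)):
        print(f"[{fd.severity:6}] {fd.code}: {fd.reason}")
```

Run it on a saved log with `triage(parse_log(open("hijackthis.log").read()))`; the `trusted_hosts` argument is where the owner lists the sites and start pages they know they set, so that only the entries they cannot account for are reported. The script deliberately never deletes anything: as the thread shows, "fix everything" removes legitimate entries along with the bad ones, and the point of the log is to decide per entry.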
2007-05-02, 15:18 | Link #37 |
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
Strange, when I visited the site before (and now) everything was alright there. Anyway, it's not there anymore... and the other stuff seems okay too (if there is not a camouflaged service...).
However, the root kit test log would really interest me.
2007-05-02, 18:28 | Link #38 |
Love Yourself
Join Date: Mar 2003
Location: Northeast USA
Age: 38
I'm with Jinto Lin on the rootkit information. Somewhat related, does anyone have any recommendations for a Linux LiveCD for bailing out Windows? I found one called Helix, yet it seemingly couldn't mount NTFS partitions (I may have been using it wrong). I wanted to use it to scan for viruses completely outside of Windows with ClamWin (other tools would be nice too, but virus/spyware sweeping is the main thing).
After you've cleared the viruses and whatnot, I'd recommend repairing your Windows install (boot off the CD, skip the recovery console, and when you're prompted for where to install, select your Windows partition and hit "r" (repair); it doesn't touch your registry or anything, but sets the critical system files back to normal). If you're having networking issues, there are a number of possible reasons, but one may be that the thing messed with some of the core networking files.
2007-05-02, 19:12 | Link #40 |
AS Oji-kun
Join Date: Nov 2006
Age: 74
For North American readers, there are copies available on one of my favorite download sites at the University of Wisconsin.