bad spy/adware
10 posts
• Page 1 of 1
OK, I was checking my e-mail and I had a message from a friend with a link. I went to it, but then my computer shut down. When I turned it back on some "Spy Sheriff" started running and my wallpaper changed to something blue with a black box in the middle that said "spyware infection". Windows Explorer keeps on shutting down and I can't go into any file; it just exits. I created a new account and deleted my old one and ran Microsoft AntiSpyware but it didn't help. I want to reinstall Windows, however I have lost the CD so...
Oh, also there are icons appearing on my desktop; there have been about 12 within the last 10 min.
Ooh, that's a bad one. First, I'd go to your friend's house and strangle him. As for the CD, MS will ship you a new one if you have all your info.
Everything that irritates us about others can lead us to an understanding of ourselves. -- Carl Jung
eVGA X58 tri-SLI, i7 930 @ 3.8GHz., Corsair 6GB Dominator, Inno3D GTX470, eVGA260
ASUS P8P67 Pro, i7 2600K @4.60 GHz, 8GB RAM, eVGA GTX 460
- augie
- Community Director
- Posts: 7870
- Joined: Mon Aug 26, 2002 1:55 am
- Location: Laurentians, Quebec
OK, let's start with posting a log from HijackThis here.
- augie
- Community Director
- Posts: 7870
- Joined: Mon Aug 26, 2002 1:55 am
- Location: Laurentians, Quebec
StartupList report, 11/20/2005, 2:43:47 PM
StartupList version: 1.52
Started from : C:\DOCUME~1\jeff\LOCALS~1\Temp\Temporary Directory 1 for startuplist[1].zip\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_05\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\jeff\LOCALS~1\Temp\Temporary Directory 1 for startuplist[1].zip\StartupList.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
WINDVDPatch = CTHELPER.EXE
UpdReg = C:\WINDOWS\UpdReg.EXE
Jet Detection = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
SysMemory manager = c:\windows\system32\mdms.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Download Program Files:
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupda ... 1404118937
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shoc ... wflash.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
SysTray.Exbr: C:\WINDOWS\System32\dcqbpahi.dll
--------------------------------------------------
End of report, 4,467 bytes
Report generated in 0.032 seconds
Hmm, I don't see anything wrong in the startup except for the last .dll entry. Next, run this and post a log: http://www.spywareinfo.com/~merijn/files/hijackthis.zip
- augie
- Community Director
- Posts: 7870
- Joined: Mon Aug 26, 2002 1:55 am
- Location: Laurentians, Quebec
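The checks an analyst makes by eye on a StartupList report like the one posted above can be written down and run. The Python below is an added example for this thread; it is not HijackThis or StartupList code and not a tool any of the posters used. Run over a constructed excerpt of the log above, it flags three entries: the Winlogon Shell value, which on XP should read nothing but explorer.exe and here has "...\Web Folders\ibm00001.exe" appended; the SysTray.Exbr entry in ShellServiceObjectDelayLoad, whose DLL name dcqbpahi.dll has the random-looking shape that droppers generate; and the "SysMemory manager" Run entry pointing at mdms.exe, queued for review because it is tied to no software known to be on the box. Two things are assumptions of the example rather than facts from the page: the KNOWN_GOOD_RUN allowlist (built from the NVIDIA, Creative, Sun Java and Microsoft AntiSpyware entries visible in the log) and the list of four ShellServiceObjectDelayLoad names treated as stock for XP SP2.

```python
"""Triage a StartupList-style report for common Windows persistence red flags.
Added example, not a tool from the thread: SAMPLE_REPORT is a constructed excerpt
of the log posted above, and KNOWN_GOOD_RUN is an assumed analyst allowlist."""
import re
from typing import Dict, List, NamedTuple

Finding = NamedTuple("Finding", [("severity", str), ("section", str),
                                 ("entry", str), ("reason", str)])

# ShellServiceObjectDelayLoad names on a stock XP SP2 install; anything else loads
# a DLL into explorer.exe at every logon and must be identified by hand.
XP_DEFAULT_SSODL = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray"}
# Assumed allowlist: Run value names already tied to software known to be on the
# box (NVIDIA, Creative, Sun Java, Microsoft AntiSpyware).
KNOWN_GOOD_RUN = {"NvCplDaemon", "nwiz", "NvMediaCenter", "WINDVDPatch", "UpdReg",
                  "Jet Detection", "SunJavaUpdateSched", "gcasServ"}

# Constructed excerpt of the report posted in this thread.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
SysMemory manager = c:\windows\system32\mdms.exe
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
--------------------------------------------------
Shell & screensaver key from Registry:
Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
SysTray: C:\WINDOWS\System32\stobject.dll
SysTray.Exbr: C:\WINDOWS\System32\dcqbpahi.dll
"""

def parse_sections(report: str) -> Dict[str, List[str]]:
    """Split the report into {heading: lines}; headings end in ':' and hold no '='."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", "="}:
            continue  # blank line or ----/==== separator
        if line.endswith(":") and "=" not in line:
            current = line[:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def file_stem(command: str) -> str:
    """Lower-cased file name, minus extension, of the first path in a command line."""
    command = command.strip()
    if not command:
        return ""
    first = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    name = first.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()

def looks_random(stem: str) -> bool:
    """Crude dropper-name heuristic (think 'dcqbpahi'): 6+ lowercase letters with
    almost no vowels, a run of 4+ consonants, or a 'q' not followed by 'u'."""
    if not re.fullmatch(r"[a-z]{6,}", stem):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowels / len(stem) < 0.2 or longest_run >= 4 or bool(re.search(r"q(?!u)", stem))

def triage(report: str) -> List[Finding]:
    s, out = parse_sections(report), []
    # Winlogon Shell must be exactly explorer.exe; anything appended is launched
    # at every logon alongside the shell.
    for line in s.get("Shell & screensaver key from Registry", []):
        key, _, value = line.partition("=")
        if key.strip().lower() == "shell" and value.strip().lower() != "explorer.exe":
            out.append(Finding("high", "Winlogon Shell", line, "Shell is not plain explorer.exe"))
    # SSODL: any name beyond the stock four is a hand-check, worse if it looks generated.
    for line in s.get("Enumerating ShellServiceObjectDelayLoad items", []):
        name, _, path = line.partition(":")
        if name.strip() not in XP_DEFAULT_SSODL:
            reason = "non-default ShellServiceObjectDelayLoad entry"
            if looks_random(file_stem(path)):
                reason += "; DLL name looks machine-generated"
            out.append(Finding("high", "SSODL", line, reason))
    # Run: entries not tied to known software are queued for review; a
    # random-looking binary name goes straight to high.
    for line in s.get("Autorun entries from Registry", []):
        if "=" not in line:
            continue  # the HKLM\...\Run key header line
        name, _, command = line.partition("=")
        if name.strip() not in KNOWN_GOOD_RUN:
            sev = "high" if looks_random(file_stem(command)) else "review"
            out.append(Finding(sev, "Run", line, "not in allowlist; identify the file"))
    return out

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.section}: {f.entry}\n         -> {f.reason}")
```

Paste a full report into SAMPLE_REPORT (or read it from a file) and the same three passes apply; the name heuristic is deliberately crude and only raises severity, so every "review" entry still needs the file itself looked at, and a clean-looking entry in the allowlist is only as good as the analyst who put it there.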
http://www.sophos.com/virusinfo/analyse ... botch.html
The "SysMemory manager = c:\windows\system32\mdms.exe" entry is a virus.
If you have AV - let it try to get rid of it by performing a full system scan. If that doesn't work, boot into safe mode and attempt to delete the file - if you can't delete it, try to rename it. You may have to hit Ctrl+Alt+Del and bring up the Task Manager, end explorer.exe, and then attempt to delete or rename the mdms.exe file. Once you've renamed it, go ahead and reboot into Windows - chances are this virus is in addition to the spyware/malware you got from the link from your friend.
Do you have any recently purchased Sony CDs? If you do, and you attempted to uninstall their DRM 'stuff', you might have the backdoor that allows machines to be remotely rebooted - or it could just be that whoever owns your computer through the virus infection decided to reboot it. See here and here.
As long as you don't have a rootkit, you're still cleanable (and maybe even then...) - just keep posting the logs and we'll do all we can to get you back to top performance.
-ZRC
- ZRC
- Posts: 184
- Joined: Thu Mar 17, 2005 12:28 am
- Location: Massachusetts.USA.Earth.in-addr.arpa.
NUMBER ONE: turn off your System Restore.
TWO: update your AV and other spyware/malware programs.
THREE: boot to safe mode and run your scans.
FOUR: when you're convinced the issue is fixed, reboot back to normal mode and look at the HJT scan, if you're brave enough to believe someone over the internet and run the fixes...
FINALLY: turn on your System Restore [if you use it... and you should].
Hi Smokeyou,
Looking back at your startup list I see another one that you ought to be very careful with, Azureus. It's a very popular torrent P2P and has recently been infiltrated by a lot of malware cretins.
I found 3.2 GB of crippled porno files on my torrent drive, undoubtedly due to Azureus and friends, one day strictly by accident. I couldn't view them (and that infuriated me) but they had porno-sounding names; you know what I mean. That was the day I wiped Azureus and its friends off my machines.
If you visit warez or keygen sites, you are certain to pick up some malware, just as if you visited all the brothels in Manila.
One other thing to add to the 5 steps for fixing your machine: after you clean it, set another restore point, go into drive properties, and clean up the drive using the advanced function to remove all but the latest restore point. Then you will have removed the malware that might have been stored in the previous restores. All this is predicated on whether you have been using System Restore; I highly recommend it; it saved my computer once again just yesterday.
Practicing safe computing is getting harder to do.
- j8k3sp00n
- Posts: 315
- Joined: Fri Jul 12, 2002 5:01 pm
- Location: Baking my brains out on high ground in Sacramento