Author Topic: is it a virus?  (Read 4576 times)


billy01

  • Guest
is it a virus?
« on: September 15, 2004, 12:40:20 PM »
There seems to be something running in the background on my PC. It is most notable when I am connected to the internet: if I open my connection by clicking on the screens on my taskbar, the status window shows it is sending and receiving bytes constantly. It never used to do this until about a week ago. Generally, once my automatic updates were complete, the connection icon would not flash. I am up to date with avast and running a full scan has not found anything. I have also tried Ad-Aware with no success. Any suggestions would be appreciated.

whocares

  • Guest
Re:is it a virus?
« Reply #1 on: September 15, 2004, 01:39:58 PM »
Hi,
please describe your system in more detail and
post a HijackThis log for analysis: -> http://klaffke.de
 ;)

CharleyO

  • Guest
Re:is it a virus?
« Reply #2 on: September 16, 2004, 11:51:46 AM »
*

First, do as Whocares suggested and give us more system information ... plus a Hijackthis log.

It could be a keylogger or some other malware. Since Ad-aware did not find anything, I would suggest you also try Spybot-Search & Destroy. You can find it here:

http://www.safer-networking.org/en/index.html

*

billy01

  • Guest
Re:is it a virus?
« Reply #3 on: September 16, 2004, 12:20:05 PM »
Sorry for the delay in my response, I am located in rural Australia.

OS: Win XP Pro
P3 800
256 MB RAM
20 GB Seagate HDD


Here are the results of the HijackThis scan. I hope I have done it correctly as I have not used this before. Thanks



Logfile of HijackThis v1.98.2
Scan saved at 8:15:20 PM, on 9/16/2004
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\WINBOOT32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\SYSTEM32\RAMASST.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\unzipped\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchPRO - {4E7BD74F-2B8D-469E-8EEC-EF64B787BB38} - C:\WINDOWS\DOWNLO~1\SEARCH~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: EasySearchBar - {86790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - C:\PROGRAM FILES\ESB\ESB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: SearchPRO - {4E7BD74F-2B8D-469E-8EEC-EF64B787BB38} - C:\WINDOWS\DOWNLO~1\SEARCH~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Echo Control] C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Reg Services] WINBOOT32.EXE
O4 - HKLM\..\RunServices: [Reg Services] WINBOOT32.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\SYSTEM32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\googletoolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html
O9 - Extra button: EasySearchBar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRAM FILES\ESB\ESB.DLL
O9 - Extra 'Tools' menuitem: EasySearchBar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRAM FILES\ESB\ESB.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: Win32 Classes -
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E7BD74F-2B8D-469E-8EEC-EF64B787BB38} (SearchPRO) - http://www.searchpro.com.au/toolbar/searchpro.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B0B68FB-E104-4415-AAF2-CE81ED909AE8}: NameServer = 203.134.64.66 203.134.65.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{6B0B68FB-E104-4415-AAF2-CE81ED909AE8}: NameServer = 203.134.64.66 203.134.65.66


galooma

  • Guest
Re:is it a virus?
« Reply #4 on: September 16, 2004, 12:33:51 PM »
Billy, are you on broadband or dial-up? Given your country location I assume you are on dial-up. You really should consider a firewall, more so if you are on broadband. There's just too much garbage not to have one installed. Plenty of free ones around.
I would also consider giving the searchbars the flick as they often come with added extras that don't always take you where you wanna go.

billy01

  • Guest
Re:is it a virus?
« Reply #5 on: September 16, 2004, 01:00:01 PM »
I am on dial-up. Have removed searchbars. I will get a firewall but don't know which one, I have never used one. Will a firewall help me with my current problem or only help prevent future probs?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:is it a virus?
« Reply #6 on: September 16, 2004, 01:16:14 PM »
1] Disable system restore
2] Reboot
3] Fix the following things:
\windows\system32\winboot32.exe
r3 - default urlsearchhook is missing
o2 - bho: searchpro - {4e7bd74f-2b8d-469e-8eec-ef64b787bb38} - c:\windows\downlo~1\search~1.dll
o3 - toolbar: easysearchbar - {86790aa5-c6c7-4bcf-a46d-0fdac4ea90eb} - c:\program files\esb\esb.dll
o3 - toolbar: searchpro - {4e7bd74f-2b8d-469e-8eec-ef64b787bb38} - c:\windows\downlo~1\search~1.dll
o4 - hklm\..\run: [reg services] winboot32.exe
o4 - hklm\..\runservices: [reg services] winboot32.exe
o9 - extra button: easysearchbar - {a26abcf0-1c8f-46e7-a67c-0489dc21b9cc} - c:\program files\esb\esb.dll
o9 - extra 'tools' menuitem: easysearchbar - {a26abcf0-1c8f-46e7-a67c-0489dc21b9cc} - c:\program files\esb\esb.dll

4] Visit http://v5.windowsupdate.microsoft.com/v5consumer/default.aspx?ln=en and keep going there till ALL security patches/updates are installed.
Both your Windows and your IE are very much outdated and vulnerable to all kinds of malware.
« Last Edit: September 16, 2004, 01:17:20 PM by Eddy »
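A small triage script, added here as an example and not code from this thread or from HijackThis, that mechanises two of the signals behind Eddy's list: Run/RunServices values that name a bare executable rather than a full path, and BHO/toolbar entries whose file is missing or whose CLSID also appears as an O16 ActiveX download. It runs over an unaltered excerpt of billy01's log; the bare-name check also trips on C-Media's Mixer.exe, which is why its output is a review list, not a verdict.

```python
import re

# Excerpt of the HijackThis v1.98.2 log billy01 posted above (lines copied unaltered).
LOG = r"""
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: SearchPRO - {4E7BD74F-2B8D-469E-8EEC-EF64B787BB38} - C:\WINDOWS\DOWNLO~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Reg Services] WINBOOT32.EXE
O4 - HKLM\..\RunServices: [Reg Services] WINBOOT32.EXE
O16 - DPF: {4E7BD74F-2B8D-469E-8EEC-EF64B787BB38} (SearchPRO) - http://www.searchpro.com.au/toolbar/searchpro.cab
"""

# O4: autostart value; O2/O3: IE BHO or toolbar; O16: ActiveX control downloaded through IE.
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}).*? - (?P<url>\S+)$")

def exe_of(cmd):
    """Executable part of a Run value, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ")[0]

def triage(log_text):
    """Return (log line, reason) pairs a reviewer should look at first."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    # CLSIDs that arrived as ActiveX downloads, mapped to the URL they came from.
    dpf = {m["clsid"].upper(): m["url"] for l in lines if (m := O16_RE.match(l))}
    findings = []
    for line in lines:
        if m := O4_RE.match(line):
            exe = exe_of(m["cmd"])
            # A bare file name is resolved through the search path at logon; legitimate
            # entries (C-Media's Mixer.exe) trip this too, so it is a review item only.
            if not re.match(r"^[A-Za-z]:\\", exe):
                findings.append((line, f"bare executable name {exe!r}: verify the file on disk"))
        elif m := O23_RE.match(line):
            clsid, path = m["clsid"].upper(), m["path"]
            if "(file missing)" in path:
                findings.append((line, "file missing: dead registration, safe to fix"))
            elif clsid in dpf:
                findings.append((line, f"installed via ActiveX download from {dpf[clsid]}"))
    return findings
```

On the excerpt above it returns five items: the dead Clear Search BHO, the SearchPRO toolbar traced to its .cab download, and the three bare-name Run entries (Mixer.exe plus both WINBOOT32.EXE values).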

galooma

  • Guest
Re:is it a virus?
« Reply #7 on: September 16, 2004, 01:39:55 PM »
Firewall: I recommend ZoneAlarm, you can find it in Technical Links in the General Topics forum. It's the simplest to use/setup.
But Eddy's right, your biggest problem now is M$ update. You haven't even got Service Pack one, which is from over a year ago. Problem is, it alone takes 5-6 hrs to download on 56k and there are heaps of updates since. Best to leave it running overnight. Hope your plan is unlimited d/l. ;)
Do you know how to turn off sys restore? Go to Control Panel / System / and look for a System Restore tab, check the box to turn off then hit Apply, then uncheck again and Apply.
Good luck  :D

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:is it a virus?
« Reply #8 on: September 16, 2004, 01:42:34 PM »
Too bad you can't order the free security update cd anymore from MS  :-\

billy01

  • Guest
Re:is it a virus?
« Reply #9 on: September 16, 2004, 01:47:26 PM »
Thanks Eddy, I will do what you say. Though as far as I was concerned I had done all Windows updates (except SP1 & SP2)? But mind you, I only think I know what I'm talking about.