

Messages - roofy

1
Tech Clinic / Double Checking
« on: May 18, 2005, 01:36:07 PM »
Hi there all,
Last night I noticed that LiveUpdate hasn't updated in over a week now. My last virus definition was 5/9/05. In addition I also noticed that my system hasn't been scanned in a while either. So I checked my last scan date, which said 5/09/05. However, I have Norton's set up to scan every Saturday, which means that my last scan date should have been 5/14/05. So I tried running LiveUpdate by clicking on its button, but the scan said that I have the latest definitions, which isn't true. At Symantec's web site they have mentioned that the latest definition date for Automatic LiveUpdate was 5/12/05. So I tried to manually run a scan and it popped up an error saying that some sort of file was missing. I don't think I am infected again, but to make sure, I did a test at Trend Micro's free online scan, and it mentioned that my computer is not infected. The only thing I could think of is that after I was infected on May 9, 2005, and before I came here, I started picking files that I thought were infections and had deleted them. Doing so, I also noticed this problem with Microsoft Office, asking me to please insert your Microsoft Office CD to complete the installation. So I am assuming that all these problems that I am now having have to do with my carelessness in deleting files I shouldn't have. However, to double check, could you please check my fresh HijackThis log for me? Having some experience with HijackThis now, it doesn't appear to look like there is anything wrong, but that doesn't mean anything.

Logfile of HijackThis v1.99.1
Scan saved at 2:05:24 PM, on 5/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/EN/mdldetect/VaioInfo.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1115961455311
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks again.

2
Software / Building a program
« on: May 18, 2005, 12:59:39 AM »
Hi there all,
I am not sure if this is the right place to ask this, but I thought I'd give it a try. What I'd like to do is build a program that can help others know what files are OK to disable at startup time. This program would also monitor malicious startups and guide the user on deleting them. The problem though is that I would need to make a registry definition list for the program to know what is legitimate and what is malicious, which means I would need to know all of the AV programs that are out there as well as all of the software firewall programs that are out there, and know what their startup keys are. So I am asking you guys if any of you know where I could find a list of all the AV and firewall programs and what their startup keys are, or if you would happen to know them yourself?

3
Tech Clinic / So much cr*p, will re-install fix it all?
« on: May 17, 2005, 09:11:02 PM »
Quote
I have Ad-Aware, SpyBot S&D, MS ANTIspyware, Norton Antivirus (which I cannot understand why it finds these trojans, but is unable to fix them?? what good is it then?)
First off, the reason why Norton is not able to delete the viruses that were found is because the viruses are currently running. You can not delete any kind of file while it is open or running. Even though Norton sucks, this is not a defect in Norton. It is the way a lot of today's viruses run.

Quote
To me I think it seems more logical to just reinstall windows.

Have you ever tried doing this before? I wouldn't suggest this!!!!! Just reinstalling Windows XP will possibly reinfect your computer. If you wanted to reinstall Windows without the risk of being infected, you would have to format your hard drive and reinstall everything, which I think is more of a headache than following our instructions. In addition, because you are networked with 2 computers, just only cleaning one machine doesn't mean that you would get reinfected. Meaning, usually once one machine gets infected, then all the computers on your network can get infected.

Quote
I am not running firewall, I tried zone alarm, the free version, and it blocked my network completely. I do not have a hardware firewall either, just a hub.

Should I get a hardware firewall even if I am still on dialup?

Talking about ZoneAlarm, some people have said that it doesn't work that well on Windows XP. To answer about getting a hardware firewall with dial-up, I am not that sure. It used to be that firewalls were made for broadband internet because the internet is still active even if you're not using the computer. However, with hackers being able to automatically dial out to the internet, recommendation rules could have changed now. You could call your ISP to ask if their software includes firewall software, or if it is OK to use a hardware firewall. If it is, and to make things cheaper, get a router that includes a firewall. You can get a Linksys firewall router for about $100 US Dollars.


Though here is what you can do. Let's start off by seeing if you can download a program called HijackThis, by merlin. You can find merlin's web site, who created HijackThis, here.

Also, because you are not giving any details of what your computer is doing, meaning like is it automatically sending email without your permission, or when surfing the net you are redirected to a search engine site instead of the place you actually wanted to go to, etc., you could find some trouble downloading this file. Though the link that I gave you has all the possible reasons why you can't download HijackThis, and it also gives you alternative routes on what to do. Once you download HijackThis, it is very important where you install HijackThis. The best location to install this is by making a new folder in this location...

c:\Hijackthis

Now, once HijackThis has been installed, open up HijackThis, and click on the button that says, "Do a system scan and save a logfile". When the scan is complete, HijackThis will open up Notepad and display your results. Next in Notepad, go to Edit->Select All, and then Edit->Copy. Then come back in here and paste your log in this thread. Also please keep in mind that this program does not replace Norton's. You must still use Norton's for its other features of protecting you. So after you post back, someone will get back to you to assist you.

4
Tech Clinic / Thanks Guestolo !
« on: May 17, 2005, 10:36:50 AM »
Oops, sorry about that. I was getting kind of confused considering that Daniel had so many posts. I have been reading other topics looking to see if there is a pattern to these viruses. The reason being is I'd like to see if I could build a program that could help others. The only pattern that I see is that the viruses are writing a startup key in the registry. I am thinking of building a registry key monitor that allows users not to have to post their logs. However, this would be complicated because if someone doesn't know what they're doing they could do more harm than what the virus did. I would need to build a definition list of either what are valid registry keys or, what might be safer, find a way that I can get my hands on a definition list of all the possible bad registry keys. Sort of just like how SpywareBlaster has a definition list of all the bad URLs and places them in the user's restricted zone.

5
Tech Clinic / Thanks Guestolo !
« on: May 17, 2005, 01:15:38 AM »
The reason why you can not log-in, is because of these 2 registries
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE

which is running this service...
C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE

I know of this file because I had a virus similar to this. The difference in mine was that I didn't have the security.exe file. Instead I just had the SVCHOST.EXE file and its dll files. How I was able to post my situation though, was because I know how to use the MSCONFIG tool, and I know what files are safe to disable at startup.

Symptoms
This type of virus is known to block people from running online virus scans. This happens when you click on the link thinking you are being directed to the free online scan, but instead it redirects you to the www.clicksearchclick.com site.

So either guestolo is going to have to understand that this type of virus is not going to allow you to log in to this forum, or you could get a head start in removing at least this virus by trying this possible chance as follows...

Run HijackThis again, and put a checkmark on the following bold entries...


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE

O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE


Then after checking the above, make sure that all other windows are closed except for HijackThis, and then click on FIX CHECKED.

Click OK to the prompt and then exit HijackThis.

Next, reopen HijackThis, but this time open the Misc Tools section. Then click on "Delete a file on reboot", and browse and select the file down below in this location...


C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE


Then click on Open and then click on the Reboot button at the HijackThis prompt. However, this time you want to boot in safe mode. You can do this by holding the F8 key before the Windows XP logo comes up. You will know you did it right if, instead of Windows booting, you get a bunch of options to choose from. What you want to choose is just the words "Safe Mode". When the welcome screen pops up, select the user name that you use to log in to Windows. Next, if you get a warning message saying that you are in safe mode, just click on OK. Then you will want to locate the folder down below and delete it.

C:\WINDOWS\System32\ Services <- just this folder that is in bold

After that you will want to reset your browser startup page to the original startup page that you like using. You can do this by going to Start->Control Panel. Once the Control Panel loads, click on Internet and Network Connections and then click on Internet Options. At the top of the Internet Options dialog box, there is a setting where you can type in what you want your startup page to be. For example, if you like going to www.google.com most frequently, then you would type www.google.com in the startup text box. You can name it whatever valid URL you want, but you don't want it to say www.clicksearchclick.com.

Then reboot the computer in normal mode, and this should clear the problem of not being able to log in to this site. Though before you do come back, I would suggest doing another HijackThis scan and posting the fresh log back in here so that guestolo can finish helping you.

Also, I hope that guestolo or any other moderator in here doesn't take my post the wrong way. It is just that I thought it wasn't fair that this person couldn't get help because the virus that he/she has is hijacking his/her browser from logging in. In addition, the instructions that I have posted in here are the same as what guestolo showed me to do to get rid of this virus. The only difference is, I disabled the startup of this virus before posting my question when I needed the help, and maybe that's why guestolo didn't know why you couldn't log in.
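The startup-key monitor roofy describes wanting to build (the "Building a program" and "Thanks Guestolo!" posts above) can be sketched as a triage pass over HijackThis O4/R0 lines. This is an added example, not code from the thread or from HijackThis; the sample log lines are copied from this thread's logs, and the start-page allow-list and the check names are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample input: O4 and R0 lines taken from the HijackThis logs
# posted in this thread, plus benign entries from the poster's own clean log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{6927BFDB-603D-4F8A-9D4A-40CAADED37CB}\SECURITY.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
"""

# Hypothetical allow-list of start pages the user actually chose (assumption,
# not from the thread). Anything else is reported for the user to review.
TRUSTED_START_HOSTS = {"www.comcast.net", "www.google.com"}

# Core Windows binaries are started by the kernel or the service control
# manager, never from a Run key, so a Run entry borrowing one of these names
# deserves a closer look wherever it points.
CORE_BINARY_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                     "services.exe", "lsass.exe", "svchost.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R0_RE = re.compile(r"^R0 - .*Start Page = (?P<url>\S+)$")
# A directory component that is a bare {GUID}, as in the entries above.
GUID_DIR_RE = re.compile(
    r"\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\\")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Pull the executable path out of a Run value's command line."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|vbs|bat|scr))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_run_entry(line: str):
    """Return a Finding for a suspicious O4 Run entry, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    path = image_path(m.group("cmd"))
    reasons = []
    if path.rsplit("\\", 1)[-1].lower() in CORE_BINARY_NAMES:
        reasons.append("core Windows binary name launched from a Run key")
    if GUID_DIR_RE.search(path):
        reasons.append("image lives in a GUID-named directory")
    return Finding(line, reasons) if reasons else None


def check_start_page(line: str):
    """Return a Finding when the R0 start page host is not on the allow-list."""
    m = R0_RE.match(line)
    if not m:
        return None
    host = (urlparse(m.group("url")).hostname or "").lower()
    if host not in TRUSTED_START_HOSTS:
        return Finding(line, [f"start page host {host!r} not in the user's allow-list"])
    return None


def triage(log_text: str):
    """Run every check over each line of a HijackThis log; keep only hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_run_entry, check_start_page):
            hit = check(line)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for reason in f.reasons:
            print("   ->", reason)
```

The Symantec, ctfmon and NVIDIA entries pass both checks, while the two GUID-directory entries and the hijacked start page are the only lines reported.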

6
Tech Clinic / Danger Desktop Hijack
« on: May 16, 2005, 02:18:32 PM »
Kane62,
Just out of curiosity, does this desktop hijack look like the background has been replaced with an ad with its title saying "Warning you are in great danger!!!"? Also, what version of Norton AV do you have? I ask this because I see that one of the virus startup files you have is the same file that I had. In addition, Norton's AV didn't detect this even in safe mode. Sorry I can't help you with your HijackThis log, though I can help some.

What I did was an online scan through Trend Micro's website, and it found the trojan horse. While you are waiting for guestolo to help you, you can find Trend Micro's free online scan by going to www.trendmicro.com. After going to their homepage, click on free online scan. However, it is possible to get redirected. If this happens, this means that your browser has been hijacked as well. The only 2 solutions that you can do then are the following...

The first way is NOT RECOMMENDED if you do not know how to use MSCONFIG. However, if you do, then what you could do is disable some of your startup files. HOWEVER, you do not want to disable Norton AV, and I also see that you are running ZoneAlarm, which you wouldn't want to disable either.

The second option is to wait for guestolo to help.


also FYI,
This virus IS VERY DANGEROUS! It can crack usernames and passwords and access personal data. For example, if you do online banking, it's possible that you won't see that money in your account the next day or so, all because of this virus. If you wait for guestolo, then I really suggest reading future replies to this thread on another computer, considering it is such a dangerous virus and staying online only makes this worse.

7
Tech Clinic / Possibly put an end to Viruses!!!!
« on: May 16, 2005, 10:33:32 AM »
Hi there all,
Please excuse me if I am posting this in the wrong area though I thought that this would be the best area to post considering it has to do with viruses.

I have a lot of questions to ask. If anybody could take the time to help me out, I would greatly appreciate it. Before I ask my questions, let me describe my topic.

Being one of the victims of getting a massive amount of viruses, I found a topic at Symantec's web site. It states that they are advising their customers that if they do not need to run VBScript files, then they should disable the Windows Scripting Host app, or move it to a removable media device, such as a jump drive, floppy disk or CD etc. The file is called wscript.exe. You can find the topic here.

What the Windows Script Host app does is allow users to run VBScript files, which also includes running ActiveX. Reading other topics at other sites, I hear that one of the most popular ways to get a virus, other than through email, is through ActiveX. The reason is, ActiveX has the capability of silently downloading viruses onto your computer. It used to be that you would get a pop-up window asking you if you want to install the ActiveX plug-in to view the site's web page properly etc. However, this is not the case anymore. The web site that you may be viewing might just make the plug-in install without your permission. So here are my questions....

1. How much more secure could your computer be by removing the Windows Scripting Host application? Yeah, I know you should still have other tools to help you keep your computer much more secure, such as an adware and spyware remover, using a firewall, and keeping your AV up to date. However, besides doing all this other stuff, could we actually put an end to viruses, or at least keep our computer 99.9% secure by doing so? Also, how many applications need VBScript capabilities? Meaning, other than Microsoft Office, what are the possibilities that I have an application that needs VBScript? I am a Shockwave/graphic designer, so I can't really think of anything considering all I use is Photoshop, Illustrator, Director, Maya, and Quark Xpress.

2. Does Shockwave use ActiveX? If so, that would mean that I need the wscript.exe file, but is it possible to get infected with other ActiveX viruses after installing the Shockwave plug-in? I know that downloading Shockwave is secure, and I know this because when a website asks you if you want to install the Shockwave plug-in it shows that the plug-in is signed through VeriSign. However, does this open a hole in IE that could allow all other ActiveX to pass through?

3. Continuing questions with Shockwave, if I need the ActiveX plug-in for it, is it possible to only allow this ActiveX plug-in to run by setting this through my IE security settings? If so, then how? This is really critical because I am a Shockwave programmer, and I hope that Shockwave can continue on and extend its popularity. It is really a neat program considering that it does not allow installing files to the user's computer, whereas there is Java for games too, but sometimes it needs to install other things to the user's computer which actually could be a virus.

I apologize for the long story, and I really appreciate you guys who are reading this in taking the time to help. So in conclusion, just maybe by combining our brains together we could kill viruses forever!!!!!!!!!!

8
Tech Clinic / FireFox and Sygate Firewall
« on: May 14, 2005, 04:04:47 PM »
Geustolo,
I don't know what I would do without you. You're the best.

9
Tech Clinic / FireFox and Sygate Firewall
« on: May 14, 2005, 01:30:37 PM »
Quote from: guestolo on May 14 2005, 01:16 PM
You shouldn't need to disable Norton's AV when installing Sygates
But if you want to be safe just disable Autoprotect temporarily and then install

Ok, thanks

Quote from: guestolo on May 14 2005, 01:16 PM
Do you have problems accessing this link??
I don't seem to have a problem
http://www.comcast.net/comcast.html

But if I type in their IP address into the address bar I have a problem, it won't load

Yup, either typing it, or clicking on the link, will not let me connect.

Quote from: guestolo on May 14 2005, 01:16 PM
Why don't you set up Comcast email with Outlook Express?
Your decision, but it's a lot easier than going to the site in my opinion

Because I don't trust Microsoft anymore. Also, another great feature of Comcast is that your email does not open your mail without you manually opening it. I am very disgusted with Symantec and Microsoft, so I am eventually switching to Trend Micro for AV, and looking to get a used Apple G4 or G5. When Microsoft comes out with their new OS, which is supposed to be sometime in the fall of this year, I am not even going to think about making a decision to upgrade to the new OS. I don't even care how well they secure their new OS, because this is what they said XP was supposed to be, but look at how many Service Packs they have built so far, and IE is still not secure. Also, if you remember my last virus, do you know what the sad part is about that virus I had? It was already verified in February 2005 by Trend Micro, who knew about this virus, but yet Symantec has no recollection of this virus and they don't have the definitions for it. In addition, when I called them they wanted to charge me a starting rate of 39.95 to remove the virus, and it was not guaranteed. I hope that one day a lot more people start realizing that Norton AV SUCKS, and I hope that Symantec rots in hell.

Quote from: guestolo on May 14 2005, 01:16 PM
Just out of curiousity
Have you applied the Windows updates yet, this may help the situation

Yes I have. I am now running SP2 with the latest updates, though this didn't fix the problem either. What I truly think the problem is, there is something that I have set in Firefox that is causing this problem. I have a lot of restrictions turned on because I am not that experienced in how viruses truly work. So I told Firefox to pretty much block everything except for JavaScript. Could you give some pointers?

10
Tech Clinic / FireFox and Sygate Firewall
« on: May 14, 2005, 11:31:06 AM »
Hi there all,
First off, I'd like to say thank you to guestolo for helping me.
Second, I have a couple of questions about Firefox and installing Sygate Firewall.

Well, my first question is, I have installed Firefox, which I love a whole lot better than IE. My favorite feature that I like about it is the tabbing feature. Anyways, one thing that I can't figure out is, why doesn't the Comcast homepage work with Firefox? When I go there, the status bar keeps swapping between saying "Waiting for www.comcast.net" and "loading page". However, after waiting 10 minutes nothing gets loaded, and there are no errors showing up. At first I thought it was because there was a problem with my Flash plug-in, but I can access all other Flash sites, as well as www.shockwave.com. I only have this problem with the website www.comcast.net, and it sucks because now I can't get my email, because the way I access my email is by logging into the Comcast website. After I have been infected twice within 3 weeks, and the first infection made me have to reinstall everything, I learned my lesson not to use Microsoft Outlook to read my mail anymore.

My next Firefox question is, I wanted to know where the cookies, temp files, and history files get placed when using Firefox?

... and my last question has to do with Sygate Firewall. If I decided to install it, do the network, router, and Norton's need to be disabled prior to installing the Sygate firewall software? Could you explain this to me?

Thanks

11
Tech Clinic / Windows Update
« on: May 13, 2005, 09:57:34 AM »
I retried Windows Update and I still get this error, but I made a copy of the exact phrase for a better explanation

We've made improvements to our website. To download the new version of the software and begin using Windows Update, please click Install Now.

12
Tech Clinic / Windows Update
« on: May 13, 2005, 09:36:27 AM »
Hi there,
I apologize if this is not the correct area to ask this, and I see that so many others here are asking for help removing viruses, which I think comes first, but I couldn't find an area to correctly place my question in. I am taking a best guess that this is the best spot, considering that it also discusses other computer related problems. Otherwise, here is my question

I don't want to make a long story, so to make it short but still to the point, I will briefly explain my situation. First off, when Windows XP SP2 was released in the United States, I immediately followed the procedures needed in order to run the new service pack on my system. About 2 weeks ago, I think someone hacked into my computer and installed a rootkit. I asked almost everywhere except for here what I should do, and they all basically said that it would be less headache work to run a system recovery than to scrutinize the problem. So I did. However, a week later, and before I got a chance to re-update my computer, I got another huge virus. This time I got some help from an expert in this forum who I think is the god of virus killers. Anywho, though this has nothing to do with my question, I thought I'd mention my story before anybody comes here and laughs at me because my computer is so behind in updates.

Now to the point of my question. I am now ready to start updating my computer, but in doing so, and I guess because I am so behind, when I went to the Windows Update site it said that they have updated their site and before you continue, Windows Update needs to update your system. When you are ready to continue, please click on the Install Now button. And that is all it said. It didn't say what it was going to install. I was afraid to click on the install button because, for its poor description, I was afraid that it was just going to install SP2. However, so that my computer doesn't crash, it is critical that I install SP1 first so that I can run the updates from my computer manufacturer prior to installing SP2. This is because the manufacturer updates require SP1, and at their site it is in bold print to download and install these updates prior to installing SP2.

So my question is, what is this installment that they say I need to install before continuing through the Windows Update site? The last time I went to Windows Update, it used to just scan my computer and then I could put a check mark on the downloads that I wanted to download, but this didn't do that. Meaning, I thought it was going to first scan my computer and then provide a check box for the installment of SP1, but this isn't what happened. It just said Install Now. Should I just do a search on the Microsoft website for the SP1 download, or aren't I supposed to use Windows Update to get SP1?

13
Tech Clinic / Removing Adware Threats
« on: May 12, 2005, 12:37:00 PM »
Not sure if I am allowed to mention anything, but I'd like to give some pointers.

First off, your fresh HijackThis log looks like it did delete the
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe etc...

However, remember this: what guestolo was trying to say is, the file that he mentioned needs to be deleted upon reboot, which means that this file will not delete until you reboot the computer. So it is very important that you reboot the computer.

Second. While posting in here and while this virus is still running, you can get infected with more viruses, especially if it is a backdoor virus. So a little trick that I figured out is, if the virus is a startup file, you can disable it in msconfig. HOWEVER, make sure that it is enabled when you run HijackThis. The reason why is because HijackThis won't see it. Or at least this is what happened to me. I ran a HijackThis log, and I didn't see the startup file in the log, but when I enabled the file again and rebooted, it popped up again.

Anyways, if you're not sure which one is the virus, and/or you don't know how to use msconfig, then it is not recommended to play with msconfig. You could accidentally disable your anti-virus program. Though it is a good tool to learn how to use. Also, if you do know what you're doing with msconfig, and the virus is blocking you from running msconfig, then try rebooting in safe mode and then disable the virus in msconfig and then reboot.

14
Tech Clinic / Seems to be similar to the daosearch
« on: May 12, 2005, 09:23:42 AM »
Hi guestolo,
Quote
Just to double check, can you open Hijackthis>>Open Misc tools section>>Open Host manager>> ...
Sure, no problem, though I don't know what these are, but here it is...

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


Quote
Is your version of Windows Legit??
Why so far behind on Windows Updates???

Yes it is. The reason is, I used to have SP2 running, but I wasn't sure if it was because someone installed a rootkit or what, but my available memory had dropped to 150MB of RAM and my system became unstable. The weird part was I was running SP2 since the day it was available for download up until 2 weeks ago, when my memory had dropped dramatically from 325MB to 150MB. When this happened I posted my question in Google, and all the people who replied back could say was, run a scan with Norton and then run a scan with Ad-Aware. Nothing was resolved, so I asked my manufacturer and they said to do a system recovery. Then when this virus happened I posted back in Google and they said to format the hard drive. They didn't even ask any questions about what was going on or give any thought to it. I thought this was really ridiculous and I really didn't want to reformat my hard drive again. So I did a lot of investigation on this before even thinking of formatting the hard drive, and I thank God I found this site, and I also thank you for helping me. That's why I said such a long thank you to you, because of the experiences I had gone through. Especially with the company Symantec. They wanted to charge me a starting rate of $39.95 to remove the virus, when I demanded that I should get help because your damn program does not detect this virus.

I swear that it is these AV companies who are building these viruses, and then they say that they come up with a fix by charging you 39.95 every year so that you can download their patches. I am thinking of going back to my old program PC-cillin from Trend Micro considering that Norton's does not have the troj_small.yh virus definition. If it did, it would have got rid of most of this infection and then all I had to do is delete the svchost virus, like you showed me how to do.

Also, you wouldn't have any recommendations for a firewall software after I upgrade my system back to SP2, would you? I was told that the Windows SP2 firewall is too standard, and it isn't the greatest program. Though I do have a Linksys firewall router, I also like to have a software version as well. And another thing, what do you recommend as a browser? I am never using IE again, and I hear good and bad things about Mozilla but what do you think of it? Do you think I should use Netscape instead?

15
Tech Clinic / Seems to be similar to the daosearch
« on: May 11, 2005, 11:42:08 PM »
Well, I haven't checked if I can go to the Trend Micro page with any misleading links as of yet, but doing your procedure and looking at the fresh HijackThis log, it seems that everything has been cleared. Anywho, here is my latest HijackThis log....

Logfile of HijackThis v1.99.1
Scan saved at 12:22:27 AM, on 5/12/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

... and thank you very, very, very, very much!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! :D
I am happy now and maybe I can actually get some sleep tonight considering that I haven't slept in 2 days. Also I will keep a watch out if you think or know that we are not done, as well as checking out if there are other suspicious clues, if there are any. Thanks again

16
Tech Clinic / Seems to be similar to the daosearch
« on: May 11, 2005, 10:01:05 PM »
Hi there,
Should I just try to follow one of the other posts that were posted through this forum on the topic of the daosearch virus? I have read at least 7 threads in here and all of them that I noticed were told to do something different. Meaning, not all of them just said go to so-and-so site, do a scan and come back and post it. Each and every one seemed to have different answers, so I wasn't sure which one to choose from, and I don't think mine is exactly the same. I just mean that the daosearch virus pattern seems to be similar to what I have gone through. Also remember that I have already deleted 16 viruses, so maybe that's what is confusing you. If so, all I can say is that out of all the scans I have done and deleting the infected files, the Trend Micro encyclopedia entry on the virus troj_small.yh was exactly what I was getting. If you're not sure what this does, I have posted a link to Trend Micro's encyclopedia on this topic in my original post in this thread. The problem though is it also says that this type of virus also allows the attacker to add more viruses besides the troj_small.yh virus. And I believe that's where I am at as of right now.

17
Tech Clinic / Seems to be similar to the daosearch
« on: May 11, 2005, 02:37:37 PM »
Ok guys, like I said I would, here is my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 3:26:01 PM, on 5/11/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\Services\{EF4CF5BD-C167-4842-8865-DE6703B2B0E3}\SVCHOST.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{EF4CF5BD-C167-4842-8865-DE6703B2B0E3}\SVCHOST.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

18
Tech Clinic / Seems to be similar to the daosearch
« on: May 11, 2005, 11:28:56 AM »
Hi there all,
I have been infected with 16 viruses that have been resolved so far, but there are more on my system. I have found these viruses through Norton AV, which I have on my system, which had found 12 small viruses, and I also tried the sample online virus scan from Trend Micro which found 4 serious viruses. I think what Norton found was some older viruses that I had through the past week, which was nothing compared to what Trend Micro found. Trend Micro found 4 viruses called troj_small.yh which you can find at http://www.trendmicro.com/vinfo/virusencyc...e=TROJ_SMALL.YH

Doing a search in this forum, this virus that I have seems similar to what the daosearch was doing. Also, I know I am still infected because every time I change my homepage back to where I want it, the virus still changes the web site to its viral website. In addition it blocks me from doing online virus scans by redirecting me to its viral site as well. Also I at least know of this one virus that is redirecting me. It is called SVCHOST.EXE. Yeah I know, svchost is a necessary file for Windows but it also can be a virus. How do I know? By disabling it in msconfig, and I also sent the file to be scanned at www.virustotal.com. If you don't know what this site does, it allows you to send single files one at a time to be scanned with 18 popular AV companies such as McAfee, Panda, AntiVir, BitDefender, Norton, and many more. After doing this scan some of them found that this file is a virus, and some of them didn't. However, of the sites that did find this as a virus, by going to their sites, they all said that they have no information as of yet on how to resolve this issue, but they are working very hard on this matter.

Also doing a HijackThis scan, which finds the redirect site log, doesn't completely remove it. Meaning it just comes right back after you restart. I am going to do another HijackThis scan and post it in here later, but for now here is what it looks like in msconfig

Startup item: SVCHOST.EXE; Command:C:\WINDOWS\system32\Services\{EF4CF5BD-C167-4842-8865-DE6703B2B0E3}\SVCHOST.EXE

... and the location doesn't point to its true registry because I have disabled it. So I don't know exactly where it is until I re-enable it

and BTW, there are 3 files in this folder...
1. SVCHOST.EXE
2. SVCHOST.DLL
3. SVCHOST32.DLL
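The posts above turn on three things a responder would check by hand: a second SVCHOST.EXE living under C:\WINDOWS\System32\Services\{EF4CF5BD-...} in both the process list and a Run key, a Run entry that launches a .vbs rather than an executable, and an IE start page pointing at a site the user never chose, plus the hosts file that can silently block or redirect online scanners. The script below is an added example written for this thread; it is not HijackThis code and was not posted by anyone in the forum. It assumes an allow-list of start-page hosts (www.google.com and www.trendmicro.com are placeholders) and treats the stock Windows XP hosts file, whose only entry is localhost, as the clean baseline. The log excerpt is taken from the log posted above; the tampered hosts file is constructed.

```python
"""Triage helper for a HijackThis log and a Windows hosts file.

Added example for this thread; it is neither HijackThis's own code nor anything
the forum posted. It flags an svchost.exe outside %SystemRoot%\\System32, a Run
entry that starts a script instead of an executable, an IE start page on an
unexpected host, and hosts-file lines that could block or redirect a scanner.
"""
import re
from dataclasses import dataclass

# The real svchost.exe lives only here (compared case-insensitively).
ALLOWED_SVCHOST_DIRS = {r"c:\windows\system32"}
SCRIPT_EXTENSIONS = (".vbs", ".js", ".bat", ".cmd", ".wsf")
# Assumption: the home pages the user actually set; anything else is reported.
ALLOWED_START_HOSTS = {"www.google.com", "www.trendmicro.com"}

# First drive-letter path in a log line, quoted or not, ending at a known extension.
_PATH_RE = re.compile(r"[a-zA-Z]:\\.*?\.(?:exe|dll|vbs|js|bat|cmd|wsf)\b", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str   # "svchost_path", "script_autorun" or "startpage_hijack"
    line: str   # the log line that triggered it


def _first_path(text):
    m = _PATH_RE.search(text)
    return m.group(0) if m else None


def analyze_hijackthis(log_text, allowed_start_hosts=ALLOWED_START_HOSTS):
    """Return a list of Finding objects for the suspicious lines in a HijackThis log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes or line.startswith("O4 -"):
            path = _first_path(line)
            if path is None:              # e.g. RUNDLL32 entries or "= ?"
                continue
            folder, _, name = path.rpartition("\\")
            if name.lower() == "svchost.exe" and folder.lower() not in ALLOWED_SVCHOST_DIRS:
                findings.append(Finding("svchost_path", line))
            if line.startswith("O4 -") and name.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append(Finding("script_autorun", line))
        elif line.startswith(("R0 -", "R1 -")):
            m = re.search(r"https?://([^/\s]+)", line)
            if m and m.group(1).lower() not in allowed_start_hosts:
                findings.append(Finding("startpage_hijack", line))
    return findings


def hosts_overrides(hosts_text):
    """Return (ip, hostname) pairs from a hosts file other than the localhost line.
    A stock Windows XP hosts file (like the one posted above) yields an empty list."""
    overrides = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        ip, *names = line.split()
        overrides.extend((ip, n) for n in names if n.lower() != "localhost")
    return overrides


# Excerpt of the log posted in this thread (shortened to the relevant lines).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP  (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Services\{EF4CF5BD-C167-4842-8865-DE6703B2B0E3}\SVCHOST.EXE
C:\WINDOWS\System32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{EF4CF5BD-C167-4842-8865-DE6703B2B0E3}\SVCHOST.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
"""

# Constructed hosts file with two tampered lines (not from the thread).
TAMPERED_HOSTS = """# hosts file
127.0.0.1       localhost
127.0.0.1       housecall.trendmicro.com   # scanner silently blocked
10.0.0.1        www.virustotal.com         # placeholder redirect address
"""

if __name__ == "__main__":
    for f in analyze_hijackthis(SAMPLE_LOG):
        print(f"{f.kind:18} {f.line}")
    for ip, name in hosts_overrides(TAMPERED_HOSTS):
        print(f"hosts override     {name} -> {ip}")
```

Run against the excerpt it reports the rogue SVCHOST.EXE twice (once as a running process, once as the "Service Host" Run entry), the server.vbs autorun, and the clicksearchclick.com start page, while the two genuine svchost.exe lines in System32 pass. The hosts check is the reason to look at that file even when it appears clean: a 127.0.0.1 entry for a scanner's hostname produces exactly the "can't reach the online scan" symptom described above, and a non-loopback entry is a redirect.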
