Need help! (spyware related)

Discussion in 'System Security & Infection Support' started by ATCQ, Sep 25, 2006.

  1. ATCQ

    ATCQ Naughty By Nature

    Joined:
    Oct 20, 2004
    Messages:
    16
    Likes Received:
    0
    Location:
    Southern Cal
    OK, I installed a router last night and since then I've been hearing random music playing from time to time. It sounds like a Yahoo online radio broadcast. None of my media players are on, all messengers are exited out of, and I don't know what it is, but it's annoying.

    My 2nd problem is ads popping up randomly. It's ads that say a trojan has been detected and it wants me to install a software: WinAntivirus Pro 2006. It sucks. You can hear that clicking sound in the background when you're on a page, like if a popup wants to come on. I tried Ad-Aware, CCleaner and a virus scan, and I clear what they say to clear and it doesn't do jack. What's up with my PC? What can I do to find out what it might be?
     
    ATCQ, Sep 25, 2006
    #1
  2. ATCQ

    TheOneGreatX VIP Member

    Joined:
    Apr 27, 2004
    Messages:
    1,276
    Likes Received:
    16
    Location:
    US
    Have you tried restarting? Also try doing scans in safe mode (press F8 when your computer is turning on).
     
    TheOneGreatX, Sep 25, 2006
    #2
  3. ATCQ

    Codex85 Mouse Potato VIP Member

    Joined:
    Apr 19, 2005
    Messages:
    776
    Likes Received:
    18
    Location:
    US
    You might also download and run HijackThis and post your log. There are a few people here who enjoy poring through those. ;)
     
    Codex85, Sep 25, 2006
    #3
  4. ATCQ

    TheOneGreatX VIP Member

    Joined:
    Apr 27, 2004
    Messages:
    1,276
    Likes Received:
    16
    Location:
    US
    Really? Who? ;)
    But, posting a log is actually a really good idea.
     
    TheOneGreatX, Sep 25, 2006
    #4
  5. ATCQ

    Zeus Moderator

    Joined:
    Jun 20, 2005
    Messages:
    2,006
    Likes Received:
    33
    Location:
    Virginia

    I do. It keeps me on my toes, more practice if you will.
     
    Zeus, Sep 26, 2006
    #5
  6. ATCQ

    ATCQ Naughty By Nature

    Joined:
    Oct 20, 2004
    Messages:
    16
    Likes Received:
    0
    Location:
    Southern Cal
    Logfile of HijackThis v1.99.1
    Scan saved at 10:32:41 AM, on 9/26/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\DOCUME~1\XXXX\LOCALS~1\Temp\200681494251_mcinfo.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\360UNI~1\XBDocker.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\AIM\aim.exe
    C:\Documents and Settings\XXXX\Desktop\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nfl.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    O2 - BHO: (no name) - {A9254E95-00F6-4E0D-A976-182FEE873A0D} - C:\WINDOWS\system32\joylib.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\XXXX\LOCALS~1\Temp\200681494251_mcinfo.exe /insfin
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [XBDocker] C:\PROGRA~1\360UNI~1\XBDocker.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: joylib - C:\WINDOWS\SYSTEM32\joylib.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
    O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
    ATCQ, Sep 26, 2006
    #6
  7. ATCQ

    Codex85 Mouse Potato VIP Member

    Joined:
    Apr 19, 2005
    Messages:
    776
    Likes Received:
    18
    Location:
    US
    I'm not seeing anything suspicious. A few things that you could do without, but nothing sinister.

    Zeus, you're up. :)
     
    Codex85, Sep 26, 2006
    #7
  8. ATCQ

    Zeus Moderator

    Joined:
    Jun 20, 2005
    Messages:
    2,006
    Likes Received:
    33
    Location:
    Virginia
    Well, you have a couple of dead links that can go away, but they aren't your problem:


    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)


    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)


    And here are a couple that I don't know what they are. I don't have time to google them for you either.

    C:\PROGRA~1\360UNI~1\XBDocker.exe

    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\XXXX\LOCALS~1\Temp\200681494251_mcinfo.exe /insfin

    O4 - HKLM\..\Run: [XBDocker] C:\PROGRA~1\360UNI~1\XBDocker.exe


    O20 - Winlogon Notify: joylib - C:\WINDOWS\SYSTEM32\joylib.dll
     
    Zeus, Sep 27, 2006
    #8
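The kind of first pass Zeus does by eye above can be scripted. The following is an added example, not code from the thread or from HijackThis: it reads entries in the HijackThis log format and flags the three things worth a second look in this log (dead links, autoruns launched from a Temp directory, Winlogon Notify DLLs outside an assumed baseline), and cross-references files that appear in more than one section. The excerpt and the `KNOWN_WINLOGON_NOTIFY` baseline are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt, in HijackThis log format, of the entries discussed in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A9254E95-00F6-4E0D-A976-182FEE873A0D} - C:\WINDOWS\system32\joylib.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\XXXX\LOCALS~1\Temp\200681494251_mcinfo.exe /insfin
O4 - HKLM\..\Run: [XBDocker] C:\PROGRA~1\360UNI~1\XBDocker.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: joylib - C:\WINDOWS\SYSTEM32\joylib.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Assumed baseline of Winlogon Notify names considered expected on this box (illustrative only).
KNOWN_WINLOGON_NOTIFY = {"igfxcui", "WgaLogon"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path ending in a binary extension; arguments and "(file missing)" are left behind.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys))", re.IGNORECASE)


def parse(log_text):
    """Return (section, rest_of_line, path_or_None) for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            section, rest = m.groups()
            p = PATH_RE.search(rest)
            entries.append((section, rest, p.group(1) if p else None))
    return entries


def triage(log_text, known_notify=KNOWN_WINLOGON_NOTIFY):
    """Return (kind, section, path) findings; order follows the log, cross-references last."""
    findings = []
    seen = defaultdict(set)  # lowercased path -> sections it is registered in
    for section, rest, path in parse(log_text):
        if path:
            seen[path.lower()].add(section)
        if "(file missing)" in rest:
            findings.append(("dead-link", section, path))  # cleanup, not the infection
        elif section == "O4" and path and "\\temp\\" in path.lower():
            findings.append(("autorun-from-temp", section, path))
        elif section == "O20":
            name = rest.split(":", 1)[1].split(" - ")[0].strip()
            if name not in known_notify:
                findings.append(("unknown-winlogon-notify", section, path))
    for path, sections in seen.items():
        if len(sections) > 1:  # one DLL hooked in several places deserves a closer look
            findings.append(("same-file-in-multiple-sections", "+".join(sorted(sections)), path))
    return findings
```

Run against the sample, joylib.dll is reported twice: once as an unlisted Winlogon Notify handler and once because the same DLL is also registered as a BHO, which is the correlation a reader scanning section by section can miss.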
  9. ATCQ

    Crimson Devil's Advocate VIP Member

    Joined:
    Aug 21, 2006
    Messages:
    479
    Likes Received:
    3
    Location:
    Norfolk, VA
    Pop-up issue:
    Easy way to get those off. When you see a pop-up, exit all windows except the pop-up (this is so you don't block the IP that you want to use). Go to the command prompt and type netstat -all. Find the IP connected to your computer via port 80. Go to your router and block that IP. Rinse. Repeat.
     
    Crimson, Sep 27, 2006
    #9
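To make the netstat step above less of a guessing game, the owning process can be read off the same output. This is an added example, not from the post: it assumes `netstat -ano` style output (a PID column, available on Windows XP), keeps only established TCP connections to web ports, and groups the remote hosts by the local process that opened them, so the program behind the pop-ups can be identified rather than just one of its servers. The sample output uses constructed documentation addresses.

```python
# Constructed sample of `netstat -ano` output (documentation-range IPs, invented PIDs).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.101:1042     192.0.2.10:80          ESTABLISHED     1788
  TCP    192.168.1.101:1043     192.0.2.10:80          ESTABLISHED     1788
  TCP    192.168.1.101:1051     198.51.100.7:80        ESTABLISHED     2412
  TCP    192.168.1.101:1060     203.0.113.5:5050       ESTABLISHED     1320
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  UDP    0.0.0.0:445            *:*                                    4
"""


def web_connections_by_pid(netstat_text, ports=(80, 443)):
    """Map PID -> set of remote hosts it holds established TCP connections to on `ports`."""
    by_pid = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        # Skip the header, UDP rows (no state column) and anything not established.
        if len(parts) < 5 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        host, _, port = parts[2].rpartition(":")  # rpartition copes with IPv6 too
        if port.isdigit() and int(port) in ports:
            by_pid.setdefault(int(parts[4]), set()).add(host)
    return by_pid


def most_active_pid(netstat_text, ports=(80, 443)):
    """PID with the most distinct web endpoints, or None when nothing matches."""
    by_pid = web_connections_by_pid(netstat_text, ports)
    return max(by_pid, key=lambda pid: len(by_pid[pid])) if by_pid else None


if __name__ == "__main__":
    for pid, hosts in web_connections_by_pid(SAMPLE_NETSTAT).items():
        print(pid, sorted(hosts))
```

The PID can then be matched against Task Manager or `tasklist` to see which executable owns it; the messenger connection on port 5050 is deliberately left out of the result.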
  10. ATCQ

    Zeus Moderator

    Joined:
    Jun 20, 2005
    Messages:
    2,006
    Likes Received:
    33
    Location:
    Virginia

    I taught him that ;)

    Not really, but it's what I do too (actually I think he gave me that idea). On average I get about 1 pop up (or pup as I like to call them) a week. That's not bad considering my computer is on 24/7 and being used most of that time.
     
    Zeus, Sep 27, 2006
    #10
  11. ATCQ

    Crimson Devil's Advocate VIP Member

    Joined:
    Aug 21, 2006
    Messages:
    479
    Likes Received:
    3
    Location:
    Norfolk, VA
    No, you taught me that just because someone has an open wireless network doesn't mean I can leave "incrimidating" evidence on said network.

    Wait... no. You taught me that just because someone has an open wireless network does mean I can leave "incrimidating" evidence on said network.
    :D:D:D
     
    Crimson, Sep 28, 2006
    #11