devils spyware/virus

Science & Technology Information Technology, Gaming, Machines, Gadgets
1

my comp has been acting really weird last couple of hours:

-cpu usage has increased
-backgroud image dissapeared
-instead of background there this this hyperlink giving me a warning that there s alot of spyware etc and I should buy antispyware programme.

I cant seem to remove it

I cant change the background image either. If I select a new background image the background goes blank.

tried the following:

2 different types of virus scanners. found nothing
ad aware + hitmanpro + spyware blaster, spybot scanned several times but no luck
hijackthis and removed files in save mode but still no good

Every 30-40 minutes mcAfee blocks an infected file.

If I click on the hyperlink I get the following:

 

I havent altered anything.

Hijack this logg:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32
WpTnNEE.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32
WpTnNEE.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32
vsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\DVDREG~2\DVDRegionFree.exe
C:\WINDOWS\System32
otepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\yaqub\Desktop\hijackthis\HijackThis.exe
C:\WINDOWS\System32
otepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM..\Run: [VirusScan Online] “c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe”
O4 - HKLM..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM..\Run: [VSOCheckTask] “c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe” /checktask
O4 - HKLM..\Run: [nWpTnNEE.exe] C:\WINDOWS\system32
WpTnNEE.exe
O4 - HKLM..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [McAfee QuickClean Imonitor] C:\Program Files\McAfee\McAfee QuickClean\Plguni.exe /START
O4 - HKCU..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE”
O4 - HKCU..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1015_EN_XP.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - Redirecting...
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {50AD557E-3426-41FD-AFDD-2AF39BB1C387} - http://akamai.downloadv3.com/binaries/LiveService/LiveService_5_EN_XP.cab
O16 - DPF: {6785FBC7-13AD-4F28-8FB3-1AEA411C03A5} (GSAG.GSAudioControl) - http://gim.gupistan.com/vg/GSAG.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32
vsvc32.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)

yeah WToolsS.exe is missing. I fixed that but it seems its missing again :smack:
There is a new icon on the taskbar warning that my computer is at risk and I should buy antispyware stuff :smiley:

so any ideas guys? :smiley:
I m a novice :smiley:

2

Re: devils spyware/virus

please guys :frowning:

cant anyone help me out here? :smack:

the virus that gets downloaded is: Downloader-YN.dll

3

Re: devils spyware/virus

dunno about the specific trojan - sure seems like a desktop hijacker, but here are a couple of ideas:

  1. did you try disabling system restore before attempting to fix the problem? make sure you do so cuz otherwise, the infected files might be restored everytime you boot your computer.

  2. check your windows/system32 folder for new files that have been created in the last day or so to get an idea of what to remove (in case a manual removal is warranted).

  3. check the services by running services.msc for any anomalies. Typically there are Run services which invoke a malicious batch or an exe file on system startup.

4

Re: devils spyware/virus

DP, I hope this is not the admin account. Create a new user account and login to that account and see if it works ok. If it does dump this account and delete the infected account's profile folder. If it doesn't work and/or this is the admin account then I would suggest doing a backup of important docs and reinstalling the whole computer, format the whole drive first.

I posted an article about rootkits a few weeks back, them being the new potential "viruses". Usually they would not get on your computer, but are installed by some one. But I don't know who uses your PC, plus I'm not privvy to the newest virus technologies out there, so who knows...

5

Re: devils spyware/virus

You should buy antispyware stuff! :D

6

Re: devils spyware/virus

Umar: I will try again after turning system restore
I deleted several files from system32 but somehow the files return. I ll try again.

TB: yeah unfortuntaly its the admins account. I will have one more go at it and if it wont work I ll format the HD after saving data.

Sh3rY: why buy anything from a company that promotes its stuff in this way? :hoonh:
besides that there are plenty good FREE alternatives :stuck_out_tongue:

7

Re: devils spyware/virus

thanks for nothing u no good helpers :stuck_out_tongue:

I figured it out, I ran XP in save mode again. Threw, McAfee, Symantec and Kasper antivirus on it :smiley:
Deleted some files from system32 and several register keys.

Found 9 trojans :halo:

Mehndi Done By...
8

Re: devils spyware/virus

^ LOL DP yaar thats what you should have done in the first place before running hijackthis. Always try and scan your entire drive with the antivirus first. Good that you got rid of the trojans

GS in your life
9

Re: devils spyware/virus

dp's post has tooo much potential :D hint for 5abi and TB

shireen