
Thread: 7 new Spyware programs and I still have a virus

  1. #16
    Ultimate Member
    Join Date
    Oct 2002
    Location
    Jersey, UK
    Posts
    1,850
    Originally posted by Sterling_Aug
    Hmmm, this is why I BANNED my kids from going to Kazaa and all of the other P2P file sharing programs.

    If they infect their systems after I told them not to do something, then they wait a week before I fix it.
    I did the same for my dad

  2. #17
    Ultimate Member Strawbs's Avatar
    Join Date
    Sep 2001
    Posts
    4,706
    My daughter d\l'ed 2 infected files from Kazaa 2 weeks ago, I only found out when I checked NAV's history last week and saw they had been quarantined! They didn't get to infect anything but I still gave her a good talking to, as they might have escaped detection and worked their way down the pipe to my box! If it happens again, my next move will be to withdraw all net activity for at least 2 weeks, and if again after that, she will be anti-surfing for a month. She's 17yrs old and loves those crappy teen sites too, but she's learning fast that the internet has some very bad ppl using tools that go beyond just placing cookies on your computer! The theft of one's ID can result in false charges being laid at your door, with no effective way to prove you didn't do something! Even if you do manage to prove your innocence ...there's usually no smoke without fire, right? I think that all kids should be taught the basics in computing security, because one day they will have their own computer in their own place and will need the know-how to protect themselves from all kinds of online threats.

    Personally ..if I ever suspect a virus or spyware - even after scanning - and it impacts system performance, if I can't source the root of the problem after a couple of days, I usually wipe the drive and clean install, because I don't fully trust AV fixes to purge everything installed by the virus. I always keep my data on a separate partition to the OS and back up to a separate drive.

  3. #18
    Member skytop's Avatar
    Join Date
    Jan 2002
    Posts
    277
    Bill:

    Don't believe anything is mangled but far from ideal. Slowly am making progress. Not such a knowledgeable user as I thought. So much new stuff and new areas to become familiar with.

    I was apprised by Google of a very useful program used to assist in seeing what is really loaded :

    Check out "HijackThis"
    http://www.soft32.com/download-HijackThis-19015-5.html

    I have found about 7 items on my machine that look very suspicious but I just do not have a clue as to whether to eliminate them. Remarkable amount of installed stuff on my machine that I never saw before. Ever use it?

  4. #19
    Extreme Member! BipolarBill's Avatar
    Join Date
    Oct 2000
    Location
    Norton Noo Joisey
    Posts
    41,522
    All the time. In your case, I'd be careful. After all, you thought that AVG was bad. Until you can tell the difference, tread lightly.
    MS MCP, MCSE

  5. #20
    Member skytop's Avatar
    Join Date
    Jan 2002
    Posts
    277

    New worm in Email doesn't need an attachment

    Now just previewing an email can be infectious according to this 'Business News Factor' article :

    A handful of Bagle worm variants are attacking Windows users with an insidious new twist: They can infect computers without tricking them into opening a file attachment -- opening an e-mail is all it takes.

    The passel of new worms sport a virtual alphabet soup of labels: "Bagle.q," "Bagle.r," "Bagle.s" and "Bagle.t." Some security firms have dubbed the new variants "beagle." They are mutations of the original Bagle worm first discovered in January.

    Bagle exploits a flaw in Outlook, revealed in October of 2003, that allows a hacker to upload and execute a file on a user's PC without that user opening the file. Microsoft (Nasdaq: MSFT - news) issued a patch for the flaw in October, but users who have not updated their systems with this patch are at risk.

    The e-mails carrying the new Bagle variants do not have attachments. Experts speculate that the virus writers developed this non-attachment technique to bypass a common firewall technique called "gateway scanning," which intercepts any e-mail with an attachment.

    When a user opens an e-mail carrying one of these new Bagle variants, the e-mail "goes back out to the Internet and tries to find a certain server that has the Bagle executable on it and bring it down through HTTP," Belthoff said.

    This is a two-step process, he explained. First, the carrier e-mail connects through Port 81 to the host server, and opens up a maliciously coded HTML file. Then, a Visual Basic Script (VBS) file is sent to the victim's machine, which connects to the same server and downloads the virus via HTTP.

  6. #21
    Extreme Member! BipolarBill's Avatar
    Join Date
    Oct 2000
    Location
    Norton Noo Joisey
    Posts
    41,522
    There's no substitute for an updated AV program.
    MS MCP, MCSE

  7. #22
    Member skytop's Avatar
    Join Date
    Jan 2002
    Posts
    277

    From HijackThis

    Bill: These are the suspicious 8 items I cannot recognize. Please, do you see anything that could be the source of a problem?

    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll

    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

  8. #23
    Ultimate Member Strawbs's Avatar
    Join Date
    Sep 2001
    Posts
    4,706

    Re: From HijackThis

    Originally posted by skytop


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

    These 2 items are nVidia related and are fine! The rest I cannot be sure about, but others may know them!

    Try entering the others into Google one by one and search for results!

  9. #24
    I got pie!!! Ammok's Avatar
    Join Date
    Dec 2001
    Location
    Stoke.UK
    Posts
    4,589
    Do a search for a file called hosts

    Open it with Notepad

    If you see entries like

    192.23.145.20 www.hijackedsearch.com

    or whatever, I made that line up

    Delete them all and save the file, so that it looks exactly like this

    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
    Life is a bowl of cherries
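The check Ammok describes above (open the hosts file, look for any line that points a host name somewhere other than the machine itself, delete it) can be automated. The script below is an added example, not code from the thread or from any tool mentioned in it: it parses a hosts file, flags every active mapping whose address is routable (neither loopback nor 0.0.0.0, so blocklist-style sinkhole entries are left alone), and produces a cleaned copy that keeps the stock comment header and the localhost lines untouched. The sample file is constructed for the example and reuses the made-up hijack line from the post; on a real machine the file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress

# Constructed sample hosts file: the default Microsoft comment header, the loopback
# lines, a blocklist-style sinkhole entry, and one hijack entry (the thread's own
# made-up example line). Real files live at %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# For example:
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid     # sinkhole from a blocklist: harmless
192.23.145.20   www.hijackedsearch.com  # made-up hijack line from the thread
127.0.0.1       ads.example.invalid
"""


def parse_hosts(text):
    """Yield (line_no, ip_str, hostnames, raw_line) for every active mapping line.
    Comment-only and blank lines are skipped; trailing '#' comments are dropped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        active = raw.split("#", 1)[0].strip()
        if not active:
            continue
        fields = active.split()
        yield line_no, fields[0], fields[1:], raw


def classify(ip_str):
    """Loopback and unspecified addresses are the only ones a stock Windows hosts
    file (or an ad blocklist) uses; anything routable redirects the name elsewhere."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return "malformed"
    if addr.is_loopback or addr.is_unspecified:
        return "ok"
    return "hijack"


def find_hijacked_entries(text):
    """Return [(line_no, ip, hostnames)] for lines that send a name to a routable address."""
    return [(n, ip, hosts) for n, ip, hosts, _ in parse_hosts(text) if classify(ip) == "hijack"]


def clean_hosts(text):
    """Return the file with hijacked and malformed lines removed; comments, blanks and
    loopback/sinkhole mappings are kept byte-for-byte so the result still looks stock."""
    bad = {n for n, ip, _, _ in parse_hosts(text) if classify(ip) != "ok"}
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, ip, hosts in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {', '.join(hosts)}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Running it prints the one redirected entry and then the cleaned file; to apply it to a real system, read the hosts file into `clean_hosts` and write the result back with administrator rights, after checking the flagged lines by eye as the post suggests.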

  10. #25
    Extreme Member! BipolarBill's Avatar
    Join Date
    Oct 2000
    Location
    Norton Noo Joisey
    Posts
    41,522
    Leave EXCEL, Nwiz and NVStartup alone. "Fix" the rest.
    MS MCP, MCSE
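The triage that #23 and #25 do by hand on skytop's list from #22 (vouch for the nVidia and Excel entries, flag the rest for research) can be written down as a small HijackThis log parser. This is an added example, not HijackThis code or anything from the thread: it splits O2, O4 and O8 lines into section, name and target, checks names against a hypothetical allowlist seeded only with the entries the thread vouches for, and flags an unnamed BHO loading a DLL as suspicious; everything else is reported as unknown, to be looked up one by one before "fixing". The sample log reproduces the lines posted in #22.

```python
import re

# Constructed sample: the entries skytop posted in this thread, as a HijackThis-style
# log. The section codes are HijackThis's own: O2 = browser helper objects,
# O4 = autorun registry keys, O8 = Internet Explorer context menu items.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd.dll
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
"""

# Hypothetical allowlist, seeded only with the items the thread vouches for (nVidia
# display driver autoruns and the Office Excel context menu). It grows as each
# unknown entry is researched and confirmed.
KNOWN_GOOD = {
    "nvcpldaemon": "nVidia display driver (NvCpl.dll,NvStartup)",
    "nwiz": "nVidia nView desktop manager",
    "e&xport to microsoft excel": "Microsoft Office Excel context menu item",
}

PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<target>.+)$"),
    "O8": re.compile(r"^O8 - Extra context menu item: (?P<name>.+?) - (?P<target>.+)$"),
}


def parse_log(text):
    """Turn HijackThis lines into dicts with section, name, target and (for BHOs) clsid.
    Lines from sections this parser does not know are kept with section 'unparsed'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line[:2]
        pattern = PATTERNS.get(section)
        match = pattern.match(line) if pattern else None
        if not match:
            entries.append({"section": "unparsed", "name": line, "target": "", "clsid": ""})
            continue
        d = match.groupdict()
        entries.append({"section": section, "name": d["name"],
                        "target": d["target"], "clsid": d.get("clsid", "")})
    return entries


def verdict(entry):
    """Triage rule: allowlisted names are known-good; a BHO with no name is the classic
    adware pattern and is flagged; everything else is unknown and should be researched
    (as #23 advises) before it is fixed."""
    key = entry["name"].lower()
    if key in KNOWN_GOOD:
        return "known-good: " + KNOWN_GOOD[key]
    if entry["section"] == "O2" and entry["name"] == "(no name)":
        return "suspicious: unnamed BHO"
    return "unknown: research before fixing"


def triage(text):
    """Return the parsed entries with a verdict attached to each."""
    return [dict(e, verdict=verdict(e)) for e in parse_log(text)]


def needs_research(text):
    """Names that are neither allowlisted nor already flagged."""
    return [e["name"] for e in triage(text) if e["verdict"].startswith("unknown")]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['section']:<3} {e['name']:<30} {e['verdict']}")
```

The point of keeping the allowlist tiny is that the verdict "known-good" is only ever as trustworthy as the research behind each entry; an unknown name is a prompt to look it up, not a reason to delete it.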

  11. #26
    Member skytop's Avatar
    Join Date
    Jan 2002
    Posts
    277
    Thanks!

  12. #27
    Member skytop's Avatar
    Join Date
    Jan 2002
    Posts
    277
    Just got machine back together and on line after 5 day period.

    In the middle of everything, my #4 mirror drive went south. You should have heard the banging the head was making! Called up Western Digital on Monday and was informed that the noise was due to oxide build up on the read/write head that made it unable to read the disc's magnetic data any longer. Head was blindly seeking and was smacking into the stops as it sailed left and right looking for data. They know about this.

    They warrantied the drive after two months of use. Just got it back, had the High Point BIOS rewrite the new drive to clone the hdd0 drive. Very pleased with Digital's handling of the problem.

    I 'fixed' the entries that Bill suggested but am still suffering the keystroke delays and system delays. Running 5 spywares but to no avail.

    Rats!

  13. #28
    Member
    Join Date
    Aug 2000
    Posts
    149
    You might try posting your hijack this results here

  14. #29
    Member
    Join Date
    Oct 1999
    Location
    Indiana
    Posts
    331
    There are new variants out that the anti-spyware apps haven't been upgraded to catch yet. I religiously keep Spybot S&D updated along with SpywareBlaster and I just went thru cleaning out a new variant of the Transponder BHO. I had the BI and the VX2 variants. The BI is a new release. The @#$!* company that is doing it is at abetterinternet.com.

    After all the cleaning, I downloaded and ran AdAware and it found more junk. Details are here: Transponder

    Btw, anti-virus software isn't designed to catch this stuff.

    Edited: I began having popups in spite of PopUp Dummy running, then StartUp Monitor gave a warning about belt.exe wanting to write to the registry. StartUp Monitor is here: StartUp Monitor
    Last edited by custer; 03-29-2004 at 12:30 AM.

  15. #30
    I got pie!!! Ammok's Avatar
    Join Date
    Dec 2001
    Location
    Stoke.UK
    Posts
    4,589
    you should use mozilla, or firebird or firefox, anything but IE6.
    Life is a bowl of cherries
