
Thread: I think i got a worm!

  1. #1
    Junior Member
    Join Date
    Apr 2008
    Posts
    5

    I think i got a worm!

    Ok, hello all (first post here). I hate to think this, but I may have a worm. I lurked on here for a while before joining up, and installed many of the recommended anti-spyware apps (all worked great!), but I noticed Spybot-S&D was asking about weird changes to the registry.

    A little background on why I think I have a worm before I go there. I was torrenting something from TPB the other day (some old movie I have on VHS, really wanted to watch it again, but I don't have a VCR anymore!) and since then, nothing but horrible lag. It takes about 50-70 sec to open Firefox, which used to be practically instant.

    So, I ran virus and spyware scans. I always have a bit of spyware here and there, so I got rid of it. And had no viruses. I always try to be as secure as possible; I have Peer Guardian running 24/7 and have Spybot-S&D running 24/7 as well.

    Well, back to where I was going, I noticed weird blank requests to change the registry. Spybot-S&D said it may be a worm, virus, or spyware, so I denied it. But I used CCleaner, and noticed that there were a lot of registry errors already, as well as new, kind of oddly named entries in the startup list. I removed them (forgot to remember their names XD) but nothing has worked.

    So yeah, my comp is just running horribly slow, and I don't know why! If you need me to run tests or post logs with something, I'll do so. I appreciate all the help you can provide, 'cause I really hate this and want to fix it! I just think it's a worm because what I've looked up about them and their behavior is pretty much what I'm experiencing. No idea what type it is though.

    (Also, further security tips are appreciated too!)

    THANKS!!!

    HijackThis log

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:07:32 PM, on 4/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\CCleaner\ccleaner.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Pidgin\pidgin.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: Shell=explorer.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204526163296
    O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 6881 bytes
    Last edited by goemon4; 04-21-08 at 11:15 PM.

  2. #2
    Second Most EVIL YARDofSTUF's Avatar
    Join Date
    Nov 2000
    Location
    USA
    Posts
    69,992
    F2 - REG:system.ini: Shell=explorer.exe

    Seems like a trace of something left, I don't really see anything else out of the ordinary though.

  3. #3
    Senior Member ghettoside's Avatar
    Join Date
    Mar 2003
    Location
    At Large in the US
    Posts
    5,134
    I agree w/ YoS; likely to be from Aurora sw (nail.exe), a hijacker/malware.

    Remove: F2 - REG:system.ini: Shell=explorer.exe

    Post if it comes back after reboot.
    Quote Originally Posted by Norm

    There are idiots everywhere.

    At work, in forums, in poetry classes, everywhere!

  4. #4
    Junior Member
    Join Date
    Apr 2008
    Posts
    5
    Ok, doing that now. I also deleted and disabled the ctfmon.exe. I checked out info on Spybot S&D and it said it was not the actual file, but a trojan or virus. Should I keep it? (I haven't emptied the trash yet.) I've also read that this leads to a lot of system resources being hogged, and a lot of control problems. But yeah, I'll see if it pops back up. (I'll reboot now.)

    Rebooted, and it didn't come back. Anything else I should do?
    Last edited by goemon4; 04-22-08 at 09:28 PM.

  5. #5
    Senior Member ghettoside's Avatar
    Join Date
    Mar 2003
    Location
    At Large in the US
    Posts
    5,134
    Quote Originally Posted by goemon4
    Ok, doing that now. I also deleted and disabled the ctfmon.exe. I checked out info on Spybot S&D and it said it was not the actual file, but a trojan or virus. Should I keep it? (I haven't emptied the trash yet.) I've also read that this leads to a lot of system resources being hogged, and a lot of control problems. But yeah, I'll see if it pops back up. (I'll reboot now.)

    Rebooted, and it didn't come back. Anything else I should do?
    So how is your rig running, does it seem better?

    ctfmon.exe is part of MSOffice; once you start an Office app it keeps running. You can prevent it from running, see MSKB.

    As to whether or not yours is a virus/malware, where was the file located? It should be in windows/system32... if it's in a sub folder it's a virus. More info here.

    I suggest you defrag your hdd too.
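    The check ghettoside describes above (a component such as ctfmon.exe belongs in system32; the same name in a sub folder is suspect), together with YARDofSTUF's point that the leftover F2 Shell= line is worth removing, as an added example that is not part of the thread: a small Python triage of HijackThis O4 and F2 lines. The lines in SAMPLE_LOG are constructed for this example (the last one is a deliberately misplaced ctfmon.exe), and EXPECTED_DIR is an illustrative list, not a complete reference.

```python
import re
from pathlib import PureWindowsPath

# Where a few Windows components are expected to live. Illustrative list chosen
# for this example (an assumption, not an exhaustive reference); extend it for real triage.
EXPECTED_DIR = {
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
}

O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
F2_RE = re.compile(r'^F2 - REG:system\.ini: Shell=(?P<shell>.*)$')


def extract_exe(cmd):
    """Return the executable path from a Run value; handles quoted paths and /switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    # Unquoted: the path ends at the first " /switch" (or at end of line).
    return re.split(r"\s+/", cmd, maxsplit=1)[0]


def triage(log_text):
    """Return (section, value, reason) tuples for HijackThis lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = F2_RE.match(line)
        if m:
            shell = m.group("shell").strip()
            if shell.lower() != "explorer.exe":
                findings.append(("F2", shell, "system.ini Shell= is not explorer.exe"))
            else:
                # The value is harmless, but the override itself is a leftover worth removing.
                findings.append(("F2", shell, "system.ini Shell= override present"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = extract_exe(m.group("cmd"))
            p = PureWindowsPath(exe)
            expected = EXPECTED_DIR.get(p.name.lower())
            if expected and str(p.parent).lower() != expected:
                findings.append(("O4", exe, f"{p.name} outside {expected}"))
    return findings


# Constructed sample: four lines modelled on the thread's log plus one deliberately
# misplaced ctfmon.exe (the case described in post #5).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\drivers\ctfmon.exe
"""

if __name__ == "__main__":
    for section, value, reason in triage(SAMPLE_LOG):
        print(f"{section}: {value} -> {reason}")
```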

  6. #6
    Junior Member
    Join Date
    Apr 2008
    Posts
    5
    Well, it was in the system32 folder, but I don't have MSOffice installed, and never have. My comp is still running like crap though. It's better, but still slow! I've been running spyware and virus checks all night (while I sleep) and nothing is showing up. Windows Defender isn't picking anything up either.

    And the defragmenter says I don't need to defragment it (but I'll run it anyway). Should I actually buy some security software? Since I'm relying on freeware as of now, and just don't think it's properly protecting me.

    Also, I just got an error about DrWatson Postmortem Debugger, what is this?!

  7. #7
    Second Most EVIL YARDofSTUF's Avatar
    Join Date
    Nov 2000
    Location
    USA
    Posts
    69,992
    Which scanners have you used so far?

  8. #8
    Junior Member
    Join Date
    Apr 2008
    Posts
    5
    For viruses
    Avg's free one
    and kaspersky online virus scanner

    For spyware
    Spybot S&D
    Avg's free one
    Ad-Aware
    and SpywareBlaster

    Not much else IIRC. But nothing other than that, oh except AVG's rootkit checker.

  9. #9
    Senior Member ghettoside's Avatar
    Join Date
    Mar 2003
    Location
    At Large in the US
    Posts
    5,134
    Try the online scan of Webroot Spy Sweeper.

    Imho, the best commercial anti-spyware. If you can afford to buy the app, I say buy it. I've used it on removal jobs and a few times it's caught trojans that got past av (Norton and McAfee).

    I've never tried the online scan since I have the app. A tip: there are settings to scan for rootkits... you have to set it for that, it is not enabled by default.

    I'd also run RootkitRevealer.

    If you're gonna move away from freeware av, then I recommend Nod32.

    I was a die hard Norton man until a couple years ago when Stonecat converted me to Nod. I love Nod, works great. It's easy on your sys resources too.

    Also run CrapCleaner.

    fyi, I run Nod32, spyware blaster, spybot. I never have a problem. I have Webroot spysweeper installed and keep it updated, but I don't use the real time protection, I only run manual scans. You might wanna use the real time since you like P2P, torrents.

    If you get Nod32, uninstall any other anti-virus.

    Imho, I don't like AVG. Lots of folks I respect here do use it tho.

  10. #10
    Junior Member
    Join Date
    Apr 2008
    Posts
    5
    Idk, this stuff is pretty pricey. I HATE!!! (like really hate) Norton and McAfee; I've had both on previous comps, and the problems... And yeah, AVG is good if you pay for it (from what I hear). I'm thinking of trying that since it has everything for 60 bucks (anti-spyware, rootkit, virus etc). Yes I am that cheap, lol, but Nod looks nice. Does it cover everything as well?

    Ty for the heads up though, I do need to invest in this stuff since I'm using my computer a lot more lately. And yeah, CCleaner is awesome, I use it daily.

    WOW!! I just updated to the free AVG 8, and the thing found hundreds of adware, trojan, spyware, tracker, downloader, and hacker infections! Idk how the other programs missed this stuff... (Most of it are IE infections/registry infections, as well as a few others.)
    Last edited by goemon4; 04-25-08 at 06:16 AM.

  11. #11
    Senior Member ghettoside's Avatar
    Join Date
    Mar 2003
    Location
    At Large in the US
    Posts
    5,134
    Yeah, Norton is too much bloatware for the past few years already, and I've seen waaaay too many problems on rigs running that McAfee garbage.

    Comcast is giving trials of McACrappy and people think it's good just cuz Comcast recommends it and bundles it w/ their service. That should be warning enough if Comcast gives it out!

    Quote Originally Posted by Far-N-Wide
    I gave up on McAfee years ago, largely for the same reason listed above. Years ago I had to spend time testing the antivirus on offline systems, that it was not worth it. Personally I don't think it could find a booger on a white handkerchief.
    I love to quote that post!

    As to Nod, they have another product, Smart Security, that has all the features. Nod32 av is just that, an av. That's why I use the other appz I listed.

    I haven't tried Smart Security myself, but maybe Stonecat or someone else can tell you more.

    No av catches everything, but I've never had a problem w/ Nod on my rigs.

    Imho, if I was going to spend the $, I'd prefer trying Nod's Smart Security over AVG.

  12. #12
    Second Most EVIL YARDofSTUF's Avatar
    Join Date
    Nov 2000
    Location
    USA
    Posts
    69,992
    Quote Originally Posted by goemon4
    For viruses
    Avg's free one
    and kaspersky online virus scanner

    For spyware
    Spybot S&D
    Avg's free one
    Ad-Aware
    and SpywareBlaster

    Not much else IIRC. But nothing other than that, oh except AVG's rootkit checker.

    Avira AntiVir is really the best freebie right now for virus scanners.

    Spybot, windows defender, and super antispyware are good adware/spyware scanners.

    Spyware blaster and the immunize feature of spybot are great deterrents.

    And Ccleaner and adaware are good to run first to clean up temp files and little junk so the others do scan unneeded files.

    If you don't have a router with the NAT feature on, you should also get a firewall, but other than that you should be fine with those apps.

    I keep a few people's PCs clean with free apps only.

  13. #13
    Junior Member
    Join Date
    Mar 2008
    Posts
    36
    I agree with the above quote.

  14. #14
    Junior Member
    Join Date
    May 2009
    Posts
    1

    I think I got a worm !

    After going through your post I also think that you have got a worm in your pc. But you need not be worried about it at all. The problem you are facing now is quite common and a number of people have to go through the same problem. I know some of them who were greatly benefited by http://www.supportonclick.com. The staff out there are quite expert and helpful to respond and solve your problem. I think you should opt for their support; once you do, you will be benefited.

  15. #15
    Certified SG Addict CableDude's Avatar
    Join Date
    Jun 2001
    Posts
    26,786
    Quote Originally Posted by twister
    After going through your post I also think that you have got a worm in your pc. But you need not be worried about it at all. The problem you are facing now is quite common and a number of people have to go through the same problem. I know some of them who were greatly benefited by http://www.supportonclick.com. The staff out there are quite expert and helpful to respond and solve your problem. I think you should opt for their support; once you do, you will be benefited.
    Welcome to last year.

  16. #16
    Junior Member jantrina's Avatar
    Join Date
    May 2009
    Posts
    10
    Don't use AVG... that's bad. Use NOD32...
