
Some strange activities

Discussion in 'Malware and Virus Removal Archive' started by Firda Yasmin, 2003/12/21.

Thread Status:
Not open for further replies.
  1. 2003/12/21
    Firda Yasmin

    Firda Yasmin Inactive Thread Starter

    Joined:
    2003/05/25
    Messages:
    60
    Likes Received:
    0
    Hi,

    When I press Ctrl + Alt + Del, there is a list of activities in which one item is shown as "12345", i.e. a five-digit number, and the number always changes each time I start or restart my pc. I tried to find out what program is running it by running msconfig and looking at the startup programs. There isn't any unknown program in the list. I can't figure it out. Then I ran Spybot S&D and it also didn't find any spyware, etc. When running Spy Hunter, it found parasites named "Search Explorer Bar" in the registry and "Win Active" from C:\Windows\Favorites\Links\microsoft.url. According to the full list of startup files, it's a virus attack by Kitro.C or Dandi.A. But I checked my pc, and there are no signs of this virus. I'm running Windows 98 SE, IE 6 SP1, AVG free AV 6.0.553, Kerio Personal Firewall. My pc specs are P4-2.0A, 256 MB DDR, Winfast Titanium GeForce 2 MX400 64 MB, Sound Max onboard sound card. I always update the anti-virus definition files and all patches for Windows and IE, never visit underground or **** sites nor open the attachment files in incoming messages from unknown or known senders, except when I ask for them from my friends (and they are always scanned by the av before opening them).

    Does my pc have a virus, trojan, etc.? How can I trace what program is running this 'number'? How do I detect and remove it without it coming back?

    Thanks.

    Firda Yasmin
     
  2. 2003/12/21
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi,
    maybe an online av check first (links below), then

    Post a log from HijackThis so one of the experts can see
    what's going on. (I'm certainly not one) :)
    Current version 1.97.7; don't forget to also keep it updated.
    If you've used it before, please don't have anything excluded.

    Get it here
    http://www.net-integration.net/tools/hijackthis.html
    Unzip it to a permanent folder, double-click HijackThis.exe, and hit "Scan".
    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, so don't fix anything yet.


    Post it here and possibly in one other forum,
    forums.spywareinfo.com or net integration.
    ==========
    BitDefender AntiVirus - Data Security, AntiVirus Software, Free Protection: http://www.bitdefender.com/scan/licence.php
    Command on Demand: http://www.commandondemand.com/eval/index.cfm
    Panda ActiveScan - Free online scanner: http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    Symantec Security Check: http://security.symantec.com/ssc/home.asp?j=0&langid=ie&venid=sym&plfid=20&pkj=WNZFORVWHFHMFNZMBBX
    Trend Micro - Free online virus Scan: http://housecall.trendmicro.com/
    ==========
    Lonny
     


  4. 2003/12/21
    Firda Yasmin

    Firda Yasmin Inactive Thread Starter

    Joined:
    2003/05/25
    Messages:
    60
    Likes Received:
    0
    Hi, Lonny Jones

    Thanks for the list and the related links.

    I downloaded the proggies (HijackThis, StartupList and CWShredder) and then ran them. How can I report the results to this board? Can I attach them or just copy and paste them into the message? After running CWShredder, there is no infection.

    Thanks,

    Yasmin
     
  5. 2003/12/21
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Yep, just copy and paste into your reply here (the HijackThis log),
    but please do also post in another forum... always good to get several opinions :)
    No need for the startup list; don't post it unless someone asks for it. And you don't need the separate StartupList because HijackThis has one integrated, i.e. the same thing.

    Lonny

    PS: if you run CWShredder you'll need to hit the Next button; some folks make the mistake of doing a scan only, then thinking they're clean.
     
  6. 2003/12/21
    Hugh Jarss

    Hugh Jarss Inactive

    Joined:
    2002/07/22
    Messages:
    908
    Likes Received:
    6
    Hi
    if you Start|Run msinfo32 and look under Software Environment|Running Tasks, it gives you a little more detail; the "manufacturer's name" (if not blank) might prove interesting, perhaps?
    best wishes, HJ.
     
  7. 2003/12/22
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Do a full virus scan with updated definitions. There are many trojans that have remote control apps built into them that will open port 12345. The 12345 entry in running tasks could very well be the hacked name of the trojan's server software or remote access software.
     
  8. 2003/12/22
    Firda Yasmin

    Firda Yasmin Inactive Thread Starter

    Joined:
    2003/05/25
    Messages:
    60
    Likes Received:
    0
    Hi, Lonny Jones.

    Here is the copy of the Hijackthis.log:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:29:00 AM, on 12/22/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPERLITE\DKSERVICE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WF2K.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGEMC.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\A!K RESEARCH LABS\OFF-ROAD\OFFROAD.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {371C6960-302C-45D0-9504-50B820247439} - C:\PROGRAM FILES\WINGET\WINIE.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\\NVCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\SYSTEM\WF2K.EXE
    O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [AVG_EMC] C:\PROGRA~1\GRISOFT\AVG6\AVGEMC.EXE
    O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\SPYHUNTER\SPYHUNTER.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [A!K Mouse Off-road] C:\PROGRAM FILES\A!K RESEARCH LABS\OFF-ROAD\OFFROAD.EXE
    O8 - Extra context menu item: Download with &WinGet - res://C:\Program Files\WinGet\WinIE.dll/300
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab


    I hope you or someone else can help me solve the problem.

    Thanks also to Hugh Jarss and Tony T for the suggestions.

    Cheers,

    Yasmin
     
  9. 2003/12/22
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi
    I'm not sure if this will address the original question :)

    Before proceeding, put HijackThis in a permanent folder.

    Restore anything this tool (SpyHunter) has removed.
    Check first to see if there's an uninstall for it in Control Panel > Add/Remove Programs.
    In HijackThis, place a check next to this entry, close all IE windows and other windows,
    then hit Fix:

    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe


    Reboot/restart,
    then delete this folder:
    The C:\Program Files\SpyHunter folder
    More info:
    http://forums.spywareinfo.com/index.php?showtopic=21076&hl=spyhunter
    ===========================
    Find out what starts with Windows, and how to control it, at
    Startups: do you really need all of them?
    http://www.pacs-portal.co.uk/startup_index.htm and answersthatwork... a process page.
    Like
    SOUNDMAN.EXE
    answersthatwork Recommendation :
    Most users do not use any of the features of SOUNDMAN. If that is your case then disable SOUNDMAN in (MSCONFIG)
    http://www.answersthatwork.com/

    WF2K.EXE
    Recommendation :
    Irrelevant to most users. Disable with MSCONFIG
    ======
    Not sure what to think of offroad
    C:\PROGRAM FILES\A!K RESEARCH LABS\OFF-ROAD\OFFROAD.EXE
    This is a fun application that measures the speed and mileage of a mouse. It lives in a small inconspicuous window that can be placed anywhere on your desktop.
    ======
    Please also install Ad-aware and keep it updated,
    and possibly SpywareBlaster and SpywareGuard.
    SpywareBlaster: http://www.wilderssecurity.net/spywareblaster.html

    And finally, post another new HijackThis log.

    Regards
    Lonny
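    The HijackThis log Yasmin posted above, and the instruction in this reply to fix one specific O4 (autostart) entry, are both about reading a structured log by hand. The following is an added example, not part of the thread or of HijackThis itself: a small Python parser for the log format seen in the posted log (header lines, the "Running processes:" block, and "Onn - ..." entries), which decodes the O4 registry Run/RunServices entries and flags any whose name or command mentions a string the reviewer is watching for (here "spyhunter", the entry Lonny asked to be fixed). The sample log embedded below is a constructed excerpt modelled on the log in the thread; the function names and the watch-list approach are this example's own assumptions.

    ```python
    import re
    from collections import Counter
    from dataclasses import dataclass, field

    # Constructed excerpt modelled on the HijackThis v1.97.7 log posted in the thread.
    SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
    Scan saved at 5:29:00 AM, on 12/22/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {371C6960-302C-45D0-9504-50B820247439} - C:\PROGRAM FILES\WINGET\WINIE.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\SPYHUNTER\SPYHUNTER.exe
    O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    """


    @dataclass
    class Entry:
        code: str    # section code such as "O2", "O4", "O16"
        detail: str  # everything after "Onn - "


    @dataclass
    class HjtLog:
        version: str = ""
        platform: str = ""
        processes: list = field(default_factory=list)
        entries: list = field(default_factory=list)


    ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
    # O4 lines look like: HKLM\..\Run: [Name] command line
    O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")


    def parse_hjt_log(text: str) -> HjtLog:
        """Split a HijackThis log into header fields, running processes and Onn entries."""
        log = HjtLog()
        in_processes = False
        for raw in text.splitlines():
            line = raw.strip()
            if not line:
                in_processes = False  # a blank line ends the process block
                continue
            if line.startswith("Logfile of HijackThis"):
                log.version = line.rsplit(" ", 1)[1]
            elif line.startswith("Platform:"):
                log.platform = line.split(":", 1)[1].strip()
            elif line == "Running processes:":
                in_processes = True
            elif in_processes:
                log.processes.append(line)
            else:
                m = ENTRY_RE.match(line)
                if m:
                    log.entries.append(Entry(m.group(1), m.group(2)))
        return log


    def autostart_entries(log: HjtLog):
        """Decode O4 lines into (hive, key, name, command) tuples."""
        out = []
        for e in log.entries:
            if e.code == "O4":
                m = O4_RE.match(e.detail)
                if m:
                    out.append(m.groups())
        return out


    def flag_entries(log: HjtLog, watch_names):
        """O4 entries whose name or command contains a watched string (case-insensitive)."""
        watched = [w.lower() for w in watch_names]
        hits = []
        for hive, key, name, cmd in autostart_entries(log):
            hay = (name + " " + cmd).lower()
            if any(w in hay for w in watched):
                hits.append((hive, key, name, cmd))
        return hits


    def duplicate_processes(log: HjtLog):
        """Paths listed more than once under Running processes (two rundll32 on Win9x is normal)."""
        counts = Counter(p.upper() for p in log.processes)
        return sorted(p for p, n in counts.items() if n > 1)


    if __name__ == "__main__":
        parsed = parse_hjt_log(SAMPLE_LOG)
        print(parsed.version, "on", parsed.platform)
        for hit in flag_entries(parsed, ["spyhunter"]):
            print("review this autostart entry:", hit)
        print("listed more than once:", duplicate_processes(parsed))
    ```

    Running the script prints the one O4 entry that Lonny singled out and the duplicated rundll32.exe process path; the watch list is the reviewer's own, so the parser never decides by itself what is malicious, which matches Lonny's warning not to fix anything before an expert has looked at the log.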
     
  10. 2003/12/23
    Firda Yasmin

    Firda Yasmin Inactive Thread Starter

    Joined:
    2003/05/25
    Messages:
    60
    Likes Received:
    0
    Hi, Lonny.

    Thanks for the guidance. It works better than I expected!

    After disabling Soundman, I can enjoy the music from audio CDs on the pc again!

    And disabling many unnecessary resident programs reduces the system resource usage, too!

    Once again, thank you very much for your kind help! God bless you!

    Cheers,

    Yasmin
     
  11. 2003/12/24
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I wonder if you uninstalled SpyHunter... was there an uninstaller?

    And was it the numbered-sequence process that showed in the Close Program box (task manager)?

    God bless you too, and have a great Christmas and New Year.
    Lonny
     