Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

my computer is taken over 4

Status
Not open for further replies.
electricpete

electricpete

Technical User
Joined
Oct 1, 2002
Messages
289
Location
US
I have Windows ME, no anti-virus protection.

If I leave my computer idle, after about 5 minutes the modem will call up and connect to my ISP. It will sit there transferring megabytes of data (no browser window open... no way to figure out who it's talking to).

Also when I am on-line sometimes it begins sending large amounts of data while I am idle.

My precautions so far: unplug phone line when not on-line. Remove personal info from my pc.

What is going on and how do I fix it?
Thanks in advance for any thoughts.
 
Sort by date Sort by votes
I would suggest the following:
Some anti-virus protection,
Adaware,
Spybot.

And it probably wouldn't hurt to have zone alarm installed.


Ed Fair
Give the wrong symptoms, get the wrong solutions.
 
Upvote 0 Downvote
Just to echo what carrr and edfair have already said.....

anti-virus........several free ones to choose from
firewall..........several free ones to choose from
spybot
adaware
spywareguard
etc....all free programs... and there to protect you

see this link :-


If you want help...do this and we'll get you started

Please Download hijackthis from


Unzip, doubleclick HijackThis.exe, and hit "Scan".

After the scan has finished the "scan" button will turn into a "save log" button

save the log file and paste it here

Do not delete anything yet, as most things hijackthis finds are harmless and needed.

steam
 
Upvote 0 Downvote
A little ironic...in the old days we were safe as long as we didn't run any downloaded programs... now we are supposed to download and run programs to stay safe.

Are the viruses smarter now that they can get in even when we don't run any programs?

Is this hijackthis a safe program?
Thx.



 
Upvote 0 Downvote
Thanks. Here is my logfile:

Logfile of HijackThis v1.97.6
Scan saved at 4:06:56 PM, on 11/14/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\ROXIO SHARED\PROJECT SELECTOR\PROJSELECTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\DRAGTODISC\DRGTODSC.EXE
C:\WINDOWS\SYSTEM\MSREXE.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = eFanz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = O1 - Hosts: 66.250.171.138 auto.search.msn.com
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Sidesearch (HKLM)
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: Dialpad US Java Applet - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} -
 
Upvote 0 Downvote
A few things I recognize as my own customizations:
fineprint
Roxio, Projectselector
 
Upvote 0 Downvote
A site that will check your machine online is:


click on Downloads -> Symantec Security Check

It will check your entire system while you are online, and it is free.
 
Upvote 0 Downvote
Hi electricpete

Your computer has been hijacked by Coolwebsearch

Download and run this program :-


here is some info about it :-


If you are worried about running the shredder....Look at the top right hand side of this page (This forums top experts)...my name wouldn't be there if I was giving bad advice.

Then post a new log and we'll take out any stragglers

steam
 
Upvote 0 Downvote
Thanks steamwiz.

============Results of CWShredder===========
Done!
Removed from your system:
- CWS.Bootconf
- 9 infected IE registry values

Windows ME (4.90.3000 )
CWShredder v1.33.1

After CWShredder I rebooted my machine and then ran hihackthis.

=============Results of Hijackthis================
Logfile of HijackThis v1.97.6
Scan saved at 9:25:39 PM, on 11/14/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\ROXIO SHARED\PROJECT SELECTOR\PROJSELECTOR.EXE
C:\PROGRAM FILES\ROXIO\EASY CD CREATOR 6\DRAGTODISC\DRGTODSC.EXE
C:\WINDOWS\SYSTEM\MSREXE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = eFanz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Sidesearch (HKLM)
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: Dialpad US Java Applet - O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} -
===============================
What now?
I noticed a lycos icon showed up on my screen recently. I didn't put it there. Maybe I should get rid of that lycos thing?
 
Upvote 0 Downvote
There were a few improvements to my system after running the above:
1 - It seems to respond a lot faster now.
2 - Now when I type the wrong address I am redirected to search.msn.com... used to be redirected to some martfindersearch.com with porn stuff on it... not too great for the kids.

So things are better.

Unfortunately, the machine still seems to want to dial up and connect all by itself.
 
Upvote 0 Downvote
I would still advise running Spybot as I see some others in your log that need to be dealt with.

Kill the following:
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1311.DLL
O9 - Extra button: Sidesearch (HKLM)


O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} -

O16 - DPF: Dialpad US Java Applet - This one looks evil. Anyone else have an opinion of it? Seems to be a phone card service.



 
Upvote 0 Downvote
This is a sub 7 trojan - undoubtedly the source of your problems

O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE

Find this file: C:\WINDOWS\System\msrexe.exe
and go here :- and upload it.

Let me know the results.

I suspect......msrexe.exe Infected: Backdoor.Jeemp.c

Let me know and I'll tell you what to do next

steam
 
Upvote 0 Downvote
I notice the date on msrexe.exe is 9/6/03... seems like around the time these problems started.

Here are the result of the on-line scan:

Current object: msrexe.exe

msrexe.exe Infected: Backdoor.Jeemp.c

Statistics:

--------------------------------------------------------------------------------
Known viruses: 77780 Updated: 16.11.2003
File size (Kb): 31 Scan time: 00:00:01
Speed (Kb/sec): 32 Virus bodies: 1
Archives: 0 Packed: 0
Folders: 0 Files: 1
Suspicious: 0 Warnings: 0
 
Upvote 0 Downvote
I downloaded trojanchecker.... but it seemed that some of the vital instructions were in German, so I was afraid to run it.

Then I followed the instructions at symantec for deleting the offending entries with regedit. That appears to have solved the problem.

Thanks to everyone and especially steamwiz for your help.

I never would have fixed it on my own.
 
Upvote 0 Downvote
For completeness, I should mention that I ran spybot and deleted those other items identified in my hijackthis log as suggested above. Nothing corrected the problem until I used regedit.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

2ffat
  • Locked
  • News News
Audacity is Spyware?
Replies
2
Views
681
2ffat
2ffat
DrB0b
  • Locked
  • Question Question
Curious network activity over port 445
Replies
8
Views
1K
DrB0b
DrB0b
iambob
  • Locked
  • Question Question
Avast Anti-Virus is.. a virus?!
Replies
5
Views
864
Oorde
Oorde
Olumighty
  • Locked
  • Question Question
BIOS PASSWORD WIPE OR CLEAR ON COMPUTER LAPTOP
Replies
1
Views
551
SamBones
SamBones
shivajiboss
  • Locked
  • Question Question
I am getting a problem while opening up my windows
Replies
1
Views
707
2ffat
2ffat

Part and Inventory Search

Sponsor

Back
Top