pop up problem--help me with my Hijack This log file! **UPDATE**


screw3d

Diamond Member
Nov 6, 2001
So is it still there? This is kinda stupid, but have you updated the definitions of Ad-Aware, Spybot, etc. before running them?
 

Garlicboy

Member
Mar 3, 2000
wow... seems like you've been running without a firewall, etc.

Here's what I see that causes MAJOR concerns:
C:\WINDOWS\System32\cmd32.exe - not the real CMD...I bet it's some type of IRCbot, spyware or link catcher
C:\Program Files\Common Files\slmss\slmss.exe - slmss.exe seems to be the SeekSeek hijacker: http://www.pacs-portal.co.uk/startup_pages/startup_s.php
C:\WINDOWS\mwsvm.exe -- another toolbar/hijacker

Why are there 2 running instances of this... in different places? One of them is the bad one. System32 is usually the real one.
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe

R3 - URLSearchHook: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe - this isn't the real cmd. This is a trojan.
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe - same
O4 - HKLM\..\RunServices: [CMD] cmd32.exe - same


It looks like you've been owned.

Also, if you have System file restore enabled, you may want to disable it before you delete these. If not, there's a good chance that you'll get them right back.
 

nick1985

Lifer
Dec 29, 2002
Originally posted by: Garlicboy
wow... seems like you've been running without a firewall, etc.

Here's what I see that causes MAJOR concerns:
C:\WINDOWS\System32\cmd32.exe - not the real CMD...I bet it's some type of IRCbot, spyware or link catcher
C:\Program Files\Common Files\slmss\slmss.exe - slmss.exe seems to be the SeekSeek hijacker: http://www.pacs-portal.co.uk/startup_pages/startup_s.php
C:\WINDOWS\mwsvm.exe -- another toolbar/hijacker

Why are there 2 running instances of this... in different places? One of them is the bad one. System32 is usually the real one.
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe

R3 - URLSearchHook: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe - this isn't the real cmd. This is a trojan.
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe - same
O4 - HKLM\..\RunServices: [CMD] cmd32.exe - same


It looks like you've been owned.

Also, if you have System file restore enabled, you may want to disable it before you delete these. If not, there's a good chance that you'll get them right back.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anandtech.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.anandtech.com
R3 - URLSearchHook: PerfectNavBHO Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: NavErrRedir Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


That's my updated log. I'm not having any problems anymore, but is there anything in there I need to take out?

thanks!
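As an added example (not part of the thread, and not a HijackThis feature), here is a small Python triage script that applies the checks Garlicboy made by eye to the log lines nick1985 posted: the `Shell=` value must be exactly `Explorer.exe`, core system binaries such as svchost.exe are expected only under System32, `RunServices` autostart entries deserve a look, and hooks ending in `(no file)` are orphans. The sample log is constructed from the lines quoted above (with the usual HJT "Running processes:" header), the `c:\windows\system32` path assumes a default XP install, and the list of System32-only binaries is my own assumption, not something the thread states.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample, assembled from the HijackThis lines quoted in this thread
# (the running-process paths and the entries Garlicboy called out); not a fresh
# capture. "Running processes:" is the normal HJT section header.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\cmd32.exe

R3 - URLSearchHook: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
"""

# Assumption: default XP install location. Adjust for a different drive/dir.
SYSTEM32 = r"c:\windows\system32"
# Assumption: XP core binaries whose only legitimate home is System32. A same-named
# copy anywhere else (C:\WINDOWS\svchost.exe) is the "second svchost" in the log.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "smss.exe"}

SHELL_RE = re.compile(r"^F[02] - .*?Shell=(.*)$", re.IGNORECASE)
RUNSERVICES_RE = re.compile(r"^O4 - .*\\RunServices: \[(.*?)\] (.*)$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(path: str) -> Optional[str]:
    """Flag a core system binary running from anywhere but System32."""
    name = basename(path)
    parent = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    if name in SYSTEM32_ONLY and parent != SYSTEM32:
        return f"{name} should only run from {SYSTEM32}, found in {parent}"
    return None


def check_shell(line: str) -> Optional[str]:
    """F0/F2 Shell= must be exactly Explorer.exe; anything appended also starts at logon."""
    m = SHELL_RE.match(line)
    if not m:
        return None
    tokens = m.group(1).split()
    extra = tokens[1:] if tokens and tokens[0].lower() == "explorer.exe" else tokens
    if extra:
        return "Shell= must be exactly Explorer.exe; extra program(s): " + " ".join(extra)
    return None


def check_orphan(line: str) -> Optional[str]:
    if line.endswith("(no file)"):
        return "hook/BHO points at a file that no longer exists; leftover to remove"
    return None


def check_runservices(line: str) -> Optional[str]:
    m = RUNSERVICES_RE.match(line)
    if not m:
        return None
    note = "RunServices autostart entry (Win9x-era key, rarely used legitimately on XP)"
    if "\\" not in m.group(2):
        note += "; bare filename, so locate the file on disk before deleting the entry"
    return note


def triage(log: str) -> List[Dict[str, str]]:
    """Return the suspicious lines of a HijackThis log with a one-line reason each."""
    processes: List[str] = []
    entries: List[str] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line closes the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        (processes if in_processes else entries).append(line)

    findings: List[Dict[str, str]] = []
    suspects: Set[str] = set()            # basenames launched by hijacked autostart entries
    for entry in entries:
        for check in (check_shell, check_orphan, check_runservices):
            reason = check(entry)
            if reason:
                findings.append({"line": entry, "reason": reason})
                break
        m = SHELL_RE.match(entry)
        if m:
            suspects.update(basename(t) for t in m.group(1).split()
                            if basename(t) != "explorer.exe")
        m = RUNSERVICES_RE.match(entry)
        if m and m.group(2).split():
            suspects.add(basename(m.group(2).split()[0]))

    # Cross-check: a running process matching a hijacked autostart entry is live, not just configured.
    for proc in processes:
        reason = check_process(proc)
        if reason is None and basename(proc) in suspects:
            reason = "running copy of a program launched by a hijacked autostart entry"
        if reason:
            findings.append({"line": proc, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```

On the sample this flags the orphaned URLSearchHook, both `Shell=` lines, the `RunServices` entry, the svchost.exe copy in C:\WINDOWS, and the running cmd32.exe, while leaving the NVIDIA and AIM entries and the System32 svchost.exe alone. It is a triage aid, not a verdict: a match tells you which files to pull and inspect (hashes, signatures, strings) before deleting anything.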
 

TechnoKid

Diamond Member
Feb 12, 2001
spywareinfo

Here is the recommended stuff to get rid of, by one of the people on the spywareinfo forums. I'm sure you have removed some of them already, but if there are any differences, do as he instructed--I'm sure it will work to prevent further infection.

Also, do as others have recommended and get rid of Kazaa, and get Kazaa Lite; it's harder to find on Google now. The latest version of Kazaa Lite is 2.4.3.