Windows problem... Help ?

eda2k · October 2, 2006, 5:46am

???Hi,

Ive used like 2 weeks internet explorer ... and now .. when i connect to the internet , comodo firewall tells me that a program zvdrtydgz.exe its trying to connect to the internet… Figures that i give him DENY … but next time when i reconnect … a new program like gdfgaetsf.ex trys again …
Ive unistalled the IE ... but still the same problem ... Someone told me that i wont get rid of that prog unless i reinstall windows … and thats bad ... How can i remove the prog, who its probablly a spyware or something …

It`s located in the /temp directory … and has another file called same name but with .tpl extension … What can I DO ???

system · October 2, 2006, 5:55am

Hi, first of all, the “exact” application trying to access the internet would be helpful. Let’s not think re-install just yet, you have many options. Can you explain in just a bit better detail of what IE you installed, beta 7? What operating system you have. Probably download hijackthis and show a scan log as well, or if you can screenshot the comodo logs.

Thanks,

Paul

system · October 2, 2006, 6:08am

On top of what Paul says I would also download Ewido anti-spyware, update it, then run it in safe mode. Do the same with ad-aware. I would also update and run your Anti-virus program in safe mode.

Ewido:

Ad-aware:

http://www.lavasoft.de/products/ad-aware_se_personal.php

panic · October 2, 2006, 6:54am

You, my friend, have a nasty on your system. Constantly changing and randomized names is a dead giveaway that your system is infected.

With what, we can’t tell. But you are infected.

Run a spyware checker.

Run an anti virus app.

Run spot run.

LOL

Ewen

system · October 2, 2006, 7:34am

run spot run??? Is that the new app. to kill the canine Trojan that pees all over your desktop?? ???

eda2k · October 7, 2006, 4:56pm

I`m using Comodo firewall, comodo antivirus, comodo back-up … like … comodo all the way.

Ive tested my sistem with XoftSpy .. and found some bugs. Deleted them. Ive tested the registry with Registry First aid … nothing .

Now i`ve rebooted and ANOTHER STUPID EXE like cxvjoeej.exe wanted to connect to the internet … ■■■■.

At details says :

Security risk: Unknown Invisible: Ask
Connections: Unlimited Version: Unknown
Path: C:\documents…\Temp\cxvjoeej.exe
Parent Path : C:\progra…\IExplorer.exe
Description : cxvjoeej.exe

The log from Hijackthis it`s :

Logfile of HijackThis v1.99.1
Scan saved at 19:54:51, on 07.10.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Personal Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\UpsPilot\Winpower.exe
C:\PROGRA~1\UpsPilot\monitor.exe
C:\Program Files\Comodo\Personal Firewall\CPF.exe
C:\Program Files\Comodo\LaunchPad\CLPTray.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\UpsPilot\hello21.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ACD Systems\ACDSee\8.0.Pro\ACDSee8Pro.exe
D:\wordlist\last\Charon\Charon.exe
C:\Program Files\Opera\Opera.exe
C:\totalcmd\TOTALCMD.EXE
F:\progz\hiyjackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 24.239.248.79:80
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM..\Run: [Comodo Personal Firewall] C:\Program Files\Comodo\Personal Firewall\CPF.exe sysrestart
O4 - HKLM..\Run: [Comodo Launch Pad Tray] C:\Program Files\Comodo\LaunchPad\CLPTray.exe
O4 - HKLM..\Run: [cnfgCav] “C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe” " /login"
O4 - HKLM..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM..\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033
O4 - HKLM..\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime -Delay
O4 - HKLM..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe
O4 - HKLM..\RunServices: [Winpower] C:\Program Files\UpsPilot\Winpower.exe
O4 - HKCU..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Enterprise\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Enterprise\Add_AllO.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O17 - HKLM\System\CCS\Services\Tcpip..{32382D8B-0DA6-45FE-AB49-10FA21E64696}: NameServer = 194.55.169.1 194.55.169.2
O17 - HKLM\System\CS2\Services\Tcpip..{32382D8B-0DA6-45FE-AB49-10FA21E64696}: NameServer = 194.55.169.1 194.55.169.2
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Personal Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Winpower - Zero G - C:\PROGRA~1\UpsPilot\Winpower.exe

HELP !!! … i`m an infected terran …

panic · October 7, 2006, 10:52pm

G’day,

There’s definitiely something bad lurking in your system, but nothing really stands out in your HJT log. Really odd. Obviously this is something that CAVS doesn’t yet know about.

If you use task manager to kill off the executable, does it, or another similarly oddly named exe reappear?

Have you tried using some of the other online malware scans? Have you tried downloading another spyware cheker, like Ewido?

I’d download Ewido ro Spybot, run it, quarantine whatever it finds and then submit the file to Comodo for analysis an inclusion in its databases.

Please post your results back here for the benefit of others.

TIA
Ewen

eda2k · October 8, 2006, 6:48am

Ewido solved the problem.

It was a file called ntsystem.exe that tryed to hijack when i was rebooting. The path was C:\Windows\system32\ntsystem.exe .Thats the program that hijackme. THANKS GOD for telling me about ewido, cause adware or xoft didnt found it. The infection is with Hijacker.Agent.hg.

Comodo antivirus didnt found it, adware didnt found it, xoft didnt found it, only ewido. Ill submit the file, just i must find out where … and how … i`ll try using cav.

eda2k · October 8, 2006, 6:56am

Just submited the file. The name that ive submited its filE7D4EF10.dat cause its in quarantine with ewido, and i didnt want to restore it … FIGURES !!! Hope that helps you, cause it sure helped me to get rid of that pesky zcxvxcvb.exe trying to connect, or vcxzbvcb.exe , or tzgsdgfs.exe … whatever name he got … THANKS !!!

eda2k · October 9, 2006, 1:10pm

Problem !!!

Ive deleted the file ntsystem.exe ... and after reboot, it has reapear, ewido anti-spyware told me again that a file c:\window\system32\ntsystem.exe tryes to hijack me ... ■■■■ ... how do i get RID of IT ??? HELP !!! ... ive deleted it and appear again … what can i do ? ???

eda2k · October 9, 2006, 3:48pm

Im sorry to say ..but ive uninstalled CAV … I had to try with other antivirus … and tested NOD32 … and … it solved the problem , found the virus that was luring in my computer … sorry to say, i wont install CAV very soon, cause im not protected with it … Hope you will make it work against those kind of treaths … take care

justin1278 · October 9, 2006, 3:55pm

Hi,

I’m sorry about your infection but you did get rid of it and that is the important thing, as for CAVS it is currently Beta 1.1 but Beta 2 is about to be released soon and that will be much better. As for Nod32 it is a great antivirus, however in time Comodo will become better