Help, "virus"

Discussion in 'Computing, Science, and Technology' started by imranh101, Jan 6, 2010.

  1. imranh101

    imranh101 Active Member

    Joined:
    Jun 10, 2009
    Messages:
    1,789
    Likes Received:
    24
    Device:
    iPad w/ 3G
    Hey guys. Having a problem here.
    A couple of things I'm searching for, including information on a game im playing, are linking me to "searches" of the game / topic im searching for
    I.E. I search for "Shin megami tensei imagine _____" and I click a link that obviously, and even shows in the address bar, links to their site (Which I have used before)
    After a second of loading, it links me to a site such as encyclopedia.com, showing a page that appears to have automatically searched "Shin megami tensei"

    Here's a hijack this log :
    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:15:30 PM, on 1/6/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Documents and Settings\All Users\Application Data\SeekService\seekservice145.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\DRIVERS\WtSrv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\WService.EXE
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\SeekService\seekservice.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\imran\My Documents\Downloads\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14986&l=dis
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WService] WService.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [Bit******* DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\imran\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: C:\WINDOWS\system32\0019.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP4\RpcAgentSrv.exe
    O23 - Service: SeekService Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\SeekService\seekservice145.exe
    O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
    O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe
    
    --
    End of file - 6237 bytes
    Hold on, lemme run spybot and ad aware. Forgot to try that lol
    As I expected, neither found anything. AdAware did find a tracking cookie, but that helped nothing
    Now when i tried to log on to this site it redirected me 0.o
    Im getting sad now...
  2. Meikura

    Meikura Super Moderator Staff Member

    Joined:
    Jan 16, 2008
    Messages:
    6,081
    Likes Received:
    431
    Device:
    iPhone 4 (Black)
  3. rofl.

    rofl. Banned

    Joined:
    Dec 27, 2008
    Messages:
    821
    Likes Received:
    0
    Device:
    2G iPod touch
    It, to me, sounds more like a Malware problem than virus problem. Download the following program called Malwarbyte's Anti-Malware. It is free.

    Direct download: http://www.malwarebytes.org/affiliates/besttechie/mbam-setup.exe

    I ran a quick scan and it found a malware problem I had (note that I said "had".)

    I even renamed the EXE file to something else so the malware doesn't catch it; I just named it to Helper but anything will do.

    Hope this helps.
  4. imranh101

    imranh101 Active Member

    Joined:
    Jun 10, 2009
    Messages:
    1,789
    Likes Received:
    24
    Device:
    iPad w/ 3G
    Well, I tried MalBytes, it did find some problems with SeekService, and removed them, and asked me to reboot, which I did (I did a full scan, not a quick)
    Still having the problem.
    Reran hijackthis, here's a new log
    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:59:59 PM, on 1/7/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\WService.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\DRIVERS\WtSrv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\imran\My Documents\Downloads\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14986&l=dis
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [WService] WService.EXE
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [Bit******* DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\imran\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: C:\WINDOWS\system32\0019.DLL
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP4\RpcAgentSrv.exe
    O23 - Service: SeekService Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\SeekService\seekservice145.exe (file missing)
    O23 - Service: SRS Labs License Service - SRS Labs - C:\Program Files\Common Files\SRS Labs Shared\Service\srslabslicenseservice.exe
    O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe
    
    --
    End of file - 6215 bytes
    I dont want to try the other file, because, no offense, for all we know it's a virus

    Please Register or Log in to view images



    Thanks in advance, still need help

    Please Register or Log in to view images

  5. randomdude1234

    randomdude1234 Member

    Joined:
    Jul 17, 2009
    Messages:
    939
    Likes Received:
    2
    This exact thing happened to me once. It is a malware problem. ended up having to restore... had to back up any really important documents, it sucked.
  6. imranh101

    imranh101 Active Member

    Joined:
    Jun 10, 2009
    Messages:
    1,789
    Likes Received:
    24
    Device:
    iPad w/ 3G
    Oh please no.
    I really really really do not want to have to re-update all of those steam games, and download all those free games (not pirated, ones like combat arm)
    And do this... and that... ooooh god maybe Id rather keep the virus.
  7. Flea

    Flea New Member

    Joined:
    Aug 23, 2009
    Messages:
    349
    Likes Received:
    0
    Device:
    iPad
    you dont lose all that stuff with system restore, depending on when you got the virus,just restore to a day before that. Unless you installed all that stuff after you got the problem, than yes, system restore will remove them.
  8. rofl.

    rofl. Banned

    Joined:
    Dec 27, 2008
    Messages:
    821
    Likes Received:
    0
    Device:
    2G iPod touch
    M-Bam took care of the problem. The malware is off your computer. Try doing a search of Seekservice via explorer, and nothing should show up. If it does show up, it might be because it was quarantined, meaning yes, technically the file is on your computer, but it cannot do anything. If it shows up as being at C:\Documents and Settings\All Users\Application Data\SeekService\ then delete the whole SeekService folder (m-bam only finds the infected file, not folder.)


    Try clearing all your cache and cookies and see if that works. If the problem persists, re-install your browser. If it still persists, then run in safe mode and do the m-bam scan again.
  9. imranh101

    imranh101 Active Member

    Joined:
    Jun 10, 2009
    Messages:
    1,789
    Likes Received:
    24
    Device:
    iPad w/ 3G
    The malware is not off my computer.
    I tried what you said, everything, from searching and deleteing anything seekservice, to reinstalling the browser (firefox), to running m-bam is safe mode and still nothing.

    I need help someone!
  10. rofl.

    rofl. Banned

    Joined:
    Dec 27, 2008
    Messages:
    821
    Likes Received:
    0
    Device:
    2G iPod touch
    Oh wow, this thing is persistent.

    One last thing you could try before doing a restore to last good date...

    1. Run the following program: http://download.bleepingcomputer.com/grinler/rkill.exe
    That stops all malware activities.

    2. Let it stay on for a few moments then try searching for anything on google (or whatever site you found this problem) it should be able to go to the site you clicked on, and not a spam site. If it works, then that proves that it is, in fact, malware.

    If it doesn't work, then it is either the program, or you may need to run a virus scan. I use Avast! which you can download here: http://www.avast.com/eng/download-avast-home.html.

    3. Run m-bam with the program running.

    4. Restart computer

    5. Post another HiJack-this log and then the m-bam log.

    ===

    The absolute last thing I would suggest is restoring your computer to the latest point where the infection was not there.

    1.Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.

    2.On the Welcome screen, click Restore my computer to an earlier time, and then click Next.

    3.On the Select a Restore Point page, select the date from the calendar that shows the point you'd like to restore to, as shown below, and then click Next.

    Please Register or Log in to view images



    4.On the Confirm Restore Point Selection page, verify that the correct restore point is chosen, and then close any open programs.

    5.Click Next if you are ready to proceed or click Back to change the restore point.

    6.The computer will shut down automatically and reboot. On reboot, you'll see the Restoration Complete page, and then click OK.

    After reviewing the stability of your system, you can choose another restore point or undo this restoration. Just open System Restore and make the appropriate choice. After you use System Restore, you'll have an additional task, Undo my last restoration, on the System Restore Welcome page. Remember that you'll have to reinstall any programs that were installed after the restore point.

    If System Restore doesn't work in Normal Mode, it might work in Safe Mode. To use System Restore in Safe Mode, press the F8 key during reboot and choose Safe Mode. When your computer starts in either Safe Mode or Normal Mode, System Restore can be used to capture a working previous state. System Restore can't be opened unless the system is bootable into one of these modes.

    (source: http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx)


    This only restores your program files, drivers, etc. Your documents will not be removed.

    Hope this helps!

Share This Page