
Dr. Watson's Please Help [resolved]



#1 punkrockjew (Member, 10 posts)
Hi, I cannot open any folders because of Dr. Watson's postmortem debugger. Please let me know what I need to do to fix it. Thanks so much for your help! Adam

Here is my logfile


Logfile of HijackThis v1.99.1
Scan saved at 7:06:23 AM, on 2/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\EZSP_PX.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\atlrs32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\winjx32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Adam Parker\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {78F80350-DF77-499E-4B59-72E1FF551449} - C:\WINDOWS\system32\ieve32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [atlrs32.exe] C:\WINDOWS\system32\atlrs32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\winjx32.exe" /s (file missing)


#2 Guest_thatman_* (Guest)
Hi punkrockjew

Welcome to geekstogo ;)

Please set your system to show all files; see here for how to do this if you're unsure.

Copy and paste this document and save it to your desktop. Or if you have a printer you can print these instructions.

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:

C:\WINDOWS\system32\atlrs32.exe
C:\WINDOWS\winjx32.exe

Exit the Task Manager when finished

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items.

O2 - BHO: (no name) - {78F80350-DF77-499E-4B59-72E1FF551449} - C:\WINDOWS\system32\ieve32.dll
O4 - HKLM\..\Run: [atlrs32.exe] C:\WINDOWS\system32\atlrs32.exe
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system32\atlrs32.exe <--Delete this file
C:\WINDOWS\winjx32.exe <--Delete this file
C:\WINDOWS\system32\ieve32.dll <--Delete this file

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we'll take another look.

Kc :tazz:

#3 punkrockjew (Topic Starter, Member, 10 posts)
Thanks a lot for your help. Unfortunately, the same problem seems to be happening as before with Dr. Watson's. When I try to open any folder it says that an error has occurred and Dr. Watson's Postmortem Debugger needs to close. It then freezes up my computer. I can fix it temporarily by closing drwtsn32.exe in the Processes section of the Task manager, but I still cannot open any folders. Here is my new logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:39:20 PM, on 2/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\EZSP_PX.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Adam Parker\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {F699347E-F69C-BC1B-8D16-4CC14C18FA74} - C:\WINDOWS\system32\sdkbt32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\winjx32.exe" /s (file missing)

Thanks again. Adam

#4 Guest_thatman_* (Guest)
Hi punkrockjew

Welcome to geekstogo

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders (be sure you're able to do this).

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

C:\Documents and Settings\John Ascani\Local Settings\Temporary Internet\ Delete all files in this folder
C:\Documents and Settings\John Ascani\Local Settings\Temp\ Delete all files in this folder

Using Windows Add Remove Program Files uninstall the following Programs:
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\ISTsvc\istsvc.exe
c:\program files\180solutions\sais.exe

Exit Add Remove Program Files when done.

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:
C:\WINDOWS\qpnrw.dll
C:\WINDOWS\d3ln32.exe

Exit the Task Manager when finished

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: Fix button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
1. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
2. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
3. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
4. Once the definitions have been updated:
5. Reconfigure Ad-Aware for Full Scan as per the following instructions:
* Launch the program, and click on the Gear at the top of the start screen.
* Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is grayed out, those features are only available in the retail version.)
o "Automatically save logfile"
o "Automatically quarantine objects prior to removal"
o Safe Mode (always request confirmation)
o Prompt to update outdated confirmation) - Change to 7 days.
* Click the "Scanning" button (On the left side).
* Under Drives & Folders, select "Scan within Archives"
* Click "Click here to select Drives + folders" and select your installed hard drives.
* Under Memory & Registry, select all options.
* Click the "Advanced" button (On the left-hand side).
* Under "Shell Integration", select "Move deleted files to Recycle Bin".
* Under "Log-file detail", select all options.
* Click on the "Defaults" button on the left.
* Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
* Click the "Tweak" button (Again, on the left-hand side).
* Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
o "Unload recognized processes during scanning."
o "Obtain command line of scanned processes"
o "Scan registry for all users instead of current user only"
* Under "Cleaning Engine", select the following:
o "Automatically try to unregister objects prior to deletion."
o "During removal, unload explorer and IE if necessary"
o "Let Windows remove files in use at next reboot."
o "Delete quarantined objects after restoring"
* Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
* Click on "Proceed" to save these Preferences.
* Click on the "Scan Now" button on the left.
* Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
6. Close all programs except ad-aware.
7. Click on "Next" in the bottom right corner to start the scan.
8. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
9. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
O2 - BHO: (no name) - {F699347E-F69C-BC1B-8D16-4CC14C18FA74} - C:\WINDOWS\system32\sdkbt32.dll


Using Windows Explorer, locate the following files/folders, and delete them if found:

C:\WINDOWS\system32\cwizo.dll
C:\WINDOWS\system32\sdkbt32.dll


Reboot into normal mode (simply restart your computer as you normally would),

Please run the following free, online virus scans. Please post the logs from both virus scans; we will need them to remove previous infections that have left files on your system.
http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.

Kc :tazz:
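Added here as a worked example, not part of the thread and not anything HijackThis or the helper ran: a small Python triage script that applies the same checks thatman used in posts #2 and #4 (unnamed O2 BHOs, O4 Run entries named after their own file, O15 trusted IP ranges, O16 downloads from unknown classes, O23 services with a missing file or unknown owner, R0/R1 entries pointing at res:// or about:blank, and a process running straight out of C:\WINDOWS) to HijackThis v1.99 log lines. The sample log is constructed from lines quoted above, and the two allowlists are assumptions rather than HijackThis rules.

```python
"""Triage a HijackThis v1.99 log for the entry classes fixed in this thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed mix of lines from the logs posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atlrs32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\winjx32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cwizo.dll/sp.html#28129
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {78F80350-DF77-499E-4B59-72E1FF551449} - C:\WINDOWS\system32\ieve32.dll
O4 - HKLM\..\Run: [atlrs32.exe] C:\WINDOWS\system32\atlrs32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\winjx32.exe" /s (file missing)
"""

# Assumptions, not HijackThis rules: benign entries that would otherwise trip the heuristics.
KNOWN_SELF_NAMED_RUN = {"ctfmon.exe"}
KNOWN_DPF_CLASSES = {"HouseCall Control", "ActiveScan Installer Class"}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[([^\]]+)\] (.*)$")
DPF_CLASS_RE = re.compile(r"\(([^)]*)\) - ")
PROC_IN_WINDIR = re.compile(r"C:\\WINDOWS\\[^\\]+", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    line: str


def command_basename(command: str) -> str:
    """Lower-cased file name of the executable in a Run-key command line."""
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def check_entry(kind: str, body: str) -> Optional[str]:
    """Map one R*/O* entry to the rule it trips, or None if it looks benign."""
    if kind in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].strip().lower()
        if value.startswith("res://") or value == "about:blank":
            return "ie-setting-hijacked"  # About:Blank / CWS style search hijack
    elif kind == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed-bho"
    elif kind == "O4":
        m = O4_RE.match(body)
        if m:
            name, command = m.groups()
            base = command_basename(command)
            if name.lower() == base and base not in KNOWN_SELF_NAMED_RUN:
                return "run-entry-named-after-file"  # e.g. [atlrs32.exe] ...\atlrs32.exe
    elif kind == "O15":
        return "trusted-ip-range"  # legitimate software does not add these silently
    elif kind == "O16":
        m = DPF_CLASS_RE.search(body)
        if not m or m.group(1) not in KNOWN_DPF_CLASSES:
            return "unknown-activex-download"
    elif kind == "O23" and ("(file missing)" in body or "Unknown owner" in body):
        return "suspicious-service"
    return None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and collect the entries worth a second look."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            # A binary directly under C:\WINDOWS (other than Explorer) is unusual on XP.
            if PROC_IN_WINDIR.fullmatch(line) and line.rsplit("\\", 1)[-1].lower() != "explorer.exe":
                findings.append(Finding("process-in-windows-root", line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            rule = check_entry(*m.groups())
            if rule:
                findings.append(Finding(rule, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:28} {f.line}")
```

On the sample above it reports exactly the eight entries the helper told the poster to end, fix or delete, and stays quiet on the Symantec, Adobe, ctfmon and HouseCall lines.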

#5 punkrockjew (Topic Starter, Member, 10 posts)
I can open my folders again! Thanks a lot!

Two comments:

(1) When I used CWShredder in Safe Mode, an error message flashed so quickly I couldn't read it and my computer rebooted automatically. I continued with the other steps in safe mode as you told me.

(2) When my computer restarted into normal mode once I was done 2 messages popped up saying that my computer had "recovered from a serious error."

Anyway, I did what you told me and it seems to have worked. There were several viruses picked up by PandaSoft and TrendMicro and I have posted the logs on this reply. Let me know what I need to do now to take care of the rest of the problems. Thanks.

Adam


(1) Trend Micro scan log

Virus Scan 33 viruses detected


Results:
We have detected 33 infected file(s) with 33 virus(es) on your computer.
Detected File Associated Virus Name
C:\WINDOWS\system32\apisv.exe TROJ_AGENT.KT
C:\WINDOWS\system32\d3ta.exe TROJ_AGENT.KT
C:\WINDOWS\system32\javapr.exe TROJ_AGENT.MP
C:\WINDOWS\system32\jwdlg.dll TROJ_CHOPENOZ.B
C:\WINDOWS\system32\mfcwl.exe TROJ_AGENT.MP
C:\WINDOWS\system32\msht32.exe TROJ_AGENT.KT
C:\WINDOWS\system32\msku.exe TROJ_AGENT.KT
C:\WINDOWS\system32\msrt32.exe TROJ_AGENT.MP
C:\WINDOWS\system32\netgh.exe TROJ_AGENT.MP
C:\WINDOWS\system32\netgq32.exe TROJ_AGENT.KT
C:\WINDOWS\system32\netzp.dll TROJ_AGENT.BCA
C:\WINDOWS\system32\ntaw32.exe TROJ_AGENT.ALL
C:\WINDOWS\system32\ntns32.exe TROJ_AGENT.KT
C:\WINDOWS\system32\nttw32.exe TROJ_AGENT.KT
C:\WINDOWS\system32\raywm.dll TROJ_CHOPENOZ.B
C:\WINDOWS\system32\sdkav32.exe TROJ_AGENT.MP
C:\WINDOWS\system32\sdkwz32.exe TROJ_AGENT.KT
C:\WINDOWS\system32\sysys32.exe TROJ_AGENT.KT
C:\WINDOWS\apico32.exe TROJ_AGENT.KT
C:\WINDOWS\apihi32.exe TROJ_AGENT.KT
C:\WINDOWS\apinn32.exe TROJ_AGENT.KT
C:\WINDOWS\atltn.dll TROJ_AGENT.BCA
C:\WINDOWS\atlyj.exe TROJ_AGENT.KT
C:\WINDOWS\ctgud.dll TROJ_CHOPENOZ.B
C:\WINDOWS\d3ko32.exe TROJ_AGENT.KT
C:\WINDOWS\ieho.exe TROJ_AGENT.KT
C:\WINDOWS\iemy.exe TROJ_AGENT.KT
C:\WINDOWS\ipqx32.exe TROJ_SMALL.SA
C:\WINDOWS\javaoe32.exe TROJ_AGENT.KT
C:\WINDOWS\msvq.exe TROJ_AGENT.KT
C:\WINDOWS\pfzrz.dll TROJ_CHOPENOZ.B
C:\WINDOWS\pjajv.dll TROJ_CHOPENOZ.B
C:\WINDOWS\winvi32.exe TROJ_AGENT.KT
Trojan/Worm Check No worm/Trojan horse detected

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer.
Trojan/Worm Name Trojan/Worm Type
Spyware Check 2 spyware programs detected

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 2 spyware(s) on your computer.
Spyware Name Spyware Type
ADW_SECTHOUGHT.A Adware
ADW_SAHAGENT.A Adware
Microsoft Vulnerability Check 1 vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 1 vulnerability/vulnerabilities on your computer.
Risk Level Issue How to Fix
Important A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected. MS05-004


(2) PandaSoft scan log


Incident Status Location

Adware:Adware/MediaTickets No disinfected Windows Registry
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msxmidi.exe
Virus:Trj/StartPage.FH Disinfected C:\Documents and Settings\Adam Parker\Desktop\backups\backup-20050228-222517-393.dll
Virus:Trj/StartPage.FH Disinfected C:\Documents and Settings\Adam Parker\Desktop\backups\backup-20050301-172410-646.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apico32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apihi32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apinn32.exe
Virus:Trj/StartPage.FH Disinfected C:\WINDOWS\apptt.exe
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\atltn.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlyj.exe
Adware:Adware/Winshow No disinfected C:\WINDOWS\ctgud.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3ko32.exe
Adware:Adware/OneMore.A No disinfected C:\WINDOWS\dfdzk.dll
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\DeskAdX.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ieho.exe
Virus:Trj/StartPage.FH Disinfected C:\WINDOWS\iejf.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\iemy.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipqx32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\javaoe32.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\kudro.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\msvq.exe
Virus:Trj/StartPage.FH Disinfected C:\WINDOWS\mszn32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\n_toauqn.log
Adware:Adware/HT401 No disinfected C:\WINDOWS\oqozh.dll
Adware:Adware/Winshow No disinfected C:\WINDOWS\pfzrz.dll
Adware:Adware/Winshow No disinfected C:\WINDOWS\pjajv.dll
Virus:Trj/StartPage.FH Disinfected C:\WINDOWS\system32\addmb32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apisv.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apptr.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3ta.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\system32\gppkq.dll
Virus:Trj/StartPage.FH Disinfected C:\WINDOWS\system32\javapr.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\system32\jmhwt.dll
Adware:Adware/Winshow No disinfected C:\WINDOWS\system32\jwdlg.dll
Virus:Trj/StartPage.FH Disinfected C:\WINDOWS\system32\mfcwl.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\msht32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\msku.exe
Virus:Trj/StartPage.FH Disinfected C:\WINDOWS\system32\msrt32.exe
Virus:Trj/StartPage.FH Disinfected C:\WINDOWS\system32\netgh.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\netgq32.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[exdl.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[mqexdlm.srg]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[exul.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\netut80ex.vxd[javexulm.vxd]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\netut80ex.vxd[msexreg.exe]
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\system32\netzp.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ntaw32.exe
Virus:Trj/StartPage.FH Disinfected C:\WINDOWS\system32\ntev.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ntns32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\nttw32.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\system32\pmsjn.dll
Adware:Adware/Winshow No disinfected C:\WINDOWS\system32\raywm.dll
Virus:Trj/StartPage.FH Disinfected C:\WINDOWS\system32\sdkav32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkol32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkwz32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysys32.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\uarll.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\vmajr.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\winvi32.exe

#6 punkrockjew (Topic Starter, Member, 10 posts)
OK, I've rebooted and now I am in normal mode. Here is my final HJT log. Please let me know what else I need to do to take care of the remaining viruses, etc.
Thanks. Adam

Logfile of HijackThis v1.99.1
Scan saved at 6:43:19 PM, on 3/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\EZSP_PX.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Documents and Settings\Adam Parker\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\winjx32.exe" /s (file missing)
#7
Guest_thatman_* - Guest
Hi punkrockjew

Important Step
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\winjx32.exe

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows. If you don't find this service listed, go ahead with the next steps.



Close all programs down, leaving only HijackThis running.
Place a check against the following items:

O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\WINDOWS\winjx32.exe" /s (file missing)

Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\winjx32.exe
C:\WINDOWS\msxmidi.exe<--Delete this file
C:\WINDOWS\apico32.exe<--Delete this file
C:\WINDOWS\apihi32.exe<--Delete this file
C:\WINDOWS\apinn32.exe<--Delete this file
C:\WINDOWS\atltn.dll<--Delete this file
C:\WINDOWS\atlyj.exe<--Delete this file
C:\WINDOWS\ctgud.dll<--Delete this file
C:\WINDOWS\d3ko32.exe<--Delete this file
C:\WINDOWS\dfdzk.dll<--Delete this file
C:\WINDOWS\Downloaded Program Files\DeskAdX.dll<--Delete this file
C:\WINDOWS\ieho.exe<--Delete this file
C:\WINDOWS\iemy.exe<--Delete this file
C:\WINDOWS\ipqx32.exe<--Delete this file
C:\WINDOWS\javaoe32.exe<--Delete this file
C:\WINDOWS\kudro.dll<--Delete this file
C:\WINDOWS\msvq.exe<--Delete this file
C:\WINDOWS\n_toauqn.log<--Delete this file
C:\WINDOWS\oqozh.dll<--Delete this file
C:\WINDOWS\pfzrz.dll<--Delete this file
C:\WINDOWS\pjajv.dll<--Delete this file
C:\WINDOWS\system32\apisv.exe<--Delete this file
C:\WINDOWS\system32\apptr.exe<--Delete this file
C:\WINDOWS\system32\d3ta.exe<--Delete this file
C:\WINDOWS\system32\gppkq.dll<--Delete this file
C:\WINDOWS\system32\jmhwt.dll<--Delete this file
C:\WINDOWS\system32\jwdlg.dll<--Delete this file
C:\WINDOWS\system32\msht32.exe<--Delete this file
C:\WINDOWS\system32\msku.exe<--Delete this file
C:\WINDOWS\system32\netgq32.exe<--Delete this file
C:\WINDOWS\system32\exdl.exe<--Delete this file
C:\WINDOWS\system32\netut80ex.vxd<--Delete this file
C:\WINDOWS\system32\javexulm.vxd<--Delete this file
C:\WINDOWS\system32\msexreg.exe<--Delete this file
C:\WINDOWS\system32\exul.exe<--Delete this file
C:\WINDOWS\system32\mqexdlm.srg<--Delete this file
C:\WINDOWS\system32\netzp.dll<--Delete this file
C:\WINDOWS\system32\ntaw32.exe<--Delete this file
C:\WINDOWS\system32\ntns32.exe<--Delete this file
C:\WINDOWS\system32\nttw32.exe<--Delete this file
C:\WINDOWS\system32\pmsjn.dll<--Delete this file
C:\WINDOWS\system32\raywm.dll<--Delete this file
C:\WINDOWS\system32\sdkol32.exe<--Delete this file
C:\WINDOWS\system32\sdkwz32.exe<--Delete this file
C:\WINDOWS\system32\sysys32.exe<--Delete this file
C:\WINDOWS\uarll.dll<--Delete this file
C:\WINDOWS\vmajr.dll<--Delete this file
C:\WINDOWS\winvi32.exe<--Delete this file

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we'll take another look.

Kc :tazz:
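The O23 line above is flagged by thatman on a few tells: no vendor recorded, a binary sitting directly in C:\WINDOWS, a stray quote in the image path, a garbled display name and "(file missing)". The script below is an added example, not from this thread or from HijackThis, that applies the same checks to every O23 line in a log so they can be triaged in bulk; the sample lines are constructed from the logs posted in this thread.

```python
import re

# Constructed sample: three O23 lines modelled on the logs posted in this thread
SAMPLE_LOG = """\
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\\WINDOWS\\System32\\DVDRAMSV.exe
O23 - Service: Network Security Service (NSS) ( 6Q'8) - Unknown owner - C:\\WINDOWS\\winjx32.exe" /s (file missing)
"""

# HijackThis O23 layout: "O23 - Service: <display name> - <owner> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Characters a legitimate display name is expected to use; anything else is a red flag
NAME_OK = re.compile(r"^[A-Za-z0-9 ()_.,&/-]+$")
# First executable/library on the image path, ignoring a leading quote and trailing arguments
IMAGE_RE = re.compile(r'"?(?P<exe>.+?\.(?:exe|dll|sys))', re.IGNORECASE)
# Malware in this thread dropped its binaries directly in the Windows root
WINDOWS_ROOTS = ("c:\\windows", "c:\\winnt")


def triage_o23(log_text):
    """Return {display_name: [reasons]} for every O23 line that looks suspicious."""
    findings = {}
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        name, owner, path = m.group("name"), m.group("owner"), m.group("path")
        reasons = []
        if owner.lower() == "unknown owner":
            reasons.append("no vendor/owner recorded")
        if path.endswith("(file missing)"):
            reasons.append("service binary missing on disk")
        if path.count('"') % 2 == 1:
            reasons.append("unbalanced quote in image path")
        if not NAME_OK.match(name):
            reasons.append("display name contains unusual characters")
        exe_match = IMAGE_RE.match(path)
        exe = exe_match.group("exe") if exe_match else path
        parent = exe.rsplit("\\", 1)[0].lower() if "\\" in exe else ""
        if parent in WINDOWS_ROOTS:
            reasons.append("binary sits in the Windows root rather than System32")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for service, why in triage_o23(SAMPLE_LOG).items():
        print(service)
        for reason in why:
            print("  -", reason)
```

Only the winjx32.exe service is reported, with all five tells; the Symantec and DVD-RAM services pass every check.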
#8
punkrockjew - Topic Starter, Member, 10 posts
Hey,

So after I posted my logfile the last time, once I had finished all the steps of cleaning, I ran Adaware and the 2 online virus scans you suggested, which removed most of the things you told me to remove this time. I only found a couple and I was able to delete them without even being in safe mode. I disabled the service you told me to and I saved a new logfile. Thanks. Adam

Logfile of HijackThis v1.99.1
Scan saved at 3:38:23 PM, on 3/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\WINDOWS\System32\EZSP_PX.EXE
C:\toshiba\sysstability\tsyssmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Documents and Settings\Adam Parker\Desktop\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\EZSP_PX.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AnyWho - {0264505A-6793-44E0-AC75-9DCE3B13185C} - C:\Program Files\AT&T\WnClient\Programs\AnyWho.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
#9
Guest_thatman_* - Guest
Hi punkrockjew

Download the ccleaner
I use this program and it is set up like this: all boxes are checked.

Clean out all temp files in Mozilla, Internet Explorer.
Internet Explorer: Tools/ Internet Options/ General/ Temporary internet files/ Delete Files (note that this may take a very long time!). You can also set the memory limit to about 80 MB in the Settings.

Mozilla: Edit/ Options/ Extended/ Cache/ Clear Cache

Turn off system restore
Disabling or enabling Windows XP System Restore

Defrag your hard drive, turn system restore back on and create a new restore point.

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here http://windowsupdate.microsoft.com/ to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.

After doing all these, your system will be thoroughly protected from future threats. :thumbsup:

Kc ;)
#10
punkrockjew - Topic Starter, Member, 10 posts
Thanks so much for all your help! I have 2 more questions:

1) My disk is not done defragmenting, but the last few times I have tried to use CWShredder it has automatically restarted my computer after flashing an error message. When I restart it says that my system has recovered from a serious error. Is this a problem with my computer or is there just something wrong with CWShredder? It happens only once it gets to a certain point in the scan.

2) What exactly does defragmenting do?

Thanks.
Adam
#11
Guest_thatman_* - Guest
Hi punkrockjew

Defragmenting the hard drive improves the performance of your hard drive when it's searching for files; it brings all the files together, reducing the need for the hard drive read heads to jump all over the place looking for the files you have clicked on. I defrag my drives every day, clean out my temp files and clear out all junk with the ccleaner.

One more item: you can click on the error checking tool just above the defrag icon and see if any of the files on your drive have been corrupted by the malware.

Post back if you're having any problems.

Kc :tazz:
#12
punkrockjew - Topic Starter, Member, 10 posts
One more thing...
It seems that I can't open my gmail account. It flashes an error message when I try to log in saying that the file cannot be found, please try again. Anything wrong?
Thanks.
adam
#13
Guest_thatman_* - Guest
Hi punkrockjew

The malware will have affected or corrupted your Gmail files. Can you reinstall the program?

Kc :tazz:
#14
Guest_thatman_* - Guest
Topic resolved

Kc :tazz: