Defensive software deactivated



#1
pjbarefield
    New Member, 3 posts
I am running XP on an e-machine. I worked through your process a few months ago to get rid of a virus, and downloaded all the recommended programs. A couple of days ago McAfee firewall wouldn't start, and when I tried to run the various anti-virus (Sophos) and anti-spyware/malware programs none of these would start except for Search and Destroy. On top of this I can't start any administration software or task manager. I have uninstalled most of the spyware progs intending to download them again from this site, but I also seem to be barred from downloading these and fixes from Microsoft.

Normal programs such as Word and AOL for example are working normally. I have tried starting in safe mode and restoring the config, but that didn't cure the problem. Needless to say XP system restore won't start up either. Sorry but for the same reason I can't provide a hijackthis log.

From this morning, every time I boot up I get an unpleasant text file displayed from some nerd who calls himself N+E+T+D+E+V+I+L. As this is a family site I will not give you the content.

I would appreciate any ideas guys!!!

#2
Wizard
    Retired Staff, 5,661 posts
You said you were here before?

Do you have an old version of HijackThis?

If not, have you tried to download it?
HijackThis 1.99.1

If no, try this little utility:
CoolWWWSearch.SmartKiller (v1/v2)

Once it runs, try HijackThis again; if still No Go, Post back and we will try something else!

#3
pjbarefield
    New Member (Topic Starter), 3 posts
I've downloaded and unzipped both files OK. When I try to run them I get the security screen 'The publisher could not be verified...' which should give me the option to run the program. Unfortunately there is barely time to read the display before it disappears.

#4
Wizard
    Retired Staff, 5,661 posts
Hmmmm, I see this is going to be fun!!!

Try this: follow the same procedure but this time in Safe Mode!

To get to Safe Mode with Networking:

Restart the PC; as Windows Loads Up, tap the F8 key constantly until the Safe Mode Selection Screen Appears!

Select your Operating System if prompted, then locate Safe Mode with Networking and Select it!

Connect the PC to the Internet and Try to run the SmartKiller tool, then HijackThis!

If HijackThis Runs, Save the Scan and Post the Results here!

Edited by Cretemonster, 20 March 2005 - 06:33 AM.


#5
pjbarefield
    New Member (Topic Starter), 3 posts
A minor victory: it allowed me to unblock the security using Properties. Unfortunately I can't do the same with delcwssk!!!

Logfile of HijackThis v1.99.1
Scan saved at 13:42:02, on 20/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mcsv.com
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Documents and Settings\Peter\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.pas...uth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com
O1 - Hosts: 212.58.240.33 www.symantec.com
O1 - Hosts: 212.58.240.33 www.sophos.com
O1 - Hosts: 212.58.240.33 www.mcafee.com
O1 - Hosts: 212.58.240.33 www.viruslist.com
O1 - Hosts: 212.58.240.33 www.f-secure.com
O1 - Hosts: 212.58.240.33 www.avp.com
O1 - Hosts: 212.58.240.33 www.kaspersky.com
O1 - Hosts: 212.58.240.33 www.networkassociates.com
O1 - Hosts: 212.58.240.33 www.ca.com
O1 - Hosts: 212.58.240.33 www.my-etrust.com
O1 - Hosts: 212.58.240.33 www.nai.com
O1 - Hosts: 212.58.240.33 www.trendmicro.com
O1 - Hosts: 212.58.240.33 www.grisoft.com
O1 - Hosts: 212.58.240.33 securityresponse.symantec.com
O1 - Hosts: 212.58.240.33 symantec.com
O1 - Hosts: 212.58.240.33 sophos.com
O1 - Hosts: 212.58.240.33 mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantecliveupdate.com
O1 - Hosts: 212.58.240.33 viruslist.com
O1 - Hosts: 212.58.240.33 f-secure.com
O1 - Hosts: 212.58.240.33 kaspersky.com
O1 - Hosts: 212.58.240.33 kaspersky-labs.com
O1 - Hosts: 212.58.240.33 avp.com
O1 - Hosts: 212.58.240.33 networkassociates.com
O1 - Hosts: 212.58.240.33 ca.com
O1 - Hosts: 212.58.240.33 mast.mcafee.com
O1 - Hosts: 212.58.240.33 my-etrust.com
O1 - Hosts: 212.58.240.33 download.mcafee.com
O1 - Hosts: 212.58.240.33 dispatch.mcafee.com
O1 - Hosts: 212.58.240.33 secure.nai.com
O1 - Hosts: 212.58.240.33 nai.com
O1 - Hosts: 212.58.240.33 update.symantec.com
O1 - Hosts: 212.58.240.33 updates.symantec.com
O1 - Hosts: 212.58.240.33 us.mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantec.com
O1 - Hosts: 212.58.240.33 customer.symantec.com
O1 - Hosts: 212.58.240.33 rads.mcafee.com
O1 - Hosts: 212.58.240.33 trendmicro.com
O1 - Hosts: 212.58.240.33 grisoft.com
O1 - Hosts: 212.58.240.33 sandbox.norman.no
O1 - Hosts: 212.58.240.33 www.pandasoftware.com
O1 - Hosts: 212.58.240.33 uk.trendmicro-europe.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41A4159A-5E43-B233-86FD-BEE550CB4EAF} - C:\WINDOWS\system32\haapvntb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7BA4BDE5-48B7-E940-6D32-1D123EE1EED9} - C:\WINDOWS\system32\srxkkuae.dll
O2 - BHO: (no name) - {AC3EB09A-3251-CC71-0F68-94AC828D57CA} - C:\WINDOWS\system32\sbekhmur.dll (file missing)
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [lgqugeez] C:\WINDOWS\system32\lgqugeez.exe
O4 - HKLM\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKLM\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe
O4 - HKCU\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: McAfee Personal Firewall Plus.lnk = C:\Program Files\McAfee.com\Personal Firewall\MpfConsole.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.co...g-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://game4.pogo.co...u-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game5.pogo.co...n-ob-assets.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivil...ve/makeover.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab30149.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc....kup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylomg...gamesplayer.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: qhwqgvwvjeru (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

#6
Wizard
    Retired Staff, 5,661 posts
Alas, Something I can see!!!!

Great job getting HijackThis to work!!

Copy & Paste these Instructions to NotePad, then Physically Unplug your Internet Connection from the Back of the PC!

First, we need to Disable a Service; to do this:

Click Start>>>Click Run>>>Type in Services.msc and Click OK!

This opens the Services Page. Scroll down that List and Locate this entry:

MsUpdate6
It may be listed like this:
qhwqgvwvjeru (MsUpdate6)

Once located, Right Click the Service Name and Select Properties!

Now Click The Stop Button, then go to StartUp Type and Change it to Disabled!

Unregister these DLLs; to do this:

Click Start>>>Click Run>>>Copy & Paste the Text below into the Text Box and Click OK!

regsvr32 /u haapvntb.dll
If you get an error message, try it like this:
regsvr32 /u C:\WINDOWS\system32\haapvntb.dll

Do the same for these:

regsvr32 /u srxkkuae.dll
or
regsvr32 /u C:\WINDOWS\system32\srxkkuae.dll


regsvr32 /u toolbar.dll
or
regsvr32 /u "C:\Program Files\Toolbar\toolbar.dll"

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com

O1 - Hosts: 212.58.240.33 www.symantec.com
O1 - Hosts: 212.58.240.33 www.sophos.com
O1 - Hosts: 212.58.240.33 www.mcafee.com
O1 - Hosts: 212.58.240.33 www.viruslist.com
O1 - Hosts: 212.58.240.33 www.f-secure.com
O1 - Hosts: 212.58.240.33 www.avp.com
O1 - Hosts: 212.58.240.33 www.kaspersky.com
O1 - Hosts: 212.58.240.33 www.networkassociates.com
O1 - Hosts: 212.58.240.33 www.ca.com
O1 - Hosts: 212.58.240.33 www.my-etrust.com
O1 - Hosts: 212.58.240.33 www.nai.com
O1 - Hosts: 212.58.240.33 www.trendmicro.com
O1 - Hosts: 212.58.240.33 www.grisoft.com
O1 - Hosts: 212.58.240.33 securityresponse.symantec.com
O1 - Hosts: 212.58.240.33 symantec.com
O1 - Hosts: 212.58.240.33 sophos.com
O1 - Hosts: 212.58.240.33 mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantecliveupdate.com
O1 - Hosts: 212.58.240.33 viruslist.com
O1 - Hosts: 212.58.240.33 f-secure.com
O1 - Hosts: 212.58.240.33 kaspersky.com
O1 - Hosts: 212.58.240.33 kaspersky-labs.com
O1 - Hosts: 212.58.240.33 avp.com
O1 - Hosts: 212.58.240.33 networkassociates.com
O1 - Hosts: 212.58.240.33 ca.com
O1 - Hosts: 212.58.240.33 mast.mcafee.com
O1 - Hosts: 212.58.240.33 my-etrust.com
O1 - Hosts: 212.58.240.33 download.mcafee.com
O1 - Hosts: 212.58.240.33 dispatch.mcafee.com
O1 - Hosts: 212.58.240.33 secure.nai.com
O1 - Hosts: 212.58.240.33 nai.com
O1 - Hosts: 212.58.240.33 update.symantec.com
O1 - Hosts: 212.58.240.33 updates.symantec.com
O1 - Hosts: 212.58.240.33 us.mcafee.com
O1 - Hosts: 212.58.240.33 liveupdate.symantec.com
O1 - Hosts: 212.58.240.33 customer.symantec.com
O1 - Hosts: 212.58.240.33 rads.mcafee.com
O1 - Hosts: 212.58.240.33 trendmicro.com
O1 - Hosts: 212.58.240.33 grisoft.com
O1 - Hosts: 212.58.240.33 sandbox.norman.no
O1 - Hosts: 212.58.240.33 www.pandasoftware.com
O1 - Hosts: 212.58.240.33 uk.trendmicro-europe.com

O2 - BHO: (no name) - {41A4159A-5E43-B233-86FD-BEE550CB4EAF} - C:\WINDOWS\system32\haapvntb.dll

O2 - BHO: (no name) - {7BA4BDE5-48B7-E940-6D32-1D123EE1EED9} - C:\WINDOWS\system32\srxkkuae.dll

O2 - BHO: (no name) - {AC3EB09A-3251-CC71-0F68-94AC828D57CA} - C:\WINDOWS\system32\sbekhmur.dll (file missing)

O4 - HKLM\..\Run: [lgqugeez] C:\WINDOWS\system32\lgqugeez.exe

O4 - HKLM\..\Run: [SDAv] C:\WINDOWS\svhost.exe

O4 - HKLM\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe

O4 - HKCU\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe

O4 - HKCU\..\Run: [SDAv] C:\WINDOWS\svhost.exe

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.ivil...ve/makeover.cab

O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game14.zylomg...gamesplayer.cab

O23 - Service: qhwqgvwvjeru (MsUpdate6) - Unknown owner - C:\WINDOWS\system32\msupd6.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
Safe Mode

After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders; this must be done after restarting in Safe Mode!!

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Now locate and Delete these Files or Folders listed in Bold Print:

C:\Program Files\Toolbar<<< Entire Toolbar Folder!

C:\WINDOWS\system32\mcsv.com<<< File Only!

C:\WINDOWS\system32\msupd6.exe<<< File Only!

C:\WINDOWS\system32\haapvntb.dll<<< File Only!

C:\WINDOWS\system32\srxkkuae.dll<<< File Only!

C:\WINDOWS\system32\lgqugeez.exe<<< File Only!

Pay close attention to special Instructions beside the next 2 Entries!

C:\WINDOWS\system32\csnss.exe<<< Just as I have it spelled!!
There is a Legit Process with a Similar name:
csrss.exe<<<Legit!!!

csnss.exe<<< Bad,Nasty,Ugly,Make it go away!!!!

C:\WINDOWS\svhost.exe<<< Just as I have it spelled and the one located in the Windows Folder!!

C:\WINDOWS\system32\svchost.exe<<< This is the Legit Entry!!!

C:\WINDOWS\svhost.exe<<< Bad,Nasty,Ugly,Make it go away!!!!

If you can't seem to locate any of these entries, Use the Search Assistant (Click Start>>>Click Search) and Configure it like this:

Open the Search Assistant,
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by these 3:

Search System Folders
Search hidden files and folders
Search Subfolders

Now under All Files and Folders,enter this into the text box:

If it returns any EXACT matches,delete it!!!

Make sure to Empty the Recycle Bin before restarting!!

Restart the PC in Normal Mode Now and see if you can download this Utility:

Download the Hoster from here.
Hoster
Unzip and Extract All Files!
Open the Program:
Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.

If all goes well,Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK.
Make Sure Normal Startup is Checked!!
Select the tab labeled Startup and put a Check by every box there!! Once everything is enabled, run "Hijack This!" and post a new log to this thread!!

Here is a link explaining:
Msconfig
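As an added example (not code from the thread, from Wizard, or from HijackThis), the script below applies the three checks Wizard makes by eye on the log above to HijackThis-style lines: security-vendor hosts pinned to one non-loopback address, a UserInit value that chains a second program, and Run entries whose filename imitates a legitimate Windows binary. The sample lines are constructed from entries quoted in the thread; the vendor list and the lookalike table are assumptions.

```python
# Added example (not the thread's or HijackThis' own code): Wizard's three by-eye checks.
import re
from collections import Counter

# Vendor name fragments whose hosts malware blackholes (assumed list).
VENDOR_HINTS = ("symantec", "sophos", "mcafee", "kaspersky", "f-secure",
                "trendmicro", "grisoft", "nai.com", "avp.com", "pandasoftware")
# Filenames that imitate legitimate Windows binaries (assumed lookalike table).
LOOKALIKES = {"csnss.exe": "csrss.exe", "svhost.exe": "svchost.exe"}

# Constructed sample lines, drawn from entries quoted in the thread's log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mcsv.com
O1 - Hosts: 212.58.240.33 www.symantec.com
O1 - Hosts: 212.58.240.33 www.sophos.com
O1 - Hosts: 212.58.240.33 download.mcafee.com
O4 - HKLM\..\Run: [SDAv] C:\WINDOWS\svhost.exe
O4 - HKLM\..\Run: [NDAv] C:\WINDOWS\system32\csnss.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
"""

def command_basename(target):
    """Lowercase filename of a Run-entry command, ignoring quotes and arguments."""
    target = target.strip()
    path = target[1:].split('"', 1)[0] if target.startswith('"') else target.split()[0]
    return path.rsplit("\\", 1)[-1].lower()

def triage(log):
    """Return one finding string per hijack pattern found in a HijackThis log."""
    findings = []
    pinned = Counter()  # non-loopback IP -> number of vendor hosts sent to it
    for line in log.splitlines():
        m = re.match(r"O1 - Hosts: (\S+) (\S+)", line)
        if m:
            ip, host = m.groups()
            if ip != "127.0.0.1" and any(v in host for v in VENDOR_HINTS):
                pinned[ip] += 1
            continue
        m = re.match(r"F2 - REG:system.ini: UserInit=(.+)", line)
        if m:
            programs = [p.strip() for p in m.group(1).split(",") if p.strip()]
            extra = [p for p in programs if not p.lower().endswith("userinit.exe")]
            if extra:
                findings.append("UserInit chains extra program(s): " + ", ".join(extra))
            continue
        m = re.match(r"O4 - .*\\Run: \[[^\]]*\] (.+)", line)
        if m:
            name = command_basename(m.group(1))
            if name in LOOKALIKES:
                findings.append(f"Run entry {name} imitates {LOOKALIKES[name]}")
    for ip, count in pinned.items():
        findings.append(f"{count} security-vendor host(s) pinned to {ip} in hosts file")
    return findings
```

Running `triage(SAMPLE_LOG)` reports the mcsv.com UserInit chain, both lookalike Run entries, and three vendor hosts pinned to 212.58.240.33; a hosts line mapping a vendor to 127.0.0.1 is not reported, since the thread's concern is redirection to a foreign address.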





