Geeks to Go forums
Dr. Watson I presume [resolved]

(This topic is locked)

#1
The Smooth Operator
  • Member
  • 64 posts
Hi, so glad I found this forum!

I'm under attack here guys. My homepage never stays to what I want it to (now it's an about:blank / search page); I have pop-ups all the time, some that take forever to load (and cancelling them before they do load means terminating IE); pc occasionally restarts without any prior warning; Explorer, desktop, taskbar freeze - although programs still run normally (coincides with a Dr. Watson debugger error report); and I keep getting a balloon about windows security unknown, etc. I did have Norton for the trial period, but cannot afford to pay for its retail version.

I've downloaded HijackThis, CWShredder, AVS, AboutBuster. And, I've read a lot of these threads, but not sure if most of the information is specific to the original poster's needs, or whether I should just copy the advice.

At the moment every time I click on Windows Explorer, or any desktop items, I have to cold boot my comp. I'm only able to browse Windows by going through IE, and Folders. Getting real serious now, as it's a personal pc I still use to handle all my business things, so kinda scary.

Anyone got some time to help me fix my problems? Please?

Jim
:tazz:

#2
Guest_thatman_*
  • Guest
Hi The Smooth Operator

Please click on the link below.
Please read all the topic first.
http://www.geekstogo..._Log-t2852.html

Kc :tazz:

#3
The Smooth Operator
  • Topic Starter
  • Member
  • 64 posts
I've followed all the instructions there. Tried installing the SP1a update but it says there is no Windows Update currently to download.

The TDS3 program didn't report anything, but I'm overwhelmed with the interface and not sure what I need to do with it.

The CoolWebShredder didn't find anything.

There are a few files that AVS cannot fix or delete due to them being in use.

Spybot cleared up a lot it seems, but the computer has failed to reboot now a couple of times.

Ad-Aware, again, has quarantined 1000 files.

The problem still persists.

Here's the log from HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 22:54:00, on 27/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\apizw.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\d3ap.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchxp.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zmico.dll/sp.html#44768
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\allp9nwm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\allp9nwm.slt\prefs.js)
O2 - BHO: (no name) - {EB4D80CE-A5EA-A544-8137-2F007EEFD4DA} - C:\WINDOWS\system32\syspz.dll
O4 - HKLM\..\Run: [vqcweyxkky] C:\WINDOWS\System32\ubjsqfd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [d3ap.exe] C:\WINDOWS\system32\d3ap.exe
O4 - HKLM\..\RunOnce: [apizw.exe] C:\WINDOWS\apizw.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.133
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...w.viewpoint.com
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...e5ecd/enter.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49...dsldbaccess.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda....bc3/games30.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\apigl.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Windows System Uninstaller (HackerDefender100) - Unknown owner - C:\WINDOWS\winunins.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)

Thank you in advance.

Jim

#4
Michelle
  • Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
You can't download Service Pack 1a because you have already surpassed it with Service Pack 2 on your system :tazz:

Ok here is your fix, hopefully your computer will quit restarting itself after this!

Please print these instructions before continuing

You have a nasty about:blank infection that requires various programs in order to fix. Please download the programs listed below, but do not run them yet:

1) About:Buster:
*Download it and extract it to C:/aboutbuster.
*Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
*Click "OK" at the prompt with instructions.
*Click "Update" and then "Check For Update" to begin the update process.
*If any updates exist please download them by clicking "Download Update".
*You should not run the program yet so click "Exit".
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update. After installing Ad-Aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run a scan. Manually run "Ad-Aware SE Personal" and from the main screen click on "Check for Updates Now".

IMPORTANT STEP
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the services called:

Workstation NetLogon Service
Windows System Uninstaller (HackerDefender100)
Security Agent (scagent)


When you find them, double-click on each one. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find these services listed, go ahead with the next steps.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continuously tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run CWShredder
-Next, click on the: Fix button
-Follow the prompts, and press OK

Run AboutBuster and save the logs
*Browse to where you saved AboutBuster and run AboutBuster.exe.
*Click "OK" at the directions Read: Important! prompt.
*Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
*Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
*Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
*When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
Click "Exit" and "Exit" again to exit AboutBuster.

Run CleanUp!
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
Reconfigure Ad-Aware for Full Scan as per the following instructions:
In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
5) Scan my IE Favorites for banned URLs
6) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom left side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects.

Reboot in normal mode.

Please run both of these online virus scans:
TrendMicro's HouseCall - check "Auto Clean"
ActiveScan

Please press CTRL ALT DELETE and click on the "Processes" tab. End the following processes, if found:

d3ap.exe
apizw.exe


Exit Task Manager.

Make sure you are disconnected from the Internet, all other programs and windows are closed and run HijackThis again. Please place a checkmark next to the following items, if they exist, and then click "FIX CHECKED":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchxp.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zmico.dll/sp.html#44768
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {EB4D80CE-A5EA-A544-8137-2F007EEFD4DA} - C:\WINDOWS\system32\syspz.dll

O4 - HKLM\..\Run: [vqcweyxkky] C:\WINDOWS\System32\ubjsqfd.exe
O4 - HKLM\..\Run: [d3ap.exe] C:\WINDOWS\system32\d3ap.exe
O4 - HKLM\..\RunOnce: [apizw.exe] C:\WINDOWS\apizw.exe

O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.133
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...w.viewpoint.com
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comne...iveSekurity.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...e5ecd/enter.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.49...dsldbaccess.exe
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda....bc3/games30.cab

O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\apigl.exe (file missing)
O23 - Service: Windows System Uninstaller (HackerDefender100) - Unknown owner - C:\WINDOWS\winunins.exe (file missing)
O23 - Service: Security Agent (scagent) - Unknown owner - C:\WINDOWS\system32\scagent.exe" start (file missing)


Close HiJack This and reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8, then highlighting "Safe Mode" on the menu then hitting enter. Delete the following files, IF FOUND (in bold).

Be sure you're able to VIEW HIDDEN FILES

Use Windows Explorer to locate the following FILES to delete:

C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\winunins.exe
C:\WINDOWS\apigl.exe
C:\WINDOWS\System32\ubjsqfd.exe
C:\WINDOWS\system32\d3ap.exe
C:\WINDOWS\apizw.exe
C:\WINDOWS\system32\syspz.dll
C:\WINDOWS\zmico.dll/sp.html#44768

Reboot your computer in normal mode and post a new HiJackThis log and we'll clean up what's left.

Michelle
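A small triage helper, added here as an example (it is not part of this thread and not HijackThis's own code): it reads HijackThis log lines and flags the kinds of entries Michelle ticks above (res:// search pages, the about:blank default page, a missing URLSearchHook, an unnamed BHO, autostarts dropped straight into the Windows directory, Trusted Zone additions, DPF downloads from a bare IP, and O23 services whose binary is missing), then collects the local files those entries point at, which is the delete list at the end of her post. The sample entries are copied from the logs in this thread except the two O16 URLs, which are constructed placeholders because the originals are truncated on the page; the System32 allowlist and the heuristics are my own assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt: entries copied from the HijackThis logs in this thread,
# plus one benign entry per section as a control. The O16 URLs are placeholders.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchxp.com/search.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EB4D80CE-A5EA-A544-8137-2F007EEFD4DA} - C:\WINDOWS\system32\syspz.dll
O4 - HKLM\..\Run: [vqcweyxkky] C:\WINDOWS\System32\ubjsqfd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [apizw.exe] C:\WINDOWS\apizw.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 213.159.117.133
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://203.0.113.7/placeholder.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.example.net/xscan53.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\apigl.exe (file missing)
O23 - Service: Windows System Uninstaller (HackerDefender100) - Unknown owner - C:\WINDOWS\winunins.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

ENTRY_RE = re.compile(r"^([RONF]\d+) - (.*)$")
# Local .exe/.dll paths without spaces (enough for the Windows-directory entries here).
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"()]+?\.(?:exe|dll)', re.I)
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.I)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\System32\\[^\\]+$", re.I)
# Assumed allowlist: Windows components that legitimately start from System32.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "wuauclt.exe"}
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def first_path(text):
    m = PATH_RE.search(text)
    return m.group(0) if m else ""


def classify(section, body):
    """Return a reason string if the entry matches a hijack pattern, else None."""
    if section in ("R0", "R1"):
        value = body.split("=", 1)[1].strip().lower() if "=" in body else ""
        if value.startswith("res://"):
            return "IE search/start page served from a local DLL resource"
        if value == "about:blank":
            return "IE default page forced to about:blank"
        return None  # other hijacked URLs need a domain reputation check
    if section == "R3" and "missing" in body:
        return "URLSearchHook removed"
    if section == "O2" and "(no name)" in body:
        return "unnamed Browser Helper Object"
    if section == "O4":
        path = first_path(body)
        if WINDIR_ROOT_RE.match(path):
            return "autostart executable placed directly in the Windows directory"
        if SYSTEM32_RE.match(path) and path.rsplit("\\", 1)[-1].lower() not in KNOWN_SYSTEM32:
            return "autostart executable in System32 not on the known list"
        return None
    if section == "O15":
        return "site or IP range added to the Trusted zone"
    if section == "O16":
        host = urlsplit(body.rsplit(" - ", 1)[-1].strip()).hostname or ""
        return "ActiveX download from a bare IP address" if IPV4_RE.fullmatch(host) else None
    if section == "O23":
        if "(file missing)" in body:
            return "service whose binary is missing from disk"
        if "Unknown owner" in body and WINDIR_ROOT_RE.match(first_path(body)):
            return "service with no vendor name running from the Windows directory root"
        return None
    return None


def triage(log_text):
    """Return (findings, files): flagged entries with a reason, and the unique
    local .exe/.dll paths those entries reference, in first-seen order."""
    findings, files = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        reason = classify(m.group(1), m.group(2))
        if reason is None:
            continue
        findings.append((line, reason))
        for path in PATH_RE.findall(line):
            if path.lower() not in {p.lower() for p in files}:
                files.append(path)
    return findings, files


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG)[0]:
        print(f"[{why}] {entry}")
```

The searchxp.com line is deliberately not caught: a plain http:// search URL only looks wrong once you know the domain, which is why the helpers in this thread still read the log by hand.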

#5
The Smooth Operator
  • Topic Starter
  • Member
  • 64 posts
A) The CleanIt! website has some broken links where the files should be, so can't get that right now.

B) services.msc : The 3 items were there, but they said status: stopped already. I changed them from Automatic to Disabled however.

C) Not sure how to Show Hidden Files, because of the nature of my virus, I can't open folders, so I can't click on Tools > Folder Options. At the moment, I use IE to explore my folders and system, but there is no Folder Options under Tools. I have run a xphidden.zip seeing advice given to others.

D) CWS v2.13 not found anything. Good.

E) Ad-Buster seemed to be doing the business, then it crashed around 31% done. And system rebooted automatically. I tried 2 more times. After it shuts down Explorer, it scans for a bit more, then there's a flash of a pop up window too quick to read but mentioning SafeMode (which I was already in). Then it gets stuck saying Error Removing! C:\WINDOWS\system32\hlpchh.dll (This file AVS is also prompting me about because it says it cannot Fix or Delete it as it may be in use, so I always click Continue)

F) Running Ad-Aware. I've already set up the config as suggested by you or others on another thread and deleted or quarantined hundreds of critters, but now running it, it gets to about 200 / 20,000 files and system reboots again.

I'll wait for a response to see if I should continue with the rest of your advice.

Cheers,

Jim.

#6
The Smooth Operator
  • Topic Starter
  • Member
  • 64 posts
Forgot to mention, the system32\hlpchh.dll file AVS cannot remove or fix (and that is making AboutBuster stuck); AVS said it was the Trojan.backdoor.BA thing.

I'm going to go try the housecall and activescan and HijackThis again.

Jim.

#7
Michelle
  • Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
A) The CleanIt! website has some broken links where the files should be, so can't get that right now.

Ok, we'll get back to that

B) services.msc : The 3 items were there, but they said status: stopped already. I changed them from Automatic to Disabled however.

Good

C) Not sure how to Show Hidden Files, because of the nature of my virus, I can't open folders, so I can't click on Tools > Folder Options. At the moment, I use IE to explore my folders and system, but there is no Folder Options under Tools. I have run a xphidden.zip seeing advice given to others.

This is why it's the very last of the fix to do, we have to clean up your system with the other programs before doing that since you can't access anything b/c of your infection. I hadn't planned on the programs not working :tazz:

D) CWS v2.13 not found anything. Good.

Well, not too good, since you do have the coolwebsearch on your computer!

Ok here is what I need you to do:

Please delete your temporary files. Double click My Computer (WinXP: Navigate to Start ---> My Computer). You will see an icon representing your hard drive (most likely C: drive). Right-click on the hard drive icon and click Properties at the bottom of the fly-out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"... click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

Then, run Housecall and Activescan both. Then, it would probably be a good idea to run the Trojan Scan from http://www.moosoft.com

Please copy the results from Activescan and paste them here, along with a new HiJackThis log.

#8
The Smooth Operator
  • Topic Starter
  • Member
  • 64 posts
Hehe you're still online. Great. I've been refreshing this thread all day. Lemme tell you what I've done since last posting. Housecall crashed my system. ActiveScan looked promising, I chose full system scan, and very early on crashed but not before the # went up to 10 infected files.

Said IE encountered a problem with the following add-on: syspz.dll. I notice you want me to delete that from my Windows dir, but it's not there. (Coincidentally, BHODemon told me that was installed on my registry or something, when I installed Spybot - Search & Destroy, following other advice on here).

I then did the HJT, after disconnecting from the net, but not in safe mode (does that matter?). All but one of them existed. I clicked Fix Checked.

Then rebooted. Did another HJT but notice they are still there. Were they not supposed to be deleted? Just fixed, hopefully?

Amazingly, I was scared to even try, but my windows and stuff work as they should now. So, I've gone to Folder Options and done the hidden files thing. I've searched for the files mentioned:

scagent.exe Couldn't See
ubjsqfd.exe Couldn't See
dsap.exe Found & Exterminated :tazz:
syspz.dll Couldn't See
winunins.exe Couldn't See but there is a winunins.ini but didn't touch it.

And here is my latest HJT log, but NOW I'm going to follow what you said in your last comment.

Logfile of HijackThis v1.99.1
Scan saved at 21:55:34, on 28/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zmico.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zmico.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zmico.dll/sp.html#44768
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\allp9nwm.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\allp9nwm.slt\prefs.js)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...icro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\apigl.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#9
Michelle
  • Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Ignore the part about going into the start menu for deleting temporary internet files (it's the speech I always use for cleaning them out, but it's usually done at the very last). You should have a "My Computer" icon on the desktop. If not, skip that too for now.

Michelle :tazz:

#10
Michelle
  • Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
We are making progress, slowly but surely!

Follow my previous instructions and double check that this service is disabled/stopped:

Workstation NetLogon Service

Since it's still there after "fixing" it with HiJackthis then we may need to run a program to get rid of it.

Michelle :tazz:

#11
The Smooth Operator
  • Topic Starter
  • Member
  • 64 posts
DOH! Sorry if I'm jumping ahead and doing things before I should; I imagine that could cause more problems.

I have already gone to my disc clean up as mentioned. My C: drive has used 39 out of its 40gb's, and my D: drive has used 18 of its 80gb - although the D: drive hasn't got the Temporary Files, and Downloaded Files, etc. only a Recycle Bin. But I've cleaned all available (My D: drive is supposed to be exclusively for A/V storage).

Ages ago, I deleted my My Computer desktop icon to keep my desktop nice and clean. I access it through the Start Menu shortcuts, and as I said, they all work again now.

I've re-checked the start menu > run > services.msc
Even though I changed it to Disabled when I said, I have just checked and it was still saying Automatic again.

Also says Path to Executable: C:\WINDOWS\apigl.exe /s if that helps.

I've changed it again to Disabled. Haven't rebooted since.

At the moment I'm running the Housecall scan on my C: and D: drives. Seems very slow, and pauses for ages at some folders/files. So far has inspected 34.500 files and found 2 infected.

1) A TROJ.DROP.A in my settings\jim\temp\i19.tmp (Uncleanable)

2) PE Parite.A in my Kazaa\My Shared Folders\Project 64 1.5.exe (Cleanable) Don't actually use Kazaa anymore, think that was some computer console emulator I downloaded, yeah, used at my own risk, but it was a cool way of playing all the old games I used to play as a kid. ;)

Is there any difference that I'm doing all this on my jim account... or should it be Administrator? I don't know the difference... I don't even NEED or WANT multiple users, as it's only me that uses this pc, but that might just be a side issue... don't want to complicate it, just double-check our efforts aren't all in vain.

Housecall still continues, Activescan and log will follow.

As will some money at least for a bottle of your favourite wine :tazz:

Jim.

#12
Michelle
  • Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
;)

Since you have at least one uncleanable virus in your temp files, then after you run Housecall, download, install, and run CleanUp! (new link).

Then run Activescan and post the Activescan results log.

We have to try to get your system clean enough to run About:Buster!

You can only login under Admin when you're in Safe Mode, and yes, I recommend doing so when you go into safe mode for any reason while we're trying to clean your system.

Michelle :tazz:

#13
Michelle
  • Malware Removal Goddess
  • Retired Staff
  • 8,928 posts
Oh, yes, make sure that Cleanup! is in Standard Mode otherwise it'll wipe out all of your "favorites" links! Click on "Options" to make sure.

Michelle :tazz:

#14
The Smooth Operator
  • Topic Starter
  • Member
  • 64 posts
Don't you EVER sleep?

Housecall is still running. About 46 infections in C: drive. Moved on to D: drive now. Most of all in Windows dir or System32, and most of all Uncleanable. Will it give me a log at the end or should I try and write 'em all down?

Oh yeah I did read about backing up files before running CleanIt! Will wait till Housecall has finished before checking your new link. Any reports of the latest 3.0 version messing up on Windooz XP SP2 blah blah?

You are amazing. :tazz: Please don't give up on me.

Jim.

#15
Michelle
  • Malware Removal Goddess
  • Retired Staff
  • 8,928 posts

Don't you EVER sleep?

Sleep? Who needs Sleep? ;)

I've never heard of backing up files before running cleanup!, it just deletes temporary stuff - hmmm I'll look into that. But, you do really need to run it because there will probably be A LOT of stuff that ActiveScan will find and a bunch in temp files and it would be a major PITA to delete them manually. I haven't had any problems running it on XP SP2 (ran it on my own, without a problem - it cleaned out 1.2 gigs of temp stuff! ;) )

I'm actually not sure if Housecall gives you a log at the end or not... if the viruses are in a temporary folder then I don't need it. If you want to write down any others just to make sure, feel free! ActiveScan will give you a log, so there is no need to write anything down from there.

I won't give up on you! :)

Michelle :tazz: