
Virus Problems



#1
mmcarr

    New Member

  • Member
  • 5 posts
I run the tool for the Blaster virus; it says that there is no virus, but I have the same problems on my computer. It has now stopped my Norton 2004. I try to run the patch and I get an error message saying to check and see if my cryptographic service is running. I can't get on the Internet; it has stopped that completely. I have to get help from a computer at work. I have tried everything that Norton has to offer. I have even run everything in safe mode, no help. I am running XP.

Edited by mmcarr, 02 January 2004 - 08:28 AM.

  • 0



#2
tazz1964

    Member

  • Member
  • 608 posts
Hi mmcarr
Welcome to geekstogo
Have you tried to run the tools off the Norton CD? Have you tried to restore to a date before the problem started? Try to do these if you have not done so. Repost and let us know if you need more help. If you can get the system so it can get on the Internet, there are some good virus scans you can run online.
<_<
  • 0

#3
mmcarr

    New Member

  • Topic Starter
  • Member
  • 5 posts
I downloaded Norton from the Internet, so I don't have the CD. I thought I had everything worked out until two days ago. I followed Norton's instructions to turn off my restore; now I have no dates to restore back to. When I call up Norton, it pops up then disappears. If I keep trying it will eventually come up but won't do anything. My modem won't come up anymore. I have read your spyware, do you think I could have some kind of spyware on my computer?
  • 0

#4
tazz1964

    Member

  • Member
  • 608 posts
Hi
You can download Spybot and see if you have any, but it's 3.5 MB. First thing, we should get you back so you can get on the web. What do you use for the Internet: DSL, dial-up, cable?
<_<
  • 0

#5
mmcarr

    New Member

  • Topic Starter
  • Member
  • 5 posts
<_< I ran Spybot, I followed the instructions. My modem would not come up; I have dial-up. So I uninstalled the program (which is sbcglobal). Then I got the disc and tried to reload the program. My computer won't run it. I can't call up the help file, or system restore. I was thinking I should delete everything and start all over.
  • 0

#6
admin

    Founder Geek

  • Administrator
  • 24,504 posts
Hi mmcarr,

Let's try this, see the HiJack This Guide link in my signature. Download, run, and copy the log into this topic.

edit: I see you don't have Internet access on your computer, but you'll be able to save HiJack This to a floppy, run it on your system, and then save the log as a notepad file. Copy to your floppy. When you get to a computer w/Internet access, copy the text from this notepad file and paste it to this topic. <_<

Edited by admin, 05 January 2004 - 01:24 PM.

  • 0

#7
mmcarr

    New Member

  • Topic Starter
  • Member
  • 5 posts
Logfile of HijackThis v1.97.7
Scan saved at 7:46:45 PM, on 1/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\System32\systry.exe
C:\WINDOWS\System32\LSAS.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Jim Howlett.PAM\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oecadvantage.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oecadvantage.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OEC Advantage
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Windows SYStry] systry.exe
O4 - HKLM\..\Run: [JAKRICFT] C:\WINDOWS\JAKRICFT.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [VFSMGQQUO] C:\WINDOWS\VFSMGQQUO.exe
O4 - HKLM\..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\msbb.exe
O4 - HKLM\..\RunServices: [Windows SYStry] systry.exe
O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.oecadvantage.net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://download.yaho...alls/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

StartupList report, 1/5/2004, 7:52:27 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Jim Howlett.PAM\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\WINDOWS\System32\systry.exe
C:\WINDOWS\System32\LSAS.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Jim Howlett.PAM\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\Userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
PROMon.exe = PROMon.exe
Smapp = C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
Tgcmd = "C:\Program Files\Support.com\bin\tgcmd.exe /server"
UC_SMB =
Lexmark X84-X85 Button Monitor = C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
Lexmark X84-X85 Button Manager = C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
PrinTray = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
Windows SYStry = systry.exe
JAKRICFT = C:\WINDOWS\JAKRICFT.exe
bxxs5 = RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
VFSMGQQUO = C:\WINDOWS\VFSMGQQUO.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe = SBC Yahoo! Connection Manager
eanth_critical_update_alert = C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Windows Explorer = LSAS.exe
SpybotSnD = "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
msbb = C:\WINDOWS\msbb.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Windows SYStry = systry.exe
Windows Explorer = LSAS.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
AIM = C:\Program Files\AIM\aim.exe -cnetwait.odl

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll - {00000762-3965-4A1A-98CE-3D4BF457D4C8}
(no name) - C:\WINDOWS\bxxs5.dll - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job
{5AA12161-7538-48A7-B7D2-7BED49B44D54}_PAM_Matt Howlett.job
{CB02BE89-5B19-4760-9D7E-680AC441458A}_PAM_Jim Howlett.job

--------------------------------------------------

Enumerating Download Program Files:

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://download.yaho...alls/yab_af.cab

[PhotosCtrl Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\YPhotos.dll
CODEBASE = http://photos.yahoo....plorer1_9us.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,316 bytes
Report generated in 0.703 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#8
admin

    Founder Geek

  • Administrator
  • 24,504 posts
Restart HiJack This and Fix the following:

C:\WINDOWS\System32\LSAS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O3 - Toolbar: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - (no file)
O4 - HKLM\..\Run: [Windows SYStry] systry.exe
O4 - HKLM\..\Run: [JAKRICFT] C:\WINDOWS\JAKRICFT.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [VFSMGQQUO] C:\WINDOWS\VFSMGQQUO.exe
O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe

Restart in Safe Mode by pressing F8 while restarting. Search for and delete:
System32\LSAS.exe <- file
systry.exe <- file

LSAS.exe is a worm infection. To prevent this in the future, regularly run Windows Update, install an anti-virus program and keep it up-to-date. To be safe you should also run a free virus scan at the Trend Micro Housecall service.

systry.exe is a nuisance joke program, but can cause your computer to behave strangely. Thank you "friends". <_<

When finished post a new log. :D
  • 0
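
The LSAS.exe and systry.exe entries flagged in the post above each sit one character away from a genuine Windows file name (lsass.exe, systray.exe). As an added example (not part of the original thread or of HijackThis), this Python script scans HijackThis log lines for such near-miss names; the list of system binaries and the one-edit threshold are assumptions.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\systry.exe
C:\WINDOWS\System32\LSAS.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Windows SYStry] systry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Explorer] LSAS.exe
O4 - HKLM\..\RunServices: [Windows Explorer] LSAS.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
"""

# Assumption: a short hand-picked list of genuine Windows binaries (not from the thread).
SYSTEM_BINARIES = {"lsass.exe", "services.exe", "svchost.exe", "winlogon.exe", "smss.exe",
                   "csrss.exe", "explorer.exe", "spoolsv.exe", "systray.exe", "userinit.exe"}

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'([^\\"]+\.exe)', re.IGNORECASE)

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(exe_name):
    """Return the system binary this name is one edit away from, else None."""
    name = exe_name.lower()
    if name in SYSTEM_BINARIES:
        return None
    return next((s for s in sorted(SYSTEM_BINARIES) if edit_distance(name, s) <= 1), None)

def find_lookalikes(log_text):
    hits = set()
    for line in map(str.strip, log_text.splitlines()):
        m = O4_RE.match(line)
        if m:  # autorun (O4) entry
            source, cmd = f"{m['key']} [{m['name']}]", m["cmd"]
        elif re.match(r"[A-Za-z]:\\", line):  # running-process path
            source, cmd = "running process", line
        else:
            continue
        exe = EXE_RE.search(cmd)
        real = lookalike(exe.group(1)) if exe else None
        if real:
            hits.add((source, exe.group(1), real))
    return sorted(hits)
```

An exact system file name launched from the wrong folder has edit distance zero and is not reported by this check.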

#9
mmcarr

    New Member

  • Topic Starter
  • Member
  • 5 posts
<_< Thanks for helping, you have been a life saver. After I did what you told me I was able to get back online. I had to uninstall my Norton, then try to install it again. When I try to, my modem will disconnect halfway through the process. I am able to get back online now. One other problem: when I tried to search for the two files you suggested, my search won't come up. It says, run setup files missing. Here is the problem: I can't find my setup disc. OH NO! What do I do, am I screwed? But thank you for all your help. I was able to download a firewall from ZoneAlarm. Thank You
  • 0

#10
admin

    Founder Geek

  • Administrator
  • 24,504 posts
I'm glad we were able to help you get back online and fix the virus problem :D

If you'd like assistance getting your search to work, please start a new topic (this helps to avoid confusion, and also better helps other members that may have the same problem). <_<
  • 0





