[Michelle]

Try downloading this by right-clicking and "Save Target As":

ftp://ftp.f-secure.com/anti-virus/tools/f-sdbot.exe

When it's done click "open" a black window will open up, just let it scan your computer until it's done. Hopefully this will find that worm.

[Advertisements]

I'm using netscape to access the internet because nothing else works and when I right click that there is no option to save target as...

[racinmason001]

I'm using netscape to access the internet because nothing else works and when I right click that there is no option to save target as...

[Michelle]

Just click on the link to download it then.

[racinmason001]

I was able to download that program and run it and it seemed like it sent mt hijackthis shortcut to the recycling bin and thats all,ohh it gave me some instructions that I didnt really understand to do after infection removal,and I still cant access my norton anti virus software.

[Michelle]

It didn't say anything was infected on the screen?

I'll be back in just a little bit - going to eat! I'll be thinking about what to do next!

[racinmason001]

no it didnt say anything was infected on the screen this is so frustrating I'm am almost ready to give up!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

[Michelle]

If I'm not giving up either are you!!

I need you to reboot into safe mode.

While in Safe Mode, run HiJackThis and place a check next to the following items and click FIX CHECKED:

O4 - HKLM\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKLM\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - HKCU\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKCU\..\RunServices: [Windows Service Drivers] mswin32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Using Windows Explorer look for the following file and delete it:

C:\Windows\mswin32.exe
C:\Windows\System32\mswin32.exe

Reboot into normal mode. In the meantime I'm going to put together a list of important programs I need you to download since you can download stuff with Netscape at the moment!!

[Michelle]

Download as many of these programs as you can (especially killbox) in this order. Download them to your desktop:

http://www.atribune....ads/KillBox.exe

http://www.silentrun...ent Runners.vbs

http://skads.org/special/rkfiles.zip

http://www.atribune....nloads/find.zip

http://www.atribune....oads/l2mfix.exe

http://downloads.sub.../DllCompare.exe
-Right click on your desktop, click new, folder, and name it dllcompare and save it there.

http://www.ewido.net/en/download/

I know it's a lot of programs, but you have a rootkit and many worms that are running amok and we have to find them!

[racinmason001]

ok I'm back and ready to be frustrated I will start on that right away and let you know when I finish.

[Michelle]

I'll be here!!

[racinmason001]

mswin32 I have deleted it everywhere you said to and I did a windows explorer search and its coming up in a folder called recycler and I cannot delete them beacause I get and error saying access is denied or the folder is write protected???here is a new hijackthis log too.

Logfile of HijackThis v1.99.1
Scan saved at 11:18:35 PM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\scrtkfg.exe
C:\WINDOWS\System32\ap9h4qmo.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WSup.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\Program Files\Netscape\Netscape 6\netscp6.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\dumprep.exe
C:\Hijackthis\HijackThis.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50245
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50245
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50245
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Joey\Application Data\Mozilla\Profiles\default\6hdgikqx.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Service Drivers] mswin32.exe
O4 - HKCU\..\RunServices: [Windows Service Drivers] mswin32.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[Michelle]

Ok, let me look at your log real quick!

Edited by bananafanafo, 30 April 2005 - 01:02 AM.

[Michelle]

Ah you're computer is picking up a bunch of spyware CRAP!

Were you able to download the programs?

Edited by bananafanafo, 30 April 2005 - 12:53 AM.

[racinmason001]

No I wasnt and I dont know why.norton is updated and running right now it deleted a bunch of stuff so I made a new log for you to look at.

[Michelle]

You couldn't download anything, not even with Netscape??

There are some patches that you desperately need for your computer.

Also, what do you mean you don't have the XP cd but restored it with a millenium cd?