[izaak]

Dear Geeks,

I am in a bad way. My box got infectd with a load of spy/adware. I found a user on this site who had the same problems, so I attempted to follow the advice listed in his discussion board. The adware was/is some combination of security iguard and antivirus-gold which hijacked my system, changed my desktop layout to a cheezie html script telling me my system was infected, put a couple of annoying icons in my tray, and redirected my IE to startsearches.net. I initially ran spybotSD but it was having a hard time getting rid of the files. I tried manually deleting them, but they kept coming back. After finding a post on this site, I followed some instructions which involved downloading hijackthis, smitfraud, killbox, hoster, and cleanup40. After running cleanup and restarting my system, my system is even more jacked up. The desktop html script is gone (replaced by a big, blue nothing), but the icons remain in my tray and my IE problem is even more brutal than before. Now I can't navigate anywhere online. Not only my homepage, but EVERY web address I insert is hijacked and sent back to the [bleep]'s search page. My start button has disappeared with it's pulldown menus and now spybot won't run at all. I'm typing this from my Mac as my PC now seems kaput. Help.

-Izaak

[Advertisements]

Hi izaak

Sorry for the delay in response. The forum has been very busy lately.

We can almost certainly help you but as your original post is over a week old, could you please update the situation for us. You will need to provide a HijackThis log so it can be reviewed.

Please follow the steps in this topic if possible http://www.geekstogo...?showtopic=2852

If that isn't possible download HijackThis from here http://www.geekstogo...action=cat&id=3 and post the log into this topic.

If you have already fixed your machine or received help elsewhere please post back and let us know.

Thank you

[ilago]

Hi izaak

Sorry for the delay in response. The forum has been very busy lately.

We can almost certainly help you but as your original post is over a week old, could you please update the situation for us. You will need to provide a HijackThis log so it can be reviewed.

Please follow the steps in this topic if possible http://www.geekstogo...?showtopic=2852

If that isn't possible download HijackThis from here http://www.geekstogo...action=cat&id=3 and post the log into this topic.

If you have already fixed your machine or received help elsewhere please post back and let us know.

Thank you

[izaak]

Ilago,

Here is my Hijack log. Let me caveat all this by saying that my biggest problems developed after running Cleanup. I have a feeling it was when I hit the "okay" button after being asked, "Are you sure you want to delete these files?". Since then, XP has been all jacked up and I can't launch half of my applications. Thankfully, I could launch HijackThis, but Notepad wouldn't open to give me the log. I saved the Hijack log to a CD and brought it to work with me so I could read it here and post it. So I'm afraid that even if you can find out what initially caused the problem, my amateur fixer-upper attempts may have botched any chance of easy restoration. That said...

Logfile of HijackThis v1.99.1
Scan saved at 7:48:31 AM, on 6/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
C:\Program Files\Tech\Wheel Mouse\5.3\MOUSE32A.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\winnook.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Nebuchadnezzar\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presari...&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy-server.hawaii.rr.com:8080;https=proxy-server.hawaii.rr.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;ams-server.hawaii.rr.com;update-server.hawaii.rr.com;localhost
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp980C.tmp (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Vrmon] C:\Documents and Settings\Nebuchadnezzar\Desktop\vrmonnt.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.EXE
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.3\MOUSE32A.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.hta
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Advisor - {B3413D98-5C41-44AC-BB8D-6C346B24CDD5} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\filesmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\filesmgr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\filesmgr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt2_x.cab
O16 - DPF: {00000000-0000-0000-0000-000020040000} - ms-its:mhtml:file://c:\\foo.mht!http://67.15.130.39/...hm::/filter.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - Unknown owner - C:\Documents and Settings\Nebuchadnezzar\Desktop\vrmonsvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I've attempted several system restores, but all have failed. Again, must have been my meddling. Curses...

Thanks,

Izaak

[ilago]

Hi izaak

I doubt that Cleanup4.0 was the cause of your problems - it is only designed to remove temporary internet files, cookies and temporary files. You still have some nasty malware there, so we need to that cleaned up so you can get your computer functioning.

Please make a new folder for HijackThis. Something like c:\HJT It keeps backups which you may need. Running any programs from a folder in a temporary folder is not a good idea in any case. We are going to clean those folders out.

You may like to print these instructions out so you can follow them when you have no access to the internet.

Make sure you know how to get into Safe mode with confidence http://service1.syma...001052409420406

Set Windows Explorer to show hidden files http://www.xtra.co.n...1916458,00.html

Copy the part in bold below from REGEDIT4 to the end into notepad and save it as AVGoldfix.reg
Set Filetype to All Files and save it somewhere easy to find. We will use it later.

If Notepad is still not funtioning download this - it does a similar job: http://metallica.gee...tivirusgold.reg

Don't run it until you are asked to.


REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel system tool"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusGold]

*Click Here to download Killbox by Option^Explicit.

*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.

*In the killbox program, select the Delete on Reboot option.

*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Windows\System32\hookdump.exe
C:\Windows\System32\winnook.exe
C:\Windows\desktop.html
C:\Windows\screen.html

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt if you get one.
*If the computer does not reboot by itself, do it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Doubleclick the AVGoldfix.reg we made earlier. Or use the file you downloaded antivirusgold.reg Click yes when asked to merge.

And (still in safe mode) use the DiskCleanup Tool to empty all your Temp folders.

Open HijackThis and click on "Do System Scan Only". Check the following items close all open windows and click on Fix checked.

O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp980C.tmp (file missing)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: Yahoo! Fleet - http://download.game...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Literati - http://download.game...nts/y/tt2_x.cab
O16 - DPF: {00000000-0000-0000-0000-000020040000} - ms-its:mhtml:file://c:\\foo.mht!http://67.15.130.39/...hm::/filter.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - Unknown owner - C:\Documents and Settings\Nebuchadnezzar\Desktop\vrmonsvc.exe (file missing)

Still in Safe Mode - Open Windows Explorer Find and delete the following files and folders. You will need to look for them as the Search function may not be working.

C:\Program Files\AntiVirusGold - Delete entire folder
C:\WINDOWS\System32\hp980C.tmp - file only if it still exists
C:\WINDOWS\System32\P2P Networking - Delete entire folder
C:\WINDOWS\web\related.htm - file only

Open Control Panel click on Display > Desktop > Customize desktop > Website > Uncheck "Security Info"

Then boot back into normal mode. Run a new HijackThis Scan and post the new log. There will be more to do.

[izaak]

Ilago,

Just got back from a trip and read your reply. Thanks again for the help. I got through about half of it without a hitch, but when I try to execute the AVGoldfix.reg file, a window pops up saying "C:\Documents and Setting\.............\AVGoldfix.reg This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem." This is the same message (more or less) that I get when I try to open MANY file types now. What do I do? If I still had the XP discs I probably would have reloaded this thing by now... Grrrr.

Izaak

[izaak]

P.S.

For the fun of it, just tried to go on to the next step anyway and run DiskCleanup. Sorry! I get the same kind of error message. "Application has failed to start, etc, etc." My computer is barely functioning.

Izaak

[ilago]

Hi izaak

Could you please do another HijackThis log for me and post it. That will let me see what is happening now.

Thanks