
Assistance please with Smitfraud Virus [RESOLVED]


This topic is locked

#1 Celtic (Member, 15 posts)
I am at present using an old P11 machine, next door on the same desk is a P111 Compaq running Windows2000.

A few days ago I inadvertently clicked upon a popup screen which appeared on my desktop. Despite clicking upon the X in the top right hand corner to close the pop up, it seems that from that, this computer got itself infected with a virus.

The first symptom was my desktop turned from its normal wallpaper to a black screen with the message, 'Warning - Your computer is infected!', though today this somehow changed to a blue box on the black background with the following message in it: 'Security Warning - A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01) + 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c'

I am fairly new to computers and have only just begun to learn the basics; I certainly am not adept at going within the computer files to sort this problem out.

Would someone competent and trustworthy take me through the commands to get the computer uninfected?

Please keep it as simple as you possibly can, and in that simplicity, be as precise as possible.

I would really appreciate your assistance, and thank you in advance for your time and patience.

Best regards!!

Edited by Celtic, 08 June 2005 - 09:48 AM.


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Hi there and welcome to GTG.

OK, you might need someone else who knows more about computers to help you (if needed). I will try my best to help you out here though. :tazz:

OK, before we do anything, did you read the sticky topic yet? If not:

Please read the first link in my signature and follow the steps outlined there. When you are ready, post the HijackThis log here.

If there is anything you don't understand there, feel free to ask here. I will help you out with this.

#3 Celtic (Topic Starter, Member, 15 posts)
Sorry to take so long; thank you for your assistance, your time and consideration are very much appreciated.

This evening the pc crashed a few times, some new boxes appeared as programs uninvited and a red x has appeared in the lower right hand side next door to my other icons. I do not think they are helping. In fact, I fear they are something else altogether that is only contributing to these problems.

Here is the HJT Log File:

Logfile of HijackThis v1.99.1
Scan saved at 05:28:32, on 09/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINNT\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\inet10079\services.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINNT\system32\UMonit2K.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\gglib.exe
C:\Program Files\AntivirusGold\AntivirusGold.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntivirusGold\AntivirusGold.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINNT\YumgoHomepageProtector.exe
C:\WINNT\system32\hookdump.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\PhotoWise\quicklnk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.abebooks.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.abebooks.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abebooks.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.abebooks.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abebooks.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.abebooks.com
F3 - REG:win.ini: run=C:\WINNT\inet10079\services.exe
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\UMonit2K.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet10079\services.exe
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yumgo's Homepage Protector V1] YumgoHomepageProtector.exe
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet10079\services.exe
O4 - Startup: BJ Status Monitor Canon i350.lnk = C:\Documents and Settings\Administrator\cnmss Canon i350 (Local).exe
O4 - Startup: Norton Disk Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://inlunarsunpho...yUploadTool.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2053.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0340C825-7AB5-4835-927F-E28D5DD6D4D7}: NameServer = 80.225.248.178 80.225.248.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{0340C825-7AB5-4835-927F-E28D5DD6D4D7}: NameServer = 80.225.248.178 80.225.248.186
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#4 Celtic (Topic Starter, Member, 15 posts)
One or two things on there I do not recognise at all; they seem to have self-invited themselves into the computer somehow. AntiVirusGold is one, another is PSGuard, and BestPopUpKiller, amongst others.

I must go to bed now, it is almost 6am in the morning, have been on this all night.

Thank you once again.

Edited by Celtic, 08 June 2005 - 10:52 PM.


#5 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yes, that's definitely smitfraud doing its job behind the scenes. We will help you remove it now:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Right click on this link -> http://www.bleepingc...g/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

Go to Start->Control Panel->Add or Remove Programs and remove/uninstall the following programs, if found:

Security iGuard
Virtual Maid
Search Maid
BestPopUpKiller
PSGuard


Exit Add/Remove Programs.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with red circle with a white X. Confirm to delete and when asked if you want to reboot now, say no:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\system32\ole32vbs.exe
C:\WINNT\inet10079\services.exe
C:\WINNT\system32\gglib.exe
C:\WINNT\system32\hookdump.exe


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Delete these folders if they exist:

C:\Program Files\Search Maid\
C:\Program Files\Virtual Maid\
C:\Windows\System32\Log Files\
C:\Program Files\Security iGuard\
C:\Program Files\AntivirusGold\
C:\Program Files\PSGuard\
C:\Program Files\BestPopUpKiller\
C:\WINNT\inet10079\


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F3 - REG:win.ini: run=C:\WINNT\inet10079\services.exe
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet10079\services.exe
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet10079\services.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2053.exe


Do you know what the following program(s) are for? If not, fix it in HijackThis and delete that file (C:\WINNT\YumgoHomepageProtector.exe):

O4 - HKCU\..\Run: [Yumgo's Homepage Protector V1] YumgoHomepageProtector.exe

Close HijackThis.

Restart your computer.

1. Download Hoster http://www.greyknigh.../spy/Hoster.exe and run it. Choose the 'Restore Original Hosts' button and press OK. Close the program.

2. Right click on this link -> http://mvps.org/winh.../DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf. Save the file to the Desktop. To run the inf file, right click on it and select Install. Note: This will remove all entries in the 'Trusted Zone' and 'Ranges' also.

3. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

4. Run an online scan at http://www.pandasoft...com/activescan/ and save the results from the scan!

Restart and post a new HijackThis log along with the results from ActiveScan.
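The entries greyknight17 picks out for 'Fix checked' in #5 follow a few structural patterns that show up in the log posted in #3: a hosts-file entry that points security-vendor hostnames at a non-loopback address (255.255.255.255), a legacy win.ini run= autostart, BHO CLSIDs with no DLL behind them, a core Windows binary name (services.exe) running from a directory other than System32, and an O16 ActiveX download from a raw IP address that ends in .exe. The script below is an added example, not part of this thread or of HijackThis, that triages constructed log lines modelled on #3 against those patterns; the sample lines, the vendor token list and the severity labels are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the log in #3. The thread's Symantec CAB URL is
# truncated there, so a placeholder host is used for that line.
SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINNT\inet10079\services.exe
O1 - Hosts: 255.255.255.255 avp.com liveupdate.symantec.com windowsupdate.microsoft.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet10079\services.exe
O4 - HKLM\..\Run: [vmtuner] gglib.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://vendor.example/bin/AvSniff.cab
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2053.exe
"""

# Substrings of the vendor/update hostnames in the posted O1 line (assumed list).
SECURITY_VENDOR_TOKENS = (
    "symantec", "mcafee", "nai.com", "networkassociates", "avp.", "kaspersky",
    "viruslist", "sophos", "f-secure", "trendmicro", "my-etrust", "ca.com",
    "microsoft.com",
)
# Core Windows binaries that only belong in the system directory.
SYSTEM_BINARY_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                       "lsass.exe", "svchost.exe", "spoolsv.exe"}
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Finding:
    code: str       # HijackThis section code, e.g. "O4"
    severity: str   # "high" or "review"
    reason: str
    line: str


def _exe_path(cmd: str) -> str:
    """Return the executable part of an autostart command, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted: the executable ends at the first .exe token (paths may contain spaces).
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_line(line: str):
    """Yield findings for one log line; sections without a heuristic yield nothing."""
    code = line.split(" - ", 1)[0].strip()
    if code == "O1":  # "O1 - Hosts: <ip> <host> [<host> ...]"
        parts = line.split("Hosts:", 1)[1].split()
        ip, hosts = parts[0], parts[1:]
        if ip in LOOPBACK:
            return
        blocked = [h for h in hosts if any(t in h for t in SECURITY_VENDOR_TOKENS)]
        if blocked:
            yield Finding(code, "high",
                          f"hosts file sends {len(blocked)} security-vendor host(s) to {ip}", line)
        else:
            yield Finding(code, "review", f"non-loopback hosts entry -> {ip}", line)
    elif code == "F3":  # win.ini run=/load= is obsolete on NT and a classic persistence spot
        yield Finding(code, "high", "win.ini autostart entry", line)
    elif code == "O2" and line.rstrip().endswith("(no file)"):
        yield Finding(code, "review", "orphaned BHO registration (CLSID with no DLL)", line)
    elif code == "O4":
        m = re.search(r"\] (.+)$", line)  # text after the [entry name]
        if not m:
            return
        exe = _exe_path(m.group(1))
        name = exe.rsplit("\\", 1)[-1].lower()
        if "\\" not in exe:
            yield Finding(code, "review",
                          f"bare filename {name!r}: resolved via search path, verify its location", line)
        elif name in SYSTEM_BINARY_NAMES and "\\system32\\" not in exe.lower():
            yield Finding(code, "high", f"system binary name {name!r} running outside System32", line)
    elif code == "O16":
        url = line.rsplit(" - ", 1)[-1].strip()
        host = re.sub(r"^https?://", "", url).split("/", 1)[0]
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            yield Finding(code, "high", f"ActiveX download from raw IP address {host}", line)
        elif url.lower().endswith(".exe"):
            yield Finding(code, "high", "ActiveX DPF entry points at a bare executable", line)


def triage(log_text: str) -> list:
    """Run every heuristic over a whole log and return the findings in log order."""
    return [f for ln in log_text.splitlines() if ln.strip() for f in check_line(ln)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
```

Note that the hookdump.exe entry passes these structural checks (it lives in system32 and has an ordinary name), which is why the expert's judgement in #5 still decides what gets fixed.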

#6 Celtic (Topic Starter, Member, 15 posts)
That sounds as complicated as 'ell, but I'll give it a go. I may well have to post a reply or two or three for clarification on the next instruction.

Computer has not been switched on the past couple of days, it's going nuts at the moment with other smaller black boxes appearing and god knows what else.

Do appreciate your assistance - thank you!!


Here we go:

Edited by Celtic, 11 June 2005 - 03:13 PM.


#7 Celtic (Topic Starter, Member, 15 posts)
You said: Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with red circle with a white X. Confirm to delete and when asked if you want to reboot now, say no:


Which button do I click upon to RUN KillBox?

#8 Celtic (Topic Starter, Member, 15 posts)
Ok looking better, desktop has gone back to normal.

Didn't see some of those components you mentioned, though I sorted out those that I could find.

The only trouble now is that the computer is running awfully slow, would you have any more remedies for this now?

The other machine is on the last leg of the journey, downloading the ActiveScan, although it does seem to be taking forever, but that's ok, it'll get there eventually.

I'll post the new HJT Logfile as soon as I am able to do so.

Thank you again for all your kind assistance, very much appreciated. Nice job so far. Excellent!! :tazz:

#9 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
OK, were you able to run KillBox and do the other steps? For ActiveScan, it has to be on this computer because it will run the scan on the computer only and not download anything.

I know, all these steps do seem daunting, but we can remove it.

Post the new HijackThis log so I can see where you are at. There might be other things we need to fix which may be causing the slowdown.

#10 Celtic (Topic Starter, Member, 15 posts)
Thank you again for your reply.

Tried last night to post the new HJT log, but computer was / has / is running incredibly slow at the moment to the point of near impossibility. This only happened in the very latter stages of going through all your steps, which actually, don't seem so daunting as it did before.

The Killbox I ran but only found about 5-6 of the thinga'mejigs that you specified.

If I could only get the computer running at a more reasonable speed I am sure we could get the other problems sorted out.

This C:\WINNT\winsocks5.exe I'm sure is part of the problem. Norton keeps on picking it up as something malicious, then every time Norton gives me the option to either Allow or Block said dooberry, I have selected Block every time.

I'm also still getting other / further error messages - wish I could stabilise things a bit more.

Appreciate your help and wouldn't mind finding out who your fav charity is to make a donation in exchange for your kindness, consideration and patience.

All the best!!

#11 Celtic (Topic Starter, Member, 15 posts)
I have put Mozilla Firefox on the pc last night, but we are still running extremely, extremely slow, and not able to get the ActiveScan download (it's telling me that the browser is not supported).

???

What would be best to do now?

#12 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Panda and most other online scans require ActiveX which Firefox doesn't support. It's a good and bad thing actually. So if you want to use Panda, use Internet Explorer to do that. Use Firefox to do your regular surfing. Basically use Internet Explorer only if the site requires it.

You may KillBox this file -> C:\WINNT\winsocks5.exe
It's a trojan.

OK, please give me your HijackThis log then. That should be easier to do. If you can, also give me the Panda log. Remember you have to use Internet Explorer to do the scan. If you can't get it to finish, then just give me the HijackThis log.

#13 Celtic (Topic Starter, Member, 15 posts)
Ok, typing this message from the old P11 again, the other computer with the problems on it has virtually ground to a halt and it's acting now awfully strange just when I thought some real progress had been made. I'm hardly able to get any programs or anything at all to work on it, my dial up connection to broadband (User Name) has gone blank, other boxes are appearing and when you click 'cancel' or whatever, invariably the exact opposite happens, other buttons show up getting pressed instead.

I've been trying for hours to get you the new HJT Logfile to no avail.

Time to think about drastic action. I don't care if I lose all my information stored on the other computer, if needs must, do you know of any way to delete and reboot the computer from scratch? Or any other such measure that saves all this hassle?

I'll give this 'til tomorrow before putting a sledgehammer through the whole machine, easier to go out and buy a new one at this rate.

Thank you again for your assistance :tazz: ;)

#14 Celtic (Topic Starter, Member, 15 posts)
Logfile of HijackThis v1.99.1
Scan saved at 03:11:48, on 13/06/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINNT\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\SERVICES.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINNT\system32\UMonit2K.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\winsocks5.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\PhotoWise\quicklnk.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.abebooks.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.abebooks.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abebooks.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abebooks.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.abebooks.com
F3 - REG:win.ini: run=C:\WINNT\inet10079\services.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\UMonit2K.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINNT\winsocks5.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yumgo's Homepage Protector V1] YumgoHomepageProtector.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\\histkill.exe /startup
O4 - Startup: Norton Disk Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Startup: PhotoWise QuickLink.lnk = C:\Program Files\PhotoWise\quicklnk.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://inlunarsunpho...yUploadTool.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0340C825-7AB5-4835-927F-E28D5DD6D4D7}: NameServer = 80.225.248.178 80.225.248.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{0340C825-7AB5-4835-927F-E28D5DD6D4D7}: NameServer = 80.225.248.178 80.225.248.186
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINNT\System32\GEARSec.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#15 Celtic (Topic Starter, Member, 15 posts)
Okkkkk getting somewhere. Back on the problem computer.

Just ran Killbox and deleted the C:\WINNT\winsocks.exe

Will await further instruction before doing anything else.

Cheers for all your help mate, ruddy nice one. :tazz: