System 32 still opening--and more Viruses!

#1 hawthorn (Member, 203 posts)

Hi all.

I have been writing for a while now about my ongoing problems since I installed my new HD. Thanks to Coachwife and Jonnyrotten for your help so far--certainly my PC is at least running reasonably fast thanks to you!

When I boot up, C:\Windows\system32 still boots up, and also I got this error a few times:

Generic Host Process for Win32 Services
Generic Host Process for Win32 Services has encountered a problem and needs to close.

And the Data error report contained:

szAppName : szAppVer: 0.0.0.0 szModName: unknown szModVer: 0.0.0.0
offset: 00000000

The following files were included

C:\DOCUMENT~1\KEVINC~1\LOCALS~1\TEMP\WER1E.tmp.dir00\svchost.exe.mdmp\appcompat.txt


The PC froze and nothing would open or close, so I had to press the on/off button.

Anyway, someone at PcPitstop advised me to run the Pitstop check, which I did, and nothing major showed up. They also asked me to do some online virus checks. I did, with HouseCall and the Pitstop virus check, which I had to download.
Here are results from HouseCall:

WORM WOOTBOT.O C:\WINDOWS\system32\videosd.32.exe
WORM RBOT.NR C:\WINDOWS\system32\wngard.exe
TROJ DLOADER.QB C:\explorer.exe
C:\iexplorer.exe
TROJ LOWZONES.C C:\mms.exe
REG LOWZONES.A C:\re11.REG
TROJ DLOADER.PE C:\xbbgs.exe
TROJ LOWZONES.C C:\xmmc.exe
TROJ LOWZONES.C C:\xnnc.exe
TROJ LOWZONES.C C:\xrttc.exe
TROJ LOWZONES.C C:\xssss.exe
TROJ DLOADER.PE C:\xttgs.exe


And from Pitstop:

The Trj/Downloader.TC Virus was found in file C:\opens.html

The W32/Gaobot.AQE.worm Virus was found in file C:\WINDOWS\system32\videosd32.exe

The W32/Gaobot.ASO.worm Virus was found in file C:\WINDOWS\system32\wngard.exe


Interestingly a scan with AVG showed NOTHING unusual! Surely it should have spotted something, or are the other programs giving false results?

Where do I go from here!!!??

#2 admin (Founder Geek, Community Leader, 24,639 posts)

These are trusted programs that have earned our recommendation:

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

#3 hawthorn (Topic Starter, Member, 203 posts)

[quote name='hawthorn' date='Sep 27 2004, 06:31 PM']
Here are results from HouseCall:

WORM WOOTBOT.O C:\WINDOWS\system32\videosd.32.exe
WORM RBOT.NR C:\WINDOWS\system32\wngard.exe
TROJ DLOADER.QB C:\explorer.exe
C:\iexplorer.exe
TROJ LOWZONES.C C:\mms.exe
REG LOWZONES.A C:\re11.REG
TROJ DLOADER.PE C:\xbbgs.exe
TROJ LOWZONES.C C:\xmmc.exe
TROJ LOWZONES.C C:\xnnc.exe
TROJ LOWZONES.C C:\xrttc.exe
TROJ LOWZONES.C C:\xssss.exe
TROJ DLOADER.PE C:\xttgs.exe
[/quote]

I already have scanned with Trend Housecall.

I've just scanned with Moosoft The Cleaner and NO trojans were found! Hmmm!

Puzzling!

#4 Smokey (Member 1K, Retired Staff, 1,423 posts)

Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu). Be sure you're able to view hidden files, and remove the following:

C:\WINDOWS\system32\videosd.32.exe
C:\WINDOWS\system32\wngard.exe
C:\explorer.exe
C:\iexplorer.exe
C:\mms.exe
C:\re11.REG
C:\xbbgs.exe
C:\xmmc.exe
C:\xnnc.exe
C:\xrttc.exe
C:\xssss.exe
C:\xttgs.exe
C:\opens.html
C:\WINDOWS\system32\videosd32.exe
C:\WINDOWS\system32\wngard.exe

Also, run Disk Cleanup:

1. Go to "Start", "All Programs", "Accessories", "System Tools", "Disk Cleanup"
2. Make sure all the boxes are checked, then hit "OK"

Finally, reboot in regular mode and post a HijackThis log. See the "HiJackThis Guide" link in my signature. <_<
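Post #1 carries two scanners' results in two different layouts, and the removal list in reply #4 is their union written out by hand (it repeats wngard.exe once and lists both videosd.32.exe and videosd32.exe). The script below is an added example, not code from the thread or from either scanner: it parses the two report layouts exactly as they appear above, merges the paths case-insensitively so a file both scanners reported shows up once with both detection names, and groups file names that differ only in punctuation so the reviewer checks for both spellings on disk. The two parsers are an assumption about these two layouts only, not a description of either product's output format.

```python
"""Merge two scanners' findings into one deduplicated review list.

Added example for this thread; it is not code from Geeks to Go, Trend Micro
HouseCall or PC Pitstop. The two report texts are copied from post #1; the
parsing rules are assumptions about those two layouts only.
"""
import re
from typing import Dict, List, Tuple

# Constructed input: the HouseCall result lines quoted in post #1. Most lines
# are "<detection name> <path>"; one line (C:\iexplorer.exe) is a bare path.
HOUSECALL_REPORT = r"""
WORM WOOTBOT.O C:\WINDOWS\system32\videosd.32.exe
WORM RBOT.NR C:\WINDOWS\system32\wngard.exe
TROJ DLOADER.QB C:\explorer.exe
C:\iexplorer.exe
TROJ LOWZONES.C C:\mms.exe
REG LOWZONES.A C:\re11.REG
TROJ DLOADER.PE C:\xbbgs.exe
TROJ LOWZONES.C C:\xmmc.exe
TROJ LOWZONES.C C:\xnnc.exe
TROJ LOWZONES.C C:\xrttc.exe
TROJ LOWZONES.C C:\xssss.exe
TROJ DLOADER.PE C:\xttgs.exe
"""

# Constructed input: the PC Pitstop sentences quoted in post #1.
PITSTOP_REPORT = r"""
The Trj/Downloader.TC Virus was found in file C:\opens.html

The W32/Gaobot.AQE.worm Virus was found in file C:\WINDOWS\system32\videosd32.exe

The W32/Gaobot.ASO.worm Virus was found in file C:\WINDOWS\system32\wngard.exe
"""

# A Windows path: drive letter, colon, backslash, then non-whitespace.
WIN_PATH = re.compile(r"[A-Za-z]:\\\S+")
PITSTOP_LINE = re.compile(r"^The (?P<name>\S+) Virus was found in file (?P<path>[A-Za-z]:\\\S+)$")


def parse_housecall(text: str) -> Dict[str, str]:
    """Return {path: detection name}; a bare path gets the name '(unnamed)'."""
    hits: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = WIN_PATH.search(line)
        if not m:
            continue                      # blank line, or no path on it
        name = line[: m.start()].strip() or "(unnamed)"
        hits[m.group(0)] = name
    return hits


def parse_pitstop(text: str) -> Dict[str, str]:
    """Return {path: detection name} from the 'was found in file' sentences."""
    hits: Dict[str, str] = {}
    for line in text.splitlines():
        m = PITSTOP_LINE.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("name")
    return hits


def merge_reports(reports: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Combine {scanner: {path: name}} into {path (lower-cased): {scanner: name}}.

    Paths are keyed case-insensitively because Windows file names are, so a file
    reported by both scanners appears once, carrying both detection names.
    """
    merged: Dict[str, Dict[str, str]] = {}
    for scanner, hits in reports.items():
        for path, name in hits.items():
            merged.setdefault(path.lower(), {})[scanner] = name
    return merged


def near_duplicates(paths: List[str]) -> List[Tuple[str, ...]]:
    """Group paths whose file names match once punctuation is removed.

    Catches spellings such as videosd.32.exe versus videosd32.exe: either one
    file named differently by two scanners, or two distinct files. The reviewer
    should look for both on disk rather than assume.
    """
    groups: Dict[str, List[str]] = {}
    for p in paths:
        base = p.rsplit("\\", 1)[-1].lower()
        groups.setdefault(re.sub(r"[^a-z0-9]", "", base), []).append(p)
    return [tuple(g) for g in groups.values() if len(g) > 1]


def review_list(merged: Dict[str, Dict[str, str]]) -> List[str]:
    """One line per unique path, tagged with every scanner that reported it."""
    lines = []
    for path in sorted(merged):
        tags = "; ".join(f"{s}: {n}" for s, n in sorted(merged[path].items()))
        lines.append(f"{path}  [{tags}]")
    return lines


if __name__ == "__main__":
    merged = merge_reports({"housecall": parse_housecall(HOUSECALL_REPORT),
                            "pitstop": parse_pitstop(PITSTOP_REPORT)})
    print("\n".join(review_list(merged)))
    for group in near_duplicates(list(merged)):
        print("check both spellings:", " / ".join(group))
```

On the two reports above this yields 14 unique paths (the hand-written list has 15 because wngard.exe is repeated) and one near-duplicate pair, videosd.32.exe / videosd32.exe, which is why a reviewer should check System32 for both names rather than assume one scanner mistyped.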

#5 hawthorn (Topic Starter, Member, 203 posts)

Hi, The Other Side, thanks for reply!

I'm about to do as you suggested, but I think there's a feeling of deja vu about this! Coachwife went through a similar routine with me last week; maybe I've been re-infected. You see, I loaded XP onto the new hard drive but I don't know what updates I actually have. At the moment there are updates waiting to be downloaded, but it's SP2, and anyway I have that on a cover disc. I notice in a similar post from someone who has reformatted and STILL has trojans etc. that Coachwife says all malware should be removed before SP2, and gave instructions to download all the updates up to SP2. Trouble is I don't know what I have, though if SP2 is waiting to download, would that mean I'm up to date to that point?

Anyway I will now do as you suggested, and post results!

Thanks

Kevin

#6 hawthorn (Topic Starter, Member, 203 posts)

OK, other side!!

I've done as you requested; here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 19:47:13, on 29/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Kevin Carroll\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [BuildLabs] C:\WINDOWS\system\csrss.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Money Viewer (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1095350570078
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop...irus/PitPav.cab


When I rebooted, unfortunately, System32 was still opening up. Someone posted a link to a Microsoft solution for this, but it involved editing the registry, which I'm not confident doing.

Also having problems logging in to the Geeks site right now; it won't recognize my password. I went through the process of filling in the form for a new one, but same result. Hardly connected to the problems I'm having?

Kevin
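The reason a helper asks for a HijackThis log is to read the O4 (autostart) lines for entries that do not fit. The script below is an added example, not HijackThis code and not the forum's procedure, and it decides nothing on its own: it parses a subset of the O4 lines from the log above and applies two general heuristics, a core Windows process name appearing in a Run key at all (and, if so, outside its usual folder), and a program given with no folder. On this excerpt it marks the [BuildLabs] entry, which launches something named csrss.exe from C:\WINDOWS\system rather than System32, as the item to look at first; that is a prompt to verify the file, not a verdict. The folder table assumes %SystemRoot% is C:\WINDOWS, as the posted log shows.

```python
"""Flag HijackThis O4 (autostart) entries that deserve a closer look.

Added example for this thread; it is not HijackThis code and not Geeks to Go's
procedure. The excerpt below is copied from the log in post #6. The expected
system folders assume the C:\WINDOWS install the log shows; on another
machine they would be derived from %SystemRoot%.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: a subset of the O4 lines from the log in post #6.
HIJACKTHIS_EXCERPT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [BuildLabs] C:\WINDOWS\system\csrss.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

RUN_KEY = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_DIR = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# First token ending in an executable extension; a quoted path may contain spaces.
EXECUTABLE = re.compile(r'^"?(.+?\.(?:exe|dll|com|scr|bat|cmd))"?(?=[\s,]|$)', re.I)

# Processes Windows XP starts itself (via smss.exe, winlogon.exe, services.exe)
# and the folder each lives in. None of them is launched from a Run key, so a
# Run entry naming one is unusual whatever folder it points to.
# Folder values assume %SystemRoot% = C:\WINDOWS, as in the posted log.
CORE_PROCESSES: Dict[str, str] = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


@dataclass
class Finding:
    level: str      # "HIGH" = look at this first, "NOTE" = verify by hand
    message: str


def extract_executable(cmd: str) -> Optional[str]:
    """Return the program an autostart command launches, or None if none is visible."""
    m = EXECUTABLE.match(cmd.strip())
    return m.group(1) if m else None


def review_command(cmd: str) -> List[Finding]:
    """Apply the heuristics to one autostart command line."""
    exe = extract_executable(cmd)
    if exe is None:
        return [Finding("NOTE", f"no executable visible in {cmd!r}; check the key by hand")]
    folder, _, base = exe.rpartition("\\")
    folder, base = folder.lower(), base.lower()
    findings: List[Finding] = []
    if base in CORE_PROCESSES:
        findings.append(Finding("HIGH", f"{base} is started by Windows itself, not by a Run key"))
        if folder != CORE_PROCESSES[base]:
            findings.append(Finding("HIGH", f"{base} expected in {CORE_PROCESSES[base]}, "
                                            f"found in {folder or '(no folder)'}"))
    elif not folder:
        findings.append(Finding("NOTE", f"{base} has no folder; Windows resolves it via the search path"))
    return findings


def review_log(text: str) -> Dict[str, List[Finding]]:
    """Map each O4 entry name to its findings; entries with none are omitted."""
    results: Dict[str, List[Finding]] = {}
    for line in text.splitlines():
        m = RUN_KEY.match(line) or STARTUP_DIR.match(line)
        if not m:
            continue
        findings = review_command(m.group("cmd"))
        if findings:
            results[m.group("name")] = findings
    return results


if __name__ == "__main__":
    for name, findings in review_log(HIJACKTHIS_EXCERPT).items():
        for f in findings:
            print(f"{f.level:4} [{name}] {f.message}")
```

The NOTE level is deliberately noisy: entries such as [CTHelper] and [NvCplDaemon] are legitimate here but are launched by bare file name, so the reviewer confirms which file the search path actually finds. Only the HIGH level singles out an entry as the first thing to examine.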