Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Bt2net and PSGuard Virus [RESOLVED]


  • This topic is locked This topic is locked

#1
.:bob schmo:.

.:bob schmo:.

    Member

  • Member
  • PipPip
  • 59 posts
I got this virus detected by norton bloodhound.win32 or something of that sort, then it restarted very fast. Now I keep getting these annoying site pop-ups from PSGuard and Bt2net P2P network; my broswer (FireFox) can be fully closed and my internet even off and a page will still pop out trying to connect to either the PSGuard website or the P2P website. And if I am occupying a browser, it'll redirect me to one of the two sites no matter what. I can only run my computer in safe mode right now.

I have followed the steps listed in the getting started, and it is impossible for me to run any of the online scanners because my IE does not work, only mozilla firefox. When I try to run my spybot search and antivirus programs, my computer displays a blue screen really fast with some error text that I cannot read and restarts. When it is done rebooting and on the login screen, it restarts itself again. I cannot also run the cwshredder and clean up, it also displays a blue screen and reboots. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:38:11 PM, on 6/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Eric\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.190.135...ype=start_page2
F2 - REG:system.ini: Shell=Explorer.exe install32m.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [load32] C:\WINDOWS\system32\winldra.exe
O4 - HKLM\..\Run: [sys229] C:\WINDOWS\system32\sys229.exe
O4 - HKLM\..\Run: [sys219] C:\WINDOWS\system32\sys219.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\system32\avpx32.exe !!
O4 - HKLM\..\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbarcm.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


I also cannot do a system restore, it fails each time, no matter what the date...

***Everytime I start my computer, I get a popup saying that install32m.exe is missing in my winows/system32 folder...

Edited by .:bob schmo:., 30 June 2005 - 01:42 PM.

  • 0

Advertisements


#2
ScHwErV

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
You have one heck of a mess going on there.

Lets start out with some general removals. We will likely have to take another stab at some of them, but this should help clean up things.

Since you are unable to run the activeX Antivirus Scanners, lets try this Java based solution from Trend Micro.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.190.135...ype=start_page2
F2 - REG:system.ini: Shell=Explorer.exe install32m.exe
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (file missing)
O4 - HKLM\..\Run: [load32] C:\WINDOWS\system32\winldra.exe
O4 - HKLM\..\Run: [sys229] C:\WINDOWS\system32\sys229.exe
O4 - HKLM\..\Run: [sys219] C:\WINDOWS\system32\sys219.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\system32\avpx32.exe !!
O4 - HKLM\..\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbarcm.dll"
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Internet Optimizer
PSGuard
ISTBar

Please note any other programs that you dont recognize in that list in your next response

Please delete these folders using Windows Explorer(if present):

C:\Program Files\Internet Optimizer\
C:\Program Files\PSGuard\
C:\Program Files\ISTbar\

Please delete these files using Windows Explorer(if present):

C:\WINDOWS\system32\winldra.exe
C:\WINDOWS\system32\sys229.exe
C:\WINDOWS\system32\sys219.exe
C:\WINDOWS\system32\avpx32.exe
C:\WINDOWS\SYSTEM32\avpx32.dll

After that, Reboot.

After you reboot, post a fresh HiJackThis log here and let me know how things are running.

ScHwErV :tazz:
  • 0

#3
.:bob schmo:.

.:bob schmo:.

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Ok, I tried running the internet scanner, and after some trouble getting it to show on my monitor, I finally got it running. And well, somewhere in the Documents and Settings (Application Data) my computer showed a blue error screen like in my first post and rebooted by itself. Should I proceed just with the hijackthis and file deletion instead?

And by the way, the only thing I can run is safe mode because of whatever I have. Normal mode just restarts the computer everytime I login...

None of those programs show up in my program list either, I already removed them with the add/remove program prior to posting this topic....

Edited by .:bob schmo:., 05 July 2005 - 07:39 PM.

  • 0

#4
ScHwErV

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
Yes, please continue on and try to get everything else done. Then post a fresh HiJackThis log so I can see what we have left.

ScHwErV :tazz:
  • 0

#5
.:bob schmo:.

.:bob schmo:.

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Okay, I can now login regularly in startup mode, then I see the desktop. Just then it flashes to a blank screen like before. This time it did not restart on it's own though, here is what the main points it said:

Problem detected, please shut down before further damage (Summarized)

PAGE_FAULT-IN-NONPAGED_AREA

STOP: 0x00000050 (0xF853E7D8, 0x00000000, 0x80563F2, 0x00000000)


^^These are just the importany parts (I think)

When I restarted in safe mode, the popup with the missing file did not pop up :tazz: And internet explorer would run. The address though was about:blank, and when I tried to go to a different page, it said it was doing something else, will you close the window. I clicked yes, and then the whole thing closed, and an error popped up. Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:58:31 PM, on 7/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Eric\My Documents\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\system32\avpx32.exe !!
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

  • 0

#6
ScHwErV

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
You have a Horseserver infection which requires some tools to get rid of.
  • First, download HSFix from here
  • After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.
  • Next, download CleanUp! Install it, but do not run it yet.
  • Boot into safe mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
  • Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
  • A log will be produced which you can close out of.
  • Then run HijackThis again, close any open windows and browsers and fix these:

    O4 - HKLM\..\Run: [secboot] C:\WINDOWS\system32\avpx32.exe !!
    O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll

  • Run CleanUp! and let it clean your computer of temp files. Decline when it asks you to log off.
  • Restart your computer into normal mode and run at least one of the following free, online virus scans:
    Here, Or Here
  • Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt
Note - This is a new variant that we have not seen too often, so this may take a few steps to remove.

ScHwErV :tazz:
  • 0

#7
Atribune

Atribune

    HijackThis Expert

  • Visiting Consultant
  • 956 posts
  • MVP
Hello .:bob schmo:. and ScHwErV,


Please hold off on downloading HSFix, I will update it to get this new variant and post back once uploaded

OK updated and should be ready to go :tazz:

Edited by Atribune, 07 July 2005 - 04:54 PM.

  • 0

#8
.:bob schmo:.

.:bob schmo:.

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Ok, I succesfully ran HSfix, and it deleted 3 files. I ran it again however, and the log was replaced, but here is what the second run came back with:

Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

Then I ran HJT, and found the winlogin thingy and checked it, but I could not find the other you mentioned on the list. So I fixed that one, and here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 4:24:04 PM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Eric\My Documents\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerMenu.lnk = C:\Program Files\PowerMenu\PowerMenu.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

When it restarted into normal mode, right after I successfully logged in, it again showed up with the blue screen error, which is the same one it showed before, and I ran the TrendMicro antivirus setup from the saved file on my computer, because I still cannot use Internet Explorer. An error popped up saying it was an invalid location, but I tried moving it and it did not work...What's the next step?
  • 0

#9
Atribune

Atribune

    HijackThis Expert

  • Visiting Consultant
  • 956 posts
  • MVP
I hope ScHwErV doesnt' mind me jumping his thread.

Try the following

1. Start Windows in Safe mode. To do so:
a. Restart the computer, and then press F8 while the computer starts.
b. On the Windows Advanced Options Menu that appears, use the ARROW keys to select Safe Mode, and then press ENTER.
c. Use the ARROW keys to select the operating system to start, and then press ENTER to start Windows XP in Safe mode.
2. In the message that states that Windows is running in Safe mode, click Yes.
3. Click Start, click Run, type msinfo32 in the Open box, and then click OK.
4. Under System Summary, expand Components, and then click Display.
5. In the right pane, note the information that corresponds to the INF File item, for example, Nv4.inf, Oem0.inf, or Atim128.inf.
6. Quit the System Information utility.
7. Click Start, right-click My Computer, and then click Properties.
8. Click the Hardware tab, and then click Device Manager.
9. Expand Display adapters, right-click the display adapter, and then click Uninstall.
10. Click OK.
11. Click Start, click Run, type cmd, and then click OK.
12. In the Command Prompt window, type the following commands, and then press ENTER after each line:
ren %systemroot%\inf\INF file name from Step 5.inf *inf.old
ren %systemroot%\inf\INF file name from Step 5.pnf *pnf.old
13. Close all open windows, and then restart the computer in the typical manner.
14. Log on to Windows by using an account that has administrative privileges, and then wait for Windows to detect new hardware.
15. When the Found New Hardware Wizard starts, click Cancel.

If you receive a stop error after you remove the updated display drivers, restart the computer and use the Last Known Good Configuration option. To do this, restart the computer, and then press the F8 key while the computer starts. On the Windows Advanced Options Menu that appears, use the ARROW keys to select Last Known Good Configuration, and then press ENTER.

If you receive a "System Has Recovered from a Serious Error" message when Windows starts, restart the computer again. This error message does not recur.
16. Obtain and install the latest drivers for your display adapter.


Post back with the results
  • 0

#10
.:bob schmo:.

.:bob schmo:.

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts

I hope ScHwErV doesnt' mind me jumping his thread.

Try the following

1. Start Windows in Safe mode. To do so:
a.  Restart the computer, and then press F8 while the computer starts.
b.  On the Windows Advanced Options Menu that appears, use the ARROW keys to select Safe Mode, and then press ENTER.
c.  Use the ARROW keys to select the operating system to start, and then press ENTER to start Windows XP in Safe mode.
2. In the message that states that Windows is running in Safe mode, click Yes.
3. Click Start, click Run, type msinfo32 in the Open box, and then click OK.
4. Under System Summary, expand Components, and then click Display.
5. In the right pane, note the information that corresponds to the INF File item, for example, Nv4.inf, Oem0.inf, or Atim128.inf.
6. Quit the System Information utility.
7. Click Start, right-click My Computer, and then click Properties.
8. Click the Hardware tab, and then click Device Manager.
9. Expand Display adapters, right-click the display adapter, and then click Uninstall.
10. Click OK.
11. Click Start, click Run, type cmd, and then click OK.
12. In the Command Prompt window, type the following commands, and then press ENTER after each line:
ren %systemroot%\inf\INF file name from Step 5.inf *inf.old
ren %systemroot%\inf\INF file name from Step 5.pnf *pnf.old
13. Close all open windows, and then restart the computer in the typical manner.
14. Log on to Windows by using an account that has administrative privileges, and then wait for Windows to detect new hardware.
15. When the Found New Hardware Wizard starts, click Cancel.

If you receive a stop error after you remove the updated display drivers, restart the computer and use the Last Known Good Configuration option. To do this, restart the computer, and then press the F8 key while the computer starts. On the Windows Advanced Options Menu that appears, use the ARROW keys to select Last Known Good Configuration, and then press ENTER.

If you receive a "System Has Recovered from a Serious Error" message when Windows starts, restart the computer again. This error message does not recur.
16. Obtain and install the latest drivers for your display adapter.
Post back with the results

View Post


So, what do I type in the run box? please tell me something like:

ren %systemroot%\nameofinffile.inf (If that is even right I don't know...)

or something, I'm a little confused. And what is this actually doing?
  • 0

Advertisements


#11
Atribune

Atribune

    HijackThis Expert

  • Visiting Consultant
  • 956 posts
  • MVP
Give me the name of the inf file please?

This is to fix the error you are recieving. The error has to do with your graphics card.

Edited by Atribune, 07 July 2005 - 06:39 PM.

  • 0

#12
ScHwErV

ScHwErV

    Member 5k

  • Retired Staff
  • 21,285 posts
  • MVP
.:bob schmo:.

You are in very capable hands here. Atribune wrote the first HSFix for this infection and he is going to work with you to help develop the fix for the latest version.

Atri

I dont mind at all. Good luck, Ill watch with much interest!

ScHwErV :tazz:
  • 0

#13
.:bob schmo:.

.:bob schmo:.

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
The file name of the inf is Oem5.inf...

And I think Atribune already developed the fix, did he not? Anyways thanks for everything so far, I hope we can figure out what to do.
  • 0

#14
Atribune

Atribune

    HijackThis Expert

  • Visiting Consultant
  • 956 posts
  • MVP
these are the lines you need bob


ren %systemroot%\inf\Oem5.inf *inf.old
ren %systemroot%\inf\Oem5.pnf *pnf.old
  • 0

#15
.:bob schmo:.

.:bob schmo:.

    Member

  • Topic Starter
  • Member
  • PipPip
  • 59 posts
Ok, I uninstalled the adapter, but now as a try to run the lines you gave me, I get this error:

Windows can not find 'ren.' Make sure you spelled the filename correctly, etc.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP