Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

can't get rid of mgrsts [RESOLVED]


  • This topic is locked This topic is locked

#1
Help Panos

Help Panos

    Member

  • Member
  • PipPip
  • 70 posts
First of all i'm sorry for my English. I may make some mistakes. Now the problem that occurs to my computer is the following: i enter into my account and after a while the program i"m running freezes. After aproximatelly 5 sec. the screen goes black like it is in a stand by mode. Then when i try to restart the computer doesn't restart.Instead it makes a sound bip,bip,bip and the screan remains black.I searched my computer for virus and i found one called mgrsts which i cannot delete. What can i do about this? I appreciate for your help.Below is what i found with the program HijackThis which i read somewhere that can help.

Logfile of HijackThis v1.99.1
Scan saved at 1:45:09 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Panos\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRA~1\ISTbar\istbar.dll (file missing)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDOWSflashbrg] C:\WINDOWS\sqldata1.exe
O4 - HKLM\..\Run: [NFeA5nbTG] C:\WINDOWS\tapyk.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [abongj] C:\WINDOWS\abongj.exe
O4 - HKLM\..\Run: [Ο:½ΣήωDOWπ\tμώy¸ΞexeC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tapyk.exe
O4 - HKLM\..\Run: [NΖeΟ5λ¨ΠG] C:\WINDOWS\tapyk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1060.dll,InstantAccess
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
  • 0

Advertisements


#2
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hello and welcome to Geekstogo! I moved your topic to Malware removal forum since this is where HiJackThis logs belong ;)

If you haven't followed these steps outlined HERE
please do so. I'll get back to you once you done that. ;)

- Rawe :tazz:
  • 0

#3
Help Panos

Help Panos

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
First of all i have to inform you that i have no idea of computers.
Secondly have i got to download all these programs?
I thank you in advance for your patience and your reply.
  • 0

#4
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hello again.

You do have a infection on your machine, and I really would like to see how much those automated programs help you to clean your machine before jumping into manual removing. When you come to the step to install CWShredder, I don't think you'll need that. Other programs, - yes. If you want to get your PC back to normal.. You will need to do these steps.
Thanks. If you have anything else to ask, feel free to ask from me. I'm gonna help you to get your PC clean, if you're willing to. ;)

- Rawe :tazz:
  • 0

#5
Help Panos

Help Panos

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
Hello there! I did all the things that you asked me to except from the following:

1) Trend Housecall
2) AVG as i have Norton AntiVirus
3) Windows update

Before i restarted my computer i noticed that the file mgrsts was still there. But i restarted my PC in order to see the result of the cleaning process. For almost all night the computer was working properly!! For 10 min i was yelling ''Hip hip hurey!!!" and when i slept i saw beautiful dreams of 'cleaned' computers running up and down. Unfortunately this morning i opened my computer and 'bip,bip,bip' the problem was still there. Then for 10 min i was crying ''Bu hu hu".
Oh not to forget, after the cleaning process when i enter my account it tells me that a file called "EGDACCESS_1060.dll'' cannot be found.As i recall i have erased it from system32 as one of the cleaning programs found it suspicius.What to do know?
  • 0

#6
Help Panos

Help Panos

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
Hello there! I did all the things that you asked me to except from the following:

1) Trend Housecall
2) AVG as i have Norton AntiVirus
3) Windows update

Before i restarted my computer i noticed that the file mgrsts was still there. But i restarted my PC in order to see the result of the cleaning process. For almost all night the computer was working properly!! For 10 min i was yelling ''Hip hip hurey!!!" and when i slept i saw beautiful dreams of 'cleaned' computers running up and down. Unfortunately this morning i opened my computer and 'bip,bip,bip' the problem was still there. Then for 10 min i was crying ''Bu hu hu".
Oh not to forget, after the cleaning process when i enter my account it tells me that a file called "EGDACCESS_1060.dll'' cannot be found.As i recall i have erased it from system32 as one of the cleaning programs found it suspicius.What to do know?
  • 0

#7
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hi again! Since you have done almost everything from the read before you post - thread, could you please run a new scan with HiJackThis and then copy & paste the fresh log to this topic.
I'll take a look at it. :tazz:
  • 0

#8
Help Panos

Help Panos

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
Here it is, i hope you find a solution! I look forward for your reply..
Thanks again for your help!!

Logfile of HijackThis v1.99.1
Scan saved at 2:30:51 PM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Panos\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WINDOWSflashbrg] C:\WINDOWS\sqldata1.exe
O4 - HKLM\..\Run: [NFeA5nbTG] C:\WINDOWS\tapyk.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [abongj] C:\WINDOWS\abongj.exe
O4 - HKLM\..\Run: [Ο:½ΣήωDOWπ\tμώy¸ΞexeC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tapyk.exe
O4 - HKLM\..\Run: [NΖeΟ5λ¨ΠG] C:\WINDOWS\tapyk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1060.dll,InstantAccess
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{08B4486D-5605-4A62-9505-8E1078C0E58A}: NameServer = 147.102.222.220 147.102.222.210
O17 - HKLM\System\CS3\Services\Tcpip\..\{08B4486D-5605-4A62-9505-8E1078C0E58A}: NameServer = 147.102.222.220 147.102.222.210
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#9
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hi again! Thanks for the log.

Please print these instructions out, or write them down, as you can't read them during the fix.

Ok, you do have few things which needs our attention.

First, download;

- CleanUp

Run the CleanUp installer and get the program ready to be used, but don't run it yet.

- Ewido Security Suite

Once installed, please launch it and update it's definitions. Don't run a scan yet!

Please run a free online Anti-virus scan here (note, this scan doesn't have to be used in Internet Explorer, it works on other browsers too) Use it's "Auto-Clean" option;

- Trend Micro

(Save the log, and let it remove anything. Post the results of the scan to your next reply.)

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Once in Safe Mode, make sure to close any open windows. Run a scan with HiJackThis, and check these objects for removal;

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WINDOWSflashbrg] C:\WINDOWS\sqldata1.exe
O4 - HKLM\..\Run: [NFeA5nbTG] C:\WINDOWS\tapyk.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [abongj] C:\WINDOWS\abongj.exe
O4 - HKLM\..\Run: [Ο:½ΣήωDOWπ\tμώy¸ΞexeC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\tapyk.exe
O4 - HKLM\..\Run: [NΖeΟ5λ¨ΠG] C:\WINDOWS\tapyk.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1060.dll,InstantAccess


Make sure that the above mentioned objects are all checked, then hit "Fix Checked".

Exit HiJackThis. Using Windows Explorer, locate the following files and delete if present;

C:\Program Files\ISTsvc\ <= Entire Folder
C:\WINDOWS\tapyk.exe
c:\program files\180solutions\ <= Entire Folder
C:\WINDOWS\sqldata1.exe
EGDACCESS_1060.dll (Locate using Windows Search function)


Now, launch Ewido Security Suite. Make sure to close any open windows. Run a Full Scan with it. Save the scanlog it produces, and let it remove anything it finds.

Run CleanUp! making sure to reboot your PC when prompted. Boot up into normal mode again. Once your Windows has loaded, run a new scan with HiJackThis, post the fresh log here along with the logs from the Trend Micro online scan & Ewido's Full Scan. ;)

Thanks!

- Rawe :tazz:

If you have anything to ask or you're unsure of something, be sure to ask them before proceeding the fix. Also, if you cannot for some reason finish a step, please move on to the next step & let me know on your next reply if you had difficulties with something.
  • 0

#10
Help Panos

Help Panos

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
I don't have much time as the virus keeps making my system collapse. You know, come to a stand by mode and then can't do a thing. I have to close it, wait for 7-8 min and open again my computer. I tried to scan online with trend micro but i didn't found the Auto clean option. I clicked 'scan now it's free' then 'latest virus alert' and then all the times i tried to continue were a disaster as my PC closed due to the virus i think.Can i continue with the steps after trend micro? I haven't sent you this message earlier as the virus is going crazy!
  • 0

Advertisements


#11
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
If you installed CleanUp! and Ewido Security Suite, you may continue without the online scan.
Just boot up into Safe Mode and follow the instructions :tazz:
  • 0

#12
Help Panos

Help Panos

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
Hello there!
I followed your instructions step by step. First of all The 5 things you asked me to delete weren't present so i launched Ewido and here are the results:

+ Created on: 2:18:15 PM, 7/18/2005
+ Report-Checksum: 40551522

+ Scan result:

:mozilla.20:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Panos\Application Data\Mozilla\Firefox\Profiles\jq2pdrbh.default\cookies.txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\WINDOWS\system32\msclock32.dll -> Dialer.Generic : Cleaned with backup


::Report End

Then after clean up and reboot i scanned with HiJack This and here is the lovely report:

Logfile of HijackThis v1.99.1
Scan saved at 2:24:06 PM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Panos\Desktop\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I look forward to hear the news from you! Oh just from curiosity, Rawe is a nickname
or is it a real name?
  • 0

#13
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Just a nickname ;)

Hey, your log looks good. I just want to make sure this;
How's your computer behaving now? Do you still have those problems?

- Rawe :tazz:
  • 0

#14
Help Panos

Help Panos

    Member

  • Topic Starter
  • Member
  • PipPip
  • 70 posts
The computer is behaving fine but i'm not so optimistic. You see if i am online and the computer doesn't malfunction within the first 15 min then the problem seems to have never exist. I do not know why this happens. I also searched the folder called 'Windows" and i found again this mgrsts. I thank you a lot for your help, really i'm obliged. I shall run my computer again in the afternoon and i will inform you about everything relevant to the problem. Thanks a lot! Again from curiosity, you are all the time in the Internet helping people? And again in greek language efxaristo ( thank you in greece).
  • 0

#15
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hehe, I like Greece =)
Well, ya. I'm usually the whole day on Internet. At least almost. Helping people.
I do want to help you if your computer isn't clean yet, infact, I guess I'll post you further instructions to this thread. I'm not too optimistic either.
Hey, I'm from Finland myself, so don't worry about your english language. I want to thank you too. ("Kiitos", thank you in finnish.) :tazz:

- Rawe ;)

I'll post soon with further instructions and we will see from that, do you have some malware on your PC or not.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP