ANTI VIRUS GOLD HAS MY COMPUTER HOSTAGE [RESOLVED]



#1 Eleasha, New Member, 6 posts

I just found this site yesterday. I am in serious trouble with the Antivirus Gold malware on my laptop. I have done the first steps that you required for all new malware issues, to no avail. I have followed the solution posts that you have here regarding the fixes, to no avail. I did get rid of the black screen though. I have run Ad-Aware, ewido security, CWShredder etc. in the order that was recommended here on the site. It even stopped my internet connection via my cable modem and I couldn't even connect via dial-up with AOL to post my HijackThis log. I am seriously at my wits' end with this thing!! I decided to try to burn the HijackThis log onto a CD and copy it to my desktop PC to attach it to send to you. Now the latest problem I noticed is that my CD burner application has changed to something called Nero and my Windows Media Player now says "Viewpoint player" but it still has the Windows icon on it. My question is: if I attempt to burn this log onto a CD and copy it to my desktop PC, will it infect my desktop PC? Because I don't want to have 2 non-functioning PCs. Do you have any suggestions on how I can fix this??

thanks,

Eleasha

#2 Eleasha (Topic Starter), New Member, 6 posts

Good Morning!! I re-ran the winfix to get my internet connection back on my laptop. Here is a copy of my HJT log. Can someone please help?? I have been battling this thing for 3 days now and I am ready to throw away my laptop, and it's only 5 months old!! :tazz:


HERE'S THE LOG

Logfile of HijackThis v1.99.1
Scan saved at 2:46:50 AM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {8757DCF3-EDCB-AF1D-2A96-1BA99BF8F486} - C:\WINDOWS\sdkza.dll
O2 - BHO: Class - {A91EF599-5AF3-83C2-86F7-5C9793216040} - C:\WINDOWS\atlmu32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Class - {E2FF6CD4-8C87-9B6D-3707-80D3C44B04E0} - C:\WINDOWS\apivj32.dll
O2 - BHO: Class - {F813BE06-EC76-A5FE-DD49-14847AD19AAC} - C:\WINDOWS\system32\mfchk32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [crsr.exe] C:\WINDOWS\system32\crsr.exe
O4 - HKLM\..\RunOnce: [sysfu32.exe] C:\WINDOWS\sysfu32.exe
O4 - HKLM\..\RunOnce: [appgx32.exe] C:\WINDOWS\appgx32.exe
O4 - HKLM\..\RunOnce: [sdkxw32.exe] C:\WINDOWS\system32\sdkxw32.exe
O4 - HKLM\..\RunOnce: [apiuf.exe] C:\WINDOWS\apiuf.exe
O4 - HKLM\..\RunOnce: [sysza.exe] C:\WINDOWS\sysza.exe
O4 - HKLM\..\RunOnce: [sysvp32.exe] C:\WINDOWS\system32\sysvp32.exe
O4 - HKLM\..\RunOnce: [apivj32.exe] C:\WINDOWS\apivj32.exe
O4 - HKLM\..\RunOnce: [winbd32.exe] C:\WINDOWS\system32\winbd32.exe
O4 - HKLM\..\RunOnce: [msod.exe] C:\WINDOWS\system32\msod.exe
O4 - HKLM\..\RunOnce: [nttf32.exe] C:\WINDOWS\nttf32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homestead...nd/MSSurVid.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\sysfu32.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS


ANY HELP WOULD BE APPRECIATED!!

#3 greyknight17, Malware Expert, Visiting Consultant, 16,560 posts

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download AboutBuster http://www.greyknigh...AboutBuster.zip and unzip the files to a folder on your Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.

Download cwsserviceremove and unzip it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8757DCF3-EDCB-AF1D-2A96-1BA99BF8F486} - C:\WINDOWS\sdkza.dll
O2 - BHO: Class - {A91EF599-5AF3-83C2-86F7-5C9793216040} - C:\WINDOWS\atlmu32.dll
O2 - BHO: Class - {E2FF6CD4-8C87-9B6D-3707-80D3C44B04E0} - C:\WINDOWS\apivj32.dll
O2 - BHO: Class - {F813BE06-EC76-A5FE-DD49-14847AD19AAC} - C:\WINDOWS\system32\mfchk32.dll
O4 - HKLM\..\Run: [crsr.exe] C:\WINDOWS\system32\crsr.exe
O4 - HKLM\..\RunOnce: [sysfu32.exe] C:\WINDOWS\sysfu32.exe
O4 - HKLM\..\RunOnce: [appgx32.exe] C:\WINDOWS\appgx32.exe
O4 - HKLM\..\RunOnce: [sdkxw32.exe] C:\WINDOWS\system32\sdkxw32.exe
O4 - HKLM\..\RunOnce: [apiuf.exe] C:\WINDOWS\apiuf.exe
O4 - HKLM\..\RunOnce: [sysza.exe] C:\WINDOWS\sysza.exe
O4 - HKLM\..\RunOnce: [sysvp32.exe] C:\WINDOWS\system32\sysvp32.exe
O4 - HKLM\..\RunOnce: [apivj32.exe] C:\WINDOWS\apivj32.exe
O4 - HKLM\..\RunOnce: [winbd32.exe] C:\WINDOWS\system32\winbd32.exe
O4 - HKLM\..\RunOnce: [msod.exe] C:\WINDOWS\system32\msod.exe
O4 - HKLM\..\RunOnce: [nttf32.exe] C:\WINDOWS\nttf32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\sysfu32.exe" /s (file missing)


Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\sdkza.dll
C:\WINDOWS\atlmu32.dll
C:\WINDOWS\apivj32.dll
C:\WINDOWS\system32\mfchk32.dll
C:\WINDOWS\system32\crsr.exe
C:\WINDOWS\sysfu32.exe
C:\WINDOWS\appgx32.exe
C:\WINDOWS\system32\sdkxw32.exe
C:\WINDOWS\apiuf.exe
C:\WINDOWS\sysza.exe
C:\WINDOWS\system32\sysvp32.exe
C:\WINDOWS\apivj32.exe
C:\WINDOWS\system32\winbd32.exe
C:\WINDOWS\system32\msod.exe
C:\WINDOWS\nttf32.exe
C:\WINDOWS\sysfu32.exe


Run cwsserviceremove.reg now and say yes to add it to the registry.

Restart and run a new HijackThis scan. Save the log file and post it here.
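
Greyknight's "Fix checked" list above can be read as a handful of patterns applied to each HijackThis line: R0/R1 values pointing at a res:// page inside a local DLL, a missing default URLSearchHook, BHOs registered with no name beyond "Class", Run/RunOnce values named after their own executable, and a service with an unknown owner whose binary is missing. The Python below is an added example written for this page; it is not code from the thread, from HijackThis or from AboutBuster. It encodes those heuristics as a small triage script and runs it over a constructed sample copied from the log in post #2 (legitimate and malicious entries mixed). The function names (`triage_log`, `triage_entry`, `files_to_review`), the regexes and the reason strings are my own. The heuristics are tuned to this infection family: they will not catch every bad entry in other logs, and about:blank as the default page is only flagged when res:// hijacks are present in the same log, because on its own it is a normal setting.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis 1.99.1 log posted in post #2,
# one entry per line exactly as HJT prints them (legitimate and malicious mixed).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\skszj.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {8757DCF3-EDCB-AF1D-2A96-1BA99BF8F486} - C:\WINDOWS\sdkza.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [crsr.exe] C:\WINDOWS\system32\crsr.exe
O4 - HKLM\..\RunOnce: [sysfu32.exe] C:\WINDOWS\sysfu32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\sysfu32.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
"""

# "O4 - <body>": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Body of an O4 registry Run/RunOnce entry: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?:Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


@dataclass
class Finding:
    line: str    # the HJT line as posted
    reason: str  # which heuristic flagged it


def executable_path(cmd: str) -> str:
    """First token of an O4 command line, with surrounding quotes and arguments removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_entry(line: str, res_hijack_present: bool) -> Optional[str]:
    """Return a reason if the entry matches one of the heuristics, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section in ("R0", "R1"):
        if "res://" in body:
            return "IE start/search value points at a res:// page inside a local DLL"
        if res_hijack_present and body.endswith("= about:blank"):
            return "about:blank default page alongside res:// hijacks"
    elif section == "R3" and body.endswith("is missing"):
        return "default URLSearchHook has been removed"
    elif section == "O2" and body.startswith("BHO: "):
        bho_name = body[len("BHO: "):].split(" - ", 1)[0]
        if bho_name == "Class":
            return "BHO registered with no descriptive name (bare 'Class')"
    elif section == "O4":
        r = RUN_RE.match(body)
        if r:
            # Legitimate entries in this log use a product name ([IgfxTray]); the
            # dropped files use their own file name ([crsr.exe]) as the value name.
            exe_name = executable_path(r.group("cmd")).rsplit("\\", 1)[-1]
            if r.group("name").lower() == exe_name.lower():
                return "Run/RunOnce value named after its own executable"
    elif section == "O23" and ("Unknown owner" in body or "(file missing)" in body):
        return "service with unknown owner or missing binary"
    return None


def triage_log(text: str) -> List[Finding]:
    """Run every entry through triage_entry; about:blank is only flagged if res:// hijacks exist."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    res_hijack = any(ln.startswith(("R0 ", "R1 ")) and "res://" in ln for ln in lines)
    return [Finding(ln, reason) for ln in lines if (reason := triage_entry(ln, res_hijack))]


def files_to_review(findings: List[Finding]) -> List[str]:
    """Paths behind the flagged O2/O4 entries, the counterpart of the expert's delete list."""
    paths = set()
    for f in findings:
        section, body = f.line.split(" - ", 1)
        if section == "O2":
            paths.add(body.rsplit(" - ", 1)[-1])
        elif section == "O4":
            r = RUN_RE.match(body)
            if r:
                paths.add(executable_path(r.group("cmd")))
    return sorted(paths, key=str.lower)


if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"FLAG [{f.reason}]\n     {f.line}")
    print("Files to review:", *files_to_review(found), sep="\n  ")
```

On the constructed sample this flags eight entries (the two res:// values, the about:blank default page, the R3 line, the bare "Class" BHO, the two Run/RunOnce values named after their executables and the ownerless service) and leaves the Adobe, Google, IgfxTray, MSMSGS and AOL entries alone, which matches how the expert split the log in post #2. The output is a review list, not a removal script: as the thread itself notes, a legitimate program can look odd in a log, so each path should still be checked before anything is deleted.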

#4 Eleasha (Topic Starter), New Member, 6 posts

You are a LIFE SAVER!! Thank you! I am leaving on a business trip and won't be back until Friday. I will repost once I am back. I do have one question though. In my C:\windows\system32\ path I don't see those files. I have a lot of folders with different numbers on them. Should I just do a search for those programs that you have listed, or do I have to go through each of the folders to find the programs? I will follow the steps and post back on Friday night or early Saturday morning. Again, THANKS for everything!!

#5 greyknight17, Malware Expert, Visiting Consultant, 16,560 posts

No problem. Glad to help out :tazz:

I assume you ran AboutBuster already, right? Then that's normal. You will usually not see those files anymore, since AboutBuster should have removed most, if not all, of them already.

Post back the AboutBuster and new HijackThis logs when ready (on Friday/Saturday).

#6 Eleasha (Topic Starter), New Member, 6 posts

Hi Greyknight,
I have followed the steps you asked me to and I still have the about:blank in my Windows IE when I restarted the computer.

Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:55:41 PM, on 7/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger

3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger

3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -

https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai...icro.com/housec

all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -

https://www-secure.s...rl/SymAData.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program

Files\ewido\security suite\ewidoctrl.exe




Here is my AboutBuster log:

AboutBuster 5.0 reference file 28
Scan started on [7/30/2005] at [10:36:21 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:dlcdyd
Removed Stream! C:\WINDOWS\_MSRSTRT.EXE:bncrzt
Removed Stream! C:\WINDOWS\_MSRSTRT.EXE:cjivpn
Removed Stream! C:\WINDOWS\_MSRSTRT.EXE:fbxjqu
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:37:03 PM



So I don't know why I am still having the issue with the about:blank thing in my IE. Please advise!!


thanks,

Eleasha

#7 greyknight17, Malware Expert, Visiting Consultant, 16,560 posts

Hi Eleasha, please make sure that Word Wrap is turned OFF in Notepad. It distorts the format when you post it here. So turn it OFF.

Also is this the whole log? It looks incomplete. Try running a new HijackThis scan again and post the new log here (make sure word wrap is disabled :tazz:).
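
The Word Wrap problem greyknight17 describes is visible in the log in post #6: Notepad breaks a long entry at a space, drops that space, and the paste arrives as several short lines with blanks between them, so the helper cannot tell where one entry ends. The Python below is an added example written for this page (my own code, not the forum's, HijackThis's or Notepad's). It reassembles the wrapped fragment from post #6 by treating any line that does not start like an HJT entry, a log header or a process path as a continuation of the previous record, and it reports the joins it cannot trust. The HouseCall URL was cut inside the word "housecall", so the rejoined text reads "housec all" and the original cannot be recovered from the paste at all; that loss is the reason the log has to be posted with word wrap off. `unwrap_hjt_log`, `RECORD_START` and the `WRAPPED_LOG` constant are my names.

```python
import re

# Constructed sample: the wrapped part of the second HijackThis log exactly as it
# appears in post #6 (Notepad word wrap split the entries and left blank lines).
WRAPPED_LOG = r"""
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger

3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger

3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -

https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai...icro.com/housec

all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -

https://www-secure.s...rl/SymAData.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program

Files\ewido\security suite\ewidoctrl.exe
"""

# A line that starts a new record: an HJT entry ("O4 - "), one of the log header
# lines, or a process path from the "Running processes" section.
RECORD_START = re.compile(
    r"^(?:[A-Z]\d{1,2} - |Logfile of |Scan saved |Platform: |MSIE: |Running processes:|[A-Za-z]:\\)"
)


def unwrap_hjt_log(text: str):
    """Rejoin entries that Notepad word wrap split across lines.

    Returns (records, suspicious). `suspicious` holds the rejoined records in which a
    continuation was glued onto a URL: word wrap can cut a long space-free token
    there, and the inserted space may then be wrong (the 'housec' / 'all' case).
    """
    records = []
    joined_inside_url = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines between fragments are wrap residue, not entries
        if RECORD_START.match(line) or not records:
            records.append(line)
            continue
        prev = records[-1]
        if re.search(r"https?://\S*$", prev):
            joined_inside_url.add(len(records) - 1)
        # Word wrap drops the space it broke on, so put one back when joining.
        records[-1] = prev + " " + line
    suspicious = [records[i] for i in sorted(joined_inside_url)]
    return records, suspicious


if __name__ == "__main__":
    recs, bad = unwrap_hjt_log(WRAPPED_LOG)
    print(f"{len(recs)} records rebuilt, {len(bad)} with an untrustworthy join inside a URL")
    for r in recs:
        print(r)
```

Seven records come back from the eighteen non-blank lines of the fragment; six are rebuilt correctly because the wrap fell on a space, and the HouseCall entry is reported as suspicious because its second join lands inside the URL. A rebuilt log like this is good enough to run the triage heuristics over, but the expert's request for a fresh scan with word wrap off is the only way to get the exact entry back.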

#8 Eleasha (Topic Starter), New Member, 6 posts

Hi Greyknight,
I found the issue and fixed it. I had 4 more files to delete, and once I did that I re-ran everything and it's working!! You ROCK!! THANK YOU for your help!

#9 greyknight17, Malware Expert, Visiting Consultant, 16,560 posts

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.