Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Worked over 20 hours in the past week to fix this!

Started by NikkiFeroniDotCom , Aug 04 2005 01:03 AM

  • This topic is locked This topic is locked

#1
NikkiFeroniDotCom
Posted 04 August 2005 - 01:03 AM

NikkiFeroniDotCom

    New Member

  • Member
  • Pip
  • 3 posts
OK here's the deal. I'm not new to the computer world by any means. However this IS my frist run-in with a Virus/Trojan and I have brains and pride... I've logged MANY hours working to fix this and here is my white flag....... :tazz: I can't take it anymore.

The short of it is this: I got nailed by the AIM "LOL LOOK!" virus that comes from someone on your Buddy list... clicked the link... the rest is history. I immediately deleted everything I could find to do with the AIM but of course that does nothing. And this "ABI" Company is smearing it's Corporate Feces all over my desktop every time I open Internet Explorer, in the form of 3 popups at a time. I am blocking ALL. Sadly they come through. I promise to switch to Firefox when this is over.

Here is my MAIN problem. I CANNOT GET INTO SAFE MODE. Not through F8 and not through MSCONFIG. What's worse? I CAN'T RUN MSCONFIG AT ALL. I get the quick-flash of it and it's gone. So I CAN'T STOP THESE PROGRAMS FROM RUNNING long enough to run a scan to get them out. They run - therefore they can't be deleted.

Problem number 2 - I use AVG Antivirus. Every time I start up, it detects 4 or 5 Trojan Downloaders. I heal them. They come back. I assume from these "files" that "run" 24 hours a day.

HERE IS WHAT I HAVE DONE SO FAR: Ran Startup Manager Platinum to see my Startup List (since I have no MSCONFIG to use) and disabled everything. Then refreshed the list... and found 2 files ADDING THEMSELVES BACK TO THE STARTUP MENU. So I know 2 of the guys that need to get zapped. But again - they constantly run so they're protected. ALSO... I have run ALL of the following programs, repeatedly, with many Reboots: CleanUp, AdAware, SpyBot, AVG, PurgeIE, Killbox, and Tracks Eraser Pro.

So after DAYS of this, I threw up my hands, and I am asking for some help... I downloaded and ran the Hijack This program... and here is my Logfile.


Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\wopsct.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Converted Music\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gciagm] c:\windows\system32\wopsct.exe r
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe -n=200
O4 - HKCU\..\Run: [SP2ConnPatcher] C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe -n=200
O4 - HKCU\..\Run: [warez] C:\Program Files\Warez P2P Client\warez.exe -h
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://wsm.ezsitedesigner.com
O15 - Trusted Zone: http://www.networksolutions.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115743584765
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networkso...rueSwitchEC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe



I am extremely lost at this point... please, PLEASE give me a hand if anyone out there can. I know how to use the Hijack This software to fix things but I assume if they are RUNNING it can't do any more than any other program? Please help... it is very much appreciated. Thank you in advance,

~ Nikki Feroni
www.nikkiferoni.com
;)
  • 0

Advertisements

#2
Guest_thatman_*
Posted 04 August 2005 - 05:22 AM

Guest_thatman_*
  • Guest
Hi NikkiFeroniDotCom

Please read through the instructions before you start (you may want to print this out).

Please download and install AD-Aware se.
[urlhttp://russelltexas.com/malware/adawarese/adawarese.htm]Check Here on how setup and use it[/url] - please make sure you update it first. Don't run yet.

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet, though.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Please download SpyBot V1.4 http://www.majorgeek...wnload2471.html Update the program then run it.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please go to the following website
Please download Nailfix
Unzip it to the desktop but please do NOT run it yet.

Shutdown your computer. Now you must disconnect your internet cable from your COMPUTER

Reboot the system and run with the fix.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [gciagm] c:\windows\system32\wopsct.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
Click on Fix Checked when finished and exit HijackThis.

Run Ad-aware se let remove all it finds

Run CWShredder to fix your CWS problem.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
c:\windows\system32\wopsct.exe
C:\WINDOWS\Nail.exe
c:\windows\SvcProc.exe

Shutdown your computer.. Now reconnect the internet cable.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
[B]Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#3
NikkiFeroniDotCom
Posted 04 August 2005 - 10:59 AM

NikkiFeroniDotCom

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
OK first of all THANK YOU immensely. I'm still showing Malware but not nearly as much of it. Here is the Panda Report:

Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM32\exclean.exe
Adware:adware/afaenhance No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:adware/pacimedia No disinfected C:\DOCUMENTS AND SETTINGS\NIK\FAVORITES\1111\1111.url
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/elitebar No disinfected C:\DOCUMENTS AND SETTINGS\NIK\FAVORITES\Casino & Carrers
Spyware:spyware/betterinet No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Adware:Adware/WUpd No disinfected C:\update.html
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\drugs.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\fav.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\etb\xml\images\virus.bmp
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system\QBUninstaller.exe
Adware:Adware/ClockSync No disinfected C:\WINDOWS\system32\VVSNInst.exe



And the HJT logfile:


Logfile of HijackThis v1.99.1
Scan saved at 12:48:54 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\WINDOWS\System32\svchost.exe
C:\Converted Music\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [ejhpdtd] c:\windows\system32\stccvq.exe r
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [SP2ConnPatcher] C:\Program Files\SP2 Connection Patcher\sp2connpatcher.exe -n=200
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://wsm.ezsitedesigner.com
O15 - Trusted Zone: http://www.networksolutions.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115743584765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networkso...rueSwitchEC.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PurgeIE XP Service (PurgeIEservice) - Assistance & Resources for Computing, Inc. - C:\Program Files\PurgeIE\PurgeIE_Service.exe


And my msconfig seems to be working now, which is great.... but for some reason my XP bottom toolbar has changed, along with my Start Menu. It's now the old Windows Grey style with a small rectangular Start button... the blue toolbar that goes with XP is gone. Odd?!? :tazz:

~ Nikki
  • 0

#4
Guest_thatman_*
Posted 05 August 2005 - 09:23 AM

Guest_thatman_*
  • Guest
Hi NikkiFeroniDotCom

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Download APT
Open apt and search in the window for the c:\windows\system32\stccvq.exe r.
Open your C:\Windows\system32 folder and search for the bad file. Don't delete it yet, just leave the system32 folder open so you can see the bad file.
In apt again, Select the bad process and Click Kill3

Then immediately delete the bad file from your system32 folder. c:\windows\system32\stccvq.exe r


Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [ejhpdtd] c:\windows\system32\stccvq.exe r
Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\SYSTEM32\exclean.exe<--Delete this file
C:\WINDOWS\SYSTEM\QBUninstaller.exe<--Delete this file
C:\DOCUMENTS AND SETTINGS\NIK\FAVORITES\1111<--Delete the whole folder
C:\WINDOWS\cfgmgr52.ini<--Delete this file
C:\WINDOWS\smdat32m.sys<--Delete this file
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs<--Delete this file
C:\DOCUMENTS AND SETTINGS\NIK\FAVORITES\Casino & Carrers<--Delete this file
C:\update.html<--Delete the whole folder
C:\WINDOWS\etb\xml\images<--Delete the whole folder
C:\WINDOWS\system\QBUninstaller.exe<--Delete this file
C:\WINDOWS\system32\VVSNInst.exe<--Delete this file
C:\WINDOWS\etb\pokapoka62.exe<--Delete this file
c:\windows\system32\stccvq.exe r<--Delete this file

Exit Explorer.

Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#5
NikkiFeroniDotCom
Posted 08 August 2005 - 09:39 AM

NikkiFeroniDotCom

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
UNFORTUNATELY, I had a crash.

After the last fix I went to MSCONFIG to SAFEBOOT... and upon restart I found out my Windows had been corrupted and would NOT start in safe mode. However, since SAFEBOOT in MSCONFIG was telling it to boot in Safemode... I couldn't use anything. Upon going to F8 and telling it to boot NORMALLY, at the gateway to Windows, MSCONFIG was telling it to GO TO SAFE MODE. It went round in circles. I had to take it to a friend to be backed up and have a Clean Windows Reload done to it. Which, in essence, should solve the rest of the virus problem but is a complete pain in the butt.

Thank you for all the help thus far, though, and I'll log on with results when I am back running. For now I have to go to my father's and mooch his computer to check EMail. This is sad. Thank you again,

~ Nikki Feroni
www.nikkiferoni.com
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP