Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Another Virus?

Started by Sheldy , Nov 25 2004 02:08 AM

  • Please log in to reply

#1
Sheldy
Posted 25 November 2004 - 02:08 AM

Sheldy

    Member

  • Member
  • PipPip
  • 98 posts
Just wondering if someone could help me, got asked to take a look at another computer, it's a Pentium 4, 2GHz, 224MB RAM, Windows XP Home...
They said one problem they were having is not being able to dial-up to the internet. So on my own computer I downloaded both Ad-aware and AVG along with the up-to-date definition files for each. I also updated it to XP Service Pack 2, but that's as far as I could get with regards to Critical Updates, I tried connecting it to my high speed modem, but with even setting it up, I couldn't get it to connect, the icon in the taskbar for the LAN Connection says 'Connection has limited or no connectivity' or something to that effect, when it's plugged in. I have seemed to have gotten it to the point that there is no more spyware and viruses on it, but it still seems to act a little funny, I don't have the modem for the computer here, so I can't test if it would actually connect. They must have an external modem. But here's the HiJackThis.log file:

Logfile of HijackThis v1.98.2
Scan saved at 1:58:35 AM, on 11/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\system32\SYSWB6.exe
C:\WINDOWS\goidr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Winkb6.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 safeweb.com
O1 - Hosts: 204.244.184.143 www.safeweb.com
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\cdlsp.dll' missing
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab

Thanks in advance for your help!
  • 0

Advertisements

#2
Spank_Me
Posted 25 November 2004 - 06:00 PM

Spank_Me

    Member

  • Member
  • PipPipPip
  • 179 posts
<_< I'm not sure that I understand your Question.....

You are working on someones cp that has an external modem such as DSL.... correct, and you are having issues connecting it to your high speed modem, is it also for DSL or do you have a Cable modem? The two setups are similar but a world apart in configurations. All you can do to test is create another connection to the internet for your setup and try it that way.

With SP2 for XP, it does automatically reenable the firewall so you might want to check that. If you are disconnecting your cp and hooking theirs up, you will have to reboot your modem for it to recognize a newer MAC addy from the network card and have it assign a IP addy. If you are setting things up through a router or hub, the cps will have to be a member of the same workgroup or domain.

The only other thing that you can do if you have a spare NIC to toss into the cp is try to connect with the second NIC, the original card could be toast.

Hope some of this helps.
  • 0

#3
Sheldy
Posted 25 November 2004 - 06:07 PM

Sheldy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Well I have no real way of testing their dial-up problem without their modem, and don't have access to it, but I was just wondering if from the Log file, anyone could see anything that needs fixing...
  • 0

#4
Spank_Me
Posted 25 November 2004 - 06:45 PM

Spank_Me

    Member

  • Member
  • PipPipPip
  • 179 posts
<_< Sorry, no modem, no testing

Hijack this log is good for checking running processes which could be legit or nasty bugs, without the modem there is no way to check the settings, such as correct #, username, password to get on, they might have to phone their ISP to check their account, if everything is ok, it might be the modem.
  • 0

#5
Sheldy
Posted 25 November 2004 - 06:46 PM

Sheldy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
I know I can't test it without the modem, I just wanted to make sure I got rid of all the nasty bugs, as you put it! <_< It had like almost 1000 occurances of spyware, and 18 virus-infected files, does it look ok to you?
  • 0

#6
Spank_Me
Posted 25 November 2004 - 07:07 PM

Spank_Me

    Member

  • Member
  • PipPipPip
  • 179 posts
<_< From what I can see there is still abit of cleaning to do, remove.....

C:\WINDOWS\goidr.exe (Gator, gotta love them)
O4 - HKLM\..\Run: [goidr] C:\WINDOWS\goidr.exe
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe (Backdoor.Agent.bg)
  • 0

#7
Sheldy
Posted 25 November 2004 - 10:07 PM

Sheldy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
I notice there is a jawa32.dat, jawa32e.bin, and jawa32vs.bin in C:\Windows, I assume I could delete these?
  • 0

#8
Sheldy
Posted 25 November 2004 - 11:09 PM

Sheldy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 98 posts
Here's a new Log... how does it look:

Logfile of HijackThis v1.98.2
Scan saved at 11:06:58 PM, on 11/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\system32\SYSWB6.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Winkb6.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
O1 - Hosts: 204.244.184.143 safeweb.com
O1 - Hosts: 204.244.184.143 www.safeweb.com
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/p...t/msnchat42.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
  • 0

#9
-=jonnyrotten=-
Posted 26 November 2004 - 12:19 AM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINDOWS\jawa32.exe
C:\WINDOWS\goidr.exe
C:\Windows\jawa32e.bin
C:\Windows\jawa32vs.bin
Reboot normally, post new log.

If they are using a dial up connection they need to be using the correct username and password in order to be able to connect to the isp. When attempting to connect do you know if there is a dial tone? Or does it try to connect and fail because of invalid usernama and or password? Please find out more information and give details. Did this connection used to work or is it a new one?

-=jonnyrotten=- <_<
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP