Plagued with Spyware, Can't Open Exes w/o SafeMode [RESOLVED]


  • This topic is locked

#1 lilyvc (Member, 20 posts)

I've installed Ad-Aware, SpyBot, TrojanHunter, Ewido, Cleanup!, Microsoft Windows Anti-Spyware, AVG, and HijackThis on my XP machine and still can't get all the Spyware off! Things that keep showing up on the scans after scanning, cleaning, and rebooting are:

Adware.ABetterInternet
Adware.EliteBar

I also can't open many executables unless starting in SafeMode, including Regedit, msconfig, HiJackThis. I installed Sygate Personal Firewall too but it doesn't seem to ever start - I double-click the executable and nothing happens.

Also, the internet will work for about 20 minutes and then the connection stops - is this because it gets blocked by my router because of the spyware, or because the connection gets clogged up somehow?

Here is my latest HiJackThis log from running in SafeMode (since it won't start when I boot up normally). Any help would be much appreciated!!! I'm close to just reinstalling the entire OS!


Logfile of HijackThis v1.99.1
Scan saved at 2:05:59 PM, on 8/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MediaXPServicePack2] msncx.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
O4 - HKLM\..\RunServices: [Microsoft Application Center] mappc.exe
O4 - HKLM\..\RunServices: [MediaXPServicePack2] msncx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKCU\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\Run: [MediaXPServicePack2] msncx.exe
O4 - HKCU\..\RunServices: [winGuard] wingaurd32.exe
O4 - HKCU\..\RunServices: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack2] msncx.exe
O4 - Startup: Shortcut to Smc.exe.lnk = C:\Program Files\Sygate\SPF\Smc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109280642395
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDE916A-DA72-412E-8678-04A822B0A1A6}: Domain = comcast.net
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINNT\aim.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINNT\svchost.exe (file missing)


ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:52:21 AM, 8/21/2005
+ Report-Checksum: 7A67FBAB

+ Scan result:

:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\kw45riz3.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup


::Report End

ActiveScan report:


Incident Status Location

Adware:adware/hotoffers No disinfected C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\The Shield Professional 2005.lnk
Adware:adware/bookedspace No disinfected C:\WINNT\cfgmgr52.ini
Adware:adware/wintools No disinfected C:\WINNT\seeve.exe
Adware:adware/weirdontheweb No disinfected C:\WINNT\weirdontheweb_topc.exe
Adware:adware/webhancer No disinfected C:\WINNT\whCC-GIANT.exe
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Preview AdService
Adware:adware/elitebar No disinfected C:\WINNT\etb
Adware:adware/novo No disinfected Windows Registry
Dialer:dialer.ags No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}
Adware:adware/mirar No disinfected Windows Registry
Dialer:dialer.adn No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5F426A93-0821-47D2-A126-5A48A874B289}
Adware:adware/delta No disinfected Windows Registry
Dialer:dialer.yz No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{02C20140-76F8-4763-83D5-B660107B7A90}
Dialer:dialer.yy No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{23273a1c-c870-43c4-a3e3-67dc98630ac6}
Dialer:dialer.yx No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{6ed16eff-3b18-11d6-9139-00e02964e8e3}
Adware:adware/commandertoolbarNo disinfected Windows Registry
Dialer:dialer.yc No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{e8edb60c-951e-4130-93dc-faf1ad25f8e7}
Adware:adware/powerstrip No disinfected Windows Registry
Dialer:dialer.xs No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{ceb29da4-7afa-4f24-b3cd-17351d590df0}
Adware:adware/hungryhands No disinfected Windows Registry
Dialer:dialer.py No disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8522F9B3-38C5-4AA4-AE40-7401F1BBC851}
Adware:adware/ieplugin No disinfected Windows Registry
Security Risk:Application/ProcessorNo disinfected C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Adware:Adware/WUpd No disinfected C:\msw32.exe
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\078A6579-D822-445A-9769-400FF4.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\1105A991-6E67-4C33-ABB0-C60B2B.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\18851FB8-A1F3-4C7C-9445-3EF35B.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\25EE5D49-8F14-452C-ABDB-B9820E.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\2E45FDEF-4F83-476F-912E-5F6EC2.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\322DA80C-0F4B-4353-9B18-8D3458.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3412C9D1-2446-4751-B932-3CA2EF.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3AD3E540-19DE-4371-8A85-8702E9.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3C1353D3-7A58-495B-8984-5C13AF.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3FE46FB9-D31A-464C-8353-4BBB80.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\435A2B91-7C58-4E04-8301-C47455.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\61BA4A7A-BE2E-4E2C-B2B0-F1FE09.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\69DD8196-06A2-471F-914D-247419.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\6B5C8284-B909-43DE-8294-5AC1BB.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\743A2DFE-5E81-47C9-B7BE-BD4C3F.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\76D06AD0-4E04-4E87-92B1-DDA99E.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\820D46F8-8660-4B6D-B724-C42A34.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\8DB7F1CD-A22F-491E-AF09-E10B4A.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\97565847-497E-4E62-8264-D5367B.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\9BFDA42A-8561-444B-A357-5D2F40.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A4506A3F-C36B-4F05-B7E1-F8352C.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A98FE524-84A1-4DC3-A501-4D01B6.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\B80009EC-9ED3-406C-AAA6-F43612.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\C740EA86-9263-4143-B046-E357B0.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\C971DEBC-98C3-4AAB-86A8-9B764D.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\ED5A2398-B386-4B31-932B-13EC22.asq
Virus:W32/Gaobot.JMA.worm Disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\FFF75FF3-8850-43C4-A34B-91E460.asq
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4F9401BB-842F-48F4-8670-45E751\1C711840-3C4C-4426-A76C-B1DE45
Adware:Adware/MediaTickets No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\56380A74-6B33-4A98-BE17-BBA9E9\7ACC508F-B828-4996-ACBE-3573A0
Adware:Adware/Apropos No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\89816FC4-0D35-4A98-9C5E-0D2640\3E4C40F0-4348-40CD-BE55-DD637E
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Adware:Adware/WUpd No disinfected C:\update.html
Virus:Bck/Agent.AHW No disinfected C:\WINDOWS\cmdxp.exe.tcf[dreese.exe]
Spyware:Spyware/Media-motor No disinfected C:\WINNT\Downloaded Program Files\m67m.inf
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\etb\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\etb\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\etb\xml\images\drugs.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\etb\xml\images\fav.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\etb\xml\images\virus.bmp
Virus:Trj/Zapchast.D Disinfected C:\WINNT\system32\c.bat
Virus:W32/Sdbot.ftp Disinfected C:\WINNT\system32\i
Spyware:Spyware/Abcsearch No disinfected C:\WINNT\system32\msjpnd.dll
Adware:Adware/Hotoffers No disinfected C:\WINNT\system32\msodae.dll
Adware:Adware/ISearch No disinfected C:\WINNT\system32\mswes1.exe
Adware:Adware/PurityScan No disinfected C:\WINNT\system32\Shex.exe
Virus:W32/Sdbot.DIR.worm Disinfected C:\WINNT\system32\TFTP1172
Virus:W32/Sdbot.DKH.worm Disinfected C:\WINNT\system32\TFTP1632
Virus:W32/Gaobot.ISS.worm Disinfected C:\WINNT\system32\TFTP1720
Virus:W32/Sdbot.DOF.worm Disinfected C:\WINNT\system32\TFTP3040
Virus:W32/Gaobot.ETP.worm Disinfected C:\WINNT\system32\TFTP3056
Possible Virus. No disinfected C:\WINNT\Temp\ASHeuristic\ProcessViewer.exe.vir
Adware:Adware/Weirdontheweb No disinfected C:\WINNT\weirdontheweb_topc.exe
  • 0
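A way to triage the O4 (registry autostart) and O23 (service) lines of a log like the one above, added here as an example; it is not code from this thread, from Geeks to Go, or from HijackThis itself. It assumes only the v1.99.1 line shapes visible in the post; the sample log inside it is constructed from those lines, and the two heuristics it applies (a bare filename in a Run value, and a core Windows binary name registered as a service outside system32 by an unknown owner) are my own reading aids, not anything the tool reports.

```python
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v1.99.1 line format. The entries are
# copied in shape from the log posted above and mix legitimate items with the
# ones the thread ends up treating as bad.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\RunServices: [winGuard] wingaurd32.exe
O4 - Startup: Shortcut to Smc.exe.lnk = C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# O4 registry autostarts: "O4 - HKLM\..\Run: [display name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 services: "O23 - Service: display (short) - owner - path [(file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Binaries that belong in %SystemRoot%\system32 on an NT-family system; a copy
# registered from elsewhere under the Windows directory is a classic masquerade.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
IMPERSONATION_RE = re.compile(r"(?i)microsoft|windows|service ?pack")


@dataclass(frozen=True)
class Finding:
    section: str   # "O4" or "O23"
    line: str      # the log line as written
    reasons: tuple # one human-readable reason per heuristic that fired


def executable_of(cmd: str) -> str:
    """Return the program part of an autostart command value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                         # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)^(.*?\.exe)(?=\s|$)", cmd)   # unquoted path may contain spaces
    return m.group(1) if m else cmd.split()[0]


def is_bare(exe: str) -> bool:
    """True when the value names a file with no directory, so the loader has to
    search the system directories and PATH for it at logon and the log alone
    does not tell you which file will actually run."""
    return "\\" not in exe and "/" not in exe


def check_o4(name: str, cmd: str) -> tuple:
    reasons = []
    exe = executable_of(cmd)
    if is_bare(exe):
        reasons.append(f"bare filename '{exe}': no directory, resolved by path search at logon")
        if IMPERSONATION_RE.search(name):
            reasons.append(f"display name '{name}' imitates a Microsoft/Windows component")
    return tuple(reasons)


def check_o23(owner: str, path: str) -> tuple:
    reasons = []
    missing = "(file missing)" in path
    file_path = path.replace("(file missing)", "").strip()
    base = file_path.rsplit("\\", 1)[-1].lower()
    if base in CORE_BINARIES and "\\system32\\" not in file_path.lower():
        reasons.append(f"core binary name '{base}' registered outside system32")
    if owner == "Unknown owner" and missing:
        reasons.append("unknown owner and the file is already gone (leftover service entry)")
    return tuple(reasons)


def triage(log_text: str) -> list:
    """Run the heuristics over every O4 and O23 line; one Finding per flagged line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            reasons = check_o4(m["name"], m["cmd"])
            if reasons:
                findings.append(Finding("O4", line, reasons))
        elif m := O23_RE.match(line):
            reasons = check_o23(m["owner"], m["path"])
            if reasons:
                findings.append(Finding("O23", line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed sample it flags the three bare-name Run values (MSRSS.exe, wualcts.exe, wingaurd32.exe) and the two "Unknown owner ... (file missing)" services that borrow the names lsass and svchost, while the fully qualified OEM, Symantec and Yahoo entries pass. A hit is a lead rather than a verdict: some legitimate OEM autostarts also use bare names, so each flagged entry still needs a look at where the file actually resides on disk before it is removed.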



#2 lilyvc (Topic Starter, Member, 20 posts)

I should say explicitly that I followed the directions in the "READ THIS POST FIRST" posting already. Thanks in advance!!! :tazz:
  • 0

#3 Rawe (Visiting Staff, 4,746 posts)

Hello and welcome..

Can you look at the following website and follow the instructions to install and run the W32.Gaobot Removal Tool. Read all the info, download the tool, read the info on how to run it, and proceed. Then post a fresh HijackThis log once done.

http://securityrespo...moval.tool.html

Let me know if you have any problems. :tazz:
  • 0

#4 lilyvc (Topic Starter, Member, 20 posts)

Hi, I ran the tool but it found no traces of the virus on my machine.

Here's the HJT file again - thanks!



Logfile of HijackThis v1.99.1
Scan saved at 10:51:57 AM, on 8/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MediaXPServicePack2] msncx.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
O4 - HKLM\..\RunServices: [Microsoft Application Center] mappc.exe
O4 - HKLM\..\RunServices: [MediaXPServicePack2] msncx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKCU\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\Run: [MediaXPServicePack2] msncx.exe
O4 - HKCU\..\RunServices: [winGuard] wingaurd32.exe
O4 - HKCU\..\RunServices: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack2] msncx.exe
O4 - Startup: Shortcut to Smc.exe.lnk = C:\Program Files\Sygate\SPF\Smc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109280642395
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDE916A-DA72-412E-8678-04A822B0A1A6}: Domain = comcast.net
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINNT\aim.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINNT\svchost.exe (file missing)
  • 0

#5 Rawe (Visiting Staff, 4,746 posts)

Ok, we need to try this then.

Please go to the TrendMicro website HERE
  • Click Check my PC now
  • On the next page it will verify that the Trend Micro scan can be run.
  • There should be 4 green checkmarks; if any of them stays a red X, please let me know which one(s)
  • Read the agreement, then click Continue with Next Step
  • Wait for the scanner to load; if you get a security warning about the Trend Micro applet, click YES
  • It will install "Core-Packages", then please run the scan - let me know how many infected items it found and, if any of them couldn't be cleaned, their name and location

  • 0

#6 lilyvc (Topic Starter, Member, 20 posts)

Trend Micro HouseCall found the virus "TROJ_LOWZONES.DB" in my
  • 0

#7 Rawe (Visiting Staff, 4,746 posts)

Where did it find it? Did the scan clean it or what?
  • 0

#8 lilyvc (Topic Starter, Member, 20 posts)

(oops, hit Enter by mistake - continuing...) Temporary Internet Files. It couldn't clean it so I chose to delete it.

A re-scan didn't turn up anything else. Here's the HJT log again afterwards:

Logfile of HijackThis v1.99.1
Scan saved at 12:05:57 PM, on 8/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\System32\cmd.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MediaXPServicePack2] msncx.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
O4 - HKLM\..\RunServices: [Microsoft Application Center] mappc.exe
O4 - HKLM\..\RunServices: [MediaXPServicePack2] msncx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKCU\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\Run: [MediaXPServicePack2] msncx.exe
O4 - HKCU\..\RunServices: [winGuard] wingaurd32.exe
O4 - HKCU\..\RunServices: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack2] msncx.exe
O4 - Startup: Shortcut to Smc.exe.lnk = C:\Program Files\Sygate\SPF\Smc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109280642395
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDE916A-DA72-412E-8678-04A822B0A1A6}: Domain = comcast.net
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINNT\aim.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINNT\svchost.exe (file missing)

#9 Rawe (Visiting Staff)
Oh well, that didn't do much good. Let's try this manually.

Click Start => Run => and type in;

services.msc

Click "OK".

In the Services window, find the service: Windows lsass Service

Right-click it and choose "Properties". On the "General" tab, under "Service Status", click the "Stop" button to stop the service. Beside "Startup Type", select "Disabled" in the dropdown menu. Click "Apply", then "OK". Exit the Services utility.

Repeat the same steps for the service: Windows Configuration Loader

Then we'll delete the services once they're disabled:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "delete an NT service"
  • Copy and paste this in: lsass
  • Click "ok", then reboot
Once rebooted repeat the same step, this time paste this in:

Windows Configuration Loader

Then delete the following files:

C:\WINNT\svchost.exe
C:\WINNT\lsass.exe


(The legitimate lsass.exe and svchost.exe are in the System32 folder; do NOT even go in there. Just delete these ones.)

Then empty recycle bin and post a fresh log.

- Rawe :tazz:

#10 lilyvc (Topic Starter)
Thanks so much for your help so far! I disabled and deleted those services, but the files were not in the specified directory so I couldn't delete them. Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:36:36 PM, on 8/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MediaXPServicePack2] msncx.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
O4 - HKLM\..\RunServices: [Microsoft Application Center] mappc.exe
O4 - HKLM\..\RunServices: [MediaXPServicePack2] msncx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKCU\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\Run: [MediaXPServicePack2] msncx.exe
O4 - HKCU\..\RunServices: [winGuard] wingaurd32.exe
O4 - HKCU\..\RunServices: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack2] msncx.exe
O4 - Startup: Shortcut to Smc.exe.lnk = C:\Program Files\Sygate\SPF\Smc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109280642395
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BDE916A-DA72-412E-8678-04A822B0A1A6}: Domain = comcast.net
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINNT\aim.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
#11 Rawe (Visiting Staff)
Good.

Launch HiJackThis and go to the "Misc Tools" section. Launch ADS Spy and run a scan with it. Save the log and copy the contents of the Notepad file here. Don't remove anything yet. :tazz:

#12 lilyvc (Topic Starter)
Hmm, I ran the scan but nothing turned up. The thing is, I'm running HJT in Safe Mode because it won't open when I start normally. Is that a problem?

#13 Rawe (Visiting Staff)
Is it giving you an error message of any sort?

Can you try to run it in normal mode again, just to check whether it works this time?

#14 lilyvc (Topic Starter)
Nope, it won't work :tazz: When I double-click it to open it, I see the HJT screen flicker once and then it closes.

#15 Rawe (Visiting Staff)
First we need to disable MSAS protection, since it might interfere:
  • Right-click on the Microsoft Anti-Spyware tray icon by your clock (looks like a target).
  • Click on "Security Agents Status".
  • Click on "Disable real-time protection".
  • Next,
  • Click on the Options menu, then Settings.
  • Select "Real Time Protection" from the left column.
  • Uncheck "Enable (MSAS) Security Agents" and "Enable real-time spyware threat protection".
  • Click the Save button.
Finally, right-click on the MSAS tray icon, select "Shutdown Microsoft Antispyware", and click "Yes" in the dialog that comes up.

Next,

Reboot back into Safe Mode and run a scan with HiJackThis, check the following objects for removal:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKLM\..\Run: [Task Help] wualcts.exe
O4 - HKLM\..\Run: [MediaXPServicePack2] msncx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKLM\..\RunServices: [Task Help] wualcts.exe
O4 - HKLM\..\RunServices: [Microsoft Application Center] mappc.exe
O4 - HKLM\..\RunServices: [MediaXPServicePack2] msncx.exe
O4 - HKCU\..\Run: [Task Help] wualcts.exe
O4 - HKCU\..\Run: [MicroSoft Remote Secure Service] MSRSS.exe
O4 - HKCU\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\Run: [MediaXPServicePack2] msncx.exe
O4 - HKCU\..\RunServices: [winGuard] wingaurd32.exe
O4 - HKCU\..\RunServices: [Windows-XP-Service-Pack] xpspz.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKCU\..\RunServices: [MediaXPServicePack2] msncx.exe


Close all open windows except for HJT, then click the "Fix Checked" button. Close HJT.

Go to My Computer > Tools > Folder Options > View tab and make sure that "Show hidden files and folders" is enabled. Also make sure that the system files and folders are showing / visible: uncheck the "Hide protected operating system files" option.

Next, go to C:\Windows and search for the following files; if present, delete them:

mxpsp.exe
msncx.exe
xpspz.exe
MSRSS.exe
wualcts.exe
mappc.exe
wingaurd32.exe


Empty recycle bin.

Reboot and post a fresh HiJackThis log.

- Rawe :tazz:
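A small triage helper for the two patterns Rawe keys on in #9 and #15: services that borrow a core process name (lsass, svchost) but point outside System32, and autorun entries that name a bare executable with no install directory. This is an added example in Python, not part of the thread or of HijackThis; the regexes follow the O4 and O23 line shapes as printed in the logs above, and the sample lines are copied from those logs.

```python
import re

# Two HijackThis line shapes, as printed in the logs in this thread:
#   O4 - <hive>\..\<key>: [<name>] <command>
#   O23 - Service: <display> [(<short>)] - <owner> - <path> [(file missing)]
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))?"
                    r" - (?P<owner>.+?) - (?P<path>.+)$")

# Core Windows process names that legitimately live only in System32 (Rawe's point in #9).
CORE_PROCESSES = {"lsass.exe", "svchost.exe", "smss.exe", "winlogon.exe", "services.exe"}


def _executable(cmd):
    """Executable part of an autorun command: the quoted path, else text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def flag_entries(log_lines):
    """Return (line, reason) pairs for O4/O23 entries that deserve a second look.
    Heuristic, not proof: bare-filename autoruns are how msncx.exe and MSRSS.exe hide here,
    but an OEM entry such as GWMDMMSG.exe trips the same rule, so a human still decides."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if m := O4_RE.match(line):
            exe = _executable(m.group("cmd"))
            if not ("\\" in exe or exe.startswith("%")):
                findings.append((line, "autorun by bare filename, no install directory"))
        elif m := O23_RE.match(line):
            path = m.group("path").replace("(file missing)", "").strip()
            base = path.rsplit("\\", 1)[-1].lower()
            if base in CORE_PROCESSES and "\\system32\\" not in path.lower():
                findings.append((line, f"core process name {base} outside System32"))
            elif "(file missing)" in m.group("path"):
                findings.append((line, "service binary is missing"))
    return findings


# Sample lines copied from the logs posted in this thread (not a full log).
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"',
    r"O4 - HKLM\..\Run: [MediaXPServicePack2] msncx.exe",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    r"O4 - HKLM\..\RunServices: [MicroSoft Remote Secure Service] MSRSS.exe",
    r"O23 - Service: Windows lsass Service (lsass) - Unknown owner - C:\WINNT\lsass.exe (file missing)",
    r"O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINNT\svchost.exe (file missing)",
    r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe",
    r"O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINNT\aim.exe (file missing)",
]
```

Running `flag_entries(SAMPLE_LOG)` flags the two bare-filename autoruns, the two rogue lsass/svchost services and the missing AIM service, and leaves the quoted-path, %systemroot% and Symantec entries alone.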