Geeks To Go

WinFixer + I now think a nasty virus/trojan [CLOSED]


  • This topic is locked

#16
Kat
    Retired
  • Retired Staff
  • 19,711 posts
  • MVP
Gina...

I see you currently reading the post. I just NOW made a couple of changes, so please refresh your browser and make SURE you have the current instructions before you proceed! :tazz:
  • 0

#17
gmg
    Member
  • Topic Starter
  • Member
  • 24 posts
Kat~

I just wanted to check really quick...when I go to log off, I only have the one name "gina" and not the administrator file. I've always used this one and didn't even realize there was a separate administrator option until I tried the safe mode stuff. So is this one ok?

:tazz:

Thanks!
  • 0

#18
Kat
    Retired
  • Retired Staff
  • 19,711 posts
  • MVP
Use your account, Gina. Since that's the only one you see...you ARE the Admin account! :tazz:
  • 0

#19
gmg
    Member
  • Topic Starter
  • Member
  • 24 posts
Kat~

Ok, almost there! I ran Vundo all right, though it didn't show the first line anywhere (02-BHO: MSEvents...). I also had to disable my Norton because it kept popping up warnings. I'm working on the Panda scan, but it's not doing anything...I told it to scan my computer (should I have said the drives?) and it hasn't moved or done anything in five minutes...EDIT: Never mind, I guess it just needed a kick in the pants, now Panda is moving!

so close!

Thanks!
gina

Edited by gmg, 06 September 2005 - 08:31 PM.

  • 0

#20
Kat
    Retired
  • Retired Staff
  • 19,711 posts
  • MVP
Gina...when you are finished with those instructions, I need you to do this:


Go to Start>Run and paste this line in there:

regedit /e c:\safeboot.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"


Then click "OK". A log called "safeboot.txt" will be saved at C:\safeboot.txt

Please zip this file using WinZip (or any zip program of your choice), attach this zip file to an email, and mail it to submit@atribune.org


This may give us a look into why you can't boot into Safe Mode! :tazz:
  • 0
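The regedit line in Kat's post writes the SafeBoot key out as a text file so a helper can look at it offline. The following Python script is an added example, not code from this thread or from Atribune: it reads such an export and summarises what a helper checks when Safe Mode refuses to boot, namely whether the key exists, what its AlternateShell value is, and which subkeys survive under Minimal and Network. It assumes the export format regedit /e produces (a "[key path]" header per key followed by "name"=value lines) and that regedit /e on Windows XP writes UTF-16 text with a byte-order mark; the embedded sample export is constructed for the demonstration.

```python
"""Summarise a regedit /e export of the SafeBoot key.

Added example, not from the Geeks to Go thread or from Atribune. Reads the file
produced by
    regedit /e c:\\safeboot.txt "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"
and reports whether the key, its AlternateShell value and the subkeys under
Minimal and Network are present.
"""
import re
import sys

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
SECTION_RE = re.compile(r"^\[(.+)\]$")

# Constructed sample export (abbreviated): Minimal keeps two driver groups,
# Network still exists but has lost every subkey.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal]

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network]
"""


def load_export(path):
    """Assumption: regedit /e on XP writes UTF-16 with a BOM, which 'utf-16'
    honours. Fall back to the platform default for exports made with /a."""
    try:
        with open(path, encoding="utf-16") as fh:
            return fh.read()
    except UnicodeError:
        with open(path) as fh:
            return fh.read()


def parse_sections(text):
    """Return {key_path: {value_name: raw_value}} for every [section] in the export."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            sections[current][name.strip('"')] = value
    return sections


def safeboot_summary(text):
    """Presence of the SafeBoot key, its AlternateShell, and the direct subkeys
    of the Minimal and Network boot profiles."""
    sections = parse_sections(text)
    summary = {"present": SAFEBOOT in sections, "alternate_shell": None}
    if summary["present"]:
        shell = sections[SAFEBOOT].get("AlternateShell", "").strip('"')
        summary["alternate_shell"] = shell or None
    for profile in ("Minimal", "Network"):
        key = SAFEBOOT + "\\" + profile
        prefix = key + "\\"
        # Direct children only: the remainder after the prefix has no backslash.
        children = sorted(k[len(prefix):] for k in sections
                          if k.startswith(prefix) and "\\" not in k[len(prefix):])
        summary[profile.lower() + "_key"] = key in sections
        summary[profile.lower()] = children
    return summary


def report(summary):
    """Human-readable lines a helper can paste back into the thread."""
    if not summary["present"]:
        return ["SafeBoot key is missing from the export"]
    lines = ["AlternateShell: %s" % (summary["alternate_shell"] or "(not set)")]
    for profile in ("minimal", "network"):
        label = profile.capitalize()
        if not summary[profile + "_key"]:
            lines.append("%s: key missing" % label)
        elif not summary[profile]:
            lines.append("%s: key present but has no subkeys" % label)
        else:
            lines.append("%s: %d subkeys (%s)" % (label, len(summary[profile]),
                                                  ", ".join(summary[profile])))
    return lines


if __name__ == "__main__":
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    print("\n".join(report(safeboot_summary(text))))
```

Run it with the path to the exported safeboot.txt as the only argument; with no argument it summarises the constructed sample, reporting an intact Minimal profile and an emptied Network profile.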

#21
gmg
    Member
  • Topic Starter
  • Member
  • 24 posts
So close...after about 15 mins of the Panda scan (it was less than half done) my internet browser popped up a message saying an error had occurred and needed to close, so I lost the whole scan.

Should I try running it again? Should it also be taking that long?

Thanks all
Gina
  • 0

#22
Kat
    Retired
  • Retired Staff
  • 19,711 posts
  • MVP
Try running nothing but the Panda Scan. Close every other window, program, etc. Sometimes it may take a while. :tazz: I know it's frustrating, trust me. I started out in this business after getting my own computer severely b0rked two years ago! :)
  • 0

#23
Kat
    Retired
  • Retired Staff
  • 19,711 posts
  • MVP
Hey again Gina! Atri said to just forgo the Panda scan if it's still giving you trouble. Just give us the copy of the Vundo log and a new HijackThis log and we'll go from there. :tazz:

Don't forget to do the step to get that safeboot.txt and get it sent to Atri to look at!
  • 0

#24
gmg
    Member
  • Topic Starter
  • Member
  • 24 posts
Ok, thank goodness I have 2 computers in the house so I can let my laptop run through and type on this one. It's about halfway through and has found 2 viruses :tazz: :) and 1 spyware. It has stopped at "F:" and popped up a window that says "Choose Profile" and in the box it says "Profile Name" and the suggested title of "outlook".

Now what? :)
  • 0

#25
Kat
    Retired
  • Retired Staff
  • 19,711 posts
  • MVP
Gina...let's go ahead and close out the Panda scan for now. We'll do a different scan in a bit. I need to see the Vundo log and a new HJT log please! :tazz:
  • 0

#26
gmg
    Member
  • Topic Starter
  • Member
  • 24 posts
Alrighty then...the Panda scan still gave me a summary even though I cancelled, so here's that just in case.


Incident Status Location

Spyware:spyware/bargainbuddy No disinfected Windows Registry
Virus:Trj/Pakes.AV Disinfected C:\WINNT\system32\ddabb.dll
Virus:Trj/ShellHook.E Disinfected C:\WINNT\system32\ssqrs.dll


Here's Vundo

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 816 'smss.exe'
Threads [820][824][828]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1904 'explorer.exe'
Killing PID 1904 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 892 'winlogon.exe'
Killing PID 892 'winlogon.exe'
Killing PID 892 'winlogon.exe'
Could not delete file.
Files Deleted sucessfully.


And Hijack

Logfile of HijackThis v1.99.1
Scan saved at 8:35:06 PM, on 9/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WLTRYSVC.EXE
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\SigmaTel\C-MAJO~1\CONTRO~1\stacsrv.exe
C:\PROGRA~1\COMMON~1\AOL\110176~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110176~1\EE\AOLServiceHost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aolmail.aol.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....ink/?LinkId=488
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StacSysTray] C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\StacSysTray.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101763676\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7J5BR9KW\CWShredder[1].exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Sigmatel PassThru (PassThru) - Unknown owner - C:\Program Files\SigmaTel\C-Major Audio\ControlPanel\passthru.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\WLTRYSVC.EXE



Thanks!
Gina
  • 0

#27
gmg
    Member
  • Topic Starter
  • Member
  • 24 posts
And by the way, I have the safeboot txt but am ashamed to admit that I don't know how to zip it up...I can unzip...just not zip up I guess! :tazz:

Thanks
Gina
  • 0

#28
Kat
    Retired
  • Retired Staff
  • 19,711 posts
  • MVP
No shame, Gina! I had to learn how to do it not long ago myself! I'm assuming you have WinZip! Here are instructions, step by step, to zip it up! :tazz:

Open WinZip in wizard mode. Click Next and then click the button/circle that says "Create a new zip file" and click Next. In that box, just type safemode and click Next. In the big box area, click on the "Browse" button, and browse to where your safemode.txt is located (C:\..). Click "OK", then click "Zip now". The new zip will be saved in your "My Documents" folder. Attach that zip to an email and send it off to Atri! He'll let me know when he gets it and what we should do next, since I'm in the chat room with him! :)
  • 0

#29
Kat
    Retired
  • Retired Staff
  • 19,711 posts
  • MVP
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Now close all windows other than HiJackThis, then click Fix Checked. Reboot the computer.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Viewpoint

Please note any other programs that you don't recognize in that list in your next response.

Please delete these folders using Windows Explorer (if present):

C:\Program Files\Viewpoint

Please delete these files using Windows Explorer (if present):

C:\WINNT\system32\ddabb.dll

After that, reboot.

Post another HijackThis log here in a reply when done! :tazz:
  • 0
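The HijackThis log Gina posted in #26 and the "Fix Checked" list in Kat's post above are both line-oriented: every entry is a section code (R0, O2, O4, O23, ...) followed by " - " and the entry body. The Python below is an added example, not code from this thread or from HijackThis itself; it parses a log in that format, pulls out the entries a helper looks at first (service entries marked "(file missing)", BHOs with no name, services registered from the browser cache, and any entry naming a file another scanner already reported, such as the ddabb.dll in the Panda summary), and checks that each line a helper asks the user to fix really appears in the log verbatim, which catches copy/paste mismatches before the user clicks Fix Checked. The embedded sample log is a constructed subset of the lines in this thread.

```python
"""Triage helpers for HijackThis v1.99-style logs.

Added example, not from the Geeks to Go thread or from HijackThis. Parses the
"Rx - ..." / "Oxx - ..." entries, flags the ones a helper reviews first, and
verifies that a helper's "Fix Checked" list matches the log verbatim.
"""
import re

# Constructed sample: a subset of the lines in the log posted in the thread.
SAMPLE_LOG = """Logfile of HijackThis v1.99.1
Scan saved at 8:35:06 PM, on 9/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\Explorer.EXE

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://aolmail.aol.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [ViewMgr] C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O23 - Service: CWShredder Service - Unknown owner - C:\\Documents and Settings\\Owner\\Local Settings\\Temporary Internet Files\\Content.IE5\\7J5BR9KW\\CWShredder[1].exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\\Program Files\\Norton AntiVirus\\SAVScan.exe
"""

# The two lines Kat asked to have fixed, as they appear in the log.
FIX_LIST = [
    r"O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
]

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_log(text):
    """Return (processes, entries): running-process paths and the Rxx/Oxx entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append({"section": m.group(1), "body": m.group(2), "line": line})
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def flag_entries(entries, known_bad_files=()):
    """Reasons a helper would review an entry first. known_bad_files carries
    file names another scanner reported (e.g. ddabb.dll from the Panda summary)."""
    flagged = []
    for e in entries:
        body_l = e["body"].lower()
        reasons = []
        if e["section"] == "O23" and "(file missing)" in body_l:
            reasons.append("service binary missing")
        if e["section"] == "O23" and "temporary internet files" in body_l:
            reasons.append("service registered from the browser cache")
        if e["section"] == "O2" and "(no name)" in body_l:
            reasons.append("BHO without a name: identify it by CLSID and path")
        for bad in known_bad_files:
            if bad.lower() in body_l:
                reasons.append("names file reported by scanner: " + bad)
        if reasons:
            flagged.append((e["line"], reasons))
    return flagged


def check_fix_list(entries, fix_lines):
    """Map each 'Fix Checked' line to whether it appears verbatim in the log."""
    present = {e["line"] for e in entries}
    return {fl.strip(): fl.strip() in present for fl in fix_lines}


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print("%d running processes, %d entries" % (len(procs), len(ents)))
    for line, reasons in flag_entries(ents, known_bad_files=["ddabb.dll"]):
        print(line)
        for r in reasons:
            print("    ->", r)
    for line, ok in check_fix_list(ents, FIX_LIST).items():
        print("FIX", "found" if ok else "NOT FOUND", line)
```

The "(no name)" rule deliberately flags for review rather than for removal: in the sample, as in the real log, the unnamed BHO is Spybot's SDHelper.dll, which is why a helper identifies the entry by its CLSID and path before deciding anything.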

#30
gmg
    Member
  • Topic Starter
  • Member
  • 24 posts
I don't think I have WinZip...or if I do, it's hiding somewhere. I'm pretty sure I've used it to open files before, but I ran a search and it's not appearing in my computer anywhere except in a cookie. Where would one usually find it?
  • 0
