[Gishmonster]

HI
While trying to download NORTON on a 26k Dial up, I have gotten infected. When dialing in the modem shows constant use incoming and outgoing. I cannot install Norton it says the file is corrupt. If I try to run any new EXE files to test with, they become corrupt, unless I go to SAFE MODE. Since I cannot plug in my Jump drive to download the HJT file I had to print it then scan on another computer with OCR. I have tried to correct all OCR errors.
I have read many of the HJT forums and tried all the software. I have removed
the Backdoor.RBot.ABG
the W32/SdBot.worm.GEN.j
the Trojan ASKEMAIL.EXE Trojandownloader.GYX.100
and found the file SYNCOR which is supposed to be the W32.HLLW.GAOBOT.EE but I ended up removing this in RegEdit manually.
One problem is I can do no updates on the downloaded help programs due to the modem locked up busy. I have to do everything from a remote computer and then come back. I did get updates on the ones that were available.
Spybot has been corrupted and cannot be run or removed .


But I have finally given up and am asking for help.

About Buster is clean.

HELP!!!!!!!!!!

Sorry, I attached the HJT log instead of pasting it.

Logfile of HijackThis v1.99.1
Scan saved at 10:25:07 AM, on 9/14/2005
platform: windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 Sp1 (6.00.2800.1106)

Running processes:
C:\WINOOWs\system32\smss.exe
C:\WINOOWs\system32\winlogon.exe
C:\WINDOWs\system32\services.exe
C:\WINOOWs\system32\lsass.exe
C:\WINOOWs\system32\svchost.exe
C:\WINDOWs\system32\svchost.exe
C:\WINOOWS\Explorer.EXE
C:\EXE2\HiJackThis\HijackThis1991.exe
C:\EXE2\HiJackThis\HijackThis1991.exe
RO - HKLM\Software\Microsoft\Internet Explorer\search,searchAssistant = http://www.earthlink...ton/search.html
RO - HKCU\software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\software\Microsoft\Internet connection wizard,shellNext = http://www.symantec....error=6 e=English&product=NAV&version=11.0.9
RO - HKCU\software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default uRLSearchHook is missing
02 - BHO: AcroIEHlprobj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BEOB3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
02 - BHO: (no name) - {53707962-6F74-2D53-2644-20607942484F} - c:\program Files\spybot - Search & Destroy\SDHelper.dll
02 - BHO: NAV Helper - {BDF3E430-B101-42ADD-A544-FADC6B084872} - C:\Program Files\Norton Antivirus\NavshExt.dll
03 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00AOC9082467} ¬C:\WINDOWs\system32\msdxm.ocx
03 - Toolbar: Norton Antivirus - {42CDD1BF-3FFB-4238-8ADl-7859DFOOB1D6} - c:\Program Files\Norton Antivirus\NavshExt.dll
04 - HKlM\..\Run: [smapp] c:\Program Files\Analog oevices\soundMAX\smtray.exe
04 - HKlM\..\Run: [NvCploaemon] RUNOll32.EXE C:\WINOOWS\System32\NvCpl.dll,NvStartup
04 - HKlM\..\Run: [nwiz] nwiz.exe /install
04 - HKlM\..\Run: [monitr32] c:\Program Files\canon\MultiPAsS4\monitr32.exe
04 - HKlM\..\Run: [MPTBOX] c:\Program Files\canon\MultiPASS4\MPTBox.exe
04 - HKlM\..\Run: [Iomega Automatic Backup 1.0.1] c:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
04 - HKlM\..\Run: [ADuserMon] c:\Program Files\Iomega\AutoDisk\ADuserMon.exe
04 - HKlM\..\Run: [Iomega Drive Icons] c:\Program Files\Iomega\oriveIcons\Imglcon.exe
04 - HKlM\..\Run: [oeskup] c:\Program Files\Iomega\Drivelcons\deskup.exe /IMGSTART
04 - HKlM\..\Run: [.svchost] C:\WINOOWs\system\CSRSS.EXE
04 - HKlM\..\Run: [CCApp] "C:\Program Files\Common Files\Symantec shared\ccApp.exe"
04 - HKlM\..\Run: [SsC_userprompt] c:\Program Files\common Files\symantec Shared\security Center\usrprmpt.exe
04 - HKlM\.. \Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
04 - HKCU\..\Run: [E6Taskpanel] "C:\Program Files\Earthlink
TotalAccess\Taskpanl.exe" -noauth
04 - Global Startup: Hotsync Manager.lnk = c:\Program Files\sony Handheld\HOTSYNC.EXE
04 - Global startup: Microsoft Office.lnk = c:\Program Files\Microsoft office\office10\OSA.EXE
04 - Global startup: QuickBooks update Agent.lnk = c:\program Files\common Files\Intuit\QuickBOoks\QBupdate\qbupdate.exe
09 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MsMSGS.EXE
09 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} ¬c:\Program Files\Messenger\MSMSGS.ExE
012 - plugin for .spop: c:\program Files\Internet Explorer\plugins\NPDoCBOX.dll
page 1



023 - service: Symantec Event Manager (CcEvtMgr) - Symantec corporation - c:\Program
Files\common Files\Symantec shared\ccEvtMgr.exe
023 - service: symantec Password validation (ccPwdSvc) - symantec corporation ­c:\Program Files\common Files\symantec Shared\ccPwdsvc.exe
023 - Service: symantec settings Manager (ccSetMgr) - symantec Corporation ­c:\Program Files\common Files\symantec shared\ccSetMgr.exe
023 - service: ewido security suite control - ewido networks - c:\Program Files\ewido\security suite\ewidoctrl.exe
023 - Service: ewido security suite guard - ewido networks - c:\Program Files\ewido\security suite\ewidoguard.exe
023 - Service: Iomega App Services - Iomega corporation ­C:\PROGRA 1\Iomega\system32\Appservices.exe
023 - Service: Mpservice - Canon Inc - c:\Program Files\canon\MultiPASS4\MPSERVIC.EXE
023 - Service: Norton Antivirus Auto-Protect service (navapsvc) - symantec corporation - C:\Program Files\Norton Antivirus\navapsvc.exe
023 - service: Norton AntiVirus Firewall Monitor service (NPFMntor) - symantec corporation - c:\Program Files\Norton Antivirus\IWP\NPFMntor.exe
023 - service: NVIDIA Display Driver Service (NVSvC) - NVIDIA corporation ­C:\WINDOWs\System32\nvsvc32.exe
023 - Service: scriptBlocking service (sBservice) - symantec corporation ­C:\PROGRA l\COMMON l\SYMANT l\SCRIPT l\SBServ.exe
023 - Service: Symantec Network Drivers Service (SNDSrvc) - symantec corporation ­c:\Program Files\Common Files\symantec shared\sNDSrvc.exe
023 - Service: SoundMAX Agent service (SoundMAX Agent service (default)) - Analog Devices, Inc. - c:\Program Files\Analog Devices\soundMAX\SMAgent.exe
023 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec corporation - c:\Program Files\common Files\symantec shared\SPBBC\SPBBCsvc.exe
023 - service: spywarecleanerservice - unknown owner - c:\program Files\spyware cleaner\Scservice.exe (file missing)
023 - service: ups - APC powerChute plus (ups) - APC - c:\Program Files\Pwrchute\ups.exe
023 - service: Iomega Active Disk (_IOMEGA-ACTIVE_DISK_SERVICE_) - Iomega corporation - c:\program Files\Iomega\AutoDisk\ADservice.exe

Page 2

Attached Files

•  HJT_Log_9_14RTF.rtf   4.2KB   119 downloads
•  HJT_Log_9_14RTF_p2.rtf   2.09KB   172 downloads

Edited by Gishmonster, 15 September 2005 - 07:02 AM.

[Advertisements]

Hi
No one has helped me , Yet.

I have tried to figure this out using HJT. I found the CSRSS.EXE virus.
I removed it using HJT and removed the EXE file in theWindows folder. Very confusing since there are legitimate Windows CSRSS files also. I did this in Safe mode and cleaned the backup files and had Restore OFF.
It says this virus deletes the following services.

SAVScan
SharedAccess
Symantec Core LC
kavsvc
navapsvc
wauserv

On reboot I ran HJT in regular mode and it is gone. I am posting a new HJT log just in case someone will help me.
I still can not run MSConfig. I tried to remove SpyBot and SpyWareCleaner, and it says the Uninstall file is corrupted or removed. They did not work. So I removed them with HJT and reinstalled Spybot and now it works. Although HJT showed Norton as installed it would not run do to corruption. I removed it and it came out with just a little error message I clicked ignor on.

SO - My problem now is how do I get the rest of my computer working again???

I tried to install the Win XP disk that came out for SP2 and it says I need to activate JAVA Script. I went into EI and activated everything that had JAVA in it, but it did not help.
I do not know if this will fix Windows or not. But since I am flailing in the wind here it seemed worth a try. Or SP2 may bomb out and take out XP and I will be forced to Reformat.

ANY HELP WOULD BE APPRCIATED.
THANKS
Gishmonster

Logfile of HijackThis v1.99.1
Scan saved at 3:01:17 PM, on 9/17/2004
Platform: windows XP sp1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 sp1 (6.00.2800.1106)

hijackthis

Running processes:
C:\WINDOWs\system32\smss.exe
C:\WINDOWs\system32\csrss.exe
C:\WINDOWs\system32\winlogon.exe
C:\WINDOWs\system32\services.exe
C:\WINDOWs\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWs\system32\svchost.exe
C:\WINDOWs\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Analog Devices\soundMAX\smtray.exe
c:\program Files\canon\MultiPAss4\monitr32.exe
c:\Program Files\Analog Devices\soundMAX\Smtray.exe
C:\WINDOWS\system32\nwiz.exe
c:\Program Files\canon\MultiPASS4\MPTBox.exe
c:\program Files\canon\MultiPASS4\monitr32.exe
c:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWs\system32\RUNDLL32.EXE
c:\Program Files\EarthLink TotalAccess\Taskpanl.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
c:\Program Files\common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWs\system32\alg.exe
c:\program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA 1\Iomega\system32\AppServices.exe
c:\Program Files\canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWs\system32\nvsvc32.exe
C:\Program Files\Analog Devices\soundMAX\SMAgent.exe
C:\Program Files\Pwrchute\ups.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDows\explorer.exe
C:\EXE2\HiJackThis\HijackThis1991.exe
R1 - HKCU\software\Microsoft\Internet Explorer\Main,Default_page_uRL = http://start.earthlink.net
R1 - HKCU\software\Microsoft\Internet Explorer\Main,Default_search_uRL =
http://www.earthlink...ton/search.html
R0 - HKCU\software\Microsoft\Internet Explorer\Main,start page = http://start.earthlink.net/
02 - BHO: AcroIEHlprobj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BEOB3} - c:\program
files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
02 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\spybot - Search & Destroy\SDHelper.dll
03 - Tool bar: &Radio - {8E718888-423F-11D2-876E-OOAOC9082467} ­C:\WINDOWs\system32\msdxm.ocx
04 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\soundMAX\smtray.exe
04 - HKLM\..\Run: [NvcplDaemon] RUNDLL32.EXE C:\WINDOWs\system32\NvCpl.dll,NvStartup
04 - HKLM\..\Run: [nwiz] nwiz.exe /install
04 - HKLM\..\Run: [monitr32] c:\Program Files\canon\MultiPAsS4\monitr32.exe
04 - HKLM\..\Run: [MPTBOX] c:\Program Files\canon\MultiPASS4\MPTBox.exe
04 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] c:\program Files\Iomega\Iomega Automatic Backup\ ibackup.exe
04 - HKLM\..\Run: [ADuserMon] C:\Program Files\Iomega\AutoDisk\ADuserMon.exe
04 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
04 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
04 - HKLM\.. \Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGUard.exe"
Page 1

[Gishmonster]

Hi
No one has helped me , Yet.

I have tried to figure this out using HJT. I found the CSRSS.EXE virus.
I removed it using HJT and removed the EXE file in theWindows folder. Very confusing since there are legitimate Windows CSRSS files also. I did this in Safe mode and cleaned the backup files and had Restore OFF.
It says this virus deletes the following services.

SAVScan
SharedAccess
Symantec Core LC
kavsvc
navapsvc
wauserv

On reboot I ran HJT in regular mode and it is gone. I am posting a new HJT log just in case someone will help me.
I still can not run MSConfig. I tried to remove SpyBot and SpyWareCleaner, and it says the Uninstall file is corrupted or removed. They did not work. So I removed them with HJT and reinstalled Spybot and now it works. Although HJT showed Norton as installed it would not run do to corruption. I removed it and it came out with just a little error message I clicked ignor on.

SO - My problem now is how do I get the rest of my computer working again???

I tried to install the Win XP disk that came out for SP2 and it says I need to activate JAVA Script. I went into EI and activated everything that had JAVA in it, but it did not help.
I do not know if this will fix Windows or not. But since I am flailing in the wind here it seemed worth a try. Or SP2 may bomb out and take out XP and I will be forced to Reformat.

ANY HELP WOULD BE APPRCIATED.
THANKS
Gishmonster

Logfile of HijackThis v1.99.1
Scan saved at 3:01:17 PM, on 9/17/2004
Platform: windows XP sp1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 sp1 (6.00.2800.1106)

hijackthis

Running processes:
C:\WINDOWs\system32\smss.exe
C:\WINDOWs\system32\csrss.exe
C:\WINDOWs\system32\winlogon.exe
C:\WINDOWs\system32\services.exe
C:\WINDOWs\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWs\system32\svchost.exe
C:\WINDOWs\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Analog Devices\soundMAX\smtray.exe
c:\program Files\canon\MultiPAss4\monitr32.exe
c:\Program Files\Analog Devices\soundMAX\Smtray.exe
C:\WINDOWS\system32\nwiz.exe
c:\Program Files\canon\MultiPASS4\MPTBox.exe
c:\program Files\canon\MultiPASS4\monitr32.exe
c:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWs\system32\RUNDLL32.EXE
c:\Program Files\EarthLink TotalAccess\Taskpanl.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
c:\Program Files\common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWs\system32\alg.exe
c:\program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA 1\Iomega\system32\AppServices.exe
c:\Program Files\canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWs\system32\nvsvc32.exe
C:\Program Files\Analog Devices\soundMAX\SMAgent.exe
C:\Program Files\Pwrchute\ups.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDows\explorer.exe
C:\EXE2\HiJackThis\HijackThis1991.exe
R1 - HKCU\software\Microsoft\Internet Explorer\Main,Default_page_uRL = http://start.earthlink.net
R1 - HKCU\software\Microsoft\Internet Explorer\Main,Default_search_uRL =
http://www.earthlink...ton/search.html
R0 - HKCU\software\Microsoft\Internet Explorer\Main,start page = http://start.earthlink.net/
02 - BHO: AcroIEHlprobj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BEOB3} - c:\program
files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
02 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\spybot - Search & Destroy\SDHelper.dll
03 - Tool bar: &Radio - {8E718888-423F-11D2-876E-OOAOC9082467} ­C:\WINDOWs\system32\msdxm.ocx
04 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\soundMAX\smtray.exe
04 - HKLM\..\Run: [NvcplDaemon] RUNDLL32.EXE C:\WINDOWs\system32\NvCpl.dll,NvStartup
04 - HKLM\..\Run: [nwiz] nwiz.exe /install
04 - HKLM\..\Run: [monitr32] c:\Program Files\canon\MultiPAsS4\monitr32.exe
04 - HKLM\..\Run: [MPTBOX] c:\Program Files\canon\MultiPASS4\MPTBox.exe
04 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] c:\program Files\Iomega\Iomega Automatic Backup\ ibackup.exe
04 - HKLM\..\Run: [ADuserMon] C:\Program Files\Iomega\AutoDisk\ADuserMon.exe
04 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
04 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
04 - HKLM\.. \Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGUard.exe"
Page 1

[Gishmonster]

HI
Well this forum is a wealth of information for those who get answers. Unfotunatley, after 7 days of waiting and getting no help, I continued hacking at this problem myself, and have had to reformat and reload.
The last virus found was with Avast, it found the Tenga. After finding 1366 infected .exe files the machine would not reboot on there removal.


If a Staff member reads this, please Close.

[Excal]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.