[UnreaL253]

Okay people, I am about to explode. I am very irriatated, upset, and very frustrated. Past 4 straight days, Ive been trying to fix this problem with my computer. I am going to give you all the information I have and I ask that anyone help me.

Okay first my computer specs are: Windows XP Professional SP2, AMD 64 3200+, 1GB DDR RAM, Shuttle AN50r motherboard, 80 GB Master, 250 GB Slave.

Now I was on my computer and I was trying to enable network sharing so my family can get some files from my computer, I read somewhere if I enable NetBIOS it would work. So I enabled it but it didnt work but then a few minutes later I get this popup of the Command Prompt, then a few seconds later a window titled "Sitebar! Internet Explorer Add In" okay I was like whatever its a popup. Heres a picture of the popup:



So I then continue to doing whatever, then my internet wont work in my internet explorer. So at first I thought it was my router or cable modem. But no it wasnt because rest of computers on network work fine. So I restart, still nothing. Then I run spyware, antivirus, everything and I had a couple adware but nothing important. So then Im like wow, I go to My Computer and in my C drive, I see a bunch of files I have no idea what but I figured they were spyware. Heres a pic of that:





Okay now I delete these files okay, then I restart log in, then a few minutes in I get the popup again with site bar and command prompt. All over again. For hours I spend trying to figure out what it is. I research low.exe, and I come across: http://www.virus-sca...enis-worm.shtml

It states that that worm spreads over netbios and so I disabled it and restarted did spyware scans, everything. Nothing worked, the popup still comes up. So I got to the point of okay Im just gonna format and reinstall. I have 2 hard drives so I disconnected my larger harddrive full of media and other stuff. So I format my windows hard drive install windows and everything, put sp2 back on, and connect my secondary hard drive. A few minutes later its back. After format. Im like omg wow. Internet still wont work. So I figured it probably came from my secondary hard drive, so I transferred files I really really wanted/needed to my bro's hard drive and formatted and then put files back. I formatted my computer and reconnected comp, it came back. And now I came across a similar topic in this site: http://www.geekstogo...showtopic=52721

I followed that topic but no luck. Please for the love of god someone help me. I just bought F.E.A.R. , Age of Empires 3, and Quake 4, and now I cant play them. Im begging.

Heres the Hijack logfile while the popup is running:

Logfile of HijackThis v1.99.1
Scan saved at 12:15:54 AM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Tech\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Tech\Norton AntiVirus\navapsvc.exe
C:\Program Files\Tech\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Tech\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Tech\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ONLINE~1\AIM\aim.exe
C:\WINDOWS\system32\cmd.exe
C:\tb.exe
C:\Program Files\Tech\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Mustafa\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Tech\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Tech\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\Tech\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\ONLINE~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] F:\Program Files\Games\Valve\Steam.exe -silent
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\Tech\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\ONLINE~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{43A6612D-0AC6-4BCA-83EC-488FBBBB334E}: NameServer = 68.168.240.2,68.168.240.5
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\Tech\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Tech\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Tech\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Tech\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Tech\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe






Heres the Hijack logfile with it off:

Logfile of HijackThis v1.99.1
Scan saved at 12:42:43 AM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Tech\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Tech\Norton AntiVirus\navapsvc.exe
C:\Program Files\Tech\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Tech\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Tech\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ONLINE~1\AIM\aim.exe
C:\Program Files\Tech\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Mustafa\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Tech\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Tech\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\Tech\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\ONLINE~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] F:\Program Files\Games\Valve\Steam.exe -silent
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\Tech\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\ONLINE~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{43A6612D-0AC6-4BCA-83EC-488FBBBB334E}: NameServer = 68.168.240.2,68.168.240.5
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\Tech\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Tech\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Tech\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Tech\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Tech\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[Advertisements]

please, I need help with the exact same thing.

[federsel]

please, I need help with the exact same thing.

[UnreaL253]

Hey federsel, another person private messaged me with the solution, I didnt use it because I formatted and didnt let any network access go by where that spyware might be. But if you still have the problem here is what the guy said:

Hey what's up -- I'm not a staff member so can't reply to your topic, but I got infected by the same horrible spyware that you posted about (the Internet Explorer Sitebar). After some exhaustive searching, I found the solution:

This should take care of the problem until the anti-spyware co's get this puppy into the definitions.

1. go into safe mode

2. delete the following files from the C:\ directory:

zxvcc73x.exe
is.exe
low.exe
sw.bat
tb.exe
xe.exe

3. go to tools/folder options/view/ and under advanced settings, uncheck "hide protected operating system files" and check "show hidden files and folders" then press okay to exit

4. go to c:\windows and lsass.exe should be visible now. delete it. this is a trojan (fake) version of the REAL laass.exe, which should be in c:\windows\system32.

5. go to the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass
and delete the whole lsass folder. it shouldnt be there on a normal computer

6. restart and it should be gone.

7. do scans if you are paranoid.


I got this info from a thread on DSLReports...here:

http://www.dslreport...remark,14621594

Good luck!

(by noahlh)