He


#1 UnreaL253

Okay people, I am about to explode. I am very irritated, upset, and very frustrated. For the past 4 straight days, I've been trying to fix this problem with my computer. I am going to give you all the information I have and I ask that anyone help me.

Okay first my computer specs are: Windows XP Professional SP2, AMD 64 3200+, 1GB DDR RAM, Shuttle AN50r motherboard, 80 GB Master, 250 GB Slave.

Now I was on my computer and I was trying to enable network sharing so my family can get some files from my computer. I read somewhere that if I enable NetBIOS it would work. So I enabled it, but it didn't work, but then a few minutes later I get this popup of the Command Prompt, then a few seconds later a window titled "Sitebar! Internet Explorer Add In". Okay, I was like, whatever, it's a popup. Here's a picture of the popup:

Posted Image

So I then continue doing whatever, then my internet won't work in my Internet Explorer. So at first I thought it was my router or cable modem. But no, it wasn't, because the rest of the computers on the network work fine. So I restart, still nothing. Then I run spyware, antivirus, everything, and I had a couple of adware but nothing important. So then I'm like, wow. I go to My Computer and in my C drive I see a bunch of files I have no idea about, but I figured they were spyware. Here's a pic of that:



Posted Image

Okay, now I delete these files, then I restart and log in, then a few minutes in I get the popup again with Sitebar and the Command Prompt. All over again. For hours I spend trying to figure out what it is. I research low.exe, and I come across: http://www.virus-sca...enis-worm.shtml

It states that that worm spreads over NetBIOS, so I disabled it and restarted, did spyware scans, everything. Nothing worked, the popup still comes up. So I got to the point of, okay, I'm just gonna format and reinstall. I have 2 hard drives, so I disconnected my larger hard drive full of media and other stuff. So I format my Windows hard drive, install Windows and everything, put SP2 back on, and connect my secondary hard drive. A few minutes later it's back. After format. I'm like, omg, wow. Internet still won't work. So I figured it probably came from my secondary hard drive, so I transferred the files I really, really wanted/needed to my bro's hard drive, formatted, and then put the files back. I formatted my computer and reconnected the comp, and it came back. And now I came across a similar topic on this site: http://www.geekstogo...showtopic=52721

I followed that topic but no luck. Please, for the love of god, someone help me. I just bought F.E.A.R., Age of Empires 3, and Quake 4, and now I can't play them. I'm begging.

Here's the HijackThis log while the popup is running:

Logfile of HijackThis v1.99.1
Scan saved at 12:15:54 AM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Tech\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Tech\Norton AntiVirus\navapsvc.exe
C:\Program Files\Tech\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Tech\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Tech\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ONLINE~1\AIM\aim.exe
C:\WINDOWS\system32\cmd.exe
C:\tb.exe
C:\Program Files\Tech\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Mustafa\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Tech\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Tech\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\Tech\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\ONLINE~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] F:\Program Files\Games\Valve\Steam.exe -silent
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\Tech\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\ONLINE~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{43A6612D-0AC6-4BCA-83EC-488FBBBB334E}: NameServer = 68.168.240.2,68.168.240.5
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\Tech\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Tech\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Tech\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Tech\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Tech\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Here's the HijackThis log with the popup off:

Logfile of HijackThis v1.99.1
Scan saved at 12:42:43 AM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Tech\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Tech\Norton AntiVirus\navapsvc.exe
C:\Program Files\Tech\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Tech\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Tech\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ONLINE~1\AIM\aim.exe
C:\Program Files\Tech\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Mustafa\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Tech\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Tech\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\Tech\iolo\System Mechanic Professional 6\SystemGuardAlerter.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\ONLINE~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] F:\Program Files\Games\Valve\Steam.exe -silent
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\Tech\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\ONLINE~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{43A6612D-0AC6-4BCA-83EC-488FBBBB334E}: NameServer = 68.168.240.2,68.168.240.5
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\Tech\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Tech\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Tech\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Tech\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Tech\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
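The two logs above differ in exactly the way a masquerade shows up: a second lsass.exe running from C:\WINDOWS instead of C:\WINDOWS\system32, registered as an O23 service with no vendor name, plus cmd.exe and C:\tb.exe appearing only while the popup is up. The script below is an added example, not part of the original post and not HijackThis itself; it parses HijackThis 1.99 text logs and flags those three patterns, then diffs the two process snapshots. The list of System32-only binaries and the trusted install directories are assumptions for this example, and the embedded logs are constructed excerpts of the two posted above.

```python
import re

# Binaries that only ever run from %SystemRoot%\System32 on Windows XP.
# The same file name anywhere else is a masquerade, which is exactly what
# C:\WINDOWS\lsass.exe in the logs above is. (List is an assumption.)
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Usual homes of installed service binaries (assumption for this example).
TRUSTED_PARENTS = ("c:\\windows\\system32\\", "c:\\program files\\",
                   "c:\\progra~1\\")

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed excerpts of the two logs in the post above: popup running,
# then popup off. Only lines the checks below care about are kept.
LOG_POPUP = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\cmd.exe
C:\tb.exe
C:\Documents and Settings\Mustafa\Desktop\HijackThis.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""
LOG_QUIET = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\lsass.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Mustafa\Desktop\HijackThis.exe
"""

def parse_processes(log):
    """Paths listed under 'Running processes:' up to the first blank line."""
    paths, collecting = [], False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            collecting = True
        elif collecting:
            if not line:
                break
            paths.append(line)
    return paths

def parse_services(log):
    """(name, owner, path) for every O23 service line."""
    found = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            found.append((m["name"], m["owner"], m["path"]))
    return found

def _split(path):
    parent, _, name = path.lower().rpartition("\\")
    return parent, name

def suspicious_processes(paths):
    """(path, reason) for processes that look like masquerades or droppers."""
    findings = []
    for p in paths:
        parent, name = _split(p)
        if name in SYSTEM32_ONLY and not parent.endswith("\\system32"):
            findings.append((p, "system binary name outside System32"))
        # Something like C:\tb.exe: an executable sitting in the drive root.
        if re.fullmatch(r"[a-z]:", parent) and name.endswith((".exe", ".bat", ".com", ".scr")):
            findings.append((p, "executable running from drive root"))
    return findings

def suspicious_services(services):
    """(name, path, reason) for O23 entries worth a second look.
    HijackThis prints 'Unknown owner' when the file has no company name."""
    findings = []
    for name, owner, path in services:
        parent, base = _split(path)
        if base in SYSTEM32_ONLY and not parent.endswith("\\system32"):
            findings.append((name, path, "service binary uses a system name outside System32"))
        elif owner == "Unknown owner" and not path.lower().startswith(TRUSTED_PARENTS):
            findings.append((name, path, "no vendor name and outside the usual install directories"))
    return findings

def diff_processes(log_a, log_b):
    """(only in a, only in b): what ran with the popup up and what did not."""
    a = {p.lower() for p in parse_processes(log_a)}
    b = {p.lower() for p in parse_processes(log_b)}
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    print(suspicious_processes(parse_processes(LOG_POPUP)))
    print(suspicious_services(parse_services(LOG_POPUP)))
    print(diff_processes(LOG_POPUP, LOG_QUIET))
```

Run against the full logs, the process check flags only C:\WINDOWS\lsass.exe and C:\tb.exe, the service check flags only the bogus "lsass" service, and the diff shows cmd.exe and tb.exe present solely in the popup snapshot. The name-versus-directory rule is the important one: a file named lsass.exe is not suspicious, a file named lsass.exe outside System32 always is.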

#2 federsel

Please, I need help with the exact same thing.

#3 UnreaL253 (Topic Starter)

Hey federsel, another person private messaged me with the solution. I didn't use it because I formatted and didn't let any network access go by where that spyware might be. But if you still have the problem, here is what the guy said:

Hey, what's up. I'm not a staff member, so I can't reply to your topic, but I got infected by the same horrible spyware that you posted about (the Internet Explorer Sitebar). After some exhaustive searching, I found the solution:

This should take care of the problem until the anti-spyware companies get this puppy into their definitions.

1. Go into Safe Mode.

2. Delete the following files from the C:\ directory:

zxvcc73x.exe
is.exe
low.exe
sw.bat
tb.exe
xe.exe

3. Go to Tools > Folder Options > View and, under Advanced settings, uncheck "Hide protected operating system files" and check "Show hidden files and folders", then press OK to exit.

4. Go to C:\WINDOWS and lsass.exe should be visible now. Delete it. This is a trojan (fake) version of the REAL lsass.exe, which should be in C:\WINDOWS\system32.

5. Go to the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lsass
and delete the whole lsass folder. It shouldn't be there on a normal computer.

6. Restart and it should be gone.

7. Do scans if you are paranoid.


I got this info from a thread on DSLReports...here:

http://www.dslreport...remark,14621594

Good luck!

(by noahlh)
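After the reboot in step 6, it is worth confirming that all three things the reply names are really gone before trusting the machine on the network again. The script below is an added example, not from the thread or any tool it mentions. It assumes Python is available on the affected Windows host and uses the file names, the C:\WINDOWS location and the registry key from the reply; the drive-root and Windows-directory arguments exist so the file checks can also be exercised against a scratch tree.

```python
import os

# The files the reply says the dropper leaves in the root of C:\ (step 2).
DROPPER_FILES = ("zxvcc73x.exe", "is.exe", "low.exe", "sw.bat", "tb.exe", "xe.exe")
# The bogus service key from step 5.
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\lsass"

def leftover_droppers(drive_root):
    """Dropper names still present directly in drive_root (case-insensitive)."""
    present = {n.lower() for n in os.listdir(drive_root)}
    return [n for n in DROPPER_FILES if n.lower() in present]

def misplaced_lsass(windows_dir):
    """Path of an lsass.exe sitting directly in windows_dir, or None.

    Only the location the reply names is checked. Do not walk the whole tree:
    Windows File Protection keeps legitimate copies of lsass.exe under
    System32\\dllcache and ServicePackFiles\\i386, which would be false hits.
    A stat() sees hidden/system files, so step 3 (unhiding) is not needed here.
    """
    candidate = os.path.join(windows_dir, "lsass.exe")
    return candidate if os.path.isfile(candidate) else None

def service_key_exists(key_path=SERVICE_KEY):
    """True/False on Windows; None when winreg is unavailable (non-Windows)."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path):
            return True
    except OSError:
        return False

def verify_cleanup(drive_root, windows_dir):
    """Collect everything from the reply's list that is still on the box."""
    findings = {}
    left = leftover_droppers(drive_root)
    if left:
        findings["root_files"] = left
    fake = misplaced_lsass(windows_dir)
    if fake:
        findings["fake_lsass"] = fake
    if service_key_exists():
        findings["service_key"] = SERVICE_KEY
    return findings

if __name__ == "__main__":
    # Defaults come from the environment of the host being checked.
    root = os.environ.get("SystemDrive", "C:") + "\\"
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    result = verify_cleanup(root, windir)
    print("clean" if not result else result)
```

An empty result means the three artefacts are gone; anything else means the cleanup did not stick and the files or key came back, which on this thread's evidence points at the second drive or another host on the share being the source.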