another raze infection

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Mr Dewolf

Thread Starter
Joined
Jan 7, 2006
Messages
14
I have downloaded many of the programs noted in the other threads and have tried to clean this mess up. However, I am at the point where the screen flicks from gray to white and it appears this problem is not completely gone. Help!!

I am running Windows 2000 Professional Service Pack 4 (build 2195)

Thank you for your assistance!

Below is the logfile.


Logfile of HijackThis v1.99.1
Scan saved at 10:45:28 AM, on 1/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\my.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {292AA44C-30FD-9D99-F5F2-1BA94C7FC96F} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\Msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NVIDIA nForce APU1 Utilities] NVATray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda TruPrevent Personal 2006\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {1E5B9B04-588D-19FD-B63B-120D777ACC62} - http://69.50.182.94/1/rdgUS1754.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/stx/install.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda TruPrevent Personal 2006\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda truprevent personal 2006\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda TruPrevent Personal 2006\PsImSvc.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file missing)
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda TruPrevent Personal 2006\TPSrv.exe
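The helpers in this thread judge the log by eye: an empty Local Page, a missing URLSearchHook, a BHO with no file behind it, a DPF entry fetching a bare .exe from a raw IP address, and a service with no vendor name. The following is an added example (not from the thread, the site, or HijackThis) that encodes those same triage heuristics over sample log lines constructed to mirror the posted entries:

```python
# Added example (not from the thread or from HijackThis): a few of the
# triage heuristics the helpers above applied by hand, run over sample
# log lines constructed to mirror entries in the posted log.
import re

SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {292AA44C-30FD-9D99-F5F2-1BA94C7FC96F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O16 - DPF: {1E5B9B04-588D-19FD-B63B-120D777ACC62} - http://69.50.182.94/1/rdgUS1754.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O23 - Service: Network Monitor - Unknown owner - C:\\Program Files\\Network Monitor\\netmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINNT\\system32\\nvsvc32.exe
"""

# Download URL whose host is a bare IPv4 address rather than a vendor hostname.
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)
# A DPF entry normally carries a class name in parentheses right after the CLSID.
NAMED_DPF = re.compile(r"^O16 - DPF: \{[^}]+\} \(")

def triage_line(line):
    """Return the reasons one HijackThis line deserves review (empty list = nothing flagged)."""
    reasons = []
    kind = line.split(" - ", 1)[0]
    if kind == "R0" and line.rstrip().endswith("="):
        reasons.append("empty Local Page value: leftover of a hijacked start page")
    if kind == "R3" and "is missing" in line:
        reasons.append("default URLSearchHook missing: a hijacker may have removed it")
    if kind == "O2" and "(no file)" in line:
        reasons.append("BHO registered but its DLL is gone: orphaned or half-removed component")
    if kind == "O16":
        if IP_URL.search(line):
            reasons.append("DPF fetched from a bare IP address instead of a vendor host")
        if line.rstrip().lower().endswith(".exe"):
            reasons.append("DPF points at a raw .exe instead of a signed .cab package")
        if not NAMED_DPF.match(line):
            reasons.append("DPF entry has no class name")
    if kind == "O23":
        if "Unknown owner" in line:
            reasons.append("service with no vendor: verify the binary's publisher and path")
        if "(file missing)" in line:
            reasons.append("service binary missing: stale entry")
    return reasons

def triage(log_text):
    """Map each flagged log line to its reasons; clean lines are omitted."""
    findings = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings
```

On the sample above this flags five lines, with the bare-IP .exe DPF entry collecting three separate reasons, while the Java BHO and NVIDIA service lines pass untouched.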
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find:

Network Monitor

Right click and choose "Properties".
On the "General" tab under "Service Status" click the "Stop" button to stop the service.
Beside "Startup Type" in the dropdown menu select "Disabled".
Click Apply then OK.
Exit the Services utility.

Download smitRem.exe:

http://noahdfear.geekstogo.com/click counter/click.php?id=1.

Save the file to your desktop.
It is a self extracting file.
Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {292AA44C-30FD-9D99-F5F2-1BA94C7FC96F} - (no file)


Then boot to safe mode:

How to restart to safe mode

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When the scan is finished, look at the bottom of the screen and click the Save report button.

Save the report to your desktop

Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

Restart back into Windows normally now.

Before doing this, write down all the settings. Note that not all system/setups even have these settings, while some connection services will require them.

These instructions are basically for home users.

In the windows control panel, if you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.

Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

Press OK twice to get out of the properties screen and reboot if it asks.

That option might not be available on some systems.


Next Go start run type cmd and hit OK and type:

ipconfig /flushdns

Then hit enter, type exit and hit enter again. (The space between g and / is needed)


Run ActiveScan online virus scan here:

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, have it clean anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.

- Save the results from the scan!

Post a new HijackThis log along with the results from the Ewido and Panda scans
 

Mr Dewolf

Thread Starter
Joined
Jan 7, 2006
Messages
14
Arugh! Ok, I did something stupid. I was following the directions well up to the point where "Restart back into Windows normally now." I went on to "next go start run type.. ipconfig /flushdns" Then I did the activescan part and after scanning it suggested I download the latest microsoft updates. Which I did. Then things got worse....First my system seems to be free of any virus or malware/spyware. But I can not access the internet or see other computers on the network neighborhood. This is a home network system. Total three computers. I am on one of the others now and have internet access. Help me, I've fallen and can't get up!

Thanks!!!
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
re-enable network monitor, which SHOULD NOT have been disabled as it appears legitimate and NOT the trojan one

see if that cures the problem

Edited:

see my post further down It might well be malicious
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
then open the network control panel as described earlier & write down the settings there & compare them with a working computer on that network

I am guessing that you need to put 192.168.1.1 as a dns server to get it to work on the network
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
hold off on re-enabling the network monitor, it might be bad after all

try this to get connection back

it's small enough to download on to another computer and transfer via floppy

Download LSPfix here: http://www.cexx.org/lspfix.htm
run the application. Just run it, you will see a list of files in the left hand pane and possibly some in the right hand pane. Do not change any of them, just tick the "I know what I'm doing" box & press finish and the program will do anything necessary
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
Sorry for this mishap, but firstly, it was never indicated that the computer was in a network; secondly, all my searches returned netmon.exe as a trojan.

Has the issue been resolved?
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
JSntgRvr said:
Sorry for this mishap, but firstly, it was never indicated that the computer was in a network; secondly, all my searches returned netmon.exe as a trojan.

Has the issue been resolved?
Netmon.exe in system32 is 99% sure to be a trojan but in program files it's slightly different

it's confusing but there appear to be 3 versions of netmon out there

2 in program files
and 1 in system32

one of those is a m$ program that is infrequently used in W2K & XP and one definitely bad that is always in system 32 ( or system in 98/ME)

it is starting to look like the version here is a new baddie & not the M$ one

some AV's are saying it's bad and some are dubious but we are looking at it

when the poster comes back we can find out more
 

Mr Dewolf

Thread Starter
Joined
Jan 7, 2006
Messages
14
Once I found a floppy, it hit me, the computer doesn't have a floppy, but a cd-rom works. Ok so I... Download LSPfix here: http://www.cexx.org/lspfix.htm, and copy it to the "infected computer" and run the application. Do the following... Just tick the "I know what I'm doing" box & press finish and the program will do anything necessary... and nothing better.

The two problems are no internet connection and no connection to the network. Is it possible to tackle the internet connection and then the network or are they tied together?

Plus I may not be looking in the right place, but I can't find the network control panel, (I'm running Windows 2000 Professional Service Pack 4 (build 2195)). I was able to find the network and dial up connection folder, same thing?

Thank you for your patience and help!
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
Well, I am not a Network expert, but from your replies, it seems that you lost your connection after downloading Windows Updates and not necessarily due to the fix. It is also possible that the issue is due to a combination of a third-party proxy product that uses only basic authentication and Windows updates.

There is a fix developed by Microsoft that you may use if that is the case:

Internet Explorer 6 SP1 Update: You Cannot Connect to the Internet After You Install Microsoft Updates (411 kb):

http://www.microsoft.com/downloads/...FB-4F39-49B2-9276-F84813DA415C&displaylang=en

Go to the Internet Options, then the Connections tab, click on LAN Settings. LAN Settings contains sections for Automatic Configuration and Proxy Server. What is indicated therein?

Also try the following:

Open a command prompt. Type the following and press Enter:

ipconfig /all

ping 127.0.0.1

Are you able to provide us with the information displayed on screen after these commands?

Is the following option available in your system?

In the windows control panel, select the Network and Internet Connections category or Network Connections.

Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
How do you connect to the Internet, through Dial-up or DSL?
 

Mr Dewolf

Thread Starter
Joined
Jan 7, 2006
Messages
14
Here is the latest:

Ran the Microsoft program to correct the loss of internet connections. Message: "This update requires IE 6.0 Service Pack 1 to be installed." I am running IE 6.0.2800.1106, cipher strength: 128-bit, update versions:; SP1; 0823353

Checked the Internet options.. LAN settings, the box is checked for Automatically detect settings, both use auto config script and use a proxy server are unchecked.

Checked the TCP/IP properties; the radio dial for obtain DNS servers Automatically was already selected (I unselected and then reselected it).
Results of ipconfig /all:

Host name: peter-pan
primary DNS suffix: (blank)
node type: broadcast
IP routing enabled: no
WINS proxy enabled: no

Ethernet adapter
connection-specific DNS suffix: (blank)

Description: NVIDIA nforce MCP Network adapter
physical address: yes
DHCP enabled: yes
Auto config enabled: yes
Auto config IP address: 169.254.162.205
Subnet Mask: 255.255.0.0
Default Gateway: (blank)
DNS servers: 192.168.1.1

Result of ping 127.0.0.1

pinging 127.. with 32bytes of data
reply from 127..bytes=32, time<10ms, TTL=128
(repeated 4x)
ping statistics for 127..
Packets sent 4, received=4. lost = 0
approx round trip overall =0ms

FYI
Upon boot up the following message appears: an error occurred while reconnecting z: to \\De_wolf\CHRIS DRIVE Microsoft Windows Network: The network path was not found.

I connect to the internet via cable-Time Warner roadrunner. The other two computers at home have no problem but both are running windows 98.

Thanks!!!
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
I've asked one of the networking experts to take a look at this because those settings look wrong to me
 

JohnWill

Retired Moderator
Joined
Oct 19, 2002
Messages
106,429
First, let's try this Automated WINSOCK Fix all Windows Versions.

The 169.254.x.x address you're getting indicates that the machine doesn't see a DHCP server. This can be a number of things, WINSOCK corruption is the most likely since you just removed a bunch of malware. If that fails, I'd be looking at the cable, the NIC, or the connection at the other end.
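The diagnosis above can be checked mechanically from the pasted `ipconfig /all` text. The following is an added example (not from the thread or from any of the posters) that parses a Windows 2000 style dump into fields and reports the symptoms JohnWill describes; the sample text is constructed to match the values the poster reported, and the field names assume Windows 2000's dot-leader formatting.

```python
# Added example (not from the thread): parse a Windows 2000 style
# `ipconfig /all` dump and check it for the symptoms JohnWill describes.
# The sample below is constructed to match the values the poster reported.
import ipaddress

SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : peter-pan
        Primary DNS Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.162.205
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

APIPA = ipaddress.ip_network("169.254.0.0/16")  # link-local range Windows self-assigns when DHCP fails

def parse_ipconfig(text):
    """Return {section: {field: value}}; fields before the first adapter header go under 'global'."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " . " not in line:                     # no dot leaders: adapter header or title line
            if line.endswith(":"):
                current = line[:-1]
                sections.setdefault(current, {})
            continue
        key, _, value = line.partition(":")
        sections[current][key.replace(".", "").strip()] = value.strip()
    return sections

def diagnose(adapter):
    """List the problems visible in one adapter's parsed fields."""
    findings = []
    addr = adapter.get("Autoconfiguration IP Address") or adapter.get("IP Address", "")
    if addr and ipaddress.ip_address(addr) in APIPA:
        findings.append(f"APIPA address {addr}: no DHCP lease was obtained")
    if adapter.get("DHCP Enabled") == "Yes" and "Autoconfiguration IP Address" in adapter:
        findings.append("DHCP is enabled but the stack fell back to autoconfiguration")
    if not adapter.get("Default Gateway"):
        findings.append("no default gateway: nothing beyond the local subnet is reachable")
    dns, mask = adapter.get("DNS Servers", ""), adapter.get("Subnet Mask", "255.255.255.255")
    if addr and dns:
        local = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if ipaddress.ip_address(dns) not in local and not adapter.get("Default Gateway"):
            findings.append(f"DNS server {dns} is off-subnet with no gateway: name lookups cannot succeed")
    return findings
```

The last finding is why IE reports "cannot find server or DNS error": the configured DNS server 192.168.1.1 sits outside the self-assigned 169.254.0.0/16 network and no gateway exists to reach it.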
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Joined
Jul 1, 2003
Messages
18,552
LSPFIX has already been tried, John.
 

Mr Dewolf

Thread Starter
Joined
Jan 7, 2006
Messages
14
Yes, I have run the Lsp fix and nothing. Before and during the Raze-virus, I was able to access the internet and hit the network. Upon the suggestion of the activescan software, I downloaded the Microsoft updates. After the reboot, no internet-no network. My thoughts take me to maybe something so simple it is being overlooked. After rebooting, Spybot recognizes & wants to try and fix the "damaged" connection but is unsuccessful. Microsoft message is "The network path was not found". When I load IE, the bottom of the Error Page shows "cannot find server or DNS error". Should I resend current copies of reports, files or settings? I could go through a new check list of things in a specific order to verify the correct settings if that will help.

Thanks!!!
 