Computer reboots/Task manager disabled

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

KrimsonKing

Thread Starter
Joined
Jul 8, 2005
Messages
4
Hi =)
Since yesterday my computer has been completely crippled...

I started getting random popups and my start page had changed, so I ran Microsoft AntiSpyware... When the scan is halfway through my computer reboots... I tried with Norton and Ad-Aware, but they also reboot halfway through the scan...
My task manager is also disabled, and my background has changed to a blue screen that says something along the lines of: "System Stopped. System has been stopped due to a serious malfunction. Spyware activity has been detected."

Here is my hijackthis.log:

Logfile of HijackThis v1.99.1
Scan saved at 02:58:15 p.m., on 08/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Winamp\Winamp.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer proporcionado por PC Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *new-search.net*;*x-google.net*
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{3F72BEB7-7B3F-44C6-8817-9A0B1773B058}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{607FBC05-5EC0-4965-B8A6-E2A430F5DF9F}\SECURITY.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{607FBC05-5EC0-4965-B8A6-E2A430F5DF9F}\SECURITY.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [Epcu] C:\Archivos de programa\toac\auah.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://latam.msn.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1113624962161
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4600
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: System - {323639AE-C965-4413-AC61-4C764E53906C} - vr_sys.dll (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe

Any ideas on what's going on or how to fix it?

Thanks in advance.. =)
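Reading a HijackThis log by hand is what the helpers in this thread do; the entries that matter here are the F2 Shell= line (a second executable launched with Explorer at logon), the O4 Run entries living in GUID-named folders under System32\Services or at the drive root, the O15 Trusted Zone and Trusted IP range entries, the O16 ActiveX download from mt-download.com, and the O20/O21 logon hooks. The following script is an added example, my own code and not part of the original post, HijackThis or Tech Support Guy: it applies those checks to a handful of lines copied from the log above. The allowlists (Windows XP's own Winlogon notification packages, the hosts from which ActiveX downloads are expected) and the assumption that %SystemRoot% is C:\WINDOWS are mine and will need tuning for another machine. Requires Python 3.8 or later.

```python
"""Triage a HijackThis v1.99 log for the persistence and zone-tampering
patterns seen in this thread.  Added example; heuristics are my own."""
import re
from urllib.parse import urlparse

# Sample lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{3F72BEB7-7B3F-44C6-8817-9A0B1773B058}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{607FBC05-5EC0-4965-B8A6-E2A430F5DF9F}\SECURITY.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{607FBC05-5EC0-4965-B8A6-E2A430F5DF9F}\SECURITY.EXE
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4600
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O21 - SSODL: System - {323639AE-C965-4413-AC61-4C764E53906C} - vr_sys.dll (file missing)
"""

# Names of real Windows XP system binaries; one of these started from anywhere
# but %SystemRoot%\System32 is a masquerade.  Assumes %SystemRoot% = C:\WINDOWS.
SYSTEM_BINARY_NAMES = {"svchost.exe", "services.exe", "lsass.exe",
                       "winlogon.exe", "csrss.exe", "smss.exe"}
SYSTEM32_DIR = re.compile(r"^[a-z]:\\windows\\system32$")
# Winlogon notification packages that ship with Windows XP (my allowlist; extend
# it for third-party logon software before trusting a "clean" result).
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                         "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Hosts from which ActiveX (DPF) downloads are expected on this box (assumption).
TRUSTED_DPF_SUFFIXES = (".microsoft.com", ".msn.com")

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\\w+: \[[^\]]*\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: .* - (https?://\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - ")
O21_RE = re.compile(r"^O21 - SSODL: .* - \{[0-9A-Fa-f-]+\} - (\S+)")


def exe_path(value):
    """First executable named in an O4 value, with quotes and arguments dropped."""
    m = re.match(r'^"?(.*?\.exe)', value, re.IGNORECASE)
    return m.group(1) if m else value


def check_o4(value, seen, line):
    """Reasons an O4 Run entry deserves a second look (empty list if none)."""
    reasons = []
    path = exe_path(value).lower()
    dirname, _, filename = path.rpartition("\\")
    if re.search(r"\\system32\\services\\\{[0-9a-f-]+\}$", dirname):
        reasons.append("Run entry launched from a GUID-named folder under System32\\Services")
    if re.fullmatch(r"[a-z]:", dirname):
        reasons.append("executable dropped at the drive root")
    if filename in SYSTEM_BINARY_NAMES and not SYSTEM32_DIR.match(dirname):
        reasons.append(f"{filename} outside System32 (masquerades as a Windows binary)")
    if line in seen:
        reasons.append("identical Run line appears twice")
    seen.add(line)
    return reasons


def triage(log_text):
    """Return [(section, line, [reasons])] for every log line worth a closer look."""
    findings, seen_o4 = [], set()
    for line in (l.strip() for l in log_text.splitlines()):
        reasons = []
        if m := F2_RE.match(line):
            if m.group(1).strip().lower() != "explorer.exe":
                reasons.append("Shell= starts something besides Explorer.exe at logon")
        elif m := O4_RE.match(line):
            reasons = check_o4(m.group(2), seen_o4, line)
        elif line.startswith("O15 - "):
            reasons.append("domain/IP placed in IE's Trusted zone (weaker security settings apply)")
        elif m := O16_RE.match(line):
            host = urlparse(m.group(1)).hostname or ""
            if not host.endswith(TRUSTED_DPF_SUFFIXES):
                reasons.append(f"ActiveX download from unexpected host {host}")
        elif m := O20_RE.match(line):
            if m.group(1).lower() not in KNOWN_WINLOGON_NOTIFY:
                reasons.append("unknown Winlogon notification DLL (loaded into winlogon.exe)")
        elif m := O21_RE.match(line):
            if "(file missing)" in line or "\\" not in m.group(1):
                reasons.append("ShellServiceObjectDelayLoad entry with a missing or path-less DLL")
        if reasons:
            findings.append((line.split(" ", 1)[0], line, reasons))
    return findings


if __name__ == "__main__":
    for section, line, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {line}\n    -> " + "; ".join(reasons))
```

On the sample, ten lines are flagged. Note what the heuristics miss: the [System] kernels32.exe Run entry sits in the real System32 and passes every rule, and is only caught because the same file is named on the F2 Shell= line. A log triage script narrows the reading, it does not replace it.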
 

KrimsonKing

Thread Starter
Joined
Jul 8, 2005
Messages
4
Hey
Couldn't download AVG =/
Panda didn't fix everything it found...

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 06:12:44 p.m., on 08/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SVCHOST.EXE
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\toac\auah.exe
C:\Archivos de programa\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SVCHOST.EXE
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SECURITY.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Epcu] C:\Archivos de programa\toac\auah.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://latam.msn.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1113624962161
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
 
Joined
Jul 26, 2002
Messages
46,353
Hi KrimsonKing

Welcome to TSG! :)

The advice you have been given here is not going to remove the smitfraud trojan that you have from your system.


I am attaching a smitRembeta.zip file to this post.
  • Download it and save it to your desktop.
  • Unzip smitRembeta.zip to extract the four files it contains all to the same folder.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


* Go here to download CCleaner.
  • Install CCleaner
  • Launch CCleaner and look in the upper right corner and click on the "Options" button.
  • Click "Advanced" and remove the check by "Only delete files in Windows temp folders older than 48 hours".
  • Click OK
  • Do not run CCleaner yet. You will run it later in safe mode.


* Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Open the smitRembeta folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop


* Start Ccleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HijackThis log along with the results from ActiveScan and the ewido scan
 

Attachments

KrimsonKing

Thread Starter
Joined
Jul 8, 2005
Messages
4
=)
Things are looking good =)
Computer is working fine I think :p
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 09:04:34 p.m., on 08/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Winamp\winampa.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe
C:\Archivos de programa\Microsoft AntiSpyware\gcasDtServ.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\toac\auah.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://latam.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://latam.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SECURITY.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Epcu] C:\Archivos de programa\toac\auah.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://latam.msn.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1113624962161
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 08:25:33 p.m., 08/07/2005
+ Report-Checksum: 69B6AD3

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\HTASSstp -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\WTLBAstp -> Spyware.CoolWebSearch : Cleaned with backup
C:\Archivos de programa\Microsoft AntiSpyware\Quarantine\01635D0B-6FA9-460E-9656-04AD3C\AF8948A0-ED6C-4C25-8552-724D70 -> Spyware.MediaTickets : Cleaned with backup
C:\Archivos de programa\Microsoft AntiSpyware\Quarantine\255B85DB-08B3-442B-AC8B-329C40\D8480C66-FFE4-4005-A648-569FB2 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Archivos de programa\Microsoft AntiSpyware\Quarantine\4B94840B-93DF-4D44-B5F4-D3CA3B\FBC52A43-3F26-4E98-A605-92C8A3 -> Spyware.MediaTickets : Cleaned with backup
C:\Archivos de programa\Microsoft AntiSpyware\Quarantine\D4F82D0E-8894-4F6B-A2DE-D4D14C\F31F688A-7847-43BB-9CC5-A414BC -> Spyware.MediaTickets : Cleaned with backup
C:\Documents and Settings\PC\Configuración local\Archivos temporales de Internet\Content.IE5\2R2PATGB\z[1].exe -> Trojan.WebSearch.j : Cleaned with backup
C:\Documents and Settings\PC\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\PC\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\PC\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\PC\Cookies\[email protected][1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\PC\Cookies\[email protected][1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\PC\Cookies\[email protected][1].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings\PC\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\PC\Cookies\[email protected][2].txt -> Spyware.Cookie.Sidefind : Cleaned with backup
C:\Documents and Settings\PC\Cookies\[email protected][1].txt -> Spyware.Cookie.Ysbweb : Cleaned with backup
C:\loader.exe -> TrojanDownloader.Small.bas : Cleaned with backup
C:\sys.exe -> Trojan.WebSearch.j : Cleaned with backup
C:\WINDOWS\dload.exe -> Trojan.LowZones.bn : Cleaned with backup
C:\WINDOWS\sys203.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\sys3046.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\sys3047.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\sys4847.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\sys4856.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\sys522.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\sys523.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\sys918.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\sys952.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\system\svchost.exe -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system\svchosthook.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system32\maxd1.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\newdial.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SECURITY.DLL -> Trojan.WebSearch.i : Cleaned with backup
C:\WINDOWS\system32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SECURITY.EXE -> Trojan.WebSearch.j : Cleaned with backup
C:\WINDOWS\system32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SVCHOST.DLL -> Trojan.WebSearch.j : Cleaned with backup
C:\WINDOWS\system32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SVCHOST.EXE -> Trojan.WebSearch.j : Cleaned with backup
C:\WINDOWS\system32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SVCHOST32.DLL -> Trojan.WebSearch.j : Cleaned with backup
C:\WINDOWS\system32\win32.exe -> Trojan.Crypt.c : Cleaned with backup
C:\WINDOWS\system32\~update.exe -> Trojan.Crypt.c : Cleaned with backup


::Report End
 
Joined
Jul 26, 2002
Messages
46,353
* Download DelDomains.inf from here.

Rightclick DelDomains.inf and choose install.


* Run Hijack This again and put a check by this entry. Close ALL windows except HijackThis and click "Fix checked"

O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll



* Next, in Hijack This, click on the Config button in the lower right corner. In the next window click on the Misc Tools button at the top. Now click on the Delete a file on reboot... button. Either type or copy and paste this line in the "File name" box:

C:\WINDOWS\SYSTEM32\drct16.dll

You will be asked if you want to restart. Click Yes and let it restart.


* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HijackThis log along with the results from ActiveScan
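The O15 lines in the logs above come from the ZoneMap keys under HKCU and HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap: a Domains\<domain>[\<host>] subkey holds one DWORD per scheme ("http", "https" or "*") whose value is the zone number (1 intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites), and a Ranges\RangeN subkey holds a ":Range" string with the IP or range plus the same scheme values. The DelDomains.inf step above clears those entries wholesale. As an added example, my own code and not the tool the post refers to, here is a script that reads a regedit export of those keys, lists what has been put in the Trusted zone, and writes a .reg file that deletes only those keys (a leading "-" on a key line in a .reg file tells regedit to delete the key). The export text is constructed for the example; the domains and IP are the ones shown in the thread's logs, with an intranet and a Restricted-sites entry added to show that they are left alone. Requires Python 3.8 or later.

```python
"""List IE Trusted-zone entries in a .reg export of the ZoneMap keys and
build a .reg that deletes them.  Added example, not DelDomains.inf."""
import re
from collections import namedtuple

ZoneEntry = namedtuple("ZoneEntry", "hive kind pattern scheme zone key")
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed regedit export (same layout as File > Export in regedit).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\slotchbar.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example\files]
"http"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\badsite.example]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1]
":Range"="67.19.178.84"
"*"=dword:00000002

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ysbweb.com]
"*"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.*)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')
ZONEMAP = "software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\"


def parse_reg(text):
    """Return [(hive, key_path, {value_name: int | str})] for a .reg export."""
    keys, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            current = (m.group(1), m.group(2), {})
            keys.append(current)
        elif current and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            current[2][name] = int(dword, 16) if dword is not None else string
    return keys


def zone_entries(keys):
    """Turn ZoneMap Domains/Ranges keys into one ZoneEntry per scheme value."""
    entries = []
    for hive, path, values in keys:
        if not path.lower().startswith(ZONEMAP):
            continue
        kind, _, tail = path[len(ZONEMAP):].partition("\\")
        if kind.lower() == "domains":
            domain, _, host = tail.partition("\\")
            pattern = f"{host}.{domain}" if host else f"*.{domain}"
        elif kind.lower() == "ranges":
            pattern = values.get(":Range", "?")
        else:
            continue
        for scheme, zone in values.items():
            if isinstance(zone, int):               # skips the ":Range" string
                entries.append(ZoneEntry(hive, kind, pattern, scheme, zone,
                                         f"{hive}\\{path}"))
    return entries


def trusted(entries):
    """Entries mapped into zone 2 (Trusted sites), the ones the O15 lines show."""
    return [e for e in entries if e.zone == 2]


def removal_reg(entries):
    """A .reg file that deletes the keys behind the given entries."""
    keys = sorted({e.key for e in entries})
    return "Windows Registry Editor Version 5.00\n\n" + "".join(f"[-{k}]\n\n" for k in keys)


if __name__ == "__main__":
    found = zone_entries(parse_reg(SAMPLE_REG))
    for e in found:
        print(f"{e.hive[:9]:9} {ZONE_NAMES[e.zone]:16} {e.scheme:5} {e.pattern}")
    print(removal_reg(trusted(found)))
```

Run it against a real export (regedit, File > Export of each ZoneMap key, saved as Unicode or ANSI text) to check that the Trusted zone really is empty after the cleanup; the HKLM copy matters because HijackThis lists it separately with the "(HKLM)" suffix, as in the first log above.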
 

KrimsonKing

Thread Starter
Joined
Jul 8, 2005
Messages
4
Done =)
Activescan:

Incident Status Item

Adware:Adware/MediaTickets Not disinfected C:\Archivos de programa\Microsoft AntiSpyware\Quarantine\01635D0B-6FA9-460E-9656-04AD3C\A614F44B-62F5-42A8-BE38-CAD73B
Adware:Adware/MediaTickets Not disinfected C:\Archivos de programa\Microsoft AntiSpyware\Quarantine\4B94840B-93DF-4D44-B5F4-D3CA3B\37541E9F-3505-42A5-8B8C-6DD110
Adware:Adware/MediaTickets Not disinfected C:\Archivos de programa\Microsoft AntiSpyware\Quarantine\D4F82D0E-8894-4F6B-A2DE-D4D14C\24842D19-C6C1-4EA0-9494-113479
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Fun & Games\Betting.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Fun & Games\Casino Palace.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Fun & Games\Casino.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Fun & Games\Games.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Fun & Games\Horoscope.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Going Places\Air Tickets.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Going Places\Car Rentals.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Going Places\Hotel Deals.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Going Places\Luggage.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Going Places\Travel.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Living\Dating.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Living\Find a Degree.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Living\Find a job.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Living\Home.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Living\Insurance.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Shop\Auctions.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Shop\Books.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Shop\Computers.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Shop\Discount.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Shop\Flowers.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Shop\Golf.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Shop\Jewelry.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Shop\Movies.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Shop\Music.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Shop\Online Store.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Shop\Perfume.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Shop\Sleepwear.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Technology\Adware Remover.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Technology\Anti-Virus.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Technology\PC Cleaner.lnk
Adware:Adware/CWS Not disinfected C:\Documents and Settings\PC\Favoritos\Technology\Tech & gadgets.lnk
Virus:Trj/Shellbot.B Disinfected C:\WINDOWS\system\svchost.dll
Virus:Bck/Haxdoor.A Renamed C:\WINDOWS\system32\ps.a3d
Adware:Adware/Admess Not disinfected C:\WINDOWS\system32\tmp3.txt
Adware:Adware/Craft Not disinfected C:\WINDOWS\system32\trf32.dll
Virus:Bck/Haxdoor.A Renamed C:\WINDOWS\system32\vdmt16.sys
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\vx.tll
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\vxgame6.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\system32\vxh8jkdq5.exe
Virus:Bck/Haxdoor.BG Disinfected C:\WINDOWS\system32\winlow.sys
Adware:Adware/SpywareNo Not disinfected C:\WINDOWS\tool2.exe
Adware:Adware/Tracking Not disinfected D:\RECYCLER\NPROTECT\00007915.HTM
Adware:Adware/WUpd Not disinfected D:\RECYCLER\NPROTECT\00010415.PHP
Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 10:24:35 p.m., on 08/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Winamp\winampa.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe
C:\Archivos de programa\Microsoft AntiSpyware\gcasDtServ.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\toac\auah.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://latam.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://latam.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Archivos de programa\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SECURITY.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Epcu] C:\Archivos de programa\toac\auah.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://latam.msn.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by19fd.bay19.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1113624962161
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
 
Joined
Jul 26, 2002
Messages
46,353
** Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection as it will interfere with the changes we are trying to make.

  • Open MS Anti-Spyware and click on Options > Settings.
  • Click on "Realtime Protection" in the left pane.
  • Remove the check by these:
    • Enable the Microsoft Security Agents on startup (recommended)
    • Enable real-time spyware threat protection (recommended)
  • Click "Save"
  • Now right click the MS Anti-spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware"
  • You should re-enable these when we are finished here.


* Click Here and download Killbox and save it to your desktop.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SVCHOST.EXE

O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SECURITY.EXE

O4 - HKCU\..\Run: [Epcu] C:\Archivos de programa\toac\auah.exe



* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SVCHOST.EXE

C:\WINDOWS\System32\Services\{4E5ADB13-1984-432D-BF11-75B4D84A889D}\SECURITY.EXE

C:\Archivos de programa\toac\auah.exe

C:\WINDOWS\system\svchost.dll

C:\WINDOWS\system32\ps.a3d

C:\WINDOWS\system32\tmp3.txt

C:\WINDOWS\system32\trf32.dll

C:\WINDOWS\system32\vdmt16.sys

C:\WINDOWS\system32\vx.tll

C:\WINDOWS\system32\vxgame6.exe

C:\WINDOWS\system32\vxh8jkdq5.exe

C:\WINDOWS\system32\winlow.sys

C:\WINDOWS\tool2.exe

D:\RECYCLER\NPROTECT\00007915.HTM

D:\RECYCLER\NPROTECT\00010415.PHP


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.


* Delete these folders:

C:\WINDOWS\System32\Services
C:\Archivos de programa\toac


* Delete these folders from your favorites:

Fun & Games
Going Places
Living
Shop
Technology



* Start Ccleaner and click Run Cleaner


* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Restart back into Windows normally now.


* Go here and do an online virus scan. Choose "Complete Scan" and select all drives to scan.

When the scan is finished, anything that it cannot clean have it delete it. Click "Print Report". The report will open in your browser. Go to File > Save As and save the file to your desktop. Under "Save as type" click the dropdown menu and choose "Text file (*.txt)" and save it as a text file.

Post a new HijackThis log along with the report from the Housecall scan
 