
help !!!!!!!! thanks

Discussion in 'Virus & Other Malware Removal' started by MTMT26442, Jan 29, 2007.

Thread Status:
Not open for further replies.
  1. MTMT26442

    MTMT26442 Thread Starter

    Joined:
    Jan 29, 2007
    Messages:
    6
    att ... hijackthis.log

    :( :confused:

    Logfile of HijackThis v1.99.1
    Scan saved at 01:00:29, on 30/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\r_server.exe
    C:\WINDOWS\system32\slserv.exe
    C:\scktsrvr.exe
    C:\WINDOWS\System32\WFXSVC.EXE
    C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
    C:\WINDOWS\Explorer.EXE
    c:\windows\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\Program Files\MSI\Live Update 3\LMonitor.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\AdwareAlert\AdwareAlert.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
    C:\WINDOWS\system32\slrundll.exe
    D:\Winod32\DocScan.exe
    C:\Program Files\MSI\Core Center\CoreCenter.exe
    C:\Program Files\No-IP\DUC20.exe
    C:\Program Files\Netex Client\NetexTray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.walla.co.il/
    R3 - URLSearchHook: FiltURL Class - {5038FED1-CEFE-11D2-9E74-00A0C945A948} - C:\PROGRA~1\netex\URLSEA~1.DLL
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\cliconf.exe,
    O2 - BHO: Netex - {000000A4-5858-4E36-BA5B-FDD80F3D5145} - C:\Program Files\Netex Client\netextb.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\he-il\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\he-il\msntb.dll
    O3 - Toolbar: Netex - {000000A4-5858-4E36-BA5B-FDD80F3D5145} - C:\Program Files\Netex Client\netextb.dll
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\he-il\msnappau.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
    O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
    O4 - HKLM\..\Run: [adwarealert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [WinOD Data Agent] D:\Winod32\DocScan.exe
    O4 - Startup: winod.bat
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
    O4 - Global Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
    O4 - Global Startup: Tray Application.lnk = C:\Program Files\Netex Client\NetexTray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {00000389-CB2E-4FAB-BC54-03FA0B39B465} - C:\Program Files\Netex Client\netextb.dll
    O9 - Extra 'Tools' menuitem: Netex - {00000389-CB2E-4FAB-BC54-03FA0B39B465} - C:\Program Files\Netex Client\netextb.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2B26018A-1D8D-4C19-9A9B-F6C49453A21D} (LauncherV1 Class) - http://irc.msn.co.il/Day/launcher.cab
    O16 - DPF: {A640B7AC-03CF-11D4-8F5F-0000E87715F0} (PAMain Class) - http://www.clalbit.co.il/safeclalnew/paweb/pasetup.cab
    O16 - DPF: {E4456C1D-ECE7-4C05-996A-3958091C6F55} (RemoteCfg Class) - http://www.012.net/securemail/auto/fwTechTool.cab
    O16 - DPF: {EC9C20C4-FF24-11D3-81B7-00902776CF54} (InstallerActiveX Class) - http://www.netex.co.il/site/Installer.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7FB161FE-0575-4EB6-A1F4-6181AAAAD5DC}: NameServer = 10.0.0.2
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Borland Socket Server (SocketServer) - Inprise Corporation - C:\scktsrvr.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

    :(

    Ok, I thought I was a fairly advanced user, but this one really has taken me over. Running Windows XP Home SP2, IE 6 ....
    It would appear while my nephew was surfing a foreign gaming website online, an embedded object/virus spyware has activated onto the system and has either already done its damage or just cannot be picked up by the Anti Virus Program.

    The virus does a few things. It constantly hijacks IE 6's homepage to 8757.com; no matter what you change it to, it re-creates it back to that. I've even gone into the registry and manually deleted it and it still comes back. It also won't allow access to the C drive through My Computer. When you double click on it you get the following message: "Windows XP Setup - Please go to the Control Panel to install and configure system components". When I right click on the start button to EXPLORE I get the directory tree, but the Windows folder is nowhere to be found (including show hidden files/folders). Furthermore, if you go into XP Help and Support, the screen is changed to Chinese lettering. On top of that, in msconfig startup, there are several entries of "realschd.exe" running in Windows/system32. No matter how many times you uncheck it and close / reboot, it reactivates them almost immediately. I even uninstalled RealPlayer and they are still running, so I am guessing they are unrelated.

    I've run multiple spyware / virus scans (CA EZ Armour AntiVirus, Spybot, Ad-Aware, etc) both in safe mode and regular bootup, and it picked up this and that, but still this remains.

    Oddly enough, Firefox works fine as a browser, as do most of the other functions on the PC, but the system has a constant lag and struggles with multiple processes / applications / windows open when it didn't used to. But there's no access to the Hard Drive the traditional way and no Windows folder. I checked for a System Restore Point, and it showed none available except today's date at 2:00am.

    Has it already pooched the system, or is it salvageable? Anybody heard of this virus? Online Google searches turned up zilch. In its current unstable state it doesn't look like I can even burn CDs to back up precious recent data.

    Any help / ideas / suggestions greatly appreciated . . .

    atta ... hijackthis.log
     
  2. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, MTMT26442 :)

    Welcome to TSG.

    Please create a Restore point:

    1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
    2. In the System Restore dialog box, click Create a restore point, and then click Next.
    3. Type a description for your restore point, such as "Before VirusScan", then click Create.

    The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
    Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

    Backing Up Your Registry
    1. Go Here and download ERUNT
      (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
    2. Install ERUNT by following the prompts
      (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
    3. Start ERUNT
      (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
    4. Choose a location for the backup
      (the default location is C:\WINDOWS\ERDNT which is acceptable).
    5. Make sure that at least the first two check boxes are ticked
    6. Press OK
    7. Press YES to create the folder.
    Registry Modifications

    Download the enclosed file. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, Regfix.reg. Don't do anything with it yet. We will run it shortly.

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\cliconf.exe,

    Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

    Close Hijackthis.

    Double click on the Regfix.reg file and select Yes when prompted to merge it into the registry.

    Run Killbox.exe. Paste the following location into Killbox. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click YES and it will reboot.

    C:\WINDOWS\system32\cliconf.exe

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Download AVG Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly

    Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

    Boot into Safe Mode:

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Perform the following steps in safe mode:

    1. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted; then select "Apply all actions".
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware.
    Restart back into Windows normally now.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post a fresh Hijackthis log along with the AVG Anti-spyware and ActiveScan reports.
     

    Attached Files:
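
The fix above singles out the F2 entry: Winlogon runs every program listed in the UserInit value at each interactive logon, so a second path appended after the stock userinit.exe (here cliconf.exe) is a persistence point worth checking before anything else. As an added example, not code from the thread, from HijackThis or from the moderator's fixes, the Python script below parses that entry type plus the O4 Run autostarts from the log and reports what a responder would look at first. The sample lines are copied from the log posted in the thread; the trusted-directory list is an assumed triage heuristic, and the live-registry helper (winreg, Windows only) is an addition of this example.

```python
"""Triage helper for HijackThis-style log lines.

Added example: not code from the thread, from HijackThis or from the
moderator's fixes. The sample lines are copied from the log posted in the
thread; TRUSTED_PREFIXES and live_userinit_extras() are assumptions of this
example, not part of the original page.
"""
import re

# Stock Windows XP value is one entry, "C:\WINDOWS\system32\userinit.exe," (trailing comma).
# Anything appended after it is started by Winlogon at every interactive logon.
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"

# Directories an autostart is normally expected to live in (assumed heuristic, not a whitelist).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?([^"]+?\.exe)"?', re.IGNORECASE)

# Lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\cliconf.exe,
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [adwarealert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - HKCU\..\Run: [WinOD Data Agent] D:\Winod32\DocScan.exe
"""


def parse_userinit(value):
    """Split a UserInit value on commas into normalised, non-empty entries."""
    return [entry.strip().lower() for entry in value.split(",") if entry.strip()]


def extra_userinit_entries(log_text):
    """Return every UserInit entry in the log that is not the stock userinit.exe."""
    extras = []
    for line in log_text.splitlines():
        match = F2_RE.match(line.strip())
        if match:
            extras.extend(e for e in parse_userinit(match.group(1)) if e != DEFAULT_USERINIT)
    return extras


def unusual_run_entries(log_text):
    """Heuristic: O4 Run entries whose executable is outside the trusted directories.

    Returns (entry name, command line) pairs. A bare program name such as
    RUNDLL32.EXE is also returned, because it says nothing about which DLL it loads.
    """
    flagged = []
    for line in log_text.splitlines():
        match = O4_RE.match(line.strip())
        if not match:
            continue
        cmd = match.group("cmd")
        exe = EXE_RE.match(cmd)
        path = (exe.group(1) if exe else cmd).lower()
        if not path.startswith(TRUSTED_PREFIXES):
            flagged.append((match.group("name"), cmd))
    return flagged


def live_userinit_extras():
    """On Windows, read the live Winlogon Userinit value and return non-default entries.

    Returns None where winreg is unavailable (non-Windows hosts).
    """
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return [e for e in parse_userinit(value) if e != DEFAULT_USERINIT]


if __name__ == "__main__":
    print("UserInit extras in log:", extra_userinit_entries(SAMPLE_LOG))
    print("Run entries outside trusted dirs:", unusual_run_entries(SAMPLE_LOG))
    live = live_userinit_extras()
    if live is not None:
        print("UserInit extras on this host:", live)
```

Run against the log above, the first check returns the cliconf.exe path and the second returns the D:\Winod32 entry; the location heuristic is only a prompt to look closer, since legitimate software also installs outside Program Files, as several entries in this log show.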

  3. MTMT26442

    MTMT26442 Thread Starter

    Joined:
    Jan 29, 2007
    Messages:
    6
    Attached HIJACKTHIS.LOG AND THE AVG REPORTS

    BUT..... WHILE RUNNING THE PANDA SCAN IT SUDDENLY STOPS WITHOUT ANY MESSAGE... SO I CAN'T SEND A REPORT OF IT...

    WAITING FOR YOUR ADVICE - SOS SOS SOS


    THANKS FOR YOUR HELP


    MTMTM
     

    Attached Files:

  4. MTMT26442

    MTMT26442 Thread Starter

    Joined:
    Jan 29, 2007
    Messages:
    6
    sos sos - please help me
     
  5. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, MTMT26442 :)

    1. Open HijackThis, click Config, click Misc Tools
    2. Click "Open Uninstall Manager"
    3. Click "Save List" (generates uninstall_list.txt)
    4. Click Save, copy and paste the results in your next post.
    Download ComboFix from Here or Here to your Desktop.

    Reboot to Safe mode:

    Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load. If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

    Perform the following actions in Safe Mode.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  6. MTMT26442

    MTMT26442 Thread Starter

    Joined:
    Jan 29, 2007
    Messages:
    6
    Sorry, but I'm not yet able to send PMs.


    attached the log file ...

    please help - sos

    mtmt26442
     

    Attached Files:

  7. MTMT26442

    MTMT26442 Thread Starter

    Joined:
    Jan 29, 2007
    Messages:
    6
    fixed upload...


    Sorry, but I'm not yet able to send PMs.


    attached the log file ...

    please help - sos

    mtmt26442
     

    Attached Files:

  8. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, MTMT26442 :)

    Download the enclosed folder and extract its contents to the desktop. It is a folder containing a batch file. Once extracted double click on the batch file and a new document will be produced, autos.txt. Please open this document with notepad and post its contents in your next reply.
     
  9. MTMT26442

    MTMT26442 Thread Starter

    Joined:
    Jan 29, 2007
    Messages:
    6
    attached the autos.txt file ...

    please help - sos

    mtmt26442
     

    Attached Files:

  10. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, MTMT26442 :)

    Please create a Restore point:
    1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
    2. In the System Restore dialog box, click Create a restore point, and then click Next.
    3. Type a description for your restore point, such as "Before RegFix", then click Create.

    The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

    Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

    Backing Up Your Registry
    1. Go Here and download ERUNT
      (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
    2. Install ERUNT by following the prompts
      (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
    3. Start ERUNT
      (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
    4. Choose a location for the backup
      (the default location is C:\WINDOWS\ERDNT which is acceptable).
    5. Make sure that at least the first two check boxes are ticked
    6. Press OK
    7. Press YES to create the folder.
    Registry Modifications

    Download the enclosed folders. Save and extract their content to the desktop. One is a folder containing a Registry Entries file, Regfix.reg. The other contains a batch file, DelAutoruns.bat. Once extracted, first open the regfix folder and double click on the Regfix.reg file. Select Yes when prompted to merge it into the registry. Then go to the desktop and double click on the DelAutoruns.bat. The MSDOS window will flash for a second. That is normal.

    Restart the computer.

    You should now be able to reach your drives without a problem.

    There are folders in your root directory C:\ with names that are either gibberish or in another language. Can you recognize these folders?

    Keep me posted.
     

    Attached Files:

Short URL to this thread: https://techguy.org/539435