1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

need some real help here (p[lease)

Discussion in 'Virus & Other Malware Removal' started by prime8, Sep 5, 2004.

Thread Status:
Not open for further replies.
  1. prime8

    prime8 Thread Starter

    Joined:
    Sep 3, 2003
    Messages:
    16
    well, i ve done everything that i can think of...
    i know i have a Trojan somewhere and i keeps eluding me. i've tried AdAware SE, Spybot, that and that.

    i am not able to download ANYTHING that has to do w/ spyware removal or critical updates--windows SP2 always stops downloading at 33%.
    anywho, i think im just going to reformat and call it a day but i wanted to make sur that there isn't anything i have overlooked or not thought of.

    below is my report from HiJack This..
    thanks guys (girls?)

    also do you have a snail-mail address to donate...i refuse to do it on-line w/ this damn virus!
    thanks!
    gabriel


    Logfile of HijackThis v1.98.2
    Scan saved at 8:09:37 PM, on 9/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    C:\WINDOWS\System32\phldtx.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Norton Antivirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\update\update.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\qwerty\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    O4 - HKLM\..\Run: [xzujbtqhdb] C:\WINDOWS\System32\phldtx.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O21 - SSODL: System - {05B5379C-6058-4EF3-B056-6B24157C8AB5} - C:\WINDOWS\system32\system32.dll (file missing)
     
  2. LDTate

    LDTate Malware Specialist

    Joined:
    Aug 13, 2004
    Messages:
    789
    If you haven't reformated yet, try a couple online scans.

    Click Here

    Click Here

    Make a new folder like C:\HJT and move your HijackThis.exe in there
    Post a new HijackThis log
     
  3. FinestRanger

    FinestRanger

    Joined:
    Oct 13, 2003
    Messages:
    2,367
    The first thing to do: Move HiJackThis to a permanent folder of its own; It creates back ups of the removed files and will be neatly scattered :) all over your desktop otherwise. (y)



    Run CWShredder.

    CWShredder download link

    Under "Official Downloads" download "CWShredder".

    Unzip the program to a permanent folder of your choosing. Close ALL (except CWShredder ;) )browser windows and click "FIX".

    After it's done running click on "How do I prevent re-infection?" and, at a minimum, click on "Go Download the ByteVerifier patch on Microsoft.com"

    If you have problems running CWShredder, then get the SmartKiller removal tool on this page:

    http://www.spywareinfo.com/~merijn/downloads.html

    Re-start your computer .





    Before we start, let's disable your System Restore. After the infection's been cleaned re-enable system restore.
    Disabling System Restore in Windows XP Disable System Restore in Windows ME

    IF, for some reason, you lose the ability to use IE or lose your internet connection...open HJT-->"Config"-->"Backups"-->"Restore".


    Open HiJackThis. Click "Scan". Put a checkmark next to these:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

    O4 - HKLM\..\Run: [xzujbtqhdb] C:\WINDOWS\System32\phldtx.exe

    O15 - Trusted Zone: http://*.windowsupdate.microsoft.com

    O15 - Trusted Zone: http://*.windowsupdate.com

    O21 - SSODL: System - {05B5379C-6058-4EF3-B056-6B24157C8AB5} - C:\WINDOWS\system32\system32.dll (file missing)


    Close ALL browser windows (except HiJackThis ;) ) and click "Fix checked."


    Re-start your computer.


    NEXT:


    Re-start your computer into safe mode:

    How to start your computer in Safe Mode



    NEXT:



    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    http://www.computerhope.com/issues/ch000225.htm

    Next navigate to the C:\Documents and Settings\ <user's name>\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.


    Empty the Recycle Bin


    Re-start your computer and post another HJT log.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/270585

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice