1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Probably a Trojan. Really don't know what to do. Please help!

Discussion in 'Virus & Other Malware Removal' started by mattofelki, Apr 7, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. mattofelki

    mattofelki Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    7
    I have read many posts in this forum and I found a solution to solve my problem almost every time. But this time nothing works.

    My problem is probably connected with the presence of a trojan linked to a virus called W32.HLLW.Gaobot.gen. Usually Norton kills it but this time the file was not automaticly deleted, but just quarantined. Suddenly my CPU was taking almast all resources making my computer turn to bluescreen with message:

    "stop 0x000000D1..........driver_irql_not_less_or_equal address......-mrxsmb.sys beggining dump of physical memory.

    I tried to connect to Norton live update but the message was that I do not have an internet connection established, which was not true. The ADSL connection was working fine with IE explorer and Outlook. I downloaded the AVG 6.0 which could not update for live update for the same reason stated.

    Also I can not access the www.symantec.com for information about the virus. The IE explorer want username and password to connect to it, which is totally strange.

    I deleted some harmless cookies with Ad-aware 6.0 but that is all I did at this moment.

    I followed the instructions on this forum to copy the hijackthis log in here so I did. This is waht it gave me:

    Logfile of HijackThis v1.97.7
    Scan saved at 19:26:16, on 7.4.2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\netsvcs.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\SiOL\ADSL\app\enternet.exe
    C:\WINNT\System32\mdm.exe
    C:\Plac\Matko\Programi\Antivirusi\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.najdi.si/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

    Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton

    AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program

    Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINNT\Downloaded Program

    Files\googlenav.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [RegShave] D:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [Video Process] netsvcs.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [Video Process] netsvcs.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

    Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

    Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINNT\Downloaded Program

    Files\googlenav.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINNT\Downloaded Program

    Files\googlenav.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\Downloaded Program

    Files\googlenav.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\Downloaded Program

    Files\googlenav.dll/cmsimilar.html
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -

    http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CA

    B
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) -

    http://toolbar.google.com/data/sl/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

    http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38015.5782407407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

    http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Please help me. I am getting a little bit desperate.
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Hi :)
    Cntrl-Alt-Delete and end task on netsvcs.exe.........as many times as it takes to end it.



    Run hijackthis again and put a checkmark against these entries....double check
    in case you miss anything....
    .....then,close all browser and outlook windows and "fix checked"

    O4 - HKLM\..\Run: [Video Process] netsvcs.exe

    O4 - HKLM\..\RunServices: [Video Process] netsvcs.exe


    Reboot into safe mode by following instructions here: http://helpdesk.its.bethel.edu/resnet/Documents/Antivirus/Safemode.html
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Locate and remove:
    C:\WINNT\system32\netsvcs.exe

    Post another log after.
    ;)
     
  3. mattofelki

    mattofelki Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    7
    Thank you for your help. Did everything as you suggested. But I still have files netsvcs.exe on C:\WINNT\netsvcs.exe and on D:\netsvcs.exe
    Should I delete these two also?

    By the way: Norton (LU1814: Live updatecould not retrieve the update list)and AVG still cannot connect to the live updates. Both programs behave as if there were no internet connection. Why is that?

    Here's the latest hijackthis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 22:21:05, on 7.4.2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\SiOL\ADSL\app\enternet.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Plac\Matko\Programi\Antivirusi\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.najdi.si/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINNT\Downloaded Program Files\googlenav.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [RegShave] D:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\Downloaded Program Files\googlenav.dll/cmsimilar.html
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/sl/big/1.1.62-big/GoogleNav.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38015.5782407407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. mattofelki

    mattofelki Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    7
    I still have a problem with my resources making my computer turn to bluescreen with message:

    "stop 0x000000D1..........driver_irql_not_less_or_equal address......-mrxsmb.sys beggining dump of physical memory.

    and I still cannot update norton lists via internet.

    Could somebody help me?
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Remove any and all instances of "netsvcs.exe"

    Are you using both AVG and NOrton A/V?
    Not a good idea to have 2 A/V programs.....you will get conflicts between the two.
    As for your blue screens........Probably hardware related.
    Take a look here:http://aumha.org/win5/kbestop.htm
    ;)
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Probably Trojan Really
  1. Lxnny
    Replies:
    4
    Views:
    824
  2. indeepcrap
    Replies:
    22
    Views:
    1,116
  3. K1979
    Replies:
    26
    Views:
    1,612
  4. JDStreet
    Replies:
    18
    Views:
    1,410
  5. Sumfeg
    Replies:
    0
    Views:
    723
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/218074

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice