
Windows 2000 pro-have a challenge for the helpers- my friend paid 100 bucks to get th

Discussion in 'Virus & Other Malware Removal' started by xfile47, Nov 10, 2007.

Thread Status:
Not open for further replies.
  1. xfile47 (Thread Starter; joined Jun 21, 2004; 2,142 messages)
    My friend paid 100 bucks to have a company try to clean this computer and they can't seem to get it fixed, so I told him I think I know where there are some people who can help. Can you help where this expensive company tried and failed?

    It is Windows 2000.
    This company, he said, had it in normal mode and safe mode all day. One day they did it remotely, and they put on HJT, Ad-Aware, CWShredder, CounterSpy, Killbox, Vundo, Smitfraud and God knows what else. He said they ran HJT three times; they tried to get 0svchs0t.exe out of it and it kept coming back, and there was a svchost.exe they couldn't get rid of either. There is a popup that comes up every time you boot the computer: when you're at the desktop, a box (the Svchost box) appears and in it says "2007-11-10 is not a valid date"; you click OK and it goes away. But the computer has DSL and is running terribly; it has 512 MB RAM.

    I will add the HJT log I just did, but I really hope you can help where this company failed. I ran Spy Sweeper: comes up clean.
    Spybot (newest one): comes up clean.
    Ran Startup Inspector: nothing in startup that isn't good.
    Ran sfc /scannow.

    Anyway, here is the HJT log. I will wait to hear anything; I know how to run a lot of programs if someone can tell me what I should be running to get the HJT log clean. Here it is :mad:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:44:18 AM, on 11/10/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\program files\internet explorer\IEXPLORE.EXE
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\eRoom 7\ERClient7.exe
    C:\Documents and Settings\user\Desktop\SpyWareTools\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netins.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [StartSecurDoc] "C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
    O4 - HKLM\..\Run: [SBCSTray] "C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O16 - DPF: {123FE8C9-0BDC-4946-A854-DDBA7398CF64} - https://www.fts.newyorklife.com/ftWebUpdate/installs/ftwebupdate.cab
    O16 - DPF: {5EF90065-A2C4-4C6D-993E-40EE010EBA3D} (FTWebUtils.Redirecter) - https://www.fts.newyorklife.com/formslibrary/Package/FTWebUtils.CAB
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Events Log (Event) - Unknown owner - C:\WINNT\system32\drivers\csrss.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Transaction Coordinator - Unknown owner - C:\WINNT\system32\dllhosts.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE (file missing)
    O23 - Service: Windows Accounts Driver (WindowsRemote2) - Unknown owner - C:\WINNT\system32\0svchs0t.exe (file missing)
    O23 - Service: Windows_rejoice2007_45 - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice45.exe
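Added example (my code, not something from the post, from Tech Support Guy or from HijackThis): a small triage script that reads O23 service lines like the ones in the log above and flags the entries a helper would look at first, using the heuristics one normally applies by eye: no recognisable owner, a binary name that is a near-miss for a Windows system binary, a genuine system binary name sitting outside C:\WINNT\system32, or a path under C:\WINDOWS on a machine whose system root is C:\WINNT. The sample lines are copied from the log; the system-binary list, the system root and the edit-distance threshold are my assumptions. It does not identify what the files are, only which lines deserve investigation.

```python
"""Triage helper for HijackThis O23 (service) lines.

Added example, not part of the original post or of HijackThis. It does not
identify any malware family; it ranks which O23 entries deserve a closer
look using four heuristics a helper applies by eye.
"""
import ntpath

# The HJT header says "Platform: Windows 2000 SP4" and every legitimate
# process in the log lives under C:\WINNT, so that is the system root here
# (assumption: XP/2003 machines would use C:\WINDOWS instead).
SYSTEM_ROOT = r"c:\winnt"
SYSTEM32 = SYSTEM_ROOT + r"\system32"

# Windows binaries that belong only in the system32 directory (my list).
SYSTEM_BINARIES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe",
    "winlogon.exe", "dllhost.exe", "spoolsv.exe",
}
# A near-miss is at most this many edits away from a system binary name
# of similar length (tuned so "0svchs0t.exe" and "dllhosts.exe" are caught).
NEAR_MISS_DISTANCE = 3

# O23 lines quoted verbatim from the log in the first post.
SAMPLE_O23 = r"""
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Events Log (Event) - Unknown owner - C:\WINNT\system32\drivers\csrss.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Transaction Coordinator - Unknown owner - C:\WINNT\system32\dllhosts.exe
O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE (file missing)
O23 - Service: Windows Accounts Driver (WindowsRemote2) - Unknown owner - C:\WINNT\system32\0svchs0t.exe (file missing)
O23 - Service: Windows_rejoice2007_45 - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice45.exe
"""


def parse_o23(line):
    """Return (display, owner, path, missing) for one O23 line, else None."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].split(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    missing = path.endswith(" (file missing)")
    if missing:
        path = path[: -len(" (file missing)")]
    return display, owner, path, missing


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute, unit cost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_service(display, owner, path, missing):
    """List the reasons (possibly none) this service entry deserves a look."""
    reasons = []
    directory, name = ntpath.split(path.lower())
    if owner.lower() == "unknown owner":
        reasons.append("no recognisable owner")
    if missing:
        reasons.append("registered service whose binary is missing (may be recreated on boot)")
    if name in SYSTEM_BINARIES:
        if directory != SYSTEM32:
            reasons.append(f"system binary {name} outside {SYSTEM32}")
    else:
        near = sorted(b for b in SYSTEM_BINARIES
                      if abs(len(b) - len(name)) <= 2
                      and edit_distance(name, b) <= NEAR_MISS_DISTANCE)
        if near:
            reasons.append("name resembles " + ", ".join(near))
    if path.lower().startswith("c:\\windows\\") and SYSTEM_ROOT != r"c:\windows":
        reasons.append("path under C:\\WINDOWS on a machine whose system root is C:\\WINNT")
    return reasons


def triage_log(text):
    """Map display name -> reasons, for the O23 lines that were flagged."""
    flagged = {}
    for line in text.splitlines():
        parsed = parse_o23(line.strip())
        if parsed is None:
            continue
        reasons = triage_service(*parsed)
        if reasons:
            flagged[parsed[0]] = reasons
    return flagged


if __name__ == "__main__":
    for display, reasons in triage_log(SAMPLE_O23).items():
        print(display)
        for reason in reasons:
            print("   -", reason)
```

Run against the seven sample lines it flags exactly the five "Unknown owner" services and leaves the Symantec entries alone; the point of the extra checks is that they still fire on a line whose owner field has been filled in plausibly, because a csrss.exe in system32\drivers or a svchost.exe under a nonexistent C:\WINDOWS root is wrong regardless of who claims to own it.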
     
  2. xfile47 (Thread Starter; joined Jun 21, 2004; 2,142 messages)
    I went to Trend Micro and found some stuff on that 0svchs0t.exe. It said to run Search and look at the autorun.inf file in Notepad, and I did. It had a couple of the files, and one of them had exactly what Trend Micro said it would:

    Deleting Malware-created AUTORUN.INF/s

    1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
    2. In the Named input box, type:
       AUTORUN.INF
    3. In the Look In drop-down list, select a drive, then press Enter.
    4. Select the file, then open using Notepad.
    5. Check if the following lines are present in the file:
       [AuToRun]
       open=sos.exe
       shell\open=打开(&O)
       shell\open\Command=sos.exe
       shell\open\Default=1
       shell\explore=资源管理器(&X)
       shell\explore\Command=sos.exe
    6. If the lines are present, delete the file.
    7. Repeat steps 3 to 6 for AUTORUN.INF files in the remaining removable drives.
    8. Close Search Results.

    So I deleted that file, and also found the
    h2.dll
    h3.dll
    h5.dll
    that it said to delete if found. I found them with Search and deleted them, and am now running another full antivirus scan to see what happens. No one wants to take the challenge yet; hope someone does.

    Trend Micro said to look for:

    In the Look In drop-down list, select the drive that contains Windows, then press Enter.
    Once located, select the file, then press SHIFT+DELETE.
    Repeat steps 2-4 for the following files:
    daemon_mgm.exe
    h2.dll
    h3.dll
    h5.dll
    NetMonInstaller.exe
    npf_mgm.exe
    rpcapd.exe

    and that's when I found the h2, h3, h5 DLLs but didn't find the other ones.
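Added example (my code, not from the post or from Trend Micro's write-up): a parser for AUTORUN.INF that applies the check in the quoted steps programmatically and generalizes it. Rather than matching the exact seven lines, it collects everything the file tells Windows to execute and tells an installer-style file (open=setup.exe) apart from one that also rewrites Explorer's open/explore verbs, so that double-clicking the drive runs the payload stored on the drive itself. The hijack sample is the block quoted in the post (its two menu labels appear on the page as GBK mojibake and decode to 打开, "Open", and 资源管理器, "Explorer"); the installer and benign samples are constructed for contrast.

```python
"""Parser and triage for AUTORUN.INF files on removable drives.

Added example, not part of the post or of Trend Micro's description. It
reads the INI-style file, collects what Windows would execute, and
distinguishes a plain installer-style autorun from one that rewrites
Explorer's own "Open"/"Explore" verbs to run a payload from the drive.
"""
import os
import sys

# The pattern quoted from the Trend Micro description in the post above.
# The two menu labels decode from GBK mojibake to 打开 ("Open") and
# 资源管理器 ("Explorer").
HIJACK_AUTORUN = r"""
[AuToRun]
open=sos.exe
shell\open=打开(&O)
shell\open\Command=sos.exe
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command=sos.exe
"""

# Constructed contrast cases (not from the page).
INSTALLER_AUTORUN = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Driver CD\n"
BENIGN_AUTORUN = "[autorun]\nicon=disk.ico\nlabel=Photos 2007\n"


def parse_autorun(text):
    """INI parse -> {section: {key: value}}; names lower-cased, first value wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip().lower(), value.strip())
    return sections


def executed_targets(text):
    """{key: command} for every key that makes Windows run something."""
    entries = parse_autorun(text).get("autorun", {})
    targets = {}
    for key, value in entries.items():
        if key in ("open", "shellexecute"):
            targets[key] = value                     # AutoPlay/insertion action
        elif key.startswith("shell\\") and key.endswith("\\command"):
            targets[key] = value                     # replaces an Explorer verb
    return targets


def hijacked_verbs(text):
    """Explorer verbs whose command the file replaces, e.g. ['explore', 'open']."""
    return sorted(k.split("\\")[1] for k in executed_targets(text) if k.startswith("shell\\"))


def verdict(text):
    """'hijack' if open/explore verbs are redirected, 'launches' if something
    only autoruns, otherwise 'benign'."""
    verbs = set(hijacked_verbs(text))
    if verbs & {"open", "explore"}:
        return "hijack"
    if verbs or any(k in executed_targets(text) for k in ("open", "shellexecute")):
        return "launches"
    return "benign"


def assess_autorun(text):
    """Human-readable findings: what runs, and whether it lives on the drive."""
    findings = []
    for key, command in executed_targets(text).items():
        tokens = command.split()
        exe = tokens[0] if tokens else command
        absolute = exe[1:2] == ":" or exe.startswith("\\\\") or exe.startswith("%")
        where = "at an absolute path" if absolute else "on the drive itself"
        findings.append(f"{key}= runs {exe!r} ({where})")
    return findings


def find_autorun_files(root):
    """Every autorun.inf under root; os.walk lists hidden/system files too."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if f.lower() == "autorun.inf")
    return hits


if __name__ == "__main__":
    # Usage: python autorun_triage.py E:\ F:\   (one or more drive roots)
    for root in sys.argv[1:] or ["."]:
        for path in find_autorun_files(root):
            with open(path, "rb") as fh:
                # Commands are ASCII; latin-1 never fails to decode and the
                # menu labels are not needed for the verdict.
                text = fh.read().decode("latin-1")
            print(path, "->", verdict(text))
            for finding in assess_autorun(text):
                print("   ", finding)
```

The distinction the script draws is the one worth remembering from the quoted steps: an installer CD legitimately uses open=, but a file that also sets shell\open\Command and shell\explore\Command has changed what Explorer does when the drive is double-clicked or right-clicked, so the payload runs even with AutoPlay disabled. Deleting the .inf alone leaves sos.exe (or whatever it names) on the drive, so the command target needs to go as well.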
     
Short URL to this thread: https://techguy.org/650271

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice