Desperately Need Help!!! (from XP)

jimbo715 · 08-18-2005, 12:42 PM

I am looking for anyone who can offer some advice or direction on how to remedy the following issue. My browser has apparently been hijacked. I no longer have a router connected to my pc, but when it was connected, I could see all the websites being hit via the diagnostics section. My computer is hitting different sites about every few seconds, and the traffic is so heavy that it prevents me from being able to access the internet or email most of the time for my own use. The traffic is so heavy that sometimes the cable light on my cable modem goes blank and I lose connectivity completely. I also seem to have (4) virus infected files that I cannot locate in the system, and therefore cannot clean them out thru normal cleanup channels. When I boot I get the following:
Backdoor virus C:windows/sys32/nopat.exe
Backdoor virus C:windows/sys32/fio.exe
Backdoor virus C:windows/sys32/gdqfw.exe
W32Silly Trojan Virus C:windows/sys32/WININET.dll

My computer has been rendered almost useless and I would love some advice.

Thank you,
Jim

**Barry_R** · 08-18-2005, 01:08 PM

The best solution to your problem is to get onto a non infected machine and google those files that you have mentioned. Most places like Trend Micro will tell you how to get rid of them.

One you regain some sort of control over your machine you should run Spybot or Adaware to catch the rest of the stuff.

Here is one for NOPAT:
Trend Micro

Additional note: Be very carefull deleting some of the files these viruses install. Some create hooks into your system and if you just delete them your system loses functionality. Nasty buggers aint they!

jimbo715 · 08-18-2005, 01:33 PM

Thanks for response.. I use Adaware weekly, but it's never found these. These are found thru the anti-virus software I run thru Cox Communications, my cable internet provider.

I'll check out Trend Micro..

Thanks,
Jim

elf · 08-18-2005, 01:44 PM

You do update your adaware definitions regularly right? After that...

Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

jimbo715 · 08-18-2005, 04:46 PM

I really appreciate the help. Here's the result.txt data:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 4:40:59 PM, on 8/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
C:\Program Files\Cox\Applications\app\Prism.exe
C:\WINDOWS\hostren.exe
C:\WINDOWS\hostdll.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Documents and Settings\Owner\Desktop\aswclnr.exe
C:\Documents and Settings\Owner\Desktop\aswF.tmp
C:\WINDOWS\regedit.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_50.dll (file missing)
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [win_upd.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKLM\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [winhlp.exe] C:\WINDOWS\winhlp.exe
O4 - HKLM\..\Run: [hostren.exe] C:\WINDOWS\hostren.exe
O4 - HKLM\..\Run: [hostdll.exe] C:\WINDOWS\hostdll.exe
O4 - HKLM\..\Run: [mscsvc.exe] C:\WINDOWS\mscsvc.exe
O4 - HKLM\..\Run: [windhost.exe] C:\WINDOWS\osrwin32.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [sm] C:\WINDOWS\sa_exe.exe
O4 - HKLM\..\RunServices: [Windows Explorer Update Build 1142] explorer32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\System32\sysdoor.exe
O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www2.xmlsweb.socalmls.com/XMLSearch/XMLCache.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/...e/wordcube.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/pro...tor/WebSWK.cab
O16 - DPF: {AE775D48-49AA-11D1-8F1C-00C04FB67063} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v5/Ticker.cab
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)

End of KRC HijackThis Analyzer Log.
====================================================================

MicroBell · 08-19-2005, 12:48 AM

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Please go to at least two of these sites and run an online Virus Scan.
Be sure to have the AutoFix box(es) checked.

http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/actives..._principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/d...d=ie&venid=sym
http://www3.ca.com/virusinfo/virusscan.aspx

Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download smitRem.exe and save the file to your desktop.
Double click on the file and it will extract it’s files into it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Open Add/remove programs and remove the following IF listed.

WildTangent
NewDotNet
SpyKiller

Now scan with HJT and place a checkmark next to each of the following items:

O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_50.dll (file missing)
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.e xe
O4 - HKLM\..\Run: [win_upd.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKLM\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [winhlp.exe] C:\WINDOWS\winhlp.exe
O4 - HKLM\..\Run: [hostren.exe] C:\WINDOWS\hostren.exe
O4 - HKLM\..\Run: [hostdll.exe] C:\WINDOWS\hostdll.exe
O4 - HKLM\..\Run: [mscsvc.exe] C:\WINDOWS\mscsvc.exe
O4 - HKLM\..\Run: [windhost.exe] C:\WINDOWS\osrwin32.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [sm] C:\WINDOWS\sa_exe.exe
O4 - HKLM\..\RunServices: [Windows Explorer Update Build 1142] explorer32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\System32\sysdoor.exe
O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www2.xmlsweb.socalmls.com/XMLSearch/XMLCache.CAB

Click fix and close HJT

Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directory’s ect enabled if it apply’s to your OS)

C:\Program Files\NewDotNet\newdotnet4_50.dll
C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
C:\WINDOWS\System32\WINdirect.exe
C:\WINDOWS\System32\doriot.exe
C:\WINDOWS\System32\winshost.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\winhlp.exe
C:\WINDOWS\hostren.exe
C:\WINDOWS\hostdll.exe
C:\WINDOWS\mscsvc.exe
C:\WINDOWS\osrwin32.exe
C:\WINDOWS\sa_exe.exe
C:\WINDOWS\System32\sysdoor.exe
C:\Program Files\SpyKiller\spykiller.exe
explorer32.exe <--locate and delete that file!

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

Click [Scanner]
Click [Complete System Scan] to begin scanning.
Click [OK] when prompted to clean files
With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
Once finished, click the [Save report] button
Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Save the scan log and post it along with a new HijackThis Log the Ewido Log and the smitfiles.txt log.

Quote:

IMPORTANT!:

Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system (except service pack 2) (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid ....then you may not have a legitimate copy of Windows XP. Unfortunately it’s also this forums policy that we only address users with a legal copy of Windows XP.... therefore if you can not update Windows XP to SP1 we must stop the cleansing process here.

Thank you for your cooperation.

jimbo715 · 08-19-2005, 12:28 PM

Thank you for all the information. I was in the process of going thru the steps you mapped out. I have performed scans with Adaware and Spybot, and went to Trend Micro to use their online virus scan. After 2.5 hrs of scanning, I lost my connection as I always do with this infected system, and was not able to clean or fix anything it found.. the report below does show what it found, but I am thinking I will have to run through another 2.5 hr scan to see if I can keep my connection intact to allow me to complete the clean and recover process with the Trend Micro online tool.

Here's what it found: by the way, what does "no action available" mean?

Virus Scan 0 virus cleaned, 0 virus deleted

Results:We have detected 15 infected file(s) with 15 virus(es) on your computer: - 0 virus(es) passed, 15 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\WINDOWS\SYSTEM32\444.exe TROJ_BAGLE.CY No action available
C:\WINDOWS\SYSTEM32\doriot.exe TROJ_SMALL.KY No action available
C:\WINDOWS\SYSTEM32\ewerf.exe TROJ_BAGLE.E No action available
C:\WINDOWS\SYSTEM32\ewerfw.exe TROJ_BAGLE.DAM No action available
C:\WINDOWS\SYSTEM32\svc.exe WORM_Bagle.GEN No action available
C:\WINDOWS\SYSTEM32\sysdoor.exe TROJ_MTGLDR.BV No action available
C:\WINDOWS\SYSTEM32\winerdir.exe TROJ_MTGLDR.F No action available
C:\WINDOWS\SYSTEM32\wnrot.exe TROJ_BAGLE.GEN No action available
C:\WINDOWS\SYSTEM32\wwnrot.exe TROJ_KILLAV.AJ No action available
C:\WINDOWS\23148187.exe TROJ_MTGLDR.F No action available
C:\WINDOWS\37454578.exe TROJ_MITGLIEDR.E No action available
C:\WINDOWS\579578.exe TROJ_MTGLDR.F No action available
C:\WINDOWS\832328.exe TROJ_MTGLDR.F No action available
C:\WINDOWS\867125.exe TROJ_MTGLDR.BV No action available
C:\WINDOWS\igfseajuvsu.exe TROJ_MTGLIEDR.BW No action available

Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:We have detected 8 Trojan horse program(s) and worm(s) on your computer: - 0 worm(s)/Trojan(s) passed, 8 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken
WORM_NETSKY.AB Worm No action available
WORM_AGOBOT-3 Worm No action available
TROJ_MITGLIEDR.S Trojan No action available
WORM_BAGLE-4 Worm No action available
WORM_SDBOT.VQ Worm No action available
TROJ_LEGMIR.T Trojan No action available
TROJ_LEGMIR.Z Trojan No action available
WORM_AGOBOT.CAD Worm No action available

What we checked:Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:We have detected 0 spyware(s) on your computer: - 0 spyware(s) passed, 0 spyware(s) no action available
- 0 spyware(s) removed, 0 spyware(s) unremovable

What we checked:Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:We have detected 0 vulnerability/vulnerabilities on your computer.

**POADB** · 08-19-2005, 12:37 PM

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - Choose YES when informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot):

C:\WINDOWS\SYSTEM32\444.exe
C:\WINDOWS\SYSTEM32\doriot.exe
C:\WINDOWS\SYSTEM32\ewerf.exe
C:\WINDOWS\SYSTEM32\ewerfw.exe
C:\WINDOWS\SYSTEM32\svc.exe
C:\WINDOWS\SYSTEM32\sysdoor.exe
C:\WINDOWS\SYSTEM32\winerdir.exe
C:\WINDOWS\SYSTEM32\wnrot.exe
C:\WINDOWS\SYSTEM32\wwnrot.exe
C:\WINDOWS\23148187.exe
C:\WINDOWS\37454578.exe
C:\WINDOWS\579578.exe
C:\WINDOWS\832328.exe
C:\WINDOWS\867125.exe
C:\WINDOWS\igfseajuvsu.exe

Reboot your computer now.

Re run HJT and a Virus scan and bring the results from both with you in your next post.

jimbo715 · 08-19-2005, 02:59 PM

Something went terribly wrong while going through your steps. I went thru each step to the point of running Cleanup, but I think something happened when navigating while in safe mode. smitREM never worked at all, disc cleanup said it could not be found and might be corrput. Ewida, which was working beforehand, now does not work and says it's installed incorrectly. I cannot launch email. It says C:ProgramFiles\OutlookExpress\msimn.exe application failed due to incorrect configuration, so I cannopt even get to email now. When I launch a browser, I have no bar along the bottom, nor do i have view of anylike file, view, refresh, stop.. nothing at all.. it looks like a generic version of what I had before..

Please help!!!

Quote:

Originally Posted by MicroBell

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Please go to at least two of these sites and run an online Virus Scan.
Be sure to have the AutoFix box(es) checked.

http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/actives..._principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/d...d=ie&venid=sym
http://www3.ca.com/virusinfo/virusscan.aspx

Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download smitRem.exe and save the file to your desktop.
Double click on the file and it will extract it’s files into it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Open Add/remove programs and remove the following IF listed.

WildTangent
NewDotNet
SpyKiller

Now scan with HJT and place a checkmark next to each of the following items:

O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_50.dll (file missing)
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.e xe
O4 - HKLM\..\Run: [win_upd.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKLM\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe
O4 - HKLM\..\Run: [winhlp.exe] C:\WINDOWS\winhlp.exe
O4 - HKLM\..\Run: [hostren.exe] C:\WINDOWS\hostren.exe
O4 - HKLM\..\Run: [hostdll.exe] C:\WINDOWS\hostdll.exe
O4 - HKLM\..\Run: [mscsvc.exe] C:\WINDOWS\mscsvc.exe
O4 - HKLM\..\Run: [windhost.exe] C:\WINDOWS\osrwin32.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [sm] C:\WINDOWS\sa_exe.exe
O4 - HKLM\..\RunServices: [Windows Explorer Update Build 1142] explorer32.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\System32\sysdoor.exe
O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www2.xmlsweb.socalmls.com/XMLSearch/XMLCache.CAB

Click fix and close HJT

Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directory’s ect enabled if it apply’s to your OS)

C:\Program Files\NewDotNet\newdotnet4_50.dll
C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
C:\WINDOWS\System32\WINdirect.exe
C:\WINDOWS\System32\doriot.exe
C:\WINDOWS\System32\winshost.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\winhlp.exe
C:\WINDOWS\hostren.exe
C:\WINDOWS\hostdll.exe
C:\WINDOWS\mscsvc.exe
C:\WINDOWS\osrwin32.exe
C:\WINDOWS\sa_exe.exe
C:\WINDOWS\System32\sysdoor.exe
C:\Program Files\SpyKiller\spykiller.exe
explorer32.exe <--locate and delete that file!

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

Click [Scanner]
Click [Complete System Scan] to begin scanning.
Click [OK] when prompted to clean files
With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
Once finished, click the [Save report] button
Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Save the scan log and post it along with a new HijackThis Log the Ewido Log and the smitfiles.txt log.

jimbo715 · 08-19-2005, 08:01 PM

If someone could respond to this, I'd be very grateful. My system is trashed after following a portion of the steps outlined previously to clean out my system of viruses. Why would my email no longer work, and why would my task bar, toolbar and many other items disappear? Am i still running safe mode even though it doesn't say so? How can I find out what's going on?

Thank you,
Jim

**POADB** · 08-20-2005, 12:14 AM

Hi Jim.

I assume your talking about MicroBells instructions quoted above, and not the instructions I gave you. If so, out of the below list of deletions, tell me exactly which file and folder you deleted:

Quote:

C:\Program Files\NewDotNet\newdotnet4_50.dll
C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
C:\WINDOWS\System32\WINdirect.exe
C:\WINDOWS\System32\doriot.exe
C:\WINDOWS\System32\winshost.exe
C:\WINDOWS\csrss.exe
C:\WINDOWS\winhlp.exe
C:\WINDOWS\hostren.exe
C:\WINDOWS\hostdll.exe
C:\WINDOWS\mscsvc.exe
C:\WINDOWS\osrwin32.exe
C:\WINDOWS\sa_exe.exe
C:\WINDOWS\System32\sysdoor.exe
C:\Program Files\SpyKiller\spykiller.exe
explorer32.exe <--locate and delete that file!

I have a feeling you may have deleted the system32 folder.. - is this correct?

If not - try and tell us a what point something started going wrong...

jimbo715 · 08-20-2005, 07:14 AM

Hi,

Let's see if I can make this succint enough and not ramble. Yes I was going through Microbell's steps, and while going through them in order, everything seemed to be working right thru the point where I used cleanup and got just over 1GB of space back, so I was excited at that point. It seems to me things started going wrong while attempting the steps outlined for use in safe mode. I ran HJT, and checked the boxes mapped out for me, but when trying to run smitREN, it seemed to go wrong there. It scrolled thru a ton of files very quickly, most of which said file not found from what I could see, then it prompted me to allow time for disc cleanup, and then nothing happened and it never created a smitfiles.txt. Then it gave me an error notice that disc cleanup could not be found. So I moved on to the next step of running Ewido, and that application even though installed correctly and working previously in normal mode, would not launch and said it was configured incorrectly. I'm not 100% sure how safe mode is supposed to look, but this looked very weird and did not seem to be working as smoothly as I had expected from the instructions, so I decided to close out and relog into windows as it suggested, but without having done those steps since they could not be completed, and that's when things were bad. When it rebooted, my icons were huge, the settings were changed to 800x600, and the grasphics looked cloudy, like there was a ghost behind them. I did manage to change back to 1024 x 768 after like 4 attepts to even do that. Intially it would not make the change and then all of the sudden it just flashed a few moments after my last attempt and it did change ove. Even that was very weird. I cannot launch Outlook Express, Windows Media Player, Ewido, and who knows how many other applications. I have not tried them all. My browser looks like a generic stripped down version of what it was, this am thye computer took more than 5 mins to boot up.. whatever was deleted has also rendered my the anti-virus portion of my Cox Communications Security Suite disabled, and it won't let me re-enable it.. it's all grayed out and inaccessible now. it was working fine before going into safe mode as well. I cannot even open any of the logs that HJT created to submit to this forum, those say application not configured correctly as well, and that's not correct because I can still run the HJT.exe file but that's it. As for your other question, I only attempted to delete the files you listed with Killbox, and actually tried that after encountering problems, in hopes of just trying anything to help my situation, so it would not have been from using Killbox to delete any of the above files you mentioned, and I don't even know for sure if they're deleted. I simply copied them into Killbox and clicked to delete upon reboot. I have not checked to see if they're actually gone because I do not have Windows Explorer access either, so it's much more difficult to search for files. I didn't delete the sys32 folder.

In addition, all my desktop icons look weird, the graphics appear to be off and a bit blurry. I am missing most of my buttons on the top and bottom bars, including Start, Home, Refresh, Stop, etc as well as Open, Edit, View and all the rest.. there's just nothing there anymore. I could email a few screen shots via my web mail if you wish. I cannot get into Windows Explorer thru normal channels, but when I do get to those folders, they look very weird, the text looks strange, and the graphics are wrong. Also if I try to toggle from say list view to details view, it's all the same, there's only one view for the folders, so that got damaed somehow as well.

Any thoughts on what could possibly have gone wrong?

jimbo715 · 08-20-2005, 10:12 AM

Please keep in mind I have no problem making a donation to the site for the free svcs following this.. so please let me know how we can remedy the damage done.

Jim

**POADB** · 08-20-2005, 10:19 AM

Cleanup has been known to take out some .tmp files. Such as Luna which is probably what has disturbed your desktop. Please confirm - did you use the following settings as directed by MicroBell:

Quote:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Meanwhile: Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.

jimbo715 · 08-20-2005, 10:49 AM

I did exactly as instructed below with Cleanup.

As for doing the the steps you suggested, I do not have a start button, and therefore cannot go to Start->Run, etc. I have nothing along the bottom of my screen except a blank bar, and then a few jumbled icons on the far right corner like Ewid and Cox Communications, as well as an icon indicating it's trying to perform disc cleanup but cannot, and then my clock.

jimbo715 · 08-20-2005, 10:54 AM

I just realized I had checked the scan for temp files. It was not unchecked. Is that the culprit? If so, what can be done?

**Barry_R** · 08-20-2005, 12:12 PM

I don't want to nagate the efforts you and the techs are placing on this problem but I have to wonder if the OS is so damaged at this point that a clean install is needed.

I have found after multiple instances of this kind that even when I sucessfully repaired the OS that it was never the same. Maybe it is just an inverse placebo effect that I experienced but I was always happier with a clean install after such an ordeal.

jimbo715 · 08-20-2005, 01:16 PM

Barry,

The only problem with reloading the OS is that I no longer have the disk. My system is about 4yrs years old ( HP Pavillion 7915 w/ Intel Celeron 1.3Ghz ) and is eventually going to be replaced, but I was not planning to do it so soon. I also would be concerend about the loss of my data in Outlook Express. I have about 6,000 mssgs in there, and a huge address book.. none of which I can afford to lose, as they're both business and personal contacts. Aside from not having the disk, which is a huge prob if I need to reinstall, I have never actually performed a reinstall.

Would I be able to provide Microsoft the serial numbers or any pertinent info off my system and software so they can verify it is a legitimate, licensed product and then have them send me a copy of the disk or would they not do that? I don't know of any other way to get my hands on the disk if it's needed. I bought the system thru CompUSA, but again it was 4 yrs ago, so they'll be no help at this point. If I took it to someone MS authorized to have them perform a reload of XP, what does that typically cost? I really do not want to throw any real $$ into this system. It would be a waste.

Jim

**Barry_R** · 08-20-2005, 01:36 PM

If I were in your situation I would start backing up all my stuff right now

The more you mess with this situation the more the danger of losing something.

jimbo715 · 08-20-2005, 02:12 PM

Good point.. in fact I already have a number of items backed up including photos, MP3s, My Documents, etc. Here's the the concern: If I cannot open Outlook Express, how am I to back up those Mail and Address Book files?

Any ideas? Last I recall, you need to go into the application to do that right? Is there another way because I cannot launch a number of applications since this happened, including Outlook Express.

Jim

08-18-2005, 12:42 PM	#1 (permalink)
jimbo715 Registered User Join Date: Aug 2005 Posts: 16 OS: XP	Desperately Need Help!!! (from XP) I am looking for anyone who can offer some advice or direction on how to remedy the following issue. My browser has apparently been hijacked. I no longer have a router connected to my pc, but when it was connected, I could see all the websites being hit via the diagnostics section. My computer is hitting different sites about every few seconds, and the traffic is so heavy that it prevents me from being able to access the internet or email most of the time for my own use. The traffic is so heavy that sometimes the cable light on my cable modem goes blank and I lose connectivity completely. I also seem to have (4) virus infected files that I cannot locate in the system, and therefore cannot clean them out thru normal cleanup channels. When I boot I get the following: Backdoor virus C:windows/sys32/nopat.exe Backdoor virus C:windows/sys32/fio.exe Backdoor virus C:windows/sys32/gdqfw.exe W32Silly Trojan Virus C:windows/sys32/WININET.dll My computer has been rendered almost useless and I would love some advice. Thank you, Jim Last edited by jimbo715; 08-18-2005 at 12:44 PM.

08-18-2005, 01:08 PM	#2 (permalink)
Barry_R TSF Enthusiast Join Date: Aug 2005 Location: California Posts: 700 OS: Win XP Home, Linux Mint My System	The best solution to your problem is to get onto a non infected machine and google those files that you have mentioned. Most places like Trend Micro will tell you how to get rid of them. One you regain some sort of control over your machine you should run Spybot or Adaware to catch the rest of the stuff. Here is one for NOPAT: Trend Micro Additional note: Be very carefull deleting some of the files these viruses install. Some create hooks into your system and if you just delete them your system loses functionality. Nasty buggers aint they! Last edited by Barry_R; 08-18-2005 at 01:17 PM.

08-18-2005, 01:44 PM	#4 (permalink)
elf Manager, Microsoft Support Join Date: Jul 2002 Location: Knoxville, TN or Austin, TX depending Posts: 6,825 OS: WinXP Pro SP3 and Windows 7 My System	You do update your adaware definitions regularly right? After that... Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation. Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it. 1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'. 2. If you don't get the intro screen, just hit Scan and then click on Save log. 3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless. __________________ If TSF has helped you, Tell us about it! or Donate to help keep the site up! I do not subscribe to threads, so if I stop replying, PM me with a link to your thread so I can find it again.

08-19-2005, 12:37 PM	#8 (permalink)
POADB Moderator, Microsoft Support Join Date: Jul 2004 Location: United Kingdom Posts: 6,420 OS: XP SP2	Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - Choose YES when informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot): C:\WINDOWS\SYSTEM32\444.exe C:\WINDOWS\SYSTEM32\doriot.exe C:\WINDOWS\SYSTEM32\ewerf.exe C:\WINDOWS\SYSTEM32\ewerfw.exe C:\WINDOWS\SYSTEM32\svc.exe C:\WINDOWS\SYSTEM32\sysdoor.exe C:\WINDOWS\SYSTEM32\winerdir.exe C:\WINDOWS\SYSTEM32\wnrot.exe C:\WINDOWS\SYSTEM32\wwnrot.exe C:\WINDOWS\23148187.exe C:\WINDOWS\37454578.exe C:\WINDOWS\579578.exe C:\WINDOWS\832328.exe C:\WINDOWS\867125.exe C:\WINDOWS\igfseajuvsu.exe Reboot your computer now. Re run HJT and a Virus scan and bring the results from both with you in your next post. __________________

08-19-2005, 08:01 PM	#10 (permalink)
jimbo715 Registered User Join Date: Aug 2005 Posts: 16 OS: XP	I really need some input! If someone could respond to this, I'd be very grateful. My system is trashed after following a portion of the steps outlined previously to clean out my system of viruses. Why would my email no longer work, and why would my task bar, toolbar and many other items disappear? Am i still running safe mode even though it doesn't say so? How can I find out what's going on? Thank you, Jim

08-18-2005, 01:33 PM	#3 (permalink)
jimbo715 Registered User Join Date: Aug 2005 Posts: 16 OS: XP	Thanks for response.. I use Adaware weekly, but it's never found these. These are found thru the anti-virus software I run thru Cox Communications, my cable internet provider. I'll check out Trend Micro.. Thanks, Jim

08-18-2005, 04:46 PM	#5 (permalink)
jimbo715 Registered User Join Date: Aug 2005 Posts: 16 OS: XP	I really appreciate the help. Here's the result.txt data: ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 4:40:59 PM, on 8/18/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000) Running processes: c:\program files\cox\applications\app\CurtainsSysSvcNt.exe C:\Program Files\Cox\Applications\app\Prism.exe C:\WINDOWS\hostren.exe C:\WINDOWS\hostdll.exe C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe C:\Program Files\Common Files\Command Software\dvpapi.exe C:\Documents and Settings\Owner\Desktop\aswclnr.exe C:\Documents and Settings\Owner\Desktop\aswF.tmp C:\WINDOWS\regedit.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local> F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\auserinit.exe O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_50.dll (file missing) O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\Cox\Applications\app\AuthBHO.dll O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\Cox\Applications\app\AuthBHO.dll O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe O4 - HKLM\..\Run: [win_upd.exe] C:\WINDOWS\System32\WINdirect.exe O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe O4 - HKLM\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe O4 - HKLM\..\Run: [csrss.exe] C:\WINDOWS\csrss.exe O4 - HKLM\..\Run: [winhlp.exe] C:\WINDOWS\winhlp.exe O4 - HKLM\..\Run: [hostren.exe] C:\WINDOWS\hostren.exe O4 - HKLM\..\Run: [hostdll.exe] C:\WINDOWS\hostdll.exe O4 - HKLM\..\Run: [mscsvc.exe] C:\WINDOWS\mscsvc.exe O4 - HKLM\..\Run: [windhost.exe] C:\WINDOWS\osrwin32.exe O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll" O4 - HKLM\..\Run: [sm] C:\WINDOWS\sa_exe.exe O4 - HKLM\..\RunServices: [Windows Explorer Update Build 1142] explorer32.exe O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\System32\sysdoor.exe O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\System32\winshost.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www2.xmlsweb.socalmls.com/XMLSearch/XMLCache.CAB O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/...e/wordcube.cab O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/pro...tor/WebSWK.cab O16 - DPF: {AE775D48-49AA-11D1-8F1C-00C04FB67063} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v5/Ticker.cab O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photoworks.com/pixami/DragDropUploader.cab O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\cox\applications\app\CurtainsSysSvcNt.exe O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing) End of KRC HijackThis Analyzer Log. ====================================================================

08-19-2005, 12:28 PM	#7 (permalink)
jimbo715 Registered User Join Date: Aug 2005 Posts: 16 OS: XP	Thank you for all the information. I was in the process of going thru the steps you mapped out. I have performed scans with Adaware and Spybot, and went to Trend Micro to use their online virus scan. After 2.5 hrs of scanning, I lost my connection as I always do with this infected system, and was not able to clean or fix anything it found.. the report below does show what it found, but I am thinking I will have to run through another 2.5 hr scan to see if I can keep my connection intact to allow me to complete the clean and recover process with the Trend Micro online tool. Here's what it found: by the way, what does "no action available" mean? Virus Scan 0 virus cleaned, 0 virus deleted Results:We have detected 15 infected file(s) with 15 virus(es) on your computer: - 0 virus(es) passed, 15 virus(es) no action available - 0 virus(es) cleaned, 0 virus(es) uncleanable - 0 virus(es) deleted, 0 virus(es) undeletable - 0 virus(es) not found, 0 virus(es) unaccessible Detected File Associated Virus Name Action Taken C:\WINDOWS\SYSTEM32\444.exe TROJ_BAGLE.CY No action available C:\WINDOWS\SYSTEM32\doriot.exe TROJ_SMALL.KY No action available C:\WINDOWS\SYSTEM32\ewerf.exe TROJ_BAGLE.E No action available C:\WINDOWS\SYSTEM32\ewerfw.exe TROJ_BAGLE.DAM No action available C:\WINDOWS\SYSTEM32\svc.exe WORM_Bagle.GEN No action available C:\WINDOWS\SYSTEM32\sysdoor.exe TROJ_MTGLDR.BV No action available C:\WINDOWS\SYSTEM32\winerdir.exe TROJ_MTGLDR.F No action available C:\WINDOWS\SYSTEM32\wnrot.exe TROJ_BAGLE.GEN No action available C:\WINDOWS\SYSTEM32\wwnrot.exe TROJ_KILLAV.AJ No action available C:\WINDOWS\23148187.exe TROJ_MTGLDR.F No action available C:\WINDOWS\37454578.exe TROJ_MITGLIEDR.E No action available C:\WINDOWS\579578.exe TROJ_MTGLDR.F No action available C:\WINDOWS\832328.exe TROJ_MTGLDR.F No action available C:\WINDOWS\867125.exe TROJ_MTGLDR.BV No action available C:\WINDOWS\igfseajuvsu.exe TROJ_MTGLIEDR.BW No action available Trojan/Worm Check 0 worm/Trojan horse deleted What we checked:Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer. Results:We have detected 8 Trojan horse program(s) and worm(s) on your computer: - 0 worm(s)/Trojan(s) passed, 8 worm(s)/Trojan(s) no action available - 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable Trojan/Worm Name Trojan/Worm Type Action Taken WORM_NETSKY.AB Worm No action available WORM_AGOBOT-3 Worm No action available TROJ_MITGLIEDR.S Trojan No action available WORM_BAGLE-4 Worm No action available WORM_SDBOT.VQ Worm No action available TROJ_LEGMIR.T Trojan No action available TROJ_LEGMIR.Z Trojan No action available WORM_AGOBOT.CAD Worm No action available What we checked:Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet. Results:We have detected 0 spyware(s) on your computer: - 0 spyware(s) passed, 0 spyware(s) no action available - 0 spyware(s) removed, 0 spyware(s) unremovable What we checked:Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix. Results:We have detected 0 vulnerability/vulnerabilities on your computer.

08-20-2005, 07:14 AM	#12 (permalink)
jimbo715 Registered User Join Date: Aug 2005 Posts: 16 OS: XP	Hi, Let's see if I can make this succint enough and not ramble. Yes I was going through Microbell's steps, and while going through them in order, everything seemed to be working right thru the point where I used cleanup and got just over 1GB of space back, so I was excited at that point. It seems to me things started going wrong while attempting the steps outlined for use in safe mode. I ran HJT, and checked the boxes mapped out for me, but when trying to run smitREN, it seemed to go wrong there. It scrolled thru a ton of files very quickly, most of which said file not found from what I could see, then it prompted me to allow time for disc cleanup, and then nothing happened and it never created a smitfiles.txt. Then it gave me an error notice that disc cleanup could not be found. So I moved on to the next step of running Ewido, and that application even though installed correctly and working previously in normal mode, would not launch and said it was configured incorrectly. I'm not 100% sure how safe mode is supposed to look, but this looked very weird and did not seem to be working as smoothly as I had expected from the instructions, so I decided to close out and relog into windows as it suggested, but without having done those steps since they could not be completed, and that's when things were bad. When it rebooted, my icons were huge, the settings were changed to 800x600, and the grasphics looked cloudy, like there was a ghost behind them. I did manage to change back to 1024 x 768 after like 4 attepts to even do that. Intially it would not make the change and then all of the sudden it just flashed a few moments after my last attempt and it did change ove. Even that was very weird. I cannot launch Outlook Express, Windows Media Player, Ewido, and who knows how many other applications. I have not tried them all. My browser looks like a generic stripped down version of what it was, this am thye computer took more than 5 mins to boot up.. whatever was deleted has also rendered my the anti-virus portion of my Cox Communications Security Suite disabled, and it won't let me re-enable it.. it's all grayed out and inaccessible now. it was working fine before going into safe mode as well. I cannot even open any of the logs that HJT created to submit to this forum, those say application not configured correctly as well, and that's not correct because I can still run the HJT.exe file but that's it. As for your other question, I only attempted to delete the files you listed with Killbox, and actually tried that after encountering problems, in hopes of just trying anything to help my situation, so it would not have been from using Killbox to delete any of the above files you mentioned, and I don't even know for sure if they're deleted. I simply copied them into Killbox and clicked to delete upon reboot. I have not checked to see if they're actually gone because I do not have Windows Explorer access either, so it's much more difficult to search for files. I didn't delete the sys32 folder. In addition, all my desktop icons look weird, the graphics appear to be off and a bit blurry. I am missing most of my buttons on the top and bottom bars, including Start, Home, Refresh, Stop, etc as well as Open, Edit, View and all the rest.. there's just nothing there anymore. I could email a few screen shots via my web mail if you wish. I cannot get into Windows Explorer thru normal channels, but when I do get to those folders, they look very weird, the text looks strange, and the graphics are wrong. Also if I try to toggle from say list view to details view, it's all the same, there's only one view for the folders, so that got damaed somehow as well. Any thoughts on what could possibly have gone wrong?

08-20-2005, 10:12 AM	#13 (permalink)
jimbo715 Registered User Join Date: Aug 2005 Posts: 16 OS: XP	Please keep in mind I have no problem making a donation to the site for the free svcs following this.. so please let me know how we can remedy the damage done. Jim

08-20-2005, 10:49 AM	#15 (permalink)
jimbo715 Registered User Join Date: Aug 2005 Posts: 16 OS: XP	I did exactly as instructed below with Cleanup. As for doing the the steps you suggested, I do not have a start button, and therefore cannot go to Start->Run, etc. I have nothing along the bottom of my screen except a blank bar, and then a few jumbled icons on the far right corner like Ewid and Cox Communications, as well as an icon indicating it's trying to perform disc cleanup but cannot, and then my clock.

08-20-2005, 10:54 AM	#16 (permalink)
jimbo715 Registered User Join Date: Aug 2005 Posts: 16 OS: XP	I just realized I had checked the scan for temp files. It was not unchecked. Is that the culprit? If so, what can be done?

08-20-2005, 12:12 PM	#17 (permalink)
Barry_R TSF Enthusiast Join Date: Aug 2005 Location: California Posts: 700 OS: Win XP Home, Linux Mint My System	I don't want to nagate the efforts you and the techs are placing on this problem but I have to wonder if the OS is so damaged at this point that a clean install is needed. I have found after multiple instances of this kind that even when I sucessfully repaired the OS that it was never the same. Maybe it is just an inverse placebo effect that I experienced but I was always happier with a clean install after such an ordeal.

08-20-2005, 01:16 PM	#18 (permalink)
jimbo715 Registered User Join Date: Aug 2005 Posts: 16 OS: XP	Barry, The only problem with reloading the OS is that I no longer have the disk. My system is about 4yrs years old ( HP Pavillion 7915 w/ Intel Celeron 1.3Ghz ) and is eventually going to be replaced, but I was not planning to do it so soon. I also would be concerend about the loss of my data in Outlook Express. I have about 6,000 mssgs in there, and a huge address book.. none of which I can afford to lose, as they're both business and personal contacts. Aside from not having the disk, which is a huge prob if I need to reinstall, I have never actually performed a reinstall. Would I be able to provide Microsoft the serial numbers or any pertinent info off my system and software so they can verify it is a legitimate, licensed product and then have them send me a copy of the disk or would they not do that? I don't know of any other way to get my hands on the disk if it's needed. I bought the system thru CompUSA, but again it was 4 yrs ago, so they'll be no help at this point. If I took it to someone MS authorized to have them perform a reload of XP, what does that typically cost? I really do not want to throw any real $$ into this system. It would be a waste. Jim

08-20-2005, 01:36 PM	#19 (permalink)
Barry_R TSF Enthusiast Join Date: Aug 2005 Location: California Posts: 700 OS: Win XP Home, Linux Mint My System	If I were in your situation I would start backing up all my stuff right now The more you mess with this situation the more the danger of losing something.

08-20-2005, 02:12 PM	#20 (permalink)
jimbo715 Registered User Join Date: Aug 2005 Posts: 16 OS: XP	Good point.. in fact I already have a number of items backed up including photos, MP3s, My Documents, etc. Here's the the concern: If I cannot open Outlook Express, how am I to back up those Mail and Address Book files? Any ideas? Last I recall, you need to go into the application to do that right? Is there another way because I cannot launch a number of applications since this happened, including Outlook Express. Jim