Tech Support Forum (thread closed; showing posts 1 - 20 of 26)

#1 · Discussion Starter (Registered, 59 Posts)
I have this virus on my PC, probably attained through Kazaa.
What it seems to do:

-I can't open my Norton. When I click on the icon and go to click Next, nothing happens. I have tried running in safe mode and reinstalling. Nothing works! It will sometimes give me a message that a virus is detected, but I can't open it to quarantine it.

-Go to symantec.com, right? No such deal... I can't access Symantec, McAfee, or many other anti-virus web pages! It will say the page can't be displayed.

I have stumped quite a few people with this one, hoping to get some help here.

Thank you, anything is appreciated!

Erin
 

Premium Member (1,611 Posts)
Hello Berrybunches, welcome to the forums!!!

Symptoms that you are describing can be attributed to a wide variety of viruses and other issues not related to viruses...
What OS are you running? Have you looked for unusual programs/services running in Task Manager? Has the space on your HD changed? Have settings in your IE changed?

Please let us know....
 

#3 · Discussion Starter (Registered, 59 Posts)
I use Windows XP for my default browser... other members of my family use AOL (we have two Internet servers.) My hard drive space seems to stay the same and my Task Manager does not seem to be running anything new and unusual. I have a cable connection and a 40bit HD Gateway PC.

(BTW, I don't know that much about computers; computer whiz friends are the ones who have tried to help with this and they can't find the problem. But I know enough.)

I'll list some other problems my PC has that I had attributed to other viruses we have probably gotten and can't fix...

-I seem to get an unhealthy amount of "system not responding" messages (not an annoying amount, just at least a few times a day). I use all Microsoft programs and these are the ones that seem to have a problem. Another household member says Winamp and the Netscape browser never give them this... AOL will also give this message frequently.

-I have a picture on my desktop and my original background color is set as white... all my icons are "highlighted" in this white, like my original background surrounds them, but the rest of my desktop pic shows. This doesn't seem to hurt anything, it's just odd.

-My friend used to play the game Counter-Strike on my PC all the time... it started not running properly.

-AOL makes it run so slow... I can't have it open with Media Player at the same time, and I know AOL is a space hog, but it never used to do it so bad.

-I can't access anti-virus web pages, like I said.

-I did have a backdoor virus on my PC a while back; we couldn't get rid of it. Maybe it's still there!

Those are things off the top of my head.

Please get back to me.
 

Premium Member (1,611 Posts)
Did you run ScanDisk and Defrag recently?
Do you have any firewall in place? (not counting the XP firewall)
Can you tell us anything more about the backdoor that you had? Without any additional info it would be like looking for a needle in the Atlantic...
 

Registered (5,955 Posts)
Hi, BB.

The symptoms that you describe take me back about 1 1/2 years... I had the same sort of problem, caused by a worm I did not completely remove.

Ya just gotta have a firewall! ZoneAlarm Free is AOK.

Did you download SP4 as an update? If so, is there any time correlation with this problem?

With this very pervasive problem, I think we need to "cut to the chase".

The program "Hijack This" creates a log of running processes on the computer, along with a look at key parts of the registry.

The link I will give you below is a "quick start" site, and will explain the program in more detail.

http://www.tomcoyote.org/hjt/

Download HJT, close all browser windows and have it scan. Copy the log and paste it here, and we can see if there is anything lurking from that old infection that might answer your questions.

Ya just gotta have a firewall!
:tongue2:

Talk to you soon.
 

ID10T Circuit replacement (1,038 Posts)
This Lentin (also known as Yaha) worm variant appeared on the 17th of September 2003. It is an improved variant compared to previous versions of the worm. Like its previous variants, this one spreads itself in e-mails and over LAN (local area network), kills tasks of certain programs, logs the user's keyboard activity and performs DoS (Denial of Service) attacks on certain sites. The worm can also modify HTML pages on a webserver if it finds one on an infected computer. The worm blocks access to certain websites, mostly belonging to anti-virus vendors.

The above is from the f-secure.com website. If you have this virus, F-Secure is about the only one that isn't blocked. You might be able to go to their site and read more.
http://www.europe.f-secure.com/v-descs/yaha_t.shtml

Hopefully this helps.
 

#8 · Discussion Starter (Registered, 59 Posts)
Here are my results from the HijackThis scan:

Logfile of HijackThis v1.97.2
Scan saved at 8:57:24 PM, on 9/25/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\Drivers\XWMSAPI.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\~Yogi-Transcend~\Desktop\Erin\My Documents\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\~Yogi-Transcend~\Application Data\Mozilla\Profiles\default\778uzmab.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\~Yogi-Transcend~\Application Data\Mozilla\Profiles\default\778uzmab.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [XWMSUSBAPI] C:\WINDOWS\System32\Drivers\XWMSAPI.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct0_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: YExplorer1_7US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_7us.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://aol.ea.com/downloads/games/common/boot_strap/iegils.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} (AxOOdlz Class) - http://raven.veloz.com/pub/download/oodlz_drw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aol.ea.com/downloads/games/common/ieell.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tank.wizards.com/chat/data/html/user/msie/msichat.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {91602283-B7B5-11D3-A32A-005004B0E00E} (DiscoverWhy Class) - http://216.132.173.29/CabFiles/dwInfo.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37459.2078009259
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
 

#9 · Discussion Starter (Registered, 59 Posts)
idtent: I can't open that page either! But I did type the name of that worm into Google and it seems to be describing some of my problems. I saw there are many different versions of it. The one you suggested said to check applications in Task Manager which would be running if you were infected, which I had none of.

So I believe I may have a version of that virus but not the one you listed. Thanks for the help and I'll keep looking. Any more suggestions are appreciated.

Erin
 

#10 · Discussion Starter (Registered, 59 Posts)
Sorry for not waiting for a response, but I was able to do a virus check from a link I found on another forum from Symantec (the only Symantec I have access to as far as I know).
It detected 2 viruses:

W32.Kwbot.C.Worm

W32.Kwbot.F.Worm

one of which I mentioned above.

Since Norton won't work and I hope this is the cause, maybe someone could lead me to a free removal tool.

thanks!
 

ID10T Circuit replacement (1,038 Posts)
The Kwbot worm doesn't appear to affect the AV or AV websites. Look for the file explorer32.exe, rename it and reboot. Then delete it.

For Yaha.T the files are hidden, and you need to turn the option on to view hidden files if you haven't yet.

There are other viruses that affect not being able to go to AV sites. Off the top of my head, I am not sure.

Sorry, MTX is the one I was thinking of. Here is a partial description:
The most visible behaviour of the virus is that it stops visiting several Internet sites and disables sending messages to the same domains (they are anti-virus domain names). The virus detects them by four-letter combinations:

nii.
nai.
avp.
f-se
mapl
pand
soph
ndmi
afee
yenn
lywa
tbav
yman

Hope this helps.

BTW, if you have a FAT32 partition on your hard drive instead of NTFS, you can download F-Prot from F-Secure from a non-infected computer and it can scan and remove viruses from a boot-up disk.
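Added example, not code from any post in this thread. The MTX description above says the virus recognises anti-virus sites by four-letter substrings of the domain name; the first function applies that rule exactly as the list describes it (the matching logic is inferred from the post, since MTX's own code is not on the page). The second function is a check the thread does not mention but that a responder would want when a machine can reach every site except the AV vendors: scan the Windows hosts file for vendor or update domains that have been pinned to an address. The hosts-file sample and the AV_DOMAINS watch-list are constructed for this example.

```python
"""Two checks for "only the anti-virus sites are unreachable".

Added example; the fragment list is the one quoted in the post, the hosts
sample is constructed, and AV_DOMAINS is this example's own assumption.
"""
from typing import List, Optional, Tuple

# Four-letter fragments quoted in the MTX description above.
MTX_FRAGMENTS = ["nii.", "nai.", "avp.", "f-se", "mapl", "pand", "soph",
                 "ndmi", "afee", "yenn", "lywa", "tbav", "yman"]

# Assumed watch-list of vendor/update domains for the hosts-file check.
AV_DOMAINS = ("symantec.com", "mcafee.com", "f-secure.com", "sophos.com",
              "trendmicro.com", "kaspersky.com", "pandasoftware.com",
              "bitdefender.com", "windowsupdate.microsoft.com")


def mtx_blocks(hostname: str) -> Optional[str]:
    """Return the first fragment found in the hostname, or None if it passes."""
    h = hostname.lower()
    for frag in MTX_FRAGMENTS:
        if frag in h:
            return frag
    return None


def hijacked_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs for AV/update domains found in a hosts file.

    A clean hosts file maps only localhost, so any entry for one of these
    domains deserves a look whatever address it points at.
    """
    hits: List[Tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        address, names = fields[0], fields[1:]
        for name in names:
            n = name.lower()
            if any(n == d or n.endswith("." + d) for d in AV_DOMAINS):
                hits.append((address, n))
    return hits


# Constructed sample hosts file; the thread never shows the real one.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1       www.mcafee.com
127.0.0.1       windowsupdate.microsoft.com   # pinned to loopback
"""

if __name__ == "__main__":
    for host in ("www.symantec.com", "www.mcafee.com", "www.google.com"):
        print(host, "->", mtx_blocks(host) or "not blocked")
    for address, name in hijacked_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts file maps {name} to {address}")
```

On a real machine the file to feed `hijacked_hosts_entries` is `C:\WINDOWS\system32\drivers\etc\hosts`; read it from a clean boot (or from another machine with the drive attached) so the infected process cannot hide or rewrite it while you look.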
 

ID10T Circuit replacement (1,038 Posts)
It doesn't look like MTX can infect an XP machine???

You have to have something on there to stop your machine.

Norton recommends booting into safe mode to remove the viruses.
 

Registered (5,955 Posts)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Support.com\bin\tgcmd.exe" /server

You can delete this item via HJT. Open, select the above and have it "fix" it.

The HJT log is somewhat of a mess. Please download Ad-Aware 6.0 at http://www.lavasoftusa.com/, run a scan and delete everything found.

Since we have a serious problem here (I think even the HJT log has been corrupted), download Spybot S&D at http://www.safer-networking.org/index.php?lang=en&page=download, scan for problems and repair everything in red.

Post a new HJT log and let's see what happens.

We have to get to some baseline before we can start repairing. There is no sense in reinstalling the browser, etc., when we don't have a baseline yet, though reinstalling the browser is a fast way to get to those AV sites once we have a stable base.
 

Registered (12 Posts)
I also suggest that you temporarily disable System Restore before doing a full scan again. Any viruses resident when an SR snapshot takes place invariably will not be removed.
 

#15 · Discussion Starter (Registered, 59 Posts)
jgvernonco -

I deleted that file with HJT.

BTW, I have Ad-Aware and Spybot S&D and run them frequently (my bf actually does it most, so knows more about it), but I just did scans with both and deleted everything found like you said. Though we usually don't delete every one, I feel there is nothing to lose at this point.

Here is the HJT scan I just performed:
Logfile of HijackThis v1.97.2
Scan saved at 9:03:58 PM, on 10/1/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\Drivers\XWMSAPI.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0b\aoltray.exe
C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\~Yogi-Transcend~\Desktop\Erin\My Documents\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", ""); (C:\Documents and Settings\~Yogi-Transcend~\Application Data\Mozilla\Profiles\default\778uzmab.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\~Yogi-Transcend~\Application Data\Mozilla\Profiles\default\778uzmab.slt\prefs.js)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [XWMSUSBAPI] C:\WINDOWS\System32\Drivers\XWMSAPI.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [SoloSentry] C:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy 1.1\SpybotSD.exe" /autocheck
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct0_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: YExplorer1_7US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_7us.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://aol.ea.com/downloads/games/common/boot_strap/iegils.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://raven.veloz.com/pub/download/oodlz_drw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aol.ea.com/downloads/games/common/ieell.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://tank.wizards.com/chat/data/html/user/msie/msichat.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {91602283-B7B5-11D3-A32A-005004B0E00E} (DiscoverWhy Class) - http://216.132.173.29/CabFiles/dwInfo.cab
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37459.2078009259
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab
 

Registered (12 Posts)
Just one thing to do now, and that is to prevent mdm.exe from starting.

Go to Start | Run
Type in msconfig
Click the Startup tab

Find mdm.exe and uncheck it

Restart your PC, put a checkmark in the Selective startup box and click OK for "do not show this message again".
 

Registered (5,955 Posts)
C:\Program Files\Support.com\bin\tgcmd.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://raven.veloz.com/pub/download/oodlz_drw.cab (Stop Sign!)
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab

Run HJT and delete all of the above.

Are you running Stop Sign? This is notorious spyware. They explicitly ask for permission to run ads, but many times they can have 5 or more processes running at once.

I will refer you to the following site:

http://www.pestpatrol.com/PestInfo/S/StopSign.asp

I think I got everything without interrupting your games and favorite sites.

;)
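Added example, not code from the thread or from HijackThis itself. The responder above picked entries out of the log by eye; this is a small triage pass that does the same first cut over HijackThis 1.9x log lines. It parses O4 (autostart) and O16 (Downloaded Program Files, the ActiveX controls IE has fetched) entries and flags what gets looked at first: O16 controls served from a bare IP address instead of a hostname, GUID-only O16 entries with no friendly name, and O4 entries whose command line contains a directory from a watchlist. The watchlist is this example's own assumption, built from the directories the responders chose to delete (HijackThis does not classify entries); the sample lines are copied from the logs posted in this thread.

```python
"""First-cut triage of HijackThis O4/O16 log lines (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O16 - DPF: {GUID} (Friendly Name) - url   |   O16 - DPF: Name - url
O16_RE = re.compile(
    r"^O16 - DPF: (?P<ident>\{[0-9A-Fa-f-]+\}|.+?)"
    r"(?: \((?P<friendly>[^)]*)\))? - (?P<url>\S+)$"
)

# Assumed watchlist: directory names the responders above singled out.
WATCHLIST = ("ACCELE~1", "Support.com", "WildTangent", "BroadJump")


@dataclass
class Finding:
    section: str   # "O4" or "O16"
    subject: str   # autostart name or ActiveX identifier
    reason: str
    line: str


def _is_raw_ip(url: str) -> bool:
    """True when the URL's host is a literal IP address rather than a name."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def triage(log_text: str) -> List[Finding]:
    """Return the O4/O16 entries worth a closer look, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").lower()
            for w in WATCHLIST:
                if w.lower() in cmd:
                    findings.append(Finding("O4", m.group("name"),
                                            f"command path matches watchlist entry {w}", line))
                    break
            continue
        m = O16_RE.match(line)
        if m:
            ident, friendly, url = m.group("ident"), m.group("friendly"), m.group("url")
            if _is_raw_ip(url):
                findings.append(Finding("O16", ident, "control served from a raw IP address", line))
            if ident.startswith("{") and friendly is None:
                findings.append(Finding("O16", ident, "ActiveX control has no friendly name", line))
    return findings


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://raven.veloz.com/pub/download/oodlz_drw.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.subject}] {f.reason}")
```

The output is a shortlist, not a verdict: a raw-IP download host or a missing friendly name is a reason to look the GUID up, and a watchlist hit is only as good as the list you feed it. The point of doing it in code is that the same rules run identically over the second, much longer log.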
 

#19 · Discussion Starter (Registered, 59 Posts)
jgvernonco -

I deleted the HJT files you recommended.

I have to say that whole Stop Sign business is messy. I downloaded it when trying to find virus removal software since my Norton won't work... big mistake!!!
Thanks for the help though :)
And you don't have to tiptoe around my games :) I don't mind if I have to load them again, or if I ever play them again, just so long as my problems get fixed. Thank you for the consideration anyway.


Has anyone figured out the root of the whole problem yet? More comments are appreciated.
 

Registered (139 Posts)
Well, your first problem is not keeping your antivirus up to date and not having a firewall. NO ONE with a computer, even with an internet connection just hooked up to the box, should ever be running without protection! EVER! ESPECIALLY if it is going to be used for games and chat rooms. PERIOD! NO EXCUSES!

When you get your machine cleaned up, the FIRST thing you will do is install/update your antivirus and get a FIREWALL! THEN you WILL update ALL of the Microsoft security patches. One just came out yesterday morning. It should be on your machine! They ALL should! What I did before I thought about putting my new PC on the 'net was to install the Windows XP patches and update my Norton antivirus/firewall. How did I do this without catching anything? I downloaded my Microsoft patches on another secure PC and saved them to CD-R. I just ran the patches from the CD-R.

Your antivirus must be updated EVERY week, or more! It won't do a thing just being installed. You may as well not have an antivirus at all unless you keep your subscriptions up.

A lot of these viruses and worms are slick. They will disable and even try to delete your antivirus and firewall. When you get things cleared up, you will have to reinstall your antivirus.

There are trojans that will allow your PC to become a server for porn sites without your knowledge. And think of all the criminals out there collecting your personal information like addresses, telephone numbers, credit card numbers, children's names... some people might even place kiddie porn on your PC and tell the feds! And YOU would never know it. Am I scaring you? GOOD!

I DO mean to come off harsh, because for every machine that is not protected, another 10-1000 machines get infected and hacked. There are people who leave port scanners on 24 hours a day just looking for some sucker with no protection. His job is pretty easy. It is the same as letting some stranger off the street into your home with your wife and kids.

Next, you will limit what other people can do on your PC. It IS your PC, right? Why are you letting others mess it up for you? If it's family, just configure it to prevent them from doing certain things on it. And you must be very careful of what you download! There are very mean, sick individuals out there who love to mess up other people's lives. And I'm not just talking about the record companies! Reclaim YOUR machine!

If you don't get things cleared up, you may have to consider reinstalling Windows and hope your BIOS hasn't been corrupted.

Good luck, and take my words very seriously. You can have lots of fun on the internet, but you have to be CAREFUL!
 