TheTechGuide Forum
General Category => Tech Clinic => Topic started by: monkey410 on May 11, 2005, 10:33:10 AM
-
basically i have a [censored] load of virus/trojans on my computer, i have been battling them for a long time and used alot of softwares/anti virus stuff. But it just happens that after i kill them they keep coming back, please help me out!!!
currently this is a fresh hijackthis log of my machine after i just cheaned the HD,Registry and startup of winjes and farmmext.
Logfile of HijackThis v1.99.1
Scan saved at 10:32:20 AM, on 5/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\program files\powerstrip\pstrip.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\AGRSMMSG.exe
E:\Program Files\AIM95\aim.exe
F:\shen\games\sierra\steam.exe
E:\WINDOWS\System32\ctfmon.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\Mozilla Firefox\firefox.exe
F:\Shen\HJk\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - E:\WINDOWS\Pynix.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_11_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ViewMgr] E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PowerStrip] f:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "f:\shen\games\sierra\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll (http://\"http://www.otxresearch.com/OTXMedia/OTXMedia.dll\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://gozing.skilljam.com/ssp/SSP.cab (http://\"http://gozing.skilljam.com/ssp/SSP.cab\")
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab (http://\"http://activex.microgaming.com/DLhelper/version7/dlhelper.cab\")
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_229/w...OCX/FlashAX.cab (http://\"https://register3.valueactive.com/mpp_229/webolr/OCX/FlashAX.cab\")
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - E:\WINDOWS\System32\libsysmgr.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
-
File E:\WINDOWS\Pynix.dll infected by "not-a-virus:AdWare.DlMax.a" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\Pynix.dll infected by "not-a-virus:AdWare.DlMax.a" Virus. Action Taken: No Action Taken.
File System Found infected by "Bargain Buddy Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Bargain Buddy Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Bargain Buddy Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "eZula Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "XXXToolbar Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BlazeFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "MyBar Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Wind Updates Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "myway Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "webrebates Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "kazaa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "kazaa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "pynix Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.therealsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "farmmext Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "farmmext Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\localNRD.dll infected by "not-a-virus:AdWare.BiSpy.s" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\NDNuninstall4_85.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\NDNuninstall6_10.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\System32\k404SearchSetup_MS14.exe infected by "not-a-virus:AdWare.ToolBar.404Search.a" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\System32\MegasearchBarSetup.dll infected by "not-a-virus:AdWare.F1Organizer.n" Virus. Action Taken: No Action Taken.
this is what i got from running escan
this seems like alot of work, i'll definatly donate some $$
File E:\WINDOWS\System32\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File E:\DOCUME~1\SHENLI~1\LOCALS~1\Temp\DrTemp\farmmext.cab infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File E:\DOCUME~1\SHENLI~1\LOCALS~1\Temp\DrTemp\farmmext.exe infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File E:\DOCUME~1\SHENLI~1\LOCALS~1\Temp\DrTemp\MMaker4b.exe infected by "not-a-virus:AdWare.WebRebates.d" Virus. Action Taken: No Action Taken.
File E:\DOCUME~1\SHENLI~1\LOCALS~1\Temp\pynix.cab infected by "not-a-virus:AdWare.DlMax.a" Virus. Action Taken: No Action Taken.
File E:\DOCUME~1\SHENLI~1\LOCALS~1\Temp\Pynix.dll infected by "not-a-virus:AdWare.DlMax.a" Virus. Action Taken: No Action Taken.
File E:\DOCUME~1\SHENLI~1\LOCALS~1\Temp\THI8E4.tmp\pynix.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File E:\DOCUME~1\SHENLI~1\LOCALS~1\Temp\THI8E4.tmp\Pynix.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File E:\Documents and Settings\Shen Liang\Local Settings\Temp\DrTemp\farmmext.cab infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File E:\Documents and Settings\Shen Liang\Local Settings\Temp\DrTemp\farmmext.exe infected by "Trojan-Downloader.Win32.Stubby.c" Virus. Action Taken: No Action Taken.
File E:\Documents and Settings\Shen Liang\Local Settings\Temp\DrTemp\MMaker4b.exe infected by "not-a-virus:AdWare.WebRebates.d" Virus. Action Taken: No Action Taken.
File E:\Documents and Settings\Shen Liang\Local Settings\Temp\pynix.cab infected by "not-a-virus:AdWare.DlMax.a" Virus. Action Taken: No Action Taken.
File E:\Documents and Settings\Shen Liang\Local Settings\Temp\Pynix.dll infected by "not-a-virus:AdWare.DlMax.a" Virus. Action Taken: No Action Taken.
File E:\Documents and Settings\Shen Liang\Local Settings\Temp\THI8E4.tmp\pynix.cab infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File E:\Documents and Settings\Shen Liang\Local Settings\Temp\THI8E4.tmp\Pynix.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File E:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File E:\Shen(more mp3s and CS1.5)\SIERRA15\half-life\hltv.exe tagged as not-a-virus:RiskWare.Proxy.Hltv. No Action Taken.
File E:\WINDOWS\Downloaded Program Files\megasear.dll infected by "not-a-virus:AdWare.BHO.MegaSearch.a" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\Downloaded Program Files\OTXMedia.dll infected by "not-a-virus:AdWare.OTX.a" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\LastGood\Pynix.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\localNRD.dll infected by "not-a-virus:AdWare.BiSpy.s" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\NDNuninstall4_85.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\NDNuninstall6_10.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\system32\k404SearchSetup_MS14.exe infected by "not-a-virus:AdWare.ToolBar.404Search.a" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\system32\MegasearchBarSetup.dll infected by "not-a-virus:AdWare.F1Organizer.n" Virus. Action Taken: No Action Taken.
File E:\WINDOWS\system32\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File F:\Program Files\DivX\DivX Player 2.1\uninstall.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File F:\Program Files\highjack\backup-20041022-055314-771.dll infected by "not-a-virus:AdWare.BHO.MegaSearch.a" Virus. Action Taken: No Action Taken.
File F:\Program Files\Kazaa\My Shared Folder\Game Full Lemonade Tycoon.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File F:\Shen\DCdl\Tools\Lemonade_EN_BRO_1.0.2.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File F:\Shen\DCdl\Tools\pod25ins.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File F:\Shen\DCdl\Tools\SysReset 2.53 with mIRC 6.12.exe tagged as not-a-virus:RiskWare.mIRC.6.12. No Action Taken.
File F:\Shen\Games\SIERRA\half-life\hltv.exe tagged as not-a-virus:RiskWare.Proxy.Hltv. No Action Taken.
File F:\sysreset\IRC\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.12. No Action Taken.
-
Can I have you run a few free tools on your computer
All are free
Can you do the following please
==Download the Pocket Killbox (http://\"http://www.downloads.subratam.org/KillBox.zip\")
UNZIP it to a folder of your choice
==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Give the link time to load or try it twice, it may be busy
Install for now, don't run a scan yet
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
Know how to start in Safe mode, I'll be asking you to do this shortly
Disconnect from the Internet
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: PynixObj Class - {00000000-DD60-0064-6EC2-6E0100000000} - E:\WINDOWS\Pynix.dll
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll (http://\"http://www.otxresearch.com/OTXMedia/OTXMedia.dll\")
O16 - DPF: {7CA3D0A3-7E2E-4AAB-A75E-FAB8ECA8BD95} (Skilljam Game Player Object) - http://gozing.skilljam.com/ssp/SSP.cab (http://\"http://gozing.skilljam.com/ssp/SSP.cab\")
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab (http://\"http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab\")
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_229/w...OCX/FlashAX.cab (http://\"https://register3.valueactive.com/mpp_229/w...OCX/FlashAX.cab\")
O23 - Service: NT login service (ntlogin32) - Unknown owner - E:\WINDOWS\System32\libsysmgr.exe (file missing)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
==Run Pocket KillBox>>Now killbox and this notepad file is open
Click on Tools>>Delete Temp files
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
E:\WINDOWS\Pynix.dll
Then click the Delete File button
The Red circle and a white X
Do the same for the next ones below
For any file that won't delete, keep track of them, we'll need them in a bit
E:\WINDOWS\NDNuninstall4_85.exe
E:\WINDOWS\NDNuninstall6_10.exe
E:\WINDOWS\System32\k404SearchSetup_MS14.exe
E:\WINDOWS\System32\MegasearchBarSetup.dll
E:\WINDOWS\System32\SHAgentNew.dll
E:\WINDOWS\Downloaded Program Files\megasear.dll
E:\WINDOWS\Downloaded Program Files\OTXMedia.dll
E:\WINDOWS\LastGood\Pynix.dll
E:\WINDOWS\localNRD.dll
E:\WINDOWS\System32\libsysmgr.exe
For any file that wouldn't delete, this time copy and paste that entry back to killbox
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
IF prompted to Reboot Now, Click NO
When you've entered the last path to the file
Allow the computer to Reboot
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation
Open Hijackthis>>Open Misc Tools Section>>Open" Delete an NT Service"
In the new window, copy and paste or type the following in bold into the Open field and hit OK
ntlogin32
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Restart back to Normal mode
Back in windows
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://\"ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe\")
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Back In windows
Download and Install Spybot S&D 1.3 (http://\"http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but\")
Don't activate the Tea Timer when installing, it's a great feature but can get in the way
of any fixes we may still have to do
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and download all updates
Click the Search & Destroy button on the left
Check for Problems---When the Scan is complete
FIX all selected promblems in RED
RESTART the computer to finish the cleaning process
Post back a fresh Hijackthis log
Could you also do the following
Download and UNZIP to desktop Export.zip (http://\"http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=205\")
So you now have Export.bat on the desktop
Double click on Export.bat
If a new text file is placed on the desktop>>Export.txt
Can you copy and paste that info back here
If nothing is placed on the desktop, let me know that too, thanks
-
Ok heres the new log,
the export.exe didn't make a export.txt
i fixed almost everything except the ntlogin32 part
as u can see
O23 - Service: NT login service (ntlogin32) - Unknown owner - E:\WINDOWS\System32\libsysmgr.exe (file missing)
is still there
what happens is that when i try to end the "NT service" via hijackthis
it says the process is running and enabled and i must diable it 1st then do it.
but if i use taskmanager or killbox i do not see it as a system process
via hijackthis, whenever i deleted that , it just comes back again.
ps - i think this is a great thing u guys are doing, you guys could also have like anti-spyware classes online, through ventrilo or teamspeak and give hw with ftp and etc and charge money or accept donations. I'm sure alot of ppl would be interested!
Logfile of HijackThis v1.99.1
Scan saved at 7:14:24 PM, on 5/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\program files\powerstrip\pstrip.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\AGRSMMSG.exe
E:\Program Files\AIM95\aim.exe
F:\shen\games\sierra\steam.exe
E:\WINDOWS\System32\ctfmon.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\system32\NOTEPAD.EXE
F:\Shen\Killhax\HJk\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_11_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ViewMgr] E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PowerStrip] f:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "f:\shen\games\sierra\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - E:\WINDOWS\System32\libsysmgr.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
-
Your still not quite clean yet, let's try and get the rest, hopefully we can rid you of that bad service
==Download and Unzip to a folder Hoster.zip (http://\"http://www.funkytoad.com/download/hoster.zip\")
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation
In safe mode
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- NT login service
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Delete this file if found
E:\WINDOWS\System32\libsysmgr.exe <-file
Open Hijackthis>>Open Misc Tools Section>>Open" Delete an NT Service"
In the new window, copy and paste or type the following in bold into the Open field and hit OK
ntlogin32
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [ViewMgr] E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - E:\WINDOWS\System32\libsysmgr.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open Hoster>>Click on "Restore Original Hosts"
OK it
Restart back to Normal mode and post a fresh Hijackthis log
-
well i did everything u said, and got most of the problems but
i still can't get rid of this
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
everytime i delete it with Hijackthis it comes right back
Logfile of HijackThis v1.99.1
Scan saved at 11:16:33 AM, on 5/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\program files\powerstrip\pstrip.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\AGRSMMSG.exe
E:\WINDOWS\Mixer.exe
E:\Program Files\AIM95\aim.exe
F:\shen\games\sierra\steam.exe
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
F:\Shen\Killhax\HJk\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ (http://\"http://www.yahoo.com/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_11_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PowerStrip] f:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [C-Media Speaker Configuration] \Setup.exe /SPEAKER
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "f:\shen\games\sierra\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab\")
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
-
That entry is a leftover from Symantec's product
It looks like you uninstalled it, but the service remained
Can you do the following please
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- ScriptBlocking Service
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Then open Hijackthis>>Open Misc tools section>>Open "Delete an NT service"
In the next box copy and paste, or type the bold entry below and hit OK
SBService
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster 3.4 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Why so far behind on Windows updates?
If your version of Windows is legit, this is important in keeping your system secure also