Author Topic: Beyond Help?  (Read 2030 times)

Offline aubry

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
Beyond Help?
« on: November 06, 2004, 01:22:19 PM »
Hello,
Hoping someone can help me here. I'm trying to help out a friend. Her operating system is XP H.E. Vers 2002 Service Pack 1. I ran a virus scan yesterday with Norton's 2004 (I'm now having problems using it). It found the W32/sdbot.worm.gen.t virus. I believe the worm was taken care of. My system restore did not work, trying to restore Norton's 2002. There are tons of browsers popping up. My home page has changed. I've noticed new 'programs' icons on my desktop. I ran Ad-Aware and Spybot, ran Avast this morning, it found some trojans. I ran a HijackThis on her system this morning. I'm thinking she should just do a full system reformat, but not sure she has the proper discs. I hope I included everything you needed. Hoping you can help.

Thanks a lot, aubry

Logfile of HijackThis v1.98.2
Scan saved at 6:57:27 AM, on 11/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\rundll32.exe
C:\Margaret\Nortons\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Margaret\Nortons\SAVScan.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\index.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SED\SED.exe
C:\Margaret\Window Washer\Window Washer Inst\Washer\washer.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\explorer.exe
C:\Margaret\Hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32/left.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.smarter.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.smarter.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C2-5297EF71F44B} - C:\WINNT\System32\stlbupdt.DLL (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Margaret\Nortons\NavShExt.dll
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Program Files\IEMenuExtension\tbextn.dll
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O4 - HKLM\..\Run: [Rundll32_8] rundll32.exe C:\WINNT\System32\inetp60.dll,DllRunServer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [180ax] c:\winnt\180ax.exe
O4 - HKLM\..\Run: [cnuz] C:\WINNT\cnuz.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [Create A Monster] "C:\Program Files\Kudd.com\createAMonster.exe" -run
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Margaret\Window Washer\Window Washer Inst\Washer\washidx.exe "Owner"
O4 - HKCU\..\Run: [Washer] C:\Margaret\Window Washer\Window Washer Inst\Washer\washer.exe /0
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\Program Files\Lycos\Sidesearch\sidesearch1500.dll (file missing)
O9 - Extra button: Browser Pal Toolbar - {07B7F771-1B8E-4B7B-823E-FFAC1732AA9F} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...267d9100f21782b
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...xpro/wtinst.cab
O18 - Filter: text/html - {CC905FF6-B553-496C-9DFA-CFF65ADCD0FC} - c:\program files\clientman\run\searchrepf9d6a148.dll
O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINNT\System32\Clakkoij.dll

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Beyond Help?
« Reply #1 on: November 06, 2004, 10:24:05 PM »
You have a few nasties to remove.
Whenever I see a log hijacked in your Winsock Layered Service Provider,
indicated by the O10 entries in the log, I like to have the user back up the registry.
Please don't try and fix the O10 entries with HijackThis.

First off, if possible Create a Fresh Restore Point
You indicated that you can't use System Restore
Could you please manually back up the Registry and save it in a convenient location.
You can delete it later, we probably won't need the backup, it's just a safety net. :)

Go to START>>>Run>>type in regedit and hit Enter
Highlight My Computer
Click File>>>Export
Name and save this to a location on your hard drive

Let's try some cleaning
Could you download and save to desktop LSP fix
If you download the zipped version ensure you unzip it
Don't run this yet, you'll need it later

Access your Add/Remove Programs and Remove if found
WebSearch Toolbar
WebSearch Tools
Search Assistant
Win-Tools Easy Installer


Don't Restart your computer, even if prompted, until the last program has been uninstalled

Restart your computer if any or ALL have been Removed

After you're back in Windows
Stay disconnected from the Internet, Close down all open Windows
Double click to run LSP fix
Check "I know what I'm doing".
Then select all occurrences of lspak.dll and calsp.dll (and nothing else) in the left pane,
click the arrow button to have them moved into the right hand panel (the Removal Pane).
Click Finish

Restart your computer again

Set Windows to Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

Find and delete these files if they exist --->> Send to the recycle bin for now
c:\winnt\system32\calsp.dll <--file
c:\winnt\system32\lspak.dll <--file

Post back with a fresh Hijackthis log afterwards, there will be more work to do, but this is a good start

Could you also open up Ad-Aware---Click on Details
Let me know Reference Number and Internal build

Open up Spybot--Click on HELP>>ABOUT
Let me know Spybot version and Latest Detection date

Could you also Download and save to desktop
VX2 Finder
You show signs of Look2Me infection, this will help to verify

Open VX2 Finder
"Click to Find VX2.Betterinternet"
Press the "Make Log"
Post that log back here too, thanks
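The reply above is built on reading the O10, O1 and O4 lines of the HijackThis log by hand. The script below is an added example (not from this thread, and not part of HijackThis itself) that does the same first-pass triage over a handful of lines copied from the log posted above: it counts how many Winsock LSP chain entries point at each DLL, lists hosts-file overrides, and pulls out autostart entries whose executable is not under Program Files for review. The line formats it parses are the ones visible in the log; the "not under Program Files" filter is an assumption for a coarse review list, not a verdict.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...267d9100f21782b
"""

# Every HijackThis finding starts with an R or O code, then " - ", then the detail.
LINE_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")


def parse(log_text):
    """Return (type, body) pairs; header and 'Running processes' lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def lsp_dlls(entries):
    """Count O10 entries per DLL: one LSP DLL appears once per protocol chain entry,
    which is why the same file shows up several times in the log."""
    counts = Counter()
    for kind, body in entries:
        if kind == "O10":
            counts[body.rsplit(": ", 1)[1].lower()] += 1
    return counts


def hosts_redirects(entries):
    """Return {hostname: ip} for O1 hosts-file overrides (search-site redirects here)."""
    out = {}
    for kind, body in entries:
        if kind == "O1" and body.startswith("Hosts: "):
            ip, host = body[len("Hosts: "):].split(None, 1)
            out[host] = ip
    return out


def run_entries_for_review(entries):
    """O4 autostart commands not under Program Files (assumed coarse filter, review by hand)."""
    out = []
    for kind, body in entries:
        if kind == "O4":
            cmd = body.split("] ", 1)[1].strip().strip('"')
            if "program files" not in cmd.lower():
                out.append(cmd)
    return out
```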
