
Numerous infection problems, please help!


  • This topic is locked
1 reply to this topic

#1 roym-21

roym-21

  • Members
  • 1 posts

Posted 22 September 2004 - 03:15 PM

Hi,
I'm looking for support with numerous problems.

This all seems to have happened since I had the Blaster worm, which I thought I got rid of.
For a while now I've been getting the following message on desktop-Notepad on startup;

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787


Taskmanager, Norton Anti-virus 2003 and now also Spybot are not working. They flash up on the screen for a split-second (if at all) when clicked and disappear. I've uninstalled and reinstalled Norton and it worked (once) but found nothing. The only information I got from Norton was that my subscription is up, which was not good news as I've been unable to use it. Is that now useless as it seems I can't update it? I restarted after the scan and it's not working again. Now I am also getting a Settings alert window from Symantec (every time I startup);

"Some Symantec product settings have been changed by an unauthorised program. This can indicate that an attacker or a virus is attempting to disable your protection.
To avoid problems, settings will be reverted to the previous configuration and your system will be restarted. Click OK to continue."

This shuts down and restarts all over again with the same message.

Occasionally, I also get a message window "Internet Explorer has encountered a problem and needs to close"; however, there is no countdown on this and if I minimise it and ignore it, it doesn't shut down. Same goes for the Symantec one above.

First I went online to http://housecall.antivirus.com and got this;

housecall results;

TROJ SMALL.AA Non Cleanable
CHM PSYME.AF CanNotAccess
WORM SPYBOT.P CanNotAccess



I ran a Pestscan online, and got 243 results. I turned off System Restore and I then ran Spybot followed by Ad-Aware in safe mode. I cleared everything they suggested and ran HijackThis.

Here is the Hijackthis logfile

Logfile of HijackThis v1.98.0
Scan saved at 14:01:06, on 22/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\WINDOWS\System32\SPOOLSRV.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner.ROYANDDEE-GG58G\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iol.ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pigsback.com/offers/604610622/subscription.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.iol.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {CE055D62-792E-4E56-9D35-737D7B4CFD7C} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Windows Spooler] SPOOLSRV.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Windows Spooler] SPOOLSRV.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.pigsback.com/offers/604610622/subscription.asp
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

I then ran Ad-Aware in normal mode followed by HijackThis (Norton and Spybot are not available again). Still found more. My latest Pestscan (run offline; I saved the HTML document/webpage) is showing 95 results.

Even if I could open TaskManager, I have 30-40 things showing up on it, and I have no idea which to select to end task.

Is there anything else I can do? Or should I just dump it all and re-install Windows? If I do, is that GUARANTEED to clear everything?

Thanks in advance for any help. I'm fairly new to all this, so please bear that in mind.

Roy



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,664 posts
  • Gender:Male
  • Location:USA

Posted 22 September 2004 - 04:16 PM

You are using an outdated version of HijackThis. Please download the newer version.

Download HijackThis from:

HijackThis Download Site

Then post a new log.



