
NEED HELP QUICK PLEASE!


3 replies to this topic

#1 Square Duck

Posted 20 May 2004 - 06:50 PM

Here is a message I recently posted on www.majorgeeks.com ... I will just copy and paste for convenience purposes along with my hijackthis script... Thanks!

Ok I've tried to post this like 3 times and my stupid browser keeps overtaking me with the site http://f$%^-teens-russia. I just posted my hijackthis script as a new message and hopefully y'all can see it.

When my computer starts up: It automatically tries to connect me to some random IP address by automatically popping up my dialup box...

I then notice a small 1 inch long box pop up in the left bottom corner of my screen (right above the windows start menu) that says, internat, in the header. It goes away within a couple seconds followed by an Internet Explorer Script Error asking me if I want to continue running script on this page or not... URL: file://C:\Windows\wins2.hta

Ok before all this I have run all the NEWEST UPDATED versions of SpyBot, AdWare, AVG Antivirus, hijackthis, and CWshredder.

My homepage is now STILL http://greatersearch.biz and it used to be http://line-plus

I get random porn sites that pop up like the one mentioned above and another called http://ah-teens

Yes this sucks. Most of the time the sites won't even load, they'll just sit for a while at the bottom of the screen and you can't maximize them... but before long there's 20 of them at times.

Also after being on the computer for a while... or mostly the net it seems... I get an application box to pop up with a big red/white X. It says a short message about some kinda memory error and after I hit OK a System Shutdown box comes up! It has this line in it... C:\Windows\system32\lsass.exe' and this status code -1073741819. It gives me one minute to save things and you can't stop it!

I'm at the end of my rope here! I've run All these software programs NUMEROUS TIMES over the last 2 days and each time it seems like they detect something new... I've had AVG detect dialer viruses and homepage trojans and other trojans every single time I've run a full system scan. OH and the full system scan takes 35 min on this old G6-450 Gateway computer!

Like I said everything is FULLY updated to the max. Things aren't as bad as they were but still very present. I hope my hijackthis script can spark up some kind of remedy or maybe something I've said here! This is now my mom's computer and I'm only going to be here tonight (5/20) and part of Friday morning (5/21), so I need help on any aspects of the things I've said in the next few hours PLEASE!! Thanks a bunch!

Logfile of HijackThis v1.97.7
Scan saved at 07:39, on 5/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\ms32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\SYSTEM32\services\all.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
F1 - win.ini: run=C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/Windows/wins2.hta
O4 - HKLM\..\Run: [System Backup] ms32.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [TE_RegProtect] C:\Program Files\Anti Trojan Elite\TERegPct.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\SYSTEM32\services\all.exe /u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .inp: C:\PROGRA~1\INTERN~1\PLUGINS\npincplg.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/


#2 Guest_Plimsol_*

Posted 20 May 2004 - 10:39 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Start HijackThis, put a checkmark next to each item I list below, and then press fix:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
F1 - win.ini: run=C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/Windows/wins2.hta
O4 - HKLM\..\Run: [System Backup] ms32.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\SYSTEM32\services\all.exe /u

Reboot your computer into Safe Mode.

Then delete these files or directories
C:\WINDOWS\SYSTEM32\services\wmplayer.exe
C:/Windows/wins2.hta
C:\WINDOWS\system32\config\services.exe
C:\WINDOWS\SYSTEM32\services\all.exe (you can delete anything you find in the c:\windows\system32\services directory)
C:\WINDOWS\System32\ms32.exe

Disable System Restore. You can find instructions on how to enable and re-enable System Restore here:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

Re-enable System Restore with instructions from the tutorial above.

Reboot your computer to go back to normal mode and post a new log.
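A defender-side triage of the log entries Plimsol singled out, as an added example that is not part of the thread: it reads HijackThis-format lines and flags the same indicator classes (a start page pointing at an untrusted host, a win.ini run= autostart, a Run key that launches mshta on a local .hta, and Run targets inside system32\services or system32\config). The sample log lines and the allowlist of trusted start-page hosts are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 log format, modelled on the entries
# Plimsol told the poster to fix (not copied from a real log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
F1 - win.ini: run=C:\WINDOWS\SYSTEM32\services\wmplayer.exe
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/Windows/wins2.hta
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\services.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\SYSTEM32\services\all.exe /u
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/
"""

# Assumed allowlist of start-page hosts; a real one comes from local policy.
TRUSTED_START_HOSTS = {"www.google.com", "www.msn.com"}

# Directories in which legitimate Run-key targets do not live on a stock XP box.
ODD_AUTORUN_DIRS = ("\\system32\\services\\", "\\system32\\config\\")


def triage(log_text):
    """Return (rule, line) pairs for entries matching the thread's indicators."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]          # R0, R1, F1, O4, O16, ...
        if kind in ("R0", "R1"):
            url = line.split(" = ", 1)[1].strip()
            host = urlparse(url).hostname or ""
            if host and host not in TRUSTED_START_HOSTS:
                findings.append(("start-page hijack", line))
        elif kind == "F1":
            # win.ini run= is a legacy autostart; rarely legitimate on XP.
            findings.append(("win.ini run= autostart", line))
        elif kind == "O4":
            cmd = line.split("]", 1)[1].lower()   # command after the [name]
            if "mshta" in cmd and ".hta" in cmd:
                findings.append(("HTA launched from Run key", line))
            elif any(d in cmd for d in ODD_AUTORUN_DIRS):
                findings.append(("Run key target in odd directory", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:32} {line}")
```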

#3 Square Duck (Topic Starter)

Posted 20 May 2004 - 11:59 PM

Thanks for the very helpful and detailed reply plimsol! I did everything you said step by step... I actually just now turned back on System Restore.

I couldn't find the file... C:\Windows\System32\services\wmplayer.exe

I didn't find the C:/Windows/wins.hta, but I did find what seems like an unassociated file. It is titled, wins2 (also located in the main Windows directory), and when I highlight it, it says it's an .html file I think. I didn't know if this is a suspicious file or not and I was afraid to delete it right off.

There were a couple other files, one a .dll file, the other a google.exe file, in the services directory. I took your advice and deleted these also as they seemed very suspicious. That directory is now completely clean.

I did find and delete the other 3 files you had listed after the ones listed above.

I reran hijackthis after rebooting back into normal mode and I'm STILL getting this crazy http://greatsearch.biz coming up as my homepage and on hijackthis. This thing is HIGHLY determined to give me problems I guess.

Do you know of any other solutions with this? Is this particular site a common spyware problem?

Here is my new hijackthis script...

Logfile of HijackThis v1.97.7
Scan saved at 12:42, on 5/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TE_RegProtect] C:\Program Files\Anti Trojan Elite\TERegPct.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .inp: C:\PROGRA~1\INTERN~1\PLUGINS\npincplg.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_US.cab
O16 - DPF: {FE67C682-F5EA-11CF-9C2F-0000C0C83ADC} (Jamba Class Library) - http://www.americanracing.com/wheelmatch/Jambalib.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab


P.S. I think I may still be getting this random application error as I talked about in my original posted message. As soon as I hit ok the System Shutdown message appears and gives me 1 min to save everything before it automatically shuts everything down. I found out that it had been doing this to my Mom for a while now and it seems to have nothing to do with these recent spyware problems. Do you know what is causing this by chance? AGAIN Thanks so much in advance!!!

#4 Guest_Plimsol_*

Posted 21 May 2004 - 10:04 AM

That error message you are receiving is most likely because you have not updated the computer with www.windowsupdate.com and someone is trying to exploit a weakness, crashing lsass.exe.

I want you to do this first thing. Go to the website http://www.windowsupdate.com and install all the critical updates. Keep installing and rebooting until there are 0 left. If you get that error in the middle of the update, set your clock on the computer back 1 year and you will be able to continue working.

As for greatsearch.biz, I want you to do this:

You are infected with a variant of the CoolWebSearch.

Download CWShredder from the below link and unzip it into a directory. Start CWShredder and click on the Fix button to have it remove all CWS infections it finds.

Download CWShredder from:

http://www.merijn.org/files/cwshredder.zip

After you download the program, unzip it into a directory. Make sure all browser windows are closed and double click on the cwshredder.exe to start the program. When the program is loaded click on the "Check for Update" button, and if it finds a new version it will download it. You should then double click on cwshredder.exe again and click on the "FIX" button (not the "Scan only" button) and let it scan your computer.

To get the best results it is recommended that you run it in safe mode. Reboot Windows and press F8 at boot/Windows startup, usually right after the beep. Then select safe mode.

A tutorial that goes over this process step by step can be found here:

How to remove CoolWebSearch with CoolWeb Shredder


Then post a new log.
