
Bsod On Shutdown, Popups In Ie, Locksky.nag Smitfraud


  • This topic is locked
3 replies to this topic

#1 Slashvre

Slashvre

  • Members
  • 28 posts
  • Local time:01:36 AM

Posted 23 March 2007 - 03:59 AM

I'm not sure how all this started, but I do know that my 6 year old nephew was on the computer the other day, and he can barely read. He was probably surfing the net and clicked a bunch of programs onto my computer :thumbsup:. Cox Communications literally suspended our Cable connection because my computer was sending out spam e-mail (wtf!). I'm pretty sure I've got that part under control since then, but I have new problems now, from the nephew incident.
Anyways, a short list of my problems:

1. BSOD on restart or shutdown.
2. Popups on Windows Internet Explorer.
3. Locksky.NAG & Smitfraud-C.
4. Windows Script Host error on log on.
5. Error Loading DLL file


1.
Blue Screen O' Death!
Whenever I try to restart my computer or shut down, whether in normal or safe mode, I get this blue screen:
" STOP: c000021a {Fatal system Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000)
system has been shutdown "

And then it just sits there until I force shutdown.

I notice that if I shut down or restart before I log into any accounts when I start up, I don't get this message. My suspicion is that it deals with "winlogon.exe" (all lowercase) that has been running on my computer for a long time. I think it's been running on my computer for almost a year now but it may have only just become troublesome a couple days ago.
Also, "winlogon.exe" is running when I am in Safe Mode too. Not sure if that's supposed to be or not. Windows won't let me stop the process because it's a "critical process."


2.
Popups!
If I have Windows IE open, I get constant popups. I had Deluxe Communications thrown onto my computer and I'm pretty sure I'm clear of it, although maybe I'm not? I suppose the HijackThis log could help mostly with this one?


3. Spybot keeps finding:
Locksky.NAG
Smitfraud-C.
Smitfraud-C.Toolbar888

And I can't seem to permanently get rid of these!
I tried a smitfraud.reg fix I read about, but it didn't seem to work. Maybe I did it wrong?


4.
Starting up my computer and logging into a Windows user name, I get a popup titled "Windows Script Host" that has the following info in it:

Script: C:\Program Files\func.js
Line: 76
Char: 1
Error:system can't find file
Code:80070002
Soucre:(null)

I suppose it's just a startup code that needs to be deleted (or re-installed) but I don't know how to do that.


5. Another windows popup that states:
" Error Loading C:\Windows\system32\yxtclggm.dll"

I think this was something one of the Virus/spyware programs deleted, and the computer is still trying to load it, even though I got rid of it.

Probably similar to #4 above.



Things I Have Tried:
Overall I've run all of these updated programs multiple times, both in Normal and in Safe Mode (except BitDefender, which won't load for me in Safe Mode):
AVG 7.5 Free Edition
Spybot - Search & Destroy
Lavasoft Ad-Aware SE Personal
BitDefender 8

Again, I also tried a smitfraud.reg fix, didn't seem to quite work, although I'll try it again.
These are multiple problems but any help would be appreciated!

Here is my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 1:52:15 AM, on 3/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\cisvc.exe
C:\program files\softwin\bitdefender8\bdnagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\msdpsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Slash\Desktop\Programs\Protection\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.megatokyo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O3 - Toolbar: (no name) - {724d43a0-0d85-11d4-9908-00400523e39a} - (no file)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\yxtclggm.dll",setvm
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files\softwin\bitdefender8\bdnagent.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\spsnjrjk.dll",setvm
O4 - HKLM\..\RunServices: [6BA4DF1E] C:\WINDOWS\system32\rsbmsc.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {36EC1E98-9526-4BA2-935A-27C561F24877} - http://www.kerclink.com/Download/setup.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173428989031
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {BA61B6AE-9EDE-42EE-92C6-C938DEBCAFF3} - http://www.kerclink.com/Download/setup.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.21.10/ttinst.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Data System Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Distributed Process Services (MSDPSV) - Unknown owner - C:\WINDOWS\system32\msdpsv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Public Machine - Unknown owner - C:\WINDOWS\system32\lcyss.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
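Added here as an illustration, not part of the original post: a small Python triage script that parses HijackThis O4 (autostart) and O23 (service) lines and flags the patterns a log reviewer would look at first. The sample input is a constructed subset of the log above; the heuristics (random-looking 8-letter DLL names loaded via rundll32, RunServices entries, services with an unknown owner and a missing binary) are review hints, not verdicts.

```python
import re
from typing import List, Tuple

# Constructed sample: a subset of the O4/O23 lines from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "C:\WINDOWS\system32\yxtclggm.dll",setvm
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\spsnjrjk.dll",setvm
O4 - HKLM\..\RunServices: [6BA4DF1E] C:\WINDOWS\system32\rsbmsc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Public Machine - Unknown owner - C:\WINDOWS\system32\lcyss.exe (file missing)
"""

# O4 lines look like: O4 - HKLM\..\Run: [label] command
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$')
# O23 lines look like: O23 - Service: name - owner - path
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# rundll32.exe "C:\path\file.dll",Export
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)', re.IGNORECASE)
# Heuristic (assumption): eight random lowercase letters is a common dropper naming style.
RANDOM_NAME_RE = re.compile(r'^[a-z]{8}$')


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (label, reason) pairs for entries a reviewer should look at. Heuristics only."""
    findings: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            label, cmd = m.group('label'), m.group('cmd')
            r = RUNDLL_RE.search(cmd)
            if r:
                stem = r.group('dll').rsplit('\\', 1)[-1][:-4].lower()  # basename without .dll
                if RANDOM_NAME_RE.match(stem):
                    findings.append((label, f"rundll32 loads random-looking DLL {r.group('dll')} via export {r.group('export')}"))
            if m.group('key') == 'RunServices':
                findings.append((label, 'RunServices autostart (Win9x-era key; rarely legitimate on XP)'))
            continue
        m = O23_RE.match(line)
        if m and m.group('owner') == 'Unknown owner' and '(file missing)' in m.group('path'):
            findings.append((m.group('name'), 'service with unknown owner and missing binary'))
    return findings


if __name__ == '__main__':
    for label, reason in triage(SAMPLE_LOG):
        print(f'{label}: {reason}')
```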



#2 martym

martym

  • Members
  • 13 posts
  • Location:christchurch new zealand
  • Local time:04:36 AM

Posted 23 March 2007 - 04:33 AM

I would say you have been hi-jacked,
and don't blame your nephew.
How can a six year old go to a hi-jack area?
Cut the can and tell the truth
so people can get on and help.
You may have to reinstall your sys.
Normally in safe mode you can troubleshoot,
so it may be the malware has taken out your
operating DLL files.
How to fix it, if you can't scan with anything in safe mode:
my advice,
reinstall
and keep away from those sites.
Marty

Here is a bit of advice I keep in my favourites:

http://www.microsoft.com/athome/security/default.mspx

Edited by martym, 23 March 2007 - 04:42 AM.


#3 Slashvre

Slashvre
  • Topic Starter

  • Members
  • 28 posts
  • Local time:01:36 AM

Posted 23 March 2007 - 06:51 AM

what exactly is a "hi jack area"?

#4 jgweed

jgweed

  • Members
  • 28,473 posts
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:04:36 AM

Posted 23 March 2007 - 07:02 AM

Please post your HJT log in the HJT Team Forum. Our team of experts will then review it and help you get rid of malware. If you have made any changes to your computer, then please submit a new log. Submit the log, as well as the information you have provided in your post (or a link to it) here:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Do NOT make any changes to your computer until the log is reviewed, and then only if a Team Member instructs you to do so. For this reason Members should refrain from replying to this thread until the log is worked, and I will close this thread.

Regards,
John

Edited by jgweed, 23 March 2007 - 07:03 AM.

Whereof one cannot speak, thereof one should be silent.



