Tech Support Guy banner
Status
Not open for further replies.
1 - 10 of 10 Posts

·
Registered
Joined
·
121 Posts
Discussion Starter · #1 ·
Wasn't sure where to post this so I put it here because I think I have a virus or spyware problem. The problem is on my teenagers' computer, Dell 8100, P4, running WinXP Home. I noticed going into control panel>administrative tools>services that all services were disabled. After painstakingly re-enabling what needed to be I find that after one or two restarts it's back to having everything disabled. I've run an array of cleaning progs including System Mechanic, Reg Cleaner, Spybot, Adaware and did a virus scan with AVG. Found no viruses and cleaned out all the crap but problem remains. Had this problem once before on same computer and was so frustrated I just formatted the thing but what a hassle. Don't really want to do that again. This computer is shared by three young boys and I notice they are always in some cheesy flash game site and who knows what they are picking up in there. If it says "yes" or "continue" they just click on it without even knowing why. Their homepage is constantly being taken over this way. If you have kids you know exactly what I'm talking about. I've submitted a HijackThis log for you to look over. I didn't really see anything on it but I'm not an expert.
Also I've got their cookie setting at medium/high. Would this be an appropriate setting to help keep out the crap? Please help... Thx

Logfile of HijackThis v1.99.1
Scan saved at 6:02:05 PM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programs\AVG75~1.432\avgcc.exe
C:\Programs\SYSTEM~1\PopupStopper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programs\AVG75~1.432\avgamsvr.exe
C:\Programs\AVG75~1.432\avgupsvc.exe
C:\Programs\AVG75~1.432\avgemc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programs\System Mechanic 5 Pro\SysMech5.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programs\HijackThis 1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roadrunner.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\SPYBOT~1.4\SDHelper.dll
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\Programs\AVG75~1.432\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] C:\Programs\System Mechanic 5 Pro\SysMech5.exe /COMPLETECACHE
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Programs\SYSTEM~1\PopupStopper.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144024911782
O17 - HKLM\System\CCS\Services\Tcpip\..\{981E6ACE-54DB-46E6-959D-0C90BE197F63}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDFC7FC-8BD2-4A8F-9B8B-809C68D9DE86}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
 

Attachments

·
Administrator
Joined
·
123,542 Posts
Cookies settings should be customized.

In IE click on Tools - Internet Options - privacy tab and select "advanced". Set First Party cookies to "prompt" and Third Party cookies to either "block" or "prompt" and check "always allow session cookies". Basically, you should refuse all cookies except those from sites you trust or need to log in to.

You can refuse a cookie each time it asks (if you're not sure and don't want to block it all the time) or you can select the option to "apply my decision to all cookies from this website" and then select "block or allow". If you block a cookie and later find it's needed, you can go back into Internet Options, under the privacy tab and click on "advanced" and remove it from the list of blocked cookies there or change its designation to "always allow".

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt).

Now we will flush DNS:

In the windows control panel, if you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.

Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems

Next Go start run type cmd and hit OK and type:

ipconfig /flushdns

Then hit enter, type exit and hit enter again. (The space between g and / is needed).

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.
 

·
Registered
Joined
·
121 Posts
Discussion Starter · #3 ·
Thanks...I'll try that and get back to you, but can you tell me what exactly you found in the HijackThis file that was detrimental. I not only would like to fix it, I also would like to learn what caused it to break. I like computers to be a constant learning experience.
 

·
Registered
Joined
·
121 Posts
Discussion Starter · #7 ·
OK, I ran the fixwareout and flushed DNS and after several restarts everything seems to be working fine again. Here are the logs you asked for but I did notice the 017's are still in there. Will that be a problem?

Fixwareout
Last edited 1/14/2006
Post this report in the forums please
...
Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINDOWS\system32\kdkou.exe will be moved to C:\WINDOWS\temp\kdkou.ren at reboot.
»»»»» System restarted
...
Reg Entries that were deleted
...
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
"system"=""
»»»»»

Logfile of HijackThis v1.99.1
Scan saved at 8:35:47 PM, on 1/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programs\AVG75~1.432\avgcc.exe
C:\Programs\SYSTEM~1\PopupStopper.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Programs\AVG75~1.432\avgamsvr.exe
C:\Programs\AVG75~1.432\avgupsvc.exe
C:\Programs\AVG75~1.432\avgemc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\System32\rsvp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programs\HijackThis 1.99.1\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\SPYBOT~1.4\SDHelper.dll
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\Programs\AVG75~1.432\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Programs\SYSTEM~1\PopupStopper.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144024911782
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDFC7FC-8BD2-4A8F-9B8B-809C68D9DE86}: NameServer = 85.255.116.153,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Programs\AVG75~1.432\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Programs\AVG75~1.432\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Programs\AVG75~1.432\avgemc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
 

·
Administrator
Joined
·
123,542 Posts
Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)

O17 - HKLM\System\CCS\Services\Tcpip\..\{CDDFC7FC-8BD2-4A8F-9B8B-809C68D9DE86}: NameServer = 85.255.116.153,85.255.112.12

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.153 85.255.112.12


O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)

Reboot and post a new HijackThis log please.
 

·
Registered
Joined
·
121 Posts
Discussion Starter · #9 ·
OK Cookiegal here is the latest log...
Logfile of HijackThis v1.99.1
Scan saved at 1:37:51 AM, on 1/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programs\AVG75~1.432\avgcc.exe
C:\Programs\SYSTEM~1\PopupStopper.exe
C:\Programs\AVG75~1.432\avgamsvr.exe
C:\Programs\AVG75~1.432\avgupsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Programs\AVG75~1.432\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programs\HijackThis 1.99.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.roadrunner.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\SPYBOT~1.4\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\Programs\AVG75~1.432\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Programs\SYSTEM~1\PopupStopper.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144024911782
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Programs\AVG75~1.432\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Programs\AVG75~1.432\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Programs\AVG75~1.432\avgemc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
 

·
Administrator
Joined
·
123,542 Posts
The log looks good now but I think, given the circumstances, we should do a couple more scans to be thorough.

Download AVG Anti-Spyware from HERE and save that file to your desktop. This is not the same as your anti-virus. This is an anti-spyware program.

When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.

  1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
  2. Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  3. On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
  4. Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  6. Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
  1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
  2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  4. AVG will now begin the scanning process. Please be patient as this may take a little time.
    Once the scan is complete, do the following:
  5. If you have any infections you will be prompted. Then select "Apply all actions."
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower lef- hand of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
  8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go HERE to run Panda's ActiveScan
  • You need to use IE to run this scan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.
 
1 - 10 of 10 Posts
Status
Not open for further replies.
Top