Guest Devil Duckie

No Net Access, No NAV, No Spyware?

11 posts in this topic

My boss' kids got some nasty stuff on their computer. I ran Ad-Aware, Spybot S&D and Norton (with REALLY old virus defs because I can't get Live Update to work). Found a bunch of stuff and cleaned it up. NAV, Ad-Aware, S S&D all show nothing now. Still can't access the internet. Still can't copy/paste files. Still can't access the taskbar. Sound is dead.

 

I had to handwrite the Hijack This log so I could get it home to a computer that actually works...here's what HJT shows:

 

Logfile of Hijack This v1.97.7

Scan saved at 2:52:14PM, on 6/04/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v 6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\symantec shared\ccApp.exe

C:\Program Files\Common Files\symantec shared\ccRegVfy.exe

C:\documents and settings\sara\local settings\temp\SL.exe

C:\documents and settings\sara\local settings\temp\SL.exe

C:\PROGRA~1\AIM95\aim.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 10 for Hijackthis.zip\HijackThis.exe

C:\WINNT\System32\nvsvc32.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

C:\PROGRA~1\Common~1\Symant~1\Script~1\SBServ.exe

C:\WINNT\wanmpsvc.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main, Start Page - http://www.wrk.com/

02 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} C:\Program Files\Microsoft Money\System\mnyside.dll

02 - BHO: (no name) - {28688B51-5177-446B-A9FA-8D617A212BAA} - C:\WINNT\maxvn.dll (disabled BHODemon)

02 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

02 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Anti Virus\NavshExt.dll

03 - Toolbar:Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program FIles Norton AntiVirus\NavshExt.dll

03 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

04-HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.exe

04-HKLM\..\Run:[NvCplDaemon] RUNDLL32.EXE NvQTwk, NvCplDaemon initialize

04-HKLM\..\Run:[GWMDMMSG] GWMDMMSG.EXE

04-HKLM\..\Run:[Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue: "Keyboard Preload Check"

04-HKLM\..\Run:[GWMDMpi] C:\WINNT\GWMDMpi.exe

04-HKLM\..\Run:[AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

04-HKLM\..\Run:[EPSON Stylus C42 Series] C:\WINNT\System 32\spool\DRIVERS\W32X86\3\E_S10IC1.exe /P23 "Epson Stylus C42 Series" /06 "USB001" /M "Stylus C42"

04-HKLM\..\Run:[QUICK TIME TASK] "C:\Program Files\Quicktime\qttask.exe -atbootime

04-HKLM\..\Run:[TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

04-HKLM\..\Run:[ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

04-HKLM\..\Run:[ccRegvfy] "C:\Program Files\Common Files\Symantec Shared\ccRegvfy.exe"

04-HKLM\..\Run:[Pcsv] C:\WINNT\system32\pcs\pcsvc.exe

04-HKLM\..\Run:[GNTDKQX] C:\WINNT\GNTDKQX.exe

04-HKLM\..\Run:[enol] C:\WINNT\enol.exe

04-HKLM\..\Run:[sL] C:\documents and settings\sara\local settings\temp\SL.exe

04-HKLM\..\Run:[MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

04-HKLM\..\Run:[AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl

04-HKLM\..\Run:[PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

04-HKLM\..\Run:[Ltho] C:\Documents and Settings\Owner\Application Data\ootr.exe

04-HKLM\..\Run:[WNSI] C:\WINNT\System32\wnscpcc.exe

04-HKLM\..\Run:[ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

 

08 - Extra context menu item: Limeshop preferences - file://c:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

 

09 - Extra Button: AIM (HKLM)

09 - Extra Button: Real.com (HKLM)

09 - Extra Button - MoneySide (HKLM)

 

012 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

016 - DPF: {0ZBF25D5-8C17-4B23-BC80-D3488ABDOC6B} (Quick Time Object) - http://www.apple.com/qtactivex/qtplugin.cab

016-DPF: {33564D57-000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9vcm.cab

016-DPF: {CC05BC12-2AA20-4AC7-AC81-0E40F83B1ADF} (Live365 Player Class) - http://www.live365.com/players/play365.cab

016-DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

Thanks so much for your help!


Hi,

"I had to handwrite the Hijack This log"

Now that's dedication! :rofl:

 

Important! Create a folder via Windows Explorer for HijackThis, then move the file (HijackThis.exe) to that folder. This way any backups created are saved in a legit folder.

 

First thing to do is ...

 

Reconfigure Windows Explorer to show Hidden Files:

Open the Windows Explorer Folder Options - View [tab]:

 

Scroll down to the "Files and Folders" section.

Select: "Display the contents of system folders".

 

Scroll down to the "Hidden Files and Folders" section.

Select: "Show hidden files and folders", Ok the prompt

Uncheck: "Hide file extensions for known file types"

Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

 

Click the "Apply to all Folders" button. Close Windows Explorer.

 

Run BHODemon and undo the below:

02 - BHO: (no name) - {28688B51-5177-446B-A9FA-8D617A212BAA} - C:\WINNT\maxvn.dll (disabled BHODemon)

 

Close all open windows except for HijackThis, then place a check in each of the following:

Then click "Fix checked".

 

02 - BHO: (no name) - {28688B51-5177-446B-A9FA-8D617A212BAA} - C:\WINNT\maxvn.dll

04-HKLM\..\Run:[GNTDKQX] C:\WINNT\GNTDKQX.exe

04-HKLM\..\Run:[enol] C:\WINNT\enol.exe

 

04-HKLM\..\Run:[sL] C:\documents and settings\sara\local settings\temp\SL.exe

Note: not exactly sure what "SL.exe" is but it shouldn't be running from there!

 

04-HKLM\..\Run:[Ltho] C:\Documents and Settings\Owner\Application Data\ootr.exe

04-HKLM\..\Run:[WNSI] C:\WINNT\System32\wnscpcc.exe

04-HKLM\..\Run:[ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

08 - Extra context menu item: Limeshop preferences - file://c:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

016-DPF: {CC05BC12-2AA20-4AC7-AC81-0E40F83B1ADF} (Live365 Player Class) - http://www.live365.com/players/play365.cab

 

Then reboot, on restart, restart in Safe Mode (see "How To" below)

 

Open Windows Explorer, locate and delete the following:

 

C:\WINNT\maxvn.dll <--this file

C:\WINNT\GNTDKQX.exe <--this file

C:\WINNT\enol.exe <--this file

C:\Documents and Settings\Owner\Application Data\ootr.exe <--this file

C:\Program Files\LimeShop <--this folder

C:\PROGRAM FILES\ClockSync <--this folder

 

Restart normally and then ...

 

Reconfigure Ad-Aware for Full Scan:

Please update the reference file following the instructions here:

http://www.lavahelp.com/howto/updref/index.html

 

Launch the program, and click on the Gear at the top of the start screen.

 

Click the "Scanning" button.

Under Drives & Folders, select "Scan within Archives".

Click "Click here to select Drives + folders" and select your installed hard drives.

 

Under Memory & Registry, select all options.

Click the "Advanced" button.

Under "Log-file detail", select all options.

Click the "Tweaks" button.

 

Under "Scanning Engine", select the following:

"Include additional Ad-aware settings in logfile" and

"Unload recognized processes during scanning."

Under "Cleaning Engine", select the following:

"Let Windows remove files in use after reboot."

Click on 'Proceed' to save these Preferences.

Please make sure that you activate IN-DEPTH scanning before you proceed.

 

After the above post a fresh log ...

And of course see if you can get online ...
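An added example, not part of the original post: the reply above singles out the `SL.exe` autorun because of the folder it starts from. This Python code parses HijackThis O4 (Run key) lines, tolerating the transcription quirks of the handwritten log, and lists the entries that launch from a user-writable profile folder. The function names and the `RISKY_DIRS` list are assumptions of this example, not HijackThis features.

```python
import re

# Constructed sample: O4 lines taken from the two logs in this thread, keeping
# the handwritten quirks of the first one ("04" for "O4", missing spaces).
SAMPLE_LOG = r"""
04-HKLM\..\Run:[GWMDMMSG] GWMDMMSG.EXE
04-HKLM\..\Run:[ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
04-HKLM\..\Run:[sL] C:\documents and settings\sara\local settings\temp\SL.exe
04-HKLM\..\Run:[Ltho] C:\Documents and Settings\Owner\Application Data\ootr.exe
04-HKLM\..\Run:[ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
"""

# Section id ("O4" or a mistyped "04"), hive, Run-type key, [value name], command.
O4_RE = re.compile(
    r"^\s*[O0]4\s*-\s*(HK(?:LM|CU))\\\.\.\\(Run\w*):\s*\[([^\]]+)\]\s*(.+?)\s*$", re.I)
# Executable path: a quoted string, otherwise everything up to the first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.I)
# Assumption of this example: profile folders any user can write to.
RISKY_DIRS = ("\\local settings\\temp\\", "\\application data\\")


def parse_o4(log):
    """Return one dict per O4 autorun line; other lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        exe = EXE_RE.match(cmd)
        path = (exe.group(1) or exe.group(2)) if exe else cmd
        entries.append({"hive": hive.upper(), "key": key, "name": name, "path": path})
    return entries


def flag_user_writable(entries):
    """Keep entries whose executable sits under a RISKY_DIRS folder."""
    return [e for e in entries
            if any(d in e["path"].lower() for d in RISKY_DIRS)]


if __name__ == "__main__":
    for e in flag_user_writable(parse_o4(SAMPLE_LOG)):
        print(f'{e["hive"]} {e["key"]} [{e["name"]}] -> {e["path"]}')
```

A location check is triage only: entries such as `C:\WINNT\GNTDKQX.exe`, which the reply also removes, sit in a system directory and are not caught by it.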


I won't be able to get back to his house until Monday... but at least now I'll have something to reference. (And can you really consider it dedication if he pays me my hourly wage PLUS a little extra for the on-site tech support? *grin*)

 

Thanks so much!


OK. Still no happy. I got rid of everything per WinHelp2002's advice and a little something called "pcsvc.exe" which someone else told me was bad. Ad-Aware, Spybot and HijackThis aren't showing anything out of the norm. Norton is still down, IE won't work AND anytime I touch a file on the desktop, the computer freezes.

 

Here's the latest HJT log.

 

Logfile of HijackThis v1.97.7

Scan saved at 2:52:13 PM, on 6/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\nvsvc32.exe

C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

C:\WINNT\wanmpsvc.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

C:\PROGRA~1\AIM95\aim.exe

C:\WINNT\system32\notepad.exe

C:\HiJack This\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wrk.com/

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O9 - Extra button: AIM (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Is it possible there's some kind of virus/trojan? Norton's completely gone. Like uninstalled gone and I can't seem to reinstall it. XP keeps throwing up an error message about a corrupt installer and I can't get on the internet to run an online scanner like Panda or AVG.

 

I did manage to run the Blaster fix tool from Symantec just in case (symptoms looked kind of similar) but that found nothing. I'm also going to run Sasser, Mydoom, and Beagle. If those don't work, what's my option?

 

The boss wants me to take Windows off and reinstall it, but I'm a Mac gal myself and reinstalling Windows gives me the woozies. Besides, even if I reinstall, aren't the odds good the *whatever* will still be there?


Hi,

Your log looks clean now ...

 

If things worked in Safe Mode, deleting files, etc. then it sounds like a bad or corrupt video driver, if you get a "screen freeze" (no mouse or keyboard) in regular mode.

 

Try reducing the Hardware Accelerator 2 notches (reboot required)

Display Properties | Settings | Advanced

[or]

Use the System File Checker tool to scan all of the protected files on your computer:

Click Start, and then click Run.

In the Open box, type "sfc /scannow" (no quotes), and then click OK.


Safe Mode didn't do much for me. Still had a heck of a time pulling off the hijack this log - at least I didn't have to handwrite it. We ended up pulling the plug and taking it to a repair shop. The tech was amazed by how slow it was loading and thinks there are more problems than just the 600+ pieces of spyware I pulled off.

 

I'd like to find the people responsible for this stuff and wring their necks. I lost almost an entire 4 days trying to figure out what was wrong and teaching myself more than I ever wanted to know about Windows in the process. *sigh* (I'm OK with Win 98. HATE XP with a passion. )

 

Thanks for all the help, though. If I hear what was actually at the root of the problem, I'll be in touch.


Hi,

"We ended up pulling the plug and taking it to a repair shop"

Ok ... well good luck with it :wave:


So- we heard back from the repair shop. Most of the spyware was gone (thanks WinHelp2002!) but they had 4 viruses on there and a keystroke lifter. The registry had been damaged so badly by the viruses that a clean install didn't fix the problems. They had to go in and do a lot of fix-it-work.

 

It runs much better now and I've gone ahead and installed all the spyware blockers that have been recommended on this forum. I'm going to keep my fingers crossed and hope they work.

 

Thanks so much for your help!
